AD FS v2


1 Introduction

Active Directory Federation Services (AD FS) is Microsoft's identity federation and access solution. AD FS 1.0 shipped as an optional component of Windows Server® 2003 R2, and an AD FS role is built into Windows Server® 2008 and Windows Server® 2012; AD FS 2.0, the version this guide covers, is installed on Windows Server 2008/2008 R2 as a separate download. AD FS establishes trust relationships between organisations and reduces the need to provision and manage duplicate user accounts. It gives clients, whether inside or outside the trusted internal LAN, simplified access to systems and applications that rely on claims-based authorization, and it supports web Single Sign-On (SSO) to improve the user experience across multiple protected applications.

Trust relationships are used to project a user’s digital identity and access rights to trusted partners and can be deployed in multiple organisations to facilitate business-to-business (B2B) transactions between trusted partner organisations.

1.1 Document Purpose

This documentation is intended to provide guidance on how to configure KEMP LoadMaster products to provide high availability for an AD FS 2.0 environment. This documentation is created using a representative sample environment described later in the document. As this documentation is not intended to cover every possible deployment scenario it may not address unique setup or requirements. The KEMP Support Team is always available to provide solutions for scenarios not explicitly defined.

1.2 Intended Audience

It is assumed that the reader is a server/network administrator or a person otherwise familiar with networking and general computer terminology and is familiar with AD FS technology.

2 Load Balancing AD FS

The core components of AD FS are as follows:

  • An AD FS federation server, responsible for authenticating users and issuing claims. It must be able to reach a Domain Controller, and it can authenticate users from multiple domains by using Windows trusts. Federation servers can be deployed as a farm to provide high availability.
  • An AD FS federation server proxy, which sits in the perimeter network and shields the federation servers from internet-based threats. It collects credentials from internet users and relays the request to a federation server. Proxies can likewise be deployed as a farm for high availability.
  • An AD FS configuration database, held either in SQL Server or in the Windows Internal Database (WID; a WID farm supports at most five federation servers), never both at once. It stores:
    • Relying party trusts
    • Certificates
    • Claims provider trusts
    • Claim descriptions
    • Service configuration
    • Attribute stores

The diagram below shows a common authentication process flow for applications located in a resource organization and secured with AD FS, of which Office 365 is a popular example. The steps, which correspond to the numbers in the diagram, are outlined as follows.

Figure 2‑1: Load Balancing the AD FS Server Farm

  1. The internal user tries to access the AD FS-enabled resource.
  2. The client is redirected to the resource organisation's Federation Service.
  3. If the user's organisation is configured there as a trusted claims provider, the client is redirected again, this time to the user's own internal Federation Service.
  4. The AD FS server authenticates the user against Active Directory.
  5. The AD FS server returns a signed security token containing the claims for the resource partner, together with an authentication cookie that later requests reuse for SSO.
  6. The client presents the token to the resource partner's Federation Service, which verifies the signature and the claims and, if appropriate, issues a new security token of its own.
  7. The client presents the new token (carried in its authentication cookie) to the resource in order to access it.
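The redirect of step 2 and the token return of steps 5 to 7, written out as the WS-Federation passive-profile messages AD FS 2.0 exchanges with a browser. This is an added example, not code from KEMP or Microsoft, and it simplifies the flow to a single federation service and one relying party. The relying-party table, the host names and the token placeholder are constructed from the document's example environment; the check on the caller-supplied reply address is the one any token issuer must make, since the signed token is posted to whatever address passes it.

```python
"""Added example (not KEMP's or Microsoft's code): WS-Federation passive sign-in
request and response for the flow described above.  Assumed values: the
federation service URL, the relying party table and the placeholder token."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

FEDERATION_SERVICE = "https://myADFS.KEMPdemo.com/adfs/ls/"   # document's example AD FS name space

# Relying party trusts as the configuration database would hold them (constructed):
# realm identifier -> WS-Federation passive endpoint that may receive the token.
RELYING_PARTY_TRUSTS = {
    "https://owaADFS.KEMPdemo.com/owa/": "https://owaADFS.KEMPdemo.com/owa/",
}

# Stand-in for a real RequestSecurityTokenResponse carrying a signed SAML token.
SAMPLE_TOKEN = "<t:RequestSecurityTokenResponse/>"


def build_signin_request(wtrealm, wctx=None, wreply=None):
    """Step 2: the resource redirects the browser to the Federation Service.
    wa names the action, wtrealm the relying party, wctx opaque state to echo back."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wreply:
        params["wreply"] = wreply
    if wctx:
        params["wctx"] = wctx
    return FEDERATION_SERVICE + "?" + urlencode(params)


def validate_signin_request(url, trusts=RELYING_PARTY_TRUSTS):
    """Checks applied before the user is authenticated and a token is signed:
    the action is a sign-in, the realm is a configured relying party trust, and
    any caller-supplied wreply stays on that party's registered HTTPS endpoint.
    Returns (ok, reply_address_or_reason)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("wa") != "wsignin1.0":
        return False, "unsupported wa"
    realm = query.get("wtrealm")
    if realm not in trusts:
        return False, "wtrealm is not a configured relying party trust"
    endpoint = urlsplit(trusts[realm])
    reply = query.get("wreply", trusts[realm])       # default: the registered endpoint
    rp = urlsplit(reply)
    if (rp.scheme != "https" or rp.netloc.lower() != endpoint.netloc.lower()
            or not rp.path.startswith(endpoint.path)):
        return False, "wreply is not at the relying party's endpoint"
    return True, reply


def build_signin_response(reply_to, wresult, wctx=None):
    """Steps 5 to 7: the token travels back in an auto-submitting HTML form, so the
    browser POSTs it to the relying party over HTTPS rather than carrying it in a URL."""
    fields = {"wa": "wsignin1.0", "wresult": wresult}
    if wctx:
        fields["wctx"] = wctx
    inputs = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v, quote=True)}"/>'
        for k, v in fields.items())
    return (f'<form method="POST" action="{escape(reply_to, quote=True)}">{inputs}'
            '<noscript><input type="submit"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


if __name__ == "__main__":
    request = build_signin_request("https://owaADFS.KEMPdemo.com/owa/", wctx="rm=0&id=passive")
    print(request)
    ok, reply = validate_signin_request(request)
    print(ok, reply)
    if ok:
        print(build_signin_response(reply, SAMPLE_TOKEN, wctx="rm=0&id=passive"))
```

The same validator rejects a wreply on another host, on a look-alike host, or over plain HTTP; the load balancer never sees these parameters in the clear unless SSL is terminated on it, which is one more reason the SSL-bridged Layer 7 service configured later in this guide is preferred.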

3 Example Environment Setup

In our example deployment, “KEMP Demo” has deployed AD FS 2.0 in their environment to facilitate claims-based authentication for their Exchange 2010 infrastructure and allow for SSO capabilities across applications. The deployment contains the following:

  • Two AD FS 2.0 Servers
  • Two AD FS 2.0 Proxy Servers
  • Two Exchange 2010 Multi-Role Servers
  • A KEMP LoadMaster High Availability (HA) Cluster

A name space of owaADFS.KEMPdemo.com is used for access to the Microsoft Exchange environment. A name space of myADFS.KEMPdemo.com is used for access to the AD FS environment. Split DNS is implemented, which allows these name spaces to be used both internally and externally in the environment.

The following scenarios are defined:

  • Internal access to Outlook Web App (OWA) through the internal AD FS farm, with both OWA and the farm load-balanced by the KEMP LoadMaster
  • External access to OWA through the AD FS proxy farm and the internal farm, with all three load-balanced by the KEMP LoadMaster

The following diagrams represent the respective environments:

Figure 3‑1: Internal user access

Figure 3‑2: External user access

4 Prerequisites

There are some prerequisites to be aware of before deploying the KEMP LoadMaster with AD FS.

It is assumed that the AD FS 2.0 environment is already set up and the KEMP LoadMaster has been installed. We recommend reviewing the LoadMaster Web User Interface (WUI), Configuration Guide.

At a minimum, the following actions should be completed:

  • Implemented Active Directory, AD FS, Domain Name System (DNS), Federation Server Proxy (FSP), and other Microsoft requirements
  • Configured the application servers to support claims-based authentication
  • Installed the LoadMaster on the same network as the servers
  • Established access to the LoadMaster WUI

4.1 DNS

Access to the DNS used in the environment must be available. This is needed to set up name resolution of the AD FS services to the virtual service IP addresses that will be configured on the KEMP LoadMaster.

4.2 AD FS SSL Certificate Import on LoadMaster

The AD FS SSL certificate has to be imported into the LoadMaster before deployment. To import the certificate, follow the steps below:

  1. Log in to the WUI of the relevant LoadMaster or Virtual LoadMaster (VLM).
  2. In the main menu, click Certificates & Security and select SSL Certificates.

Figure 4‑1: Manage Certificates screen

  3. Click the Import Certificate button.

Figure 4‑2: Install certificate screen

  4. Click Choose File next to the Certificate File field.
  5. Browse to and select the certificate file.
  6. Click Open.
  7. Browse to and select the Key File if the private key is not already contained in the certificate file (a PFX export from the AD FS server carries both).
  8. Enter the Pass Phrase of the certificate.
  9. Enter a name for the certificate in the Certificate Identifier field.
  10. Click Save.
  11. A success message is displayed when the import completes. Click OK.

Although a client needs only a single Transmission Control Protocol (TCP) connection to an AD FS server to request and receive a security token, some applications trigger repeated login redirections if the load balancer does not keep each client on the same AD FS server. For this reason a Layer 7 service is used, with SSL bridging (SSL terminated on the LoadMaster and re-encrypted to the real servers), which enables the more intelligent persistence methods that are not available at Layer 4 or when SSL is not terminated on the LoadMaster. Terminating SSL is also why the AD FS SSL certificate and its private key must be imported as described above.

5 Virtual Service (VS) Configuration

Steps on how to configure the AD FS Virtual Services that can be used are outlined in the sections below.

5.1 Configure an AD FS Internal Farm Virtual Service

Follow the steps below to configure a VS:

  1. Log in to the relevant VLM.
  2. In the main menu, click Virtual Services and select Add New.

Figure 5‑1: VS parameters

  3. Enter the Virtual Address.

This is the Virtual IP address used for the service and must be unique and not in use by any other device on the network.

  4. Enter 443 in the Port field.
  5. Enter a name for the VS in the Service Name (Optional) field.
  6. Ensure that tcp is selected as the Protocol.
  7. Click Add this Virtual Service.
  8. Configure the settings as recommended in the following table:

Section | Option | Value | Comment
SSL Properties | SSL Acceleration | Enabled |
SSL Properties | Cipher Set | Default |
SSL Properties | Reencrypt | Enabled | Set the Reencryption SNI Hostname if required. AD FS 3.0 requires the Reencryption SNI Hostname to be set.
Standard Options | Persistence Mode | Super HTTP |
Standard Options | Timeout | 1 Hour |
Standard Options | Scheduling Method | least connection |
Advanced Properties | Add a Port 80 Redirector VS | https://%h%s | Click Add HTTP Redirector. This automatically creates a redirect on port 80.

ESP (Edge Security Pack) can be enabled if an ESP license is in place. For more information on ESP, refer to the ESP, Feature Description.

Table 5‑2: AD FS Internal Farm Recommended Settings

  9. Expand the Real Servers section.
  10. In the first Real Server Check Parameters field, select HTTPS Protocol.
  11. Enter /federationmetadata/2007-06/federationmetadata.xml in the URL text box and click the Set URL button.
  12. Select the Use HTTP/1.1 check box.
  13. Select GET as the HTTP Method.
  14. Click the Add New… button.
  15. Enter the IP address of the server to be added to the real server pool. Click Add This Real Server. A success message is displayed after adding. Click OK. Repeat this for any other real servers that need to be added.
  16. In the main menu, click Certificates & Security and select SSL Certificates.
  17. Locate the certificate that was added earlier. In the Available VSs field, select the Virtual Service that has just been added and click the right arrow button to assign it.
  18. In the main menu, click Virtual Services and select View/Modify Services.
  19. Confirm that the service is listed with a Status of Up and that all added member servers are listed in non-bold font.
  20. Test access to the AD FS Internal Farm by opening a browser and going to https://<AD FS URL>/adfs/ls/idpinitiatedsignon.aspx and following the instructions to log in.
  21. Once all other Microsoft-defined AD FS prerequisites and application configurations are complete, test access to the application to ensure authentication succeeds. To do this, open a browser and go to https://<OWA URL>/owa (owaADFS.KEMPdemo.com in the example environment).

A successful login will result in access to the protected application.

Login experience is dependent upon the parameters set in the web.config file located on the AD FS servers.
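The health check configured in steps 10 to 13 only tells the LoadMaster that a member answered; it does not tell you whether every member is publishing the same federation service. The script below, an added example that is not KEMP's or Microsoft's code, reproduces that check by hand against each farm member by IP address, presenting the farm FQDN as SNI and Host the way a client arriving through the VIP does, and then parses the federation metadata to compare the token-signing certificate thumbprints across members. The farm name and metadata path are the ones used in this guide; the sample metadata is constructed, and its certificate element holds a placeholder rather than a real DER certificate.

```python
"""Added example (not KEMP's or Microsoft's code): reproduce the HTTPS health check
against each AD FS farm member by IP and compare what the members publish.
Assumed: the farm FQDN below, HTTPS on port 443, and the constructed sample metadata."""
import base64
import hashlib
import socket
import ssl
import xml.etree.ElementTree as ET

FARM_FQDN = "myADFS.KEMPdemo.com"          # the document's example AD FS name space
METADATA_PATH = "/federationmetadata/2007-06/federationmetadata.xml"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample of a member's response body; "YWJj" and "ZGVm" are base64 of
# "abc" and "def", standing in for the DER token-signing and encryption certificates.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://myADFS.KEMPdemo.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>ZGVm</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def build_probe_request(fqdn, path):
    """The request the check sends with 'Use HTTP/1.1' and GET selected: HTTP/1.1
    needs a Host header, and AD FS answers for the farm name, not for the IP."""
    return (f"GET {path} HTTP/1.1\r\nHost: {fqdn}\r\n"
            "User-Agent: adfs-farm-probe\r\nConnection: close\r\n\r\n").encode()


def _dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body."""
    out = bytearray()
    while body:
        line, _, body = body.partition(b"\r\n")
        size = int(line.split(b";")[0].strip(), 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]            # skip the CRLF that terminates each chunk
    return bytes(out)


def parse_http_response(raw):
    """Return (status_code, body) for a raw HTTP/1.1 response read to EOF."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = _dechunk(body)
    return status, body


def parse_federation_metadata(xml_bytes):
    """Extract the federation service identifier and the SHA-1 thumbprints of the
    token-signing certificates, which is how AD FS displays them."""
    root = ET.fromstring(xml_bytes)
    thumbs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):    # a KeyDescriptor with no use serves both
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            thumb = hashlib.sha1(der).hexdigest().upper()
            if thumb not in thumbs:
                thumbs.append(thumb)
    return {"entity_id": root.get("entityID"), "signing_thumbprints": thumbs}


def farm_consistent(member_results):
    """True when every member publishes the same identifier and signing certificates;
    a member whose configuration database copy lags behind the primary would issue
    tokens the relying party cannot verify."""
    views = {(r["entity_id"], tuple(r["signing_thumbprints"])) for r in member_results}
    return len(views) == 1


def probe_member(member_ip, fqdn=FARM_FQDN, timeout=5.0):
    """Connect to one real server by IP while presenting the farm FQDN as SNI and Host."""
    ctx = ssl.create_default_context()   # verifies the chain and that the certificate names fqdn
    with socket.create_connection((member_ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            tls.sendall(build_probe_request(fqdn, METADATA_PATH))
            raw = b"".join(iter(lambda: tls.recv(65536), b""))
    status, body = parse_http_response(raw)
    if status != 200:
        raise RuntimeError(f"{member_ip}: HTTP {status} from {METADATA_PATH}")
    return parse_federation_metadata(body)


if __name__ == "__main__":
    import sys                                   # usage: python probe.py 10.0.0.11 10.0.0.12
    results = [probe_member(ip) for ip in sys.argv[1:]]
    for ip, r in zip(sys.argv[1:], results):
        print(ip, r["entity_id"], r["signing_thumbprints"])
    print("farm consistent:", farm_consistent(results))
```

If the AD FS SSL certificate was issued by an internal CA, load that CA with ctx.load_verify_locations() rather than disabling verification; a probe that skips chain and name checks would pass against a member serving the wrong certificate, which is exactly the condition the LoadMaster's re-encryption step will then fail on.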

5.2 Configure an AD FS Proxy Farm Virtual Service

The steps to set up an AD FS Proxy Farm Virtual Service are almost identical to those in Section 5.1. Give the Virtual Service a different name (and, because two services cannot share the same address and port, its own Virtual Address), then replace the Advanced Properties and Real Servers steps with the following:

  1. Expand the Advanced Properties section.

Figure 5‑2: Advanced Properties section

  2. Select Enable Caching.
  3. Select Enable Compression.

Set the maximum cache usage according to how many services on the LoadMaster share the cache. Caching is for the static content (images, scripts, style sheets) of the AD FS sign-in pages; the sign-in responses themselves, which carry session cookies and tokens, must never be served from cache.

  4. Expand the Real Servers section.

Figure 5‑3: Real Servers section

  5. In the first Real Server Check Parameters drop-down list, select HTTPS Protocol.
  6. Enter /adfs/ls/idpInitiatedSignon.aspx in the URL text box and click Set URL.
  7. Select GET as the HTTP Method.
  8. Continue from Step 14 in Section 5.1.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

ESP, Feature Description
LoadMaster Web User Interface (WUI), Configuration Guide

Document History

Date | Change | Reason for Change | Version | Resp.
Aug 2013 | Initial draft | Initial draft of document | 1.0 | LB
Nov 2013 | Minor change | Aesthetic change | 1.1 | LB
Feb 2014 | Minor change | Update for 7.0-12a release | 1.2 | LB
Mar 2014 | Release updates | Update for 7.0-14 release | 1.3 | LB
July 2014 | Release updates | Update for 7.1-18a release | 1.4 | LB
Feb 2015 | Minor change | Fixed a defect | 1.5 | LB
Sep 2015 | Screenshot updates | LoadMaster WUI reskin | 3.0 | KG
Dec 2015 | Release updates | Updates for 7.1-32 | 4.0 | LB
Jan 2016 | Minor change | Updated | 5.0 | LB
Mar 2016 | Release updates | Updates for 7.1-34 | 6.0 | LB
Jan 2017 | Minor change | Enhancements made | 7.0 | LB
