AD FS v3

1 Introduction

Active Directory Federation Services (AD FS) is a Microsoft identity access solution. It was an optional component of Microsoft Windows Server® 2003 R2. It is now built into Windows Server® 2008, Windows Server® 2012 and Windows Server 2012 R2. AD FS helps to establish trust relationships and reduces the need for provisioning and managing user accounts. Its implementation provides clients (internal or external to the trusted internal LAN) with simplified access to systems and applications relying on claims-based authorization. AD FS also supports web Single-Sign-On (SSO) technologies to improve User Experience across multiple protected applications.

Trust relationships are used to project a user’s digital identity and access rights to trusted partners and can be deployed in multiple organisations to facilitate business-to-business (B2B) transactions between trusted partner organisations.

1.1 Document Purpose

This documentation is intended to provide guidance on how to configure KEMP LoadMaster products to provide high availability for an AD FS 3.0 environment, based on Windows Server 2012 R2. This documentation is created using a representative sample environment described later in the document. As this documentation is not intended to cover every possible deployment scenario it may not address unique setup or requirements. The KEMP Support Team is always available to provide solutions for scenarios not explicitly defined.

1.2 Intended Audience

It is assumed that the reader is a server/network administrator or a person otherwise familiar with networking and general computer terminology and is familiar with AD FS technology.

If you are using Advanced Claims with the AD FS infrastructure, the LoadMaster can be used alongside the AD FS Proxy Farm but cannot be used as a replacement.

1.3 Intended use of KEMP LoadMaster products with AD FS and AD FS proxy (WAP) farms

KEMP LoadMaster family of products provide high availability to AD FS and AD FS proxy farms (WAP). AD FS proxy servers provide termination of external traffic at the DMZ and provides an additional layer of protection against external threats. AD FS proxy servers also help internal AD FS servers clearly identify which authentication attempts are external. This is achieved by inserting x-ms-proxy claims in AD FS requests.

AD FS administrators can configure advanced claim rules that allow granular control over user authentication restrictions such as requiring users to be a part of a certain group or requiring users to authenticate from certain IP networks. When such claims rules are configured on AD FS servers, it becomes critical to identify if the user is trying to authenticate from an external or internal location.

In deployments where such advanced claim rules are not in use, KEMP LoadMaster devices can be placed in the DMZ and can proxy authentication requests to internal AD FS servers without requiring additional AD FS proxy (WAP) servers. This can help customers save on hardware, software and management costs associated with maintaining additional AD FS proxy servers.

2 Load Balancing AD FS

The core components of AD FS are as follows:

An AD FS server which is responsible for issuance of claims and user authentication. This server must be able to connect to a Domain Controller. It authenticates users from multiple domains by using Windows Trust. The AD FS server can be set up in a cluster to ensure high availability.

An AD FS proxy server (Windows Application Proxy (WAP)) which protects the AD FS server from internet-based threats. The WAP server also authenticates users from the internet. The WAP server cannot be set up as a cluster and must be used with a load balancer to provide high availability.

Terminating SSL between the WAP and AD FS server is not supported. Terminating SSL breaks the trust between the WAP and AD FS.

For further information, please refer to the following Microsoft TechNet article: https://blogs.technet.microsoft.com/applicationproxyblog/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2 

An AD FS configuration database which can be stored in a SQL database or Windows Internal Database (maximum of 5 servers) but not both at the same time. This database stores the following items:

- Relying Party Trust

- Certificates

- Claim Provider Trust

- Claims description

- Service configuration

- Attributes

The diagram below shows a common authentication process flow for applications located in a resource organization and secured with AD FS, of which Office 365 is a popular example. The steps, which correspond to the numbers in the diagram, are outlined as follows.

Load Balancing AD FS.png

1. The internal user tries to access the AD FS-enabled resource.

2. The client is redirected to the resource’s Federation Service.

3. If the resource’s federation service is configured as a trusted partner, the client is redirected to the organisation’s internal Federation Service.

4. The AD FS server uses the Active Directory to authenticate the user.

5. The AD FS server sends an authorization cookie to the client. This contains the signed security token and a set of claims for the resource partner.

6. The client connects to the resource partner’s Federation Service where the token and claims are verified. If appropriate, the resource partner may send a new security token.

7. The client presents the new authorisation cookie with the security token to the resource in order to access it.

3 Example Environment Setup

In our example deployment, “KEMP Demo” has deployed AD FS 3.0 in their environment to facilitate claims-based authentication for their Exchange 2010 infrastructure and allow for SSO capabilities across applications. The deployment contains the following:

Two AD FS 3.0 Servers

Two AD FS 3.0 Proxy Servers (Windows Application Proxy)

Two Exchange 2013 Multi-Role Servers

A KEMP LoadMaster High Availability (HA) Cluster

A name space of owaADFS.KEMPdemo.com is used for access to the Microsoft Exchange environment. A name space of myADFS.KEMPdemo.com is used for access to the AD FS environment. Split DNS is implemented, which allows these name spaces to be used both internally and externally in the environment.

The following scenarios are defined:

Internal access to Outlook Web App (OWA) using the internal AD FS farm, both of which are being load-balanced by the KEMP LoadMaster

External access to OWA using the Proxy Farm and Internal Farm all three of which are being load-balanced by the KEMP LoadMaster

The following diagrams represent the respective environments:

Example Environment Setup.png

Example Environment Setup_1.png

4 Prerequisites

There are some prerequisites to be aware of before deploying the KEMP LoadMaster with AD FS.

It is assumed that the AD FS 3.0 environment is already set up and the KEMP LoadMaster has been installed. We recommend reviewing the LoadMaster Web User Interface (WUI), Configuration Guide .

At a minimum, the following actions should be completed:

Implemented Active Directory, AD FS, Domain Name System (DNS), Federation Server Proxy (FSP), and other Microsoft requirements

Configured the application servers to support claims-based authentication

Installed the LoadMaster on the same network as the servers

Established access to the LoadMaster WUI

4.1 DNS

Access to the DNS used in the environment must be available. This is needed to set up name resolution of the AD FS services to the Virtual Service IP addresses that will be configured on the KEMP LoadMaster.

4.2 AD FS SSL Certificate Import on LoadMaster

The AD FS SSL certificate has to be imported into the LoadMaster before deployment. To import the certificate, follow the steps below:

1. Log in to the relevant Virtual Load Master (VLM).

2. In the main menu, click Certificates & Security and select SSL Certificates.

3. Click the Import Certificate button.

AD FS SSL Certificate Import.png

4. Click Choose File next to the Certificate File field.

5. Browse to and select the certificate file.

6. Click Open.

7. Browse to and select the Key File if needed.

8. Enter the Pass Phrase of the certificate.

9. Enter a name for the certificate in the Certificate Identifier field.

10. Click Save.

11. If it works a success message will be displayed. Click OK.

Despite the fact that clients establish a single Transmission Control Protocol (TCP) connection with the AD FS server to request and receive a security token, certain applications can suffer from multiple login redirections if persistence is not enabled on the load balancer. For this reason, a Layer 7 service is used, along with SSL reencryption, to allow for the more intelligent forms of persistence that are not available at Layer 4 or when SSL traffic is not terminated at the LoadMaster.

5 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B - Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

When Subnet Originating Requests is enabled, the LoadMaster will route traffic so that the Real Server will see traffic arriving from the LoadMaster interface that is in that network/subnet not the Virtual Service address.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether or not to enable Subnet Originating Requests on a per-Virtual Service basis.

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

SCMONO002.png

2. Tick the Subnet Originating Requests check box.

6 Virtual Service (VS) Configuration

Steps on how to configure the AD FS Virtual Services that can be used are outlined in the sections below.

6.1 Configure an AD FS Internal Farm Virtual Service

Follow the steps below to configure the AD FS internal farm Virtual Service:

Do not enable SSL Acceleration on this Virtual Service. When using the Web Application Proxy role, the proxy server needs to present a certificate of trust to the AD FS server.

1. Log in to the relevant VLM.

2. In the main menu, click Virtual Services and select Add New.

Configure an AD FS Internal.png

3. Enter the Virtual Address.

This is the Virtual IP address used for the service and must be unique and not in use by any other device on the network.

4. Enter 443 in the Port field.

5. Enter a name for the VS in the Service Name (Optional) field.

6. Ensure that tcp is selected as the Protocol.

7. Click Add this Virtual Service.

8. Configure the settings as recommended in the following table:

Section

Option

Value

Comments

Standard Options

Persistence Mode

Source IP

If the traffic is being Network Address Translated (NATed), set the Service Type to Generic and set the Persistence Mode to SSL Session ID.

 

Timeout

1 Hour

 

 

Scheduling Method

least connection

ESP can be enabled if an ESP license is in place. For more information on ESP, refer to the ESP, Feature Description.

9. Expand the Real Servers section.

10. In the first Real Server Check Parameters field, select HTTPS Protocol.

11. Enter the health check URL and click Set URL.

The Health Check URL can be set to adfs/services/trust/mex or /adfs/ls/idpInitiatedSignon.aspx.

12. Select the Use HTTP/1.1 check box.

13. Enter the HTTP/1.1 Host name and click Set Host.

14. Select GET as the HTTP Method.

15. Click the Add New… button.

16. Enter the IP address of the server to be added to the real server pool. Click Add This Real Server. A success message will be displayed after adding. Click OK. Repeat this for any other real servers that need to be added.

17. In the main menu, click Virtual Services and select View/Modify Services.

18. Confirm that the service is listed with a Status of Up and that all added member servers are listed in non-bold font.

19. Test access to the AD FS Internal Farm by opening a browser and going to https://<AD FS URL>/ADFS/ls/idpinitiatedsignon.aspx and following the instructions to log in.

20. Once all other Microsoft-defined AD FS prerequisites and application configurations are complete, test access to the application to ensure authentication success. To do this, open a browser and go to https://owAD FS/<AD FS URL>/owa.

A successful login will result in access to the protected application.

Login experience is dependent upon the parameters set in the web.config file located on the AD FS servers.

6.2 Configure an AD FS Proxy Farm Virtual Service

The steps to set up an AD FS Proxy Farm Virtual Service, follow the steps below:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Configure an AD FS Proxy Farm.png

2. Enter a valid IP address.

3. Enter 443 as the Port.

4. Enter a recognizable Service Name, for example AD FS Proxy Farm.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comments

SSL Properties

SSL Acceleration

Enabled

 

 

Reencrypt

Selected

 

  Require SNI Hostname   Type your SNI Hostname then click Set SNI Hostname.
Standard Options Persistence Mode Super HTTP  
  Timeout 1 Hour  

 

Scheduling Method

least connection

 

Advanced Properties Enable Caching Selected The maximum cache usage should be configured dependent upon the number of services on the LoadMaster that are leveraging this feature. If there are no other services, the Maximum Cache usage can be set to No Limit. Otherwise, it can be set as needed.
  Enable Compression Selected  
Real Servers Real Server Check Parameters HTTPS Protocol  
  URL adfs/services/trust/mex or /adfs/ls/idpInitiatedSignon.aspx Click Set URL.
  Use HTTP/1.1 check box Selected  
  HTTP/1.1 Host   Type the host name and click Set Host.
  HTTP Method GET  

7. Continue from the Click the Add New… button. step in the Configure an AD FS Internal Farm Virtual Service section.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

ESP, Feature Description

LoadMaster Web User Interface (WUI), Configuration Guide

Document History

Date

Change

Reason for Change

Version

Resp.

Nov 2014

Initial draft

Initial draft of document

1.0

LB

Feb 2015

Minor changes

Enhancements made

1.1

LB

Aug 2015

Minor changes

Enhancements made

3.0

LB

Nov 2015

Minor changes

Updated to reflect template

4.0

LB

Dec 2015

Release updates

Updates for 7.1-32

5.0

LB

Jan 2016

Minor changes

Updated Copyright Notices

6.0

LB

Mar 2016

Release updates

Updates for 7.1-34

7.0

LB

July 2016

Minor changes

Enhancements made

8.0

LB

Nov 2017

Minor changes

Enhancements made

9.0

LB

July 2017 Minor changes Enhancements made 10.0 LB

 

Was this article helpful?

0 out of 0 found this helpful

Comments

Avatar
Vitaly K

Any advice on ADFS 3.0 port 49443 publication? It seems that part is missing. Port 49443 is requred for smartcard / certificate authentication. When I do additional rule L7 passthru for this port, while certificate is requested, ADFS returns error. It works internally.

Avatar
kwokyin.wong

How about the setting for Web Publishing from ADFS Proxy server ?
Test numbers of times. it is not possible to turn on SSL Acceleration,
And we found Exchange OWA can not reach properly the connect through LB except we place "/" behind owa URL manually. However, i cant find a way to make it work in LB.. please check and advise

Avatar
Derek Kiely

I have created tickets for both comments. Our support team will investigate both items and this article will be update based on their findings.

Avatar
James Rago Global Support Manager

We will be adding information concerning SSL Offloading with AD FS 2012 R2 & WAP in our next document release.

The reason for this addition is to highlight SSL Offloading is not supported due to the Proxy Trust relationship between Web Application Proxy and AD FS 2012 R2 is based on Client SSL Certificates.

For more info: http://blogs.technet.com/b/applicationproxyblog/archive/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2.aspx

Avatar
itservices

Hi James, any info on how to get around this issue for now?

Avatar
James Rago Global Support Manager

Currently there is no workaround given the above reason is not due to our functionality. A workaround would to simply do pass-thru SSL instead of offloading.

Avatar
Ian.hardie

Hi - can you confirm the current document v8 has been updated with the ADFS v3 SSL offloading/pass-thru issue included? Will the walk-through now work as expected via the Kemp LB albeit in pass-thru mode?

Thanks.

Edited by Ian.hardie
Avatar
James Rago Global Support Manager

Ian,

A note was added in section 2 concerning SSL termination. SSL pass thru was always an alternative option. If doing Pass-thru you need to ensure the RS's know how to handle multiple certificates and SNI. Performing Re-encryption allows the LoadMaster to handle this functionality.

Avatar
jamesdoe

This article should be updated to use /adfs/probe endpoint for AD FS on 2012 R2 and above OS editions. mex and idpinitiatedsignon pages are options for AD FS 2.0. https://blogs.technet.microsoft.com/applicationproxyblog/2014/10/17/hardware-load-balancer-health-checks-and-web-application-proxy-ad-fs-2012-r2/ has details.

I cant set a 200 status code when doing set status code.

Avatar
Naseer Husein

Hello James,

Thank you for your feedback. I will push this internally to have it reviewed and once it's been approved then I can update you.

As far as setting a 200 status code, that is not a valid option. The value has to be between 300-599. We have received some feedback to also allow 200 status codes and this is something which is being worked on and will be available in future release.