![Page 1: SIM401. A. Datum Account Forest Trey Research Resource Forest Federation Trust Microsoft (Users) E-Company Store (Resource) Contoso(Users)Contoso(Users)Fabrikam(Resource)Fabrikam(Resource)](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56649f335503460f94c4f901/html5/thumbnails/1.jpg)
Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure
Brian Puhl, Technology Architect, Microsoft IT
SIM401
Agenda
- ADFS Roles/Functions
- Deployment Topologies
- Management Operations
Why Bother?
- ADFS is your identity interface to the cloud
- Claims-based authentication
- Application portability
- SaaS adoption (O365, etc.)
The expectation from your users and applications is that ADFS is as seamless and transparent as Active Directory.
ADFS in Action
(Diagram: Internal Client, Federation Server, Web Server and Active Directory; a Federation Trust links the A. Datum Account Forest (Microsoft, Contoso: users) to the Trey Research Resource Forest (E-Company Store, Fabrikam: resources).)
High Availability/Disaster Recovery
- Factor high availability and disaster recovery plans into the service architecture
- 2 or more ADFS server farms in different data centers
- Back-end SQL store comprised of minimum 2-node clusters located in multiple DCs
  - Mirrored against one another for failover
  - STS services configured for SQL failover
Deployment Topology
(Diagram: Site1 and Site2, each with an Extranet and a Corpnet tier behind MSIT.adfs.microsoft.com; the SQL back end is a pair of Mirrored Clusters spanning the two sites.)
Deployment Topology: Federation Service (FS)
(Same two-site diagram as the previous slide.)
- Security Token Service (STS)
- Maps user attributes to claims
- Issues security tokens
- Manages federation trust policies and claim rules
Deployment Topology: Federation Service Proxy (FS-P)
(Same two-site diagram as the previous slides.)
- Client proxy for token requests
- Provides UI for browser clients
- Forms-based authentication
- Home realm discovery
Configuring DNS
- Users should always contact their “local” ADFS instance
- Internet users must resolve to the FS-P servers
- The FS-Ps must resolve to the FS servers
- Internal users must resolve to the FS servers
Solution: we chose a dedicated namespace which we could host both internally and externally:
<instance>.sts.microsoft.com
Load Balancing
(Diagram: Internet, DMZ and Intranet tiers; Geographic DNS in front, with one Load Balanced pool in the DMZ and another in the Intranet.)
- Ability to shift or balance traffic between data centers
- Hardware load balancers enable quick response to server failures
- Internal load balancers provide high availability
Load Balancing
(Diagram: Internet, DMZ and Intranet tiers.)
- Use HOSTS files to create pairs of Federation Servers and Proxies
- Use HOSTS files to direct each Proxy to its FS servers
- Operations processes for managing a failed Fed Server
- Add the server name to common pages (HRD, Login, Error):
  <%=System.Environment.MachineName %>
Deployment Topology: SQL Configuration Store
(Same two-site diagram, with the Mirrored Clusters as the SQL back end.)
- SQL server
- ADFS service configuration
- Trust and claims rule storage
- SAML artifact storage
SQL Configuration
Mirrored Clusters
- SQL mode of operation: High Performance Mode
- Asynchronous transactions
- Minor risk of loss of token replay and artifacts during failover
- Requires low latency between clusters to keep consistency
SQL Configuration: Server Configuration
ADFS Service Host XML configuration file:
C:\program files\Active Directory Federation Services 2.0\Microsoft.identityServer.ServiceHost.exe.config
<microsoft.identityServer.service>
  <policyStore connectionString="Data Source=SQL1.contoso.com; Initial Catalog=AdfsConfiguration; Integrated Security=True; Failover Partner=SQL2.contoso.com" administrationUrl="net.tcp://localhost:1500/policy" />
  <trustMonitoring enabled="true" />
</microsoft.identityServer.service>
SQL Configuration Requirements
Repeat the process for the artifact store (PowerShell):
PS C:\Windows\system32> Get-ADFSProperties | %{$_.ArtifactDbConnection}
Data Source=SQL1.contoso.com;Initial Catalog=AdfsArtifactStore;Integrated Security=True;Failover Partner=SQL2.contoso.com
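A check for the two connection strings above, written as an added example (not from the deck): it confirms that both the configuration store and the artifact store name a Failover Partner distinct from the primary, so that a mirror failover does not take the STS down. It assumes it runs on a federation server as an ADFS administrator, and that the config file path and the <microsoft.identityServer.service> element are as shown above.

```powershell
# Added example (not from the deck): verify that both ADFS 2.0 SQL stores name a
# Failover Partner distinct from the primary, so a mirror failover does not stop the STS.
# Assumes: run on a federation server as an ADFS administrator; the config file path and
# <microsoft.identityServer.service> element are as shown in the deck.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$configFile = 'C:\program files\Active Directory Federation Services 2.0\Microsoft.identityServer.ServiceHost.exe.config'

function Test-FailoverConnectionString {
    param([string]$Store, [string]$ConnectionString)
    # Parse "key=value;key=value" tolerantly: keys are case-insensitive and may carry spaces
    $parts = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $parts[$matches[1].ToLower()] = $matches[2] }
    }
    $primary = $parts['data source']
    $partner = $parts['failover partner']
    $ok = [bool]$primary -and [bool]$partner -and ($primary -ne $partner)
    New-Object PSObject -Property @{
        Store = $Store; Primary = $primary; FailoverPartner = $partner; Ok = [bool]$ok
    }
}

# 1. Configuration (policy) store: the connection string lives in the service host config file
[xml]$cfg = Get-Content $configFile
$service = $cfg.configuration.'microsoft.identityServer.service'
$results = @(Test-FailoverConnectionString 'Configuration' $service.policyStore.connectionString)
if ($service.trustMonitoring.enabled -ne 'true') {
    Write-Warning 'trustMonitoring is disabled in the service host config'
}

# 2. Artifact store: its connection string is an ADFS property, not part of the file
$results += Test-FailoverConnectionString 'Artifact' (Get-ADFSProperties).ArtifactDbConnection

$results | Format-Table Store, Primary, FailoverPartner, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'A store has no usable Failover Partner: this farm will not survive a SQL mirror failover.'
}
```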
Claims Pipeline
(Diagram: in both the A. Datum Account Forest (Contoso users) and the Trey Research Resource Forest (Fabrikam resource), each federation server runs the same pipeline: Accept Incoming Claims, Authorize the Requestor, Issue Outgoing Claims.)
RP Trust Policy Management
- Use PowerShell, not the UI
- Allows for quickly recreating/reconfiguring the service
- Store copies of the scripts externally from ADFS
# Creating new Relying Party
Add-ADFSRelyingPartyTrust -Name "Fabrikam" -Identifier "https://app.fabrikam.com/" -WsFedEndpoint "https://app.fabrikam.com/_trust/" -Notes "Sponsor Name:Brian Puhl" -TokenLifetime 60
RP Rules Management
@RuleName = "Store:Active Directory, Get Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);
@RuleName = "Store:Active Directory, Send givenname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
 => issue(claim = c);
- Use PowerShell, not the UI
- Use the @ operator to set the rule name in the UI
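The two previous slides (trust creation by cmdlet, rule sets kept as text with @RuleName) come together in this added example, which is not the deck's own script: each relying party trust is exported to files outside ADFS and can be recreated from them without the UI. The export root and the use of the Microsoft.Adfs.PowerShell snap-in are assumptions.

```powershell
# Added example (not from the deck): keep each relying party trust as files outside ADFS
# (settings plus the claim-rule text) so it can be rebuilt with the cmdlets rather than
# the UI. Assumes the export root below and the Microsoft.Adfs.PowerShell snap-in.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$exportRoot = 'D:\AdfsConfig\RelyingParties'   # assumed: a versioned share, not on the ADFS servers

function Export-RpTrust {
    param([string]$Name)
    $rp = Get-ADFSRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "No relying party trust named '$Name'" }
    $dir = Join-Path $exportRoot ($Name -replace '[^\w\.-]', '_')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Rule sets are plain claim-rule-language text (with @RuleName lines), so they diff and review well
    [IO.File]::WriteAllText((Join-Path $dir 'IssuanceTransformRules.txt'), [string]$rp.IssuanceTransformRules)
    [IO.File]::WriteAllText((Join-Path $dir 'IssuanceAuthorizationRules.txt'), [string]$rp.IssuanceAuthorizationRules)
    # Scalar settings as key=value; enough to recreate the trust with Add-ADFSRelyingPartyTrust
    @("Name=$($rp.Name)",
      "Identifier=$($rp.Identifier -join ',')",
      "WSFedEndpoint=$($rp.WSFedEndpoint)",
      "TokenLifetime=$($rp.TokenLifetime)",
      "Notes=$($rp.Notes)") | Set-Content (Join-Path $dir 'trust.properties')
    $dir
}

function Restore-RpTrust {
    # Recreates a trust from an exported folder, replacing any copy already on the farm
    param([string]$Dir)
    $p = @{}
    Get-Content (Join-Path $Dir 'trust.properties') | ForEach-Object {
        $k, $v = $_ -split '=', 2
        $p[$k] = $v
    }
    if (Get-ADFSRelyingPartyTrust -Name $p.Name) {
        Remove-ADFSRelyingPartyTrust -TargetName $p.Name
    }
    $add = @{ Name = $p.Name; Identifier = ($p.Identifier -split ','); TokenLifetime = [int]$p.TokenLifetime }
    if ($p.WSFedEndpoint) { $add.WSFedEndpoint = $p.WSFedEndpoint }
    if ($p.Notes)         { $add.Notes = $p.Notes }
    Add-ADFSRelyingPartyTrust @add
    # Rules come from the reviewed files, never typed into the UI; skip a rule set whose file is empty
    $set = @{ TargetName = $p.Name }
    foreach ($ruleSet in 'IssuanceTransformRules', 'IssuanceAuthorizationRules') {
        $file = Join-Path $Dir "$ruleSet.txt"
        if ((Get-Item $file).Length -gt 0) { $set["${ruleSet}File"] = $file }
    }
    if ($set.Count -gt 1) { Set-ADFSRelyingPartyTrust @set }
}

# Usage: Export-RpTrust 'Fabrikam' on the running farm;
#        Restore-RpTrust (Join-Path $exportRoot 'Fabrikam') on a rebuilt one
```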
Claims Sources
- Master Data Management concepts apply
- Applications may not need “authoritative” data
- Information in AD may not be the same as in the other stores
SQL Attribute Stores: must ALSO be highly available
Custom Attribute Stores
- Custom extensibility point for querying attribute stores other than AD, AD LDS, or SQL
- Written in .NET; implements the IAttributeStore interface
- Possible return values:
  - 2-dimensional array of [claim type][claim value]
  - AttributeStoreInvalidConfigurationException
  - AttributeStoreQueryException
  - Exception
  - AttributeStoreQueryFormatException
Claims Best Practices
- Claims Provider Rules apply to all users from that IdP
- Custom Attribute Stores MUST return something: if the data store is unavailable, return a value that tells the application the claims are not valid
- Naming standards for claim types
- Publish claim types in federation metadata for consistency
Security Best Practices
- Utilize ADFS 2.0 integration with SCW
- Systematically evaluate ADFSProperties and ADFS Relying Party properties
- Set relevant properties:
  - Set the optimal ADFS token lifetime to complement the resource being secured
  - Leverage the Extended Protection for authentication property
  - Ensure RPs call signout.aspx to clean up ADFS cookies
Security Best Practices
- Enforce privacy of PII information: secure custom attribute stores (SQL, WIF)
- SQL Server specific security, if the Policy/Artifact store = SQL
- Implement and enforce a lifecycle on RP/IdP objects
- Design an elevated admin access model
- Reduce authentication surface area:
  - Enable the relevant authN types on ADFS and the Proxy
  - Review and enable applicable endpoints and usage
ADFS/SCW Unleashed
- SCW usage and verification
- Use scwcmd to register security role extensions
SCW Configuration Information
Logging and Creating Usage Reports
Approach
- Utilize IIS Log Parser to collect W3SVC events on the ADFS servers
  - Download Log Parser 2.2 from Microsoft.com
  - Events are only generated for passive federation
- SQL stored procedures to parse and insert into SQL
- Author SSRS reports to view the data in meaningful views, e.g. number of auths per application realm
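The first step of that approach, as an added example that is not from the deck: a Log Parser 2.2 query run from PowerShell that counts passive sign-in requests per application realm from an ADFS server's W3SVC log. The log folder, the output path and the use of the WS-Federation 'wtrealm' query parameter as the realm key are assumptions.

```powershell
# Added example (not from the deck): count browser (passive) sign-in requests per application
# realm from an ADFS server's W3SVC log with Log Parser 2.2. The log path, output path and the
# use of the WS-Federation 'wtrealm' parameter as the realm key are assumptions.
$logParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$logDir    = 'C:\inetpub\logs\LogFiles\W3SVC1'   # assumed: IIS log folder on the FS
$outCsv    = 'C:\Reports\AuthsPerRealm.csv'

# A passive sign-in is a request to /adfs/ls/ carrying wa=wsignin1.0; the application is
# named by wtrealm. Counting every 200/302 over-counts multi-step flows (forms login GET
# then POST), so read the numbers as relative load per realm, not exact sign-ins.
$query = @"
SELECT TO_LOWERCASE(URLUNESCAPE(EXTRACT_VALUE(cs-uri-query, 'wtrealm'))) AS Realm,
       COUNT(*) AS Requests,
       MIN(TO_TIMESTAMP(date, time)) AS FirstSeen,
       MAX(TO_TIMESTAMP(date, time)) AS LastSeen
INTO '$outCsv'
FROM '$logDir\*.log'
WHERE cs-uri-stem LIKE '%/adfs/ls/%'
  AND cs-uri-query LIKE '%wa=wsignin1.0%'
  AND sc-status IN (200; 302)
GROUP BY Realm
ORDER BY Requests DESC
"@

# Log Parser reads IIS W3C logs natively; the CSV is what the SQL import / SSRS step consumes
& $logParser -i:IISW3C -o:CSV -stats:OFF $query
Import-Csv $outCsv | Format-Table -AutoSize
```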
Troubleshooting User Authentications
Error messages include a correlation ID, which is included in one or more entries in the ADFS 2.0 log.
PowerShell snippet to query the log for a correlation ID:
param([string]$CoID, [string]$computername = $env:COMPUTERNAME)
BEGIN {
    # Match every event whose activity ID equals the correlation ID shown to the user
    $query = "*[System/Correlation[@ActivityID='{" + $CoID + "}']]"
    $log = "AD FS 2.0/Admin"
}
PROCESS {
    Get-WinEvent -ComputerName $computername -LogName $log -FilterXPath $query `
        | Format-List MachineName, TimeCreated, Id, Message
}
Availability and Monitoring
- Internal monitoring: SCOM Management Pack
  - Server availability
  - Service health
- External monitoring: the internet perspective of your service
  - PowerShell scripts or internet providers
  - Verifies end-to-end through all network layers
  - Complex management of DNS records/resolution
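An external probe of the kind the slide mentions, as an added example that is not the deck's own monitoring script: it records what DNS resolves from this vantage point, fetches the federation metadata over HTTPS and checks the entity ID and the presented certificate's remaining lifetime. The host name, the expected entity ID and the 30-day threshold are assumptions.

```powershell
# Added example (not from the deck): an internet-side health probe that resolves the
# federation service name, fetches the published federation metadata over HTTPS and checks
# the entity ID plus the presented certificate's remaining lifetime. Host name, expected
# entity ID and the 30-day threshold are assumptions.
$fsHost      = 'msit.adfs.microsoft.com'                     # name users resolve (deck's example)
$expectedId  = "http://$fsHost/adfs/services/trust"          # assumed ADFS 2.0 default identifier
$metadataUrl = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$minCertDays = 30

function Test-FederationEndpoint {
    param([string]$Url, [string]$ExpectedEntityId, [int]$MinCertDays)
    $r = New-Object PSObject -Property @{
        Url = $Url; ResolvedTo = $null; HttpStatus = $null; EntityIdOk = $false
        CertDaysLeft = $null; Healthy = $false; Error = $null
    }
    try {
        # Record what geographic DNS handed this vantage point; it is the first thing to
        # compare when one region reports failures and another does not
        $hostName = ([Uri]$Url).Host
        $r.ResolvedTo = ([Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }) -join ','
        $req = [Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 15000
        $req.AllowAutoRedirect = $false          # a redirect from the metadata URL is a symptom, not a pass
        $resp = $req.GetResponse()
        $r.HttpStatus = [int]$resp.StatusCode
        $reader = New-Object IO.StreamReader($resp.GetResponseStream())
        [xml]$md = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        $r.EntityIdOk = ($md.EntityDescriptor.entityID -eq $ExpectedEntityId)
        # Certificate presented by whichever proxy the load balancer picked for this request
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $req.ServicePoint.Certificate
        $r.CertDaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $r.Healthy = ($r.HttpStatus -eq 200) -and $r.EntityIdOk -and ($r.CertDaysLeft -ge $MinCertDays)
    } catch {
        $r.Error = $_.Exception.Message          # DNS failure, TLS error, timeout or HTTP 4xx/5xx land here
    }
    $r
}

$probe = Test-FederationEndpoint $metadataUrl $expectedId $minCertDays
$probe | Format-List Url, ResolvedTo, HttpStatus, EntityIdOk, CertDaysLeft, Healthy, Error
if (-not $probe.Healthy) { exit 1 }   # non-zero exit lets a scheduler or monitoring agent raise an alert
```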
Summary
- Deploying a high availability ADFS service is similar to any other highly available web application
- SQL configuration is crucial
- Claims availability can impact ADFS availability
- Leverage PowerShell to externally store and manage configuration and trust information
- Use IIS logging and SSRS to manage utilization, capacity, and lifecycle management of the service
- Configure monitoring from the internet for end-to-end coverage
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- http://northamerica.msteched.com: Connect. Share. Discuss.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.