Four common problems to avoid with your AD FS environment

Presentation on theme: "Four common problems to avoid with your AD FS environment"— Presentation transcript:

1 Four common problems to avoid with your AD FS environment
THR2145 Four common problems to avoid with your AD FS environment
Sander Berkouwer, SCCT
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 AD FS from the Field: Active Directory Federation Services
THR2145 AD FS from the Field
- Deployed most commonly for Single Sign-On (SSO) with Office 365
- A typical organization contemplating AD FS is beyond 250 seats
- Rich authorization scenarios made easy: claims-based, attribute-based authorization decisions
- Multi-factor Authentication with the Extensible Authentication Framework

3 Common Problem 1: Choosing the wrong authentication scenario

4 Hybrid Identity Authentication Scenarios
THR2145 Hybrid Identity Authentication Scenarios
- Active Directory Federation Services (AD FS): Single Sign-On, based on one identity in Active Directory Domain Services; integrates and publishes on-premises and cloud web applications
- Password Hash Sync (PHS): Same Sign-On, based on synchronization of objects and attributes; an AES-256 OrgID hash of the NT hash is synchronized with Azure Active Directory
- Pass-through Authentication (PTA)
- Seamless Single Sign-On (S3O)
- More official info for making a choice

5 Choosing AD FS
THR2145 Choosing AD FS: a decision flow whose yes/no branches lead from these questions to one of the outcomes
Questions:
- Is there a legal requirement not to store secrets in the cloud?
- Do you have on-premises 3rd party web applications?
- Do you need High Availability?
Outcomes:
- Active Directory Federation Services
- Pass-through Authentication
- Password Hash Synchronization

6 Common Problem 2: Improperly designing the AD FS infrastructure

7 The Right AD FS Infrastructure
THR2145 The Right AD FS Infrastructure
- AD FS Server Farms
  - AD FS can easily be deployed highly available, with Windows or 3rd party NLB
  - Deploy AD FS Proxies / Web Application Proxies in perimeter networks
- Windows Internal Database or SQL Server
  - A WID farm has a limit of 30 Windows Server 2016-based federation servers, only the master is writable, and it does not support token replay detection or artifact resolution
- SQL Server High Availability
  - Take advantage of your existing SQL Server investments
  - Take advantage of database mirroring, fail-over clustering, and monitoring

8 Recommended Practices
THR2145 Recommended Practices
- Plan for proper time synchronization
  - Default w32time for domain-joined systems follows the AD DS time hierarchy
  - Web Application Proxies on perimeter networks require special attention
- Plan the AD FS service account
  - gMSAs offer additional security beyond traditional service accounts
  - Required: at least one Windows Server 2012 (or later) Domain Controller
  - Recommended: Windows Server 2008 R2 DFL for automatic password and SPN management
- Plan for the right certificates
  - Go for a 2048-bit key length, SHA-2 AD FS Service Communication certificate
  - Add the Device Registration and Certificate Authentication URLs to the certificate
  - Beware of other certificate issues, like the WoSign/StartCom distrust
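The recommended practices on this slide can be verified rather than assumed. The following read-only check is an added example, not part of the session or any Microsoft tooling; it assumes it runs as an administrator on a Windows Server 2016 federation server with the ADFS and ActiveDirectory PowerShell modules present, and it changes nothing.

```powershell
# Added example (not from the session): read-only checks for the slide's recommended practices
# on a Windows Server 2016 AD FS farm node. Assumes the ADFS and ActiveDirectory modules and
# administrative rights on a federation server. Nothing is modified; findings are returned as objects.
Import-Module ADFS, ActiveDirectory

function Test-AdfsRecommendedPractices {
    $f = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Ok, $Detail)
        $f.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = "$Detail" }) }

    # Time: tokens carry NotBefore/NotOnOrAfter, so a domain-joined node must follow the AD DS
    # hierarchy rather than its local clock (a WAP in the perimeter needs an explicit NTP source).
    $src = (w32tm.exe /query /source 2>&1) -join ' '
    & $add 'Time source' ($src -notmatch 'Local CMOS Clock|Free-running') $src

    # Service account: a gMSA name ends in '$' and AD DS rotates its password automatically.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    & $add 'gMSA service account' ($svc.StartName -match '\$$') $svc.StartName

    # gMSA prerequisites named on the slide: a 2012+ DC present, DFL 2008 R2 or higher.
    $dcs = @(Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -match '2012|2016|2019' })
    & $add 'Windows Server 2012+ DC' ($dcs.Count -ge 1) ("{0} found" -f $dcs.Count)
    $dfl = (Get-ADDomain).DomainMode
    & $add 'Domain functional level' ("$dfl" -match 'Windows2008R2|Windows201') "$dfl"

    # Service Communications certificate: 2048-bit key, SHA-2 signature, and SANs for
    # certauth.<service name> (certificate auth) and enterpriseregistration.<upn suffix> (DRS).
    $cert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
    $fsName = (Get-AdfsProperties).HostName
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
    & $add 'Key length >= 2048' ($cert.PublicKey.Key.KeySize -ge 2048) $cert.PublicKey.Key.KeySize
    & $add 'SHA-2 signature' ($cert.SignatureAlgorithm.FriendlyName -match 'sha(256|384|512)') $cert.SignatureAlgorithm.FriendlyName
    & $add "SAN certauth.$fsName" ($san -match "certauth\.$([regex]::Escape($fsName))") $san
    & $add 'SAN enterpriseregistration.*' ($san -match 'enterpriseregistration\.') $san
    & $add 'Certificate valid for 30+ days' ($cert.NotAfter -gt (Get-Date).AddDays(30)) $cert.NotAfter
    # Issuer check for the WoSign/StartCom distrust mentioned on the slide.
    & $add 'Issuer not WoSign/StartCom' ($cert.Issuer -notmatch 'WoSign|StartCom') $cert.Issuer
    return $f
}

Test-AdfsRecommendedPractices | Format-Table -AutoSize -Wrap
```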

9 Common Problem 3: Not managing AD FS (enough)

10 AD FS is not a Fire and Forget Scenario
THR2145 AD FS is not a Fire and Forget Scenario
- Windows Update for security and reliability improvements
  - AD FS is updated on 'Patch Tuesdays'
  - Security updates only light up after you install the AD FS role
- Monitoring AD FS: use any one of these (or your preferred 3rd party solution)
  - System Center Operations Manager (with GSM), Operations Management Suite
  - Azure AD Connect Health for Federation
- Auditing AD FS
  - AD FS offers built-in auditing and logging of errors and warnings
  - Decentralized per AD FS server in the AD FS farm
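Because auditing is kept per server, a farm-wide view has to be assembled by pulling each node's Security log. The script below is an added example, not from the session; it assumes a Windows Server 2016 farm where Get-AdfsFarmInformation lists the nodes, remote event log access to each node, that it runs on the primary (writable) node, and that the AD FS Auditing event IDs 1200, 1202 and 1203 carry the meanings noted in the comments.

```powershell
# Added example (not from the session). Turns on AD FS sign-in auditing and summarizes the
# resulting Security-log events from every node in a Windows Server 2016 farm, since AD FS
# keeps audits per server and never aggregates them. Assumes the ADFS module, remote event
# log access to each node, and that it runs on the primary (writable) node.
Import-Module ADFS

function Enable-AdfsSignInAuditing {
    # Set-AdfsProperties only succeeds on the primary of a WID farm (only the master is writable).
    Set-AdfsProperties -AuditLevel Verbose
    # AD FS writes audits through the 'Application Generated' subcategory of the local audit
    # policy; this must be enabled on *every* federation server, not only the primary.
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
}

function Get-AdfsFarmSignInSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Event IDs assumed for the 'AD FS Auditing' provider: 1200 token issued,
    # 1202 credential validated, 1203 credential validation failed (e.g. bad password).
    $ids = 1200, 1202, 1203
    $nodes = (Get-AdfsFarmInformation).FarmNodes | ForEach-Object { $_.FQDN }
    foreach ($node in $nodes) {
        $events = @()
        try {
            $events = @(Get-WinEvent -ComputerName $node -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = $ids; StartTime = $since })
        } catch {
            # "No events" is a finding in itself: auditing is probably off on that node.
            if ($_.Exception.Message -notmatch 'No events were found') { throw }
        }
        $byId = $events | Group-Object Id -AsHashTable -AsString
        [pscustomobject]@{
            Node            = $node
            TokensIssued    = @($byId['1200']).Count
            CredentialsOk   = @($byId['1202']).Count
            CredentialsFail = @($byId['1203']).Count
            AuditingSuspect = ($events.Count -eq 0)
        }
    }
}

Enable-AdfsSignInAuditing
Get-AdfsFarmSignInSummary -Hours 24 | Format-Table -AutoSize
```

A node reporting AuditingSuspect with others reporting normal counts is the symptom of the "decentralized per server" point on the slide: the audit policy was set on the primary only.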

11 Managing AD FS with Azure AD Connect
THR2145 Managing AD FS with Azure AD Connect
- Azure AD Connect
  - When you want Single Sign-On with Office 365, think Azure AD Connect
  - Azure AD Connect can set up AD FS for you and can manage AD FS with you
- Management of AD FS through Azure AD Connect
  - Additional AD FS claims rules for device registration and mS-DS-ConsistencyGuid
  - Management tasks made easy: Repair the Relying Party Trust between AD FS and Azure AD (HowTo); Add an additional DNS domain name in Azure AD to federate (HowTo); Update the AD FS Service Communications certificate (HowTo); Verify AD FS login
- Azure AD Connect Health for Active Directory Federation Services

12 Common Problem 4: Building on an unhealthy Active Directory Domain Services environment

13 AD FS is only as good as your AD DS
THR2145 AD FS is only as good as your AD DS
- Attribute integrity and lingering objects
  - Lingering objects: objects and attributes present on some Domain Controllers but not on others
  - Resulting in unpredictable AD FS authentication and/or unexpected (denial of) access
- Non-routable top-level domains
  - DNS domain names for domains ending with .local, .int
  - Ideally, the User Principal Name (UPN) suffix needs to be added and changed, but AlternateID is also a solution in some scenarios
- UPN syntax mismatches
  - Critical for solutions with Azure AD Connect

14 Checking up on Active Directory Domain Services
THR2145 Checking up on Active Directory Domain Services
- Use the free DirSync Error Remediation Tool (IdFix)
  - Use its Export functionality to make Pivot Tables in Microsoft Excel
  - Apply your Azure AD Connect filtering options manually
- Use the Best Practices Analyzers
- Use Azure AD Connect Health for Active Directory Domain Services
- Are you a Microsoft Premier customer? Request an Active Directory Risk Assessment (ADRAP)
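The UPN problems of slide 13 (non-routable suffixes, syntax mismatches) are the ones IdFix on slide 14 reports; the script below is an added example, not from the session or IdFix, that finds the same classes of object directly with the ActiveDirectory module. The verified-suffix list and the search base are placeholders: replace them with your tenant's verified domains and the OU scope your Azure AD Connect filtering actually synchronizes.

```powershell
# Added example (not from the session). Finds AD DS hygiene problems that break Azure AD Connect
# and therefore AD FS sign-in: users with no UPN, a non-routable UPN suffix (.local, .int, ...),
# a suffix that is not verified in Azure AD, or a UPN that differs from the mail attribute.
# $VerifiedSuffixes and $SearchBase are placeholders for your own verified domains and OU scope.
Import-Module ActiveDirectory

function Get-AdUpnFindings {
    param(
        [string[]]$VerifiedSuffixes = @('contoso.com'),          # placeholder: Azure AD verified domains
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # mimic Azure AD Connect OU filtering
    )
    $nonRoutable = '\.(local|int|internal|lan|corp)$'
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
        ForEach-Object {
            $u = $_                       # capture: inside switch, $_ is rebound to the switch value
            $upn = $u.UserPrincipalName
            $suffix = if ($upn) { $upn.Split('@')[-1].ToLower() } else { $null }
            $issue = switch ($true) {
                (-not $upn)                              { 'MissingUPN'; break }
                ($suffix -match $nonRoutable)            { 'NonRoutableSuffix'; break }
                ($VerifiedSuffixes -notcontains $suffix) { 'UnverifiedSuffix'; break }
                ($u.mail -and $u.mail -ne $upn)          { 'UpnMailMismatch'; break }
                default                                  { $null }
            }
            if ($issue) {
                [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $upn; Mail = $u.mail; Issue = $issue }
            }
        }
}

# Count per issue type first, then export the full list for the Pivot-Table style review the slide suggests.
$findings = @(Get-AdUpnFindings)
$findings | Group-Object Issue | Select-Object Name, Count | Format-Table -AutoSize
$findings | Export-Csv -Path .\upn-findings.csv -NoTypeInformation
```

Objects in the NonRoutableSuffix bucket are the candidates for either adding a routable UPN suffix or, where the slide allows it, configuring AlternateID in Azure AD Connect.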

15 Concluding

16 Getting AD FS right
THR2145 Getting AD FS right
- Choose the right authentication scenario
  - Why not go for Password Hash Sync or Pass-through Authentication?
  - BRK3015 Deep-dive: Azure AD Authentication and SSO, tomorrow 2:15 PM, W414
- Design the right AD FS infrastructure: getting it right the first time makes all the difference
- Manage AD FS with Azure AD Connect: manage with ease and leverage Azure AD Connect Health
- Check up on your Active Directory Domain Services, regularly

17 Thank you! Sander Berkouwer, SCCT.nl

18 Please evaluate this session
Tech Ready 15, 6/1/2018
- PC or tablet: visit MyIgnite
- Phone: download and use the Microsoft Ignite mobile app
Your input is important!
