ADFS new features and prerequisites in Windows 2012 R2

The AD FS service in Windows 2012 R2 provides simplified, secure, claims-based identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

ADFS has undergone many changes in Windows 2012 R2. The new improvements in ADFS are:

  • ADFS is a role service in Windows 2012 R2
  • Support for multi-factor authentication, which can be applied globally or per Relying Party
  • A brand new Device Registration Service that lets you register non-domain-joined devices with your corporate Active Directory; this is known as workplace join. A workplace-joined device is a mid-state between a domain-joined and a workgroup computer. You need to enable this service manually once ADFS is installed, and the certificate used for ADFS must carry the subject name for the Device Registration Service. This service can be used as a second authentication factor to ensure that an application can only be accessed from devices which are workplace joined.
  • Web Application Proxy - the ADFS Proxy is used to publish the ADFS service to external clients. In Windows 2012 R2 the ADFS Proxy is installed through the new Remote Access role: install the Web Application Proxy service and enable the ADFS Proxy functionality there. Apart from being used as an ADFS Proxy, Web Application Proxy can be used as a reverse proxy for many other applications, a function which is also provided by TMG.
  • Password change from workplace-joined devices
  • New PowerShell commands for the federation server and ADFS Proxy


Prerequisites – Before you install the ADFS service, make sure the following prerequisites are met:


Certificate

You need a certificate for the ADFS service, issued by a third-party CA that is trusted by clients. The following subject names are required in the certificate:

Subject Name (CN): adfs1.contoso.com (or whatever name you use for the ADFS service)

Subject Alternative Name (DNS): adfs1.contoso.com

Subject Alternative Name (DNS): enterpriseregistration.contoso.com (for the Device Registration Service; clients use this name to connect to it)

This certificate should be installed on the federation server as well as on the Web Application Proxy server.


ADFS Service account

Create a group managed service account (gMSA) to use as the ADFS service account while installing ADFS. A gMSA named FSGMSA is used in this demo.

You can also use a regular domain service account as the ADFS service account.


DNS service records

Create an A record for the ADFS service name that points to the ADFS farm or the standalone ADFS server.

Create an alias (CNAME) record for the Device Registration Service, i.e. enterpriseregistration.contoso.com, that points to the ADFS server.

Configure name resolution between the ADFS federation server and the Web Application Proxy server.
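As an added example (not from the original post), the following PowerShell script automates the three prerequisite steps above from a domain-joined admin workstation with the ActiveDirectory and DnsServer modules installed. The farm IP address 10.0.0.10, the security group ADFS-Servers holding the federation server computer accounts, and the http/ SPN are assumptions; the certificate check verifies that the installed certificate actually carries both required DNS names before you run Install-AdfsFarm.

```powershell
# Added example, not code from the original post. Assumed values: farm IP
# 10.0.0.10, group ADFS-Servers (federation server computer accounts) and an
# http/ SPN for the service name. Run as a domain administrator.
Import-Module ActiveDirectory, DnsServer

$FederationName = 'adfs1.contoso.com'
$DrsName        = 'enterpriseregistration.contoso.com'
$Zone           = 'contoso.com'
$AdfsIPv4       = '10.0.0.10'      # assumption: farm VIP or standalone server IP
$AdfsHostsGroup = 'ADFS-Servers'   # assumption: group allowed to fetch the gMSA password

# 1. Certificate: confirm the installed cert has a private key and the required SANs.
function Test-AdfsCertificateNames {
    param([string]$Subject, [string[]]$RequiredDnsNames)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with CN=$Subject and a private key"; return $false }
    # 2.5.29.17 is the Subject Alternative Name extension OID
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $missing = $RequiredDnsNames | Where-Object { $sanText -notmatch [regex]::Escape("DNS Name=$_") }
    if ($missing) { Write-Warning "SAN is missing: $($missing -join ', ')"; return $false }
    return $true
}

# 2. Service account: a gMSA requires a KDS root key in the forest (created once).
if (-not (Get-KdsRootKey)) {
    # Lab shortcut that backdates the key; production should use the default delay.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
if (-not (Get-ADServiceAccount -Filter "Name -eq 'FSGMSA'")) {
    New-ADServiceAccount -Name FSGMSA -DNSHostName $FederationName `
        -ServicePrincipalNames "http/$FederationName" `
        -PrincipalsAllowedToRetrieveManagedPassword $AdfsHostsGroup
}

# 3. DNS: A record for the federation service, alias for device registration.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'adfs1' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'adfs1' -IPv4Address $AdfsIPv4
}
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name 'enterpriseregistration' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'enterpriseregistration' -HostNameAlias $FederationName
}

Test-AdfsCertificateNames -Subject $FederationName -RequiredDnsNames @($FederationName, $DrsName)
```

Run the certificate check on both the federation server and the Web Application Proxy server, since the same certificate must be present on each.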

In the next post I will talk about installing the ADFS federation server and configuring the Device Registration Service.

Comments

  • Anonymous
    May 07, 2014
    Installing ADFS federation server: In the previous blogs we looked at the different new features in ADFS
  • Anonymous
    May 08, 2014
    Pingback from Configure Web Application Proxy server and publish Device Registration service in Windows 2012 R2 | MS Tech BLOG
  • Anonymous
    November 23, 2014
    QQ: Why does everyone forget to add 2012 R2 as a prerequisite for group managed service accounts (gMSA), as this is not available in 2008 R2 or below?
  • Anonymous
    November 24, 2014
    @Arvind - Using a gMSA for the ADFS service account is not mandatory; it's just good to have as it's easy to manage. If not a gMSA, you can use a normal domain service account for ADFS, as mentioned above under the prerequisites section.
  • Anonymous
    February 19, 2015
    I have configured Server 2012 R2 and configured ADFS with a self-signed certificate. Now I can access the login page but not the ADFS portal.
  • Anonymous
    August 11, 2015
    You need a bypass (direct connect) within the proxy server PAC file to the external ADFS (.com) server (coupling).
    All clients need:
    Create a GPO where the external ADFS (.com) server becomes a trusted intranet server (coupling).
    Create a network access control list (ACL) for port 443 (ADFS uses SSL).