I have often seen IT organizations within large enterprises struggle to arrive at the right AD FS implementation. They almost certainly understand that AD FS is the right tool for securely brokering resource requests from both internal and external users, but they fail to position it in a reliable fashion. In my first post today, I will explain a set of generic guidelines to help you configure AD FS in your farm environment in an optimal way.
In a typical farm environment, you have three security zones.
- The internet zone, where your external users reside and request access to your organizational resources.
- The DMZ (de-militarized zone), which is your perimeter network between the external and internal firewalls; external users are allowed in only as far as the web servers and resources of limited confidentiality that live here.
- The intranet zone, which is the most secure of the three: only internal users can reach the resources residing in it.
In a world where you constantly interact with a lot of trading partners whose users sit in the internet zone, letting them reach resources in the intranet becomes a challenge. AD FS can be used in this scenario to create an “AD FS-enabled resource”, but this is occasionally where IT teams hit a wall. They cannot simply expose the internal AD FS server for external access and have it participate in a trust relationship, since that would mean opening the SSL port (TCP 443) through the firewall into the intranet, which is not in their policy books.
AD FS can be used in conjunction with an AD FS Proxy and an HTTP proxy to solve the problem of external and internal access in the following configuration scenarios:
- External users AD FS configuration without firewall limitations on SSL port
- External users AD FS configuration with firewall limitations on SSL port
- AD FS configuration for internal users
Before exploring these scenarios, you must be aware of the pre-requisites that are discussed in the next section.
The following setup is expected in your environment before you can configure AD FS:
- Split-brain DNS: the public DNS record for the Federation Service name resolves to the IP address of the AD FS proxy (the machine in the DMZ where you will install the AD FS Proxy, or its NLB address), while internal DNS resolves the same name to the internal AD FS server.
- A valid server-authentication (SSL) certificate issued by a Certificate Authority (CA), with the Federation Service name as its subject, installed in the Personal store of the Local Computer on the proxy server, with read permission on its private key granted to the AD FS service account.
- A firewall rule allowing SSL traffic on TCP 443 from the DMZ to the internal AD FS server (only for the first scenario).
- A host mapping on the AD FS proxy (for example a hosts-file entry) so that the Federation Service name resolves to the internal AD FS server's IP address; the proxy contacts the federation server by that name, not by a separate internal name.
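The following PowerShell script is an added example, not part of the original post, that checks these four prerequisites from the DMZ proxy host before the AD FS proxy is configured. The Federation Service name sts.contoso.com, the public address 203.0.113.10, the internal AD FS (NLB) address 10.0.0.10 and the service account CONTOSO\svc_adfs are assumed values; replace them with your own. The private-key ACL lookup assumes a CSP (RSA MachineKeys) key, which is what AD FS 2.0 expects; a CNG key is stored elsewhere and would need a different path.

```powershell
# Added example (not from the original post): pre-flight check of the AD FS proxy
# prerequisites, run on the DMZ proxy host. All names and addresses are assumed.
$fsName       = 'sts.contoso.com'   # Federation Service name (assumed)
$publicIp     = '203.0.113.10'      # public address of the proxy or its NLB VIP (assumed)
$internalAdfs = '10.0.0.10'         # internal AD FS server or NLB address (assumed)
$adfsAccount  = 'CONTOSO\svc_adfs'  # AD FS service account (assumed)
$results = @{}

# 1. Split-brain DNS: the public record for the service name must point at the proxy,
#    not at the internal federation server. -DnsOnly bypasses the local hosts file.
$answer = Resolve-DnsName -Name $fsName -Type A -DnsOnly -ErrorAction SilentlyContinue
$results['PublicDnsPointsToProxy'] = ($answer.IPAddress -contains $publicIp)

# 2. Host mapping on the proxy: the proxy reaches the internal AD FS server by the same
#    name, so the hosts file must map that name to the internal address.
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern = "^\s*$([regex]::Escape($internalAdfs))\s+$([regex]::Escape($fsName))(\s|$)"
$results['HostsEntryForAdfs'] = [bool]($hosts -match $pattern)

# 3. Certificate: a CA-issued server-authentication certificate whose subject is the
#    service name, in the machine Personal store, with a private key the service
#    account can read.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$results['CertPresent'] = ($cert -ne $null)
if ($cert) {
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $results['CertServerAuthEku'] = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    $results['CertNotSelfSigned']  = ($cert.Issuer -ne $cert.Subject)
    # Assumes a CSP key (AD FS 2.0); the key file lives under RSA\MachineKeys.
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference -eq $adfsAccount -and $_.FileSystemRights -match 'Read|FullControl' }
    $results['KeyReadableByServiceAccount'] = [bool]$acl
}

# 4. Firewall: TCP 443 from the DMZ to the internal federation server (scenario 1 only).
$tcp = New-Object Net.Sockets.TcpClient
try     { $tcp.Connect($internalAdfs, 443); $results['Tcp443ToInternalAdfs'] = $tcp.Connected }
catch   { $results['Tcp443ToInternalAdfs'] = $false }
finally { $tcp.Close() }

$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
if ($results.Values -contains $false) {
    Write-Warning 'One or more AD FS proxy prerequisites are not met; fix them before running the proxy configuration wizard.'
}
```

Run it in an elevated PowerShell session on the proxy, because reading the MachineKeys ACL requires administrative rights. A failed Tcp443ToInternalAdfs check with everything else passing is the signature of the second scenario below, where the internal firewall does not allow 443 and the proxy must route through an HTTP proxy instead.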
ADFS configuration without firewall limitations on SSL
The following diagram illustrates the AD FS setup for allowing external partners access to internal resources without firewall restrictions on SSL port 443:
Figure 1: Access to external users using AD FS Proxy
- Client attempts to access the AD FS-enabled internal resource via the Network Load Balancer (NLB).
- Client is redirected to its organization’s internal federation service.
- The AD FS proxy server intercepts and presents the client with the sign-on page.
- The AD FS proxy presents the submitted user credentials to the AD FS server for authentication.
- The AD FS server authenticates the client credentials against Active Directory.
- The AD FS server provides the client, via the AD FS proxy server, with an authorization cookie containing the signed security token and the set of claims for the resource partner.
- The client presents the authorization cookie with the security token to the resource for access.
The AD FS Proxy needs to be configured with a server authentication SSL certificate from a CA. That CA can be the organization's enterprise PKI or a public CA, as the organization's security policy dictates; keep in mind that external users' browsers must already trust the issuing chain, otherwise they will see certificate warnings at the proxy's sign-on page.
ADFS configuration with firewall limitations on SSL
The following diagram illustrates the AD FS setup for allowing external partners access to internal resources where there are firewall restrictions to opening port 443:
Figure 2: Access to external users (HTTP proxy enabled)
The steps are similar to the previous section, except that the AD FS proxy needs to be configured to route its requests to the federation server through an HTTP proxy. This is required when there are restrictions on opening TCP 443 on the internal firewall: the proxy then reaches the federation server over the HTTP proxy's port rather than directly on 443. The HTTP proxy settings can be supplied through Internet Explorer's proxy configuration or with tools like Fiddler. An alternative arrangement is to use hardware routers to work around the port restrictions.
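As an added example (not code from the original post), the following PowerShell session points an AD FS 2.0 federation server proxy at an internal HTTP proxy using the AD FS 2.0 cmdlet Set-ADFSProxyProperties and its -ForwardProxyUrl parameter, then proves that the federation server is reachable through that proxy before the AD FS service is restarted. The service name sts.contoso.com and the proxy URL http://proxy.corp.contoso.com:8080 are assumed values, and the service name adfssrv is assumed to be the AD FS 2.0 Windows Service on the proxy host.

```powershell
# Added example (not from the original post): route the AD FS 2.0 proxy's traffic to the
# federation server through an internal HTTP proxy instead of a direct DMZ -> intranet
# hole on TCP 443. Names and URLs are assumed values.
$fsName    = 'sts.contoso.com'                    # Federation Service name (assumed)
$httpProxy = 'http://proxy.corp.contoso.com:8080' # internal HTTP proxy (assumed)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop   # AD FS 2.0 cmdlets

# Tell the federation server proxy to send its requests through the HTTP proxy.
Set-ADFSProxyProperties -ForwardProxyUrl $httpProxy
Get-ADFSProxyProperties | Format-List

# Prove the path works before restarting: fetch the federation metadata through the
# same HTTP proxy. An EntityDescriptor whose entityID names our service means the
# proxy can reach the federation server over HTTPS via the forward proxy.
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$web = New-Object Net.WebClient
$web.Proxy = New-Object Net.WebProxy($httpProxy)
try {
    [xml]$meta = $web.DownloadString($metaUrl)
    $reachable = ($meta.DocumentElement.LocalName -eq 'EntityDescriptor') -and
                 ($meta.DocumentElement.entityID -match [regex]::Escape($fsName))
} catch {
    $reachable = $false
    Write-Warning "Metadata download via $httpProxy failed: $($_.Exception.Message)"
}

if ($reachable) {
    Restart-Service adfssrv          # assumed: AD FS 2.0 Windows Service on the proxy
    Write-Host "Forward proxy $httpProxy verified; AD FS proxy service restarted."
} else {
    Write-Warning "Federation metadata not reachable via $httpProxy; fix the forward proxy before restarting AD FS."
}
```

The metadata fetch goes through the HTTP proxy as a CONNECT tunnel, so the TLS session still terminates on the federation server; the HTTP proxy only provides the path across the internal firewall and never sees the federation traffic in the clear.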
ADFS configuration for internal access
The internal user scenario is much simpler: the client never leaves the intranet, and the intranet zone has only a one-way trust with the perimeter network, so no proxy is involved.
Figure 3: Access to internal users
- Employee attempts to access the AD FS-enabled internal resource.
- The AD FS server authenticates the client against Active Directory.
- The AD FS server provides the client with an authorization cookie containing the signed security token and the set of claims for the resource partner.
- The client presents the authorization cookie with included security token to the resource for access.
Caution for SSL offloading
AD FS requires SSL end to end. The external user scenarios discussed above fail if there is a requirement for SSL offloading at the NLB, because the NLB would then terminate SSL and forward plain HTTP to the AD FS proxy or federation server; those servers must terminate the SSL session themselves.
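The following PowerShell check is an added example, not part of the original post, for confirming from outside the DMZ that the SSL session for the Federation Service terminates on the AD FS proxy and not on an offloading NLB. It assumes the service name sts.contoso.com and that you have copied the thumbprint of the proxy's SSL certificate (from Get-ChildItem Cert:\LocalMachine\My on the proxy) into the placeholder below.

```powershell
# Added example (not from the original post): detect SSL offloading in front of the
# AD FS proxy. Run from a client outside the DMZ. Service name and expected
# thumbprint are assumed values; take the thumbprint from the proxy's certificate store.
$fsName        = 'sts.contoso.com'                              # assumed
$expectedThumb = '0000000000000000000000000000000000000000'      # assumed placeholder

$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$req = [Net.HttpWebRequest]::Create($metaUrl)
$req.Method = 'HEAD'
try   { $resp = $req.GetResponse(); $resp.Close() }
catch { }   # an HTTP error is fine: the TLS handshake has already completed

# The certificate the client actually negotiated with. If an NLB terminates SSL,
# this is the NLB's certificate, not the one installed on the AD FS proxy.
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate

$subjectOk = $served.Subject -like "CN=$fsName*"
$thumbOk   = $served.Thumbprint -eq $expectedThumb.ToUpper()

if ($subjectOk -and $thumbOk) {
    Write-Host "SSL terminates on the AD FS proxy (thumbprint $($served.Thumbprint)); no offloading detected."
} else {
    Write-Warning ("SSL is terminated by another device: served subject '{0}', thumbprint {1}. " +
                   "AD FS needs the session to reach the proxy intact; disable offloading on the NLB.") `
                   -f $served.Subject, $served.Thumbprint
}
```

A thumbprint mismatch with a matching subject is the typical offloading signature: the NLB has its own copy of a certificate for the same name and re-encrypts (or, worse, forwards plain HTTP) toward the proxy. Either way the AD FS proxy is not the SSL endpoint and the external scenarios will not work.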