The AD FS service in Windows 2012 R2 provides simplified, secure, claims-based identity federation and web single sign-on (SSO) for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
ADFS has undergone many changes in Windows 2012 R2; the new improvements in ADFS are:
- ADFS is a role service in Windows 2012 R2
- Support for multi-factor authentication, which can be applied globally or per relying party
- A brand new Device Registration Service that allows you to register non-domain-joined devices with your corporate Active Directory, a state known as Workplace Join. A workplace-joined device is a mid-state between a domain-joined computer and a workgroup computer. You need to enable this service manually once ADFS is installed, and the subject name for the Device Registration Service must be present on the certificate used for ADFS. This service can be used as a second authentication factor, so that an application can only be accessed from devices that are workplace joined.
- Web Application Proxy: the ADFS Proxy is used to publish the ADFS service to external clients. In Windows 2012 R2 the ADFS Proxy is installed through the new Remote Access role: you install the Web Application Proxy role service and enable the ADFS Proxy functionality there. Apart from acting as an ADFS Proxy, Web Application Proxy can be used as a reverse proxy for many other applications, functionality which is also provided by TMG.
- Password change from workplace-joined devices
- New PowerShell cmdlets for the federation server and the ADFS Proxy
Prerequisites – Before you install the ADFS service, make sure the following prerequisites are met:
You need a third-party certificate for the ADFS service that is trusted by clients. The following subject names are required in the certificate:
Subject Name (CN): adfs1.contoso.com (or whatever name you use for the ADFS service)
Subject Alternative Name (DNS): adfs1.contoso.com
Subject Alternative Name (DNS): enterpriseregistration.contoso.com (used by clients to connect to the Device Registration Service)
This certificate must be installed on the federation server as well as on the Web Application Proxy server.
ADFS Service account
Create a group managed service account (gMSA) to use as the ADFS service account while installing ADFS. A gMSA named FSGMSA is used in this demo.
You can also use a regular domain service account as the ADFS service account.
DNS service records
Create an A record for the ADFS service that points to the ADFS farm or the standalone ADFS server.
Create an alias (CNAME) for the Device Registration Service, i.e. enterpriseregistration.contoso.com, that points to the ADFS server.
Configure name resolution between the ADFS federation server and the Web Application Proxy.
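To check and create the three prerequisites above (certificate SANs, gMSA, DNS records) from a domain-joined server, here is an added PowerShell example that is not part of the original post. It assumes the names used in this demo (adfs1.contoso.com, contoso.com, FSGMSA), a computer account named ADFS1 for the federation server, and a placeholder address 10.0.0.5; the ActiveDirectory and DnsServer RSAT modules and Domain Admin rights are required.

```powershell
# Added example (not from the original post). Assumed values for this demo:
#   adfs1.contoso.com  - ADFS service name (certificate CN and first SAN)
#   contoso.com        - DNS zone, so the second SAN is enterpriseregistration.contoso.com
#   ADFS1              - computer account of the federation server (may retrieve the gMSA password)
#   10.0.0.5           - placeholder IPv4 address of the federation server
Import-Module ActiveDirectory
Import-Module DnsServer

$FederationName = 'adfs1.contoso.com'
$DomainName     = 'contoso.com'
$DeviceRegName  = "enterpriseregistration.$DomainName"
$ADFSServerIp   = '10.0.0.5'
$GmsaName       = 'FSGMSA'
$ADFSHost       = 'ADFS1'

# 1. Certificate: newest cert in the machine store whose CN is the federation name
#    must carry both required DNS SANs, otherwise ADFS and device registration fail.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FederationName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FederationName in LocalMachine\My" }
# DnsNameList is a PowerShell extended property listing the SAN DNS entries.
$sans = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() }
foreach ($required in @($FederationName, $DeviceRegName)) {
    if ($sans -notcontains $required) { throw "Certificate is missing SAN: $required" }
}
Write-Host "Certificate $($cert.Thumbprint) carries the required SANs"

# 2. Service account: a gMSA needs a KDS root key in the forest. -EffectiveImmediately
#    still waits up to 10 hours for replication when there is more than one DC.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $FederationName `
        -ServicePrincipalNames "http/$FederationName" `
        -PrincipalsAllowedToRetrieveManagedPassword "$ADFSHost`$"
}

# 3. DNS: A record for the federation service, CNAME (alias) for device registration.
if (-not (Get-DnsServerResourceRecord -ZoneName $DomainName -Name 'adfs1' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $DomainName -Name 'adfs1' -IPv4Address $ADFSServerIp
}
if (-not (Get-DnsServerResourceRecord -ZoneName $DomainName -Name 'enterpriseregistration' -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $DomainName -Name 'enterpriseregistration' -HostNameAlias $FederationName
}
# Verify the alias resolves through to the federation server's A record.
Resolve-DnsName $DeviceRegName | Format-Table Name, Type, NameHost, IPAddress
```

Run the script on a domain controller or a server with RSAT; the Web Application Proxy server, which is typically not domain joined, only needs the certificate step and hosts-file or DNS resolution for adfs1.contoso.com.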