ADFS new features and prerequisites in Windows 2012 R2


The AD FS role in Windows Server 2012 R2 provides simplified, secured, claims-based identity federation and web single sign-on (SSO) for users who need to access applications inside an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

ADFS has undergone many changes in Windows 2012 R2. The main improvements are:

  • ADFS is now a built-in server role in Windows 2012 R2, installed from Server Manager or with Install-WindowsFeature ADFS-Federation; it no longer depends on IIS, because the service listens on HTTP.SYS directly.
  • Support for multi-factor authentication (MFA), which can be applied globally or per relying party trust; the additional authentication policy is expressed as claim rules.
  • A new Device Registration Service (DRS) that lets you register non-domain-joined devices with your corporate Active Directory, known as Workplace Join. A workplace-joined device is a middle state between a domain-joined computer and a workgroup computer. DRS is not enabled automatically: you enable it manually once ADFS is installed, and the ADFS certificate must carry enterpriseregistration.<UPN suffix> as a subject alternative name so that clients can reach the registration endpoint. Once a device is registered, ADFS can use device authentication as a second factor, so that an application can be restricted to devices that are workplace joined.
  • Web Application Proxy - the ADFS proxy publishes the federation service to external clients. In Windows 2012 R2 the proxy is no longer a separate ADFS role; it is the Web Application Proxy role service of the Remote Access role. To configure the ADFS proxy you install Web Application Proxy and run its configuration wizard, which establishes the trust with the federation server. Apart from acting as the ADFS proxy, Web Application Proxy can be used as a reverse proxy for many other applications, a function that was previously provided by Forefront TMG.
  • Password change from workplace-joined devices
  • New PowerShell cmdlets for the federation server and the ADFS proxy
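The MFA and device registration features above are configured with the new cmdlets rather than the GUI in most farms. The following is an added example (not code from the original post) run on a 2012 R2 federation server; the relying party name "Claims Web App", the gMSA name CONTOSO\FSGMSA$ and the contoso.com domain are assumptions, and the MFA rule assumes an MFA provider such as certificate authentication has been enabled in the global authentication policy.

```powershell
# Added example (not from the original post): configuring 2012 R2 MFA and DRS
# with the ADFS PowerShell module. RP name, gMSA name and domain are assumptions.
Import-Module ADFS

# 1. Multi-factor authentication. In 2012 R2 the "additional authentication"
#    policy is a claim rule: when it issues the multipleauthn authentication-method
#    claim, ADFS prompts for a second factor with whichever MFA provider is enabled.
$mfaOutsideRule = @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Globally: every relying party requires MFA for requests that arrive from outside
# the corporate network (i.e. through the Web Application Proxy).
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaOutsideRule

# Per relying party: this application additionally requires MFA whenever the
# request does not come from a registered (workplace-joined) device. The device
# claim is only present once device authentication is enabled (step 2 below).
$mfaUnlessRegisteredDevice = @'
NOT EXISTS([type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", value == "true"])
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Claims Web App' -AdditionalAuthenticationRules $mfaUnlessRegisteredDevice

# 2. Device Registration Service (Workplace Join). DRS is off after install:
#    Initialize creates the registration service objects in AD (run once per forest,
#    as an enterprise admin); Enable turns the endpoint on for this farm.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\FSGMSA$'
Enable-AdfsDeviceRegistration

# Let ADFS authenticate registered devices so device claims are available to
# issuance authorization rules and to the MFA rule above.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Verify: the rules should be visible and the DRS endpoint should be enabled.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name 'Claims Web App').AdditionalAuthenticationRules
Get-AdfsDeviceRegistration
Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*EnrollmentServer*' }
```

The global rule and the per-RP rule are evaluated independently, so a request from outside the network to "Claims Web App" triggers MFA even from a registered device; swap the rules around if the intent is "registered device is enough from anywhere". The insidecorporatenetwork claim is only reliable when external traffic really does come through the Web Application Proxy, which is why the proxy trust is part of the prerequisites.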

 

Prerequisites – Before you install the ADFS service, make sure the following prerequisites are met:

 

Certificate

You need a certificate for the ADFS service that is trusted by every client that will use it, normally from a third-party (public) CA, because external and workplace-joined devices do not trust an internal CA. The following names are required in the certificate:

Subject Name (CN): adfs1.contoso.com (or whatever name you choose for the federation service; pick a name that is not the hostname of any federation server, since the name is shared by every farm member and the Web Application Proxy)

Subject Alternative Name (DNS): adfs1.contoso.com

Subject Alternative Name (DNS): enterpriseregistration.contoso.com (the Device Registration Service name that clients connect to; one entry is needed for every UPN suffix your users have)

Install the certificate, together with its private key, in the computer personal store on every federation server and on every Web Application Proxy server; the proxy terminates TLS for external clients, so it must present the same names.

 

ADFS Service account

Create a group managed service account (gMSA) to run the ADFS service; in this demo the gMSA is named FSGMSA. gMSAs require the Windows Server 2012 AD schema, at least one Windows Server 2012 (or later) domain controller and a KDS root key created with Add-KdsRootKey; they are not available with Windows Server 2008 R2 or earlier domain controllers.

You can also use an ordinary domain user account as the ADFS service account, in which case you manage its password yourself.

 

DNS service records

Create an A record (not a CNAME) for the federation service name that points to the load balancer VIP of the ADFS farm, or to the single server of a standalone deployment. A CNAME breaks Windows integrated authentication, because the client requests a Kerberos ticket for the target of the alias rather than for the federation service name.

Create an alias (CNAME) for the Device Registration Service, i.e. enterpriseregistration.contoso.com, that points to the federation service name; one such record is needed for every UPN suffix in use.

Configure name resolution between the federation server and the Web Application Proxy: the proxy, usually in the DMZ, must resolve the federation service name to the internal federation server (a hosts file entry is the usual way), while external DNS resolves the same name to the proxy's public IP address.
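Before running the ADFS configuration wizard it is worth checking all three prerequisites from PowerShell. The script below is an added example, not part of the original post; it keeps the post's names (adfs1.contoso.com, enterpriseregistration.contoso.com, FSGMSA) and assumes the internal IP 10.0.0.10, a DNS server named DC1 and a security group "ADFS Servers" that contains the federation server computer accounts.

```powershell
# Added example (not from the original post): checking the certificate, gMSA and
# DNS prerequisites. IP address, DNS server name and group name are assumptions.
$fsName  = 'adfs1.contoso.com'
$drsName = 'enterpriseregistration.contoso.com'

# --- 1. Certificate: in the computer store, with private key, chain OK, all SANs present
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No certificate for $fsName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key (import the PFX, not the CER)" }
if (-not $cert.Verify())      { throw "Certificate chain for $($cert.Thumbprint) does not build to a trusted root on this host" }

# The SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b"; pull the names out.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans   = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($required in $fsName, $drsName) {
    if ($sans -notcontains $required) { throw "Certificate is missing SAN $required" }
}
"Certificate OK: $($cert.Thumbprint) SANs: $($sans -join ', ')"

# --- 2. gMSA: needs the KDS root key and a 2012-level DC; run this part on a domain controller
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    # Lab shortcut: back-date the key so it is usable at once. In production use
    # Add-KdsRootKey -EffectiveImmediately and wait 10 hours for AD replication.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
if (-not (Get-ADServiceAccount -Filter { Name -eq 'FSGMSA' })) {
    # host/<federation service name> is the SPN ADFS needs; this is why the service
    # name must not also be a server's hostname (the computer account already owns that SPN).
    New-ADServiceAccount -Name 'FSGMSA' -DNSHostName $fsName `
        -ServicePrincipalNames "host/$fsName" `
        -PrincipalsAllowedToRetrieveManagedPassword 'ADFS Servers'
}
# Then on each federation server (member of "ADFS Servers"):
#   Install-ADServiceAccount FSGMSA; Test-ADServiceAccount FSGMSA   # must return True

# --- 3. DNS: A record for the service name (never a CNAME), CNAME for DRS
Add-DnsServerResourceRecordA     -ComputerName DC1 -ZoneName 'contoso.com' -Name 'adfs1' -IPv4Address '10.0.0.10'
Add-DnsServerResourceRecordCName -ComputerName DC1 -ZoneName 'contoso.com' -Name 'enterpriseregistration' -HostNameAlias $fsName

# Verify from the federation server: the service name must come back as a plain A record
$a = Resolve-DnsName $fsName -Type A -ErrorAction Stop
if ($a | Where-Object Type -eq 'CNAME') { throw "$fsName resolves through a CNAME; Windows integrated auth will fail" }
Resolve-DnsName $drsName -ErrorAction Stop | Format-Table Name, Type, IPAddress, NameHost -AutoSize
```

Run the certificate check on every federation server and on the Web Application Proxy, since each host needs the private key in its own store; on the proxy, also confirm that $fsName resolves to the internal federation server (hosts file) and not to the proxy's own public address.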

The next post will cover installing the ADFS federation server and configuring the Device Registration Service.


Comments (12)

  1. Anonymous says:

    Installing ADFS federation server: In the previous blogs we looked at the different new features in ADFS

  2. Anonymous says:

    Pingback from Configure Web Application Proxy server and publish Device Registration service in Windows 2012 R2 | MS Tech BLOG

  4. Oncloud says:

    Hi

    I have a simple question and looking for a simple solution 🙂

    I have Active directory with .local domain (We are not running a split DNS). Our SharePoint is published externally on .com however internal users type .com to reached the SharePoint site, they have to enter the username and password. We don't have .com DNS
    Zone in our internal DNS and for some reason we don't want that.

    Now we re planning to install ADFS 3.0 for a new solution. We will install ADFS 3.0 internally and Proxy server DMZ. Users externally will type .com domain to get to ADFS proxy, so I need to have ADFS service on .com - Happy to buy the SSL with all the required
    domain names and SANs and create a DNS entry in public DNS provider to point to ADFS server. All fine. but also need a DNS Zone .com on internal DNS server and create A record for the ADFS service/server. Now this is difficult, it means that if we create a
    split domain new have to enter more than 500 records which we have published services. big change, and if we don't do it then we will receive a No page found error.

    Any one have any idea how I can achieve with making split DNS? or if I have to create a Zone internally, then is there a way not to create each service enter?

    Many Thanks.

  5. QQ: Why does everyone forget to add 2012 R2 as a prerequisite for group managed service accounts (gMSA), as they are not available in 2008 R2 or below?

  6. Amit Dobhal says:

    @Arvind - Using a gMSA for the ADFS service account is not mandatory; it's just good to have, as it's easy to manage. If not a gMSA, you can use a normal domain service account for ADFS, as mentioned above under the prerequisites section.

  7. IT pradeep says:

    I have configured Server 2012 R2 and configured ADFS with a self-signed certificate. Now I can access the login page but not the ADFS portal.

  8. Hoani says:

    To: Oncloud

    I'm assuming you've already got your ADFS set up?

    In case you haven't, the easiest way for you to achieve this without split domains is to:

    1. Add an alternative UPN suffix of .com to your domain.
    2. Change all user logon names to use the new .com UPN. The old .local will still work, though, but they should all use the new UPN, as I suspect this will be the same as their email addresses?
    This is easy enough to achieve by running a PowerShell script against the user accounts.

    3. Create a new forward lookup zone in DNS for your .com domain. You will have entries in here for your ADFS server.
    4. Configure the federation of your on-prem SharePoint against ADFS.

  9. Politi says:

    Oncloud, check out pinpoint DNS; basically the idea is to create a zone just for the ADFS A record, thereby avoiding the whole split DNS debacle.
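The pinpoint zone approach from the comment above, as an added example (not code from the post or from any commenter): a primary zone whose name is the federation service name itself, so only that one name is answered internally and every other public .com name still goes out through the forwarders. The names adfs.example.com and enterpriseregistration.example.com, the internal address 10.0.0.10 and the DNS server DC1 are assumptions.

```powershell
# Added example (not from the post or its comments): pinpoint DNS zones for the
# federation service on the internal DNS server. Names and addresses are assumptions.
$fsName   = 'adfs.example.com'
$internal = '10.0.0.10'

# A pinpoint zone is a primary zone whose name IS the host name; the A record
# lives at the zone apex ('@'), so only that single name is overridden internally.
Add-DnsServerPrimaryZone -ComputerName DC1 -Name $fsName -ReplicationScope Domain
Add-DnsServerResourceRecordA -ComputerName DC1 -ZoneName $fsName -Name '@' -IPv4Address $internal

# Workplace Join needs enterpriseregistration.<upn suffix> too. A CNAME cannot sit
# at a zone apex, so use a second pinpoint zone with an A record instead of an alias.
$drsName = 'enterpriseregistration.example.com'
Add-DnsServerPrimaryZone -ComputerName DC1 -Name $drsName -ReplicationScope Domain
Add-DnsServerResourceRecordA -ComputerName DC1 -ZoneName $drsName -Name '@' -IPv4Address $internal

# Check: these two names resolve to the internal federation server, while any
# other example.com name is still answered by the public zone via the forwarders.
Resolve-DnsName $fsName  -Server DC1 -Type A
Resolve-DnsName $drsName -Server DC1 -Type A
Resolve-DnsName 'www.example.com' -Server DC1 -Type A
```

Because the zone apex must hold an A record, the internal answer is still an A record for the federation service name, which keeps Windows integrated authentication working; external clients keep getting the proxy's public address from the public zone.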

  10. Indunil says:

    DNS Requirement

    • Internal DNS

    DNS Record                            Record Type   Value             Comments
    sts.mydomain.com                      A             172.16.160.30     HLB IP address
    enterpriseregistration.mydomain.com   CNAME         App.mydomain.com

    • External DNS

    DNS Record                            Record Type   Value             Comments
    sts.mydomain.com                      A             77.88.88.138      Public IP address

    My question is: do we need to have an external DNS entry for enterpriseregistration.mydomain.com with the same public IP address?

  11. Indunil says:

    sorry internal DNS is
    enterpriseregistration.mydomain.com CNAME sts.mydomain.com

  12. B-Art says:

    You need a bypass (direct connect) within the proxy server PAC file to the external ADFS (.com) server (coupling).
    All clients need:
    Create a GPO where the external ADFS (.com) server becomes a trusted intranet server (coupling).
    Create a network access control list (ACL) to port 443 (ADFS uses SSL).
