
Post on 05-Jan-2016



Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure

Brian Puhl, Technology Architect, Microsoft IT

SIM401

Agenda

ADFS Roles/Functions

Deployment Topologies

Management Operations

Why Bother?

ADFS is your identity interface to the cloud

Claims based authentication

Application portability

SaaS adoption – O365, etc…

The expectation from your users and applications is that ADFS is as seamless and transparent as Active Directory

ADFS in Action

(Diagram: Internal Client, two Federation Servers, Web Server and Active Directory; federation trusts between the A. Datum account forest and the Trey Research resource forest, with Microsoft (Users) and Contoso (Users) on the account side and E-Company Store (Resource) and Fabrikam (Resource) on the resource side.)

High Availability/Disaster Recovery

Factor high availability and disaster recovery plans into the service architecture

2 or more ADFS server farms in different data centers

Back end SQL store comprised of a minimum of 2-node clusters located in multiple DCs

Mirrored against one another for failover

STS Services configured for SQL failover

Deployment Topology

(Diagram: Site1 and Site2, each hosting MSIT.adfs.microsoft.com in Extranet and Corpnet tiers, with mirrored SQL clusters between the sites.)

Deployment Topology


Federation Service (FS)

Security Token Service (STS)

Maps user attributes to claims

Issues security tokens

Manages federation trust policies, claim rules

Deployment Topology


Federation Service Proxy (FS-P)

Client proxy for token requests

Provides UI for browser clients

Forms based auth

Home realm discovery

Configuring DNS

Users should always contact their “local” ADFS instance

Internet users must resolve to the FS-P servers

The FS-P’s must resolve to the FS servers

Internal users must resolve to the FS servers

Solution

We chose a dedicated namespace which we could host both internally and externally:

<instance>.sts.microsoft.com

Load Balancing

(Diagram: Internet, DMZ and Intranet tiers; Geographic DNS at the Internet edge, with a load balanced tier in the DMZ and another in the Intranet.)

Ability to shift or balance traffic between data centers

Hardware load balancers enable quick response to server failures

Internal load balancers provide high availability

Load Balancing


Use HOST files to create pairs of Federation Servers and Proxies

Use HOST files to direct Proxy to FS-servers

Operations processes for managing a failed Fed Server

Add server name to common pages (HRD, Login, Error)

<%=System.Environment.MachineName %>

Deployment Topology


SQL Configuration Store

SQL server

ADFS service configuration

Trust and claims rule storage

SAML artifact storage

SQL Configuration

Mirrored Clusters

SQL mode of operation: High Performance Mode

Asynchronous transactions

Minor risk of loss of token replay and artifacts during failover

Requires low latency between clusters to keep consistency

SQL Configuration

Server Configuration

ADFS Service Host XML configuration file:

C:\program files\Active Directory Federation Services 2.0\Microsoft.identityServer.ServiceHost.exe.config

<microsoft.identityServer.service>
  <policyStore connectionString="Data Source=SQL1.contoso.com; Initial Catalog=AdfsConfiguration; Integrated Security=True; Failover Partner=SQL2.contoso.com"
               administrationUrl="net.tcp://localhost:1500/policy" />
  <trustMonitoring enabled="true" />
</microsoft.identityServer.service>

SQL Configuration Requirements

Repeat process for artifact store (Powershell)

PS C:\Windows\system32> get-ADFSProperties | %{$_.ArtifactDbConnection}

Data Source=SQL1.contoso.com;Initial Catalog=AdfsArtifactStore;Integrated Security=True;Failover Partner=SQL2.contoso.com
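Added example, not from the SIM401 deck: a check that both the policy store and the artifact store carry a SQL mirroring Failover Partner and that both SQL nodes answer, adding the partner to the artifact store when it is missing. It assumes the AD FS 2.0 snap-in on a federation server and reuses the deck's server and path names.

```powershell
# Added example (not from the deck): verify SQL failover configuration for the two ADFS
# SQL stores. Assumptions: AD FS 2.0 snap-in available, SQL1/SQL2 and the config path
# are the deck's example values.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$configFile = 'C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe.config'
$mirrorPartner = 'SQL2.contoso.com'

function Get-CsValue {
    # Case-insensitive lookup of one keyword in a SQL connection string
    param([string]$ConnectionString, [string]$Key)
    $b = New-Object System.Data.Common.DbConnectionStringBuilder
    $b.ConnectionString = $ConnectionString
    if ($b.ContainsKey($Key)) { return [string]$b[$Key] }
    return $null
}

function Test-AdfsSqlFailover {
    param([string]$Label, [string]$ConnectionString)
    $primary = Get-CsValue $ConnectionString 'Data Source'
    $partner = Get-CsValue $ConnectionString 'Failover Partner'
    if (-not $partner) {
        Write-Warning "$Label has no Failover Partner (primary: $primary); a SQL failover would take the STS down"
        return $false
    }
    # Both nodes of the mirrored pair must be reachable from this STS server
    foreach ($node in @($primary, $partner)) {
        $server = ($node -split ',')[0].Trim()    # drop an optional ",port" suffix
        if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
            Write-Warning "$Label node $server is not reachable"
            return $false
        }
    }
    Write-Host "$Label OK: $primary, failover partner $partner"
    return $true
}

# Policy (configuration) store: connection string lives in the ServiceHost config file
[xml]$cfg = Get-Content $configFile
$policyCs = $cfg.configuration.'microsoft.identityServer.service'.policyStore.connectionString
Test-AdfsSqlFailover -Label 'PolicyStore' -ConnectionString $policyCs | Out-Null

# Artifact store: connection string lives in the service properties; add the partner if missing
$artifactCs = (Get-ADFSProperties).ArtifactDbConnection
if (-not (Test-AdfsSqlFailover -Label 'ArtifactStore' -ConnectionString $artifactCs)) {
    if (-not (Get-CsValue $artifactCs 'Failover Partner')) {
        Set-ADFSProperties -ArtifactDbConnection "$($artifactCs.TrimEnd(';'));Failover Partner=$mirrorPartner"
        Write-Host "ArtifactStore: added Failover Partner=$mirrorPartner (takes effect after the AD FS service restarts)"
    }
}
```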


Claims Pipeline

(Diagram: the A. Datum account forest with Contoso (Users) and the Trey Research resource forest with Fabrikam (Resource); on each side the federation server runs the same pipeline: Accept Incoming Claims -> Authorize the Requestor -> Issue Outgoing Claims.)

RP Trust Policy Management

Use Powershell, not the UI

Allows for quickly recreating/reconfiguring the service

Store copies of the scripts externally from ADFS

# Creating new Relying Party
Add-ADFSRelyingPartyTrust -Name "Fabrikam" -Identifier "https://app.fabrikam.com/" -WsFedEndpoint "https://app.fabrikam.com/_trust/" -Notes "Sponsor Name:Brian Puhl" -TokenLifetime 60

RP Rules Management

@RuleName = "Store:Active Directory, Get Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);

@RuleName = "Store:Active Directory, Send givenname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
 => issue(claim = c);

Use Powershell, not the UI

Use the @RuleName operator to set the rule name shown in the UI
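Added example, not from the deck, covering the two slides above (scripted RP trusts stored outside ADFS, and rule sets managed as text): it exports every relying party trust as a re-runnable script plus its claim rule files so a rebuilt farm can be repopulated. The output folder is an assumption.

```powershell
# Added example (not from the deck): export relying party trusts to re-runnable scripts.
# Assumptions: AD FS 2.0 snap-in on a federation server; $OutDir is a placeholder path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Export-AdfsRelyingPartyTrusts {
    param([string]$OutDir = 'D:\AdfsConfig\RelyingParties')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Single-quote a value for the generated script, doubling embedded quotes
    $q = { param($s) "'" + ([string]$s -replace "'", "''") + "'" }
    foreach ($rp in Get-ADFSRelyingPartyTrust) {
        $safe = $rp.Name -replace '[^\w\-]', '_'
        $xformFile = Join-Path $OutDir "$safe.transform.rules"
        $authzFile = Join-Path $OutDir "$safe.authz.rules"
        # Rule sets are claim rule language text; separate files make them easy to diff
        Set-Content -Path $xformFile -Value ([string]$rp.IssuanceTransformRules)
        Set-Content -Path $authzFile -Value ([string]$rp.IssuanceAuthorizationRules)

        $ids = ($rp.Identifier | ForEach-Object { & $q $_ }) -join ','
        $add = "Add-ADFSRelyingPartyTrust -Name $(& $q $rp.Name) -Identifier @($ids)" +
               " -Notes $(& $q $rp.Notes) -TokenLifetime $($rp.TokenLifetime)"
        if ($rp.WSFedEndpoint) { $add += " -WSFedEndpoint $(& $q $rp.WSFedEndpoint)" }

        $set = "Set-ADFSRelyingPartyTrust -TargetName $(& $q $rp.Name) -IssuanceTransformRulesFile $(& $q $xformFile)"
        if ($rp.IssuanceAuthorizationRules) { $set += " -IssuanceAuthorizationRulesFile $(& $q $authzFile)" }

        $lines = @(
            "# Recreates relying party trust '$($rp.Name)', exported $(Get-Date -Format s)",
            $add,
            $set
        )
        Set-Content -Path (Join-Path $OutDir "$safe.ps1") -Value $lines
    }
}
Export-AdfsRelyingPartyTrusts
```

Run it on a schedule and keep the folder under version control; the diff of a `.rules` file is a far better change record than the UI offers.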

Claims Sources

Master Data Management concepts apply

Applications may not need “authoritative” data

Information in AD may not be the same as the other stores

SQL Attribute Stores

Must ALSO be highly available

Custom Attribute Stores

Custom extensibility point for querying attribute stores other than AD, ADLDS, or SQL

Written in .NET – implements IAttributeStore interface

Possible return values:

2-dimensional array of [claim type][claim value]

AttributeStoreInvalidConfigurationException

AttributeStoreQueryExecutionException

AttributeStoreQueryFormatException

Claims Best Practices

Claims Provider Rules apply to all users from that IdP

Custom Attribute Stores MUST return something

If the data store is unavailable, return a value to indicate to the application that the claims are not valid

Naming standards for claim types

Publish claim types in federation metadata for consistency

Security Best Practices

Utilize ADFS 2.0 integration with SCW

Systematically evaluate ADFSProperties and ADFS Relying Party properties

Set relevant Properties

Set optimal ADFS token lifetime to complement the resource being secured

Leverage the Extended Protection for authentication property

Ensure RPs call signout.aspx to clean up ADFS cookies

Security Best Practices

Enforce privacy of PII information

Secure custom attribute stores (SQL, WIF)

SQL server specific security

If Policy/Artifact store = SQL

Implement and enforce lifecycle on RP/IdP objects

Design an elevated admin access model

Reduce authentication surface area

Enabling relevant authN types on ADFS and Proxy

Review and enable applicable Endpoints and usage

ADFS/SCW unleashed

SCW usage and verification

Use scwcmd to register security role extensions.

SCW Configuration Information

Logging and Creating Usage Reports

Approach

Utilize IIS Log Parser to collect W3SVC events on ADFS servers

Download Log Parser 2.2 from Microsoft.com

Only generated for passive federation

SQL stored procedures to parse and insert into SQL

Author SSRS reports to view data in meaningful views.

# of auths per application realm.
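Added example, not from the deck: the "auths per application realm" count done directly in PowerShell over IIS W3SVC log lines, so the parsing logic is visible before it is moved into Log Parser and SQL. The log lines are constructed for the example; point $LogPath at a real W3SVC folder to run it on live data.

```powershell
# Added example (not from the deck): count passive sign-in requests per wtrealm from IIS
# W3C logs on a federation server. Sample lines below are constructed, not real traffic.
function Get-AdfsAuthsPerRealm {
    param([string[]]$Lines)
    $fields = @()
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # W3C logs declare the column layout in a #Fields header
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Passive federation sign-ins hit /adfs/ls/ with wa=wsignin1.0 and wtrealm=<app>;
        # only the GET is counted so a forms-based sign-in (GET form, POST credentials) counts once
        if ($row['cs-uri-stem'] -notlike '/adfs/ls/*' -or $row['cs-method'] -ne 'GET') { continue }
        $q = @{}
        foreach ($kv in ($row['cs-uri-query'] -split '&')) {
            $k, $v = $kv -split '=', 2
            if ($k) { $q[$k] = [System.Uri]::UnescapeDataString("$v") }
        }
        if ($q['wa'] -ne 'wsignin1.0' -or -not $q['wtrealm']) { continue }
        $counts[$q['wtrealm']] = 1 + [int]$counts[$q['wtrealm']]
    }
    return $counts
}

# Constructed sample in IIS W3C format
$sample = @(
  '#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status',
  '2011-05-16 08:00:01 GET /adfs/ls/ wa=wsignin1.0&wtrealm=https%3a%2f%2fapp.fabrikam.com%2f 10.1.1.5 200',
  '2011-05-16 08:00:02 POST /adfs/ls/ wa=wsignin1.0&wtrealm=https%3a%2f%2fapp.fabrikam.com%2f 10.1.1.5 302',
  '2011-05-16 08:00:09 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline 10.1.1.7 200',
  '2011-05-16 08:00:10 GET /adfs/ls/ wa=wsignout1.0&wreply=https%3a%2f%2fapp.fabrikam.com%2f 10.1.1.5 200',
  '2011-05-16 08:00:12 GET /FederationMetadata/2007-06/FederationMetadata.xml - 10.1.1.9 200',
  '2011-05-16 08:01:30 GET /adfs/ls/ wa=wsignin1.0&wtrealm=https%3a%2f%2fapp.fabrikam.com%2f 10.1.1.8 200'
)
# Live data: $sample = Get-Content (Join-Path $LogPath '*.log')
Get-AdfsAuthsPerRealm -Lines $sample | Format-Table -AutoSize
```

For the sample above the result is https://app.fabrikam.com/ = 2 and urn:federation:MicrosoftOnline = 1; the sign-out and metadata requests are excluded.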

Troubleshooting User Authentications

Error messages include correlation ID which is included in one or more entries in the ADFS 2.0 log

Powershell snippet to query log for correlation ID

function Get-AdfsEventsByCorrelationId {
    param([string]$CoID, [string]$computername = $env:COMPUTERNAME)
    BEGIN {
        # XPath filter on the ActivityID that ADFS stamps on every event of one request
        $query = "*[System/Correlation[@ActivityID='{" + $CoID + "}']]"
        $log = "AD FS 2.0/Admin"
    }
    PROCESS {
        Get-WinEvent -ComputerName $computername -LogName $log -FilterXPath $query |
            fl MachineName, TimeCreated, Id, Message
    }
}

Availability and Monitoring

Internal Monitoring

SCOM Management Pack

Server availability

Service health

External Monitoring

Internet perspective of your service

Powershell scripts or internet providers

Verifies end-to-end through all network layers

Complex management of DNS records/resolution
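Added example, not from the deck: an external probe of one ADFS instance of the kind the slide describes, run from an Internet vantage point. It resolves the STS name, fetches the federation metadata, checks the entityID, reads the token-signing certificate expiry from the metadata and loads the IdP-initiated sign-on page. The host name and entityID are assumptions built on the deck's naming pattern.

```powershell
# Added example (not from the deck): end-to-end external probe of an ADFS instance.
# Assumptions: $StsHost and $ExpectedEntityId are placeholders following the deck's
# <instance>.sts.microsoft.com / MSIT.adfs.microsoft.com naming; run from outside corpnet.
function Test-AdfsFromInternet {
    param(
        [string]$StsHost = 'msit.sts.microsoft.com',
        [string]$ExpectedEntityId = 'http://msit.adfs.microsoft.com/adfs/services/trust',
        [int]$WarnDays = 30
    )
    $r = New-Object PSObject -Property @{
        Host = $StsHost; ResolvedTo = $null; EntityIdOk = $false
        SigningExpires = $null; SignOnPageOk = $false; Healthy = $false
    }
    try {
        # 1. DNS as seen from this vantage point: externally this should be the FS-P address
        $r.ResolvedTo = ([System.Net.Dns]::GetHostAddresses($StsHost) |
            ForEach-Object { $_.IPAddressToString }) -join ','
        $wc = New-Object System.Net.WebClient
        # 2. Federation metadata served over HTTPS and naming the expected federation service
        [xml]$md = $wc.DownloadString("https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml")
        $r.EntityIdOk = ($md.EntityDescriptor.entityID -eq $ExpectedEntityId)
        # 3. Token-signing certificate published in the metadata: warn before it expires
        $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
        $xp = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        $node = Select-Xml -Xml $md -Namespace $ns -XPath $xp | Select-Object -First 1
        $raw = [Convert]::FromBase64String($node.Node.InnerText)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $r.SigningExpires = $cert.NotAfter
        # 4. Passive sign-on page: through the FS-P this should render the forms sign-in page
        $page = $wc.DownloadString("https://$StsHost/adfs/ls/IdpInitiatedSignOn.aspx")
        $r.SignOnPageOk = ($page -match '<form')
        $r.Healthy = $r.EntityIdOk -and $r.SignOnPageOk -and
                     ($cert.NotAfter -gt (Get-Date).AddDays($WarnDays))
    } catch {
        # Any layer failing (DNS, TLS, proxy, FS, SQL behind it) surfaces here
        Write-Warning "$StsHost probe failed: $($_.Exception.Message)"
    }
    return $r
}
Test-AdfsFromInternet | Format-List Host, ResolvedTo, EntityIdOk, SigningExpires, SignOnPageOk, Healthy
```

Run the same function once per instance name and compare ResolvedTo against the expected FS-P address for that site; a wrong answer there is the DNS management problem the slide warns about.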

Summary

Deploying a high availability ADFS service is similar to any other highly available web application

SQL configuration is crucial

Claims availability can impact ADFS availability

Leverage Powershell to externally store and manage configuration and trust information

Use IIS logging and SSRS to manage utilization, capacity, and lifecycle management of the service

Configure monitoring from the internet for end-to-end verification

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Resources

www.microsoft.com/teched: Sessions On-Demand & Community

www.microsoft.com/learning: Microsoft Certification & Training Resources

http://microsoft.com/technet: Resources for IT Professionals

http://microsoft.com/msdn: Resources for Developers

http://northamerica.msteched.com: Learning. Connect. Share. Discuss.


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.