Tag Archives: ADFS

ADFS in multi forest environments


ADFS in multi-forest environments is still a very hot topic, judging by my day-to-day experience. Even though I have been concentrating mostly on cloud application development projects for more than 8 months, I still get a lot of questions from partners, colleagues, customers and IT admins from all around the world about this specific scenario. To put this in perspective, the questions are usually asked in the context of Azure Active Directory, i.e. the well-known federated identity scenario. That is why I decided to blog about it, hoping to complement the scarce existing documentation.

Before we get started I would like to clarify one thing. Even though I will reference Azure AD a lot, nothing I describe here is restricted to Azure AD as the relying party. In fact, the last time I worked on such a scenario, the relying party was AWS. So let’s get started.

The basic scenario is the following: a company has two or more Active Directory forests and one Azure AD. Using Azure AD Connect we can synchronize several forests to the same Azure AD. The question then concerns the ADFS design. How many ADFS farms would we need? How would this work? Is this supported?

Exchange Hybrid deployment certificate requirements


Exchange Online gains more and more momentum, and Exchange hybrid deployments are already a pretty common scenario for a lot of IT organizations. Even though almost every aspect of an Exchange Hybrid deployment is well known to IT pros, there is still one point that seems to cause some difficulties: certificates. And since an Exchange hybrid deployment is not possible without a proper certificate configuration, I thought I would clarify the most important aspects of certificates in such a scenario by answering 5 questions I often hear when working with IT administrators.

One of the top questions I deal with almost every day is: “I have a self signed certificate configured for my Exchange Server deployment, issued by my Windows Server 2012 R2 Certification authority. Can I use this certificate for an Exchange Hybrid deployment?” The answer is NO! In order to create an Exchange Hybrid deployment, organizations need a certificate issued by a trusted, public certification authority. The reason is very simple. Certificates are meant to prove your organization’s identity, so that users and other service providers (like Microsoft) can be sure that they are engaging with the organization they intended to engage with and not with an attacker.

What’s new in AD FS on Windows Server 2016


Identity Federation is one of my favourite IT topics, perhaps also because it is the foundation for any discussion about cyber security in a cloud-first world. And I am glad that Microsoft presented today at Ignite some cool new features that will be included in the AD FS server role in Windows Server 2016, as well as some key improvements to great features already present in Windows Server 2012 R2. So let’s take a look at them!

The first great thing I noticed is the ability to authenticate users from LDAP v3 directories, such as AD LDS, Novell and OpenLDAP, just to name a few. This works because these LDAP directories are modelled as a local claims provider (just like Active Directory is). Such LDAP directories will show up as another Claims Provider in the home realm discovery page for passive authentication. The login ID can be any attribute, but it has to be unique within the LDAP directory. For authentication to Office 365, the attribute chosen for authentication should be unique across all directories that are configured for authentication to Office 365. In other.

Build an Office 365 Identity lab in Microsoft Azure


Important note: Please note that the information in this post may be outdated.

Managing identities is a vital part of cyber-security in general, and especially in the cloud. Organizations may want to manage identities, authentication and authorization themselves, even when users are accessing cloud resources and workloads. They can do this without any problems by using Azure AD Sync to synchronize Active Directory objects to Azure AD, thereby keeping the source of authority for these objects within the organization. In addition, organizations may use ADFS to federate identities. By doing this, authentication and authorization decisions are also made within the organization.

IT professionals normally try to build such labs in order to understand and see how everything works. These days I managed to build such a lab in Microsoft Azure. I used an MSDN subscription, where you get a monthly credit of 115 EUR, if I’m not mistaken. I think it may be helpful to briefly share how I built this lab.

ADFS service not starting after server reboot


I’ve recently built a new lab for my Office 365 tenant, including Azure AD Sync and ADFS running on Windows Server 2012 R2 machines. Everything worked as expected until I installed some updates on the ADFS server and restarted it. I noticed right away that the Active Directory Federation Service did not start at all. When I checked in services.msc I saw that it was stuck in a “starting” state. I waited a long time, but it remained the same.

I tried to stop it and restart it manually. However, when I did this I received an error message pointing out that the service account may be lacking some necessary permissions. This seemed very strange to me, since it had worked perfectly before the reboot. As further background, I was using a gMSA account as the ADFS service account.

ADFS in a resource/account forest scenario


Handling identities in a hybrid cloud is often no easy task. Configuring ADFS with Office 365 and Azure should not be difficult; generally speaking, using the cloud is not rocket science. However, things can get very complicated depending on the server infrastructure a company already has in place when it decides to move to the cloud.

A very common scenario is using resource forests and account forests in the same organization. Typically the resource forest hosts services such as Exchange or SharePoint, while the account forest contains the user accounts used for client logon. Many larger organizations opted for such a setup a while back, and nowadays they probably want to move some workloads to the cloud. The big question for identity folks is: how should directory synchronization and identity federation be implemented in a resource/account forest scenario?