Identity Federation is one of my favourite IT topics, maybe also because it is the foundation for any discussion about cyber security in a cloud-first world. And I am glad that Microsoft presented today at Ignite some cool new features that will be included in the AD FS server role in Windows Server 2016, as well as some key improvements made to some great features already present in Windows Server 2012 R2. So let’s take a look at them!
The first great thing I noticed is the ability to authenticate users from LDAP v3 directories, such as AD LDS, Novell eDirectory and OpenLDAP, just to name a few of them. This works because these LDAP directories are modelled as a local claims provider (just like Active Directory is). Such LDAP directories will show up as another claims provider in the home realm discovery page for passive authentication. The login ID can be any attribute, but it has to be unique in the LDAP directory. For authentication to Office 365, the attribute chosen for authentication should be unique across all directories that are configured for authentication to Office 365. In other.
A basic scenario where this feature will be priceless is an acquisition. Let’s say that you own a company which runs Active Directory Domain Services and you buy another company which is using OpenLDAP. You already have AD FS configured for authentication to Office 365. Until now, in such scenarios you would have to perform an Active Directory consolidation first, and move all users in the LDAP directory to your AD DS. Now, you just sync the users to Office 365, add the LDAP directory to your AD FS server, and that’s it.
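To make the acquisition scenario above concrete, here is an added example (not from the original post) of registering an OpenLDAP directory as a local claims provider trust with the AD FS PowerShell cmdlets that ship with Windows Server 2016. The host name, port, bind credential, user container, display name and account suffix are assumed placeholder values; the anchor attribute is `mail`, which the post says must be unique across every directory that authenticates to Office 365.

```powershell
# Added example: register an LDAP v3 directory (e.g. OpenLDAP) as a local claims provider in AD FS.
# All host names, containers and suffixes below are assumed placeholders, not values from the post.

# Bind credential for the LDAP directory (prompted, never stored in the script).
$DirectoryCred = Get-Credential -Message "LDAP bind account for the acquired directory"

# Connection to the acquired company's OpenLDAP server over LDAPS (port 636).
$VendorDirectory = New-AdfsLdapServerConnection `
    -HostName "ldap.acquired.example" `
    -Port 636 `
    -SslMode Ldaps `
    -AuthenticationMethod Basic `
    -Credential $DirectoryCred

# Map LDAP attributes to the claim types AD FS will issue for these users.
$GivenName  = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname    = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn `
    -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

# The anchor claim is the login ID: it has to be unique in this directory, and for
# Office 365 it has to be unique across all directories federated through this farm.
Add-AdfsLocalClaimsProviderTrust `
    -Name "Acquired Company Users" `
    -Identifier "urn:acquired-company-ldap" `
    -Type Ldap `
    -LdapServerConnection $VendorDirectory `
    -UserObjectClass inetOrgPerson `
    -UserContainer "ou=People,dc=acquired,dc=example" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" `
    -OrganizationalAccountSuffix "acquired.example" `
    -Enabled $true

# Verify: the new trust should be listed next to the Active Directory claims provider.
Get-AdfsLocalClaimsProviderTrust | Select-Object Name, Identifier, Enabled
```

The `-OrganizationalAccountSuffix` value lets AD FS route users who sign in with that suffix straight to the LDAP trust instead of showing them the home realm discovery page; pick the suffix the acquired users actually type so the experience matches the AD DS users.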
Another great thing is that upgrading from AD FS on Windows Server 2012 R2 to Windows Server 2016 will be easier than ever before. You would just have to add Windows Server 2016 nodes into your farm and take the old server out of the load balancer. When all features are tested and working fine, you can simply upgrade the Farm Level and everything will work fine.
Conditional access also goes to the next level with AD FS on Windows Server 2016. When authenticating to Office 365, administrators are pretty limited regarding conditional access in Windows Server 2012 R2. Conditional access is right now limited to the network location the authentication request comes from. So admins only have the possibility to deny access to users who try to log in from outside the corporate network.
With AD FS on Windows Server 2016, administrators can create access policy templates that they can apply to the relying parties they need. Creating these policies is very easy and it seems to be really similar to creating mailbox rules. You can create policies that restrict access based on group membership, network, the device the end user is using, and so on. And related to this comes another great feature, which is the integration with the MDM provided by Intune. So with Windows Server 2016, administrators would be able to define a policy that allows authentication only from enrolled, managed and compliant devices.
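As an added example (not from the original post), this is how the access control policy templates described above are assigned from PowerShell on a Windows Server 2016 AD FS farm, using one of the built-in templates that enforces MFA for sign-ins from outside the corporate network. The relying party display name is an assumed placeholder; the template name is a built-in one that ships with AD FS 2016.

```powershell
# Added example: assign a built-in access control policy template to a relying party trust.
# The relying party name below is an assumed placeholder.

$RelyingParty = "Microsoft Office 365 Identity Platform"

# List the policy templates available on this farm (built-in ones plus any custom templates).
Get-AdfsAccessControlPolicy | Select-Object Name, IsBuiltIn

# Require MFA when the request comes from outside the corporate network (extranet) while
# still permitting every authenticated user; this replaces the 2012 R2 style "deny from outside"
# authorization rules with a reusable template.
Set-AdfsRelyingPartyTrust `
    -TargetName $RelyingParty `
    -AccessControlPolicyName "Permit everyone and require MFA from extranet access"

# Verify the assignment: the trust should now reference the template instead of raw rules.
$Trust = Get-AdfsRelyingPartyTrust -Name $RelyingParty
if ($Trust.AccessControlPolicyName -ne "Permit everyone and require MFA from extranet access") {
    throw "Access control policy was not applied to '$RelyingParty'"
}
$Trust | Select-Object Name, AccessControlPolicyName
```

Because the policy is a template rather than per-trust claim rules, the same template can be assigned to every relying party that needs the behaviour, and changing the template later updates all of them at once.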
And things get more exciting when taking into consideration we will be able to join Windows 10 devices to Azure Active Directory! This was also announced at Microsoft Ignite and it was a huge “WOW” for me.
And the best thing yet is that you no longer need to be a claim rule language expert in order to implement this type of access policy, since everything will be possible from the AD FS UI. And by the way, the AD FS Management Console has also changed slightly in Windows Server 2016.
So there’s a great future for identity federation in a cloud-first world!