Infrastructure Requirements – ADFS

At a minimum, deploying AD FS 2.0 within a single organisation requires the following infrastructure:


  • Active Directory – AD FS 2.0 requires Active Directory to authenticate users. This can be any version of AD, and does not require a specific schema revision, or domain or forest functional level.


  • Active Directory Federation Services 2.0 – Deploying AD FS in a single organisation requires a minimum of one AD FS 2.0 server. In its simplest configuration, this server will be configured with a claims provider trust to the corporate Active Directory (this is configured by default on every AD FS 2.0 server), and a relying party trust for each application that will be consuming claims produced by this AD FS server. By default, internal users will authenticate to the AD FS server via Integrated Windows Authentication in order to obtain AD FS tokens that they will present to any relying party applications. A single AD FS server can authenticate users in the same domain as the ADFS server, in any domain within the same Active Directory forest, and any users in any trusted forest.


  • Domain Name System (DNS) – The DNS requirements for the WebSSO deployment are fairly straightforward. All clients must be able to resolve the A record of the federation server and any relying party applications, in addition to the DNS requirements associated with Active Directory authentication (SRV records, and so on). If a Federation Server proxy (FSP) has been deployed, this will potentially add to the DNS requirements in this scenario.


ADFS Overview


ADFS was first introduced in Windows Server 2003 R2 Enterprise Edition – This uses ADFS V1

In order to use the latest version of ADFS (V2) you will need to be running Windows Server 2008 SP2 or Windows Server 2008 R2. (This also includes Server 2012)

ADFS 2.0 does not require a particular operating system level and neither versions require a particular domain functional level or forest functional level for the AD Domain Controllers used for authentication.

The Federation service components consist of –

  • The Federation Server (FS)
  • The Federation Server Proxy (FSP)
  • The AD FS web agent (AD FS V1 only)

Networking Requirements

TCP/IP Connectivity –

FS in ADFS do not need to talk directly to each other for applications using the passive requester profile.

FS will communicate directly when using WS-trust, and optionally during metadata exchange.

ADFS and DNS –

Federation Service Proxy (FSP) servers should use the same host name as the federation server they are protecting.

Depending on the solution required, a split DNS configuration may be necessitated.

ADFS requires the deployment of a solid TCP/IP network and DNS name resolution for a successful implementation.

Directory Services and AD FS

AD FS is a technology that allows one location/company/party holding user accounts to project these identities to another party that hosts resources. In order to do this, authentication is required somewhere along the line, ADFS can use AD and ADLDS to accomplish this. ADFS uses Kerberos to authenticate with AD, and a LDAP call when communicating with AD’s younger brother, ADLDS, this call could be secured with an SSL but is not a requirement.

In both versions of ADFS (v1 and v2), Federation servers must be joined to an AD domain. However an Federation Server Proxy (FSP) does not need to be joined to a domain; it is recommended that this isn’t the case and instead used on a workgroup for best practice.

%d bloggers like this: