ADFS Overview


ADFS was first introduced in Windows Server 2003 R2 Enterprise Edition; that release ships ADFS V1.

In order to use the latest version of ADFS (V2) you will need to be running Windows Server 2008 SP2 or Windows Server 2008 R2 (this also includes Windows Server 2012).

ADFS 2.0 does not require a particular operating system level on the domain controllers, and neither version of ADFS requires a particular domain functional level or forest functional level for the AD domain controllers used for authentication.

The Federation service components consist of –

  • The Federation Server (FS)
  • The Federation Server Proxy (FSP)
  • The AD FS web agent (AD FS V1 only)

Networking Requirements

TCP/IP Connectivity –

Federation servers (FS) in ADFS do not need to talk directly to each other for applications using the passive requester profile (browser-based sign-in).

Federation servers will communicate directly with each other when using WS-Trust, and optionally during metadata exchange.

ADFS and DNS –

Federation Service Proxy (FSP) servers should use the same host name as the federation server they are protecting.

Depending on the solution required, a split DNS configuration may be necessary.

ADFS requires the deployment of a solid TCP/IP network and DNS name resolution for a successful implementation.
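The two networking requirements above (TCP/IP reachability and a host name that resolves to the federation server internally and to the proxy externally) can be checked from the proxy before deploying the role. The following is an added example, not part of the original post; it assumes placeholder values (the federation service name fs.example.com, an internal DNS server at 10.0.0.10, a public resolver at 8.8.8.8, the federation server at 10.0.0.20 and the proxy's public address 203.0.113.5) that must be replaced with your own, and it uses the Resolve-DnsName and Test-NetConnection cmdlets, which require Windows Server 2012 or later.

```powershell
# Added example (not from the original post): validate ADFS networking
# prerequisites from a Federation Server Proxy (FSP).
# All addresses and names below are placeholders; adjust to your environment.
$FederationServiceName = 'fs.example.com'
$InternalDns           = '10.0.0.10'    # DNS server used on the corporate network
$ExternalDns           = '8.8.8.8'      # public resolver, as seen from the Internet
$ExpectedInternalIp    = '10.0.0.20'    # the federation server (FS)
$ExpectedExternalIp    = '203.0.113.5'  # the proxy's public-facing address (FSP)

# 1. Split DNS: the same host name must resolve to the FS on the inside
#    and to the FSP on the outside.
$internal = (Resolve-DnsName -Name $FederationServiceName -Type A -Server $InternalDns -ErrorAction Stop).IPAddress
$external = (Resolve-DnsName -Name $FederationServiceName -Type A -Server $ExternalDns -ErrorAction Stop).IPAddress

if ($internal -contains $ExpectedInternalIp) {
    "Internal DNS OK: $FederationServiceName -> $internal"
} else {
    Write-Warning "Internal DNS returned '$internal'; expected $ExpectedInternalIp (federation server)"
}

if ($external -contains $ExpectedExternalIp) {
    "External DNS OK: $FederationServiceName -> $external"
} else {
    Write-Warning "External DNS returned '$external'; expected $ExpectedExternalIp (proxy)"
}

# 2. TCP/IP: the proxy forwards client requests to the federation server over
#    HTTPS, so TCP 443 from the FSP to the FS must be open.
$tcp = Test-NetConnection -ComputerName $ExpectedInternalIp -Port 443
if ($tcp.TcpTestSucceeded) {
    "TCP 443 from proxy to federation server is reachable"
} else {
    Write-Warning "TCP 443 to $ExpectedInternalIp is blocked; the proxy cannot reach the federation server"
}
```

Run the script on the proxy itself: if the internal lookup returns the proxy's own address rather than the federation server, the proxy will loop back to itself, which is the symptom of a missing split-DNS zone or an incorrect hosts entry.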

Directory Services and AD FS

AD FS is a technology that allows one location, company or party holding user accounts to project those identities to another party that hosts resources. To do this, authentication has to happen somewhere along the line, and ADFS can use either AD or AD LDS for it. ADFS uses Kerberos to authenticate against AD, and an LDAP call when communicating with AD's younger brother, AD LDS; that LDAP call can be secured with SSL, but this is not a requirement.

In both versions of ADFS (v1 and v2), federation servers must be joined to an AD domain. A Federation Server Proxy (FSP), however, does not need to be joined to a domain; best practice is that it is not domain-joined and is instead run as a workgroup member.
