
Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure

SIM401. Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure. Brian Puhl Technology Architect Microsoft IT. Agenda. ADFS Roles/Functions Deployment Topologies Management Operations. Why Bother?. ADFS is your identity interface to the cloud



Presentation Transcript


  1. SIM401 Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure Brian Puhl Technology Architect Microsoft IT

  2. Agenda • ADFS Roles/Functions • Deployment Topologies • Management • Operations

  3. Why Bother? • ADFS is your identity interface to the cloud • Claims-based authentication • Application portability • SaaS adoption – O365, etc. The expectation from your users and applications is that ADFS is as seamless and transparent as Active Directory.

  4. ADFS in Action Contoso (Users) Fabrikam (Resource) E-Company Store (Resource) A. Datum Account Forest Trey Research Resource Forest Microsoft (Users) Federation Trust

  5. High Availability/Disaster Recovery • Factor high availability and disaster recovery plans into the service architecture • 2 or more ADFS server farms in different data centers • Back-end SQL store comprises a minimum of two-node clusters located in multiple data centers • Mirrored against one another for failover • STS services configured for SQL failover

  6. Deployment Topology MSIT.adfs.microsoft.com Site2 Site1 Extranet Extranet Corpnet Corpnet Mirrored Clusters MSIT.adfs.microsoft.com

  7. Deployment Topology Federation Service (FS) • Security Token Service (STS) • Maps user attributes to claims • Issues security tokens • Manages federation trust policies, claim rules MSIT.adfs.microsoft.com Site2 Site1 Extranet Extranet Corpnet Corpnet Mirrored Clusters MSIT.adfs.microsoft.com

  8. Deployment Topology MSIT.adfs.microsoft.com Site2 Site1 Extranet Extranet Federation Service Proxy (FS-P) Corpnet Corpnet • Client proxy for token requests • Provides UI for browser clients • Forms based auth • Home realm discovery Mirrored Clusters MSIT.adfs.microsoft.com

  9. Configuring DNS • Users should always contact their “local” ADFS instance • Internet users must resolve to the FS-P servers • The FS-Ps must resolve to the FS servers • Internal users must resolve to the FS servers. Solution: we chose a dedicated namespace which we could host both internally and externally: <instance>.sts.microsoft.com

  10. Load Balancing • Geographic DNS on the Internet gives the ability to shift or balance traffic between data centers • Hardware load balancers enable quick response to server failures • Internal load balancers provide high availability (DMZ load balanced, intranet load balanced)

  11. Load Balancing • Use HOSTS files to create pairs of Federation Servers and Proxies • Use HOSTS files on each Proxy (DMZ) to direct it to its FS server (intranet) • Define operations processes for managing a failed Federation Server • Add the server name to the common pages (HRD, Login, Error) so you can tell which server answered: <%=System.Environment.MachineName %>

  12. Deployment Topology MSIT.adfs.microsoft.com SQL Configuration Store Site2 Site1 SQL server ADFS service configuration Trust and claims rule storage SAML artifact storage Extranet Extranet Corpnet Corpnet Mirrored Clusters MSIT.adfs.microsoft.com

  13. SQL Configuration • SQL mirroring mode of operation: High Performance Mode • Asynchronous transactions • Minor risk of losing token-replay and artifact data during failover • Requires low latency between the mirrored clusters to keep them consistent

  14. SQL Configuration: Server Configuration • ADFS Service Host XML configuration file: C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe.config
      <microsoft.identityServer.service>
        <policyStore connectionString="Data Source=SQL1.contoso.com;Initial Catalog=AdfsConfiguration;Integrated Security=True;Failover Partner=SQL2.contoso.com"
                     administrationUrl="net.tcp://localhost:1500/policy" />
        <trustMonitoring enabled="true" />
      </microsoft.identityServer.service>

  15. SQL Configuration Requirements • Repeat the process for the artifact store; its connection string is read with PowerShell:
      PS C:\Windows\system32> Get-ADFSProperties | %{ $_.ArtifactDbConnection }
      Data Source=SQL1.contoso.com;Initial Catalog=AdfsArtifactStore;Integrated Security=True;Failover Partner=SQL2.contoso.com
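As an added check for slides 14 and 15 (example code written for this page, not the presenter's script), the following PowerShell reads the configuration-store connection string from the service host config file and the artifact-store connection string from Get-ADFSProperties, confirms that each names a Failover Partner, and tests that both SQL partners accept a TCP connection. It assumes the default config path shown above, the Microsoft.Adfs.PowerShell snap-in, and SQL listening on port 1433; the function names are mine.

```powershell
# Added example: verify that both ADFS 2.0 SQL stores are configured for
# mirror failover and that both partners are reachable. Assumes the default
# config file path and SQL on TCP 1433 (adjust $SqlPort if needed).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ConfigPath = 'C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe.config'
$SqlPort    = 1433

function ConvertFrom-SqlConnectionString {
    # Turn "Key=Value;Key=Value" into a hashtable; hashtable keys are case-insensitive
    param([string]$ConnectionString)
    $pairs = @{}
    foreach ($part in ($ConnectionString -split ';')) {
        if ($part -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $pairs[$matches[1]] = $matches[2] }
    }
    $pairs
}

function Test-TcpPort {
    param([string]$Server, [int]$Port)
    # A "server,port" style Data Source carries its own port number
    if ($Server -match '^(.+),(\d+)$') { $Server = $matches[1]; $Port = [int]$matches[2] }
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port); $true } catch { $false } finally { $client.Close() }
}

function Test-AdfsSqlStore {
    param([string]$Name, [string]$ConnectionString)
    $cs = ConvertFrom-SqlConnectionString $ConnectionString
    if (-not $cs['Failover Partner']) {
        Write-Warning ("{0}: no Failover Partner in connection string ({1} on {2})" -f $Name, $cs['Initial Catalog'], $cs['Data Source'])
    }
    foreach ($server in (@($cs['Data Source'], $cs['Failover Partner']) | Where-Object { $_ })) {
        $state = if (Test-TcpPort $server $SqlPort) { 'reachable' } else { 'UNREACHABLE' }
        "{0}: {1} -> {2} {3}" -f $Name, $cs['Initial Catalog'], $server, $state
    }
}

# Configuration store: read from the service host config file (policyStore element)
[xml]$config = Get-Content -Path $ConfigPath
$policyConn = $config.configuration.'microsoft.identityServer.service'.policyStore.connectionString
Test-AdfsSqlStore -Name 'Configuration store' -ConnectionString $policyConn

# Artifact store: read from the live service properties
Test-AdfsSqlStore -Name 'Artifact store' -ConnectionString (Get-ADFSProperties).ArtifactDbConnection
```

Run it on each federation server in both sites; a store whose Failover Partner is missing, or whose partner is unreachable from that server, will not survive a SQL failover even though the service works today.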

  16. ADFS in Action Contoso (Users) Microsoft (Users) Fabrikam (Resource) E-Company Store (Resource) A. Datum Account Forest Trey Research Resource Forest Federation Trust

  17. Claims Pipeline Contoso (Users) Fabrikam (Resource) A. Datum Account Forest Trey Research Resource Forest

  18. RP Trust Policy Management • Use PowerShell, not the UI • Allows for quickly recreating/reconfiguring the service • Store copies of the scripts externally from ADFS
      # Creating a new Relying Party trust
      Add-ADFSRelyingPartyTrust -Name "Fabrikam" -Identifier "https://app.fabrikam.com/" -WsFedEndpoint "https://app.fabrikam.com/_trust/" -Notes "Sponsor Name: Brian Puhl" -TokenLifetime 60

  19. RP Rules Management • Use PowerShell, not the UI • Use the @RuleName annotation to set the rule name that is shown in the UI
      @RuleName = "Store:Active Directory, Get Claims"
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
       => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value);

      @RuleName = "Store:Active Directory, Send givenname"
      c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
       => issue(claim = c);
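To keep the trust configuration outside ADFS as slides 18 and 19 recommend, here is an added PowerShell example (mine, not the presenter's script) that exports every Relying Party trust's identifiers, endpoint, lifetime and issuance rules to plain files, and a function that recreates one trust from those files. It uses the Get-ADFSRelyingPartyTrust, Add-ADFSRelyingPartyTrust and Set-ADFSRelyingPartyTrust cmdlets from the ADFS 2.0 snap-in; the export folder and the function names are placeholders I chose, and it assumes WS-Federation relying parties like the Fabrikam example.

```powershell
# Added example: export ADFS 2.0 Relying Party trusts to files kept outside
# ADFS (e.g. in version control), and rebuild one trust from those files.
# Assumes the ADFS snap-in; $ExportRoot is a placeholder for a backed-up path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$ExportRoot = 'C:\AdfsConfigBackup'

function Export-AdfsRelyingPartyTrusts {
    param([string]$Root = $ExportRoot)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    foreach ($rp in Get-ADFSRelyingPartyTrust) {
        # Derive file names from the trust name, dropping characters illegal in paths
        $safe = $rp.Name -replace '[\\/:*?"<>|]', '_'
        Set-Content -Path (Join-Path $Root "$safe.transform.rules") -Value $rp.IssuanceTransformRules
        Set-Content -Path (Join-Path $Root "$safe.authz.rules")     -Value $rp.IssuanceAuthorizationRules
        # Keep the trust's identity data beside its rules so it can be recreated verbatim
        $meta = @(
            "Name=$($rp.Name)",
            "Identifier=$($rp.Identifier -join ' ')",
            "WSFedEndpoint=$($rp.WSFedEndpoint)",
            "TokenLifetime=$($rp.TokenLifetime)",
            "Notes=$($rp.Notes)"
        )
        Set-Content -Path (Join-Path $Root "$safe.trust.txt") -Value $meta
    }
}

function Restore-AdfsRelyingPartyTrust {
    # Recreate one trust from the exported files; refuses to clobber an existing trust
    param([string]$Name, [string]$Root = $ExportRoot)
    $safe = $Name -replace '[\\/:*?"<>|]', '_'
    $meta = @{}
    Get-Content (Join-Path $Root "$safe.trust.txt") | ForEach-Object {
        $k, $v = $_ -split '=', 2
        $meta[$k] = $v
    }
    if (Get-ADFSRelyingPartyTrust -Name $Name) {
        throw "Relying party '$Name' already exists; remove it first or use Set-ADFSRelyingPartyTrust"
    }
    Add-ADFSRelyingPartyTrust -Name $Name `
        -Identifier ($meta['Identifier'] -split ' ') `
        -WSFedEndpoint $meta['WSFedEndpoint'] `
        -Notes $meta['Notes'] `
        -TokenLifetime ([int]$meta['TokenLifetime'])
    # Rules are applied from the exported files, so what is in version control is what runs
    Set-ADFSRelyingPartyTrust -TargetName $Name `
        -IssuanceTransformRulesFile     (Join-Path $Root "$safe.transform.rules") `
        -IssuanceAuthorizationRulesFile (Join-Path $Root "$safe.authz.rules")
}

# Usage: run the export on a schedule, and restore a trust by name after a rebuild
Export-AdfsRelyingPartyTrusts
# Restore-AdfsRelyingPartyTrust -Name 'Fabrikam'
```

Diffing the exported rule files between runs also gives you a change record for the claim rules, which the UI does not keep.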

  20. Claims Sources • Master Data Management concepts apply • Applications may not need “authoritative” data • Information in AD may not be the same as the other stores

  21. SQL Attribute Stores • Must ALSO be highly available

  22. Custom Attribute Stores • Custom extensibility point for querying attribute stores other than AD, AD LDS, or SQL • Written in .NET – implements the IAttributeStore interface • Possible return values: • 2-dimensional array of [claim type][claim value] • AttributeStoreInvalidConfigurationException • AttributeStoreQueryExecutionException • AttributeStoreQueryFormatException

  23. Claims Best Practices • Claims Provider rules apply to all users from that IdP • Custom Attribute Stores MUST return something • If the data store is unavailable, return a value that tells the application the claims are not valid • Naming standards for claim types • Publish claim types in federation metadata for consistency

  24. Security Best Practices • Utilize ADFS 2.0 integration with SCW • Systematically evaluate ADFSProperties and ADFS Relying Party properties • Set relevant properties • Set an ADFS token lifetime that complements the resource being secured • Leverage the Extended Protection for Authentication property • Ensure RPs call signout.aspx to clean up ADFS cookies

  25. Security Best Practices • Enforce privacy of PII • Secure custom attribute stores (SQL, WIF) • SQL Server specific security if the policy/artifact store is SQL • Implement and enforce a lifecycle on RP/IdP objects • Design an elevated admin access model • Reduce the authentication surface area • Enable only the relevant authN types on ADFS and Proxy • Review and enable only the applicable endpoints and usage

  26. ADFS/SCW unleashed • SCW usage and verification • Use scwcmd to register security role extensions.

  27. SCW Configuration Information

  28. Logging and Creating Usage Reports

  29. Approach • Utilize IIS Log Parser to collect W3SVC events on the ADFS servers • Download Log Parser 2.2 from Microsoft.com • IIS logs are only generated for passive (browser) federation • SQL stored procedures parse the logs and insert into SQL • Author SSRS reports to view the data in meaningful views, e.g. # of auths per application realm
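The slide's Log Parser plus SQL pipeline is not shown, so as an added example (mine, not the presenter's stored procedures) here is the same report done in PowerShell: it reads IIS W3C log lines from a federation server, keeps only passive WS-Federation sign-in requests to /adfs/ls/, and counts them per application realm (the wtrealm query parameter). The four log lines are constructed samples in the W3C format; the function name is mine.

```powershell
# Added example: count passive federation sign-ins per relying-party realm
# from IIS W3C logs. Sign-in requests carry wa=wsignin1.0 and the RP realm
# in wtrealm on the /adfs/ls/ endpoint. Sample lines below are constructed.
Add-Type -AssemblyName System.Web   # for HttpUtility.ParseQueryString (URL decoding)

function Get-RealmCounts {
    param([string[]]$Lines)
    $fields = @()
    $counts = @{}
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; IIS emits it at the top of each log file
        if ($line -match '^#Fields:\s*(.*)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs-uri-stem'] -notlike '/adfs/ls*') { continue }   # active (WS-Trust) traffic is not here anyway
        $query = [System.Web.HttpUtility]::ParseQueryString($row['cs-uri-query'])
        if ($query['wa'] -ne 'wsignin1.0') { continue }              # ignore sign-outs and page loads
        $realm = $query['wtrealm']
        if (-not $realm) { $realm = '(no wtrealm)' }
        $counts[$realm] = 1 + $counts[$realm]
    }
    $counts.GetEnumerator() | Sort-Object Value -Descending
}

# Constructed sample log (IIS W3C format, cs-uri-query URL-encoded as IIS writes it)
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2011-05-16 13:01:02 10.0.0.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=https%3a%2f%2fapp.fabrikam.com%2f 443 - 10.0.0.9 Mozilla/5.0 200',
    '2011-05-16 13:01:09 10.0.0.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=https%3a%2f%2fapp.fabrikam.com%2f 443 - 10.0.0.12 Mozilla/5.0 200',
    '2011-05-16 13:02:30 10.0.0.5 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn%3astore%3aecompany 443 - 10.0.0.9 Mozilla/5.0 200',
    '2011-05-16 13:03:11 10.0.0.5 GET /adfs/ls/ wa=wsignout1.0&wreply=https%3a%2f%2fapp.fabrikam.com%2f 443 - 10.0.0.9 Mozilla/5.0 200'
)
Get-RealmCounts -Lines $sampleLog | Format-Table Name, Value -AutoSize
# Expected: https://app.fabrikam.com/ = 2, urn:store:ecompany = 1 (the sign-out is not counted)

# Against real logs on a federation server:
# Get-RealmCounts -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
```

The same per-realm counts over time are what the capacity and lifecycle reports need: a realm that drops to zero sign-ins for weeks is a candidate for the RP lifecycle process on slide 25.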

  30. Troubleshooting User Authentications • Error messages include a correlation ID, which also appears in one or more entries in the AD FS 2.0 Admin log. PowerShell snippet to query the log for a correlation ID:
      param([string]$CoID, [string]$computername = $env:COMPUTERNAME)
      BEGIN {
          # Match events whose ActivityID equals the correlation ID shown on the error page
          $query = "*[System/Correlation[@ActivityID='{" + $CoID + "}']]"
          $log   = "AD FS 2.0/Admin"
      }
      PROCESS {
          Get-WinEvent -ComputerName $computername -LogName $log -FilterXPath $query `
              | fl MachineName, TimeCreated, Id, Message
      }

  31. Availability and Monitoring • Internal monitoring • SCOM Management Pack • Server availability • Service health • External monitoring • Internet perspective of your service • PowerShell scripts or internet providers • Verifies end-to-end through all network layers • Complex management of DNS records/resolution
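The slide only names "PowerShell scripts" for external monitoring, so here is an added example of such a probe (mine, not Microsoft IT's script) to run from outside the corporate network. It exercises every layer a user would: DNS resolution of the service name, TLS and HTTP through the proxy, the federation metadata document, the token-signing certificate's remaining lifetime, and the browser sign-in page. The service name is a placeholder; the metadata and sign-in paths are the ADFS 2.0 defaults, and the function name is mine.

```powershell
# Added example: outside-in probe for an ADFS 2.0 federation service.
# $ServiceFqdn is a placeholder for your <instance>.sts.<domain> name.
$ServiceFqdn  = 'sts.example.com'
$MetadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'   # ADFS 2.0 default metadata URL
$SignInPath   = '/adfs/ls/IdpInitiatedSignOn.aspx'                    # browser sign-in page served via the FS-P

function Test-FederationService {
    param([string]$Fqdn, [int]$WarnDays = 30)
    $r = New-Object PSObject -Property @{
        Fqdn = $Fqdn; Resolves = $false; MetadataOk = $false; SignInPageOk = $false
        EntityId = $null; SigningCertExpires = $null; Issues = @()
    }
    # 1. Name resolution from this vantage point (geo DNS should return the nearest site)
    try { $r.Resolves = [bool]([System.Net.Dns]::GetHostAddresses($Fqdn)) }
    catch { $r.Issues += "DNS: $($_.Exception.Message)"; return $r }

    $web = New-Object System.Net.WebClient
    # 2. TLS + HTTP + the service itself: fetch the federation metadata
    try { [xml]$md = $web.DownloadString("https://$Fqdn$MetadataPath"); $r.MetadataOk = $true }
    catch { $r.Issues += "Metadata: $($_.Exception.Message)"; return $r }
    $r.EntityId = $md.EntityDescriptor.entityID

    # 3. Token-signing certificate: first KeyDescriptor with use="signing"
    $mdNs = 'urn:oasis:names:tc:SAML:2.0:metadata'
    $dsNs = 'http://www.w3.org/2000/09/xmldsig#'
    $signing = @($md.GetElementsByTagName('KeyDescriptor', $mdNs) | Where-Object { $_.use -eq 'signing' })
    if ($signing.Count -eq 0) {
        $r.Issues += 'Metadata: no signing KeyDescriptor'
    } else {
        $b64  = $signing[0].GetElementsByTagName('X509Certificate', $dsNs)[0].InnerText.Trim()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[Convert]::FromBase64String($b64))
        $r.SigningCertExpires = $cert.NotAfter
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $WarnDays) { $r.Issues += "Signing cert expires in $daysLeft days (thumbprint $($cert.Thumbprint))" }
    }

    # 4. Browser sign-in page, which internet users reach through the proxy
    try { $null = $web.DownloadString("https://$Fqdn$SignInPath"); $r.SignInPageOk = $true }
    catch { $r.Issues += "Sign-in page: $($_.Exception.Message)" }
    $r
}

$result = Test-FederationService -Fqdn $ServiceFqdn
$result | Format-List Fqdn, Resolves, MetadataOk, SignInPageOk, EntityId, SigningCertExpires, Issues
if ($result.Issues.Count -gt 0) { exit 1 }   # non-zero exit so a scheduler or monitor can alert
```

Run it from more than one internet location and from each internal site: because geographic DNS hands different answers to different resolvers, a single probe only proves one path, and the signing-certificate check catches the failure mode that takes down every relying party at once.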

  32. Summary • Deploying a high availability ADFS service is similar to any other highly available web application • SQL configuration is crucial • Claims availability can impact ADFS availability • Leverage Powershell to externally store and manage configuration and trust information • Use IIS Logging and SSRS to manage utilization, capacity, and lifecycle management of the service • Configure monitoring from the internet for end-to-end

  33. Track Resources • Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. • You can also find the latest information about our products at the following links: • Cloud Power - http://www.microsoft.com/cloud/ • Private Cloud - http://www.microsoft.com/privatecloud/ • Windows Server - http://www.microsoft.com/windowsserver/ • Windows Azure - http://www.microsoft.com/windowsazure/ • Microsoft System Center - http://www.microsoft.com/systemcenter/ • Microsoft Forefront - http://www.microsoft.com/forefront/

  34. Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn

  35. Complete an evaluation on CommNet and enter to win!

  36. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
