Load Balancing WAP In Azure RM

In the previous post, Load Balancing Azure AD FS Services, we looked at using Azure RM to deploy and load balance AD FS services. This is the follow-up post to deploy the Web Application Proxy (WAP) servers and their associated load balancer into the DMZ.

In this post we will focus upon the highlighted area in the below diagram.  The additional components were previously deployed, for details please … Read the rest “Load Balancing WAP In Azure RM”

Testing AD FS Signon Page – An Error Occurred

There are many causes for receiving errors when signing onto AD FS. However, some are more genuine than others. This is a quick tip to check that you are on the right track before diving into the details and potentially spending time troubleshooting when in fact nothing is wrong. Just lately, for some reason, I’m seeing this more frequently. That has prompted the draft from last October to be fi… Read the rest “Testing AD FS Signon Page – An Error Occurred”

Load Balancing AD FS Services In Azure RM

As mentioned in this blog's previous posts on deploying AD FS, one option is to deploy all or part of the AD FS solution in Azure.  This is very valuable if there is insufficient capacity on-premises or if you only have a single datacentre and wish to increase resiliency.

Deploying the AD FS solution or connecting it to Azure is pretty straightforward. However, if you do not correctly plan the Azure… Read the rest “Load Balancing AD FS Services In Azure RM”

Change AD FS 2012 R2 Service Account Password

One of the added features in AD FS 2012 R2 was the ability to leverage group managed service accounts (gMSA), which obviated the requirement to manually change the password associated with the service account. See Getting Started with Group Managed Service Accounts for some background on gMSA. You may also see the term sMSA, which is a standalone managed service account.

Managed service accounts and … Read the rest “Change AD FS 2012 R2 Service Account Password”

Web Application Proxy Service Not Starting Due to Malformed Configuration File

The below Web Application Proxy (WAP) server had an unexpected issue. When the machine came back up, it had lost the configuration to allow it to communicate with the AD FS farm. This is not specifically a VM/Hyper-V/Azure issue; it is more of a WAP issue.

Fixing the issue is straightforward, though let’s take a look at the symptoms first.

WAP Server Errors

On the affected WAP server the AD FS serv… Read the rest “Web Application Proxy Service Not Starting Due to Malformed Configuration File”

Updating Windows Server 2012 R2 AD FS SSL and Service Certificates

The below content is superseded -- for information on updating your certificates please see:

Active Directory Federation Services (AD FS) heavily leverages X.509 certificates to allow the solution to function securely.  As with all of the other certificates that you deploy within your enterprise, there must be a process to manage and renew certifica… Read the rest “Updating Windows Server 2012 R2 AD FS SSL and Service Certificates”

AD FS 2012 R2 Web Application Proxy – Re-Establish Proxy Trust

In the Tailspintoys environment, the administrator (moi) was a bit slack. They let the AD FS 2012 R2 proxy get into a bad state. The AD FS Proxy was not contacting the AD FS server on the internal network, and this allowed the short-lived authentication certificate to expire. At this point the AD FS Proxy was “dead to me” as far as the AD FS server was concerned. The internal AD FS server was … Read the rest “AD FS 2012 R2 Web Application Proxy – Re-Establish Proxy Trust”

AD FS 2012 R2 – An Error Occurs When BadPwdCount Not Set

AD FS 2012 R2 provides an interesting feature called Extranet Lockout Protection, where the intent is to protect AD accounts from malicious lockout caused by external access attempts. Previous versions of AD FS had no native mechanism to protect AD from such hammering attempts. For details on the feature please review this post.

One issue that can occur when extranet lockout pro… Read the rest “AD FS 2012 R2 – An Error Occurs When BadPwdCount Not Set”

How To Request Certificate Without Using IIS or Exchange

The blog post on how to integrate Office 365 with Windows 2012 R2 AD FS raised an interesting question from a reader (Hi Eric!) on how he should request a certificate for the AD FS instance since there is no longer an IIS dependency. This means that there is no longer an IIS console to generate a certificate request with. What to do?

You could generate a certificate request, complete it and then e… Read the rest “How To Request Certificate Without Using IIS or Exchange”

Enabling AD FS 2012 R2 Extranet Lockout Protection

Security is an integral aspect of running modern IT operations. There is a clear understanding that we need to protect our IT assets, company data and personally identifiable information. So when we discuss a migration to Office 365, security is an inevitable topic. One aspect that we need to discuss is around account lockout, and how to protect our Active Directory accounts as part of the overal… Read the rest “Enabling AD FS 2012 R2 Extranet Lockout Protection”