Windows 10: ADFS on premise install - best practice

Hi,


I am trying to find a document that states that installing ADFS is a seurity risk if installed on a Domain Controller and not seen as best practice.

I know there may be reasons why and they should be mitigated but would be good to highlight the risk levels



Thanks

:)

 

ADFS Integration

Hi,

Actually we are developing an Enterprise SaaS Application (Mobile Application which calls a web API) hosted on Azure App service , and we need to build our application to integrate with customers through ADFS. That allows customer's employees to use the
on-premises active directory identity to access our services seamlessly.

We are totally aware of the ADFS different protocols/relaying party trust configuration/tokens/Claims but still we have a question

Q: Should we as a service provider (Resource Owner) build an ADFS farm ( as per Reference : Federate with a customer's AD FS - Azure Architecture Center )
OR just develop our application to redirect the request to the customer's ADFS (Account owner) and validate tokens of the customer....... (as per Reference : https://docs.microsoft.com/en-us/wi...ad-fs/overview/ad-fs-scenarios-for-developers)
?

Thanks,

Omnia

 

Recommendation: Load balancer for ADFS environment?

We want to put in ADFS for our current network to support about 30K authenticated users, currently to start off just for sharepoint application, but potentially will support other application/ users as well.

Looking for recommendation on whether we should go with virtual or hardware based Load Balancer, and
which vendor of LB that people tend to adopt for their ADFS and WAP servers? Imagine we'll need to get the LB that can support Layer 7

Here is how we are currently spec'ed out so far:

• 2 WAP servers (Win2016) sit behind a LB and all on DMZ
• 2 ADFS servers (Win2016) sit behind another LB and all on Internal network
• DC server is on Internal network as well

----

Can anyone explain how the traffic/federation process goes (step by step) when user access the website from the internet (please include how request is being passed/redirect between webserver, WAP, ADFS, and DC servers)

Thanks!

 

ADFS SAML setup

Hello,

I have questions regarding ADFS SAML configuration.

I have been charged with setting up ADFS SAML and connecting our system with clarity safetyzone.

I am using Using windows serv 2019 platform for the servers. I have created a test environment that has a domain controller, server with ADCS, and another server with ADFS. I have a certificate created within the ADCS server and I installed ADFS on the
respective server. I verified after installation of the role and configuring an adfs administrator that the adfs administrator can sign into the https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx, I created a windows test account and logged into the
adfs server for testing purposes and when navigating to the https://sts.contoso.com/adfs/ls/ and attempting to sign in with that user, I get an error:

An error occurred
An error occurred. Contact your administrator for more information.
Error details
Activity ID: f68cc99a-b6e5-40dc-1a00-0080000000e5Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.Node name: 85253664-435b-4d04-8775-d4b96854cb12Error time: Mon, 02 Nov 2020 20:11:16 GMTCookie:
enabledUser agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

I have everyone permitted for intranet access in the Access Control Policies.
Am i missing something? Once i can verify that a standard user can login, then i can move on to the step of setting up the appropriate claims/trusts.

Does anyone have experience with this and maybe even experience with the Clarity Safety Zone platform?