Upgrading the ADFS farm behavior level

[This blog posting was written with knowledge based on Windows Server 2016 TP4. Things may change in RTM.]

Some more investigations with ADFS in Windows Server 2016 TP4 – you have to start somewhere, right?

There are two ADFS servers that I mean to replace with two new ones running Windows Server 2016 TP4, and then raise the farm behavior level. Easy enough, or so it seems.

The plan:

  • Swap ADFS servers
  • Use the Test-ADFSFarmBehaviorLevelRaise cmdlet to check that the farm is ready for the raise
  • Raise the ADFS Farm Behavior Level with Invoke-ADFSFarmBehaviorLevelRaise

Adding the new nodes to the existing farm worked identically to adding nodes on 2012 R2; in the end, there is no difference between joining 2012 R2-based ADFS nodes and 2016-based ones to an existing farm.

  • join the new servers to the domain
  • install the Service Communication certificate on the new boxes
  • install the ADFS role
  • add the box to the load balancer (the health probe only brings it into rotation once the service starts responding)
  • join the ADFS farm
  • verify that the installation went well, the event log is clean and WID replication worked
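The whole procedure, as an added PowerShell example that is not part of the original post. Host names, the certificate thumbprint and the credentials are placeholders; the cmdlet and parameter names are those of the ADFS module in Windows Server 2016 RTM, so a TP4 build may differ. The final two steps assume the old 2012 R2 nodes have already been removed from the farm, since a behavior level raise only succeeds once every node runs 2016.

```powershell
# Added example: join a 2016 node to an existing WID farm, check its health,
# then dry-run and perform the farm behavior level raise.
# Placeholders (assumptions): primary node name, thumbprint, credentials.

$primary    = 'adfs01.corp.example.com'               # current primary node (assumed)
$thumbprint = '<service communication cert thumbprint>'
$svcCred    = Get-Credential -Message 'ADFS service account'
$adminCred  = Get-Credential -Message 'Domain admin used for the farm join'

# 1. ADFS role on the new box
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. The service communication certificate must already sit in LocalMachine\My;
#    fail early instead of letting Add-AdfsFarmNode fail half-way.
if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint)) {
    throw "Service communication certificate $thumbprint is not installed on $env:COMPUTERNAME"
}

# 3. Join the existing farm. For a WID farm the new node replicates from the primary.
Add-AdfsFarmNode -PrimaryComputerName $primary `
                 -CertificateThumbprint $thumbprint `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adminCred

# 4. Health check before touching the farm: the ADFS admin log should be clean.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 |
    Where-Object LevelDisplayName -in 'Error', 'Warning' |
    Format-Table TimeCreated, Id, Message -AutoSize

# 5. After Remove-AdfsFarmNode has been run on each old 2012 R2 node and the
#    primary role has been moved to a 2016 node: dry-run, then raise.
#    Test- reports blockers (for example a node that is still on 2012 R2)
#    without changing anything.
Test-AdfsFarmBehaviorLevelRaise -Credential $adminCred
Invoke-AdfsFarmBehaviorLevelRaise -Credential $adminCred

# Confirm the new level and which nodes the farm knows about
Get-AdfsFarmInformation | Select-Object CurrentFarmBehavior, FarmNodes
```

Run steps 1 to 4 on each new node and step 5 once, on the primary. Keep the load balancer probe pointed at the federation service endpoint rather than a plain TCP check, so a node whose service is installed but not yet replicated does not receive traffic.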


Extranet Lockout in ADFS 2016–require PDC

You know how, in ADFS on Windows Server 2012 R2, when you enable the “Extranet Lockout” feature for requests arriving through the Web Application Proxies, the PDC emulator of the user’s domain is contacted every time a password is validated?

Lu Zhao blogged about this in her blog: https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

In essence, to decide whether a user should be extranet-locked-out, ADFS reads the user’s badPwdCount attribute from the PDC emulator, which is the authoritative source for that value. If ADFS cannot reach the PDC (firewalls or routing in the way), the lookup fails and the user’s authentication is not completed. A PDC that is unreachable from the ADFS servers therefore turns the lockout protection into an outage for every extranet user.

Lu promised that they were looking at changing the feature to allow a fallback to a local DC when the PDC isn’t available.

It looks like Microsoft delivered on that promise – at least judging from what we can see in ADFS on Windows Server 2016 TP4. My friend Thomas (http://setspn.blogspot.de/) did some investigations, and it looks like there is a new property that one can set in ADFS 2016:

[Screenshot: adfs-extranet-lockout-require-pdc]
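What configuring this looks like from PowerShell, as an added example that is neither from the original post nor from Thomas’ investigation. The property and parameter names are those of the ADFS module in Windows Server 2016 RTM (ExtranetLockoutRequirePDC on Set-AdfsProperties; it defaults to True, which is the 2012 R2 behaviour described above), so a TP4 build may label them differently. The threshold and observation window are assumed values, and the AD cmdlets require the RSAT ActiveDirectory module on the ADFS node.

```powershell
# Added example: enable extranet lockout with a local-DC fallback and check
# the two things that commonly break it. Values for threshold/window are assumptions.

# 1. Is the PDC even reachable from this ADFS node? With RequirePDC = True an
#    unreachable PDC means extranet sign-in fails, so know the answer up front.
$pdc = (Get-ADDomain).PDCEmulator
$pdcReachable = Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet
if (-not $pdcReachable) {
    Write-Warning "PDC $pdc is not reachable on LDAP/389 from $env:COMPUTERNAME"
}

# 2. Current lockout settings
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
                  ExtranetObservationWindow, ExtranetLockoutRequirePDC

# 3. Enable extranet lockout, but let ADFS fall back to another DC for
#    badPwdCount when the PDC cannot be contacted ($false = fallback allowed).
$adfsThreshold = 15
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $adfsThreshold `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
                   -ExtranetLockoutRequirePDC $false

# 4. The ADFS threshold must stay below the AD lockout threshold, otherwise AD
#    locks the account before ADFS ever starts rejecting extranet attempts and
#    the feature protects nothing. 0 in AD means "never lock out".
$adThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
if ($adThreshold -ne 0 -and $adThreshold -le $adfsThreshold) {
    Write-Warning "AD lockoutThreshold ($adThreshold) is not above the ADFS threshold ($adfsThreshold)"
}
```

The fallback trades precision for availability: a non-PDC DC may hold a slightly stale badPwdCount, so a determined attacker could get a few extra attempts past the ADFS threshold before the count converges. With the AD threshold kept above the ADFS one, the account is still protected by AD itself.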


Modern Access Control Policies for Office 365 Relying Party

So I have been playing with ADFS on Windows Server 2016 TP4 to discover new functionality and features. One of the things I really like is the ability to assign Access Control Policies, and the rule editor behind them. These policies are found in the new “Access Control Policies” node in the AD FS management console.

The idea is that you configure Access Control Policies that reflect your security requirements and later assign them to applications. Depending on an application’s requirements, you assign it one of your policies: stricter or less strict, with MFA or without.

When your security requirements change and you need to touch an Access Control Policy, the change automatically applies to every application that has that policy assigned. No need to touch multiple Relying Parties or applications any more.

Microsoft delivers a number of Access Control Policies out of the box:

[Screenshot: adfs-access-control-policies]
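The same workflow from PowerShell, as an added example that is not part of the original post: list what ships out of the box, assign a built-in policy to the Office 365 relying party, and enumerate everything a later policy edit will touch. The relying party name is the one the Office 365 federation setup creates; the second relying party and the group name are hypothetical, and the form in which a group is passed through AccessControlPolicyParameters is an assumption.

```powershell
# Added example: Access Control Policies via the ADFS module (Windows Server 2016 RTM names).
# Hypothetical: the '<other relying party>' trust and the CORP\O365-Users group.

# 1. Policies Microsoft ships, and which relying parties already use each one
Get-AdfsAccessControlPolicy | Select-Object Name, Description, AssignedTo

# 2. Assign a built-in policy to the Office 365 relying party: everyone may sign
#    in, MFA is enforced only for requests arriving through the WAP.
$o365   = 'Microsoft Office 365 Identity Platform'
$policy = 'Permit everyone and require MFA from extranet access'
Set-AdfsRelyingPartyTrust -TargetName $o365 -AccessControlPolicyName $policy

# 3. A parameterised policy: the group placeholder is filled in per application
#    (group passed as DOMAIN\Name here; form of the parameter is an assumption).
Set-AdfsRelyingPartyTrust -TargetName '<other relying party>' `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters 'CORP\O365-Users'

# 4. Verify what the relying party now carries
Get-AdfsRelyingPartyTrust -Name $o365 |
    Select-Object Name, AccessControlPolicyName, AccessControlPolicyParameters

# 5. Before editing a policy, list every application that will change with it.
#    This is the "touch once, applies everywhere" property described above,
#    and also the blast radius of a mistake in that edit.
Get-AdfsRelyingPartyTrust |
    Where-Object AccessControlPolicyName -eq $policy |
    Select-Object Name, Identifier
```

Step 5 is worth running as a habit: a policy that is shared by the Office 365 trust and a handful of internal apps is the single place where a too-permissive rule, or an MFA requirement accidentally removed, reaches all of them at once.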

