Active Directory Federation Services (AD FS): End-to-End Guide for Architecture, SSO, Security, and Troubleshooting
Why this guide? If you run hybrid identity or partner federation, Active Directory Federation Services (AD FS) remains a proven way to deliver Single Sign-On (SSO) and standards-based federation across on-premises and cloud apps. This WordPress-ready, black-and-white reference covers the architecture (Security Token Service, Web Application Proxy), protocols (SAML 2.0, OAuth 2.0, OpenID Connect, WS-Fed), claims, policy design, high availability, hardening, and deep troubleshooting with PowerShell and Microsoft Graph. You’ll also get migration pointers to Microsoft Entra ID (Azure AD) when it’s time to modernize.
Key Takeaways
- Federated Auth Platform: AD FS bridges AD DS identity to cloud/partner apps via standards-based tokens.
- Claims-Based: Everything is a claim—shape identity once, reuse across relying parties.
- WAP + TLS: Internet-facing access happens through Web Application Proxy with strict TLS and certificate hygiene.
- MFA & Conditional Access: Tighten risk with MFA, device/location controls, and custom claims rules.
- HA & DR: Use AD FS farms, SQL/WID, and load balancers. Test failover. Monitor event IDs.
- Troubleshoot Fast: Use the PowerShell runbook below, event logs, and Fiddler/Network traces.
- Modernize Smartly: Evaluate moving to Microsoft Entra ID for simpler SSO where possible.
1) What is AD FS? A Federated Authentication Platform
AD FS enables secure SSO and federated authentication between on-prem Active Directory and external systems/partners. It issues standards-based tokens through its Security Token Service (STS). Users authenticate once and access multiple apps without repeated sign-ins.
Keypoints
- Acts as an identity bridge for hybrid and partner scenarios.
- Centralizes authentication, token issuance, and claims transformation.
- Reduces credential prompts and improves UX across apps.
2) Claims-Based Identity Model (The Heart of AD FS)
In AD FS, identity is expressed with claims—typed statements like email, upn, groups. AD FS reads incoming claims from an IdP (or AD) and emits outgoing claims for a Relying Party Trust (RPT). Custom rules let you transform, filter, and enrich claims.
Keypoints
- Decouple authentication from application authorization.
- Normalize identities across heterogeneous directories.
- Custom rules support complex partner requirements.
3) Integration with Active Directory (AD DS)
AD FS integrates tightly with AD DS. Users authenticate via Kerberos/NTLM to AD FS servers joined to the domain. AD FS then issues tokens to apps or partners, using SAML/WS-Fed/OAuth 2.0/OpenID Connect.
Keypoints
- Requires domain-joined federation servers for AD integration.
- Relies on token-signing/decrypting certificates managed by AD FS.
- Supports smartcard/cert auth against AD where required.
4) Single Sign-On (SSO) Experience
With AD FS, users authenticate once to access Microsoft 365, Salesforce, AWS, and custom apps—no repeated credentials. Use keep-me-signed-in, token lifetimes, and device registration to tune session durability and security.
Keypoints
- Minimize password prompts and reduce helpdesk load.
- Balance long-lived tokens with conditional risk controls.
- Leverage device registration (DRS) for seamless access.
5) Relying Party Trusts (RPT)
An RPT defines how AD FS trusts an application (SP). It includes identifiers, endpoints, signature requirements, and claim issuance rules.
Keypoints
- Create one RPT per app/SP. Keep identifiers and endpoints exact.
- Maintain explicit claim rules per RPT; avoid global over-permissive rules.
- Use metadata URLs for automatic updates where supported.
6) Claims Provider Trusts (CPT)
A CPT represents an upstream IdP that AD FS accepts authentication from—another AD FS, Microsoft Entra ID, or third-party IdP.
Keypoints
- Use CPT when AD FS does not authenticate users directly.
- Map incoming claims types to your standard schema.
- Isolate CPT rules from RPT rules for clarity.
7) Security Token Service (STS)
The STS authenticates users, evaluates policy, and issues the resulting token to the RP. It signs tokens with the token-signing certificate and can encrypt tokens with the RP’s public key.
Keypoints
- Protect the signing key—monitor expiration and rollover.
- Audit token issuance via AD FS event logs.
- Pin endpoints to TLS 1.2+ and strong cipher suites.
8) Authentication Protocol Support
AD FS supports SAML 2.0, WS-Federation, OAuth 2.0, OpenID Connect, and WS-Trust. This compatibility lets you federate to most enterprise and SaaS apps.
Keypoints
- Choose protocol per application requirement.
- Prefer OIDC/OAuth for modern apps; SAML/WS-Fed for legacy SPs.
- Standardize claim types to reduce per-app complexity.
9) Web Application Proxy (WAP)
WAP publishes AD FS to the internet without exposing internal federation servers. It terminates TLS, pre-authenticates, and forwards to AD FS through a secure channel.
Keypoints
- Place WAP in DMZ, lock down inbound/outbound rules.
- Use separate TLS certs per published name; automate renewal.
- Monitor WAP-to-AD FS health (probe URLs, event logs).
10) Multi-Factor Authentication (MFA)
AD FS integrates with Azure MFA and compatible third-party providers to require a second factor based on user, group, device, or location conditions.
Keypoints
- Enforce MFA for privileged roles and risky geos.
- Use step-up MFA for sensitive RP access.
- Capture MFA claims for downstream authorization.
11) Certificate-Based Authentication & TLS
AD FS uses SSL/TLS service certs and token-signing/decrypting certs. Rotate before expiry and validate issuance chains end-to-end.
Keypoints
- Automate renewal; pre-stage new certs and test rollover.
- Harden cipher suites; disable legacy TLS/SSL.
- Ensure CRL/OCSP endpoints stay reachable from AD FS and WAP so chain validation does not fail.
12) Conditional Access and Access Control Policies
AD FS access control policies evaluate user, group, device state (Workplace-Joined), network location, and authentication method.
Keypoints
- Block legacy auth from untrusted locations.
- Require MFA outside corporate network.
- Issue device claims to apps that support them.
13) Integration with Microsoft Entra ID (Azure AD)
In hybrid identity, AD FS can federate on-prem identities to Microsoft Entra ID to enable cloud SSO and conditional access. Consider migrating to PHS/PTA when possible to reduce complexity.
Keypoints
- Federate custom domains; manage federation settings.
- Plan cutover to PHS/PTA to retire AD FS where feasible.
- Re-configure app auth to OIDC/SAML in Entra ID.
14) High Availability & Load Balancing
Deploy AD FS as a farm with multiple federation servers and WAP nodes. Use load balancers for internal and external VIPs. Store config in WID or SQL (for more scale/metrics).
Keypoints
- Use odd quorum of nodes for resilience.
- Test farm behavior level (FBL) raises and mixed-mode upgrades before production.
- Run disaster recovery drills regularly.
15) Custom Claims Rules
Claims rules are written in the AD FS rule language or via the GUI wizard. They let you transform attributes, add constants, and enforce logic.
Keypoints
- Keep rules per RPT minimal and documented.
- Prefer issuance transform rules over acceptance rules where possible.
- Version-control rules and test in lower environments.
16) Modern Authentication Support
AD FS supports OIDC/OAuth for SPA/native/web apps and WS-Trust for legacy clients. Use proof-key for code exchange (PKCE) for public clients.
Keypoints
- Adopt OIDC/OAuth for new workloads.
- Use confidential clients with client credentials where possible.
- Leverage scopes and resources to model authorization.
17) Token Lifetimes & Revocation
Control lifetimes for ID, access, and SSO tokens, and revoke via certificate rollover, relying party policy changes, or clearing persistent cookies.
Keypoints
- Shorten lifetimes for high-risk RPs.
- Revoke sessions on incident response via policy updates.
- Balance UX with risk when tuning lifetimes.
18) Audit & Monitoring
Turn on auditing, forward logs, and track key event IDs (e.g., 1200/1202 sign-in, 342 failures, 364 token issuance errors). Monitor WAP health and TLS.
Keypoints
- Centralize logs (SIEM) with correlation IDs.
- Alert on spikes in failed sign-ins or MFA denials.
- Capture latency and token issuance metrics.
19) Migration or Replacement by Entra ID
Many orgs are consolidating federation in Microsoft Entra ID for simpler operations. Migrate apps to Entra ID enterprise apps and retire AD FS where compatible.
Keypoints
- Inventory AD FS RPTs; map to Entra ID app gallery/custom apps.
- Use password hash sync or pass-through auth to replace federation.
- Plan staged cutovers with rollback.
20) Enterprise Use Cases
Partner identity (B2B), on-prem SSO for legacy apps, hybrid access to SaaS, and M&A scenarios that require rapid, standards-based trust.
Keypoints
- B2B partner federation with minimal attribute sharing.
- Legacy app enablement via WS-Fed/SAML until modernized.
- Hybrid cloud bridging during transitions.
PowerShell Runbook: Operating and Troubleshooting AD FS
Health & Configuration Snapshot
# Run on an AD FS federation server (elevated PowerShell)
Get-AdfsProperties
Get-AdfsFarmInformation
Get-AdfsSyncProperties
Get-AdfsServiceContract
Get-AdfsGlobalAuthenticationPolicy
Get-AdfsCertificate
Get-AdfsEndpoint | Select-Object Protocol,Address,Proxy,Enabled
Get-AdfsRelyingPartyTrust | Select-Object Name,Identifier,Enabled
# Run this one on a WAP node (WebApplicationProxy module)
Get-WebApplicationProxyApplication | Select-Object Name,ExternalUrl,ExternalCertificateThumbprint
Common Fixes (One-Liners)
# 1) Re-enable a disabled RP fast
Set-AdfsRelyingPartyTrust -TargetName "Salesforce" -Enabled $true
# 2) Bump SAML token lifetime for a specific RP (minutes)
Set-AdfsRelyingPartyTrust -TargetName "LegacySAMLApp" -TokenLifetime 120
# 3) Force metadata update for a CPT/RPT (if metadata URL is configured)
Update-AdfsRelyingPartyTrust -TargetName "PartnerSAML"
Update-AdfsClaimsProviderTrust -TargetName "PartnerIdP"
# 4) Bind a new service TLS certificate (protocol/cipher hardening itself is done at the OS SCHANNEL level)
Set-AdfsSslCertificate -Thumbprint "YOUR-SAN-CERT-THUMBPRINT"
# 5) Export token-signing cert public key for partner
# Get-AdfsCertificate can return a primary and a pre-staged secondary; partners need the primary's public key (DER, no private key)
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
Export-Certificate -Cert $signing.Certificate -FilePath .\token-signing.cer
# 6) Reset bad persistent SSO cookies (user-side action)
# Instruct users to clear cookies for your federation service DNS name.
# 7) Verify WAP to AD FS trust
Test-WebApplicationProxyConfiguration
Event IDs to Watch
| Area | Event IDs | Meaning |
|---|---|---|
| Token Issuance | 1200, 1202, 1000 | Success, error details, and general operations |
| WAP | 13039, 12027 | Proxy trust, backend connection failures |
| Auth Failures | 342, 364 | Token issuance / claims rule or cert mismatch problems |
| MFA | 1203, 1204 | MFA required/satisfied, provider behavior |
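Section 18 asks for correlation IDs and alerts on failure spikes; the table above names the events. The following added example (not part of the original runbook) pulls recent 342/364 events from the AD FS/Admin log, groups token issuance failures by relying party, and lets you drill into one Activity ID copied from a user's error page. It assumes elevated PowerShell on a federation server; the $SpikeThreshold value is an assumption to baseline against your own traffic.

```powershell
param(
    [int]$Minutes = 60,
    [int]$SpikeThreshold = 25,   # assumed: failures per RP in the window that count as a spike
    [string]$ActivityId           # optional: Activity ID copied from a user's AD FS error page
)

$since  = (Get-Date).AddMinutes(-$Minutes)
# 364 = token issuance error (names the relying party), 342 = token validation failure
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 342, 364; StartTime = $since } -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $msg = $e.Message
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Id           = $e.Id
        # Same GUID the user sees on the error page; it lives in the event's Correlation element
        ActivityId   = $xml.Event.System.Correlation.ActivityID
        # The message body is free text; extract fields only when they are present
        RelyingParty = if ($msg -match '(?i)Relying Party:\s*([^\r\n]+)')     { $Matches[1].Trim() } else { '<none>' }
        ClientIp     = if ($msg -match '(?i)Client IP:\s*([^\r\n]+)')         { $Matches[1].Trim() } else { '<n/a>' }
        Error        = if ($msg -match '(?i)Exception details:\s*([^\r\n]+)') { $Matches[1].Trim() } else { ($msg -split "`r?`n")[0] }
    }
}

if (-not $parsed) { Write-Output "No 342/364 events in the last $Minutes minutes."; return }

# Symptom-to-RP: which relying party is failing right now?
$byRp = $parsed | Where-Object Id -eq 364 | Group-Object RelyingParty | Sort-Object Count -Descending
$byRp | Select-Object Count, Name | Format-Table -AutoSize

# Spike alert per RP
foreach ($g in $byRp) {
    if ($g.Count -ge $SpikeThreshold) {
        Write-Warning "Spike: $($g.Count) token issuance failures for '$($g.Name)' in $Minutes minutes"
    }
}

# Top failure reasons across both event IDs (missing claim, cert mismatch, bad audience ...)
$parsed | Group-Object Error | Sort-Object Count -Descending | Select-Object -First 5 Count, Name | Format-Table -AutoSize -Wrap

# Drill into one user-reported Activity ID (the event stores it in braces, hence the wildcard match)
if ($ActivityId) {
    $parsed | Where-Object { $_.ActivityId -like "*$ActivityId*" } | Format-List Time, Id, RelyingParty, ClientIp, Error
}
```

Schedule it every few minutes and ship the warnings to the SIEM alongside the raw events so the correlation survives outside the farm.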
Claims Rule Snippets
# 1) Map UPN to NameID (SAML)
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
ValueType = c.ValueType);
# 2) Pass immutableID only to a specific RP
c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
=> issue(Type = "http://schemas.contoso.com/claims/immutableid", Value = c.Value);
# 3) Add group-based role claim
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)App-Admins$"]
=> issue(Type = "roles", Value = "admin");
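Sections 12 and 15 recommend conditional access in rules, minimal per-RP claims, and version-controlled rule sets. This added example (not from the original page) combines those ideas for one SAML RP: it permits only intranet or MFA-backed sessions, emits just NameID, email and a single role instead of raw groups, snapshots the live rules for rollback, then applies both sets. The RP name "LegacySAMLApp" and the group SID are placeholders, and the block assumes the RP uses classic issuance authorization rules rather than an Access Control Policy.

```powershell
# Authorization: permit only intranet sessions or sessions that carried MFA.
$authzRules = @'
@RuleName = "Permit intranet sessions"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit any session that satisfied MFA"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences", Value == "http://schemas.microsoft.com/claims/multipleauthn"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Transform: emit exactly what the app needs (NameID, email, one role), never raw groups.
$transformRules = @'
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Email looked up from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "App-Admins group SID -> admin role (SID below is a placeholder)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-APP-ADMINS"]
 => issue(Type = "roles", Value = "admin");

@RuleName = "Everyone else gets the user role"
NOT EXISTS([Type == "roles"])
 => issue(Type = "roles", Value = "user");
'@

$rp = "LegacySAMLApp"   # assumed RP display name, matching the runbook above

# Snapshot the live rules first so the change can be diffed and rolled back.
$current = Get-AdfsRelyingPartyTrust -Name $rp
$current.IssuanceAuthorizationRules | Set-Content ".\$rp.authz.before.txt"
$current.IssuanceTransformRules     | Set-Content ".\$rp.transform.before.txt"

# Apply both rule sets in one call. If this RP is governed by an Access Control Policy
# (AD FS 2016+), authorization is managed through that policy instead of this parameter.
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Read back to confirm the RP now carries the new transform rules
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
```

Keep the two here-strings in source control next to the .before.txt snapshots; a diff between them is the change record for the RP.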
WAP Publishing Checks
# Ensure listeners and certs are bound correctly on WAP
netsh http show sslcert
Get-WebApplicationProxyApplication | fl *
Certificate Renewal (Safe Rollover)
- Import the new TLS cert (with its private key) into Local Computer\Personal on AD FS and WAP.
- Set new service cert: Set-AdfsSslCertificate -Thumbprint NEWTLS
- Pre-stage new token-signing/decrypting certs with automatic rollover enabled in AD FS properties.
- Notify partners; provide updated metadata and new signing keys (public only).
- Validate signature and encryption end-to-end before decommissioning old keys.
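To make the "monitor expiration" advice from section 11 and the rollover procedure above routine, here is an added example (not part of the original runbook) that reports expiry and rollover state for every AD FS certificate and flags the two gaps that usually break partners. It assumes the ADFS module on a federation server; $WarnDays is an assumed threshold to match your change lead time.

```powershell
param([int]$WarnDays = 60)   # assumed: how far ahead of expiry to raise "RENEW SOON"

$props = Get-AdfsProperties
$now   = Get-Date

# AD FS can hold a primary and a pre-staged secondary of each token cert type;
# Service-Communications is the TLS/service certificate.
$report = foreach ($type in 'Token-Signing', 'Token-Decrypting', 'Service-Communications') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $x = $c.Certificate
        [pscustomobject]@{
            Type       = $type
            IsPrimary  = $c.IsPrimary
            Thumbprint = $x.Thumbprint
            NotAfter   = $x.NotAfter
            DaysLeft   = [int]($x.NotAfter - $now).TotalDays
            Status     = if ($x.NotAfter -lt $now) { 'EXPIRED' }
                         elseif (($x.NotAfter - $now).TotalDays -le $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
        }
    }
}

$report | Sort-Object Type, IsPrimary -Descending | Format-Table -AutoSize

# Gap 1: auto-rollover disabled means signing/decrypting certs only change when someone rotates them.
if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is disabled: token-signing/decrypting certs must be rotated manually.'
}

# Gap 2: primary signing cert near expiry with no secondary staged, so partners get no overlap window.
$signing      = $report | Where-Object Type -eq 'Token-Signing'
$primaryStale = $signing | Where-Object { $_.IsPrimary -and $_.Status -ne 'OK' }
$hasSecondary = $signing | Where-Object { -not $_.IsPrimary }
if ($primaryStale -and -not $hasSecondary) {
    Write-Warning 'Primary token-signing cert is near expiry and no secondary is staged; publish new metadata to partners before rollover.'
}

# Non-zero exit code so a scheduler or monitoring agent can raise it
if ($report.Status -contains 'EXPIRED') { exit 2 }
```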
Microsoft Graph & Entra ID: Federation and Migration Aids
Inspect Domain Federation Settings (Graph PowerShell)
# Requires Microsoft.Graph PowerShell modules and appropriate permissions
Connect-MgGraph -Scopes "Domain.Read.All","Directory.Read.All"
# List domains and see which are federated
Get-MgDomain | Select-Object Id, IsRoot, IsDefault, AuthenticationType
# For a specific federated domain, retrieve federation configuration
$domain = "contoso.com"
Get-MgDomainFederationConfiguration -DomainId $domain | Select-Object DisplayName, IssuerUri, PassiveSignInUri, ActiveSignInUri, SigningCertificate
Migrate a Domain from Federation to PHS/PTA (High-Level)
- Enable Password Hash Sync (or set up Pass-Through Authentication) in Entra Connect.
- Validate cloud auth sign-ins in a pilot group.
- Switch domain auth type to Managed during a maintenance window.
- Update app configs (now using Entra ID as IdP) and retire RPTs gradually.
# Graph does not flip auth type directly; use MSOnline/AzureAD modules if still available
# Reference approach (legacy):
# Set-MsolDomainAuthentication -DomainName contoso.com -Authentication Managed
Security Hardening Checklist (Black & White Edition)
- Use TLS 1.2+ only; remove weak ciphers and protocols.
- Restrict external exposure to WAP; never publish federation servers directly.
- Rotate signing/decrypting and TLS certs proactively; monitor expiration.
- Enable auditing at success and failure; forward to SIEM.
- Use step-up MFA for privileged roles and sensitive RPs.
- Harden service accounts (gMSA preferred), least privilege, and JIT/JEA for admins.
- Constrain claim data—emit only what an RP needs; avoid PII sprawl.
- Geo/IP allowlists for admin endpoints; CAPs for risky networks.
- WAF in front of WAP; DDoS protections and bot throttling.
- Regularly pen-test federation endpoints and metadata exposure.
Operational Runbooks: From Symptom to Root Cause
A) Sign-In Works Internally, Fails Externally
- Check WAP trust and backend health: Test-WebApplicationProxyConfiguration
- Validate public DNS for federation service name; verify SANs on public TLS cert.
- Confirm firewall NAT, ports (443), and health probe targets.
- Review WAP events: 13039 (trust), 12027 (backend issues).
- Capture HAR via browser dev tools to spot redirects/loops.
B) “There are no claims configured” (RP Error)
- Open the RP’s Issuance Transform Rules—ensure NameID/email/immutableID as required.
- Compare RP metadata’s <RequestedAttribute> types with your rules.
- Event 364 often shows the exact missing claim—adjust rules accordingly.
C) Certificate Expiry or Rollover Breaks Apps
- Check Get-AdfsCertificate for Token-Signing/Decrypting status.
- Export new signing cert public key to partners; update their SP trust.
- For SAML, validate signature thumbprint on SP side matches new key.
D) MFA Prompts Too Often
- Review global auth policy and per-RP access control policies.
- Tune persistent SSO cookie and token lifetimes for the RP.
- Ensure device registration is healthy to leverage device claims.
E) Token Bloat / “Header Too Large”
- Minimize group memberships in outgoing claims (map to roles).
- Use filters or transform to emit a small, app-specific set of claims.
- For SAML, compress assertions where supported; shorten friendly names.
Design Patterns & Reference Architectures
Legacy SAML SPs
- Use RP per SP; map UPN → NameID.
- Encrypt assertions with SP key.
- Short token life; force MFA off-network.
Modern OIDC Apps
- Prefer Authorization Code + PKCE.
- Emit sub, email, roles; avoid groups.
- Rotate client secrets; favor cert auth for confidential clients.
Partner Federation
- Minimal attributes; contractual data governance.
- Dual-signing windows during cert rollover.
- Geo-fencing and transaction-level logging.
10 Frequently Asked Questions (AD FS Essentials)
- 1) When should I keep AD FS instead of moving to Entra ID?
- Keep AD FS for apps that require federation features not supported natively in Entra ID, complex custom claims, or strict on-prem requirements.
- 2) Which protocol should my app use—SAML, WS-Fed, or OIDC?
- Use OIDC/OAuth for modern apps; SAML for established enterprise SPs; WS-Fed primarily for legacy Microsoft workloads.
- 3) How do I publish AD FS safely to the internet?
- Always via WAP behind a load balancer/WAF, with hardened TLS and no direct exposure of federation servers.
- 4) What’s the difference between RPT and CPT?
- RPT = app you issue tokens to (SP). CPT = upstream IdP you accept tokens from.
- 5) How do I reduce repeated MFA prompts?
- Tune token lifetimes, persistent cookies, and apply conditional MFA (e.g., outside corporate network).
- 6) How do I monitor AD FS effectively?
- Enable auditing, stream to SIEM, alert on events 342/364 spikes, track latency, and watch cert expiry.
- 7) Can I issue different claims to the same SP by group?
- Yes—use conditional issuance rules to add/remove claims based on user groups/roles.
- 8) What breaks most often after certificate renewal?
- Partners/SPs still trusting the old signing key or not importing the new metadata/cert.
- 9) How do I test a new claims rule safely?
- Clone RP to a staging app, test in lower environment, then promote with change control.
- 10) How do I find which RP is failing quickly?
- Filter AD FS Admin logs by Activity ID from user’s error page; correlate with event 364 to the RP name.
Appendix A — Command Reference (Day-2 Operations)
| Task | Command |
|---|---|
| List RPs and endpoints | Get-AdfsRelyingPartyTrust • Get-AdfsEndpoint |
| Import RP from metadata | Add-AdfsRelyingPartyTrust -MetadataUrl <url> |
| Rotate TLS cert | Set-AdfsSslCertificate -Thumbprint <thumb> |
| View signing keys | Get-AdfsCertificate -CertificateType Token-Signing |
| Force metadata refresh | Update-AdfsRelyingPartyTrust -TargetName <name> |
| Check WAP apps | Get-WebApplicationProxyApplication |
| Probe WAP config | Test-WebApplicationProxyConfiguration |
| Set token lifetime | Set-AdfsRelyingPartyTrust -TokenLifetime <mins> |
| View auth policy | Get-AdfsGlobalAuthenticationPolicy |
| Farm info | Get-AdfsFarmInformation |
Appendix B — Sample Change Templates
Change: Add New SAML RP
- Collect SP metadata URL/cert, ACS URLs, NameID format, required claims.
- Import RP from metadata; validate identifiers.
- Create issuance transform rules; test with a pilot user.
- Coordinate cert pinning on SP; validate signature.
- Go-live with rollback plan and monitoring enabled.
Change: Enable Step-Up MFA for Admins
- Identify admin groups; create policy requiring MFA off-network and for high-risk RPs.
- Communicate user impact; provide MFA enroll guidance.
- Pilot in non-production; evaluate failure rates.
- Enable gradually with monitoring and helpdesk scripts.