Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens

Posted by Jorge on 2013-09-24


I have seen or heard the question multiple times whether ADFS can provide security tokens for users in other forests, and if YES, what the requirements are to achieve that.

For the ADFS STS (Security Token Service) to be able to issue security tokens to AD users, the ADFS STS MUST be joined to an AD domain. When joined to an AD domain it supports Windows Integrated Authentication. For an ADFS STS to be able to issue security tokens for a user, the user must be able to access the ADFS STS as a resource in an authenticated manner, AND the ADFS STS must be able to extract information about the user from AD, again in an authenticated manner. With all that in mind, the ADFS STS is therefore able to provide security tokens with claims for any of the following users when the specific requirements are met:

  • User accounts in the same AD domain as the ADFS STS (in this case the user and the ADFS STS already trust each other automatically, so no additional specific requirements are needed);
  • User accounts in any AD domain in the same AD forest as the ADFS STS (in this case the user and the ADFS STS already trust each other automatically because of the implicit/explicit transitive trusts within the forest, so no additional specific requirements are needed);
  • User accounts in any AD domain/forest for which a two-way trust exists with the AD domain/forest of the ADFS STS server.

If you have an AD forest with multiple AD domains, you only need one ADFS STS farm to be able to issue security tokens for all the users in the same AD forest.

If you have multiple AD forests, you only need one ADFS STS farm in any one of the AD forests, AND every other AD forest must have a two-way trust with the AD forest in which the ADFS STS farm is installed. If any of the AD forests does not have or cannot have a two-way trust with the AD forest that hosts the ADFS STS farm, then that AD forest must host its own ADFS STS farm.

Be aware that you should consider the ADFS STS as a writable DC and also secure it as such! Anyone in control of an ADFS STS is able to issue security tokens. If for whatever reason you need to connect to your STS server from an untrusted network (e.g. the internet), you would need a federation (reverse) proxy server or a Unified Access Gateway (UAG) server with SP1 as an intermediate.
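To make the three rules above checkable, the following PowerShell is an added example (not code from the original post): run on the ADFS STS host with the RSAT ActiveDirectory module, it classifies a given user domain as same domain, same forest, two-way trusted, or not eligible, and flags selective authentication on a trust. The function name, the DNS-suffix match for child domains of a forest trust, and the sample domain name are assumptions.

```powershell
# Added example, not code from the original post: applies the post's rules
# (same domain, same forest, two-way trust) to a user domain from the STS host.
# Assumes the RSAT ActiveDirectory module; the sample domain name is constructed.
Import-Module ActiveDirectory

function Test-AdfsUserDomain {
    param([Parameter(Mandatory)][string]$UserDomainDnsName)
    $target = $UserDomainDnsName.ToLower()
    $result = [ordered]@{ Domain = $target; Eligible = $false; Reason = ''; Note = '' }

    # Rule 0: the STS must be domain-joined, or WIA and AD lookups cannot work.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $result.Reason = 'STS host is not joined to an AD domain'
        return [pscustomobject]$result
    }
    $stsDomain = Get-ADDomain   # domain the STS host belongs to
    $stsForest = Get-ADForest   # forest of that domain

    # Rule 1: same domain as the STS.
    if ($target -eq $stsDomain.DNSRoot.ToLower()) {
        $result.Eligible = $true; $result.Reason = 'same domain as the STS'
        return [pscustomobject]$result
    }
    # Rule 2: any domain in the same forest (transitive intra-forest trusts).
    if (($stsForest.Domains | ForEach-Object { $_.ToLower() }) -contains $target) {
        $result.Eligible = $true; $result.Reason = 'same forest as the STS'
        return [pscustomobject]$result
    }
    # Rule 3: a two-way external or forest trust. For a forest trust the user's
    # domain may be a child of the trust target, so a DNS-suffix match is
    # accepted (assumption: the child shares the trusted forest root's suffix).
    $trust = Get-ADTrust -Filter * | Where-Object {
        $t = $_.Target.ToLower()
        $t -eq $target -or ($_.ForestTransitive -and $target.EndsWith(".$t"))
    } | Select-Object -First 1
    if (-not $trust) {
        $result.Reason = 'no trust with this domain or its forest; it needs its own STS farm'
    } elseif ($trust.Direction -ne 'BiDirectional') {
        $result.Reason = "trust to $($trust.Target) is $($trust.Direction), not two-way"
    } else {
        $result.Eligible = $true
        $result.Reason = "two-way trust to $($trust.Target) ($($trust.TrustType))"
        if ($trust.SelectiveAuthentication) {
            $result.Note = 'selective authentication is on: the STS computer object needs Allowed to Authenticate for these users'
        }
    }
    [pscustomobject]$result
}

Test-AdfsUserDomain -UserDomainDnsName 'child.partner.example'   # constructed sample
```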

Cheers,
Jorge

10 Responses to “(2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens”

  1. Arek said

    I have a problem with ADFS 3.0 which is installed in a child domain of one of our partners. Probably the root cause is that the traffic to the root domain is prohibited from the site where ADFS is located. The ADFS server only has access to a DC for the child domain. I got an error trying to log in with my credentials to ADFS. In the logs I have something like this: System.ComponentModel.Win32Exception: Failed to open ldap conection to domain.name.com.
    So my question is, is there any possibility to bypass this issue? We just want to authenticate users from the child domain.

    • Jorge said

      There are not enough details in your question to be able to determine the root cause. My first guess is that the nearest GC is a GC in the root AD domain. Have you turned on debug logging in ADFS to get more details?
      In a multiple AD domain forest, the connection to a GC is mandatory for authentication to succeed.

      PS: I responded quite late on this question. Most likely you have solved this by now. If possible, provide information on the root cause and how you solved it.

  2. […] a separate AD with its own ADFS infrastructure and configure federation between (also see: (2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens) […]

  3. […] In the following blog posts I explained for which user accounts an ADFS STS was able to issue security tokens: (2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens. […]

  4. Gurujyot said

    Hi,
    I have two domains, abc.com and 123.com, in different forests. abc.com hosts different cloud applications. I want to set up ADFS between abc.com and 123.com so that users of these domains are able to access those applications without any issues using ADFS.

    Please help me to know what this setup would require. Are there any downsides with this kind of setup?

  5. Matthias said

    Hi, if I have two forests (without a forest trust but with two ADFS instances) and users from forest A would like to access an application in forest B, is there a way to create a federation where a user from forest A authenticates against the ADFS proxy of forest B when accessing the app from “external”?

    • Jorge said

      Environment B (ENV-B.COM):
      * AD forest (ENV-B.COM)
      * ADFS instance(s)
      * WAP instance(s)
      * App(s) connected to ADFS
      * ADFS has an IdP/CP trust for FSA.ENV-A.COM
      * Federation FQDN FSB.ENV-B.COM
      In this case the WAP instances must resolve FSB.ENV-B.COM to IPs of ADFS instance(s) in environment B
      App(s) and user(s) in this forest must resolve FSB.ENV-B.COM to IPs of ADFS instance(s) in environment B

      Environment A (ENV-A.COM):
      * AD forest (ENV-A.COM)
      * ADFS instance(s)
      * WAP instance(s)
      * App(s) connected to ADFS
      * ADFS has an RP/SP trust for FSB.ENV-B.COM
      * Federation FQDN FSA.ENV-A.COM
      In this case the WAP instances must resolve FSA.ENV-A.COM to IPs of ADFS instance(s) in environment A
      App(s) and user(s) in this forest must resolve FSA.ENV-A.COM to IPs of ADFS instance(s) in environment A

      Now you are saying users in ENV-A.COM must target the WAP in ENV-B.COM when resolving FSB.ENV-B.COM
      Remember that you have the following choices, and there is NOTHING in between!:
      [1] From environment A, FSB.ENV-B.COM resolves to ADFS in environment B
      OR
      [2] From environment A, FSB.ENV-B.COM resolves to WAP in environment B

      I assume you already have a DNS forwarder on your DNS servers for ENV-B.COM to the DNS servers of environment B.
      If yes, because of that FSB.ENV-B.COM will always resolve to the ADFS servers in environment B.

      However, if you want to resolve FSB.ENV-B.COM to the WAP servers in environment B for both users and ADFS in environment A, then do the following:
      On your DNS servers create a DNS zone called FSB.ENV-B.COM and specify the “(same as parent)” A records to point to the WAP servers in environment B.
      The downside of this is that if people change (reconfigure, add, delete) WAP servers, you must become aware of it to be able to adjust your DNS records.

      Best Regards,
      Jorge
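The two DNS choices in the reply above, as an added example that is not part of the original comment: DnsServer module commands run on a DNS server in environment A, first the conditional forwarder for ENV-B.COM (choice [1], answers with ADFS IPs) and then the overriding FSB.ENV-B.COM zone with "(same as parent)" A records (choice [2], answers with WAP IPs). All IP addresses and the helper function name are constructed assumptions.

```powershell
# Added example, not code from the original reply: environment A's DNS for
# the federation name FSB.ENV-B.COM. Assumes the DnsServer module on an
# AD-integrated DNS server in ENV-A.COM; IP addresses are constructed samples.
Import-Module DnsServer

# Choice [1]: a conditional forwarder for ENV-B.COM sends every ENV-B.COM query,
# FSB.ENV-B.COM included, to environment B's DNS, which answers with its ADFS IPs.
Add-DnsServerConditionalForwarderZone -Name 'ENV-B.COM' `
    -MasterServers 192.0.2.53 -ReplicationScope 'Forest'

# Choice [2]: a more specific zone for FSB.ENV-B.COM overrides the forwarder for
# that one name. The "(same as parent)" A records are created with Name '@' and
# point at environment B's WAP servers instead of its ADFS servers.
function Set-FederationNameToWap {
    param(
        [Parameter(Mandatory)][string]$FederationFqdn,   # e.g. FSB.ENV-B.COM
        [Parameter(Mandatory)][string[]]$WapAddresses    # WAP IPs in environment B
    )
    if (-not (Get-DnsServerZone -Name $FederationFqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $FederationFqdn -ReplicationScope 'Forest'
    }
    # A short TTL limits the downside named in the reply: WAP changes in
    # environment B must be mirrored here by hand.
    foreach ($ip in $WapAddresses) {
        Add-DnsServerResourceRecordA -ZoneName $FederationFqdn -Name '@' `
            -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
    }
}
Set-FederationNameToWap -FederationFqdn 'FSB.ENV-B.COM' -WapAddresses '198.51.100.21','198.51.100.22'

# Verify which choice is in effect: the answer must be ONLY ADFS IPs or ONLY
# WAP IPs; a mix is the "nothing in between" situation the reply warns against.
Resolve-DnsName -Name 'FSB.ENV-B.COM' -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress
```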

  6. Jonathan Turwy said

    Hello,

    I have 2 forests with a two-way trust set up. I am unable to authenticate with domain B to the ADFS on domain A. I can resolve FQDNs with no issues. I can set AD on both sites to allow accounts from the other domains to manage, etc.

    I get errors 364 and 1000 on the ADFS servers for accounts in domain B.

    I have to be missing something. Any ideas?

    • Jorge said

      Is this a 2-way forest trust WITHOUT selective authentication or WITH selective authentication?

      It should just work if it is a 2-way forest trust WITHOUT selective authentication, or in other words with forest-wide authentication.
