(2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens
Posted by Jorge on 2013-09-24
I have seen or heard the question multiple times whether ADFS can provide security tokens for users in other forests, and if YES, what the requirements are to achieve that.
For the ADFS STS (Security Token Service) to be able to issue security tokens to AD users, the ADFS STS MUST be joined to an AD domain. When joined to an AD domain it supports Windows Integrated Authentication. For an ADFS STS to be able to issue security tokens for a user, the user must be able to access the ADFS STS as a resource in an authenticated manner, AND the ADFS STS must be able to extract information about the user in, again, an authenticated manner. With all that in mind, the ADFS STS is therefore able to provide security tokens with claims for any of the following users when specific requirements are met:
- User accounts in the same AD domain of the ADFS STS (in this case the user and the ADFS STS trust each other automatically already, so no additional specific requirements needed);
- User accounts in any AD domain in the same AD forest of the ADFS STS (in this case the user and the ADFS STS trust each other automatically already because of the implicit/explicit transitive trusts, so no additional specific requirements needed);
- User accounts in any AD domain/forest for which a two-way trust exists with the AD domain/forest of the ADFS STS server.
If you have an AD forest with multiple AD domains, you only need one ADFS STS farm to be able to issue security tokens for all the users in the same AD forest.
If you have multiple AD forests, you only need one ADFS STS farm in any one of the AD forests, AND every other AD forest must have a two-way trust with the AD forest where the ADFS STS farm is installed. If any of the AD forests does not have or cannot have a two-way trust with the AD forest that hosts the ADFS STS farm, then that AD forest must host its own ADFS STS farm.
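To check these rules against a real environment, here is an added example (not from the original post) that lists the trusts of the forest hosting the ADFS STS and reports, per partner forest, whether the two-way trust requirement is met. It assumes it is run on a domain-joined machine in the STS forest with the ActiveDirectory RSAT module installed.

```powershell
# Added example: classify partner forests by whether the ADFS STS in this forest
# can issue tokens for their users (two-way trust required, see rules above).
# Assumes the ActiveDirectory module (RSAT) and a domain-joined machine in the STS forest.
Import-Module ActiveDirectory

$stsForest = (Get-ADForest).Name
Write-Host "ADFS STS forest: $stsForest"
Write-Host "All domains inside this forest are covered via the implicit transitive trusts."
Write-Host ""

# Intra-forest trusts are implicit and already covered, so only look at trusts
# to domains/forests outside the STS forest.
$external = Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest }

$report = foreach ($t in $external) {
    # Only a two-way (BiDirectional) trust lets partner users authenticate to the STS
    # AND lets the STS read their attributes from the partner directory.
    $covered = ($t.Direction -eq 'BiDirectional')
    if ($covered) {
        $note = 'two-way trust: this STS farm can issue tokens for its users'
    } else {
        $note = 'no two-way trust: partner must host its own ADFS STS farm'
    }
    [pscustomobject]@{
        Partner          = $t.Name
        Direction        = $t.Direction
        ForestTransitive = $t.ForestTransitive
        TokensIssuable   = $covered
        Note             = $note
    }
}

$report | Format-Table -AutoSize
```

Note that only trusts directly held by the STS forest are listed; a forest reachable solely through another forest's trust is not covered, since forest trusts are not transitive across forests.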
Be aware: consider the ADFS STS as a writable DC and secure it as such! Anyone in control of an ADFS STS is able to issue security tokens. If for whatever reason you need to connect to your STS server from an untrusted network (e.g. the internet), you would need to have a federation (reverse) proxy server or a Unified Access Gateway (UAG) server with SP1 as an intermediate.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/