Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-02-25) Gathering Architectural Details From Your ADFS Infrastructure – ADFS StandAlone Or ADFS Farm

Posted by Jorge on 2014-02-25


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know if you are running an ADFS Standalone or ADFS Farm installation? Keep reading to find out how to determine that!

Is it an ADFS Standalone or ADFS Farm installation?

After installing the ADFS binaries that were downloaded from the internet (W2K8 and W2K8R2) or installing the ADFS server role (W2K12), you have the following options to configure ADFS.


Figure 1: The ADFS Configuration Options

Below you find the CLI configuration options when configuring a "StandAlone" ADFS.

When using the parameter "StandAlone", ADFS is installed in single server mode. That means the service runs as "Network Service" and the ADFS configuration database is stored in WID (Windows Internal Database). The GUI version of the configuration wizard gives you no choices here: it always generates ADFS-managed self-signed certs for both the Token Signing cert and the Token Encryption cert, and it uses the subject name of the Service Communication cert you select as the federation service name. The CLI version of the configuration wizard lets you choose in both cases: either ADFS-managed self-signed or CA-issued certs for the Token Signing cert and the Token Encryption cert, and a federation service name that you either specify explicitly or derive from the subject name of the specified Service Communication cert.


Figure 2: Configuration Options Using The CLI For An ADFS StandAlone Configuration (W2K8, W2K8R2, W2K12)

Below you find the CLI configuration options when configuring a "Farm" ADFS that leverages WID for the ADFS configuration database.

When using the parameter "CreateFarm", ADFS is installed in multiple server mode with WID for the ADFS configuration database. A farm must run under a custom AD service account, because every node in the farm has to run under the same identity, which also holds the SPN of the federation service name. The certificate and federation service name choices are the same as for StandAlone: the GUI version of the configuration wizard always uses ADFS-managed self-signed certs for both the Token Signing cert and the Token Encryption cert and derives the federation service name from the subject name of the specified Service Communication cert, whereas the CLI version lets you choose either ADFS-managed self-signed or CA-issued certs and lets you either specify the federation service name or derive it from the subject name of the Service Communication cert.


Figure 3: Configuration Options Using The CLI For An ADFS Farm Configuration On WID (W2K8, W2K8R2, W2K12)

Below you find the CLI configuration options when configuring a "Farm" ADFS that leverages SQL for the ADFS Configuration database.

When using the parameter "CreateSQLFarm", ADFS is installed in multiple server mode with SQL Server for the ADFS configuration database. As with "CreateFarm", it must run under a custom AD service account. It is not possible to create a SQL based ADFS farm with the GUI version of the configuration wizard; that is only possible through the CLI version. With the CLI version you have the option of using either ADFS-managed self-signed certs or CA-issued certs for both the Token Signing cert and the Token Encryption cert, and you can either specify the federation service name or derive it from the subject name of the specified Service Communication cert.


Figure 4: Configuration Options Using The CLI For An ADFS Farm Configuration On SQL (W2K8, W2K8R2, W2K12)


Figure 5: Configuration Options Using The GUI For An ADFS StandAlone/Farm Configuration On WID (W2K8, W2K8R2, W2K12)

With ADFS v3.0 in W2K12R2 you can only install ADFS in Farm mode, either leveraging WID or SQL Server; StandAlone mode is no longer available. To be honest, you don't lose anything with this, because a farm can still consist of just one ADFS STS server. Whether you use WID or SQL Server for the ADFS configuration database, you can install/configure the ADFS farm through PowerShell or the Server Manager GUI, and the capabilities are almost the same. The one difference that matters: with PowerShell you can use either CA-issued certificates or ADFS-managed self-signed certificates for the Token Signing and Token Encryption certificate, whereas with Server Manager you can only use ADFS-managed self-signed certificates. My suggestion is to use CA-issued certificates from a well-known external/third-party certificate issuer, like DigiCert, Thawte, Verisign, etc. Keep in mind that when you bring your own Token Signing and Token Encryption certificates, ADFS does not roll them over automatically: you own the renewal, and every relying party must receive the new signing certificate before the old one expires.


Figure 6: Configuration Options Using The CLI For An ADFS Farm Configuration On WID Or SQL (W2K12R2)
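The following is an added example, not code from the original post or from Microsoft: it configures a W2K12R2 (ADFS 3.0) farm on WID from PowerShell with CA-issued Token Signing and Token Encryption (Token-Decrypting) certificates, which is exactly the option the Server Manager wizard does not offer. The federation service name, the service account, the certificate subjects and the SQL server name in the comment are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): build an ADFS 3.0 farm on WID with
# CA-issued signing/decrypting certificates via Install-AdfsFarm.
# Assumed values: fs.contoso.com, CONTOSO\svc_adfs and the certificate subjects.

Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

$fsName     = 'fs.contoso.com'      # assumed federation service name
$svcAccount = 'CONTOSO\svc_adfs'    # assumed AD service account shared by all farm nodes

# Look each certificate up in the computer store by subject. Pinning the exact
# thumbprints you intend to use is safer than searching; the search is for readability.
function Get-CertThumbprint([string]$Subject) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for '$Subject'" }
    return $cert.Thumbprint
}

$commThumb = Get-CertThumbprint "CN=$fsName"                    # Service Communication (SSL)
$signThumb = Get-CertThumbprint "CN=ADFS Signing - $fsName"     # Token Signing, CA issued (assumed subject)
$decrThumb = Get-CertThumbprint "CN=ADFS Encryption - $fsName"  # Token Encryption, CA issued (assumed subject)

# Never reuse one key pair for several roles: SSL, signing and decrypting must be distinct.
if (@($commThumb, $signThumb, $decrThumb | Select-Object -Unique).Count -ne 3) {
    throw 'Service Communication, Token Signing and Token Encryption certificates must be distinct'
}

$cred = Get-Credential -UserName $svcAccount -Message 'Password of the ADFS service account'

Install-AdfsFarm `
    -FederationServiceName           $fsName `
    -CertificateThumbprint           $commThumb `
    -SigningCertificateThumbprint    $signThumb `
    -DecryptionCertificateThumbprint $decrThumb `
    -ServiceAccountCredential        $cred
# For a SQL based farm add: -SQLConnectionString 'Data Source=sql01.contoso.com;Integrated Security=True'
# (server name assumed). Further nodes join with Add-AdfsFarmNode -PrimaryComputerName <first node>.

# Verify: all three roles should show the CA-issued thumbprints, and because the
# signing/decrypting certificates were supplied explicitly, AutoCertificateRollover is off.
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint
(Get-AdfsProperties).AutoCertificateRollover
```

If `Get-AdfsCertificate` still lists a self-signed ADFS-managed certificate as primary, the thumbprint parameters were not picked up and the farm is running on certificates nobody renews; fix that before publishing federation metadata to any relying party.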

YOU HAVE ADFS IN STANDALONE MODE WHEN:

[1] The ADFS service "ADFSSRV" is running with the Network Service as its service account


Figure 7: The ADFS Service "ADFSSRV"


Figure 8: The ADFS Service "ADFSSRV" With The "Network Service" As The Service Account

[2] …And the ADFS application pool is running with the "Network Service"


Figure 9: The ADFS Application Pool "ADFSAppPool" With The "Network Service"

One important thing to remember is that when you install ADFS in StandAlone mode, you CANNOT add an additional ADFS STS instance; multiple ADFS STS instances are only possible when ADFS is installed in Farm mode! Is it possible to "convert" ADFS in StandAlone mode to ADFS in Farm mode? Yes it is! See this blog post!

In StandAlone mode the service runs as Network Service, so the HOST SPN for the federation service name is registered on the computer account. When you then try to install an additional ADFS STS instance with a custom service account against that StandAlone STS, you get the error below. It occurs because the specified service account does not hold the SPN; the computer account does.


Figure 10: Error When Installing An Additional ADFS STS Instance Against An ADFS StandAlone Installation (SPN On Wrong Account)

When you register the SPN on the custom service account as well and try again to install an additional ADFS STS instance against the StandAlone STS (still running as Network Service), you get the error below. It occurs because the specified service account does not match the service account used by the ADFS StandAlone installation. Note that at this point the same SPN exists on two accounts, which is a duplicate SPN and breaks Kerberos authentication to the federation service; remove it from the account that should not hold it (setspn -D) rather than leaving both in place.


Figure 11: Error When Installing An Additional ADFS STS Instance Against An ADFS StandAlone Installation (Service Accounts Do Not Match)

YOU HAVE ADFS IN FARM MODE WHEN:

[1] The ADFS service "ADFSSRV" is running with a custom AD service account as its service account


Figure 12: The ADFS Service "ADFSSRV"


Figure 13: The ADFS Service "ADFSSRV" With A Custom AD User Account As The Service Account

[2] …And the ADFS application pool is running with the custom AD user account


Figure 14: The ADFS Application Pool "ADFSAppPool" With The Custom AD User Account

And as soon as you are running in Farm mode, you can add additional ADFS STS instances:


Figure 15: No Error When Adding An Additional ADFS STS Instance When Running In Farm Mode (After Conversion From StandAlone Mode)
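To turn the StandAlone/Farm indicators above (the account running "ADFSSRV", the identity of "ADFSAppPool") and the SPN discussion into something you can run on an undocumented ADFS server, here is an added example script; it is not part of the original post. It also reports whether the configuration database is WID or SQL Server and which AD account holds the HOST SPN. The configuration file paths, the `policyStore` element name and the example federation service name are assumptions; it needs PowerShell 3.0 or later, `setspn.exe`, and an elevated prompt on the ADFS server itself.

```powershell
# Added example (not from the original post): classify an existing ADFS STS as
# StandAlone or Farm from the indicators described in the post.
# Assumptions: ADFS 2.x / 3.0 config file locations, policyStore element, fs.contoso.com.

function Get-AdfsDeploymentMode {
    param([string]$FederationServiceName = 'fs.contoso.com')   # assumed example value

    $r = [ordered]@{ FederationServiceName = $FederationServiceName }

    # [1] Account that runs the ADFS service "adfssrv"
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) { throw 'Service adfssrv not found; ADFS is not installed on this host.' }
    $r.ServiceAccount = $svc.StartName          # "NT AUTHORITY\NetworkService" for StandAlone

    # [2] Identity of ADFSAppPool (ADFS 2.x on IIS only; ADFS 3.0 runs on HTTP.SYS without IIS)
    $r.AppPoolIdentity = 'n/a (no IIS pool)'
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $pool = Get-Item 'IIS:\AppPools\ADFSAppPool' -ErrorAction SilentlyContinue
        if ($pool) {
            $pm = $pool.processModel
            # SpecificUser means a custom account; otherwise a built-in identity such as NetworkService
            $r.AppPoolIdentity = if ("$($pm.identityType)" -eq 'SpecificUser') { $pm.userName } else { "$($pm.identityType)" }
        }
    }

    # [3] Configuration database: WID is reached over a named pipe to the internal
    #     instance (##SSEE on W2K8/R2, ##WID on W2K12+); anything else is a SQL Server farm.
    $cfgPaths = @("$env:ProgramFiles\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config",
                  "$env:windir\ADFS\Microsoft.IdentityServer.Servicehost.exe.config")   # assumed paths
    $cfg = $cfgPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($cfg) {
        [xml]$x = Get-Content -Path $cfg
        $conn = $x.configuration.'microsoft.identityServer.service'.policyStore.connectionString
        $r.ConfigDbConnection = $conn
        $r.ConfigDbType = if ($conn -match 'microsoft##ssee|microsoft##wid') { 'WID' } else { 'SQL Server' }
    }

    # [4] Which account(s) hold the HOST SPN of the federation service name. More than one
    #     line here is a duplicate SPN, which breaks Kerberos to the STS.
    $r.SpnHolders = @(& setspn.exe -Q "host/$FederationServiceName" 2>$null | Where-Object { $_ -match '^CN=' })

    # ADFS 3.0 only: primary or secondary node within the farm
    if (Get-Command Get-AdfsSyncProperties -ErrorAction SilentlyContinue) {
        $r.FarmRole = (Get-AdfsSyncProperties).Role
    }

    $r.Mode = Resolve-AdfsMode -ServiceAccount $r.ServiceAccount -AppPoolIdentity $r.AppPoolIdentity
    return [pscustomobject]$r
}

# The decision rule on its own: Network Service on the service (and, on ADFS 2.x, on the
# application pool) means StandAlone; a domain account means Farm (WID or SQL).
# Service and pool disagreeing is not a supported state and is flagged for manual review.
function Resolve-AdfsMode([string]$ServiceAccount, [string]$AppPoolIdentity) {
    $svcIsNetSvc = $ServiceAccount -eq 'NT AUTHORITY\NetworkService'
    if ($AppPoolIdentity -like 'n/a*') {            # ADFS 3.0: no IIS, the service account decides
        return $(if ($svcIsNetSvc) { 'StandAlone' } else { 'Farm' })
    }
    $poolIsNetSvc = $AppPoolIdentity -eq 'NetworkService'
    if ($svcIsNetSvc -eq $poolIsNetSvc) {
        return $(if ($svcIsNetSvc) { 'StandAlone' } else { 'Farm' })
    }
    return 'Inconsistent: service and application pool identities differ, inspect manually'
}

Get-AdfsDeploymentMode -FederationServiceName 'fs.contoso.com' | Format-List
```

Read the output together: a `Mode` of `StandAlone` with the SPN on the computer account is the configuration in which joining a second node fails as shown in Figures 10 and 11, and a `Mode` of `Farm` whose `SpnHolders` lists the service account is the one in which Figure 15 applies.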

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge's Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————
