Summit 7 Team Blogs

AD FS: Answers to Your Comments and Questions

I'd like to start by apologizing to everyone for not responding more promptly to your comments on the Beginners Guide series. I won't make any excuses; I've been just a little busy and it fell through the cracks.

That brings us to the point of today's article, my responses to your questions and comments. I thought it would be easier if I just answered them here in a single article for a couple of reasons. There were one or two questions that might spark some further discussion (which is always good in my opinion).

Before I jump into the questions I'll take the time to thank everyone that made comments and asked questions for taking the time to do so. It's rewarding to see people getting something useful from my efforts.

So, now the questions, comments and my responses.

Jacob commented: "I still don't understand the benefits ADFS provides w.r.t. SSO, since every time the IE browser is re-initialized I get both an ADFS login window and then another windows login prompt. Where my hope was the user wouldn't have to re-authenticate any time after logging on once and the certificate was valid. I don't see the benefits of ADFS yet."

Me: Jacob, what I would look at first, off the top of my head, would be the token timing. If that timing is off a little bit it's possible that you will see frequent requests to authenticate. It's actually common to see a situation when first configuring AD FS where the browser gets hung in an authentication request loop because the token times are off.
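To make "the token times are off" concrete, here is an added example (my own code, not from the original post or from Microsoft) that evaluates a token's validity window the way a relying party such as SharePoint does, including the clock-skew tolerance, and checks the lifetime relationship that produces the redirect loop. The assertion, issuer URL, audience URN and timestamps are all constructed sample values; the 5-minute skew is WIF's default MaxClockSkew, and the loop check assumes both lifetimes are given in minutes.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 1.1 assertion namespace: the token format AD FS issues to SharePoint
# over WS-Federation.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (not a real AD FS token). Only the parts that
# matter for timing are present; the signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="http://adfs.example.test/adfs/services/trust"
    IssueInstant="2014-09-01T12:00:00.000Z">
  <saml:Conditions NotBefore="2014-09-01T12:00:00.000Z"
                   NotOnOrAfter="2014-09-01T13:00:00.000Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:sharepoint:constructed-example</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, tolerating fractional seconds of any length."""
    value = re.sub(r"\.\d+(?=Z$)", "", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_time(hour, minute):
    """Helper for the sample day used in the constructed assertion."""
    return datetime(2014, 9, 1, hour, minute, tzinfo=timezone.utc)


def check_token_timing(assertion_xml, now, skew=timedelta(minutes=5)):
    """Evaluate the assertion's Conditions window as a relying party would.

    Returns (status, detail): status is 'valid', 'not_yet_valid', 'expired'
    or 'no_conditions'; detail is the relevant time difference. skew is the
    clock-skew tolerance the relying party allows (assumption: WIF's 5-minute
    default, which SharePoint's STS inherits).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find(f"{{{SAML1_NS}}}Conditions")
    if conditions is None:
        return "no_conditions", None
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        # The issuer's clock is ahead of ours by more than the tolerance;
        # this is the classic "freshly issued token rejected" symptom.
        return "not_yet_valid", not_before - now
    if now - skew >= not_on_or_after:
        # Lifetime has elapsed even after allowing for skew.
        return "expired", now - not_on_or_after
    return "valid", not_on_or_after - now


def redirect_loop_risk(token_lifetime_minutes, logon_token_cache_window_minutes):
    """Configuration check behind the authentication loop: SharePoint's
    LogonTokenCacheExpirationWindow must be shorter than the AD FS relying
    party TokenLifetime. If it is not, SharePoint treats every new token as
    already expired and bounces the browser straight back to AD FS.
    Assumption: both values are expressed in minutes."""
    return logon_token_cache_window_minutes >= token_lifetime_minutes


if __name__ == "__main__":
    for when in (sample_time(11, 52), sample_time(11, 57), sample_time(12, 30),
                 sample_time(13, 3), sample_time(13, 6)):
        status, detail = check_token_timing(SAMPLE_ASSERTION, when)
        print(f"{when.isoformat()}  {status:14}  {detail}")
    print("loop risk (lifetime 60, cache window 10):", redirect_loop_risk(60, 10))
    print("loop risk (lifetime 10, cache window 10):", redirect_loop_risk(10, 10))
```

Running it shows a token being rejected as not yet valid when the relying party's clock is more than the skew behind the AD FS server, accepted within the skew, and expired only once the skew has been used up; the last two lines show the lifetime comparison that decides whether the browser loops.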

Aside from that there are other considerations I haven't written about because they are probably more business decision focused than the technical stuff I normally tend to write. There are going to be situations where the implementation of AD FS is more of a requirement than a "This would be nice to have" kind of thing. Several examples of that:

  • If you're going to publish your SharePoint web application externally using a reverse proxy you only have 4 choices of reverse proxy to use. Microsoft only supports Threat Management Gateway 2010 (TMG, which has been discontinued), F5 BIG-IP, Citrix NetScaler, and…? Windows Server 2012 R2 Web Application Proxy, or WA-P, which requires an AD FS instance internally on your network to work correctly (more on that sometime soon).
  • If you are going to do any kind of hybrid deployment you may find that implementing AD FS is an easier, or more cost-effective, choice than trying to go another direction.


Soheil commented: "It would be nice if you could describe OAuth in plain language as well."

Me: That's a good and a fair point and it's on that constantly adjusting list of planned projects. To be honest the more I dig into AD FS, Claims-based authentication, WA-P (which I haven't even gotten to here yet), etc… the more I find there is to learn, read, research, record. So at this point it's really hard to say if or when I'll be able to get to it.

I'm going to post this article and then three more I'm planning on having done before SharePointalooza on September 18 – 20. I'll be presenting an AD FS session there Saturday morning at 8:30. More on that coming soon. I have a couple of tests I have to take so I won't be writing much in October and November in all likelihood.

After that, a lot of what I'll be writing will be dependent on what I'm actually doing at the time. I'm lucky enough to have a job that allows me the opportunity to do a lot of different things.

Anil247 asked: Why does SharePoint need to generate an STS token, and is there any validation done against the SAML token and the STS token? How is the user role mapping done in this mechanism?

Me: I'll probably come back at some point and talk about how roles can be used to manage access to specific content within SharePoint. The actual mapping of a role is done the same way you set any other claim type mapping; the syntax is slightly different, I would imagine.

The primary responsibility of the Security Token Service (STS) is to manage, issue and validate security tokens; if the STS is not functioning correctly then users will likely experience issues logging in.

Sahil Verma asked: I have two SP web applications which I need to put in Single Sign In mode using Claim Based Authentication with ADFS Issuer.

Issue is that these web applications are in production, up and running. The main intranet web application has hundreds of site collections and complex permission management. Will an implementation like this affect the permissions over the sites, since the existing permissions are there with users from the default provider? Do I need to define the permissions again everywhere?

Me: Sahil, I'd say that there's a very real chance that inserting AD FS/Claims could impact your setup. The first thing I would do before I would even consider making that leap is make sure I have some way to document all the configuration settings and permissions (down to the item level) in the farm AND present them to me or my team in a manner that is fairly simple to understand.

Once you know you have a solidly documented configuration of the farm (and you really should have that anyway, right?) I think you would need to plan out your authentication scheme and do everything you can to avoid changing it too drastically (i.e. going from logging in using sAMAccountName to using email address). My thought would be that

I'd also strongly recommend trying it in a test farm first; better to break the test farm trying something than the production farm, right?

Richard commented: I am lost on the statements above. I don't see how an identifier claim type is set in a SharePoint Trusted Identity Provider, thus what I would specify differently if/when recreating it. I do see how email is used in the ADFS claim rules (# 4 specifically), but don't understand what changing that would accomplish.

Me: Thanks Richard, I think what I meant there, and what apparently got missed when I proofed it, was the input claim type. Nice catch, thanks for pointing it out, and I'm glad you got some value from the series.

Krishna asked: In the step "Configure the S7Gear Relying Party Trust", you have edited the Claim rules to add new rule. This will force the user to redirect to the S7LAB ADFS server for the authentication.

How could I continue to make sure that internal users who are connecting via the internet can use ADFS authentication, or would they just need to connect using Windows authentication and get the authentication popup since they are not connecting from the internal network?

Me: Krishna, the way it would work in my mind is that internal users accessing the corporate SharePoint portal over the internet would have to access the portal after it's been published through the firewall, preferably with a reverse proxy (see my comments to Jacob on which ones are supported by Microsoft) to add that additional layer of protection.

Internal users would be accessing over the local network and could be logged in using the currently logged in user settings of IE without being prompted for authentication at all.

Jaymz asked: One question, you said "For this lab I am passing through all claims although that might not be advisable in a production configuration". Can you elaborate on why it's not such a good idea and what you would do instead if you are constructing a production environment?

Me: It's probably more personal paranoia than anything else Jaymz. I think it's just a matter of time before we have a major SharePoint hack (I don't really consider what Snowden did a hack as much as a rogue administrator run amok). I also think it would be dependent upon your environment; if you work in an industry or vertical that deals with sensitive or confidential information or is subject to some form of compliance (HIPAA, FERPA, SOX, etc…) there may be reason to limit, or monitor, what is being passed back and forth.

Of course I could just have an overactive imagination :)
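As an added illustration of "limit what is being passed back and forth" (my own example, not code from the original post), the script below takes a constructed set of claims that AD FS might hold for one user, shows which of them a blanket pass-through rule would send to the relying party versus an allowlist of the types SharePoint actually needs, flags the withheld types that expose directory structure (SIDs, group SIDs, Windows account names), and emits the equivalent AD FS claim-rule-language issuance rules. The user values, SIDs and the allowlist are all placeholders chosen for the example; the claim-type URIs are the standard ones AD FS uses.

```python
# Standard claim-type URI prefixes used by AD FS.
XS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"

# Constructed sample: claims AD FS could hold for one user after an
# "LDAP attributes as claims" rule. Every value here is a placeholder.
SAMPLE_CLAIMS = [
    (XS + "emailaddress", "jdoe@example.test"),
    (XS + "upn", "jdoe@example.test"),
    (XS + "givenname", "Jane"),
    (XS + "surname", "Doe"),
    (MS + "windowsaccountname", "EXAMPLE\\jdoe"),
    (MS + "primarysid", "S-1-5-21-0-0-0-1001"),   # placeholder SID
    (MS + "groupsid", "S-1-5-21-0-0-0-512"),      # placeholder SID
    (MS + "groupsid", "S-1-5-21-0-0-0-1105"),     # placeholder SID
    (XS + "role", "SharePoint Contributors"),
]

# Assumption for the example: this relying party uses email as the identifier
# claim and role for authorization, and needs nothing else.
RP_ALLOWLIST = {XS + "emailaddress", XS + "role"}

# Claim types that reveal AD structure or are identifiers a web application
# rarely needs; a pass-through-all rule sends them to every relying party.
SENSITIVE_TYPES = {MS + "primarysid", MS + "groupsid", MS + "windowsaccountname"}


def filter_claims(claims, allowlist):
    """Split claims into those an allowlist rule would issue and those it would
    withhold. The withheld list is exactly what 'c:[] => issue(claim = c);'
    sends in addition to the allowed claims."""
    issued = [c for c in claims if c[0] in allowlist]
    withheld = [c for c in claims if c[0] not in allowlist]
    return issued, withheld


def sensitive_leakage(claims, allowlist):
    """Sensitive claim types that a pass-through rule would send but the
    allowlist would not; sorted so the result is stable for reporting."""
    _, withheld = filter_claims(claims, allowlist)
    return sorted({claim_type for claim_type, _ in withheld if claim_type in SENSITIVE_TYPES})


def issuance_rules(allowlist):
    """Render the allowlist as AD FS claim-rule-language text: one issuance rule
    per allowed type, replacing the single pass-through-all rule."""
    lines = []
    for claim_type in sorted(allowlist):
        short_name = claim_type.rsplit("/", 1)[-1]
        lines.append(f'@RuleName = "Pass through {short_name}"')
        lines.append(f'c:[Type == "{claim_type}"]')
        lines.append(" => issue(claim = c);")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issued, withheld = filter_claims(SAMPLE_CLAIMS, RP_ALLOWLIST)
    print("Issued by allowlist:")
    for claim_type, value in issued:
        print(f"  {claim_type}  =  {value}")
    print("Also sent by pass-through-all but withheld here:")
    for claim_type, value in withheld:
        print(f"  {claim_type}  =  {value}")
    print("Sensitive types withheld:", sensitive_leakage(SAMPLE_CLAIMS, RP_ALLOWLIST))
    print("Equivalent AD FS issuance rules:")
    print(issuance_rules(RP_ALLOWLIST))
```

The rule text it prints is what you would paste into the relying party trust's issuance transform rules (or feed to Set-AdfsRelyingPartyTrust -IssuanceTransformRules) in place of the lab's pass-through rule; the withheld list doubles as a record of what the relying party was receiving before, which is useful when deciding what to monitor.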

Coming Up

My next planned AD FS article will be around some of the troubleshooting tools I have found useful as I have been working through this process. I think most folks will find most of them useful for more than just troubleshooting authentication issues.

Again, to all of you that have read and commented - my apologies for not replying sooner. Thanks for reading and enjoying!