AD FS Components

Captions
In this video from ITFreeTraining I will look at the different components in Active Directory Federation Services. In particular, this video looks at what each component does rather than the features each version of Active Directory Federation Services has; that I will leave to a different video.

As shown, the components change depending on which version of Active Directory Federation Services you are using; however, most of the changes are to the name or the location of the component.

The first component is Active Directory Federation Services. Windows Server 2012 R2 comes with version 3 of Federation Services. The most noticeable difference is that Federation Service is a role only, with no separate components. When you install the role you are not given the choice to install additional components like in previous versions. Version 2.1 of Active Directory Federation Services was included with Windows Server 2012. The name of the role is Active Directory Federation Services and the main component is Federation Services, so the main difference between this and version 3 is that the Federation Service component is now a role rather than a component of a role. Version 2.0 was an optional download for Windows Server 2008. Version 1.1 was included with the operating system. Regardless of which version you use, Federation Services is a component of the Active Directory Federation Services role, so essentially if you want to install the main part of Active Directory Federation Services you would install the Active Directory Federation Services role and then select the Federation Service component.

The next component that I will look at is the proxy component. I will have a closer look at this in a moment, but essentially it is installed on the DMZ and provides communication between the Internet and the Active Directory Federation server. In Windows Server 2012 R2 the big change is that this component has been moved out of the Active Directory Federation Services role and into the Remote Access role. The component is now called Web Application Proxy. It still provides the same basic functionality as it did in the previous versions. In all the previous versions of Active Directory Federation Services the component is called Federation Services Proxy and is part of the Active Directory Federation Services role.

The last component that I will look at is the web agents. In version 3.1 of AD FS these web agents have been removed and are no longer available. In version 2.1 and in previous versions they are available as components of the Active Directory Federation Services role. In a moment I will have a closer look at the web agents, but essentially there is no real difference between the different versions of AD FS other than a small name change: in the later version of AD FS the web agents have the version number 1.1 in the name. So in effect, regardless of what the version of the web agent is, they perform the same role and have the same features regardless of which version of AD FS you are using.

I will now have a look at some of the functionality of these components. The first component I will have a closer look at is the Web Application Proxy. This component is new in Windows Server 2012 R2 and is a component of Remote Access rather than of the Active Directory Federation Services role. It has the same functionality as Federation Service Proxy and thus replaces it. The point to remember is that it has the same functionality but also has additional functionality; for example, it also allows applications to be published for remote access. This is not a feature that is required with Active Directory Federation Services, but it shows that this component can be used for things other than just Active Directory Federation Services. Regardless of what the component is called or where it is found in Server Manager, it performs the same basic task.

If you consider that Active Directory Federation Services needs to be on a server that is a member of the domain, an administrator will generally want to install an Active Directory Federation server on their internal network. If you have a user on the Internet that needs to access this server in order to obtain claims, you generally do not want a user directly accessing an internal network from the Internet. In the case of Active Directory Federation Services this user may not be an employee of your company. For this reason an AD FS proxy server will normally be deployed between the user, on the DMZ or the perimeter network, and the internal network. To keep the network safe, firewalls are placed between them.

What will happen now is that when the user attempts to contact the Active Directory Federation server they will instead contact the AD FS proxy server. The proxy server will pass the request on to the Active Directory Federation server. The Federation server will respond back to the proxy server; for example, if the user was requesting a claim it would pass this claim to the proxy server. The proxy server will then send the result back to the user. Now that the user has the claim they can use it to contact a claims-aware application, which will most likely be on the DMZ. You can see that the user at no time needs to contact the Active Directory Federation server directly. Also, the Active Directory Federation server needs to be a member of the domain, whereas the AD FS proxy does not need to be a domain member, which improves security. It should be pointed out that the user will use the same address to access the AD FS proxy server as they would if they were to contact the Active Directory Federation server directly. The AD FS proxy server essentially is transparent in the process.

The next component that I will look at is the Active Directory Federation Services web agents. These are not available in AD FS 3.0, shipped with Windows Server 2012 R2. If you are running an earlier version of AD FS you have two web agents to choose from: these are the claims-aware agent and the Windows token-based agent. The name of the component may be slightly different depending on which version of AD FS you are running. A third party may also provide their own agent. What they do is as follows. Let's say you have an application running on a server and this server only accepts NT security tokens. You also have Active Directory Federation Services running. The problem is that it creates a security token that has a claim in it; however, it is not an NT security token. To get around this you have an agent running in between. This agent will take a security token issued by Active Directory Federation Services with the claim inside and change it into an NT security token. This provides a way for claims-aware applications to work with Active Directory Federation Services that only accept NT tokens. Windows NT-based authentication is quite old now and this is probably why Microsoft removed this feature. The claims-aware agents were usually used with Internet Information Services. There are different ways to achieve this using different software that was previously not available, so this may also be one of the reasons why Microsoft removed it. The point to remember is that if you are planning to use AD FS 3.0 these features are no longer available.

Thanks for watching this video from ITFreeTraining. I hope that you found it informative. I hope to see you in other free videos from us for Active Directory Federation Services and others. Until then, thanks for watching and see you next time.
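The Windows Server 2012 R2 layout the video describes, written out as PowerShell. This is an added example, not code from the video or from ITFreeTraining: section 1 runs on the internal, domain-joined federation server, section 2 on the non-domain-joined DMZ proxy, and the final check shows which role each box carries and whether it is domain-joined. The names fs.example.com and app.example.com, the address 10.0.0.5, the certificate subjects and the EXAMPLE\ accounts are placeholders.

```powershell
# Added example, not from the video. Placeholders: fs.example.com, app.example.com,
# 10.0.0.5, EXAMPLE\svc_adfs, EXAMPLE\adfs_admin. Windows Server 2012 R2 only.

# ---- Section 1: internal, domain-joined AD FS server ----------------------
# In 2012 R2 the Federation Service is a role of its own: a single feature,
# with no separate "Federation Service" sub-component to select.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# The service name is the one address clients use inside and outside the
# network; external DNS points it at the proxy, internal DNS at this server.
$fsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=fs.example.com*' } | Select-Object -First 1
Install-AdfsFarm -CertificateThumbprint $fsCert.Thumbprint `
    -FederationServiceName 'fs.example.com' `
    -ServiceAccountCredential (Get-Credential 'EXAMPLE\svc_adfs')

# ---- Section 2: DMZ proxy server (workgroup, not domain-joined) -----------
# The proxy component moved into the Remote Access role as Web Application Proxy.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The proxy must resolve the federation service name to the internal server
# rather than to itself; a hosts entry is the usual approach on a DMZ host.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
    -Value "10.0.0.5`tfs.example.com"

# Register the proxy with the farm. The admin credential is used only for this
# one-time trust setup; afterwards the proxy authenticates with a trust certificate.
$proxyCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.example.com*' } | Select-Object -First 1
Install-WebApplicationProxy -FederationServiceName 'fs.example.com' `
    -FederationServiceTrustCredential (Get-Credential 'EXAMPLE\adfs_admin') `
    -CertificateThumbprint $proxyCert.Thumbprint

# Extra capability not needed for AD FS itself: publish a claims-aware app
# through the same proxy, pre-authenticating users at AD FS first.
Add-WebApplicationProxyApplication -Name 'Claims App' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://app.example.com/' `
    -ExternalCertificateThumbprint $proxyCert.Thumbprint `
    -BackendServerUrl 'https://app.internal.example.com/' `
    -ADFSRelyingPartyName 'Claims App'

# ---- Check (run on either server): does placement match the design? ------
# The federation server must be domain-joined; the proxy should not be.
$cs = Get-CimInstance Win32_ComputerSystem
$roles = (Get-WindowsFeature ADFS-Federation, Web-Application-Proxy |
    Where-Object Installed).Name -join ','
'{0}: roles={1} domainJoined={2}' -f $cs.Name, $roles, $cs.PartOfDomain
```

The check at the end is the quick way to confirm the point the video makes about security: a box reporting roles=Web-Application-Proxy with domainJoined=True has been placed in the DMZ as a domain member, which the design does not require.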
Info
Channel: itfreetraining
Views: 56,229
Keywords: ADFS Components, ITFreeTraining, Active Directory Federation Services, Active Directory (Software), Software (Industry), Windows Server (Operating System)
Id: l2sIUExLv5k
Length: 8min 4sec (484 seconds)
Published: Tue Jun 17 2014