Load Balancing and Active Directory Federation Services (ADFS 2.0)

Active Directory Federation Services (ADFS) is a Microsoft identity access solution. It was an optional component of Microsoft Windows Server® 2003 R2, now built into Windows Server® 2008. ADFS helps you establish trust relationships and reduces the need for provisioning and managing user accounts. Its implementation provides browser-based clients (internal or external to your network) with seamless, “Single Sign-On” access to one or more protected Internet-facing applications (e.g. Cloud based services such as Office 365).

Trust relationships are used to project a user’s digital identity and access rights to trusted partners and can be deployed in multiple organisations in order to facilitate business-to-business (B2B) transactions between trusted partner organisations.

Servers – Proxy – Configuration Store (Database)

ADFS Server: Responsible for user authentication and issuance of claims. The Server must be able to connect to a Domain Controller. It authenticates users from multiple domains via windows trust. The ADFS server can be setup in cluster for high availability.

ADFS Proxy Server: Authenticates users from the internet and protects the ADFS Server from Internet based threats.

ADFS configuration Database: Relying party trust, certificates, claim Provider trust, claims description, service configuration, attributes… are all stored in the Database. The entire content of the Database can be stored as in instance of SQL database or Windows Internal Database (max 5 servers) but not both at the same time.

Multiple ADFS proxy servers can be setup in cluster for high availability solutions.

3 Basic Load Balancing Methods

  • DNS round robin.
  • Windows Network Load Balancing (WNLB).
  • Hardware based network load balancing (Kemp).

Traffic & Process flow of the Kemp Load Balanced ADFS 2.0 farm

  1. The user on the internal corporate site uses the Web browser to access the ADFS external resource.
  2. The external Web server rejects the connection because there is no ADFS authentication Token, the user is then redirected to the external ADFS Resource Partner.
  3. The user is redirected to its own organisation’s internal federation service.
  4. The ADFS server authenticates the user credentials to active directory.
  5. The ADFS server provides the user with the signed security token and a set of claims for the external ADFS resource partner.
  6. The corporate user connects to the resource partner federation service where the token and claims are verified.
  7. The user gain access after presenting the new security token to the resource for access.

Summary

The Kemp LoadMaster can be deployed to load balance ADFS 2.0 Servers, Proxy Farms and provide high availability, better performance and scalability as ADFS requires Transport Layer Security and Secure Sockets Layer (TLS/SSL). The Hardware Load Balancing will provide the functionality to test the application or the service connectivity. A greater range of scheduling methods (Least connection preferred).


Using the Kemp LoadMaster™
Joe Lepore, Pre-Sales Engineer, Kemp Technologies