Load Balancing ADFS

Active Directory Federation Services (AD FS) is Microsoft's identity federation solution. It was an optional component of Windows Server® 2003 R2 and is built into Windows Server® 2008, Windows Server® 2012 and Windows Server 2012 R2. AD FS on Windows Server 2012 R2 is sometimes referred to as AD FS 3.0.

The KEMP LoadMaster family of products provides high availability for AD FS farms and for AD FS proxy farms (Web Application Proxy, WAP). AD FS proxy servers terminate external traffic in the DMZ and provide an additional layer of protection against external threats. They also let the internal AD FS servers identify which authentication attempts originate outside the network: the proxy inserts the x-ms-proxy claim (http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy) into each request it forwards to AD FS, and requests that arrive without it are treated as internal.

AD FS administrators can configure advanced claims rules that give granular control over authentication, such as requiring users to be members of a particular group or to authenticate from particular IP networks. When such rules are in place on the AD FS servers, it becomes critical to identify whether a user is authenticating from an external location or from the internal network, and AD FS does that by checking for the x-ms-proxy claim.

In deployments that do not use such advanced claims rules, KEMP LoadMaster devices can be placed in the DMZ and proxy authentication requests directly to the internal AD FS servers, without additional AD FS proxy (WAP) servers. This can save the hardware, software and management costs of maintaining a separate proxy tier. The trade-off is that no proxy means no x-ms-proxy claim: every request reaching AD FS this way looks internal, so rules that distinguish external from internal sign-ins, and on Windows Server 2012 R2 the extranet lockout feature, which only applies to requests arriving through the proxy, will not protect this traffic.
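The following is an added example, not part of the KEMP guide or of any KEMP or Microsoft code, showing the kind of "advanced claims rule" the two paragraphs above refer to, and why it only works when a proxy tier is present. It sets an issuance authorization rule on a relying party that denies sign-ins carrying the x-ms-proxy claim (i.e. external ones) unless the user is in a named group or comes from an allowed address range, then reads back the proxy-dependent extranet lockout settings. The relying party name, the group SID and the 203.0.113.0/24 address range are hypothetical placeholders; the claim type URIs and the cmdlets are the real AD FS ones (run on an AD FS 2012 R2 server with the ADFS module loaded).

```powershell
# Added example (not from the KEMP guide). Assumes an AD FS 2012 R2 server and
# hypothetical values for the relying party name, group SID and office IP range.
Import-Module ADFS

$rpName   = "Example Relying Party"                              # hypothetical display name
$groupSid = "S-1-5-21-1111111111-2222222222-3333333333-1234"     # hypothetical "Remote Users" group SID
$officeIp = '^203\.0\.113\.\d{1,3}$'                              # hypothetical office range (RFC 5737 block)

# Real AD FS claim type URIs used by the rule.
$proxyClaim    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
$clientIpClaim = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip"
$groupClaim    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
$denyClaim     = "http://schemas.microsoft.com/authorization/claims/deny"
$permitClaim   = "http://schemas.microsoft.com/authorization/claims/permit"

# Claim rule language. A request is "external" only if the proxy inserted x-ms-proxy;
# if the load balancer forwards straight to AD FS that claim is never present, the first
# rule never matches, and every sign-in falls through to "Permit everyone else".
# An issued deny claim overrides any permit claim, so rule order does not weaken the check.
$rules = @"
@RuleName = "Deny external sign-ins unless in Remote Users or from the office range"
exists([Type == "$proxyClaim"])
 && NOT exists([Type == "$groupClaim", Value == "$groupSid"])
 && NOT exists([Type == "$clientIpClaim", Value =~ "$officeIp"])
 => issue(Type = "$denyClaim", Value = "true");

@RuleName = "Permit everyone else"
 => issue(Type = "$permitClaim", Value = "true");
"@

# Apply the rule set to the relying party and read it back to confirm.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Extranet lockout (2012 R2) is likewise only evaluated for requests that carry
# x-ms-proxy, so check whether you are relying on it before removing the proxy tier.
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Before adopting the proxy-less topology described above, search every relying party's issuance authorization rules for the x-ms-proxy or x-ms-client-ip claim types (for example, `Get-AdfsRelyingPartyTrust | Where-Object { $_.IssuanceAuthorizationRules -match 'x-ms-' }`); any match is a rule that silently stops applying once the LoadMaster forwards directly to AD FS.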

Overview of AD FS Load Balancing

  1. The internal client tries to access the AD FS-enabled resource.
  2. The client is redirected to the resource's Federation Service (the resource partner).
  3. If the client's organisation is configured as a trusted partner of the resource's Federation Service, the client is redirected to its own organisation's internal Federation Service (the account partner).
  4. The AD FS server authenticates the client against Active Directory.
  5. The AD FS server sends an authorisation cookie to the client. This contains the signed security token and a set of claims intended for the resource partner.
  6. The client connects to the resource partner's Federation Service, where the token signature and the claims are verified. If appropriate, the resource partner issues a new security token of its own.
  7. The client presents the new authorisation cookie, containing that security token, to the resource in order to access it.