  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 191

How do you configure load balancing for AD FS (SSO)?

How do you configure load balancing for Active Directory Federation Services (using SSO)?

...or, is this even desirable?

We are testing out a social media intranet for our company and will be setting up SSO so the end users don't have to log in a second time.

We have two Domain Controllers with Windows Server 2012 Datacenter (not R2).
Do I load AD FS on both DCs or just one? Failover? etc. etc.
Asked by Paul Wagner

3 Solutions

Cliff Galiher commented:
If this is for an intranet, why use ADFS? The purpose of ADFS is for external apps and directories to associate and delegate authentication. Not really an intranet scenario. To do ADFS right, you are talking about at least four servers (and virtualization doesn't help reduce that count in this instance) plus other non-server components such as a load balancer appliance.

Bryant Schaper commented:
Not sure why you would need 4 physical servers, we run adfs virtual for office 365 mainly and it is fine, two proxies and 2 adfs servers. Just some config on the networking side to make it work.

Now the question of benefit depends on the use. If you are using it in a small environment you may just keep good backups of the two servers and restore if needed. We did that for many years.

Paul Wagner (Friend To Robots and Rocks, Author) commented:
This will definitely be for external use. We are testing a social platform that is hosted by another company.

You mentioned two adfs servers and two proxies. Would using load balanced SonicWalls do the trick for the proxy side?

Paul Wagner (Friend To Robots and Rocks, Author) commented:
This will be for about 150 users.

Bryant Schaper commented:
I would think the proxies relay the outside request to the internal servers; they are not even on the domain. As long as you put them in their own VLAN and point them to the NLB address it should work.

Paul Wagner (Friend To Robots and Rocks, Author) commented:
OK, cool. So, two proxies and two adfs servers.
Anything else to consider?
Any good documentation/articles that walk through the process? I couldn't find anything specific like that (granted, my 5 minute Google search could have been longer).

Cliff Galiher commented:
2 adfs proxies (not SONICWALL, but the actual adfs proxy role) and 2 ADFS servers equals....drumroll...4 servers. Precisely what I said.

Paul Wagner (Friend To Robots and Rocks, Author) commented:
So the ADFS proxy is a Windows Server in itself?
Do you know where I can find a walk through on getting everything set up?

Bryant Schaper commented:
Sorry Cliff. I thought you meant that 4 physical servers were required. My mistake. But yes, in an HA config you would have 4 Windows servers: 2 x proxy role and 2 x ADFS role.

Microsoft has some good docs on TechNet.

Cliff Galiher commented:
Realistically you do need four physical servers. The two identical roles (2 x ADFS and 2 x proxy) are for redundancy, so virtualizing and colocating doesn't make any sense, as losing a physical host would lose both instances, defeating the purpose of having two. And colocating the proxy with the ADFS server is bad because the whole point of the proxy is to provide a security barrier. Which means they also shouldn't be run as VMs on the same host. Sharing the same VMBus defeats much (but admittedly not all) of that security.

Microsoft has long said best practice with Hyper-V is to not mingle VMs at different security layers. So don't run so-called "DMZ" machines on hosts that also run "core" domain machines.

So 4 Windows instances, because of what they do, does mean four physical servers. The 4 instances can be VMs, and even run on hosts with other VMs, but not all on the *same* hosts, so your physical count is still 4.

ADFS is really a large enterprise solution and has never been scaled down well. Microsoft simply seems to think Azure AD and password sync is good enough for those who don't want to deploy the massive architecture lift that ADFS represents.

Bryant Schaper commented:
I guess that logic makes sense. I was looking at your comment as four dedicated servers; we have an ESXi farm with full redundancy so the ADFS proxies and servers are on different hosts. All traffic for their VLAN is routed through the firewalls.

Mdlinnett commented:
Don't skimp on the redundancy, if it goes down you're unable to log in at all, so yeah... don't skimp on redundancy :)

Paul Wagner (Friend To Robots and Rocks, Author) commented:
You guys bring up good points.

We have a robust ESXi environment with proper anti-affinity rules, HA and DRS set up so I'm not worried about failover/redundancy.

Since I'm setting this up for 100-150 people, should I not bother setting up ADFS "in house"? We were trying to avoid paying money to a subscription service. Maybe we just make everyone log in manually?

From what I'm reading, ADFS isn't that scary and can be easily set up. I've just never done it before so I was hoping someone might know where I can find a walkthrough.

Cliff Galiher commented:
TechNet has all the docs you need. And it isn't "scary", but it does become an authentication authority, so VM-level HA isn't enough. You really do have a four server minimum and load balancing to make it work well.

If you don't want that level of complexity, yes, outsourcing it (it is often cheaper) or manual logons are both options.

Paul Wagner (Friend To Robots and Rocks, Author) commented:
Topologically, does it look something like this?

Possible ADFS structure??

Bryant Schaper commented:
Yes, but you should have a firewall between your DMZ and internal, plus you have to do a bit of DNS work; it is in the docs. Both DC ADFS on different servers, like you note 3 and 4.

Paul Wagner (Friend To Robots and Rocks, Author) commented:
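The two comments above describe the internal half of this layout without showing it: the two ADFS servers share one NLB address, the proxies in the DMZ point at that address, and internal DNS has to resolve the federation service name to it. The following PowerShell is an added example, not code from this thread or from Microsoft's documentation, that builds that NLB cluster and DNS record on the first internal ADFS node. The host names (adfs01, adfs02, dc01), the VIP 10.0.0.50, the interface name "Ethernet" and the federation service name sts.example.com are all assumptions; replace them with your own values.

```powershell
# Added example (assumed names and addresses throughout): create the NLB VIP
# shared by the two internal ADFS servers and publish it in internal DNS.
# Run from an elevated PowerShell on the first ADFS node (adfs01).
$FederationHost = 'sts.example.com'   # assumed federation service name
$Zone           = 'example.com'       # assumed internal DNS zone
$Label          = 'sts'               # host label inside that zone
$Vip            = '10.0.0.50'         # assumed NLB virtual IP
$Mask           = '255.255.255.0'
$Nic            = 'Ethernet'          # assumed NIC name on both ADFS nodes
$SecondNode     = 'adfs02'            # assumed second ADFS node
$DnsServer      = 'dc01'              # assumed internal DNS server

# 1. NLB feature on this node (repeat on adfs02 before adding it below).
Install-WindowsFeature NLB -IncludeManagementTools

# 2. Create the cluster. Multicast mode avoids the MAC-address problems that
#    unicast NLB causes on many virtual switches, such as an ESXi farm.
New-NlbCluster -InterfaceName $Nic -ClusterName $FederationHost `
    -ClusterPrimaryIP $Vip -SubnetMask $Mask -OperationMode Multicast

# 3. Join the second ADFS server to the cluster.
Add-NlbClusterNode -InterfaceName $Nic -NewNodeName $SecondNode -NewNodeInterface $Nic

# 4. Replace the default "all ports" rule with one that balances only HTTPS.
#    Single affinity keeps one client on one node for the length of a sign-in;
#    nothing other than 443 needs to be reachable on the VIP.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -IP $Vip -StartPort 443 -EndPort 443 `
    -Protocol Tcp -Affinity Single

# 5. Internal DNS: the federation service name must resolve to the VIP, not to
#    either node's own address, so clients and proxies always hit the cluster.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
    -Name $Label -IPv4Address $Vip

# 6. Verify from this node: the name resolves to the VIP and 443 answers on it.
$resolved = (Resolve-DnsName -Name $FederationHost -Server $DnsServer -Type A).IPAddress
if ($resolved -ne $Vip) { throw "$FederationHost resolves to $resolved, expected $Vip" }

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Vip, 443)
    Write-Host "NLB VIP $Vip accepts HTTPS; $FederationHost -> $Vip"
} finally {
    $tcp.Close()
}
```

The DMZ side is deliberately not in the script: the proxies are not domain members, so they resolve sts.example.com to the same VIP through a DMZ DNS server or a hosts entry, and only TCP 443 from the proxy VLAN to the VIP needs to be opened on the firewall between DMZ and internal. External (public) DNS for the same name points at the firewall's public address for the proxies instead, which is the "bit of DNS work" the comment refers to.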
Great info. Thanks for the help and sorry for the delay in closing the question.