Solved

How do you configure load balancing for AD FS (SSO)?

Posted on 2016-07-20
Last Modified: 2016-09-13
How do you configure load balancing for Active Directory Federation Services (using SSO)?

...or, is this even desirable?

We are testing out a social media intranet for our company and will be setting up SSO so the end users don't have to log in a second time.

We have two Domain Controllers with Windows Server 2012 Datacenter (not R2).
Do I load AD FS on both DCs or just one? Failover? etc. etc.
Question by:Paul Wagner
17 Comments

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 41722047
If this is for an intranet, why use ADFS? The purpose of ADFS is for external apps and directories to associate and delegate authentication. Not really an intranet scenario. To do ADFS right, you are talking about at least four servers (and virtualization doesn't help reduce that count in this instance) plus other non-server components such as a load balancer appliance.

Expert Comment

by:Bryant Schaper
ID: 41722154
Not sure why you would need 4 physical servers; we run ADFS virtual for Office 365 mainly and it is fine: two proxies and 2 ADFS servers. Just some config on the networking side to make it work.

Now the question of benefit depends on the use; if you are using it in a small environment you may just keep good backups of the two servers and restore if needed. We did that for many years.

Author Comment

by:Paul Wagner
ID: 41722161
This will definitely be for external use. We are testing a social platform that is hosted by another company.

You mentioned two adfs servers and two proxies. Would using load balanced SonicWalls do the trick for the proxy side?

Author Comment

by:Paul Wagner
ID: 41722162
This will be for about 150 users.

Expert Comment

by:Bryant Schaper
ID: 41722165
I would think the proxies relay the outside request to the internal servers; they are not even on the domain. As long as you put them in their own VLAN and point to the NLB address it should work.

Author Comment

by:Paul Wagner
ID: 41722168
OK, cool. So, two proxies and two adfs servers.
Anything else to consider?
Any good documentation/articles that walk through the process? I couldn't find anything specific like that (granted, my 5 minute Google search could have been longer).

Expert Comment

by:Cliff Galiher
ID: 41722174
2 adfs proxies (not SONICWALL, but the actual adfs proxy role) and 2 ADFS servers equals....drumroll...4 servers. Precisely what I said.

Author Comment

by:Paul Wagner
ID: 41722180
So the ADFS proxy is a Windows Server in itself?
Do you know where I can find a walk through on getting everything set up?

Expert Comment

by:Bryant Schaper
ID: 41722992
Sorry Cliff. I thought you meant that 4 physical servers were required. My mistake. But yes, in an HA config you would have 4 Windows servers: 2 x proxy role and 2 x ADFS role.

Microsoft has some good docs on technet

Accepted Solution

by:Cliff Galiher
Cliff Galiher earned 300 total points
ID: 41723357
Realistically you do need four physical servers. The two identical roles (2xADFS and 2xproxy) are for redundancy, so virtualizing and colocating doesn't make any sense, as losing a physical host would lose both instances, defeating the purpose of having two. And colocating the proxy with the ADFS server is bad because the whole point of the proxy is to provide a security barrier. Which means they also shouldn't be run as VMs on the same host. Sharing the same VMBus defeats much (but admittedly not all) of that security.

Microsoft has long said best practice with Hyper-V is to not mingle VMs at different security layers. So don't run so-called "DMZ" machines on hosts that also run "core" domain machines.

So 4 Windows instances, because of what they do, does mean four physical servers. The 4 instances can be VMs, and even run on hosts with other VMs, but not all on the *same* hosts, so your physical count is still 4.

ADFS is really a large enterprise solution and has never been scaled down well. Microsoft simply seems to think Azure AD and password sync is good enough for those who don't want to deploy the massive architecture lift that ADFS represents.

Expert Comment

by:Bryant Schaper
ID: 41723390
I guess that logic makes sense. I was looking at your comment as four dedicated servers; we have an ESXi farm with full redundancy so the ADFS proxies and servers are on different hosts. All traffic for their VLAN is routed through the firewalls.

Expert Comment

by:Mdlinnett
ID: 41723854
Don't skimp on the redundancy, if it goes down you're unable to log in at all, so yeah... don't skimp on redundancy :)

Author Comment

by:Paul Wagner
ID: 41725250
You guys bring up good points.

We have a robust ESXi environment with proper anti-affinity rules, HA and DRS set up so I'm not worried about failover/redundancy.

Since I'm setting this up for 100-150 people, should I not bother setting up ADFS "in house"? We were trying to avoid paying money to a subscription service. Maybe we just make everyone log in manually?

From what I'm reading, ADFS isn't that scary and can be easily set up. I've just never done it before so I was hoping someone might know where I can find a walkthrough.

Expert Comment

by:Cliff Galiher
ID: 41725276
Technet has all the docs you need. And it isn't "scary", but it does become an authentication authority, so VM-level HA isn't enough. You really do have a four-server minimum and load balancing to make it work well.

If you don't want that level of complexity, then yes, outsourcing it (it is often cheaper) or manual logons are both options.

Author Comment

by:Paul Wagner
ID: 41725347
Topologically, does it look something like this?

[Attached image: "Possible ADFS structure??"]

Assisted Solution

by:Bryant Schaper
Bryant Schaper earned 200 total points
ID: 41725353
Yes, but you should have a firewall between your DMZ and internal, plus you have to do a bit of DNS work; it is in the docs. Both DC ADFS on different servers, like you note 3 and 4.
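The four-box layout the thread settles on (two domain-joined AD FS farm nodes behind an internal load balancer, two workgroup proxies in the DMZ behind a public one, a firewall between the two, split DNS for one service name, and no two copies of a role on the same physical host), as an added PowerShell example that is not code from any poster. It uses the Windows Server 2012 R2 cmdlets (AD FS 3.0 and Web Application Proxy); the thread's servers are plain 2012, whose AD FS 2.1 ships the older "Federation Service Proxy" role service and a configuration wizard instead, so the install steps need translating there while the DNS, sync and anti-affinity checks apply either way. Every name is an assumption: sts.contoso.com, adfs01/adfs02, wap01/wap02, the 10.0.1.50 internal VIP, the 10.0.1.10 internal DNS server, the CONTOSO\svc-adfs service account and the vSphere clusters 'Prod' and 'DMZ'.

```powershell
# Added example, not code from the thread. Builds the 2 x AD FS + 2 x proxy layout
# discussed above on Windows Server 2012 R2 and then runs the checks to do before
# trusting the load balancer. Every name below is an assumption:
#   sts.contoso.com     federation service name (same name inside and outside)
#   adfs01 / adfs02     domain-joined farm nodes, internal VIP 10.0.1.50
#   wap01 / wap02       workgroup proxies in the DMZ, behind the public VIP
#   CONTOSO\svc-adfs    AD FS service account; 10.0.1.10 is an internal DNS server
# The sts.contoso.com TLS certificate (thumbprint in $Thumb) must already be in
# LocalMachine\My on all four servers. Run the switch block once on each box.

$FsName = 'sts.contoso.com'
$Thumb  = 'REPLACE-WITH-CERT-THUMBPRINT'
$Cred   = Get-Credential 'CONTOSO\svc-adfs'

switch ($env:COMPUTERNAME.ToUpper()) {

    # Step 1: the first node creates the farm (WID configuration database by default)
    'ADFS01' {
        Install-WindowsFeature ADFS-Federation -IncludeManagementTools
        Install-AdfsFarm -CertificateThumbprint $Thumb `
                         -FederationServiceName $FsName `
                         -ServiceAccountCredential $Cred
    }

    # Step 2: the second node joins and replicates configuration from the primary
    'ADFS02' {
        Install-WindowsFeature ADFS-Federation -IncludeManagementTools
        Add-AdfsFarmNode -PrimaryComputerName 'adfs01.corp.contoso.com' `
                         -CertificateThumbprint $Thumb `
                         -ServiceAccountCredential $Cred
    }

    # Step 3: each DMZ proxy. Not domain-joined, and it must reach the *internal*
    # VIP for sts.contoso.com, not the public one, so pin that in the hosts file
    # rather than trusting whatever DNS the DMZ segment sees.
    { $_ -in 'WAP01', 'WAP02' } {
        Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
                    -Value "10.0.1.50`t$FsName"
        Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
        # The credential is used once, to establish the proxy trust (a client
        # certificate); it is not stored on the DMZ box.
        Install-WebApplicationProxy -FederationServiceTrustCredential $Cred `
                                    -CertificateThumbprint $Thumb `
                                    -FederationServiceName $FsName
    }
}

# ---- Checks, from an internal admin workstation with the AD FS tools installed ----

# 1. Split DNS: internal resolvers hand out the internal VIP, public resolvers the
#    proxy VIP. Same name, two answers, on purpose.
$inside  = (Resolve-DnsName $FsName -Type A -Server 10.0.1.10).IPAddress
$outside = (Resolve-DnsName $FsName -Type A -Server 8.8.8.8).IPAddress
"$FsName resolves to $inside inside and $outside outside"

# 2. Farm sync: a secondary that stopped pulling config from the primary still
#    answers the balancer, with stale claim rules and (eventually) stale certs.
Invoke-Command -ComputerName adfs01, adfs02 -ScriptBlock {
    Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus
}

# 3. Health probe: every farm node and proxy answers GET /adfs/probe on plain
#    port 80 with 200 while its service runs. Point each balancer's monitor at
#    this URL so a dead node is taken out of the VIP instead of receiving logons.
foreach ($node in 'adfs01', 'adfs02', 'wap01', 'wap02') {
    try   { $code = (Invoke-WebRequest -Uri "http://$node/adfs/probe" -UseBasicParsing -TimeoutSec 5).StatusCode }
    catch { $code = "DOWN: $($_.Exception.Message)" }
    '{0,-7} /adfs/probe -> {1}' -f $node, $code
}

# 4. The redundancy only counts if the two copies of a role never share a physical
#    host, and DMZ VMs do not share hosts with "core" VMs. On vSphere that is a DRS
#    anti-affinity rule per pair; this part needs PowerCLI and runs against vCenter.
#    Cluster names 'Prod' and 'DMZ' are assumptions.
New-DrsRule -Cluster (Get-Cluster 'Prod') -Name 'adfs-nodes-apart' -KeepTogether $false -VM (Get-VM adfs01, adfs02)
New-DrsRule -Cluster (Get-Cluster 'DMZ')  -Name 'wap-nodes-apart'  -KeepTogether $false -VM (Get-VM wap01, wap02)
```

The firewall rule set this implies is small: the public balancer forwards 443 to the proxies; the proxies need 443 to the internal VIP and nothing else inbound from the DMZ; the farm nodes talk to the DCs and to each other (WID sync uses the primary's HTTP port 80 by default). If the probe check shows the proxies reachable but sync failing, the secondary is the node to pull from the VIP first.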

Author Closing Comment

by:Paul Wagner
ID: 41796256
Great info. Thanks for the help and sorry for the delay in closing the question.