Educause Security Discussion mailing list archives

Re: ADFS Experience


From: Miguel Angel Gonzalez de la Torre <mglez () ITESM MX>
Date: Tue, 21 Oct 2014 20:16:12 +0000

Greetings Kevin.
We are implementing our test environment for a DRP of ADFS, but in another data center that we have.
For high availability we have a farm of ADFS servers and proxies and a cluster for the database, since we manage more than
100,000 users.

Could you share your results of the azure test?
Thanks in advance.

Ing. Miguel Angel González de la Torre, MCC
Director of Information Security
Information Technology Directorate
Contact me via Lync<sip:mglez () itesm mx>

Instituto Tecnológico y de Estudios Superiores de Monterrey
Tel.: 52 (81) 8158 2000, ext. 2936. Fax: 81 81582287
Intercampus link: 80-689-2936.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Halgren
Sent: Tuesday, October 21, 2014 3:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS Experience

ADFS 3.0 is supposed to add a self-service password reset, though ADFS 3.0 and ADFS 2.0 seem to be fundamentally very 
different so I don’t know how much experience in ADFS 2.0 will translate.

We plan on putting up a self-service password reset through FIM, but because we had an immediate need when going live 
with Office 365, we set up a server using PWM (https://code.google.com/p/pwm/) which has worked quite well in the 
interim.

We set up ADFS 2.0 with our Office 365 instance.  One of the challenges, at least in 2.0, is high availability.  
Basically, if you want high availability you’re going to have to put a load balancer in front of your ADFS servers.  The 
built-in software load balancer they ask you to configure in Windows isn’t very good, and we’ve found it’s absolutely 
not VM friendly, and certainly doesn’t give you much in terms of high availability.  The Microsoft Exchange Team 
actually advises against using it in Exchange (the article is a bit dated, but given our experience it is still reasonably valid: 
http://www.stevieg.org/2010/11/exchange-team-no-longer-recommend-windows-nlb-for-client-access-server-load-balancing/ ).

I’m working on building an ADFS stack in Azure as a test to give us some capability for continued access if our site 
link goes down.  That includes a Read-Only DC, an ADFS server, and an ADFS proxy, all in a restricted private virtual 
network connected to ours via a VPN link.  Of course we’ll lock the systems down tight, encrypt storage, and ensure 
that only the ADFS proxy’s external IP address and port 443 are Internet accessible.
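Putting a load balancer in front of the farm, as Kevin describes above, is only half of the problem: the load balancer also needs a health check that tells it when a node is actually serving the federation service, not merely answering on TCP 443. The script below is an added example written for this archive page, not code from the thread or from Microsoft. It probes each farm member at its own address, but performs the TLS handshake and the HTTP request against the farm name, so it validates the certificate and the federation metadata exactly as a client arriving through the VIP would. The farm name `sts.example.edu` and the node addresses are hypothetical placeholders; the metadata path and the default `http://<farm>/adfs/services/trust` federation service identifier are standard ADFS values.

```powershell
# Added example (not from the thread): per-node health probe for an ADFS farm behind a load balancer.
# Works against ADFS 2.0 or 3.0 nodes; needs Windows PowerShell 3.0 or later.

function Test-AdfsNode {
    param(
        [Parameter(Mandatory)] [string] $NodeAddress,  # IP or hostname of one farm member (not the VIP)
        [Parameter(Mandatory)] [string] $FarmFqdn,     # federation service name on the SSL certificate
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        Node = $NodeAddress; Reachable = $false; TlsOk = $false; CertSubject = $null
        CertExpires = $null; HttpStatus = $null; Healthy = $false; Error = $null
    }
    $script:lastSslErrors = $null
    $script:lastCert = $null
    # The callback only records what .NET decided; the pass/fail decision is made below,
    # so a bad certificate is reported rather than silently accepted.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:lastSslErrors = $errors
        $script:lastCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($NodeAddress, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${NodeAddress}:$Port timed out"
        }
        $tcp.EndConnect($async)
        $result.Reachable = $true

        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.ReadTimeout = $TimeoutMs
        $ssl.WriteTimeout = $TimeoutMs
        # Validate the certificate against the farm name, not the node address we connected to.
        $ssl.AuthenticateAsClient($FarmFqdn)
        $result.CertSubject = $script:lastCert.Subject
        $result.CertExpires = $script:lastCert.NotAfter
        $result.TlsOk = ($script:lastSslErrors -eq [System.Net.Security.SslPolicyErrors]::None) -and
                        ($script:lastCert.NotAfter -gt (Get-Date).AddDays(14))   # warn two weeks before expiry

        # Request the federation metadata with the farm's Host header, as a real client would.
        $request = "GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1`r`n" +
                   "Host: $FarmFqdn`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $statusLine = $reader.ReadLine()
        if ($statusLine -match '^HTTP/1\.[01] (\d{3})') { $result.HttpStatus = [int]$Matches[1] }
        $body = $reader.ReadToEnd()

        # A node is healthy only if TLS is clean, the service answered 200, and the metadata
        # names this farm (catches a load balancer pointed at the wrong backend).
        $expectedId = [regex]::Escape("http://$FarmFqdn/adfs/services/trust")
        $result.Healthy = $result.TlsOk -and ($result.HttpStatus -eq 200) -and ($body -match $expectedId)
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Hypothetical farm: replace with your federation service name and the node addresses behind the VIP.
$farm  = 'sts.example.edu'
$nodes = '10.0.10.11', '10.0.10.12'
$report = $nodes | ForEach-Object { Test-AdfsNode -NodeAddress $_ -FarmFqdn $farm }
$report | Format-Table Node, Reachable, TlsOk, HttpStatus, CertExpires, Healthy, Error -AutoSize
if ($report | Where-Object { -not $_.Healthy }) { exit 1 }   # non-zero exit for a monitoring job
```

Run it from a monitoring host on the internal network (the farm members are not Internet facing; only the proxies should be). The same three conditions, clean TLS against the farm name, HTTP 200 on the metadata URL, and the expected entity ID in the body, are what you would configure as the HTTPS health probe on the hardware or virtual load balancer that replaces Windows NLB, so a node with a lapsed certificate or a stopped ADFS service is pulled from rotation instead of failing logins.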

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ryan 
Hiebert
Sent: Tuesday, October 21, 2014 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ADFS Experience

I’ve been away from the management of it for a while, but I set up ADFS with office 365, and it worked OK. There’s no 
self-service account reset, etc, with ADFS, which was one of the main features that I personally found lacking. I found 
attempting to customize ADFS to be quite difficult, and I never was able to do it, though admittedly I wasn’t able to 
put as much into trying as I would have liked.

On Oct 21, 2014, at 10:03 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU<mailto:tcarter () AUSTINCOLLEGE EDU>> wrote:

We are looking at implementing ADFS for use with both Office 365 as well as on-site Sharepoint 2013 (with Ellucian 
Portal more specifically). I’m looking for input from anyone who has implemented ADFS for either/both of those and what 
their experience has been. I’m also interested in the on-going maintenance and problems experienced managing ADFS.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564