Dec 01, 2016. The new HTML5 client capability supports neither the Azure AD Application Proxy nor the AD FS Web Application Proxy, which is mind-boggling. It's not all darkness though: RDS MI, in preview, is the key to solving this (or so it seems), since it aims to bridge the gap between legacy logon (RDS) and modern (conditional access/MFA etc.).
Tight integration with Azure: Application Gateway is integrated with several Azure services. Azure Traffic Manager supports multiple-region redirection, automatic failover, and zero-downtime maintenance. Use Azure Virtual Machines, virtual machine scale sets, or the Web Apps feature of Azure App Service in your back-end pools.
- Internet Facing Load Balancer
- High Availability Cross-geographic AD FS Deployment In Azure With Azure Traffic Manager
This reference architecture implements a secure hybrid network that extends your on-premises network to Azure and uses Active Directory Federation Services (AD FS) to perform federated authentication and authorization for components running in Azure. Deploy this solution.
Download a Visio file of this architecture.
AD FS can be hosted on-premises, but if your application is a hybrid in which some parts are implemented in Azure, it may be more efficient to replicate AD FS in the cloud.
The diagram shows the following scenarios:
- Application code from a partner organization accesses a web application hosted inside your Azure VNet.
- An external, registered user with credentials stored inside Active Directory Domain Services (DS) accesses a web application hosted inside your Azure VNet.
- A user connected to your VNet using an authorized device executes a web application hosted inside your Azure VNet.
Typical uses for this architecture include:
- Hybrid applications where workloads run partly on-premises and partly in Azure.
- Solutions that use federated authorization to expose web applications to partner organizations.
- Systems that support access from web browsers running outside of the organizational firewall.
- Systems that enable users to access web applications by connecting from authorized external devices such as remote computers, notebooks, and other mobile devices.
This reference architecture focuses on passive federation, in which the federation servers decide how and when to authenticate a user. The user provides sign-in information when the application is started. This mechanism is most commonly used by web browsers and involves a protocol that redirects the browser to a site where the user authenticates. AD FS also supports active federation, where an application takes on responsibility for supplying credentials without further user interaction, but that scenario is outside the scope of this architecture.
For additional considerations, see Choose a solution for integrating on-premises Active Directory with Azure.
Architecture
This architecture extends the implementation described in Extending AD DS to Azure. It contains the following components.
- AD DS subnet. The AD DS servers are contained in their own subnet with network security group (NSG) rules acting as a firewall.
- AD DS servers. Domain controllers running as VMs in Azure. These servers provide authentication of local identities within the domain.
- AD FS subnet. The AD FS servers are located within their own subnet with NSG rules acting as a firewall.
- AD FS servers. The AD FS servers provide federated authorization and authentication. In this architecture, they perform the following tasks:
- Receiving security tokens containing claims made by a partner federation server on behalf of a partner user. AD FS verifies that the tokens are valid before passing the claims to the web application running in Azure to authorize requests. The application running in Azure is the relying party. The partner federation server must issue claims that are understood by the web application. The partner federation servers are referred to as account partners, because they submit access requests on behalf of authenticated accounts in the partner organization. The AD FS servers are called resource partners because they provide access to resources (the web application).
- Authenticating and authorizing incoming requests from external users running a web browser or device that needs access to web applications, by using AD DS and the Active Directory Device Registration Service.
The AD FS servers are configured as a farm accessed through an Azure load balancer. This implementation improves availability and scalability. The AD FS servers are not exposed directly to the Internet. All Internet traffic is filtered through AD FS web application proxy servers and a DMZ (also referred to as a perimeter network). For more information about how AD FS works, see Active Directory Federation Services Overview. Also, the article AD FS deployment in Azure contains a detailed step-by-step introduction to implementation.
- AD FS proxy subnet. The AD FS proxy servers can be contained within their own subnet, with NSG rules providing protection. The servers in this subnet are exposed to the Internet through a set of network virtual appliances that provide a firewall between your Azure virtual network and the Internet.
- AD FS web application proxy (WAP) servers. These VMs act as AD FS servers for incoming requests from partner organizations and external devices. The WAP servers act as a filter, shielding the AD FS servers from direct access from the Internet. As with the AD FS servers, deploying the WAP servers in a farm with load balancing gives you greater availability and scalability than deploying a collection of stand-alone servers.
Note
For detailed information about installing WAP servers, see Install and Configure the Web Application Proxy Server.
- Partner organization. A partner organization running a web application that requests access to a web application running in Azure. The federation server at the partner organization authenticates requests locally, and submits security tokens containing claims to AD FS running in Azure. AD FS in Azure validates the security tokens, and if valid can pass the claims to the web application running in Azure to authorize them.
Note
You can also configure a VPN tunnel using Azure gateway to provide direct access to AD FS for trusted partners. Requests received from these partners do not pass through the WAP servers.
Recommendations
The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.
Networking recommendations
Configure the network interface for each of the VMs hosting AD FS and WAP servers with static private IP addresses.
Do not give the AD FS VMs public IP addresses. For more information, see the Security considerations section.
Set the IP address of the preferred and secondary domain name service (DNS) servers for the network interfaces for each AD FS and WAP VM to reference the Active Directory DS VMs. The Active Directory DS VMs should be running DNS. This step is necessary to enable each VM to join the domain.
AD FS installation
The article Deploying a Federation Server Farm provides detailed instructions for installing and configuring AD FS. Perform the following tasks before configuring the first AD FS server in the farm:
- Obtain a publicly trusted certificate for performing server authentication. The subject name must contain the name clients use to access the federation service. This can be the DNS name registered for the load balancer, for example, adfs.contoso.com (avoid using wildcard names such as *.contoso.com, for security reasons). Use the same certificate on all AD FS server VMs. You can purchase a certificate from a trusted certification authority, but if your organization uses Active Directory Certificate Services you can create your own. The subject alternative name is used by the device registration service (DRS) to enable access from external devices. This should be of the form enterpriseregistration.contoso.com. For more information, see Obtain and Configure a Secure Sockets Layer (SSL) Certificate for AD FS.
- On the domain controller, generate a new root key for the Key Distribution Service. Set the effective time to the current time minus 10 hours (this configuration reduces the delay that can occur in distributing and synchronizing keys across the domain). This step is necessary to support creating the group service account that is used to run the AD FS service. The following PowerShell command shows an example of how to do this:
- Add each AD FS server VM to the domain.
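The KDS root key step above, worked through as an added PowerShell example; this is not the article's own command. It assumes it is run on a domain controller with the ActiveDirectory module present, and the gMSA name adfsgmsa and the group ADFS-Servers (holding the AD FS VM computer accounts) are placeholder names.

```powershell
# Added example, not the article's own code. Run on a domain controller.
Import-Module ActiveDirectory

# 1. Create the KDS root key that group managed service accounts depend on.
#    The effective time is set 10 hours in the past so every domain controller
#    treats the key as already valid and the gMSA can be created without
#    waiting for the normal key distribution delay.
$keyId = Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

# 2. Confirm the key is usable from this DC before going further.
if (-not (Test-KdsRootKey -KeyId $keyId)) {
    throw "KDS root key $keyId is not usable yet; wait for replication and retry."
}

# 3. Create the group managed service account that will run the AD FS service.
#    Only members of ADFS-Servers (assumed group of AD FS computer accounts)
#    may retrieve its password, so a compromised WAP or web-tier host cannot
#    obtain the credential the federation service runs under.
New-ADServiceAccount -Name 'adfsgmsa' `
    -DNSHostName 'adfs.contoso.com' `
    -ServicePrincipalNames 'host/adfs.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ADFS-Servers'

# 4. Sanity check: the account exists, is a gMSA, and has the expected
#    password-retrieval principals.
Get-ADServiceAccount -Identity 'adfsgmsa' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword
```

The back-dated effective time is only appropriate for a freshly created key; it exists to avoid the wait, not to change which key is trusted. Restricting PrincipalsAllowedToRetrieveManagedPassword to the AD FS servers' own group is what keeps the service credential off every other domain-joined host.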
Note
To install AD FS, the domain controller running the primary domain controller (PDC) emulator flexible single master operation (FSMO) role for the domain must be running and accessible from the AD FS VMs.
AD FS trust
Establish federation trust between your AD FS installation, and the federation servers of any partner organizations. Configure any claims filtering and mapping required.
- DevOps staff at each partner organization must add a relying party trust for the web applications accessible through your AD FS servers.
- DevOps staff in your organization must configure claims-provider trust to enable your AD FS servers to trust the claims that partner organizations provide.
- DevOps staff in your organization must also configure AD FS to pass claims on to your organization's web applications.
For more information, see Establishing Federation Trust.
Publish your organization's web applications and make them available to external partners by using preauthentication through the WAP servers. For more information, see Publish Applications using AD FS Preauthentication.
AD FS supports token transformation and augmentation. Azure Active Directory does not provide this feature. With AD FS, when you set up the trust relationships, you can:
- Configure claim transformations for authorization rules. For example, you can map group security from a representation used by a non-Microsoft partner organization to something that Active Directory DS can authorize in your organization.
- Transform claims from one format to another. For example, you can map from SAML 2.0 to SAML 1.1 if your application only supports SAML 1.1 claims.
AD FS monitoring
The Microsoft System Center Management Pack for Active Directory Federation Services 2012 R2 provides both proactive and reactive monitoring of your AD FS deployment for the federation server. This management pack monitors:
- Events that the AD FS service records in its event logs.
- The performance data that the AD FS performance counters collect.
- The overall health of the AD FS system and web applications (relying parties), and provides alerts for critical issues and warnings.
Scalability considerations
The following considerations, summarized from the article Plan your AD FS deployment, give a starting point for sizing AD FS farms:
- If you have fewer than 1000 users, do not create dedicated servers, but instead install AD FS on each of the Active Directory DS servers in the cloud. Make sure that you have at least two Active Directory DS servers to maintain availability. Create a single WAP server.
- If you have between 1000 and 15000 users, create two dedicated AD FS servers and two dedicated WAP servers.
- If you have between 15000 and 60000 users, create between three and five dedicated AD FS servers and at least two dedicated WAP servers.
These considerations assume that you are using dual quad-core VM (Standard D4_v2, or better) sizes in Azure.
If you are using the Windows Internal Database to store AD FS configuration data, you are limited to eight AD FS servers in the farm. If you anticipate that you will need more in the future, use SQL Server. For more information, see The Role of the AD FS Configuration Database.
Availability considerations
Create an AD FS farm with at least two servers to increase availability of the service. Use different storage accounts for each AD FS VM in the farm. This approach helps to ensure that a failure in a single storage account does not make the entire farm inaccessible.
Create separate Azure availability sets for the AD FS and WAP VMs. Ensure that there are at least two VMs in each set. Each availability set must have at least two update domains and two fault domains.
Configure the load balancers for the AD FS VMs and WAP VMs as follows:
- Use an Azure load balancer to provide external access to the WAP VMs, and an internal load balancer to distribute the load across the AD FS servers in the farm.
- Only pass traffic appearing on port 443 (HTTPS) to the AD FS/WAP servers.
- Give the load balancer a static IP address.
- Create a health probe using HTTP against /adfs/probe. For more information, see Hardware Load Balancer Health Checks and Web Application Proxy / AD FS 2012 R2.
Note
AD FS servers use the Server Name Indication (SNI) protocol, so attempting to probe using an HTTPS endpoint from the load balancer fails.
- Add a DNS A record to the domain for the AD FS load balancer. Specify the IP address of the load balancer, and give it a name in the domain (such as adfs.contoso.com). This is the name clients and the WAP servers use to access the AD FS server farm.
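The load balancer configuration described in the list above (static front end, HTTP probe on /adfs/probe, a single 443 rule, and the DNS A record), as an added example using the Az PowerShell module; it is not the article's own code or the GitHub deployment's scripts. Resource names, the 10.0.5.10 front-end address, the AD DS DNS server name and the second farm member name are assumptions.

```powershell
# Added example, not the article's own code. Names and addresses are assumed.
$rg  = 'rg-adfs'
$loc = 'eastus'
$vnet       = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$adfsSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'adfs-subnet'
$lbIp       = '10.0.5.10'   # assumed static private IP for the internal balancer

# Internal front end with a static private IP; adfs.contoso.com will resolve here.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'adfs-frontend' `
    -PrivateIpAddress $lbIp -Subnet $adfsSubnet
$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'adfs-farm-pool'

# Probe over plain HTTP against /adfs/probe. The balancer cannot present SNI,
# so a TLS probe against 443 would fail; AD FS answers the probe on port 80.
$probe = New-AzLoadBalancerProbeConfig -Name 'adfs-probe' -Protocol Http -Port 80 `
    -RequestPath '/adfs/probe' -IntervalInSeconds 15 -ProbeCount 2

# The only rule: TCP 443 in, TCP 443 out. TLS is terminated by AD FS itself,
# so the balancer never handles the certificate or the tokens.
$rule = New-AzLoadBalancerRuleConfig -Name 'adfs-https' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe

New-AzLoadBalancer -ResourceGroupName $rg -Name 'lb-adfs-internal' -Location $loc `
    -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $pool `
    -Probe $probe -LoadBalancingRule $rule | Out-Null

# DNS A record for the farm name, pointing at the balancer's static IP.
# $dnsServer is an assumed name for one of the AD DS VMs running DNS.
$dnsServer = 'ra-adfs-ad-vm1'
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName 'contoso.com' `
    -Name 'adfs' -IPv4Address $lbIp

# Check each farm member the same way the balancer does: HTTP 200 on
# /adfs/probe means the federation service is up on that node.
function Test-AdfsProbe {
    param([string[]]$Server)
    foreach ($s in $Server) {
        try {
            $r = Invoke-WebRequest -Uri "http://$s/adfs/probe" -UseBasicParsing -TimeoutSec 5
            [pscustomobject]@{ Server = $s; Status = $r.StatusCode; Healthy = ($r.StatusCode -eq 200) }
        } catch {
            [pscustomobject]@{ Server = $s; Status = 'no response'; Healthy = $false }
        }
    }
}
# Second VM name is assumed; the article names only ra-adfs-adfs-vm1.
Test-AdfsProbe -Server 'ra-adfs-adfs-vm1', 'ra-adfs-adfs-vm2'
```

Run Test-AdfsProbe from the jumpbox or another VM inside the VNet: a node that reports anything other than 200 will be taken out of rotation by the balancer, which is usually the first visible symptom of a stopped AD FS service or an NSG that blocks port 80 from the AzureLoadBalancer source.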
You can use either SQL Server or the Windows Internal Database to hold AD FS configuration information. The Windows Internal Database provides basic redundancy. Changes are written directly to only one of the AD FS databases in the AD FS cluster, while the other servers use pull replication to keep their databases up to date. Using SQL Server can provide full database redundancy and high availability using failover clustering or mirroring.
Manageability considerations
DevOps staff should be prepared to perform the following tasks:
- Managing the federation servers, including managing the AD FS farm, managing trust policy on the federation servers, and managing the certificates used by the federation services.
- Managing the WAP servers including managing the WAP farm and certificates.
- Managing web applications including configuring relying parties, authentication methods, and claims mappings.
- Backing up AD FS components.
Security considerations
AD FS uses HTTPS, so make sure that the NSG rules for the subnet containing the web tier VMs permit HTTPS requests. These requests can originate from the on-premises network, the subnets containing the web tier, business tier, data tier, private DMZ, public DMZ, and the subnet containing the AD FS servers.
Prevent direct exposure of the AD FS servers to the Internet. AD FS servers are domain-joined computers that have full authorization to grant security tokens. If a server is compromised, a malicious user can issue full access tokens to all web applications and to all federation servers that are protected by AD FS. If your system must handle requests from external users not connecting from trusted partner sites, use WAP servers to handle these requests. For more information, see Where to Place a Federation Server Proxy.
Place AD FS servers and WAP servers in separate subnets with their own firewalls. You can use NSG rules to define firewall rules. All firewalls should allow traffic on port 443 (HTTPS).
Restrict direct sign-in access to the AD FS and WAP servers. Only DevOps staff should be able to connect. Do not join the WAP servers to the domain.
Consider using a set of network virtual appliances that logs detailed information on traffic traversing the edge of your virtual network for auditing purposes.
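The subnet firewall rules this section calls for (HTTPS only, no Internet exposure, administrative sign-in restricted to DevOps), expressed as an NSG for the AD FS subnet with the Az PowerShell module. This is an added example, not the article's or the deployment's own code; all address ranges and resource names are assumptions (10.0.5.0/24 AD FS, 10.0.6.0/24 WAP, 10.0.7.0/24 web tier, 10.0.8.0/24 jumpbox).

```powershell
# Added example, not the article's own code. Ranges and names are assumed.
$rg  = 'rg-adfs'
$loc = 'eastus'
$adfsSubnet = '10.0.5.0/24'
$wapSubnet  = '10.0.6.0/24'
$webSubnet  = '10.0.7.0/24'
$jumpSubnet = '10.0.8.0/24'

$rules = @(
    # Application traffic: HTTPS from the WAP farm and from the web tier only.
    New-AzNetworkSecurityRuleConfig -Name 'allow-https-wap' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $wapSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $adfsSubnet -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'allow-https-web' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $webSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $adfsSubnet -DestinationPortRange 443
    # Farm members talk to each other (configuration database sync); keep the
    # subnet's own traffic on 80/443 allowed because the deny rule below
    # overrides the platform's default AllowVnetInBound rule.
    New-AzNetworkSecurityRuleConfig -Name 'allow-farm-internal' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adfsSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $adfsSubnet -DestinationPortRange @('80', '443')
    # The internal load balancer probes /adfs/probe over HTTP on port 80.
    New-AzNetworkSecurityRuleConfig -Name 'allow-lb-probe' -Priority 130 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix $adfsSubnet -DestinationPortRange 80
    # Administrative sign-in only from the jumpbox subnet.
    New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-jumpbox' -Priority 200 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $jumpSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $adfsSubnet -DestinationPortRange 3389
    # Explicit catch-all so nothing else reaches the farm, including traffic
    # via any public IP that is later attached to a VM by mistake.
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-adfs' -SecurityRules $rules

# Attach the NSG to the AD FS subnet and save the VNet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'adfs-subnet' `
    -AddressPrefix $adfsSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the effective rule set, highest priority first.
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

The WAP subnet gets its own NSG with the same shape but an Internet-facing 443 allow in place of the WAP and web-tier rules. The explicit deny at priority 4000 is the important part: without it, the platform's default rules would still admit any VNet traffic and the "HTTPS only" intent would not actually be enforced.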
DevOps considerations
For DevOps considerations, see DevOps: Extending Active Directory Domain Services (AD DS) to Azure.
Cost considerations
Use the Azure pricing calculator to estimate costs. Other considerations are described in the Cost section in Microsoft Azure Well-Architected Framework.
Here are cost considerations for the services used in this architecture.
AD Domain Services
Consider having Active Directory Domain Services as a shared service that is consumed by multiple workloads to lower costs. For more information, see Active Directory Domain Services pricing.
Azure AD Federation Services
For information about the editions offered by Azure Active Directory, see Azure AD pricing. The AD Federation Services feature is available in all editions.
Deploy the solution
A deployment for this architecture is available on GitHub. Note that the entire deployment can take up to two hours, which includes creating the VPN gateway and running the scripts that configure Active Directory and AD FS.
Prerequisites
- Clone, fork, or download the zip file for the GitHub repository.
- Install Azure CLI 2.0.
- Install the Azure building blocks npm package.
- From a command prompt, bash prompt, or PowerShell prompt, sign into your Azure account as follows:
Deploy the simulated on-premises datacenter
- Navigate to the adfs folder of the GitHub repository.
- Open the onprem.json file. Search for instances of adminPassword, Password, and SafeModeAdminPassword and update the passwords.
- Run the following command and wait for the deployment to finish:
Deploy the Azure infrastructure
- Open the azure.json file. Search for instances of adminPassword and Password and add values for the passwords.
- Run the following command and wait for the deployment to finish:
Set up the AD FS farm
- Open the adfs-farm-first.json file. Search for AdminPassword and replace the default password.
- Run the following command:
- Open the adfs-farm-rest.json file. Search for AdminPassword and replace the default password.
- Run the following command and wait for the deployment to finish:
Configure AD FS (part 1)
- Open a remote desktop session to the VM named ra-adfs-jb-vm1, which is the jumpbox VM. The user name is testuser.
- From the jumpbox, open a remote desktop session to the VM named ra-adfs-proxy-vm1. The private IP address is 10.0.6.4.
- From this remote desktop session, run the PowerShell ISE.
- In PowerShell, navigate to the following directory:
- Paste the following code into a script pane and run it:
At the Get-Credential prompt, enter the password that you specified in the deployment parameter file.
- Run the following command to monitor the progress of the DSC configuration:
It can take several minutes to reach consistency. During this time, you may see errors from the command. When the configuration succeeds, the output should look similar to the following:
Configure AD FS (part 2)
- From the jumpbox, open a remote desktop session to the VM named ra-adfs-proxy-vm2. The private IP address is 10.0.6.5.
- From this remote desktop session, run the PowerShell ISE.
- Navigate to the following directory:
- Paste the following in a script pane and run the script:
At the Get-Credential prompt, enter the password that you specified in the deployment parameter file.
- Run the following command to monitor the progress of the DSC configuration:
It can take several minutes to reach consistency. During this time, you may see errors from the command. When the configuration succeeds, the output should look similar to the following:
Sometimes this DSC fails. If the status check shows Status=Failure and Type=Consistency, try re-running step 4.
Sign into AD FS
- From the jumpbox, open a remote desktop session to the VM named ra-adfs-adfs-vm1. The private IP address is 10.0.5.4.
- Follow the steps in Enable the Idp-Initiated Sign on page to enable the sign-on page.
- From the jumpbox, browse to https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.htm. You may receive a certificate warning that you can ignore for this test.
- Verify that the Contoso Corporation sign-in page appears. Sign in as contoso\testuser.
Internet Facing Load Balancer
In this article, you add a custom health probe to an existing application gateway through the Azure portal. Using the health probes, Azure Application Gateway monitors the health of the resources in the back-end pool.
Before you begin
If you do not already have an application gateway, visit Create an Application Gateway to create an application gateway to work with.
Create probe for Application Gateway v2 SKU
Probes are configured in a two-step process through the portal. The first step is to enter the values required for the probe configuration. In the second step, you test the backend health using this probe configuration and save the probe.
Enter probe properties
- Sign in to the Azure portal. If you don't already have an account, you can sign up for a free one-month trial.
- In the Azure portal Favorites pane, click All resources. Click the application gateway in the All resources blade. If the subscription you selected already has several resources in it, you can enter partners.contoso.net in the Filter by name… box to easily access the application gateway.
- Select Health probes and then select Add to add a new health probe.
- On the Add health probe page, fill out the required information for the probe, and when complete select OK.
The Add health probe page has the following settings (setting: value; details):
- Name: customProbe. A friendly name for the probe, shown in the portal.
- Protocol: HTTP or HTTPS. The protocol the health probe uses.
- Host: for example contoso.com. The name of the virtual host (different from the VM host name) running on the application server. The probe is sent to <protocol>://<host name>:<port>/<urlPath>.
- Pick host name from backend HTTP settings: Yes or No. Sets the Host header in the probe to the host name from the HTTP settings this probe is associated with. Required for multi-tenant back ends such as Azure App Service.
- Pick port from backend HTTP settings: Yes or No. Sets the probe port to the port from the HTTP settings this probe is associated with. If you choose No, you can enter a custom destination port.
- Port: 1-65535. Custom port to use for the health probes.
- Path: / or any valid path. The remainder of the full URL for the custom probe. A valid path starts with '/'. For the default path of http://contoso.com, use '/'.
- Interval (secs): 30. How often the probe runs to check health. Setting it lower than 30 seconds is not recommended.
- Timeout (secs): 30. How long the probe waits before timing out. If a valid response is not received within this period, the probe is marked as failed. The timeout must be long enough for an HTTP call to reach the back-end health page, and it should not exceed the Interval value of this probe or the Request timeout value of the HTTP setting that will be associated with it.
- Unhealthy threshold: 3. Number of consecutive failed attempts before the back end is considered unhealthy. Can be set to 1 or more.
- Use probe matching conditions: Yes or No. By default, an HTTP(S) response with a status code between 200 and 399 is considered healthy. You can change the acceptable range of back-end response codes or match on the response body.
- HTTP Settings: selection from the drop-down. The probe is associated with the HTTP setting(s) selected here and therefore monitors the health of the back-end pool associated with them. It uses the same port for the probe request as the selected HTTP setting. You can only choose HTTP settings that are not associated with any other custom probe.
Note that only HTTP settings that use the same protocol as this probe and have the same state for the Pick host name from backend HTTP settings switch are available for association.
Important
The probe monitors health of the back end only when it is associated with one or more HTTP settings. It monitors the back-end resources of the back-end pools associated with those HTTP settings. The probe request is sent as <protocol>://<hostName>:<port>/<urlPath>.
Test backend health with the probe
After entering the probe properties, you can test the health of the back-end resources to verify that the probe configuration is correct and that the back-end resources are working as expected.
- Select Test and note the result of the probe. The Application gateway tests the health of all the backend resources in the backend pools associated with the HTTP Setting(s) used for this probe.
- If there are any unhealthy backend resources, then check the Details column to understand the reason for the unhealthy state of the resource. If the resource has been marked unhealthy due to an incorrect probe configuration, then select the Go back to probe link and edit the probe configuration. Otherwise, if the resource has been marked unhealthy due to an issue with the backend, then resolve the issues with the backend resource and test the backend again by selecting the Go back to probe link and then Test.
Note
You can choose to save the probe even with unhealthy backend resources, but it is not recommended. This is because the Application Gateway will not forward requests to the backend servers in the backend pool that the probe determines to be unhealthy. If there are no healthy resources in a backend pool, you will not be able to access your application and will get an HTTP 502 error.
- Select Add to save the probe.
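The probe properties from the table above and the back-end health test, done with the Az PowerShell module instead of the portal. This is an added example, not the article's own code; the gateway name partners-appgw, the resource group, and the HTTP setting name appGatewayBackEndHttpSettings are assumptions, while the probe values (HTTPS, host contoso.com, path /, 30/30/3, match 200-399) follow the table.

```powershell
# Added example, not the article's own code. Gateway and group names are assumed.
$rg     = 'rg-appgw'
$gwName = 'partners-appgw'
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# Treat 200-399 as healthy (the portal default, made explicit here).
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode '200-399'

# Probe definition: request goes to https://contoso.com:<port>/ ; the timeout
# is kept equal to the interval and never above it, as the table requires.
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'customProbe' `
    -Protocol Https -HostName 'contoso.com' -Path '/' `
    -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -Match $match
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'customProbe'

# Associate the probe with the HTTPS back-end setting; the probe borrows this
# setting's port (443). Request timeout 30 is not below the probe timeout.
$gw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
    -Name 'appGatewayBackEndHttpSettings' -Port 443 -Protocol Https `
    -CookieBasedAffinity Disabled -RequestTimeout 30 -Probe $probe
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Same check the portal's Test button performs: pull the back-end health report
# and list every server that is not Healthy, with the gateway's reason string.
function Get-UnhealthyBackends {
    param([string]$Name, [string]$ResourceGroupName)
    $health = Get-AzApplicationGatewayBackendHealth -Name $Name -ResourceGroupName $ResourceGroupName
    foreach ($pool in $health.BackendAddressPools) {
        foreach ($setting in $pool.BackendHttpSettingsCollection) {
            foreach ($server in $setting.Servers) {
                if ($server.Health -ne 'Healthy') {
                    [pscustomobject]@{
                        Pool    = $pool.BackendAddressPool.Id.Split('/')[-1]
                        Address = $server.Address
                        Health  = $server.Health
                        Reason  = $server.HealthProbeLog
                    }
                }
            }
        }
    }
}
Get-UnhealthyBackends -Name $gwName -ResourceGroupName $rg
```

An empty result from Get-UnhealthyBackends is the equivalent of every row in the portal's test showing Healthy. A non-empty result before the gateway is put in front of real traffic is the moment to fix either the probe (wrong host header, path, or a 4xx/5xx outside the match range) or the back end itself, since the gateway will answer 502 for a pool with no healthy members.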
Create probe for Application Gateway v1 SKU
Probes are configured in a two-step process through the portal. The first step is to create the probe. In the second step, you add the probe to the backend http settings of the application gateway.
Create the probe
- Sign in to the Azure portal. If you don't already have an account, you can sign up for a free one-month trial.
- In the Azure portal Favorites pane, select All resources. Select the application gateway in the All resources page. If the subscription you selected already has several resources in it, you can enter partners.contoso.net in the Filter by name… box to easily access the application gateway.
- Select Probes and then select Add to add a probe.
- On the Add health probe blade, fill out the required information for the probe, and when complete select OK.
The Add health probe blade has the following settings (setting: value; details):
- Name: customProbe. A friendly name for the probe, shown in the portal.
- Protocol: HTTP or HTTPS. The protocol the health probe uses.
- Host: for example contoso.com. The name of the virtual host (different from the VM host name) running on the application server. The probe is sent to (protocol)://(host name):(port from httpsetting)/urlPath. This applies when multi-site is configured on the Application Gateway. If the Application Gateway is configured for a single site, enter '127.0.0.1'.
- Pick host name from backend HTTP settings: Yes or No. Sets the Host header in the probe to the host name of the back-end resource in the back-end pool associated with the HTTP setting this probe is associated with. Required for multi-tenant back ends such as Azure App Service.
- Path: / or any valid path. The remainder of the full URL for the custom probe. A valid path starts with '/'. For the default path of http://contoso.com, use '/'.
- Interval (secs): 30. How often the probe runs to check health. Setting it lower than 30 seconds is not recommended.
- Timeout (secs): 30. How long the probe waits before timing out. If a valid response is not received within this period, the probe is marked as failed. The timeout must be long enough for an HTTP call to reach the back-end health page, and it should not exceed the Interval value of this probe or the Request timeout value of the HTTP setting that will be associated with it.
- Unhealthy threshold: 3. Number of consecutive failed attempts before the back end is considered unhealthy. Can be set to 1 or more.
- Use probe matching conditions: Yes or No. By default, an HTTP(S) response with a status code between 200 and 399 is considered healthy. You can change the acceptable range of back-end response codes or match on the response body.
Important
The host name is not the same as the server name. This value is the name of the virtual host running on the application server. The probe is sent to <protocol>://<hostName>:<port from http settings>/<urlPath>.
Add probe to the gateway
Now that the probe has been created, it is time to add it to the gateway. Probe settings are set on the backend http settings of the application gateway.
- Click HTTP settings on the application gateway, then click the current backend HTTP settings listed in the window to bring up the configuration blade.
- On the appGatewayBackEndHttpSettings settings page, check the Use custom probe checkbox and choose the probe created in the Create the probe section from the Custom probe drop-down. When complete, click Save and the settings are applied.
Next steps
High Availability Cross-geographic AD FS Deployment In Azure With Azure Traffic Manager
View the health of the backend resources as determined by the probe using the backend health view.