
Monitoring Active Directory Federation Services
Reducing the Drop Height
The purpose of Active Directory Federation Services (ADFS) is to provide access to a different environment through a federation trust. Office 365 is a common scenario, but other target environments or applications are also common: SharePoint, Salesforce, or Google, for example. The important point is that both sides know each other, which is ensured when setting up the trust with certificates. In the home Active Directory, the ADFS server then ensures that a Security Assertion Markup Language (SAML) token is provided for users wanting to access the connected service; this token is used for access on the other side. In most cases, a WAP (Web Application Proxy) server comes into play in the perimeter network (DMZ); it knows the ADFS server in the neighboring Active Directory and controls access from the Internet.
For end users, this means they do not have to log in again by entering a password with their normal user ID when accessing the other service. The single sign-on scenario this creates is transparent and convenient for the user. In the background, however, a number of elements are responsible for the smooth process and present multiple sources of error that force the administrator to perform sophisticated monitoring at different levels. If the ADFS server suddenly stops issuing tokens, for whatever reason, access is no longer possible. For Office 365, for example, this means that users cannot access their mailboxes with Outlook. Telephony will also fail if you use Skype for Business from the Office 365 portfolio.
Numerous Dependencies
ADFS has various dependencies. First is Active Directory, with the service account in whose context ADFS runs. It does not have far-reaching rights, but if it is blocked, nothing will work. It is also advisable to use a Group Managed Service Account for this purpose, which reduces such problems and also increases security. Active Directory
...
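The service account dependency described under "Numerous Dependencies" can be checked directly on the ADFS server. The following is an added example, not code from the article; it assumes the ActiveDirectory (RSAT) PowerShell module is installed and that the service uses the default name `adfssrv`, and the function name `Test-AdfsServiceAccount` is hypothetical.

```powershell
# Added example: check the account the AD FS service runs under.
# Assumes the ActiveDirectory (RSAT) module and the default service name 'adfssrv'.
Import-Module ActiveDirectory

function Test-AdfsServiceAccount {   # hypothetical helper name
    param([string]$ServiceName = 'adfssrv')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

    # StartName is DOMAIN\name or name@domain; reduce it to the sAMAccountName.
    # Assumption: for the UPN form, the prefix equals the sAMAccountName.
    $sam = ($svc.StartName -split '\\')[-1] -replace '@.*$', ''

    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
    if (-not $obj) { throw "Logon account '$($svc.StartName)' not found in Active Directory." }

    # A Group Managed Service Account has its own object class in the directory.
    $isGmsa = $obj.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
    $acct = if ($obj.ObjectClass -eq 'user') {
        Get-ADUser -Identity $obj.DistinguishedName -Properties LockedOut
    } else {
        Get-ADServiceAccount -Identity $obj.DistinguishedName -Properties LockedOut
    }

    [pscustomobject]@{
        ServiceState = $svc.State
        Account      = $svc.StartName
        IsGmsa       = $isGmsa
        Enabled      = $acct.Enabled
        LockedOut    = $acct.LockedOut
        Healthy      = ($svc.State -eq 'Running') -and $acct.Enabled -and (-not $acct.LockedOut)
    }
}

$result = Test-AdfsServiceAccount
$result | Format-List
if (-not $result.Healthy) { exit 1 }   # non-zero exit code for the monitoring agent
```

An `IsGmsa` value of `False` identifies an ordinary user account that a monitoring job can flag for migration to a Group Managed Service Account.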