Federation Services and Direct Access
Posted by BPuhl on August 6, 2009
Now here’s an interesting combination. What do you do when you have a service which has both an internal and internet facing components, with different behavior for each, and then you deploy Direct Access?
Quick aside: For those not aware, Direct Access is a feature which allows domain joined Win7 laptops to behave as though they were on the corporate network and have full access to internal resources, regardless of where they are.
The important detail here, is that one of the control mechanisms is an idea of split DNS. Internal domains are flagged as such, so that clients route that traffic internally, and everything else is considered “internet”.
So the question is, if you have your ADFS servers deployed in a unique namespace (we use *.sts.microsoft.com), then do you call that an internal namespace or an external one? I’m not sure of the right answer at this point, but I’ve been bouncing around and just recently (this past week) requested a change.
Another quick note: Remember, that we’ve got ADFS deployed so that users who are on corpnet get integrated authentication – no prompts – when they hit the ADFS servers. Users on the internet get forms based auth, and have to enter credentials
So for your DA users, what kind of experience should they have? Initially, when we first started rolling out DA, it made sense to me that DA enabled clients on the internet should have the “corpnet” experience. In other words, even though I’m at home, I should still get integrated authentication.
Just recently though, we ran into some issues where DA enabled users would be in situations (client issues, behind firewalls, etc…) where they were able to traverse the internet but were not able to get the DA connection back to corpnet. In these cases, users were actually able to hit the internet based, federated resource. But because the client thought that the ADFS servers were internal (and DA wasn’t working), they were failing to authenticate. They could see the app, just not get into it.
So we had the DNS policy on DA clients changed, and now our DA clients believe that the ADFS servers are external. This takes us back to our pre-DA behavior, where clients physically on corpnet (DA or not) will get integrated auth, but clients on the internet (DA or not) will always get FBA. At least with FBA though, they can get access to the resources.
The change hasn’t been in place long enough, and we don’t have a critical mass of users on our DA pilot yet, so I haven’t heard the rumblings about the change to see whether anyone has noticed. Yet. I’m sure this won’t be the last time we need to think about ADFS and DA, but all other things considered, right now I think the best thing to do is keep the 2 separate.