ADFS auth with trusts…
Posted by BPuhl on April 4, 2008
This post falls under my “been asked 3 times in the past few days” rule…so it must qualify as a blog post:
1. If you have multiple AD DOMAINs and they are Forest and Trees (Parent Child sub-domain relationships) how many ADFS server(s) do you need? (one per DOMAIN or can a single server handle sub-domains?)
2. If you have multiple AD DOMAINs and these DOMAINs have established Trust relationships, but they are not sub-domains (each DOMAIN is separate), how many ADFS server(s) do you need? (one per DOMAIN or can a single server handle multiple Trusted DOMAINs) (How does ADFS handle AD Trust relationships?)
3. If you have multiple AD DOMAINs and there are no Trust relationships between the DOMAINs, how many ADFS server(s) do you need? (one per DOMAIN or can a single server handle multiple DOMAINs)
Answer: (check this out, kill 3 birds with one stone)
First, note that the context of these questions is the “FS-A”, or the user-authentication portion of ADFS.
So the answer is that ADFS works wonderfully across Windows trusts (regardless of type). The first requirement for ADFS is that the user needs to be able to authenticate to the ADFS server. Because ADFS is a web service which runs in IIS, this is analogous to saying that if a user could authenticate to ANY web application, then they are good to go. The next thing that’s required is that the ADFS server has to be able to query the directory holding the user account, to get any claims information. So if you’re passing something like first name, last name, and/or e-mail address, then the server will query the corresponding directory for that info.
With trusts in place, you can satisfy both the “user auth” and the “query AD” functions from any application, so ADFS will work.
Internally at Microsoft, we have a single ADFS instance which is used to authenticate all of our employees out to business partners. Their user accounts live in 1 of 4 production forests (15 domains total), any of which are (or have been) running Windows 2000, Windows Server 2003, and/or Windows Server 2008 (all mixes of domain and forest functional modes) at any given time. No problems!
So if you want specific answers:
1) 1 – a single ADFS instance can service all domains in the forest
2) 1 – a single ADFS instance can handle all domains and forests with trusts
3) 1 per forest – all domains in a forest have implicit trust relationships, but if there are no trusts between domains of different forests, then each forest will need its own ADFS instance
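To make the three answers concrete, here is a small model (added here as an example; it is not code from the original post or from Microsoft) that works out the minimum number of ADFS instances for an arbitrary set of forests and trusts. It encodes the post's reasoning: a forest is the unit because its domains trust each other implicitly, an instance hosted in a forest can authenticate users and query claims from any forest that its hosting forest directly trusts, and a forest with no trust path to a hosting forest needs its own instance. Two assumptions are mine: trusts are modelled as directed (trusting forest, trusted forest) pairs, with a two-way trust written as two pairs, and trust between forests is not treated as transitive. All forest and domain names are constructed.

```python
"""Minimum number of ADFS (FS-A) instances for a set of AD forests and trusts.

Added example, not from the original post. Rules modelled:
- domains in one forest trust each other implicitly, so the forest is the unit;
- an ADFS instance hosted in forest X serves users from X and from every
  forest that X directly trusts (the resource side must trust the account side);
- forests with no such trust to a hosting forest need their own instance.
Assumptions: trusts are directed (trusting, trusted) pairs; a two-way trust is
two pairs; trust between forests is not transitive.
"""
from itertools import combinations


def served_from(host, trusts):
    """Forests whose users an ADFS instance hosted in `host` can authenticate
    and query for claims: the host itself plus every forest it directly trusts."""
    served = {host}
    for trusting, trusted in trusts:
        if trusting == host:
            served.add(trusted)
    return served


def minimum_adfs_hosts(forests, trusts=()):
    """Smallest set of forests that must host an ADFS instance so that users of
    every forest are covered. Brute force over subsets; fine for a few forests."""
    names = sorted(forests)
    for trusting, trusted in trusts:
        if trusting not in forests or trusted not in forests:
            raise ValueError(f"trust references unknown forest: {(trusting, trusted)!r}")
    for size in range(1, len(names) + 1):
        for hosts in combinations(names, size):
            covered = set()
            for host in hosts:
                covered |= served_from(host, trusts)
            if covered == set(names):
                return list(hosts)
    return names  # only reached for an empty topology


def adfs_instances_needed(forests, trusts=()):
    """Answer to 'how many ADFS servers do I need?' for this topology."""
    return len(minimum_adfs_hosts(forests, trusts))


def domains_served_by(host, forests, trusts=()):
    """Domain names whose users the instance hosted in `host` can authenticate
    and whose directories it can query for claims (first name, last name, e-mail)."""
    return sorted(d for f in served_from(host, trusts) for d in forests[f])


# Constructed sample topologies matching the three questions above.
SINGLE_FOREST = {  # Q1: parent/child domains in one forest
    "corp.example": ["corp.example", "emea.corp.example", "apac.corp.example"],
}
TWO_FORESTS = {  # Q2/Q3: two separate forests
    "corp.example": ["corp.example", "emea.corp.example"],
    "partner.example": ["partner.example", "labs.partner.example"],
}
TWO_WAY_FOREST_TRUST = [("corp.example", "partner.example"), ("partner.example", "corp.example")]
ONE_WAY_TRUST = [("corp.example", "partner.example")]  # corp.example trusts partner's users only

if __name__ == "__main__":
    print("Q1 single forest:      ", adfs_instances_needed(SINGLE_FOREST))
    print("Q2 trusted forests:    ", adfs_instances_needed(TWO_FORESTS, TWO_WAY_FOREST_TRUST))
    print("Q3 untrusted forests:  ", adfs_instances_needed(TWO_FORESTS))
    print("one-way trust, host in:", minimum_adfs_hosts(TWO_FORESTS, ONE_WAY_TRUST))
    print("domains that host serves:", domains_served_by("corp.example", TWO_FORESTS, ONE_WAY_TRUST))
```

The one-way case is the practical check the model adds over the post's three answers: with a single one-way trust, the ADFS instance has to sit in the trusting (resource) forest, because that is the only forest whose IIS can authenticate the other forest's users and whose server can query their directory.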