BPuhl’s Blog

A little bit of everything without actually being much of anything

Federation Services and Direct Access

Posted by BPuhl on August 6, 2009

Now here’s an interesting combination.  What do you do when you have a service which has both an internal and internet facing components, with different behavior for each, and then you deploy Direct Access?

Quick aside:  For those not aware, Direct Access is a feature which allows domain joined Win7 laptops to behave as though they were on the corporate network and have full access to internal resources, regardless of where they are.

The important detail here, is that one of the control mechanisms is an idea of split DNS.  Internal domains are flagged as such, so that clients route that traffic internally, and everything else is considered “internet”.

So the question is, if you have your ADFS servers deployed in a unique namespace (we use *.sts.microsoft.com), then do you call that an internal namespace or an external one?  I’m not sure of the right answer at this point, but I’ve been bouncing around and just recently (this past week) requested a change.

Another quick note:  Remember, that we’ve got ADFS deployed so that users who are on corpnet get integrated authentication – no prompts – when they hit the ADFS servers.  Users on the internet get forms based auth, and have to enter credentials

So for your DA users, what kind of experience should they have?  Initially, when we first started rolling out DA, it made sense to me that DA enabled clients on the internet should have the “corpnet” experience.  In other words, even though I’m at home, I should still get integrated authentication. 

Just recently though, we ran into some issues where DA enabled users would be in situations (client issues, behind firewalls, etc…) where they were able to traverse the internet but were not able to get the DA connection back to corpnet.  In these cases, users were actually able to hit the internet based, federated resource.  But because the client thought that the ADFS servers were internal (and DA wasn’t working), they were failing to authenticate.  They could see the app, just not get into it.

So we had the DNS policy on DA clients changed, and now our DA clients believe that the ADFS servers are external.  This takes us back to our pre-DA behavior, where clients physically on corpnet (DA or not) will get integrated auth, but clients on the internet (DA or not) will always get FBA.  At least with FBA though, they can get access to the resources.

The change hasn’t been in place long enough, and we don’t have a critical mass of users on our DA pilot yet, so I haven’t heard the rumblings about the change to see whether anyone has noticed. Yet.  I’m sure this won’t be the last time we need to think about ADFS and DA, but all other things considered, right now I think the best thing to do is keep the 2 separate.


One Response to “Federation Services and Direct Access”

  1. Ariel Gordon said

    If the apps relied on infocard logon, then you could setup your STS so that CS would try integrated auth first then fall back to U/P (or cert). This way you’d get a best and consistent user experience regardless of connectivity. Correct?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: