ADFS Implementation

Last updated: January 14, 2026

📚 Reference: This guide aligns with AD FS Overview

My First ADFS Deployment

I remember my first ADFS project vividly. The organization had just signed contracts with three major SaaS providers, and each vendor was asking for different authentication methods. The CEO wanted "single sign-on like Google has" without understanding the complexity behind it.

After weeks of planning, testing, and late nights troubleshooting claim rules, we launched a working ADFS infrastructure. Users could access Office 365, Salesforce, and our custom web applications with their domain credentials. That project taught me that ADFS isn't just "install and configure" – it's an architecture that requires careful planning and understanding.

What is Active Directory Federation Services?

ADFS is Microsoft's federated identity and access management solution. In my deployments, ADFS serves as the bridge between internal Active Directory and external applications that need to authenticate users.

Why I Deploy ADFS

Single Sign-On (SSO): Users log in once and access multiple applications

Office 365 / Microsoft 365
Salesforce, ServiceNow, Workday
Custom web applications
Partner organization resources

Federated Trust: Establish trust relationships without sharing passwords

Business partners can access specific resources
Customers can access portals
Vendors can access ticketing systems

Claims-Based Authentication: Flexible identity assertions

Send custom attributes to applications
Transform identities based on rules
Support multiple identity providers

ADFS Architecture and Components

The Four Key Components

1. Active Directory (Claims Provider)

The identity store that validates credentials and provides user attributes.

2. Federation Servers (ADFS Servers)

Issue security tokens after authenticating users. In production, I always deploy at least two servers for high availability.

3. Web Application Proxy (Federation Server Proxy)

DMZ-based reverse proxy that protects ADFS servers from direct internet exposure.

4. Relying Parties (Applications)

Applications that trust tokens issued by ADFS.

ADFS Authentication Flow

Planning ADFS Deployment

Sizing and Capacity

From my experience, here's how I size ADFS farms:

Small Environment (< 1,000 users)

2 ADFS Servers:
- 4 vCPU
- 8 GB RAM
- 100 GB disk
- Windows Internal Database (WID)

2 WAP Servers:
- 2 vCPU
- 4 GB RAM
- 100 GB disk

Medium Environment (1,000 - 10,000 users)

3-4 ADFS Servers:
- 8 vCPU
- 16 GB RAM
- 200 GB disk
- SQL Server (Standard Edition)

3-4 WAP Servers:
- 4 vCPU
- 8 GB RAM
- 100 GB disk

Large Environment (> 10,000 users)

6+ ADFS Servers:
- 16 vCPU
- 32 GB RAM
- 500 GB disk
- SQL Server (Enterprise Edition)

6+ WAP Servers:
- 8 vCPU
- 16 GB RAM
- 100 GB disk

SSL Certificate Requirements

ADFS requires proper SSL certificates. Here's what I obtain:

Public Certificate (Required)

Subject Name: adfs.company.com
Subject Alternative Names (SANs):
- adfs.company.com
- enterpriseregistration.company.com (for device registration)
- certauth.adfs.company.com (for certificate authentication)
Issued by: Public CA (DigiCert, Let's Encrypt, etc.)
Key Length: 2048-bit minimum (4096-bit preferred)

Token-Signing Certificate (Auto-generated)

ADFS generates this automatically
Auto-rollover enabled by default
Internal use only

# Request certificate from internal CA
$cert = Get-Certificate -Template WebServer `
    -SubjectName "CN=adfs.company.com" `
    -DnsName "adfs.company.com","enterpriseregistration.company.com" `
    -CertStoreLocation Cert:\LocalMachine\My

# Or import purchased certificate
$pfxPassword = ConvertTo-SecureString "CertPassword123!" -AsPlainText -Force
Import-PfxCertificate -FilePath "C:\Certs\adfs.company.com.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword

DNS Configuration

# Internal DNS A Records (point to ADFS load balancer or servers)
Add-DnsServerResourceRecordA -Name "adfs" -ZoneName "company.com" -IPv4Address "10.1.10.50"
Add-DnsServerResourceRecordA -Name "enterpriseregistration" -ZoneName "company.com" -IPv4Address "10.1.10.50"

# External DNS A Records (point to DMZ load balancer or WAP servers)
# These are configured at your public DNS provider
# adfs.company.com -> 203.0.113.10 (Public IP)
# enterpriseregistration.company.com -> 203.0.113.10

Service Account (gMSA Recommended)

# Create gMSA for ADFS service
New-ADServiceAccount -Name "svc-ADFS" `
    -DNSHostName "svc-ADFS.company.com" `
    -ServicePrincipalNames "http/adfs.company.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "ADFS-Servers" `
    -Description "ADFS Service Account (gMSA)"

# Install on ADFS servers
Install-ADServiceAccount -Identity "svc-ADFS"

# Test installation
Test-ADServiceAccount -Identity "svc-ADFS"

Installing ADFS

Prerequisites Checklist

Before installation, I verify:

Domain-joined Windows Server 2019/2022
Member of domain (not domain controller)
SSL certificate installed in LocalMachine\My
Service account (gMSA) created and installed
DNS records configured
Firewall rules configured (TCP 443, 80)
SQL Server available (for WID, nothing needed)

First ADFS Server Installation

# Install ADFS role
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Import ADFS module
Import-Module ADFS

# Get SSL certificate
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*adfs.company.com*"} | 
    Select-Object -First 1

# Get service account credential (for non-gMSA)
# For gMSA, we'll specify the account name directly
$serviceAccountName = "COMPANY\svc-ADFS$"

# Install ADFS farm (first server)
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs.company.com" `
    -FederationServiceDisplayName "Company Federation Service" `
    -ServiceAccountCredential (Get-Credential) `
    -OverwriteConfiguration

# Or with gMSA (recommended)
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs.company.com" `
    -FederationServiceDisplayName "Company Federation Service" `
    -GroupServiceAccountIdentifier "COMPANY\svc-ADFS$" `
    -OverwriteConfiguration

# Server will reboot

Adding Additional ADFS Servers to Farm

# On second/third ADFS server
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Get certificate
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*adfs.company.com*"} | 
    Select-Object -First 1

# Get credential of primary ADFS server's local admin
$primaryAdminCred = Get-Credential ADFS01\Administrator

# Join existing farm
Add-AdfsFarmNode `
    -CertificateThumbprint $cert.Thumbprint `
    -ServiceAccountCredential (Get-Credential) `
    -PrimaryComputerName "ADFS01.company.com" `
    -PrimaryComputerPort 80 `
    -Credential $primaryAdminCred

# Or with gMSA
Add-AdfsFarmNode `
    -CertificateThumbprint $cert.Thumbprint `
    -GroupServiceAccountIdentifier "COMPANY\svc-ADFS$" `
    -PrimaryComputerName "ADFS01.company.com" `
    -PrimaryComputerPort 80 `
    -Credential $primaryAdminCred

Using SQL Server for Configuration Database

For larger deployments, I use SQL Server instead of Windows Internal Database:

# Create SQL database first
# On SQL Server:
CREATE DATABASE ADFSConfiguration;
GO

# Install ADFS with SQL
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs.company.com" `
    -FederationServiceDisplayName "Company Federation Service" `
    -GroupServiceAccountIdentifier "COMPANY\svc-ADFS$" `
    -SQLConnectionString "Data Source=SQL01;Initial Catalog=ADFSConfiguration;Integrated Security=True" `
    -OverwriteConfiguration

Post-Installation Configuration

Enable Modern Authentication

# Enable OAuth 2.0
Set-AdfsProperties -EnableOAuthDeviceFlow $true

# Enable modern authentication endpoints
Enable-AdfsEndpoint -TargetAddressPath "/adfs/oauth2/authorize"
Enable-AdfsEndpoint -TargetAddressPath "/adfs/oauth2/token"

# View all endpoints
Get-AdfsEndpoint | Select-Object FullUrl, Enabled | Sort-Object FullUrl

Configure Token Lifetime

# Set token lifetimes (in minutes)
Set-AdfsProperties -SSOLifetime 480      # 8 hours
Set-AdfsProperties -TokenLifetime 60     # 1 hour

# Verify settings
Get-AdfsProperties | Select-Object SSOLifetime, TokenLifetime

Enable Extranet Lockout Protection

Critical for security – I enable this on every deployment:

# Enable Extranet Smart Lockout
Set-AdfsProperties -ExtranetLockoutEnabled $true `
    -ExtranetLockoutThreshold 5 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
    -ExtranetLockoutRequirePDC $false

# Enable account lockout (blocks at ADFS, not AD)
Set-AdfsProperties -EnableExtranetLockout $true

# Check settings
Get-AdfsProperties | Select-Object ExtranetLockout*

Configure Device Registration

For Windows 10/11 workplace join:

# Initialize device registration
Initialize-ADDeviceRegistration -ServiceAccountName "COMPANY\svc-ADFS$"

# Enable device registration
Enable-AdfsDeviceRegistration

# Verify
Get-AdfsDeviceRegistrationUpnSuffix

Configuring Relying Party Trusts

Relying parties are applications that trust ADFS for authentication.

Office 365 / Microsoft 365

# Install Azure AD PowerShell
Install-Module -Name MSOnline

# Connect to Azure AD
Connect-MsolService

# Convert domain to federated
$dom = "company.com"
$fedBrandName = "Company Corporation"
$issuerUri = "http://adfs.company.com/adfs/services/trust/"
$passiveLogonUri = "https://adfs.company.com/adfs/ls/"
$logoffUri = "https://adfs.company.com/adfs/ls/"
$certData = (Get-AdfsCertificate -CertificateType Token-Signing)[0].Certificate
$certString = [Convert]::ToBase64String($certData.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $fedBrandName `
    -Authentication Federated `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveLogonUri `
    -SigningCertificate $certString `
    -LogOffUri $logoffUri `
    -PreferredAuthenticationProtocol WsFed

# Verify federation
Get-MsolDomainFederationSettings -DomainName $dom

Custom SAML Application

# Add relying party trust (manual configuration)
$relyingPartyIdentifier = "https://webapp.company.com/saml"
$samlEndpoint = "https://webapp.company.com/saml/acs"

Add-AdfsRelyingPartyTrust `
    -Name "Company Web Application" `
    -Identifier $relyingPartyIdentifier `
    -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $samlEndpoint) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Or import from federation metadata
Add-AdfsRelyingPartyTrust `
    -Name "Salesforce" `
    -MetadataUrl "https://company.my.salesforce.com/services/saml/metadata"

Claim Rules

Claims are assertions about users sent to applications.

Understanding Claim Flow

Common Claim Rule Patterns

1. Pass Through UPN

$ruleName = "Pass through UPN"
$ruleTemplate = @"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(claim = c);
"@

Add-AdfsRelyingPartyTrustClaimRule `
    -TargetName "Company Web Application" `
    -RuleName $ruleName `
    -ClaimRule $ruleTemplate `
    -RuleType IssuanceTransform

2. Send Email as NameID

$ruleName = "Transform Email to NameID"
$ruleTemplate = @"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", 
         Issuer = c.Issuer, 
         OriginalIssuer = c.OriginalIssuer, 
         Value = c.Value, 
         ValueType = c.ValueType, 
         Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

Add-AdfsRelyingPartyTrustClaimRule `
    -TargetName "Salesforce" `
    -RuleName $ruleName `
    -ClaimRule $ruleTemplate `
    -RuleType IssuanceTransform

3. Send AD Groups as Roles

$ruleName = "Send AD Groups as Roles"
$ruleTemplate = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
   Value =~ "^(?i)S-1-5-21-"] 
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", 
         Issuer = c.Issuer, 
         OriginalIssuer = c.OriginalIssuer, 
         Value = c.Value, 
         ValueType = c.ValueType);
"@

Add-AdfsRelyingPartyTrustClaimRule `
    -TargetName "Company Web Application" `
    -RuleName $ruleName `
    -ClaimRule $ruleTemplate `
    -RuleType IssuanceTransform

4. Conditional Access Based on Group

# Only allow IT-Users group to access application
$ruleName = "Allow Only IT Users"
$ruleTemplate = @"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
        Value == "S-1-5-21-123456789-123456789-123456789-1234"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", 
         Value = "true");
"@

Set-AdfsRelyingPartyTrust `
    -TargetName "Admin Portal" `
    -IssuanceAuthorizationRules $ruleTemplate

# To get group SID:
# Get-ADGroup "IT-Users" | Select-Object SID

5. Multi-Factor Authentication Based on Location

# Require MFA for external access
$ruleName = "Require MFA for External Access"
$ruleTemplate = @"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", 
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

Set-AdfsRelyingPartyTrust `
    -TargetName "Sensitive Application" `
    -AdditionalAuthenticationRules $ruleTemplate

Exporting and Backing Up Claim Rules

# Export all claim rules for a relying party
$rpName = "Company Web Application"
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# Export to file
$rules = @{
    IssuanceTransform = $rp.IssuanceTransformRules
    IssuanceAuthorization = $rp.IssuanceAuthorizationRules
    DelegationAuthorization = $rp.DelegationAuthorizationRules
}

$rules | ConvertTo-Json | Out-File "C:\Backups\ADFS\$rpName-ClaimRules.json"

# Import claim rules
$imported = Get-Content "C:\Backups\ADFS\$rpName-ClaimRules.json" | ConvertFrom-Json

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $imported.IssuanceTransform `
    -IssuanceAuthorizationRules $imported.IssuanceAuthorization

Multi-Factor Authentication (MFA)

Azure MFA Integration

# Register ADFS with Azure MFA
# Install Azure MFA Server Adapter
$regkey = "HKLM:\Software\Microsoft\ADFS"
Set-ItemProperty -Path $regkey -Name "FederationServiceDisplayName" -Value "Company ADFS"

# Configure Azure MFA as additional authentication provider
Register-AdfsAuthenticationProvider `
    -Name "AzureMFA" `
    -TypeName "Microsoft.AzureMfa.AuthenticationProvider" `
    -Enabled $true

# Require MFA globally for extranet
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules 'c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# Per-application MFA
Set-AdfsRelyingPartyTrust -TargetName "Sensitive App" `
    -AdditionalAuthenticationRules 'c:[] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Certificate-Based Authentication

# Enable certificate authentication
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Configure certificate authentication endpoint
Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/certificatemixed"

# Require certificate for specific application
Set-AdfsRelyingPartyTrust -TargetName "High Security App" `
    -AdditionalAuthenticationRules 'c:[] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/certificatemethod");'

Web Application Proxy (WAP) Configuration

Installing WAP

# On DMZ server (NOT domain-joined)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Import WAP module
Import-Module WebApplicationProxy

# Get ADFS trust certificate (from ADFS server)
$trustCert = Get-AdfsCertificate -CertificateType Token-Signing
Export-Certificate -Cert $trustCert[0].Certificate -FilePath "C:\Temp\adfs-trust.cer"

# Copy to WAP server and import
Import-Certificate -FilePath "C:\adfs-trust.cer" -CertStoreLocation Cert:\LocalMachine\Root

# Get SSL certificate for WAP
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*adfs.company.com*"}

# Install WAP
$adfsCredential = Get-Credential
Install-WebApplicationProxy `
    -FederationServiceTrustCredential $adfsCredential `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs.company.com"

Publishing Applications Through WAP

# Publish ADFS (always first)
Add-WebApplicationProxyApplication `
    -Name "ADFS" `
    -ExternalUrl "https://adfs.company.com/" `
    -BackendServerUrl "https://adfs.company.com/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ADFSRelyingPartyName "ADFS"

# Publish custom web application with preauthentication
Add-WebApplicationProxyApplication `
    -Name "Company Intranet" `
    -ExternalUrl "https://intranet.company.com/" `
    -BackendServerUrl "https://internal-web01.company.local/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ADFSRelyingPartyName "Company Intranet" `
    -EnableHTTPRedirect $true

# List published applications
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl

Monitoring and Troubleshooting

Health Checks

# ADFS service status
Get-Service ADFSSRV | Select-Object Name, Status, StartType

# ADFS farm status
Get-AdfsSyncProperties

# Certificate expiration
Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, NotAfter | 
    Where-Object {$_.NotAfter -lt (Get-Date).AddDays(60)}

# Endpoint status
Get-AdfsEndpoint | Where-Object {$_.Enabled -eq $false} | 
    Select-Object FullUrl, Enabled

Event Logs

# ADFS Admin log
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 50 | 
    Select-Object TimeCreated, Id, Message | 
    Format-Table -Wrap

# Authentication failures
Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 100 | 
    Where-Object {$_.Id -eq 411} | 
    Select-Object TimeCreated, Message

# Token issuance events
Get-WinEvent -LogName "AD FS/Admin" | 
    Where-Object {$_.Id -in @(1200, 1202)} | 
    Select-Object TimeCreated, Id, Message

# Audit events
Get-WinEvent -LogName "Security" -MaxEvents 100 | 
    Where-Object {$_.Id -in @(4624, 4625)} | 
    Select-Object TimeCreated, Id, Message

Common Issues and Solutions

1. Users Can't Authenticate

# Check service account
Test-ADServiceAccount -Identity "svc-ADFS"

# Verify SPN
setspn -L COMPANY\svc-ADFS$

# Test ADFS endpoint
Invoke-WebRequest -Uri "https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing

# Check certificate binding
netsh http show sslcert

# Verify time sync
w32tm /query /status

2. Token Signing Certificate Issues

# Check auto-rollover
Get-AdfsProperties | Select-Object AutoCertificateRollover

# Enable auto-rollover
Set-AdfsProperties -AutoCertificateRollover $true

# Manual rollover
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# Update Office 365 with new certificate
Update-MsolFederatedDomain -DomainName company.com

3. Slow Authentication

# Enable performance counters
$counters = @(
    "\AD FS\Token Requests"
    "\AD FS\Federation Metadata Requests"
    "\AD FS\SQL Queries"
    "\Process(Microsoft.IdentityServer.ServiceHost)\% Processor Time"
)

Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 10

# Check SQL connectivity (if using SQL)
Test-NetConnection -ComputerName SQL01 -Port 1433

# Verify DNS resolution
Resolve-DnsName adfs.company.com

Performance Monitoring

# Key performance counters I monitor
$perfCounters = @(
    "\AD FS\Token Requests/Sec"
    "\AD FS\Artifact Resolution Requests/Sec"
    "\AD FS\Federation Metadata Requests/Sec"
    "\Memory\Available MBytes"
    "\Processor(_Total)\% Processor Time"
    "\Network Interface(*)\Bytes Total/sec"
)

# Collect baseline
Get-Counter -Counter $perfCounters -SampleInterval 10 -MaxSamples 360 | 
    Export-Counter -Path "C:\PerfLogs\ADFS-Baseline.blg" -FileFormat BLG

# Real-time monitoring
while ($true) {
    Clear-Host
    Get-Counter -Counter $perfCounters -SampleInterval 1 -MaxSamples 1 | 
        ForEach-Object {$_.CounterSamples} | 
        Format-Table Path, CookedValue -AutoSize
    Start-Sleep -Seconds 5
}

Backup and Recovery

Backup ADFS Configuration

# Backup ADFS configuration
$backupPath = "C:\ADFS-Backups\$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -Path $backupPath -ItemType Directory -Force

# Export ADFS properties
Get-AdfsProperties | Export-Clixml "$backupPath\ADFS-Properties.xml"

# Export all relying party trusts
Get-AdfsRelyingPartyTrust | Export-Clixml "$backupPath\RelyingPartyTrusts.xml"

# Export claim provider trusts
Get-AdfsClaimsProviderTrust | Export-Clixml "$backupPath\ClaimsProviderTrusts.xml"

# Export certificates
Get-AdfsCertificate | Export-Clixml "$backupPath\ADFS-Certificates.xml"

# Backup to file
Backup-WebApplicationProxyConfiguration -Path "$backupPath\WAP-Config.xml"

Restore ADFS Configuration

# Restore relying party trusts
$rpts = Import-Clixml "C:\ADFS-Backups\2026-01-14\RelyingPartyTrusts.xml"

foreach ($rpt in $rpts) {
    Add-AdfsRelyingPartyTrust `
        -Name $rpt.Name `
        -Identifier $rpt.Identifier `
        -IssuanceTransformRules $rpt.IssuanceTransformRules `
        -IssuanceAuthorizationRules $rpt.IssuanceAuthorizationRules
}

# Restore WAP configuration
Restore-WebApplicationProxyConfiguration -Path "C:\ADFS-Backups\2026-01-14\WAP-Config.xml"

High Availability and Disaster Recovery

Load Balancing Configuration

In my deployments, I use either hardware load balancers or Windows NLB:

F5 / NetScaler / Azure Load Balancer (Preferred)

Configuration:
- VIP: 10.1.10.50 (adfs.company.com)
- Pool Members: ADFS01 (10.1.10.51), ADFS02 (10.1.10.52)
- Health Probe: https://adfs.company.com/adfs/probe
- Session Persistence: Source IP
- SSL Offloading: Disabled (pass-through)

Windows Network Load Balancing

# On each ADFS server
Install-WindowsFeature NLB -IncludeManagementTools

# Create NLB cluster (run on first server)
New-NlbCluster -InterfaceName "Ethernet" `
    -ClusterName "ADFS-Cluster" `
    -ClusterPrimaryIP 10.1.10.50 `
    -SubnetMask 255.255.255.0 `
    -OperationMode Multicast

# Add second server to cluster
Add-NlbClusterNode -InterfaceName "Ethernet" `
    -NewNodeInterface "ADFS02" `
    -NewNodeName "10.1.10.52"

# Configure port rule for HTTPS
Add-NlbClusterPortRule -Protocol Tcp `
    -Mode Multiple `
    -Affinity Single `
    -StartPort 443 `
    -EndPort 443

Disaster Recovery Plan

My standard DR runbook:

# 1. Document current state
$drDoc = @{
    FederationServiceName = (Get-AdfsProperties).HostName
    Certificates = Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, NotAfter
    RelyingParties = Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier
    ServiceAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
}
$drDoc | ConvertTo-Json | Out-File "C:\DR\ADFS-State.json"

# 2. Backup database (if using SQL)
Backup-SqlDatabase -ServerInstance SQL01 -Database ADFSConfiguration `
    -BackupFile "\\BackupServer\SQL\ADFSConfiguration.bak"

# 3. Backup certificates
$certs = Get-ChildItem Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*adfs.company.com*"}

foreach ($cert in $certs) {
    Export-PfxCertificate -Cert $cert `
        -FilePath "\\BackupServer\Certs\$($cert.Thumbprint).pfx" `
        -Password (ConvertTo-SecureString "BackupP@ss!" -AsPlainText -Force)
}

Security Best Practices

1. Secure Service Account

# Use gMSA (shown earlier)
# If using standard account, enforce strong password
$password = ConvertTo-SecureString "$(New-Guid)$(New-Guid)" -AsPlainText -Force
Set-ADAccountPassword -Identity "svc-ADFS" -NewPassword $password

# Disable interactive logon
Set-ADUser -Identity "svc-ADFS" -CannotChangePassword $true -PasswordNeverExpires $true

2. Restrict ADFS Admin Access

# Create dedicated ADFS admin group
New-ADGroup -Name "ADFS-Administrators" -GroupScope Global -GroupCategory Security

# Grant permissions
Add-ADGroupMember -Identity "ADFS-Administrators" -Members "jsmith", "kjones"

# Use Just-In-Time admin access
# Remove permanent Domain Admin access

3. Enable Auditing

# Enable ADFS auditing
Set-AdfsProperties -AuditLevel Verbose

# Enable detailed security auditing
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

4. Implement IP Whitelisting (if applicable)

# Restrict ADFS access by IP (for B2B scenarios)
$ruleName = "Block Untrusted Networks"
$rule = @"
c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", 
    Value =~ "^(?!10\.1\.|192\.168\.).*"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName "Partner Application" `
    -IssuanceAuthorizationRules $rule

Real-World Integration Scenarios

Scenario 1: Salesforce SAML SSO

# Add Salesforce relying party trust
Add-AdfsRelyingPartyTrust `
    -Name "Salesforce Production" `
    -Identifier "https://company.my.salesforce.com" `
    -SamlEndpoint (New-AdfsSamlEndpoint `
        -Binding POST `
        -Protocol SAMLAssertionConsumer `
        -Uri "https://company.my.salesforce.com/saml/acs")

# Claim rules for Salesforce
$nameIDRule = @"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", 
         Issuer = c.Issuer, 
         OriginalIssuer = c.OriginalIssuer, 
         Value = c.Value, 
         ValueType = c.ValueType, 
         Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

$emailRule = @"
c:[Type == "http://schemas.xmlsoap.org/claims/emailaddress"]
=> issue(claim = c);
"@

Set-AdfsRelyingPartyTrust -TargetName "Salesforce Production" `
    -IssuanceTransformRules "$nameIDRule`n$emailRule"

Scenario 2: AWS Console Access

# Add AWS relying party trust
$awsMetadata = "https://signin.aws.amazon.com/static/saml-metadata.xml"
Add-AdfsRelyingPartyTrust -Name "AWS Console" -MetadataUrl $awsMetadata

# Claim rules for AWS
$roleRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
   Value == "S-1-5-21-123456789-1234567890-1234567890-1234"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", 
         Value = "arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS");
"@

$sessionDurationRule = @"
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/SessionDuration", 
         Value = "28800");
"@

Set-AdfsRelyingPartyTrust -TargetName "AWS Console" `
    -IssuanceTransformRules "$roleRule`n$sessionDurationRule"

Conclusion

ADFS is a powerful federated identity solution that, when properly implemented, provides seamless single sign-on across cloud and on-premises applications. From my experience deploying ADFS in organizations from 100 to 50,000 users, the key to success is:

Plan thoroughly: Understand your applications' requirements
Design for scale: Start with high availability even if you're small
Security first: Enable MFA, extranet lockout, and auditing
Monitor proactively: Don't wait for users to report issues
Document everything: Claim rules, certificates, integrations

In the next article, we'll explore Public Key Infrastructure (PKI) with Active Directory Certificate Services – the foundation for ADFS certificates and secure communications.

hashtagMy First ADFS Deployment

hashtagWhat is Active Directory Federation Services?

hashtagWhy I Deploy ADFS

hashtagADFS Architecture and Components

hashtagThe Four Key Components

hashtag1. Active Directory (Claims Provider)

hashtag2. Federation Servers (ADFS Servers)

hashtag3. Web Application Proxy (Federation Server Proxy)

hashtag4. Relying Parties (Applications)

hashtagADFS Authentication Flow

hashtagPlanning ADFS Deployment

hashtagSizing and Capacity

hashtagSSL Certificate Requirements

hashtagDNS Configuration

hashtagService Account (gMSA Recommended)

hashtagInstalling ADFS

hashtagPrerequisites Checklist

hashtagFirst ADFS Server Installation

hashtagAdding Additional ADFS Servers to Farm

hashtagUsing SQL Server for Configuration Database

hashtagPost-Installation Configuration

hashtagEnable Modern Authentication

hashtagConfigure Token Lifetime

hashtagEnable Extranet Lockout Protection

hashtagConfigure Device Registration

hashtagConfiguring Relying Party Trusts

hashtagOffice 365 / Microsoft 365

hashtagCustom SAML Application

hashtagClaim Rules

hashtagUnderstanding Claim Flow

hashtagCommon Claim Rule Patterns

hashtag1. Pass Through UPN

hashtag2. Send Email as NameID

hashtag3. Send AD Groups as Roles

hashtag4. Conditional Access Based on Group

hashtag5. Multi-Factor Authentication Based on Location

hashtagExporting and Backing Up Claim Rules

hashtagMulti-Factor Authentication (MFA)

hashtagAzure MFA Integration

hashtagCertificate-Based Authentication

hashtagWeb Application Proxy (WAP) Configuration

hashtagInstalling WAP

hashtagPublishing Applications Through WAP

hashtagMonitoring and Troubleshooting

hashtagHealth Checks

hashtagEvent Logs

hashtagCommon Issues and Solutions

hashtag1. Users Can't Authenticate

hashtag2. Token Signing Certificate Issues

hashtag3. Slow Authentication

hashtagPerformance Monitoring

hashtagBackup and Recovery

hashtagBackup ADFS Configuration

hashtagRestore ADFS Configuration

hashtagHigh Availability and Disaster Recovery

hashtagLoad Balancing Configuration

hashtagDisaster Recovery Plan

hashtagSecurity Best Practices

hashtag1. Secure Service Account

hashtag2. Restrict ADFS Admin Access

hashtag3. Enable Auditing

hashtag4. Implement IP Whitelisting (if applicable)

hashtagReal-World Integration Scenarios

hashtagScenario 1: Salesforce SAML SSO

hashtagScenario 2: AWS Console Access

hashtagConclusion

hashtagFurther Reading