Are there any advantages to using federated services versus forest trusts?

  • Question

  • Are there any advantages of using federated services for different forests to interact with each other versus using domain trust relationships? Is one option more secure than the other? Is there better performance and simplicity with one option versus the other?

    We want organizations in their own forests to be able both to share data and to allow sharing of systems, so that both forests are able to administer the systems.


    • Edited by kimdav111 Wednesday, February 12, 2020 8:11 PM
    Wednesday, February 12, 2020 8:00 PM

All replies

  • Federation allows you to remove trusts and also to expand outwards to other IdPs, and it allows applications that use standards like SAML rather than Kerberos.

    Also, by using the WAP you have protection for external users, e.g. extranet lockout.

    It also allows Connect Health reporting etc. via Azure.

    Thursday, February 13, 2020 5:51 PM
  • Do trust relationships require the use of the same LAN? Do the forests in a forest trust need to be on the same LAN or a connected network which does not go via the Internet? I am thinking of a company that has merged with another company, whereby a private fiber connects each forest to the other.

    Does it make sense to have a federated relationship (ADFS servers at each company's LAN) if we use a trust? This connection essentially travels on a dedicated fiber between the two company LANs.


    Friday, February 14, 2020 3:40 PM
  • AD trusts require network connectivity between DCs on both sides.

    Federation doesn't.

    If you have 2 forests/domains and they trust each other (bi-directional trust), you can just have ADFS in one of these forests. The ADFS will be able to authenticate users with the same scope as Windows.

    If you currently do not have a trust, because of security reasons or network limitations, you can install ADFS in each forest and have them trust each other. The "trust" will just require the exchange of metadata. This can use the network, but you can also use the FederationMetadata.xml file offline (export on one side and import on the other side).

    The ADFS server has to be reachable by all users it needs to give tokens to, but just on port TCP 443. So your network connectivity requirements would be:

    With Forest A NOT trusting Forest B, with ADFS-A in Forest A and ADFS-B in Forest B, and with users in A needing to access an application trusted by ADFS-B:

    Forest A
    Users of A need to be able to reach DCs of Forest A.
    Users of A need to be able to reach ADFS of Forest A.
    Users of B need to be able to reach ADFS of Forest B (port 443).
    Users of B need to be able to reach the applications trusted by ADFS-B (very likely running on port TCP 443).

    Forest B
    Users of B need to be able to reach DCs of Forest B.
    Users of B need to be able to reach ADFS of Forest B.
    Users of B do NOT need to be able to reach ADFS of Forest A, unless you also want users from B to access applications using ADFS in Forest A.

    Make sense?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 14, 2020 4:22 PM
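The offline FederationMetadata.xml exchange and the TCP 443-only reachability described in the reply above, as an added PowerShell example (not code from the thread or from Microsoft). Host names, file paths and trust display names are assumptions; the cmdlets are from the AD FS PowerShell module.

```powershell
# Added example (not from the thread): federate ADFS-A and ADFS-B without a forest
# trust, exchanging metadata as files. adfs-a.forest-a.example, adfs-b.forest-b.example
# and the C:\Transfer paths are assumed names for illustration.

# 1. Export ADFS-A's metadata on any host that can reach ADFS-A on TCP 443.
#    /FederationMetadata/2007-06/FederationMetadata.xml is the standard AD FS endpoint.
$metadataUrlA = 'https://adfs-a.forest-a.example/FederationMetadata/2007-06/FederationMetadata.xml'
Invoke-WebRequest -Uri $metadataUrlA -OutFile 'C:\Transfer\adfs-a-metadata.xml'
#    Move adfs-a-metadata.xml to ADFS-B by whatever out-of-band channel you use;
#    no DC-to-DC connectivity is needed, which is the point of the reply above.

# 2. On a Forest A client: the only reachability that matters for Forest A users
#    accessing an application trusted by ADFS-B is TCP 443 to ADFS-B (and to ADFS-A).
Test-NetConnection -ComputerName 'adfs-b.forest-b.example' -Port 443
Test-NetConnection -ComputerName 'adfs-a.forest-a.example' -Port 443

# 3. On ADFS-B: register ADFS-A as a claims provider trust from the offline file.
#    A trust imported from a file has no metadata URL for AD FS to monitor, so a
#    token-signing certificate rollover on ADFS-A has to be re-imported by hand.
Add-AdfsClaimsProviderTrust -Name 'Forest A (ADFS-A)' `
    -MetadataFile 'C:\Transfer\adfs-a-metadata.xml'

# 4. On ADFS-B: confirm, against a thumbprint obtained from the Forest A admins
#    out of band, that the signing certificate you just trusted is really ADFS-A's.
(Get-AdfsClaimsProviderTrust -Name 'Forest A (ADFS-A)').TokenSigningCertificates |
    Select-Object Subject, Thumbprint, NotAfter

# 5. On ADFS-A: the mirror step. Export ADFS-B's metadata the same way as in step 1,
#    carry it over, and register ADFS-B as a relying party trust.
Add-AdfsRelyingPartyTrust -Name 'Forest B (ADFS-B)' `
    -MetadataFile 'C:\Transfer\adfs-b-metadata.xml'
```

Step 4 is the check a practitioner wants: a metadata file copied by hand is only as trustworthy as the channel it travelled over, so the signing certificate thumbprint should be confirmed with the other side before users are allowed through.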