ADFS 2.0 compatibility with ADFS 3.0

  • Question

  • We are using ADFS 2.0 for SSO and we want to upgrade to Server 2012, and it uses native 3.0. We are using an outside vendor that uses ADFS 2.0. If we do the upgrade to Server 2012 and ADFS 3.0, will it break the connection to the vendor?

    My question is: are they compatible?

    Monday, July 22, 2013 4:23 PM

Answers

  • Hello,

    According to http://technet.microsoft.com/en-us/library/hh831502.aspx it includes version 2 with enhancements:

    For Windows Server 2012, the AD FS server role (version 2.1 instead of 3) includes the same functionality and feature set that is available in AD FS 2.0.

    It also includes the following list of new functionality that was not available in AD FS 2.0:

    • Integration with Dynamic Access Control scenarios - AD FS can be used with the user and device claims that are issued using Active Directory Domain Services (AD DS) in Windows Server 2012 for various Dynamic Access Control scenarios. This integration enables AD FS to consume AD DS claims that are included in Kerberos tickets as a result of domain authentication. For more information about using claims from Kerberos tickets, see Using AD DS Claims with AD FS.
    • Improved installation experience using Server Manager – With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure. However, in Windows Server 2012 you install the AD FS server role using Server Manager. Server Manager provides improved AD FS configuration wizard pages that perform server validation checks before you continue with the AD FS server role installation and will automatically list and install all the services that AD FS depends on during the AD FS server role installation. These services include Microsoft ASP.NET and other services that are part of the Web Server (IIS) server role.
    • Additional Windows PowerShell cmdlet tools - In addition to the Windows PowerShell based management capabilities provided in AD FS 2.0, AD FS in Windows Server 2012 includes new cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy.

    In your case, build a lab and test it to be sure, which should always be done with major changes.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    • Edited by Meinolf Weber Tuesday, July 23, 2013 8:14 AM change
    • Marked as answer by Vivian_Wang Monday, July 29, 2013 8:21 AM
    Tuesday, July 23, 2013 6:57 AM
  • ADFS in W2K12 is ADFS v2.1

    ADFS in W2K12 R2 is, I think, ADFS v3.0

    You should be able to upgrade from ADFS v2.0 to ADFS v2.1 (never tried it myself though) and otherwise perform an export of the config of ADFS v2.0 and import the config into ADFS v2.1. With "upgrade from ADFS v2.0 to ADFS v2.1" I mean adding an ADFS v2.1 STS (W2K12) to the existing ADFS v2.0 farm, therefore replacing one by one.

    I'm sure you will not be able to upgrade ADFS v2.0 to ADFS v3.0. That for sure is a rebuild with the export and import of config.

    When rebuilding/migrating, the connections with other federations will be impacted for an amount of time.


    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    • Marked as answer by Vivian_Wang Monday, July 29, 2013 8:21 AM
    Tuesday, July 23, 2013 1:07 PM
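
Added example, not part of either answer above: a federation partner normally pins the identity provider's entity identifier, token-signing certificate and endpoint URLs, so comparing the federation metadata saved from the old farm with that of the rebuilt lab farm shows what the vendor would have to update. The metadata documents, host names and certificate strings below are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal metadata document (real AD FS metadata is much larger).
TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{entity}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Location="{sso}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def summarize(metadata_xml):
    """Extract what a partner pins: entityID, signing certs, SSO/SLO endpoints."""
    root = ET.fromstring(metadata_xml)
    certs, endpoints = set(), set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.add("".join((c.text or "").split()))  # ignore base64 line wraps
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for ep in root.iterfind(".//md:" + tag, NS):
            endpoints.add((tag, ep.get("Binding"), ep.get("Location")))
    return {"entityID": root.get("entityID"),
            "signing_certs": certs, "endpoints": endpoints}

def diff_metadata(old_xml, new_xml):
    """Return the names of the pinned items that differ between two farms."""
    old, new = summarize(old_xml), summarize(new_xml)
    return [k for k in ("entityID", "signing_certs", "endpoints") if old[k] != new[k]]

# Constructed samples: the rebuilt farm keeps its name but has a new signing cert.
OLD = TEMPLATE.format(entity="http://sts.example.test/adfs/services/trust",
                      cert="MIIC-CONSTRUCTED-OLD", sso="https://sts.example.test/adfs/ls/")
REBUILT = TEMPLATE.format(entity="http://sts.example.test/adfs/services/trust",
                          cert="MIIC-CONSTRUCTED-NEW", sso="https://sts.example.test/adfs/ls/")

if __name__ == "__main__":
    print(diff_metadata(OLD, REBUILT))
```

An empty result means the vendor sees the same identity after the rebuild; any listed item has to be coordinated with the vendor before cut-over.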
