ADFS 3.0 and WAP on Windows Server 2012 R2

  • Question

  • Hi All,

I'm in the planning process to deploy WAP with ADFS 3.0. I have purchased the VeriSign SSL certificate adfs.company.com.

We have Windows Server 2012 R2 Active Directory domain controllers and Exchange 2010 SP3 (DAG, CAS array, shadow redundancy) on Windows Server 2008 R2. Our Outlook Web App certificate already exists as webmail.company.com/owa.

    We have 3500 users in our organization.

    =============================================

    My Plan is:

    • Two Web Application Proxies will be in DMZ
    • Two ADFS Servers will be in Corporate Network

    =============================================

Which database is recommended for ADFS?

    Shall I install the Windows Internal Database for ADFS (for 3500 users)?

WAP and ADFS must be highly available.

    I'm not an expert in these technologies, but I have to deploy this under any circumstances. Hence, I need your expert comments and valuable advice to succeed in this task.

    I've gone through the reference links but am a little bit confused. I'd appreciate it if you could provide the minimal and major requirements and steps.

    Thank You for your precious time.


Regards, Ali

    Friday, December 25, 2015 6:15 PM

All replies

  • You can go for WID (differences explained here: Configuration database requirements https://technet.microsoft.com/en-US/library/dn554247.aspx#BKMK_5). The design will look like this: Federation Server Farm Using WID and Proxies https://technet.microsoft.com/en-us/library/dn554244.aspx

In terms of infrastructure, you will need:

    • Load Balancer in front of your ADFS servers
    • Load Balancer in front of your ADFS Proxies (WAP)
    • Split Horizon DNS (aka split brain DNS)

    ... this is described in the link I mentioned above.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 29, 2015 10:29 AM
  • If you're running Exchange 2010, which is non-claims aware, then I believe you'll need to also enable Kerberos on your CAS and then use Alternate Service Accounts (ASA). From the WAP you can then use Kerberos Constrained Delegation (KCD) to publish your OWA service as a non-claims-aware web app.

    http://blog.auth360.net

    Tuesday, December 29, 2015 11:38 PM
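As an added illustration of the KCD publishing path described above (example code, not from the original post), this PowerShell sketch shows the three pieces it needs on the Windows Server 2012 R2 side: a non-claims-aware relying party trust on the ADFS farm, delegation rights for the WAP computer accounts to the CAS service SPN, and the WAP publishing rule. Host names such as webmail.company.com, WAP1/WAP2 and the certificate thumbprint are taken from the thread or are placeholders; note that KCD requires the WAP servers to be domain members, and the Exchange 2010 OWA virtual directory must accept Windows (Kerberos) authentication behind the proxy.

```powershell
# Added example (not from the original thread). Assumes the Exchange 2010 CAS
# already uses an Alternate Service Account (ASA) holding the SPN
# http/webmail.company.com, and that WAP1/WAP2 are domain-joined (KCD needs this).

# 1) On an ADFS 3.0 server: register OWA as a non-claims-aware relying party.
#    The authorization rule below permits any authenticated user; tighten it
#    with group-based rules if only part of the directory should reach OWA.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name "OWA" `
    -Identifier "https://webmail.company.com/owa/" `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 2) In Active Directory: let each WAP computer account delegate to the CAS
#    SPN only (constrained), with protocol transition so the proxy can obtain a
#    Kerberos ticket for a user who authenticated to ADFS over the internet.
foreach ($wap in "WAP1", "WAP2") {
    # Constrained delegation target list: the CAS/ASA SPN, nothing else.
    Set-ADComputer -Identity $wap -TrustedForDelegation $false `
        -Add @{ "msDS-AllowedToDelegateTo" = "http/webmail.company.com" }
    # "Use any authentication protocol" (protocol transition) flag.
    Get-ADComputer -Identity $wap | Set-ADAccountControl -TrustedToAuthForDelegation $true
}

# 3) On each WAP server: publish OWA with ADFS pre-authentication and KCD to the CAS.
$thumb = "<thumbprint of the webmail.company.com certificate>"  # placeholder
Add-WebApplicationProxyApplication -Name "OWA" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "OWA" `
    -ExternalUrl "https://webmail.company.com/owa/" `
    -BackendServerUrl "https://webmail.company.com/owa/" `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerAuthenticationSPN "http/webmail.company.com"
```

Keeping the delegation list limited to the single CAS SPN is what makes this "constrained": a compromised proxy account can only obtain tickets for that service, not for arbitrary services in the domain.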
  • Hi Mylo,

    Can you please provide the reference links for " use enable Kerberos on your CAS and then use Alternate Service Accounts (ASA). From the WAP you can then use Kerberos-Constrained Delegation (KCD) to publish your OWA service as a non-claims aware web app "

    Thanks for your precious time.


Regards, Ali

    Wednesday, December 30, 2015 6:17 AM
  • Hi Owner,

Thank you for your reply. I'm planning to deploy two ADFS servers (ADFS1 & ADFS2) in the corporate network with WNLB (adfs.company.com), joined to the domain, and two WAP servers (WAP1 & WAP2) in the DMZ with WNLB (wap.company.com), not joined to the domain.

I have two certificates:

    1 - A newly purchased certificate for ADFS, adfs.company.com, which I'm going to install on the ADFS servers (ADFS1 & ADFS2).

    Certificate, WNLB and cluster name: adfs.company.com

    2 - An existing certificate used for the Exchange CAS servers (CAS1 & CAS2), webmail.company.com.

    Certificate, WNLB and cluster name: webmail.company.com

    Hence,

The Web Application Proxy WNLB or cluster name will be wap.company.com, and I'm going to export and import (or install) the webmail.company.com certificate on both WAP servers (WAP1 & WAP2, cluster name wap.company.com), which are in the DMZ.

    Please advise whether I'm planning and going the correct way or not.

    Thanks Again ...!!!


Regards, Ali

    Wednesday, December 30, 2015 6:47 AM
  • Feel free to mark some of the posts as answers!

    @Mylo: Can you please ping me through my blog? Thanks!


    Wednesday, December 30, 2015 10:59 AM
  • Hi Pierre,

    Done.

    Regards,

    Mylo


    http://blog.auth360.net

    Thursday, December 31, 2015 9:34 AM