This video will look at the different components that can be installed with Active Directory Federation Services. The components are mostly the same in each version, in most cases the main difference between the different components is that they have slightly different names.
AD FS ComponentsThe main role of Active Directory Federation Services remains much the same throughout the different versions. In Windows Server 2012 R2 Active Directory Federation Services is a role with no component. In all the other versions Federation Services is a component in the role.
AD FS has a proxy component that you can install in a DMZ to provide access to Federation Users from the internet. This component is called “Federation Service Proxy” except in Windows Server 2012 R2 where the component has been moved to the “Remote Access Role” and called “Web Application Proxy”. Even though the component has moved and the name has changed, the component provided the same basic functionality as the “Federation Service Proxy” component.
AD FS has a number of web agents. These are optional and allow AD FS to communicate with different systems. In different versions of AD FS the name of the component may have changed to include the version number of 1.1; however, the functionality of the component is still the same. In Windows Server 2012 R2 the web agents have been removed.
Web Application Proxy
In Windows Server 2012 R2 the Federation Service Proxy has change its name to “Web Application Proxy” and is found in the Remote Access Role. It provides the same functionality as the previous component but also has some additional functionality added. For this reason you may find that this component is used with other services, not just Active Directory Federation Services.
Web Application Proxy/Federation Service Proxy
This component is normally installed on a DMZ. If you consider that the user that is accessing the Active Directory Federation Service may not work for your company, you may not want them accessing your internal network directly. Since Active Directory Federation Services needs to be a member of the domain, accessing it directly does present some security issues. The application proxy does not need to be a member of the domain. The user would access the proxy server on the DMZ which would then pass on the request to the federation server. The Federation Server would then send the result back to the proxy server which would pass this on to the user. The user would most likely be receiving a claim. Once the user has a claim, they are able to use this claim to access a claim aware application. The claim aware application is most likely to be found on the DMZ.
AD FS Web Agents
Web agents are not available in Windows Server 2012 R2 as they have been removed. In the other version of AD FS the name may be slightly different, but they form the same function. A vendor is free to add their own agents however the two web agents provided by Microsoft are “Claims-aware Agent” or “AD FS 1.1 Claims-aware Agent” and “Windows Token-based Agent” or “AD FS 1.1 Windows Token-based Agent”.
AD FS Web Agents
Essentially a web agent converts a claim from one format to another. Given the example of the Windows Token-based Agent, this takes an AD FS claim and converts it into an NT Token. AD FS used to require IIS to operate, however it no longer requires it. Web agents were generally used with IIS. This may be the reason that Microsoft removed this feature in IIS as it is no longer required in Windows Server 2012 R2 for AD FS.
References
“Web Application Proxy” http://msdn.microsoft.com/en-us/library/windows/desktop/dn323740(v=vs.85).aspx
“Understanding the AD FS 2.0 Proxy” http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
“ADFS Web Agent” http://technet.microsoft.com/en-us/library/cc783116(v=ws.10).aspx
Credits