Logo

AD FS Features

This video will look the different versions of Active Directory Federation Services. This includes which features are available in each one and which operating system you need in order to use these features.

Show lesson content
AD FS 3.0
AD FS 3.0 is included in Windows Server 2012 R2. You will not be able to run AD FS 3.0 unless you install or upgrade to Windows Server 2012 R2. AD FS 3.0 comes with a few new features

Workplace Join: This allows a mobile device to join the domain. It is simpler than joining a computer to the domain; however, it does not include all the same features as joining a computer to the domain. For example, group policy is not supported. When you add a device to the domain using Workplace Join, the device is registered in Active Directory so administrators have control over which devices are added and also can remove a device later on if they wanted. Workplace Join could also be used with OS’s like Windows 8.1. This allows a computer to access some Active Directory functions. This is useful for external contractors who need access to certain files, but the administrator does not want to add them to domain functions like a standard user would have.

Enhanced access control risk management tools: This is a collection of features that help secure AD FS clients. For example, it makes it easier to disable remote devices. It also allows features like making sure the users enter in a username and password when accessing certain applications.
No longer requires IIS: AD FS 3.0 no longer requires IIS to be installed. It is now a separate role and does not require additional roles in order to be installed.

UI support for SQL Server: User interface has the ability to configure SQL server. If you are using SQL server with Active Directory Federation Services this makes it easier to configure SQL Server.

Group Managed Service Account Support: Managed services account were already present in Windows, however they were difficult to set up. AD FS 3.0 allows a managed service account to be created in the install wizard to be used with Active Directory Federation Services. A managed service account password is controlled by Active Directory. The password is very long and complex and automatically changed at periodic intervals. Group managed service accounts are different from the regular managed service accounts in that they can be used on multiple servers quite easily.

AD FS 3.0 difference from other version
The component Federation Service Proxy no longer exists. Its functionality has been replaced by a different component called “Web Application Proxy”. This component is found in the Remote Access Role rather than Federation Service role. This role is also used by other services as well as Active Directory Federation Services.

In AD FS 3.0 the web agents have been removed. These provided compatibility between AD FS and other systems. If you upgrade to this version you need to ensure that you do not require these web agents.

AD FS 2.1/AD FS 2.0
AD FS 2.1 is included with Windows Server 2012. There are only very minor changes between it and 2.0. The most significant change is that it is included in the operating system rather than being an optional download.

AD FS 2.0 is available as a free download from Microsoft. It can be installed on Windows Server 2008 and Windows Server 2008 R2.

AD FS 2.1/AD FS 2.0 New Features
Web support across domains: This feature allows Active Directory Federation Services to be used across domains. This feature allows a user in a child domain to access AD FS in a different domain. The user could also access Federation Services while mobile.

Improved federation trust support: Trust support has been improved. This means that Active Directory Federation has better support for working with other non-Microsoft Federation Services.

Improved management interface: The management interface has been improved making it easier to use and manage Federation Services.

AD FS 2.1/AD FS 2.0 Remove Features
AD LDS account store: In order for a user to use Active Directory Federation Services they need to be authenticated. Normally this will be done by a Domain Controller. Previously this could also have been done using an Active Directory Lightweight Directory Store. AD LDS can still be used as an attribute store, which means that it can be used to store data that Active Directory Federation Services will use, however it cannot be used for authentication.

Windows NT Token-based web agent: This is a web agent that allows the old Windows NT tokens to be used. This is no longer supported.

AD FS upgrade from 1.0: If you are using AD FS 1.0, an in-place upgrade is supported to AD FS 2.0. The upgrade is not supported to AD FS 2.0 and there is no upgrade path from AD FS 2.0 to AD FS 2.1

AD FS 1.1/AD FS 1.0
This is the first version of AD FS. It was available as a download for Windows Server 2003 R2 and included in Windows Server 2008 and Windows Server 2008 R2. It provides basic single sign on. It does have some compatibility problems with other non-Microsoft Federation Services which was fixed in later versions.

References
“Active Directory Federation Services 2.0 RTW” http://www.microsoft.com/en-us/download/details.aspx?id=10909
“Planning a Migration to AD FS 2.0” http://technet.microsoft.com/en-us/library/ff678044(v=ws.10).aspx
“Understanding Federation Design” http://technet.microsoft.com/en-us/library/cc753352.aspx
“Active Directory Federation Services Role” http://technet.microsoft.com/en-us/library/cc772313(v=ws.10).aspx
“First Impressions – AD FS and Windows Server 2012 R2 – Part I” http://blog.auth360.net/2013/09/13/first-impressions-ad-fs-and-windows-server-2012-r2-part-i/
“Samsung Knox enabled devices get Microsoft Workplace Join support” http://www.theinquirer.net/inquirer/news/2331546/samsung-knox-enabled-devices-get-microsoft-workplace-join-support
“Enhanced access control risk management tools” http://technet.microsoft.com/en-us/library/hh831502.aspx
“AD FS 2.0 and AD FS 1.x Interoperability” http://blogs.technet.com/b/askds/archive/2010/05/25/ad-fs-2-0-and-ad-fs-1-x-interoperability.aspx
“Features Removed or Deprecated in Windows Server 2012 R2” http://technet.microsoft.com/en-us/library/dn303411.aspx
“Overview of AD FS 2.0” http://technet.microsoft.com/en-us/library/gg274318.aspx

Credits

Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Federation Services

Active Directory is a system which offers centralized control of your computers.

Modules

Active Directory Infrastructure

Lessons

Group Policy

Lessons