What Is Active Directory Federation Service (AD FS)?
Active Directory Federation Service (AD FS) is a single sign-on (SSO) feature developed by Microsoft that provides safe, authenticated access to any domain, device, web application or system within the organization’s Active Directory (AD), as well as approved third-party systems.
AD FS is federated, meaning that it centralizes the user’s identity, which allows each person to use existing AD credentials to access applications within a corporate network and by trusted sources outside the organization, such as a cloud network, SaaS application or another company’s extranet. AD FS also lets users access AD-integrated applications while working remotely via the cloud.
The purpose of AD FS is to simplify the user experience while also allowing the organization to maintain strong security policies. With AD FS, users need only create and remember a single online credential in order to access a multitude of applications, systems and assets.
How Does AD FS Work?
AD FS works much like a general SSO in that it authenticates the user’s identity and verifies the user’s access privileges.
Verifying the User Identity
AD FS SSO leverages information found in the company’s data repository to confirm the user’s identity using two or more pieces of information, such as the user’s full name, employee number, phone number, employee ID or email address.
Managing User Claims
AD FS follows a claims-based authentication model. This means that the system produces a secure token that contains the access rights, or claims, related to each user. When the user attempts to access a system, the AD FS will check the request against a list of systems and applications that the user is approved to use within the AD or Azure AD. This check includes the organization’s internal assets, as well as third-party systems.
AD FS authentication for third-party systems is completed through a proxy service used by Active Directory and the external application, which combines both the user identity and the claim rule. This capability, known as Federated Trust or party trust, enables the user to bypass authenticating their identity with each application directly.
AD FS Authentication Process
The AD FS authentication process consists of five basic steps:
- The user accesses a link associated with the AD FS service and enters their user credentials.
- The AD FS service authenticates the user’s identity.
- The AD FS tool produces a personalized authentication claim for the user, which lists those assets that the user is approved to use.
- The AD FS service forwards this claim to other applications if and when the user attempts to access them.
- The target application grants or denies the action based on the terms outlined in the claim.
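The last two steps, seen from the target application's side, as an added example that is not part of the original article or any Microsoft code. It assumes the token is a SAML 2.0 assertion whose XML signature a SAML library has already verified against the federation server's certificate; the issuer, audience, user and role values are constructed for illustration.

```python
# Added example: the target application's decision in the last two steps.
# Assumes the assertion's XML signature was already verified by a SAML library.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Constructed sample values (hypothetical issuer and application).
TRUSTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
OUR_AUDIENCE = "https://app.example.test/"

SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Finance-Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(assertion_xml, required_role, now):
    """Return (allowed, reason). Denies by default on any missing or bad field."""
    try:
        root = ET.fromstring(assertion_xml)
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
        cond = root.find("saml:Conditions", NS)
        audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
        not_before = _ts(cond.get("NotBefore"))
        not_after = _ts(cond.get("NotOnOrAfter"))
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return False, "malformed token"
    if issuer != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if OUR_AUDIENCE not in audiences:
        return False, "token issued for another application"
    if not (not_before <= now < not_after):
        return False, "token outside validity window"
    roles = {v.text for a in root.iterfind(".//saml:Attribute", NS)
             if a.get("Name") == ROLE for v in a.iterfind("saml:AttributeValue", NS)}
    if required_role not in roles:
        return False, "required claim missing"
    return True, "ok"
```

The audience and validity-window checks are what stop a token issued for one application, or an expired one, from being accepted by another.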
Why Do Organizations Use AD FS?
Employees routinely access hundreds of applications to perform their jobs. This increases the need for an authentication or identity management tool that removes the need to sign on to each application individually while preserving security. SSO services such as AD FS provide many benefits to both the end user and the organization.
AD FS Benefits for End Users
- Simplicity. With AD FS, the end user can use a single set of credentials across a number of internal and external applications and systems, saving the user from creating and remembering multiple credentials.
- Improved user experience. Once their identity is authenticated by the AD FS, users can move seamlessly between both internal and external applications. This identity management tool eliminates the need for the user to enter passwords or otherwise interrupt the flow of their work.
- Efficiency gains. The AD FS provides seamless access across any number of web applications, systems or devices. For the end user, this means that they can move fluidly from one task to the next.
Why Use AD FS: AD FS Benefits for Organizations
- Reduction in IT support. One of the most common help desk requests is to reset forgotten, lost or expired passwords. With an AD FS, the IT function can reduce the time spent on routine password issues and focus on higher-value work. IT will also spend less time setting up credentials for new accounts.
- Simplified deactivation. In the event of an employee departure, AD FS provides a simple and efficient deactivation process for all related services and assets. Rather than de-credentialing each account individually, which is time consuming and prone to error, IT can deactivate the user and associated claims within the AD FS.
- Organizational efficiency. When employees are more efficient at their jobs, the organization becomes more efficient as well. AD FS eliminates friction within the employee user experience, which leads to higher productivity.
- Improved security. Using an AD FS naturally reduces the need for end users to recycle old passwords, use the same password across applications or write down their passwords. This decreases the likelihood that digital adversaries can use a cracked password to access a multitude of associated accounts.
AD FS Limitations and Disadvantages
AD FS has several important limitations and disadvantages that organizations must consider as part of their business strategy.
Infrastructure costs. While AD FS is available on the Windows Server as a free feature, it requires a Windows Server license and dedicated server to operate.
Operational and maintenance costs. Beyond the infrastructure investments like licenses and servers, operating and maintaining the AD FS introduces additional costs to the organization. Most notably, maintaining the party trust between AD domains and external applications requires a deep technical expertise and support from the IT organization. This can be further complicated in the Azure environment. AD FS also generates high maintenance and operation costs related to infrastructure upgrades, federation management and security investments such as secure sockets layer (SSL) certificate costs.
Complexity. While AD FS simplifies the user experience, it is typically very complicated to configure, deploy and operate, especially in the cloud or Microsoft Azure. Adding target applications to the service requires significant technical skills. Ironically, the user experience for the AD FS is not intuitive and must be managed by a specially trained IT professional.
Additional AD FS Limitations
- AD FS does not support file sharing between users or groups
- AD FS does not support print servers
- AD FS does not support most remote desktop connections
- AD FS cannot access Active Directory resources
AD FS Components and Design Elements
Active Directory (AD) and/or Azure AD: Microsoft’s proprietary directory services that allow network administrators to assign and manage account privileges to all network resources.
AD FS Server: A dedicated server that maintains and stores security tokens and other authentication assets, such as cookies.
Azure AD Connect: The module that connects Active Directory with the Azure AD, commonly used in hybrid deployments.
Federation Server: An SSO tool that provides authentication and access services to multiple systems across different enterprises through a common security token based on the host’s AD.
Federation Server Proxy: A gateway between the AD and external targets that coordinates access requests with the federation server.
AD FS vs Cloud Identity
AD FS is far from the only SSO/Federation tool available on the market today. Some organizations may be able to generate the same functionalities at a lower cost through a third-party cloud identity service or cloud-based identity management tool.
Cloud identity authenticators tend to be more cost effective because of the lower operational costs associated with the cloud. These tools also offer seamless integration with hundreds of applications.
Organizations should work with their cybersecurity partner to determine which authentication tool is ideal for their business.
AD FS and Cybersecurity
Given the shift to remote work as well as the growing reliance on the cloud, companies must reconsider how to authenticate users and provide access privileges. While AD FS provides seamless and efficient access, it comes with potentially serious security risks.
It is important to work with your cybersecurity partner to ensure that the AD FS is continuously monitored and patched and that other security risks are also addressed within the cybersecurity strategy.
CrowdStrike offers the following three best practices for organizations leveraging AD FS in a secure way:
- Unify AD forest visibility both on-premises and in Microsoft Azure. Determine any security gaps in authentication policies, user roles, access privileges and human and service accounts, as well as any access deviations across both the on-premises AD and Microsoft Azure AD.
- Reinforce AD security with conditional access. Leverage a cybersecurity toolset that continuously assesses risks based on user behavior tied to entities such as endpoints, servers, applications, location, user roles and groups. The tool should also enforce conditional access in the event of an anomaly. This will prevent high-risk access and remove friction for trusted access.
- Centralize incident investigation and response. Ensure the cybersecurity solution produces a full report of any suspicious or anomalous activity, including timestamp, activity, source and destination.