Windows Server 2016 power-packed with lots of new features and also many of the enhanced features. In this article we will see what is new in Active Directory Federation Services(AD FS) theoretically and will cover practically how does it works in upcoming articles.
Server 2016, AD FS got many new features which are listed.
Sign in with Azure Multi Factor Authentication(Azure MFA):
AD FS 2016 builds upon the multi-factor authentication (MFA) capabilities of AD FS in Windows Server 2012 R2 by allowing sign on using only an Azure MFA code, without first entering a username and password.
- With Azure MFA as the primary authentication method, the user is prompted for their username and the OTP code from the Azure Authenticator app.
- With Azure MFA as the secondary or additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication, username and password, smart card, or user or device certificate), then sees a prompt for text, voice, or OTP based Azure MFA login.
- With the new built-in Azure MFA adapter, setup and configuration for Azure MFA with AD FS has never been simpler.
- Organizations can take advantage of Azure MFA without the need for an on premises Azure MFA server.
- Azure MFA can be configured for intranet or extranet, or as part of any access control policy.
How to Configure Azure MFA, Please refer the Article
Password-less from Complaint Device
Password-Less works based on the Device registration which actually introduced with Server 2012 R2 ADFS 3.0. In Server 2016, it got enahnced with new capabilities.
Users can sign on using the device credential, and compliance is re-evaluated when device attributes change, so that you can always ensure policies are being enforced. This enables policies such as
- Enable Access only from devices that are managed and/or compliant
- Enable Extranet Access only from devices that are managed and/or compliant
- Require multi-factor authentication for computers that are not managed or not compliant
AD FS provides the on premises component of conditional access policies in a hybrid scenario. When you register devices with Azure AD for conditional access to cloud resources, the device identity can be used for AD FS policies as well.
For more information about using device based conditional access with AD FS
Sign in with Microsoft Passport:
Microsoft Passport has introduced with Server 2016. Microsoft Passport allows user to enter PIN which is four digit key. it allows to access the device. Microsoft Passport can be PIN, a bio-metric gesture like fingerprint, or facial recognition
so that users can sign in to AD FS applications from the intranet or the extranet without the need to provide a password.
For more information about using Microsoft Windows Hello for Business in your organization
It also provides secured Access to the applications and developers. I personally experienced that developers are not able to wrote codes easily to get the tokens of earlier versions of the ADFS Deployments. Server 2016 provides those which are really results fruitful results for the application developers.
Windows Server 2016 supports for all the new modern protocols those provides enhanced supportability for Windows 10, Android and IOS Developments.
Access Control Policies:
it is really good feature what i can say. Being ADFS Admin, I have faced many times when some claim rules needs to be configured. Previous versions required the skills to configure the claim rules using claim rule language. it is very complex and need to configure carefully. Wherein in Server 2016 provides simple access control policies, using this built in templates, users can configure common polices such as,
- Permit intranet access only
- Permit everyone and require MFA from Extranet
- Permit everyone and require MFA from a specific group
The templates are easy to customize using a wizard driven process to add exceptions or additional policy rules and can be applied to one or many applications for consistent policy enforcement.
Support for Non-AD LDAP Authentication for Sign on:
By default, Previous ADFS Versions to configure ADFS infrastructure. Wherein many organisations the too have Non-AD LDAP based authentication for the users and applications. Server 2016 provides support for third party Non-LDAP V3-Complaint Authentication stores where user accounts resides.
AD FS can now be used for:
- Users in third party, LDAP v3 compliant directories
- Users in Active Directory forests to which an Active Directory two-way trust is not configured
- Users in Active Directory Lightweight Directory Services (AD LDS)
Please refer the article to know more about Configure AD FS to authenticate users stored in LDAP directories.
Management and operational Enhanced features:
1. Audit Logs for ADFS tokens:
Previously, for single login there will be lots of logs will get generated for single login, you need to follow complete log history to know what is happening for that user. Hence it is really pain for adminisytators from Management front.It is completely solved in the Server 2016.
For more information see Auditing enhancements to AD FS in Windows Server 2016.
2. Improved interoperabilty with SAML 2.0
AD FS 2016 contains additional SAML protocol support, including support for importing trusts based on metadata that contains multiple entities. This enables you to configure AD FS to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard.
For more information see Improved interoperability with SAML 2.0.
3. Password Management simplified for Applications and office365 Users
AD FS 2016 supports for notifying the users about their password expiration. Now a days, users are connecting from multiple locations and depends on their work load their visit to corporate network also varies. in such cases, users will get issues when their password expired where there is no notifications before it expired. Many of the applications are getting migrated to have ADFS Integration, hence users will be very less chance to come to know their password when it is getting expired. AD FS 2016 provides these support using the password expiration claim rule to notify the user before 15 days. hence that user will not get any issues once password expired. it is good for AD FS restricted applications and office 365 users.
For more information see Configure AD FS to send password expiry claims.
AD FS Migration made simple
AD FS 2016 Migration from previous versions are made very simple. Earlier, if you want to migrate from ADFS 2.0 to ADFS 3.0 we need to deploy new ADFS 3.0 and then move the configuration and databases to the new version.
But AD FS 2016 does migration in simple way by adding server 2016 AD FS servers in the AD FS 3.0 Farm and remove the Server 2012 R2 servers one by one when you added Server 2016 AD FS Servers in the Farm. By doing this, Migration is simple and no need to have any down time for the migration.
Add new Windows Server 2016 servers to the farm, verify the functionality and remove the older servers from the load balancer. Once all farm nodes are running Windows Server 2016, you are ready to upgrade the farm behavior level to 2016 and begin using the new features.
For more information see Upgrading to AD FS in Windows Server 2016.