Active Directory Federation Services is another bullet on the long list of enhancements coming soon with Windows Server 2016. Active Directory Federation Services, generally referred to as AD FS, has quickly gained popularity as the go-to method for federating authentication with Microsoft’s Office 365 platform. What many IT administrators may not know, is that it’s a fully functional federation server, capable of supplying single sign-on (SSO) features for a variety of applications and deployments.
Like most Microsoft products, AD FS started off rather inconspicuously as a limited Windows server role. Over the past few iterations, the feature set has increased, making it much more robust than the original version. While this is not an all inclusive list, a couple of features to note in 2016 are:
- Support for LDAP version 3
- Support for custom sign-in experience
- Farm upgrades from 2012 R2 are possible without a cut/migration progress
With support for LDAP version 3, AD FS goes beyond supporting typical AD and AD LDS directories and now supports a much broader spectrum of non-Microsoft directory products for which it can do federation. This is a great benefit for organizations that want to use AD FS as their single federating server for SSO, but were unable to do so because of the limited LDAP support.
The ability to customize the login page for browsers using forms-based authentication is a great addition for those organizations who may use different branding for child/sister organizations. They can now differentiate the forms-based sign-on experience by determining which relying party the request is coming from.
The process of upgrading an AD FS farm wasn’t terribly difficult with prior releases of AD FS, however no true migration process existed. Instead, administrators had to build a new farm, configure additional load balancing, export the configuration and import it, test authentication, and then cutover. To remedy this, Microsoft has taken their “functional level” theory they use for Active Directory and applied it to AD FS in Server 2016. While the theory behind it is the same, they are actually calling it a “farm behavior level” instead of a functional level. This allows an IT administrator to follow a somewhat familiar process to add migrate to the new version:
- Place the new AD FS server running Server 2016 into the same Farm as their Server 2012 R2 AD FS servers
- Retire the 2012 R2 AD FS servers
- Work through the process to raise the functional level up to 2016
- Start using the new 2016 features of AD FS
We touched on just three of the new features of AD FS in Server 2016. There are several more features and enhancements that have been added, and those can be found in this Technet article.
Microsoft Server 2016 has a plethora of new features coming with it, and these are a couple centered around just one of the server roles available. I would encourage you to take a few minutes to review the comprehensive list published on TechNet to see what Microsoft’s newest operating system can do for your organization’s environment.