
Azure Application Gateway Adfs



We are converting an ASP.NET Web Application to Azure. The authentication process is handled using an LDAP call in the existing code, but we are planning for ADFS integration. The ADFS server already exposes the claims to the Microsoft Federation Gateway for consumption by other applications.

  • When to use Azure Load Balancer or Application Gateway, 10th of April, 2017, Simon Waight.
  • In Part 1 of Configuring Azure Application Gateway with AD FS we covered the existing AD FS architecture and the target AD FS architecture, and finally deployed an Application Gateway with a basic configuration. So let's have a look at the logical configuration of what AD FS behind an Application Gateway running a Web Application Firewall will look like.
  • The ability to open cloud-based resources that integrate with Azure Active Directory without having to sign on again has been the domain of ADFS up until this point. With the latest release of Azure AD Connect and Windows 10 1511 onwards, however, we can now achieve a similar experience.

Availability Sets

Some time ago I wrote up a post (located here) explaining how you can set up Traffic Manager with ADFS and have proper monitoring of the service. Today I will go over how to set up ADFS behind the Azure Application Gateway. This will enable you to protect your ADFS service and monitor it with the WAF provided by the Application Gateway.

Before we begin, one prerequisite which I am still not sure is really needed, but I had problems and I believe this fixed them:

You need to set the default HTTPS binding. I believe this is required because I am not sure the health probe is truly SNI compliant: a client that does not send SNI gets the default (IP:port) binding rather than the hostname binding, so without one the probe may never see the ADFS certificate. I might be wrong here, but it doesn't hurt to set it. To set it you simply need to run the following command on the WAP servers (just change the cert hash):
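The following is an added example, not the command from the original post, showing one way to register that non-SNI fallback binding on a WAP server. It assumes an elevated PowerShell session on each WAP server, that the certificate thumbprint you pass is the AD FS service certificate already in LocalMachine\My, and that the HTTP.sys application ID can be read from the hostname:443 binding the AD FS/WAP setup already created (so the new binding belongs to the same application); the function name, parameter names and the English `netsh` output labels it parses are assumptions.

```powershell
# Added example (not from the original post): register a non-SNI fallback HTTPS
# binding on a WAP server so a client that omits the SNI extension (the gateway
# health probe may be one) still receives the AD FS certificate.
# Assumptions: elevated session on the WAP server; the thumbprint is the AD FS
# service certificate in LocalMachine\My; the Application ID is copied from the
# existing hostname:443 binding; netsh output uses the English labels below.

function Get-AdfsSslBindingAppId {
    # Parse 'netsh http show sslcert' and return the Application ID of the first
    # Hostname:port binding on 443 (the one AD FS / WAP created).
    $appId = $null
    $inHostnameBinding = $false
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*Hostname:port\s*:\s*\S+:443\s*$') { $inHostnameBinding = $true; continue }
        if ($line -match '^\s*IP:port\s*:') { $inHostnameBinding = $false; continue }
        if ($inHostnameBinding -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $appId = $Matches[1]
            break
        }
    }
    return $appId
}

function Set-AdfsDefaultSslBinding {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{40}$')]
        [string] $CertificateThumbprint,

        # Defaults to the Application ID of the existing AD FS hostname binding.
        [string] $AppId = (Get-AdfsSslBindingAppId)
    )
    if (-not $AppId) {
        throw 'No existing Hostname:port binding on 443 was found; pass -AppId explicitly.'
    }
    # Refuse to bind a certificate that is not actually in the machine store.
    if (-not (Test-Path "Cert:\LocalMachine\My\$CertificateThumbprint")) {
        throw "Certificate $CertificateThumbprint is not in LocalMachine\My."
    }
    # Idempotent: replace an existing default binding instead of failing on it.
    $existing = netsh http show sslcert ipport=0.0.0.0:443
    if ($existing -match 'Certificate Hash') {
        netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
    }
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertificateThumbprint appid="$AppId" certstorename=MY
    # Print the result so it can be compared with the hostname binding.
    netsh http show sslcert ipport=0.0.0.0:443
}

# Usage with a constructed placeholder thumbprint; replace it with your own:
# Set-AdfsDefaultSslBinding -CertificateThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Copying the Application ID from the binding that already exists keeps the fallback binding attached to the same HTTP.sys application as the AD FS hostname binding; after running it, `netsh http show sslcert` should list both an `IP:port 0.0.0.0:443` entry and the `Hostname:port` entry with the same certificate hash.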

Internet Facing Load Balancer

Once that's done, create an Application Gateway in Azure and do the following:

1. Create a Frontend listener with the following settings:
  • HTTPS protocol
  • Listen on port 443
  • Multi-Site type; you can use Basic, but that will limit your Application Gateway to only the ADFS service on port 443
  • Provide a PFX file of your ADFS certificate. Make sure you include the private key and use a strong password
2. Create a Health Probe with the following settings (just change the host):
  • The path (so you can copy and paste): /adfs/ls/IdpInitiatedSignOn.aspx
3. Create an HTTP Setting with the following settings:
  • HTTPS protocol
  • Cookie based affinity: Disabled (you really don't need that for ADFS)
  • Port 443
  • Export your ADFS certificate in Base-64 format (do not include the private key) and add it
  • Tick "Custom probe" and select the probe created earlier
4. Create a Backend pool which includes all your WAP servers
5. Create a Basic Rule using the objects created earlier.
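The same five steps scripted with the Az PowerShell module against the gateway deployed in Part 1, as an added example that is not part of the original post. It assumes a v1 WAF-tier gateway (where the backend certificate is added as an authentication certificate, matching the Base-64 export in step 3); the resource group, gateway name, hostname, WAP addresses and certificate paths are placeholders, and the object names (`adfs-listener`, `adfs-probe`, `wap-pool` and so on) are choices made here, not values from the post.

```powershell
# Added example (not from the original post): put AD FS behind an existing
# Application Gateway (v1 WAF SKU) with the Az PowerShell module.
# Assumptions: every value in the first block is a placeholder; the PFX password
# is prompted for rather than embedded in the script.

$rg          = 'rg-adfs'                       # placeholder resource group
$gwName      = 'agw-adfs'                      # placeholder gateway from Part 1
$fqdn        = 'adfs.contoso.com'              # placeholder AD FS service name
$wapNodes    = @('10.0.1.4', '10.0.1.5')       # placeholder WAP server addresses
$pfxPath     = 'C:\certs\adfs.pfx'             # placeholder; includes the private key
$cerPath     = 'C:\certs\adfs.cer'             # placeholder; Base-64 public cert only
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# 1. Frontend listener: HTTPS on 443. Giving the listener a HostName makes it a
#    multi-site listener, so other sites can share port 443 later.
$gw = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'adfs-cert' `
        -CertificateFile $pfxPath -Password $pfxPassword
if (-not (Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw | Where-Object Port -eq 443)) {
    $gw = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-443' -Port 443
}
$fp  = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw | Where-Object Port -eq 443
$fip = (Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw)[0]
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'adfs-listener' `
        -Protocol Https -FrontendIPConfiguration $fip -FrontendPort $fp -HostName $fqdn `
        -SslCertificate (Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name 'adfs-cert')

# 2. Health probe against the IdP-initiated sign-on page, sent with the AD FS host
#    name so WAP routes it to the published AD FS application.
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'adfs-probe' `
        -Protocol Https -HostName $fqdn -Path '/adfs/ls/IdpInitiatedSignOn.aspx' `
        -Interval 30 -Timeout 30 -UnhealthyThreshold 3

# 3. Backend HTTP setting: HTTPS to 443, no cookie affinity, the backend
#    certificate trusted via the exported public cert, and the custom probe.
$gw = Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw `
        -Name 'adfs-backend-cert' -CertificateFile $cerPath
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'adfs-https' `
        -Port 443 -Protocol Https -CookieBasedAffinity Disabled `
        -Probe (Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name 'adfs-probe') `
        -AuthenticationCertificates (Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'adfs-backend-cert')

# 4. Backend pool containing every WAP server.
$gw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'wap-pool' `
        -BackendIPAddresses $wapNodes

# 5. Basic rule tying listener, pool and setting together, then commit the change.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'adfs-rule' `
        -RuleType Basic `
        -HttpListener (Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'adfs-listener') `
        -BackendAddressPool (Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'wap-pool') `
        -BackendHttpSettings (Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'adfs-https')
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verify: each WAP node should report Healthy once the probe path answers.
Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg |
    Select-Object -ExpandProperty BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Format-Table Address, Health
```

The backend-health query at the end is the quickest check that the probe, the host name and the fallback binding on the WAP servers all line up: a node that shows Unhealthy while the sign-on page works in a browser usually means the probe is reaching a different certificate or host than a normal client does.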

Azure Application Gateway Configuration

And that's it. Not only is this a secure solution, it also gives you proper monitoring of both the WAP and ADFS servers, and it works great for load balancing between on-prem and Azure.
