
ADFS 2012 R2 changes give Office 365 users a huge advantage

The changes and features in the latest version of ADFS are attractive for Exchange admins looking to use it with Office 365.

Active Directory Federation Services was updated in the Windows Server 2012 R2 release. The new version -- ADFS 2012 R2 -- has a number of benefits for single sign-on with Office 365 and other features that will appeal to Exchange admins.

ADFS 2012 R2, also known as ADFS 3.0, no longer depends on Internet Information Services (IIS), so a dedicated ADFS server doesn't need all the Web components to be installed as a prerequisite (Figure 1).

Figure 1: ADFS prerequisite changes

This change improves performance and reduces the footprint of services on the server. This becomes most noticeable when you have ADFS on a domain controller.

SQL Server. If you belong to a medium- or large-sized organization, you probably want a full SQL Server as the backend for ADFS. Although this was possible in previous versions of ADFS, your only option was to configure the full version of SQL Server from the command line. With ADFS 2012 R2, admins can have a full SQL database as the backend through the graphical user interface (Figure 2).

Figure 2: SQL database with GUI

Federation server farms. Because ADFS is a crucial server role in your Office 365 deployment, you should always have more than one server running ADFS for redundancy purposes. None of your end users will be able to use the online services if the ADFS server goes offline, because all authentication requests to Office 365 redirect to the ADFS infrastructure. With the latest version of ADFS, the option to install a standalone ADFS server has been removed. The only options are to create the first federation server in a federation server farm, or to add a federation server to an existing federation server farm (Figure 3).

Figure 3: Federation server farm options

You can still have a federation server farm with just one server, but Microsoft is making its recommendation clear by offering only the farm option. Previous releases had an ADFS proxy server role, which was deployed in the demilitarized zone for secure access from the Internet, and the recommendation was to have more than one proxy server. In ADFS 2012 R2, the ADFS proxy role has been completely removed. Instead, the recommendation is to use Web Application Proxy (WAP) to publish ADFS to the Internet (Figure 4). WAP is also the recommended method to externally publish Exchange Server 2013 services.

Figure 4: WAP external publishing for Exchange 2013

Additional ADFS 2012 R2 changes

Group Managed Service Accounts. ADFS 2012 R2 supports the use of a Group Managed Service Account instead of a normal service account. This lets ADFS run under a service account whose password is managed automatically by Active Directory, so admins no longer need to deal with expiring service account passwords. The option to use a regular service account still exists.

Merge replication. In ADFS 2012 R2, ADFS supports SQL Server merge replication when deploying ADFS across globally dispersed data centers.

Server Manager roles. With ADFS 2.0, admins had to download the installer from the Microsoft website and then install and configure the role themselves. In Windows Server 2012, ADFS deployment was made easier by adding it as a role that can be installed using Server Manager; Server Manager also installs required features such as IIS. In Windows Server 2012 R2, remote installation and configuration of ADFS 3.0 is possible using Server Manager.

Sign-in experience. ADFS 2012 R2 improves the sign-in experience, including the addition of controls to customize the company logo, illustration images and standard links for IT support, the homepage or privacy on the ADFS login page. Other controls include customizable error messages and Web themes, as well as updated sign-in pages that automatically scale to the device.

Protection from brute force attacks. ADFS 2012 R2 also bundles a much-awaited feature: native protection against brute force attacks. In previous ADFS releases, an external source hammering the ADFS logon page could lock out the AD account if AD had an account lockout policy in place. The workaround was to allow HTTPS traffic only from Office 365 IP addresses through the firewall in front of the ADFS infrastructure. In the latest release, the Extranet Lockout feature allows the AD account to be "soft" locked: the AD account isn't actually locked, but ADFS blocks authentication attempts for that account for a set period after a number of failures, making brute force attacks harder to execute.
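As an added example (not from the article), the following PowerShell enables Extranet Lockout on an ADFS 2012 R2 farm and checks the chosen threshold against the AD domain lockout policy, so that ADFS soft-locks an account before AD hard-locks it. It assumes the ADFS and ActiveDirectory modules are available on the server; the threshold and window values are illustrative.

```powershell
# Added example: configure ADFS 2012 R2 Extranet Lockout and sanity-check it
# against the domain's account lockout policy. Values below are illustrative.
Import-Module ADFS
Import-Module ActiveDirectory

# Domain lockout policy; LockoutThreshold of 0 means AD never locks accounts
$adPolicy    = Get-ADDefaultDomainPasswordPolicy
$adThreshold = $adPolicy.LockoutThreshold

# Illustrative choice: 5 failed extranet attempts, then block for 30 minutes
$extranetThreshold = 5
$observationWindow = New-TimeSpan -Minutes 30

# The soft lockout only protects the AD account if ADFS stops forwarding
# attempts before AD's own threshold is reached.
if ($adThreshold -ne 0 -and $extranetThreshold -ge $adThreshold) {
    throw "ExtranetLockoutThreshold ($extranetThreshold) must be lower than the AD LockoutThreshold ($adThreshold)"
}

Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $extranetThreshold `
                   -ExtranetObservationWindow $observationWindow

# Verify the resulting ADFS configuration
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Extranet Lockout only applies to requests arriving through the Web Application Proxy, so internal clients are not affected by it.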
