An AD FS server is responsible for issuing claims and authenticating users. It must be able to connect to a Domain Controller, and it authenticates users from multiple domains by using Windows trusts.

In our example deployment, “Kemp Demo” has deployed AD FS 3.0 in their environment to facilitate claims-based authentication for their Microsoft Exchange 2013 infrastructure and allow for SSO capabilities across applications. The deployment contains the following:

  • Two AD FS 3.0 servers
  • Two Microsoft Exchange 2013 Multi-Role servers
  • A LoadMaster High Availability (HA) cluster

A namespace of owa.Kempdemo.com is used for access to the Microsoft Exchange environment. A namespace of adfs.Kempdemo.com is used for access to the AD FS environment.

  1. The client accesses the workload at https://owa.kempdemo.com/owa.
  2. The client is directed to the AD FS URL, https://adfs.kempdemo.com, which is a Virtual Service (VS) on the LoadMasters for internal AD FS.
  3. The LoadMaster sends traffic to a healthy AD FS server based on scheduling method.
  4. The AD FS server authenticates the user against Active Directory.
  5. The AD FS server returns a SAML token to the client through the LoadMaster for authentication.
  6. The client connects to Microsoft Exchange 2016 with a SAML token for authentication and accesses the workload.
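Step 3 depends on the LoadMaster only forwarding to AD FS nodes that are actually up, and steps 4 and 5 depend on each node issuing tokens for the namespace the VS fronts. The following script is an added example, not part of the Kemp guide or of any Kemp or Microsoft tooling, that an administrator can run against each AD FS node behind the VS. It assumes two things about AD FS 3.0: that the unauthenticated HTTP endpoint /adfs/probe answers 200 while the service is healthy (the endpoint Microsoft documents for load-balancer health checks), and that the federation service identifier is the default form http://<fqdn>/adfs/services/trust. The sample metadata, the fake certificate bytes and the node names in the usage block are constructed for the example.

```python
"""Check AD FS 3.0 nodes sitting behind a load-balancer virtual service.

Per node, two checks:
  1. HTTP /adfs/probe answers 200 (the endpoint AD FS exposes for
     load-balancer health probes; assumed, see lead-in).
  2. The federation metadata advertises the expected entity ID and at
     least one token-signing certificate, so the node really issues
     tokens for the namespace the virtual service fronts.
"""
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed default AD FS identifier for the namespace used on this page.
EXPECTED_ENTITY_ID = "http://adfs.kempdemo.com/adfs/services/trust"


def probe_is_healthy(status_code):
    """AD FS answers /adfs/probe with 200 only while the service is up."""
    return status_code == 200


def parse_federation_metadata(xml_bytes):
    """Return (entityID, [SHA-1 thumbprints of signing certificates]).

    Only KeyDescriptor elements with use="signing" (or no use attribute)
    count; encryption certificates are ignored because they do not sign
    the SAML token the client receives in step 5.
    """
    root = ET.fromstring(xml_bytes)
    entity_id = root.get("entityID")
    thumbprints = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return entity_id, thumbprints


def evaluate_node(status_code, metadata_bytes, expected_entity_id):
    """Combine both checks into a dict the caller can act on."""
    entity_id, thumbprints = parse_federation_metadata(metadata_bytes)
    return {
        "probe_ok": probe_is_healthy(status_code),
        "entity_id_ok": entity_id == expected_entity_id,
        "has_signing_cert": len(thumbprints) > 0,
        "thumbprints": thumbprints,
    }


# --- constructed sample metadata (not real AD FS output) ---------------
FAKE_SIGNING_DER = b"constructed-fake-signing-certificate-bytes"
FAKE_ENCRYPTION_DER = b"constructed-fake-encryption-certificate-bytes"


def _key_descriptor(use, der):
    return (
        '<KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        % (use, base64.b64encode(der).decode())
    )


SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="%s">'
    "<IDPSSODescriptor>%s%s</IDPSSODescriptor></EntityDescriptor>"
    % (
        NS["md"],
        NS["ds"],
        EXPECTED_ENTITY_ID,
        _key_descriptor("signing", FAKE_SIGNING_DER),
        _key_descriptor("encryption", FAKE_ENCRYPTION_DER),
    )
).encode()


def check_live_node(host, expected_entity_id=EXPECTED_ENTITY_ID):
    """Run both checks over the network against one AD FS node."""
    try:
        status = urllib.request.urlopen(
            "http://%s/adfs/probe" % host, timeout=5).status
    except Exception:  # connection refused, timeout, 5xx, ...
        status = 0
    meta = urllib.request.urlopen(
        "https://%s/FederationMetadata/2007-06/FederationMetadata.xml"
        % host, timeout=5).read()
    return evaluate_node(status, meta, expected_entity_id)


if __name__ == "__main__":
    # Usage: python adfs_node_check.py adfs01.kempdemo.com adfs02.kempdemo.com
    for node in sys.argv[1:]:
        print(node, check_live_node(node))
```

A node whose probe fails should be out of the VS pool; a node whose entity ID or signing certificate set differs from its peer is the more subtle failure, because the LoadMaster will still consider it healthy while the tokens it issues are rejected by Exchange. Comparing the thumbprint lists across both nodes after a certificate rollover is the check that catches that case.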