Hardware Proxy Server

How it works: server hardware | BLOGeboundhost.com
  • When using x509 user certificate authentication with AD FS, all user certificates must chain up to a root certification authority that is trusted by the AD FS and Web Application Proxy servers.

Hardware requirements

AD FS and Web Application Proxy hardware requirements (physical or virtual) are gated on CPU, so you should size your farm for processing capacity.

The memory and disk requirements for AD FS are fairly static, see the table below:

Hardware requirement Minimum requirement Recommended requirement
Disk space 32 GB 100 GB

SQL Server Hardware Requirements

If you are using SQL Server for your AD FS configuration database, size the SQL Server according to the most basic SQL Server recommendations. The AD FS database size is very small, and AD FS does not put a significant processing load on the database instance. AD FS does, however, connect to the database multiple times during an authentication, so the network connection should be robust. Unfortunately, SQL Azure is not supported for the AD FS configuration database.

Proxy requirements

  • For extranet access, you must deploy the Web Application Proxy role service - part of the Remote Access server role.
  • AD FS 2016 requires Web Application Proxy servers on Windows Server 2016. A downlevel proxy cannot be configured for an AD FS 2016 farm running at the 2016 farm behavior level.
  • A federation server and the Web Application Proxy role service cannot be installed on the same computer.

AD DS requirements

Domain controller requirements

  • AD FS requires Domain controllers running Windows Server 2008 or later.
  • At least one Windows Server 2016 domain controller is required for Microsoft Passport for Work.

Domain functional-level requirements

  • All user account domains and the domain to which the AD FS servers are joined must be operating at the domain functional level of Windows Server 2003 or higher.
  • A Windows Server 2008 domain functional level or higher is required for client certificate authentication if the certificate is explicitly mapped to a user's account in AD DS.

Schema requirements

  • New installations of AD FS 2016 require the Active Directory 2016 schema (minimum version 85).
  • Raising the AD FS farm behavior level (FBL) to the 2016 level requires the Active Directory 2016 schema (minimum version 85).

Service account requirements

  • Any standard domain account can be used as a service account for AD FS. Group Managed Service accounts are also supported. The permissions required at runtime will be added automatically when you configure AD FS.
  • Group Managed service accounts require at least one domain controller running Windows Server 2012 or higher.
  • For Kerberos authentication, the service principal name ‘HOST\/’ must be registered on the AD FS service account. By default, AD FS will configure this when creating a new AD FS farm. If this fails, such as in the case of a collision or insufficient permissions, you'll see a warning and you should add it manually. \_service\_name>

Domain Requirements

  • All AD FS servers must be a joined to an AD DS domain.
  • All AD FS servers within a farm must be deployed in the same domain.

Multi Forest Requirements

  • The domain to which the AD FS servers are joined must trust every domain or forest that contains users authenticating to the AD FS service.
  • The AD FS service account must have permissions to read user attributes in every domain that contains users authenticating to the AD FS service.

Configuration database requirements

This section describes the requirements and restrictions for AD FS farms that use respectively the Windows Internal Database (WID) or SQL Server as the database:


  • The artifact resolution profile of SAML 2.0 is not supported in a WID farm.
  • Token replay detection is not supported a WID farm. (This functionality is only used only in scenarios where AD FS is acting as the federation provider and consuming security tokens from external claims providers.)

The following table provides a summary of how many AD FS servers are supported in a WID vs a SQL Server farm.

1 - 100 relying party (RP) trusts configured in AD FS More than 100 RP trusts configured
1 - 30 AD FS servers WID Supported Not supported using WID - SQL Server required
More than 30 AD FS servers

SQL Server

  • For AD FS in Windows Server 2016, SQL Server 2008 and higher versions are supported.
  • Both SAML artifact resolution and token replay detection are supported in a SQL Server farm.

Browser requirements

When AD FS authentication is performed via a browser or browser control, your browser must comply to the following requirements:

  • JavaScript must be enabled
  • For single sign on, the client browser must be configured to allow cookies
  • Server Name Indication (SNI) must be supported
  • For user certificate & device certificate authentication, the browser must support SSL client certificate authentication
  • For seamless sign on using Windows Integrated Authentication, the federation service name (such as https:\/\/fs.contoso.com) must be configured in local intranet zone or trusted sites zone.

    Network requirements

Firewall Requirements

Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required and the certauth endpoint on port 443 is not enabled, AD FS 2016 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).

CISCO SYSTEMS - ENTERPRISE Cisco SF300-48PP 48-port 10/100 PoE+ Managed Switch with Gig Uplinks
  • Support for up to 4096 VLANs simultaneously Port-based and 802.1Q tag-based VLANs MAC-based VLAN Management VLAN Private VLAN Edge (PVE), also known as protected...
  • Filters out DHCP messages with unregistered IP addresses and/or from unexpected or untrusted interfaces. This prevents rogue devices from behaving as a DHCP Server.
  • Power 100-240V 50-60 Hz, internal, universal
  • Wirespeed routing of IPv4 packets Up to 512 static routes and up to 128 IP interfaces
  • SSH is a secure replacement for Telnet traffic. SCP also uses SSH. SSH v1 and v2 are supported

Related posts: