Category Archives: Active Directory Federation Services

How to check if Azure AD has processed the hybrid authentication method change

Many organizations with Azure AD tenant are currently transitioning from federation to Pass-through Authentication (PTA) and/or authentication based on Password Hash Synchronization (PHS). The Staged Roll-out feature is a straight-forward way to perform this transition. Microsoft has described how to migrate from federation to cloud authentication in Azure Active Directory using this feature. Note: In […]


HOWTO: Enable Seamless Single Sign-on when AD FS is Configured as Sign-in Method

Microsoft has introduced the Staged Rollout functionality to convert the sign-in method for people in your organization from federated authentication to managed authentication. However, there is one slight issue with single sign-on. In this blogpost, I’ll address the issue of having both Seamless Single Sign-on and Federation enabled in Azure AD Connect. About Staged Rollout […]


Adding an AD FS Server to an existing Farm using Azure AD Connect

Setting up an AD FS Farm with Azure AD Connect is easy when you use Azure AD Connect. Its configuration wizard is able to configure all the required AD FS settings and Web Application Proxy settings on two domain-joined servers you point the wizard to. This begs the question: How do you extend the AD […]


Setting up Hybrid Identity with AD FS through Azure AD Connect

When Active Directory on-premises and Azure AD work together, it’s called Hybrid Identity. Hybrid Identity is relatively easy to setup, when you use the Express Settings for Azure AD Connect. However, setting up Hybrid Identity with Active Directory Federation Services (AD FS) is not that hard either. I’ll show you how to achieve this goal […]


On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the Identity-related updates and fixes we saw for January 2021:   Windows Server 2016 We observed the following update for Windows Server 2016: KB4598243 January 12, 2021 […]


Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS

I feel we are at a crossroads. Five years ago, I made the case for token-signing and token-decrypting certificates in Active Directory Federation Services (AD FS) with a validity of 5-year. Today, I’m making the case for 30-day Token-signing and Token-decrypting certificates, based on my understanding of the UNC2452 attack campaign (also known as ‘SolariGate’). […]


From the field: The Case of the Unstable AD FS Farm

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although, sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully. Last month, I experienced an issue with an AD FS farm, […]


KnowledgeBase: The WID Service consumes 100% CPU after transitioning AD FS Servers

This week, I encountered unexpected behavior with Active Directory Federation Services (AD FS) on a Windows Server installation that an organization had recently transitioned to from an AD FS server running a previous version of Windows Server. I’m sharing my experiences, so others may benefit from our troubleshooting and solution.   The situation Your organization […]


Ten Things You should know about vCenter Identity Provider Federation

vCenter in VMware vSphere 7 introduces support for role-based access control (RBAC), based on standards-based federation. While this sounds fantastic, there are a couple of things you should know about this vCenter Identity Provider Federation feature, before you blindly implement it.   vCenter 7.0 or later The vCenter Identity Provider Federation feature is only available […]


Azure AD Connect version and older versions are no longer supported

As announced as part of the Azure AD Connect Version Release History page and shared here earlier, yesterday marked the end of Azure AD Connect version and older versions of Azure AD Connect. This way, Microsoft starts enforcing its 18-month support policy for Azure AD Connect versions. For Azure AD Connect admins, running an […]