Checklist: Configure extranet access for AD FS on legacy versions of Windows Server

Applies To: Azure, Office 365, Power BI, Windows Intune

The following checklist includes the deployment tasks that are necessary to deploy two federation server proxies that will redirect authentication requests to a federation server in your new federation server farm.

Checklist: Deploy your federation server proxies

Deployment task	Links to topics in this section	Completed
1. Install the AD FS software on the computer that will become the federation server proxy.	Install the AD FS software on the proxy computer
2. Configure the AD FS software on the computer to act in the federation server proxy role by using the AD FS Federation Server Proxy Configuration Wizard.	Configure a computer for the federation server proxy role
3. Using Event Viewer, verify that the federation server proxy service has started.	Verify that the federation server proxy is operational
4. Optional step -Optimize congestion control settings between Web Application Proxy and the AD FS servers.		The extranet facing federation server proxy is able to throttle requests from the extranet if the latency between the federation server proxy and the federation server increases beyond a certain threshold. Based on this feature, the federation server proxy will reject external client authentication requests if the federation server is overloaded as detected by the latency between the federation server proxy and the federation server to service authentication requests. It is closely related to a similar algorithm employed for congestion control in TCP known as Additive Increase Multiplicative Decrease (AIMD). The solution works by using a congestion window represented by a pool of tokens that it leases out to each incoming request to the federation server proxy. In a high latency DMZ network or a highly loaded federation server proxy, it is possible for authentication requests to be rejected even if the federation server can satisfy these requests successfully based on the default settings that control this algorithm. In such an environment, we strongly recommend modifying the settings to be less aggressive by performing the following steps. On your federation server proxy computer, start an elevated command window. Navigate to the ADFS directory. For Windows Server 2012, it is at %windir%\ADFS. For Windows Server 2008 and Windows Server 2008 R2, it is at %programfiles%\Active Directory Federation Services 2.0. Change the congestion control settings from its default values to ‘<congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />’. Save and close the file. Restart the AD FS service by running ‘net stop adfssrv’ and then ‘net start adfssrv’.

See Also

Concepts

Checklist: Use AD FS to implement and manage single sign-on