
Currently looking to federate servers that use AD. First thought was to use ADFS to manage service requests across domains and realms. That being said, the application must have access to Kerberos tickets for a specific use case.

Does AD FS use Kerberos at any point, or is it its own totally redesigned ticketing system? If so, can you create a hybrid application that can authenticate using ADFS and request tickets using Kerberos?

baksyl

1 Answer


ADFS simply provides a federation service on top of AD, i.e. support for protocols like WS-Fed and SAML.

The Kerberos protocol remains part of AD.

Once authenticated ADFS provides either a SAML 1.1 or 2.0 token that contains the claims.

rbrayb
  • So what actually happens, does the ADFS server ingest the Kerberos ticket and turn it into a SAML token / SAML claim which gets sent where - to an ADFS server at the other organization? – John R Smith May 22 '17 at 14:46
  • Pretty much. The token gets sent to whoever started the federation flow. This is typically an application. – rbrayb May 22 '17 at 19:36
  • So it essentially encapsulates the Kerberos ticket into a SAML token which is then unpacked at the application? Much like the same way TCP packets are encapsulated in IP packets? – baksyl May 24 '17 at 16:32
  • What about ADFS Proxy servers authenticating to the ADFS Server proper? Isn't that Kerberos or is it something else? – HerbM Jul 25 '18 at 10:22
  • If it's a pass-through application i.e. legacy - not claims enabled, then yes. – rbrayb Jul 25 '18 at 18:33
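To make the answer concrete: what a relying party actually receives from ADFS after a Windows Integrated (Kerberos) logon is a signed SAML assertion carrying claims about the user, and the way the application can tell that the user came in over Kerberos is the authentication-method claim ADFS puts in the token. The script below is an added example, not code from the thread or from Microsoft; it parses a constructed SAML 2.0 assertion (issuer, UPN, audience and timestamps are hypothetical), enforces the audience and validity window the way a relying party must, and reports whether ADFS recorded a Windows logon. The claim-type URIs and the `urn:federation:authentication:windows` value are the ones ADFS really uses; everything else is made up for the demonstration.

```python
"""Extract and sanity-check the claims in a SAML 2.0 assertion of the kind
ADFS issues after a Windows Integrated (Kerberos/NTLM) logon.

Added example. The assertion below is constructed for illustration and is
not a real ADFS token. XML-signature verification is deliberately out of
scope here; a real relying party must verify the ds:Signature against the
ADFS token-signing certificate before trusting any claim in the token.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET   # production code: use defusedxml/lxml with entity resolution off

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim types from the ADFS claim catalogue (real URIs).
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
WINDOWS_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
AUTHN_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
WIA = "urn:federation:authentication:windows"   # value ADFS emits for a Windows Integrated logon

# Constructed sample token: issuer, user, audience and times are hypothetical.
SAMPLE_AUDIENCE = "https://app.partner.example/"
SAMPLE_NOW = datetime(2017, 5, 22, 14, 30, tzinfo=timezone.utc)      # inside the window
SAMPLE_EXPIRED = datetime(2017, 5, 22, 16, 0, tzinfo=timezone.utc)   # after NotOnOrAfter
SAMPLE_ASSERTION = """<Assertion ID="_1" IssueInstant="2017-05-22T14:00:00Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://sts.corp.example/adfs/services/trust</Issuer>
  <Subject><NameID>alice@corp.example</NameID></Subject>
  <Conditions NotBefore="2017-05-22T14:00:00Z" NotOnOrAfter="2017-05-22T15:00:00Z">
    <AudienceRestriction><Audience>https://app.partner.example/</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <AttributeValue>alice@corp.example</AttributeValue></Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
      <AttributeValue>CORP\\alice</AttributeValue></Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod">
      <AttributeValue>urn:federation:authentication:windows</AttributeValue></Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2017-05-22T14:00:00Z">
    <AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion must not be trusted by this relying party."""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-05-22T14:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text, expected_audience, now):
    """Return issuer, subject, authentication context and claims, enforcing
    the Conditions (validity window and audience) on the way."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion was not issued for this relying party")
    claims = {}   # claim type URI -> list of values (a claim may be multi-valued)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims.setdefault(attr.get("Name"), []).extend(
            v.text for v in attr.findall("saml:AttributeValue", NS))
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "claims": claims,
    }


def logged_on_with_kerberos(token):
    """True if ADFS reports that the user authenticated with Windows Integrated
    Authentication (Kerberos or NTLM against AD) rather than forms/certificate."""
    return token["claims"].get(AUTHN_METHOD) == [WIA]


def accepts(xml_text, expected_audience, now):
    """Convenience wrapper: does this relying party accept the assertion at all?"""
    try:
        parse_assertion(xml_text, expected_audience, now)
        return True
    except AssertionRejected:
        return False


if __name__ == "__main__":
    tok = parse_assertion(SAMPLE_ASSERTION, SAMPLE_AUDIENCE, SAMPLE_NOW)
    print(tok["name_id"], tok["claims"][WINDOWS_ACCOUNT], logged_on_with_kerberos(tok))
```

Note what is and is not in the token: there is a UPN, a `DOMAIN\user` account name and an authentication-method claim, but no Kerberos ticket and no AD credential. The application learns that AD authenticated the user over Kerberos, not how to act as that user against other Kerberos services; that remains a matter for AD itself. The audience and time-window checks are not optional hardening: without them a token issued for one relying party can be replayed at another, or long after ADFS meant it to expire.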