ADFS or DirSync?

timvan007 · 2014-03-20T16:10:49.000Z

So I was tasked with implementing SSO for an upcoming move to Office 365. I am trying to find some solid uses for ADFS that make it worth the hassle. From my understanding, the big features are the ability to reset passwords externally, 2 factor auth, immediate access disabling, no passwords hashed outside your network, and true Single Sign-On for internal use.

Though, Same Sign On through Azure AD with Directory Synch doesn’t seem to be that bad. 1 server, no redundancy required, no SSL Cert, no public domain registration.

Internally, might be a slightly better experience for users that log into O365 for webmail. For everything else, Outlook, external OWA, I don’t see a big plus.

Does anyone have an opinion on what would still make it worth setting up ADFS in a highly available topology (2 ADFS Servers, 2 Proxy, 1 DirSynch, gro-redundancy) as opposed to a simple Windows Azure AD with Directory Synch+Password Synch?

servermonkey8064 · 2014-03-20T16:19:37.000Z

I never quite got the point of ADSF tbh. From what I understand of it (and I may be very wrong) you move all your stuff to cloud because of the bulletproof reliability, then you make the ability to access any of it depend on your servers and internet connection being available?

timvan007 · 2014-03-20T16:28:10.000Z

Well there are a few scenarios. If I go down the route of ADFS, mine would all be on-premesis, not in the cloud. Pretty much goes 2 proxy servers in the DMZ, 1 on each physical ESX host, 2 ADFS servers on the LAN, again 1 on each ESX host, and 1 Directory Synch server on the LAN (doesn’t need redundancy). You CAN put these all as VMs in Windows Azure for cloud based reliability, but I have the infrastructure to handle it and don’t want the site to Azure VPN.

You build in as much redunancy/reliability as you need per the business. But you do not offload anything to the cloud unless you want.

I’m just wondering if it is even worth it. 5 VMs, redundancy, DMZ/firewall/network/DNS/SSL changes, repeat in another site for geo-redundancy, and for what, so my users don’t have to type a password when they’re on site?

servermonkey8064 · 2014-03-20T16:33:39.000Z

I’d have said go with DirSync and monitor it - you can migrate to ADFS or you may just find nobody says anything and you’ve saved yourself a lot of time and simplest is often best IMO

prochon · 2014-03-20T17:13:55.000Z

DirSync- 100% - no need for ADFS - the new DirSync allows you to sync passwords so you have a single password solution.

The ADFS is just to much trouble to configure when a little app does the same thing.

Paul

ps. This is what I use for all my users and have had no issues to date.

timvan007 · 2014-03-20T17:18:01.000Z

Thanks Paul. I think I’m all for DirSync at the moment, just trying to solidify and then convince mgmt. I did find this comparison of user experience.

http://office365evangelist.com/?p=1144

Honestly, if the only thing it adds is not entering a password internally for signing into Office 365 Web only (we will only be using it for email, not web apps, sharepoint, etc), then it’s a no brainer. They have to put their passwords in for outlook either way, and I don’t have to build a gagillion servers with dirsynch.

davidgerber8216 · 2014-03-20T17:59:59.000Z

DirSync doesn’t give you the true SSO experience. It’s basically just there to copy your accounts into O365 so users can use their username and passwords to authenticate. So users will need to cache passwords for things like Outlook, if they don’t want to be prompted every time they open Outlook for a username and password. With full blown ADFS this is not supposed to happen. From my understanding this is new for Server 2012 R2. The username and password id supposed to get passed through. We are currently looking to deploy this with the help of a vendor.

timvan007 · 2014-03-20T18:07:45.000Z

Everything I read states that Office 2010 & 2013 will still prompt you for a password on first launch, and every subsequent password change, but you are able to cache the password (for both ADFS and DirSync options). Office 2007 can cache password, but it has had numerous reports that it prompts for the password periodically. It provides SSO, but not passthrough as you are expecting. Might want to take another look before you shell out for a vendor. This is 2-4 hours of work for a skilled in house tech and not much maintenance from what I can see. (Unless the vendor software will provide pass through, then go for it)

scottlewis2512 · 2014-03-21T07:21:49.000Z

I was going to look at Dirsync myself. ADFS is just too painful to setup. But I am now looking at centrify as its does the same but gives a centralised control aswell but has more control of mobile apps. Still just looking but as most of our staff are in remote places, this to me seems to a good solution.

darrellsturdivant5349 · 2014-03-27T15:47:51.000Z

Hello. My name is Darrell and im the GreenGuy for Centrify. Im glad that you are looking at our SasS Product as a replacement for the complexity for ADFS. If you have any questions, please reach out to me. Best Regards, Darrell.

buckykoehler6644 · 2014-03-28T17:47:38.000Z

DirSync is a good solution for small deployments or situations where you just need to extend authentication to Office 365, and your security requirements allow externally stored passwords vs. tokens. ADFS is a good solution when you want to provide centralized authentication to multiple external services.

ADFS is slick for internal OWA Kerberos pass-through authentication. Other email clients (e.g. Outlook, Android, etc.) still require entering a password.

timvan007 · 2014-03-28T19:40:54.000Z

Thanks bkoehler. Honestly, if the pass through auth worked for all applications, I would definitely sway back towards ADFS. The fact that everyone internally uses outlook, and they need to enter their password with either implementation leads me to believe the minimal work required for DirSynch is the best solution. If they use OWA, it’s going to be off the LAN, and at that point, ADFS would still redirect them to a login page. If I had more employees, I would consider a cloud/on-premesis hybrid ADFS, but for less than 1000 employees, it doesn’t seem worth it.

buckykoehler6644 · 2014-03-29T01:11:07.000Z

I agree; outside of needing ADFS for other services DirSync would be a better solution.

luc23 · 2014-12-05T16:54:34.000Z

Coming from someone who supports ADFS and DirSync, I’d go just DirSync. But there were lofty goals that have yet to be realized in my implementation that may have required ADFS. We were planning on using Sharepoint Online for some pretty hefty web apps.

Now it is looking like we have decided that Sharepoint Online couldn’t handle what we were planning on throwing at it so it doesn’t matter. Not so easy to back out of ADFS from what I’ve read…

timvan007 · 2014-12-05T18:04:59.000Z

I’d agree with Luc23. It’s much easier to implement DirSync and move to ADFS when you need to integrate authentication with more services than start with ADFS and revert to DirSync. If there’s any question, start with DirSync. If you know up front you’ll need all the auth integration of ADFS, plan it out completely before implementing. HA ADFS requires some redundancy that needs to be built in. DirSync can be installed in an hour, and even if the server hosting it fails, you still have auth from the last sync until you repair it. Perfect for any SMB.