1
Implementing and Administering AD FS
Presentation: 90 minutes
Lab: 90 minutes

After completing this module, students will be able to:
- Describe Active Directory Federation Services (AD FS).
- Describe how to deploy AD FS.
- Describe how to implement AD FS for a single organization.
- Describe how to deploy AD FS in a business-to-business federation scenario.
- Describe how to extend AD FS to external clients.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_10.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who might experience difficulties in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.

Module 10: Implementing and Administering AD FS
2
Module Overview
Extending AD FS to External Clients
3
Lesson 1: Overview of AD FS
What Is New in Windows Server 2012 R2?
4
What Is Identity Federation?
Identity federation:
- Enables identification, authentication, and authorization across organizational and platform boundaries
- Requires a federated trust relationship between two organizations or entities
- Enables organizations to retain control over who can access resources
- Enables organizations to retain control of their user and group accounts

As you start this lesson and this topic, emphasize that identity federation addresses authentication and authorization scenarios that are not addressed easily by traditional means. Within most organizations, users authenticate to Active Directory Domain Services (AD DS) by using the Kerberos version 5 protocol, and they are granted access to most services and applications based on that authentication. In most of these deployment scenarios, AD FS is not used. Instead, AD FS enables authentication and authorization across boundaries where AD DS authentication does not work. For example, two organizations might want to enable access to applications, but maintain strict security requirements that prevent cross-forest trusts.

Identity federation also is becoming increasingly popular in the cloud deployment scenario. Cloud deployment does not have traditional options for enabling authentication and authorization, so an alternative means is necessary to enable access to cloud applications.
5
What Is Claims-Based Identity?
Claims provide information about users
Information is provided by the user’s identity provider, and is accepted by the application provider

Diagram: the Identity Provider’s Security Token Service issues a security token (outgoing claims); the Application Provider’s application receives the security token (incoming claims).

Use this topic to describe how claims-based authentication makes it possible to implement identity federation. As organizations define their business processes with partner organizations, they define which users will be granted access, and what applications or data the users can access. Claims are a way to transmit agreed-upon information between organizations. If the application provider wants to allow access based on specific groups or some other attribute, the identity provider has to make sure that information is included in the claims that are sent to the application provider.
6
Web Services Overview
Web services are a standardized set of specifications used to build applications and services
Web services typically:
- Transmit data as XML
- Use SOAP to define the XML message format
- Use WSDL to define valid SOAP messages
- Use UDDI to describe available web services
SAML is a standard for exchanging identity claims

Emphasize that Web services are an industry-standard solution, and not merely a Microsoft solution. The standards have been developed over the last several years. The goal of Web services specifications is to enable organizations to use almost any authentication mechanism and almost any application platform. Web services specifications define how the two components communicate. Mention that there are many more specifications included with Web services than those that are listed in the Workbook. This topic describes the current Web services security specifications as they are implemented in AD FS.

You should emphasize that user account properties can be made available to other organizations, but only as defined by the administrator. Any information about the user accounts not specifically defined as being visible is never available.
7
What Is AD FS?
AD FS is the Microsoft identity federation product that can use claims-based authentication
AD FS has the following features:
- SSO for web-based applications
- Interoperability with web services on multiple platforms
- Support for many clients, such as web browsers, mobile devices, and applications
- Extensibility to support customized claims from third-party applications
- Delegation of account management to the user’s organization
Windows Server 2012 AD FS features:
- Integration with DAC
- Windows PowerShell cmdlets for administration

Consider briefly describing the history of AD FS. AD FS 1.0 originally shipped with Windows Server R2, and it included many of the same features that are available in the current version of AD FS. AD FS 1.0 required AD FS Web Agents to be installed on all Web servers that used AD FS, and it provided both claims-aware and NT token–based authentication. AD FS 1.x supported both AD DS and Active Directory Lightweight Directory Services (AD LDS) as an account provider. AD FS 1.0 did not support active clients, and it did not support the Security Assertion Markup Language (SAML) protocol. AD FS 1.1 shipped with Windows Server 2008, and it included just a few minor changes from the previous version. AD FS 2.0 shipped as a separate product. It includes support for SAML, WS-Trust protocols, and smart clients. Many vendors, including IBM, Netegrity, Oblix, Open Network, RSA, and Ping Identity, have demonstrated two-way interoperability with AD FS.
8
How AD FS Enables SSO in a Single Organization
Diagram: Perimeter Network and Corporate Network; the External Client, Web Server, Federation Service Proxy, Federation Server, and AD DS Domain Controller are connected by numbered arrows 1-8 that show the communication flow.

Start this topic by describing the scenarios where AD FS might be used within an organization. Students might mention that they use AD FS to connect to a cloud service. Mention that this is definitely a valid single-organization scenario, but as it requires a different infrastructure, it is described later in this lesson. Then use the build slide to describe the communication flow in this scenario. The goal is not necessarily for students to understand all the details of how AD FS works in this scenario. Instead, keep the discussion at a fairly high level so that students can see the overall communication flow. Highlight that the Web server in this scenario does not communicate directly with the Federation Service Proxy or the federation server. Rather, the client computer initiates all the communication steps.
9
How AD FS Enables SSO in a Business-to-Business Federation
Diagram: Trey Research (AD DS, Account Federation Server, Internal Client Computer) and A. Datum (Resource Federation Server, Web Server), joined by a Federation Trust; numbered arrows 1-11 show the communication flow.

When you describe this scenario, emphasize the areas of control in each organization. Trey Research, which is the account partner—or claims provider—has complete control over their user accounts and authentication mechanisms. A. Datum Corporation has no control over how Trey Research implements its user accounts. On the other hand, A. Datum, as the relying party, has complete control over the application and what access it grants to the application. To enable the relationship, the organizations must agree on what kind of claims are provided and accepted by each party, and they must exchange certificates and public keys.
10
How AD FS Enables SSO with Online Services
Diagram: On-Premises (AD DS, Account Federation Server, Internal Client Computer) and Microsoft Online Services / Microsoft Exchange Online (Federation Server, Microsoft Outlook Web App Server), joined by a Federation Trust; numbered arrows 1-11 show the communication flow.

Stress the similarity between the business-to-business scenario and the cloud-based services scenario. The communication flow between client computers and AD FS servers is exactly the same. Highlight that the Microsoft Exchange Online example could be extended to any cloud-based service that uses claims-based authentication.
11
What Is New in Windows Server 2012 R2?
Installation:
- No IIS 8.5 required
- Can install on domain controllers
Enhanced authentication:
- Authentication policies with scope
- Multifactor authentication
New claims types:
- Mostly device and certificate related
Web Application Proxy:
- Provides secure remote access to web-based applications
- Replaces AD FS proxy

Try to keep the description of the new AD FS features in Windows Server 2012 R2 at a relatively high level. Students might not completely understand some of the details provided at this point in the description of AD FS. This content is covered in detail later in this module. Try to defer detailed student questions until that point.
12
Lesson 2: Deploying AD FS
Demonstration: Installing the AD FS Server Role
13
AD FS Components
AD FS components:
- Federation server
- Federation server proxy
- Claims
- Claim rules
- Attribute store
- Claims providers
- Relying parties
- Claims provider trust
- Relying party trust
- Certificates
- Endpoints

The goal of this topic is to provide students with an overview of the terminology and components that are explained in more detail throughout the rest of the module. Do not spend a lot of time on this topic, and avoid going into too much detail on any of the terms. Tell the students that most of the components are described in much more detail in the rest of the module.
14
AD FS Prerequisites
Successful AD FS deployment includes the following critical infrastructure:
- TCP/IP network connectivity
- AD DS
- Attribute stores
- DNS
- Compatible operating systems

If students are not very familiar with Domain Name System (DNS), you could go back to the slide that describes the business-to-business deployment scenario, and point out all of the places where client computers must resolve DNS names. You also might need to discuss the concept of split DNS with students. In most cases, organizations implement a split DNS to enable users, both internal and external to the network, to resolve DNS names differently. For example, if the organization is deploying a federation server proxy, the federation server fully qualified domain name (FQDN) from the Internet must point to the public IP of the federation server proxy. That same FQDN from the perimeter network resolves to the federation server on the internal network. Therefore, split DNS is required to ensure that the perimeter network has access to something other than Internet DNS.
15
PKI and Certificate Requirements
Certificates used by AD FS:
- Service communication certificates
- Token-signing certificates
- Token-decrypting certificates
When choosing certificates, ensure that the service communication certificate is trusted by all federation partners and clients

The students must understand the role of certificates in an AD FS deployment, so be prepared to spend some extra time on this topic. If students are not familiar with certification authority (CA) options, describe the differences between a public CA, such as Verisign or DigiCert, and an internal CA deployment by using Active Directory Certificate Services (AD CS). Emphasize the concept of certificate trust. For certificates to be trusted by federation servers and clients, they must be issued by a CA that is trusted by the servers and clients, or the servers and clients must be explicitly configured to trust the certificates.

If students are not familiar with AD CS, spend some time discussing the option of using AD CS to deploy an internal, private CA. Discuss the advantages of this deployment, such as lower cost, complete control of the CA deployment, and autoenrollment of certificates, but also mention that the deployment must be planned carefully to ensure that it provides the right services while maintaining maximum security.
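The trust requirement above can be verified rather than assumed. The following Windows PowerShell script is an added example, not part of the course material or the demonstrations: it lists the three certificate roles an AD FS farm uses and then checks that the service communication certificate chains to a CA trusted by the machine it runs on and is valid for the federation service name. It assumes it runs on a federation server (so the ADFS module is present) and that the federation service name is adfs.adatum.com, as used later in this module.

```powershell
# Added example (not part of the course material): inventory the AD FS certificates and
# check the service communication certificate the way a client or partner would.
# Assumptions: run on a federation server; the federation service name is adfs.adatum.com.
$FederationServiceName = 'adfs.adatum.com'

# All three certificate roles in one view: Service-Communications, Token-Signing, Token-Decrypting.
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary,
        @{ n = 'Subject';    e = { $_.Certificate.Subject } },
        @{ n = 'Thumbprint'; e = { $_.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# The service communication certificate is what browsers and partner federation servers see
# over TLS, so it must chain to a CA they trust. Test-Certificate builds the chain and applies
# the SSL policy with the expected host name, which is the check a client performs.
$svc = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$chainOk = Test-Certificate -Cert $svc -Policy SSL -DNSName $FederationServiceName -ErrorAction SilentlyContinue
if ($chainOk) {
    "Service communication certificate '$($svc.Subject)' is trusted for $FederationServiceName on this host."
} else {
    Write-Warning "'$($svc.Subject)' does not chain to a trusted CA for $FederationServiceName on this host. Partners and clients that do not trust the issuing CA will reject the federation service."
}

# Token-signing certificates are self-signed by default (automatic certificate rollover).
# That is fine: partners trust them by thumbprint via the federation metadata, not via a CA,
# but an expiring one breaks every relying party that has not picked up the new metadata.
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$daysLeft = ($signing.Certificate.NotAfter - (Get-Date)).Days
"Primary token-signing certificate expires in $daysLeft days; AutoCertificateRollover = $((Get-AdfsProperties).AutoCertificateRollover)"
```

Run the same Test-Certificate check on a domain-joined client and on a partner’s federation server: the chain is evaluated against the local trusted root store, so a certificate that passes on the federation server can still fail elsewhere, which is exactly the failure the slide warns about.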
16
Federation Server Roles
Claims provider federation server:
- Authenticates internal users
- Issues signed tokens containing user claims
Relying party federation server:
- Consumes tokens from the claims provider
- Issues tokens for application access
Federation server proxy:
- Is deployed in a perimeter network
- Provides a layer of security for internal federation servers

This topic is essential to understanding the rest of this module because the terms claims provider and relying party are used throughout the rest of this module. Make it clear that the claims provider is the server that issues claims and authenticates users. The relying party is where the application is located, and it consumes the claims issued by the claims provider.

Ensure that students understand that a single AD FS federation server can be both a claims provider and a relying party. In a single-organization deployment of AD FS, the federation server will authenticate users and create claims, but also will consume those claims and issue tokens for application access. In a business-to-business deployment scenario, the AD FS federation server can be the claims provider for one partner company, and also be the relying party for the same company, or for another company.
17
Demonstration: Installing the AD FS Server Role
In this demonstration, you will see how to install and configure the AD FS server role

During the demonstration, you can create the KDS root key while you are waiting for the installation of AD FS to complete. Note to students that the name used for AD FS is different from the server name. This ensures that load balancing can be used.

Preparation Steps
To complete this demonstration, the 10969A-LON-DC2 virtual machine must be running. Sign in to the server as Adatum\Administrator with password Pa$$w0rd.

Demonstration Steps

Install AD FS
1. On LON-DC2, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, click LON-DC2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. Wait until installation is complete, and then click Close.

Create a KDS root key to enable Managed Service Accounts
1. On the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)), and then press Enter.
3. Close Windows PowerShell.

Add a DNS record for AD FS
1. In Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC2, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs. In the IP address box, type , and then click Add Host.
5. In the DNS window, click OK, and then click Done.
6. Close DNS Manager.

Configure AD FS
1. In Server Manager, click the Notifications icon, and then click Configure the federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
5. On the Specify Service Account page, click Create a Group Managed Service Account. In the Account Name box, type ADFS, and then click Next.
6. On the Specify Configuration Database page, click Create a database on this server using Windows Internal Database, and then click Next.
7. On the Review Options page, click Next.
8. On the Pre-requisite Checks page, click Configure.
9. On the Results page, click Close.
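The whole demonstration can be scripted, which is how the same build is reproduced on a second farm member or in a test environment. The script below is an added example, not the course’s own demonstration steps: it performs the role installation, KDS root key creation, DNS registration, gMSA creation and first-farm-server configuration from Windows PowerShell. It assumes it runs elevated on LON-DC2 as Adatum\Administrator, that a certificate with subject adfs.adatum.com is already in the local machine store, and that the IP address is a constructed placeholder (the demonstration leaves the address blank).

```powershell
# Added example (not the course's demonstration): the AD FS first-farm-server build from
# Windows PowerShell. Assumptions: run elevated on LON-DC2 as Adatum\Administrator; an SSL
# certificate for adfs.adatum.com is already in Cert:\LocalMachine\My; the IPv4 address
# below is a constructed placeholder.
$FederationServiceName = 'adfs.adatum.com'
$ZoneName              = 'Adatum.com'
$AdfsIPv4Address       = '172.16.0.10'   # constructed placeholder for the federation service address

# Install AD FS (Server Manager: Add Roles and Features).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Create the KDS root key so a group Managed Service Account can be created immediately.
# Backdating the effective time by 10 hours skips the normal replication wait; do this only
# in a lab with a single domain controller.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# The gMSA the wizard would create ("Create a Group Managed Service Account", name ADFS).
# Only the federation server(s) may retrieve its password.
New-ADServiceAccount -Name 'ADFS' -DNSHostName $FederationServiceName `
    -PrincipalsAllowedToRetrieveManagedPassword 'LON-DC2$'

# Register the federation service name. It deliberately differs from the host name so the
# same name can later point at a load balancer or at Web Application Proxy.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'adfs' -IPv4Address $AdfsIPv4Address

# Select the service communication certificate by subject (the newest one if several match).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName in Cert:\LocalMachine\My" }

# Create the first federation server in a new farm, backed by the Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName 'A. Datum Corporation' `
    -GroupServiceAccountIdentifier 'ADATUM\ADFS$'

# Post-build check: the service is running and the federation metadata document is served.
Get-Service -Name adfssrv | Select-Object Name, Status
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
(Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).StatusCode   # 200 when the farm is healthy
```

The metadata URL is the same document the relying party trust wizard downloads later in this module, so a failing request here means the trust import will fail too.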
20
Lesson 3: Implementing AD FS for a Single Organization
Demonstration: Configuring Claims Provider and Relying Party Trusts
21
What Are AD FS Claims?
Claims provide information about users from the claims provider to the relying party
AD FS:
- Provides a default set of built-in claims
- Enables the creation of custom claims
- Requires that each claim have a unique URI
Claims can be:
- Retrieved from an attribute store
- Calculated based on retrieved values
- Transformed into alternate values

The concept of claims should be fairly simple for students to understand. You can use the passport example to describe claims. A passport is issued by a country (the claims provider) to its citizens. When a user travels to another country, the user presents the passport (the claim) to an immigration official (the relying party). If the immigration official deems the passport trustworthy, the user is admitted into the country. The passport might even be used to make additional decisions. For example, if the passport is issued by a specific country, the user might have to provide additional information, such as a visa, to enter the country.

Spend some time on the options for populating claims. Most of the students will not have trouble understanding the role AD DS information might play in providing retrievable values, but you might have to spend additional time describing the calculated and transformed values.
22
What Are AD FS Claim Rules?
Claim rules define how claims are sent and consumed by AD FS servers
Claims provider rules are acceptance transform rules
Relying party rules can be:
- Issuance transform rules
- Issuance authorization rules
- Delegation authorization rules
AD FS servers provide default claim rules, templates, and a syntax for creating custom claim rules

The easiest way for students to understand claim rules might be to describe them as applying business logic to claims. In the previous topics, students learned about all the possible claims that could be defined on an AD FS server. When you define the claim rules, you decide which of all the possible claims your organization will actually use. If you are the claims provider organization, the claim rules define which attributes you use to populate the claim before sending the claim to the relying party. If you are the relying party organization, the claim rules define which claims you will accept.
23
What Is a Claims Provider Trust?
Claims provider trusts:
- Are configured on the relying party federation server
- Identify the claims provider
- Configure the claim rules for the claims provider
In a single-organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed
Additional claims provider trusts can be configured by:
- Importing the federation metadata
- Importing a configuration file
- Configuring the trust manually

Describe a claims provider trust as one half of setting up an AD FS federation between organizations, with the relying party trust being the second half. Point out that the claims provider trust actually configures much of what has been covered in the module so far, and that this configuration object defines how a relying party accepts claims from an AD FS partner organization.

Point out that in a single-organization deployment of AD FS, there is no need for additional claims provider trusts beyond the Active Directory claims provider trust. In this scenario, all users authenticate by AD DS, and the claims provider trust simply defines what AD DS attributes are accepted by AD FS, and how those attributes are used in AD FS.
24
What Is a Relying Party Trust?
Relying party trusts:
- Are configured on the claims provider federation server
- Identify the relying party
- Configure the claim rules for the relying party
In a single-organization scenario, a relying party trust defines the connection to internal applications
Additional relying party trusts can be configured by:
- Importing the federation metadata
- Importing a configuration file
- Manually configuring the trust

Mention that the relying party trust is the second part of the AD FS configuration. This component defines how the claims provider sends information to the relying party. Point out that the options for creating new relying party trusts are identical to those for configuring claims provider trusts.
25
Demonstration: Configuring Claims Provider and Relying Party Trusts
In this demonstration, you will see how to:
- Configure a claims provider trust
- Configure a WIF application for AD FS
- Configure a relying party trust

Preparation Steps
To complete this demonstration, the 10969A-LON-DC2 and 10969A-LON-SVR1 virtual machines must be running. Sign in to both servers as Adatum\Administrator with password Pa$$w0rd. You must have completed the previous demonstration before starting this demonstration.

Demonstration Steps

Configure a Claims Provider Trust
1. On LON-DC2, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule. In the Attribute store drop-down list, select Active Directory.
7. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for the LDAP Attribute and the Outgoing Claim Type:
   - -Addresses : Address
   - User-Principal-Name : UPN
8. Click Finish, and then click OK.

Configure a WIF application for AD FS
1. On LON-SVR1, in Server Manager, click Tools, and then click Windows Identity Foundation Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the sample web.config file.
3. In the Application URI box, type to indicate the path to the sample application that will trust the incoming claims from the federation server, and then click Next to continue.
4. On the Security Token Service page, click Use an existing STS. In the STS WS-Federation metadata document location box, type 06/federationmetadata.xml, and then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.
8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility Wizard, scroll through the items to understand what each item is doing, and then click Finish.
9. In the Success window, click OK.

Configure a Relying Party Trust
1. On LON-DC2, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In the Federation Metadata address (host name or URL) box, type svr1.adatum.com/adatumtestapp, and then click Next. This downloads the metadata configured in the previous section.
5. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and then click Next.
6. On the Configure Multi-factor Authentication Now page, click I do not want to configure multi-factor authentication settings for the relying party trust at this time, and then click Next.
7. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.
8. On the Ready to Add Trust page, review the relying party trust settings, and then click Next.
9. On the Finish page, click Close. Leave the Edit Claim Rules for A. Datum Test App window open for the next demonstration.
28
Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario
Demonstration: Configuring Claim Rules
29
Configuring an Account Partner
An account partner is a claims provider in a B2B federation scenario
To configure an account partner:
- Implement the physical topology
- Add an attribute store
- Configure a relying party trust
- Add a claim description
- Prepare client computers for federation

Explain to students that the account partner is simply another name for the claims provider, which was discussed in the previous lesson. In addition, explain that the process for implementing the account partner side of the federation has not changed significantly from the single-organization scenario. The only real difference is that the relying party trust now references the AD FS servers in another organization, rather than a Web server within the organization.
30
Configuring a Resource Partner
A resource partner is a relying party in a business-to-business federation scenario
To configure a resource partner:
- Implement the physical topology
- Add an attribute store
- Configure a claims provider trust
- Create claim rule sets for the claims provider trust

Point out the similarities between this process and configuring the account partner side of the federation.
31
Configuring Claims Rules for Business-to-Business Scenarios
B2B scenarios may require more complex claims rules
You can create claims rules by using the following templates:
- Send LDAP Attributes as Claims
- Send Group Membership as a Claim
- Pass Through or Filter an Incoming Claim
- Transform an Incoming Claim
- Permit or Deny Users Based on an Incoming Claim
You can also create custom rules by using the AD FS claim rule language

This topic can get complicated for students because there are many variations or ways to use these rules. Unless students are interested in this topic, consider just listing the claim rule templates and focusing on examples for when you would use each. Another option for teaching this content is to move ahead to the Configuring Claims Rules demonstration, using the demonstration to show the options for creating each type of rule by using the provided templates.
32
How Home Realm Discovery Works
Home realm discovery identifies the AD FS server responsible for providing claims about a user
There are two methods for home realm discovery:
- Prompt users during their first authentication
- Include a WHR string in the application URL
SAML applications can use a preconfigured profile for home realm discovery

Focus on the conceptual component of this topic rather than how home realm discovery is actually implemented. Students should not have trouble understanding that home realm discovery is required in the scenario where users access a resource partner’s website from many different account partners. Point out that configuring home realm discovery likely is included in the web application.
33
Demonstration: Configuring Claim Rules
In this demonstration, you will see how to configure claim rules

Preparation Steps
To complete this demonstration, the 10969B-LON-DC1 and 10969B-LON-SVR1 virtual machines must be running. Sign in to both servers as Adatum\Administrator with password Pa$$w0rd. You must have completed the previous demonstrations before starting this demonstration.

Demonstration Steps
1. On LON-DC2, in AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.
3. In the Claim rule name box, type Send Group Name Rule. In the Incoming claim type drop-down list, click Group, and then click Finish.
4. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab, click the rule named Permit Access to All Users, and then click Remove Rule. Click Yes to confirm.
   Note: With no rules, users are not permitted access.
5. On the Issuance Authorization Rules tab, click Add Rule.
6. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
7. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule. In the Incoming claim type drop-down list, select Group. In the Incoming claim value box, type Production, click Permit access to users with this incoming claim, and then click Finish.
8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
9. On the Configure Rule page, in the Claim rule name box, type Allow A. Datum Users. In the Incoming claim type drop-down list, select UPN. In the Incoming claim value box, click Permit access to users with this incoming claim, and then click Finish.
10. Click the Allow A. Datum Users rule, and then click Edit Rule.
11. In the Edit Rule – Allow Adatum Users dialog box, click View Rule Language.
    Note: Students will be editing the rule language in the lab.
12. Click OK, and then click Cancel.
13. In the Edit Claim Rules for A. Datum Test App window, click OK.
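Every rule the wizards created in this demonstration and in the earlier Configuring Claims Provider and Relying Party Trusts demonstration is stored as text in the AD FS claim rule language, which is what View Rule Language shows. The script below is an added example, not the course’s own code: it writes the same rules in that language and applies them with the ADFS cmdlets, which is how the rule sets are version-controlled and reapplied in practice. It assumes it runs on LON-DC2 after both trusts exist, that the relying party trust is named A. Datum Test App and the group is Production as in the demonstration, and it supplies a UPN suffix regex for the Allow A. Datum Users rule (the demonstration leaves that value blank, so the @adatum.com suffix is an assumption). Only the User-Principal-Name mapping from the LDAP rule is reproduced, because the other attribute name is truncated in these notes.

```powershell
# Added example (not the course's code): the demonstration's claim rules in the AD FS claim
# rule language, applied with PowerShell. Assumptions: run on LON-DC2; relying party trust
# named 'A. Datum Test App'; group 'Production'; the @adatum.com UPN suffix is assumed.

# --- Claims provider side: acceptance transform rule on the Active Directory trust ---------
# "Send LDAP Attributes as Claims": query AD for userPrincipalName and issue it as the UPN claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
# The wizard appends to the existing rule set; the cmdlet replaces it, so read and append.
$existing = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($existing + "`n" + $ldapRule)

# --- Relying party side: issuance transform rule ---------------------------------------------
# "Pass Through or Filter an Incoming Claim": forward the Group claim unchanged to the application.
$issuanceTransformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Send Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# --- Relying party side: issuance authorization rules ----------------------------------------
# With "Permit Access to All Users" removed, nobody is authorized unless some rule issues a
# permit claim. Two rules, either of which is sufficient:
#   1. Group claim exactly 'Production' (case-insensitive match on the whole value).
#   2. UPN ending in @adatum.com (assumed value; the "^...$" anchors stop 'adatum.com.evil.test'
#      style suffixes from matching).
$issuanceAuthorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

@RuleTemplate = "Authorization"
@RuleName = "Allow A. Datum Users"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i)[^@]+@adatum\.com$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Set-AdfsRelyingPartyTrust -TargetName 'A. Datum Test App' `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules

# Equivalent of "View Rule Language" for the whole relying party trust.
$rp = Get-AdfsRelyingPartyTrust -Name 'A. Datum Test App'
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules
```

Note the difference between the two rule types: the transform rule decides what the application learns about the user, while the authorization rules decide whether a token is issued at all. Removing the permit-all rule without adding a replacement locks everyone out, which is the fail-closed behaviour the demonstration’s note describes.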
35
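The rules the demonstration builds in the console, written in AD FS claim rule language and applied with the ADFS PowerShell module. This is an added example, not part of the course material. It assumes the relying party trust is named "A. Datum Test App" as in the demonstration, and that the claims provider issues a Group claim with the value Production; the demonstration does not state the incoming claim value for the UPN rule, so the "@adatum.com" suffix match is an assumption.

```powershell
# Added example: the demonstration's claim rules as rule language, applied with Set-AdfsRelyingPartyTrust.
# Run on the AD FS server (LON-DC2) as a member of the local Administrators group.
Import-Module ADFS

$rpName = 'A. Datum Test App'

# Claim type URIs behind the "Group" and "UPN" entries in the wizard drop-down lists
$groupType  = 'http://schemas.xmlsoap.org/claims/Group'
$upnType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$permitType = 'http://schemas.microsoft.com/authorization/claims/permit'

# Issuance transform rule ("Pass Through or Filter an Incoming Claim", type Group):
# every incoming Group claim is copied unchanged into the token sent to the application.
$transformRules = @"
@RuleName = "Send Group Name Rule"
c:[Type == "$groupType"]
 => issue(claim = c);
"@

# Issuance authorization rules. The default "Permit Access to All Users" rule has been removed;
# an empty rule set permits nobody, so explicit permit rules follow.
# Rule 1 is what the "Permit or Deny Users Based on an Incoming Claim" template generates for
# a Group claim with value Production: anchored, case-insensitive match.
# Rule 2 permits A. Datum users by UPN suffix (assumed value; the demonstration leaves it out).
$authRules = @"
@RuleName = "Permit Production Group Rule"
c:[Type == "$groupType", Value =~ "^(?i)Production$"]
 => issue(Type = "$permitType", Value = "PermitUsersWithClaim");

@RuleName = "Allow A. Datum Users"
c:[Type == "$upnType", Value =~ "(?i)@adatum\.com$"]
 => issue(Type = "$permitType", Value = "PermitUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Read the rules back; this is the same text that "View Rule Language" shows in the console
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules
```

Both rule sets are replaced wholesale by Set-AdfsRelyingPartyTrust, so read the existing rules with Get-AdfsRelyingPartyTrust first on a trust that already has rules you want to keep. The regular expression in the Production rule matters: a bare "Production" would also match "ProductionTest", which is why the template anchors the value with ^ and $.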
Lesson 5: Extending AD FS to External Clients

Demonstration: Installing and Configuring Web Application Proxy
What Is Web Application Proxy?

Web Application Proxy secures remote access to web-based applications on an internal network.

Preauthentication types:
- AD FS
- Pass-through

A Web Application Proxy server has two functions. This slide addresses the application proxy function. In this scenario, Web Application Proxy is a reverse proxy that can preauthenticate users for an application by using AD FS: a user must authenticate at AD FS before any request is passed to the internal network, so unauthenticated traffic never reaches the application server. With pass-through preauthentication, requests are forwarded without authentication at the proxy, and the application must authenticate users itself.

Use the network diagram to show the location of the Web Application Proxy server and the firewall locations.

Network diagram: Internet, Web Application Proxy, intranet application.
Web Application Proxy and AD FS

- Web Application Proxy is an AD FS proxy.
- The same certificate is used on the AD FS server and Web Application Proxy.
- Split DNS allows the same name to resolve to different IP addresses.

This topic builds on the content presented earlier in this module, providing additional details about the importance of DNS resolution and certificates. Be sure that students understand these points because they are critical for real-world implementation of AD FS connectivity to the Internet.

Network diagram: Internet, Web Application Proxy, AD FS server (adfs.adatum.com).
High Availability for AD FS

Diagram: load balancer in front of the Web Application Proxy servers and of the AD FS servers that share the name adfs.adatum.com.

Use this topic to discuss the importance of high availability for AD FS. Once AD FS is implemented, it is a critical service in most organizations and needs to be highly available; when AD FS is down, every application that relies on it for sign-in is down with it. Any organization implementing AD FS needs to be aware of this fact and of how to make AD FS highly available.

The section on geographic high availability is simplified greatly to provide a quick overview that is understood easily. The second location also would need at least one AD FS proxy in place, and there would need to be a mechanism to redirect users to the alternate location. In some cases, you could do this by changing the DNS records. In other cases, you might have a load-balancing solution that can redirect clients between locations automatically.

For more information about geographic high availability, go to resiliency-walkthrough.aspx.
Demonstration: Installing and Configuring Web Application Proxy

In this demonstration, you will see how to:
- Install Web Application Proxy
- Export the certificate from the AD FS server
- Import the certificate to the Web Application Proxy server
- Configure Web Application Proxy

Demonstration steps

Install Web Application Proxy
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, select the Remote Access check box, and then click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select role services page, select Web Application Proxy. In the Add Roles and Features Wizard, click Add Features.
9. On the Select role services page, click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, click Close.

Export the adfs.adatum.com certificate from LON-DC2
1. On LON-DC2, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on), and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
13. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
14. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the success message.
15. Close the Microsoft Management Console, and do not save the changes.

Import the adfs.adatum.com certificate on LON-SVR2
1. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running on), and then click Finish.
6. In the Add or Remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), and then click Personal.
8. Right-click Personal, point to All Tasks, and then click Import.
9. In the Certificate Import Wizard, click Next.
10. On the File to Import page, in the File name box, type \\LON-DC2\c$\adfs.pfx, and then click Next.
11. On the Private key protection page, in the Password box, type Pa$$w0rd. Select the Mark this key as exportable check box, and then click Next.
12. On the Certificate Store page, click Place all certificates in the following store. In the Certificate store box, select Personal, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish. Click OK to clear the success message.
14. Close the Microsoft Management Console, and do not save the changes.

Configure Web Application Proxy
1. In Server Manager, click the Notifications icon, and then click Open the Web Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:
   - Federation service name: adfs.adatum.com
   - User name: Adatum\Administrator
   - Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS proxy box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
6. On the Results page, click Close.
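The same procedure done from PowerShell rather than the wizards, followed by the step that Exercise 4 adds (publishing the test application through the proxy with AD FS preauthentication). This is an added example, not part of the course material. The PFX path, password and C$ share are the ones the demonstration uses; the application URLs, the relying party name and the LON-SVR1 certificate subject are assumptions.

```powershell
# Added example: Web Application Proxy deployment with the ADFS, PKI and WebApplicationProxy cmdlets.

### On LON-DC2 (AD FS server): export the service communication certificate with its private key
$pfxPassword = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$adfsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' -and $_.HasPrivateKey }
Export-PfxCertificate -Cert $adfsCert -FilePath 'C:\adfs.pfx' -Password $pfxPassword

### On LON-SVR2 (the Web Application Proxy)
# 1. Install the role service (Remote Access > Web Application Proxy in the wizard)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Import the same certificate into the computer's Personal store.
#    The proxy must present exactly the certificate AD FS uses for adfs.adatum.com.
$pfxPassword = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
$imported = Import-PfxCertificate -FilePath '\\LON-DC2\c$\adfs.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable
$thumb = $imported.Thumbprint

# 3. Establish the proxy trust with the federation service. The credential is used once to
#    create the trust and is not stored on the proxy.
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'AD FS proxy trust'
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $thumb

# 4. Publish the claims-aware test application with AD FS preauthentication. Requests reach
#    LON-SVR1 only after the user has authenticated at AD FS. The external URL host must match
#    the certificate bound here (the lab imports a separate LON-SVR1.adatum.com certificate)
#    and must resolve to the proxy from the Internet. URLs and names below are assumptions.
$appCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-SVR1.adatum.com*' }
Add-WebApplicationProxyApplication -Name 'A. Datum Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl 'https://lon-svr1.adatum.com/AdatumTestApp/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint `
    -BackendServerUrl 'https://lon-svr1.adatum.com/AdatumTestApp/'

# 5. Verify what the proxy is presenting and publishing
Get-WebApplicationProxySslCertificate
Get-WebApplicationProxyApplication | Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The -ADFSRelyingPartyName value has to match the relying party trust name in the AD FS console; if it does not, the publishing cmdlet fails rather than silently publishing the application without preauthentication. Keep the exported PFX on a path only administrators can read and delete it once the import has succeeded, since it carries the private key that every client trusts for adfs.adatum.com.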
Lab: Implementing AD FS

Logon Information
Virtual machines: B-LON-DC1, 20417B-LON-SVR1, 20417B-LON-CL1, 20417B-MUN-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 90 minutes

Exercise 1: Installing and Configuring AD FS
To start the AD FS implementation, you need to install AD FS on an A. Datum domain controller. During the initial deployment, you will configure it as the first server in a farm with the option to expand the farm at a later time. The certificate for AD FS has been installed on LON-DC2 already.

Exercise 2: Configuring an Internal Application for AD FS
The first scenario for implementing the proof-of-concept AD FS application is to ensure that internal users can use SSO to access the web application. You plan to configure the AD FS server and a web application to enable this scenario. You also want to verify that internal users can access the application.
The main tasks in this exercise are:
1. Configure the Active Directory claims provider trust.
2. Configure the application to trust incoming claims.
3. Configure a relying party trust for the claims-aware application.
4. Configure claim rules for the relying party trust.
5. Test access to the claims-aware application.
6. Configure Internet Explorer to pass local credentials to the application automatically.

Exercise 3: Configuring AD FS for a Federated Business Partner
The second deployment scenario is to enable Trey Research users to access the web application. You plan to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey Research users can access the application. You also want to confirm that you can configure access that is based on user groups. You must ensure that all users at A. Datum, and only users who are in the Production group at Trey Research, can access the application.
The main tasks in this exercise are:
1. Configure DNS forwarding between TreyResearch.net and Adatum.com.
2. Configure certificate trusts between TreyResearch.net and Adatum.com.
3. Create a KDS root key to enable managed service accounts.
4. Create a DNS record for AD FS.
5. Install AD FS for TreyResearch.net.
6. Configure AD FS for TreyResearch.net.
7. Add a claims provider trust for the TreyResearch.net AD FS server.
8. Configure a relying party trust in TreyResearch.net for the A. Datum application.
9. Test access to the application.

Exercise 4: Configuring Web Application Proxy
The third scenario for implementing the proof-of-concept AD FS application is to increase security for AD FS authentication by implementing an AD FS proxy for AD FS and a reverse proxy for the application. You will implement Web Application Proxy to fulfill both of these roles.
The main tasks in this exercise are:
1. Install Web Application Proxy.
2. Add the adfs.adatum.com certificate to LON-SVR2.
3. Add the LON-SVR1.adatum.com certificate to LON-SVR2.
4. Configure Web Application Proxy.
5. Configure the AD FS proxy for the test application.
6. Test Web Application Proxy.
10969A Lab Scenario

A. Datum Corporation has set up a variety of business relationships with other companies and customers. Some of these partner companies and customers must access business applications that are running on the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality and access to these companies. The Security and Operations departments want to ensure that the partners and customers can access only the resources to which they require access, and that implementing the solution does not increase the workload for the Operations team significantly.

A. Datum also is working on migrating some parts of its network infrastructure to Microsoft Online Services, including Windows Azure and Office 365. To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the company plans to use AD FS to implement SSO for internal users who access an application on a web server. A. Datum also has entered into a partnership with another company, Trey Research. Trey Research users must be able to access the same application.

As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS solution. As a proof of concept, you plan to deploy a sample claims-aware application, and you will configure AD FS to enable both internal users and Trey Research users to access the application.
Lab Review

Question: Why was it important to configure adfs.adatum.com as the host name for the AD FS service?
Answer: If you use the host name of an existing server for the AD FS service, you will not be able to add additional servers to your server farm. All servers in the server farm must share the same host name when providing AD FS services. The host name for AD FS also is used by AD FS proxy servers, which present the same certificate for that name.

Question: How can you test whether AD FS is functioning properly?
Answer: You can access on the AD FS server.
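A set of checks for the second review question, which also exercise the split-DNS and certificate points from the "Web Application Proxy and AD FS" topic. This is an added example, not part of the course material. The federation metadata path and the IdP-initiated sign-on page are the standard AD FS endpoints in Windows Server 2012 R2; the DNS server addresses are assumptions, and the last check must run on an AD FS server because it calls Get-AdfsCertificate.

```powershell
# Added example: verifying an AD FS deployment from PowerShell.
$fsName = 'adfs.adatum.com'

# 1. Split DNS: the name must resolve to the AD FS server (or its load balancer) internally and to
#    the Web Application Proxy externally. Query an internal and an external resolver directly
#    so the local cache does not hide a wrong record. Both server addresses are assumptions.
$internal = (Resolve-DnsName $fsName -Type A -Server '172.16.0.10' -DnsOnly).IPAddress
$external = (Resolve-DnsName $fsName -Type A -Server '8.8.8.8' -DnsOnly).IPAddress
"internal answer: $internal"
"external answer: $external"

# 2. Federation metadata: an unauthenticated HTTPS GET that exercises the service communication
#    certificate, the HTTPS binding and the federation service itself. A TLS failure here means the
#    client does not trust the service communication certificate, which is why that one certificate
#    is the one to buy from a public CA.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
"entityID: " + $md.EntityDescriptor.entityID

# 3. The token-signing certificate needs no third-party trust: relying parties take it from this
#    metadata. Confirm the published certificate is the one AD FS is actually signing with.
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$node = Select-Xml -Xml $md -Namespace $ns `
    -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    Select-Object -First 1 -ExpandProperty Node
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$published.Import([Convert]::FromBase64String($node.InnerText))

Import-Module ADFS
$active = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"published signing thumbprint: $($published.Thumbprint)"
"active signing thumbprint:    $($active.Thumbprint)"
if ($published.Thumbprint -ne $active.Thumbprint) {
    Write-Warning 'Metadata does not match the primary token-signing certificate; partners will reject tokens.'
}

# 4. Interactive check from a browser: the IdP-initiated sign-on page, enabled by default in 2012 R2
Start-Process "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
```

Run step 1 from a machine on each side of the firewall as well as with explicit -Server values; the answer an internal client gets must be the AD FS server, never the proxy, or internal users will be routed out and back in through the perimeter.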
Module Review and Takeaways

Review Questions

Question: Your organization is planning to implement AD FS. In the short term, only internal clients will be using AD FS to access internal applications. However, in the long run, you will be providing access to web-based applications that are secured by AD FS to users at home. How many certificates should you obtain from a third-party CA?
Answer: The only AD FS certificate that needs to be trusted by every client, including home users' computers that your organization does not manage, is the service communication certificate. The token-signing and token-decrypting certificates are distributed to relying parties through federation metadata, so they can be left as self-signed. Therefore, only a single certificate from a third-party CA is required, and the same certificate is used on the Web Application Proxy.

Question: Your organization has an application for customers that allows them to view their orders and invoices. At the present time, all customers have a user name and password that is managed within the application. To simplify access to the application and reduce support calls, your organization has rewritten the application to support AD FS for authentication. What do you need to configure to support the application?

Question: A Web Application Proxy is being configured to support application access over the Internet. Internally, your AD FS server uses the host name adfs.contoso.com and resolves to the AD FS server's internal IP address. How will you allow external partners to resolve adfs.contoso.com to the external IP address of Web Application Proxy?
Answer: Use split DNS to allow the proper resolution of adfs.contoso.com to the correct IP address internally and externally. The internal DNS server resolves adfs.contoso.com to the internal IP address of the AD FS server. The external DNS server resolves adfs.contoso.com to the external IP address of Web Application Proxy.

Question: Your organization has implemented a single AD FS server and a single Web Application Proxy successfully. Initially, AD FS was used for only a single application, but now it is being used for several business-critical applications. AD FS must be configured to be highly available. During the installation of AD FS, you selected to use the Windows Internal Database. Can this database be used in a highly available configuration?
Answer: Yes, the Windows Internal Database can be used to support up to five AD FS servers. The first AD FS server is the primary server where all configuration changes take place. Changes on the primary server are replicated to the other AD FS servers, which hold read-only copies. Features that need a shared database, such as SAML artifact resolution and token replay detection, require SQL Server instead of the Windows Internal Database.
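Adding a second node to the single-server WID farm from the last review question, which is the step the "High Availability for AD FS" topic describes. This is an added example, not part of the course material. It assumes the farm's primary server is LON-DC2 as in the lab, that the new node already holds the adfs.adatum.com certificate with its private key in its computer store, and that the AD FS service runs as a group managed service account named Adatum\svc_adfs$ (the lab creates a KDS root key for that purpose, but the account name is an assumption).

```powershell
# Added example: joining a new Windows Server 2012 R2 node to an existing WID-backed AD FS farm.
# Run on the new node, as a domain account that is a local administrator on it and on the primary.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Every farm member (and the proxy) must present the same adfs.adatum.com certificate
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' -and $_.HasPrivateKey }).Thumbprint

# Join the farm. With WID there is no shared database: the node copies the configuration from the
# primary and keeps polling it for changes, so configuration is only ever written on the primary.
Add-AdfsFarmNode -PrimaryComputerName 'LON-DC2.adatum.com' `
    -CertificateThumbprint $thumb `
    -GroupServiceAccountIdentifier 'Adatum\svc_adfs$'   # assumed gMSA name

# Check the replication role and state on the new node
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus

# If the primary is lost, promote one secondary and repoint the others at it:
#   on the surviving node:   Set-AdfsSyncProperties -Role PrimaryComputer
#   on every other node:     Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName '<new primary FQDN>'
```

Once the node reports a successful sync, add it behind the same load-balanced name as the first server; clients and the Web Application Proxy continue to use adfs.adatum.com and need no change. The five-server limit in the answer is a WID limit, not a load-balancer one, so a farm that needs more nodes or artifact resolution is migrated to SQL Server.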