Servers in an AD FS relationship must rely on certificates to create a chain of trust between each other and to ensure that all traffic transported over the trust relationships is encrypted at all times. The best way to ensure that this chain of trust is valid and trusted in all locations is to obtain certificates from a trusted third-party CA or through the creation of a linked AD CS implementation that uses a third-party CA as its root.
This is only one of the aspects of the AD FS configuration that must be completed. When you deploy AD FS, you also must configure your AD FS–aware applications, configure trust policies between partner organizations, and configure claims for your users and groups. Then you can begin to run and manage AD FS.
1. Finalizing the Configuration of AD FS
When you deploy AD FS, you must perform the following actions to complete the configuration:
Import a server authentication certificate to the default website on the servers in your configuration. This certificate is essential to the operation of AD FS. You use a self-signed certificate for the purposes of this exercise.
Configure the federation servers and the federation server proxies (FSPs) in each AD DS domain.
Configure the token-signing and token-decrypting certificates on the federation servers.
Verify that the Federation Service is operational.
Each of these operations requires the computers in your setup to be operational.
2. Using and Managing AD FS
When the configuration of the identity federation is complete, you move on to regular administration and management of the AD FS services and server roles. You rely on the Active Directory Federation Services console to perform these tasks. Administration tasks include:
Other operations include adding or removing web-based applications, adding or removing federation partners, and general monitoring of the AD FS processes.
When you work with FSPs, you can rely on the AD FS console to configure:
Preparing and putting in place an identity federation through AD FS requires care and planning. Because of this, take the time to practice and prepare thoroughly in a laboratory before you move this technology into production.
2.1. Working with Windows PowerShell
AD FS is administered with Windows PowerShell on Windows Server 2008 or Windows Server 2008 R2. AD FS 2.0 automatically registers the PowerShell module for AD FS during installation. Run the following cmdlet to add AD FS support in your PowerShell session:
Add-PSSnapin Microsoft.Adfs.Powershell
After the module is imported, you can manage and administer AD FS components through PowerShell. One great advantage PowerShell gives you is that you can easily automate AD FS administration through its cmdlets. The AD FS module for Windows PowerShell includes 15 cmdlet objects that let you manage everything from the attribute store to AD FS certificates and trusts.
2.2. Ongoing AD FS 2.0 Administration
You can and will use the AD FS 2.0 Management Console to administer your AD FS 2.0 implementation after it is complete, but you also have to rely on Windows PowerShell. For example, the console does not provide any means to manage or update federation server proxies; these can be managed only through PowerShell. Become familiar with the PowerShell cmdlets for AD FS 2.0. Table 1 describes the PowerShell cmdlets for AD FS 2.0. Note that AD FS 2.0 includes both cmdlets and resources—convenience utilities that gather a set of control functions within a single cmdlet.
Table 1. AD FS 2.0 PowerShell cmdlets
CMDLET | PURPOSE |
--- | --- |
ADFSRelyingPartyTrust | Administer trusts with relying parties |
ADFSClaimsProviderTrust | Administer trusts with claims providers |
ADFSAttributeStore | Control the attribute store within an AD FS implementation |
ADFSClaimDescription | Manage claim types supported by AD FS 2.0 |
ADFSEndpoint | Manage endpoints in a Federation Service |
ADFSCertificate | Manage certificates in an AD FS 2.0 implementation |
ADFSProxyProperties | Manage the properties of a federation server proxy |
ADFSProperties | Manage the properties of a federation server |

RESOURCE | PURPOSE |
--- | --- |
ADFSClaimRuleSet | Authors and updates AD FS policies |
ADFSSAMLEndpoint | Encapsulates SAML endpoints and endpoint bindings |
ADFSContactPerson | Encapsulates the contact information for a trust partner |
ADFSOrganization | Encapsulates organization information for a trust partner |
ADFSCertSharingContainer | Manages the service account that is used to share private keys of token-signing and token-decrypting certificates, as well as the SSL certificates used in an AD FS 2.0 deployment |
ADFSSyncProperties | Controls the frequency of configuration database synchronization when using the Windows Internal Database instead of SQL Server |
2.2.1. Practice Finalizing the AD FS 2.0 Configuration
In this practice, you finalize the AD FS installation you performed in Lesson 1, and you rely on the same computers you used in that practice. You begin by configuring the IIS server on each of the federation servers and completing the AD FS configuration on each server. Then you configure the federation servers for each partner organization. You finish the AD FS configuration by creating the federation trust.
EXERCISE 1 Configure the Default Web Sites on Each Server
In this exercise, you configure the default websites on each server. Make sure that all servers are running. This includes SERVER01, SERVER03, SERVER06, and SERVER07.
Log on to SERVER03 with the domain Administrator account.
Launch IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager), select the server name, and then scroll down and select Server Certificates in the Features view of the details pane.
In the Action pane, click the Open Feature link. In the Action pane, click the Create Self-signed Certificate link.
Type a friendly name for the certificate and click OK. In this instance, use the service name for each certificate. For example, use FS.contoso.com for SERVER03 and FS.woodgrovebank.com for SERVER07.
Bind the certificate to the default website on port 443. To do so, expand SERVER03 in the tree pane and click Sites. Click Default Web Site in the details pane. Click the Bindings link in the Actions pane. Click Add. Choose HTTPS from the Type drop-down list and All Unassigned from the IP Address drop-down list. Make sure 443 is entered as the Port value. Choose your self-signed certificate in the SSL Certificate drop-down list. Click OK, and then click Close.
Repeat this operation for SERVER07.
EXERCISE 2 Configure the Federation Servers
In this exercise, you configure the federation servers for operation. Make sure that all servers are running. This includes SERVER01, SERVER03, SERVER06, and SERVER07.
Log on to SERVER03 with the domain Administrator account.
If it isn’t already open, launch the AD FS Management Console (Start, All Programs, Administrative Tools, AD FS 2.0 Management), and then launch the AD FS 2.0 Federation Server Configuration Wizard from the details pane.
On the Welcome page, select Create A New Federation Service. Click Next.
On the Select Stand-Alone Or Farm Deployment page, select Stand-Alone Federation Server. Note that this deployment will rely on the WID as a database. Click Next.
The Federation Service Name is automatically obtained from the certificate you assigned to the default website. Click Next.
Note that in a production environment, you would require a certificate from a trusted root.
On the Ready To Apply Settings page, click Next to begin the configuration.
When the Configuration Results page appears, click Close.
Repeat the process for SERVER07.
EXERCISE 3 Prepare the Certificate Share Location
One of the most important factors in setting up federation partnerships is integrating certificates from the servers in the Federation Service to link the servers that must communicate with each other. To do this, you need to perform several tasks:
Create a file share that each server can access to simplify the transfer of certificate files from one server to another.
Export the server authentication certificate of the account federation server (SERVER03) to a file.
Export the server authentication certificate of the resource federation server (SERVER07) to a file.
Assign a token-signing certificate to the account federation server (SERVER03).
Assign a token-decrypting certificate to the account federation server (SERVER03).
You perform these tasks mostly because you are using self-signed certificates. If you were using trusted root certificates, you would only need to assign them to the federation servers.
First you must create the file share you will use to store the certificates. The other actions are performed in the exercises that follow.
Log on to SERVER03 with the domain Administrator account.
Launch Windows Explorer and move to the C drive. Create a new folder and name it Temp.
Right-click the Temp folder, point to Share With, and click Specific People.
In the File Sharing dialog box, select Everyone in the drop-down list, click Add, and assign Read/Write permission.
Click Share, and then click Done.
Your shared folder is ready. Proceed with the remaining exercises.
EXERCISE 4 Export the SSL Server Certificate
Beginning with SERVER03, you will export the SSL server and client authentication certificates to a file on each server.
Log on to SERVER03 with domain Administrator credentials.
Launch Internet Information Services (IIS) Manager from the Administrative Tools program group.
In the tree pane, click the server name.
In the details pane in the Features view, scroll to the IIS section and double-click Server Certificates.
Double-click the FS.contoso.com certificate.
On the Details tab, click Copy To File. Click Next.
On the Export Private Key page, select No, Do Not Export The Private Key and click Next.
On the Export File Format page, ensure that DER Encoded Binary X.509 (.CER) is selected and click Next.
On the File To Export page, click Browse and move to the C:\Temp folder. Name the certificate SERVER03SSL.cer and click Save. Click Next.
On the Completing The Certificate Export Wizard page, verify the information and click Finish.
Click OK when you get the Certificate Export Was Successful message. Click OK again to close the Certificate dialog box.
Now move to SERVER07 and repeat the procedure, as follows:
Log on to SERVER07 with domain Administrator credentials.
Launch Internet Information Services (IIS) Manager from the Administrative Tools program group.
In the tree pane, click the server name.
In the details pane in Features view, scroll to the IIS section and double-click Server Certificates.
Double-click the FS.woodgrovebank.com certificate.
On the Details tab, click Copy To File. Click Next.
On the Export Private Key page, select No, Do Not Export The Private Key and click Next.
On the Export File Format page, ensure that DER Encoded Binary X.509 (.CER) is selected and click Next.
On the File To Export page, click Browse and in the address bar at the top of the Browse window, type \\SERVER03.Contoso.com\temp, and then press Enter. Name the certificate SERVER07SSL.cer, click Save, and then click Next.
On the Completing The Certificate Export Wizard page, verify the information and click Finish.
Click OK when you get the Certificate Export Was Successful message. Click OK again to close the Certificate dialog box.
Your certificates are now all in a shared folder.
EXERCISE 5 Assign and Export Federation Certificates
Proceed to the assignment of certificates. Perform this operation on SERVER03.
Launch Windows PowerShell Modules from the Administrative Tools program group. If this is the first time you have used this module on this server, PowerShell will import all existing modules, including the module for AD FS. If the module is not present, execute the following cmdlet:
Add-PSSnapin Microsoft.ADFS.PowerShell
You must disable the AD FS Automatic Certificate Rollover feature to manually add certificates to your configuration. This feature allows AD FS to automatically manage the certificates it requires to operate. Remember to turn this feature back on when you are done. Execute the following cmdlet:
Set-ADFSProperties -AutoCertificateRollover $false
Minimize the PowerShell window when done.
Launch the AD FS 2.0 Management Console from the Administrative Tools program group. Double-click Service in the console tree and click Certificates.
In the Action pane, click the Add Token-Signing Certificate link.
Select the FS.Contoso.Com certificate in the Windows Security dialog box and click OK.
In production, you would ensure that the private key for this certificate is exported and available to other servers you configure in an AD FS farm. In this case, you did not export the private key because your configuration includes only a single server. Click OK in the warning message dialog box.
In the Action pane, click the Add Token-Decrypting Certificate link.
Select the FS.Contoso.Com certificate in the Windows Security dialog box and click OK. Click OK again to close the warning dialog box.
Note that AD FS automatically assigned a Service Communications Certificate. This certificate is the same as the SSL certificate assigned to the default website.
Reactivate the Automatic Certificate Rollover feature. Return to the Windows PowerShell Modules window and execute the following cmdlet:
Set-ADFSProperties -AutoCertificateRollover $true
Close the PowerShell window.
Repeat this procedure on SERVER07, this time selecting the FS.Woodgrovebank.com certificate for each service.
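The certificate assignment in this exercise can also be scripted with the AD FS 2.0 cmdlets, which is useful when the same steps must be repeated on SERVER07. This is an added example, not code from the training kit; it assumes the Microsoft.Adfs.PowerShell snap-in, the FS.contoso.com certificate from Exercise 1 in the local computer's Personal store, and the Get-/Set-/Add-ADFSCertificate cmdlets with the Token-Signing and Token-Decrypting certificate types.

```powershell
# Added example: assign the token-signing and token-decrypting certificates
# with the AD FS 2.0 cmdlets and verify the result. Run on SERVER03; change
# $subject to CN=FS.woodgrovebank.com on SERVER07.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$subject = 'CN=FS.contoso.com'   # subject of the self-signed certificate from Exercise 1

# The certificate must carry a private key: AD FS signs and decrypts with it.
# The key never leaves this server; only the public .cer was copied to the share.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $subject" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "$subject expires on $($cert.NotAfter); partners will stop trusting tokens then."
}

# Manual assignment is refused while automatic rollover is enabled,
# so it is disabled only for the duration of the change.
Set-ADFSProperties -AutoCertificateRollover $false
try {
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $present = Get-ADFSCertificate -CertificateType $type |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) {
            Add-ADFSCertificate -CertificateType $type -Thumbprint $cert.Thumbprint
        }
        # Make it primary: this is the certificate published in federation
        # metadata and used for new tokens.
        Set-ADFSCertificate -CertificateType $type -Thumbprint $cert.Thumbprint -IsPrimary
    }
}
finally {
    # The exercise turns rollover back on when done.
    Set-ADFSProperties -AutoCertificateRollover $true
}

# Verification: each certificate type should list the chosen thumbprint as
# primary, and the Service-Communications entry should match the SSL binding.
Get-ADFSCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{n = 'Subject';  e = { $_.Certificate.Subject }},
        @{n = 'NotAfter'; e = { $_.Certificate.NotAfter }} |
    Format-Table -AutoSize
```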
EXERCISE 6 Configure the Federation Servers
You are now ready to configure both of your federation servers. The configuration for account partners (claims providers) and resource partners (relying parties) is very similar, with only minor differences. Table 2 describes the activities that you must perform for each partner.
Table 2. Configuring Federation Servers
ACTIVITY | ACCOUNT PARTNER | RESOURCE PARTNER |
--- | --- | --- |
Determine your federated application strategy. | None | The resource partner must determine how shared applications will be accessed. |
Add an attribute store. | The attribute store is required by both parties. | The attribute store is required by both parties. |
Create a trust policy. | The trust policy is required to form the partnership. The account partner requires a Claims Provider trust. | The trust policy is required to form the partnership. The resource partner requires a Relying Party trust. |
Create claim rules. | Claim rules are required to properly issue claims. | Claim rules are required to properly process claims. |
Prepare client computers. | The account partner must prepare client computers to have them interoperate with the claims partnership. | No action required |
Begin with the federated application strategy in the resource partner. AD FS 2.0 supports ASP.NET applications as well as Windows Communication Foundation services. Applications can be accessed through Windows Integrated Authentication, simplifying access for end users. AD FS 2.0 also supports WS-* standards and, because of this, supports a wide range of both Windows-based and non-Windows-based applications. When you configure a federated trust in your organization, you should determine the following:
Which applications will be accessed through federation?
What type of applications are they?
Will your internal, corporate users have access to these applications?
Will non-corporate users (Internet users) have access?
Will partner users have access?
The answer to these questions will help determine your application strategy.
After you have determined the application strategy, you are ready to configure the federation servers. At this point, you normally configure the attribute store, but because AD FS 2.0 automatically generates an AD DS attribute store by default, you do not need to perform this operation in either environment.
Therefore, you can move on to create the trust policies. You will create the trusts manually, but in production, you can obtain a metadata file from your partners to create the trust automatically. These files might be available on the web as well. Begin with the account partner and claims provider, or SERVER03.
Log on to SERVER03 with the domain Administrator account.
In this step, you need to use domain administrator credentials to identify the attribute store.
Launch AD FS 2.0 Management from the Administrative Tools program group.
Note that the Overview in the Details pane indicates that you must perform a required task before the configuration of your AD FS server is complete. Click the Required: Add A Trusted Relying Party link.
On the Welcome page, click Start.
On the Select Data Source page, select Enter Data About The Relying Party Manually and click Next.
Type Woodgrove Bank under Display Name, enter a description in the Notes section, and then click Next.
Select AD FS 2.0 Profile and click Next.
Click Browse on the Configure Certificate page, move to the C:\Temp folder, select SERVER07SSL, click Open, and then click Next.
Do not make any selections on the Configure URL page; click Next.
AD FS 2.0 supports the WS-Trust, WS-Federation, and SAML Web SSO protocols for trusts. You select WS-Federation and/or SAML Web SSO if your partners are relying on them and enter the appropriate URLs. But because WS-Trust is enabled by default, you do not need to select either of the other protocols for your trust to work in this exercise.
Specify the relying party’s URL, in this case HTTP://woodgrovebank.com/adfs/services/trust, click Add, and then click Next.
Choose the issuance authorization rules. Select Permit All Users To Access This Relying Party and click Next.
In production environments, you might choose to deny all users and then assign specific authorization rules afterward. In this exercise, to simplify the process, we allow all users.
On the Ready To Add Trust page, click Next, make sure that the Open The Edit Claim Rules Dialog For This Relying Party Trust When The Wizard Closes check box is selected, and then click Close.
The Edit Claim Rules dialog box opens, allowing you to finalize the trust and add mappings between the claims and the data within AD DS.
Click Add Rule. Choose Send LDAP Attributes As Claims from the drop-down list and click Next.
Type a name for the rule, in this case Group Membership Rule, and make sure the attribute store is set to Active Directory. Then choose Token-Groups – Unqualified Names from the drop-down list under LDAP Attribute and choose Role under Outgoing Claim Type; then click Finish and click OK.
Your relying party trust is configured. Proceed to the configuration of the resource provider. Repeat the same operation, but this time on SERVER07, as follows:
Log on to SERVER07 with the domain Administrator account.
In this step, you need to use domain administrator credentials to identify the attribute store.
Launch AD FS 2.0 Management from the Administrative Tools program group.
Note once again that you must still complete the configuration of the server for the Federation Service to work properly. Click the Required: Add A Trusted Relying Party link.
On the Welcome page, click Start.
On the Select Data Source page, select Enter Data About The Relying Party Manually and click Next.
Type Contoso under Display Name, enter a description in the Notes section, and then click Next.
Select AD FS 2.0 Profile and click Next.
Click Browse on the Configure Certificate page, and in the address bar at the top of the Browse window type \\SERVER03.Contoso.com\temp; then press Enter. Select SERVER03SSL, click Open, and then click Next.
Do not make any selections on the Configure URL page; click Next.
Specify the relying party’s URL, in this case HTTP://contoso.com/adfs/services/trust, click Add, and then click Next.
Choose the issuance authorization rules. Select Permit All Users To Access This Relying Party and click Next.
In production environments, you might choose to deny all users, and then assign specific authorization rules afterward. In this exercise, to simplify the process, we allow all users.
On the Ready To Add Trust page, click Next, make sure the Open The Edit Claim Rules Dialog For This Relying Party Trust When The Wizard Closes check box is selected, and then click Close.
The Edit Claim Rules dialog box opens, allowing you to finalize the trust and add mappings between the claims and the data within AD DS.
Click Add Rule. Choose Send LDAP Attributes As Claims from the drop-down list and click Next.
Type a name for the rule, in this case Group Membership Rule, and make sure the attribute store is set to Active Directory. Then select Token-Groups – Unqualified Names from the drop-down list under LDAP Attribute and choose Role from the Outgoing Claim Type drop-down list; then click Finish and click OK.
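The relying party trust, the Permit All Users authorization rule, and the Group Membership Rule built by the wizard above can also be created with the AD FS 2.0 cmdlets, which makes the configuration reviewable as text. This is an added example, not code from the training kit; it assumes the Microsoft.Adfs.PowerShell snap-in, the exported SERVER07SSL.cer in C:\Temp from Exercise 4, and that the claim rule text below matches what the wizard's templates generate.

```powershell
# Added example: create the "Woodgrove Bank" relying party trust from
# Exercise 6 on SERVER03 with the AD FS 2.0 cmdlets instead of the wizard.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$name       = 'Woodgrove Bank'
$identifier = 'HTTP://woodgrovebank.com/adfs/services/trust'   # relying party URL from the exercise
$certFile   = 'C:\Temp\SERVER07SSL.cer'                          # exported in Exercise 4 (public key only)

# The partner's certificate is used to encrypt tokens issued to it (the wizard's
# Configure Certificate page). A .cer without the private key is all that is needed.
$encryptionCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
if ($encryptionCert.NotAfter -lt (Get-Date)) { throw "$certFile has expired" }

# Issuance authorization: the "Permit All Users" template used in the exercise.
# For production, start from deny-all and add explicit permit rules instead.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: "Send LDAP Attributes as Claims", mapping
# Token-Groups - Unqualified Names (tokenGroups) to the outgoing Role claim type.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Group Membership Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

if (Get-ADFSRelyingPartyTrust -Name $name) {
    # Re-running updates the existing trust instead of failing on a duplicate name.
    Set-ADFSRelyingPartyTrust -TargetName $name -EncryptionCertificate $encryptionCert `
        -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules
} else {
    Add-ADFSRelyingPartyTrust -Name $name -Identifier $identifier `
        -EncryptionCertificate $encryptionCert `
        -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules `
        -Notes 'Resource partner configured per Exercise 6'
}

# Verification: identifier, encryption certificate thumbprint and rule text
# as stored in the configuration database.
Get-ADFSRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier, Enabled,
        @{n = 'EncryptionCertThumbprint'; e = { $_.EncryptionCertificate.Thumbprint }},
        IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```

On SERVER07 the same script applies with the Contoso display name, \\SERVER03.Contoso.com\temp\SERVER03SSL.cer as the certificate file, and HTTP://contoso.com/adfs/services/trust as the identifier, mirroring the second half of the exercise.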
Your AD FS 2.0 trust is almost complete. AD FS 2.0 is working, but your clients do not yet have access to the service. You must configure your client computers in the claims provider to grant them access to the Federation Service.
Preparing client computers requires two major actions: You must enable Internet Explorer to access and trust the account federation server, and you must distribute the federation certificates to your client computers. Both operations are performed through Group Policy.
Configuring Internet Explorer to trust the federation server is performed through the user configuration section of Group Policy and relies on the Security section of Internet Explorer Maintenance (User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security). It is a matter of adding the federation server URL to the intranet sites in Internet Explorer. Ideally, you will perform this operation on a management computer running a client operating system such as Windows 7, because you must import the settings from the current computer to be able to modify the Security Zones And Content Ratings setting. Import the settings, click Modify Settings, move to the Security tab, and click Local Intranet. Click Sites and add the URL for the federation servers.
Distribution of the federation certificates to client computers is also performed through Group Policy, but through the Computer Configuration section under Policies\Windows Settings\Security Settings\Public Key Policies. Select Trusted Root Certification Authorities, right-click in the details pane, and click Import. This launches the Certificate Import Wizard that you use to import the certificates into the Trusted Root Certification Authorities container. The certificate for each federation server in the Federation Service must be added to this store for client computers to trust each member server of the service.
After clients are configured and your new Group Policy settings have been applied, your Federation Service will be functional and users will have access to federated applications and services.