Ad fs
A very quick presentation, and for that reason never finished, about Windows Server Federation Services in Windows Server 2008; although it has many flaws in its use of information, such as the mix of languages or too much data crammed onto the slides, it can serve as a base for a better presentation.

Published in: Education
Transcript

  • 1. Integration of Directories and Federation. Javier Vasquez, Senior Technology Specialist, Federal Platforms Team, Microsoft
  • 2. Where it all began
      • Infrastructure Directories: StreetTalk, NDS, AD
      • Application Specific Directories: X.500, LDAP, AD/AM
      • Good for Enterprises; Hard to Federate
  • 3. Windows IdM: Active Directory – Foundation for Identity Management
      • Central Repository for: User Accounts & Attributes; System Accounts & Attributes; Organizational & Security Groups; Application & Service Locations; Management Policy; Security Policy; Digital Certificates; Network Access Permissions; Printer Locations; File Share Locations; …
      • Integrated Security: Kerberos v5; Mac OS Kerberos PAM; X.509 Certificates (PKI); Security Domain
      • Directory Access Protocols: LDAP v3 – Standards-based access; ADSI – Simple COM-based Interface; DSML – XML Interface
      • http://www.microsoft.com/business/security/access/whpaper.mspx
  • 4. Reduced Enterprise Sign-on: Extending Windows SSO (diagram: Active Directory; Logon to AD; UNIX; 390/AS400; Kerberos Application)
      • Services for UNIX: NIS Server for AD; NIS-AD directory sync; Password synchronization; User name mapping
      • Host Integration Server: Windows to RACF accounts; Windows to OS/400 Security System; Bi-Directional Password Synchronization
      • Kerberos: Native AuthN protocol; MIT v5 Compliant; Carries group info in PAC; Windows PAC is open; SCO, Vintela, Java SSO through Windows
  • 5. Reduced Enterprise IdM: LDAP Authentication & Directory Integration (diagram: Account Directory; LDAP; SQL; Enterprise App; Exchange; Web Service; File Share; Application; Active Directory; MIIS 2003)
      • Integrate LDAP with AD: LDAP v3 compliant; Single AD and LDAP user account; AD/AM for personalization data
      • Microsoft Identity Integration Server: Directory synchronization (LDAP, e.g. SunONE & others; Relational databases; DSML; Application specific); Account Provisioning (Automate account creation; Automate account de-provisioning); Password Management (MIIS 2003): Self-service password reset; Certificate Management
  • 6. Extending Active Directory. Newer concepts: ADAM; DSML gateway; Distributed IdM; Web Services
  • 7. ADAM - Integrating extended LDAP app with AD
      • Store app data without extending infra DS schema
      • App data keyed off identifier from infra directory
      • Maintain central user repository!
      • (diagram: ADAM; Infrastructure Active Directory; Web app; Client; Server; Store/retrieve data; Data specific to portal app; Data shared by all apps; User (right) and “shadow” (left))
  • 8. Extending Infrastructure AD with DSML. This is the URL to which we will post. Transport could be SOAP HTTP DS Access
  • 9. Distributed IdM technologies: How do we distribute IdM services? ADFS and AZ-Manager
  • 10. Security in a Web Services World – IBM/MSFT White Paper
      • WS-Security Specification – Ratified April 2004
      • (diagram of the WS-* stack: Security; Privacy; Trust; Policy; Authorization; Federation; SecureConversation; SOAP Foundation; Web Services Applications; Today)
      • Web Services Security: WS-Security and Liberty Alliance; Rich Application stack vs. IdM stack; ID-WSF Web Services Framework; ID-FF – Identity Federation Framework
  • 11. The Vision and Future of SSO: B2B Federated Single Sign-on (diagram: Exchange; Web Service; Collaboration; Intranet Applications; Active Directory; User Account/Credentials; Security Token (eg Kerberos Ticket); Security Token; WS Security Application; ADFS; Supplier A; Supplier B)
      • Supplier A requires XRML: 1. ADFS Creates XRML token; 2. Signs it with company’s private key; 3. Sends it back to the user; 4. Access Supplier with the token
      • Supplier B requires SAML: 1. ADFS Creates SAML token; 2. Signs it with company’s private key; 3. Sends the token back to the user; 4. Accesses Supplier B using the token
  • 12. ADFS Logon Server: SOAP rich client proxy for browsers (diagram: Web Service; Active Directory; ADFS; Web-based Logon Server; Web Front End; Security Token; Security Message)
      • User authenticates to Logon server (forms based)
      • ADFS validates credentials with Active Directory
      • ADFS creates the requested security token
      • Logon server returns token to client
      • Client forwards token to web front end
      • Front end sends WS-Security msg with token to web service
  • 13. Active Directory Federation Service Architecture (diagram: HTTPS; SOAP; LDAP)
      • Federation Service (FS): Issues security tokens for users; Manages policy between federated security realms
      • Logon Service (LS): Provides UI to authenticate users; Proxies WS-*/SOAP protocols for passive (dumb) clients
      • Web Server SSO Agent: Enforces user authentication; Creates user authorization context
      • Note: SSO Agent, LS & FS require IISv6-W2K03; LS and FS can be co-located; Supports W2K or W2K03 forests
  • 14. Windows 2003 AzMan: Roles based access control (RBAC)
      • Policy Definitions: Global app groups; Applications: Roles, Tasks, Operations, Role assignments, Scopes, App groups, BizRules
      • Policy Store: Active Directory or XML (Files, SQL); Role definitions; Role assignment
      • Authorization Administration Manager: Common Management UI
      • Authorization API (.NET Framework); IIS6 URL Authorization; Business Process Applications (E-Commerce, LOB Applications, …)
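The AzMan policy model on slide 14 (operations grouped into tasks, tasks into roles, roles assigned to users or application groups, either application-wide or inside one scope) is easiest to see as an access-check routine over such a policy. The Go program below is an added example written for this page; it is not the AzMan API or any Microsoft code. The policy names (FileExpense, Manager, Sales, AllStaff and so on) and the struct fields are constructed for the illustration, and BizRules (scripted checks) are left out.

```go
package main

import "fmt"

// Policy holds the AzMan policy-store objects the slide lists. Operations are the
// atomic permissions an application checks; tasks group operations (and other tasks);
// roles group tasks; role assignments bind a role to users or application groups,
// either application-wide or inside one scope. BizRules are left out.
type Policy struct {
	Operations  map[string]bool     // declared operation names
	Tasks       map[string][]string // task -> operations or nested tasks
	Roles       map[string][]string // role -> tasks or operations
	Groups      map[string][]string // application group -> members (users or groups)
	Assignments []RoleAssignment
}

// RoleAssignment grants Role to Members; an empty Scope means application-wide.
type RoleAssignment struct {
	Scope   string
	Role    string
	Members []string
}

// memberOf follows nested groups; seen guards against a cyclic group definition.
func (p Policy) memberOf(user, group string, seen map[string]bool) bool {
	if seen[group] {
		return false
	}
	seen[group] = true
	for _, m := range p.Groups[group] {
		if m == user || p.memberOf(user, m, seen) {
			return true
		}
	}
	return false
}

// expand adds every declared operation reachable from item (a role, task or operation).
func (p Policy) expand(item string, out, seen map[string]bool) {
	if seen[item] {
		return
	}
	seen[item] = true
	switch {
	case p.Tasks[item] != nil:
		for _, c := range p.Tasks[item] {
			p.expand(c, out, seen)
		}
	case p.Roles[item] != nil:
		for _, c := range p.Roles[item] {
			p.expand(c, out, seen)
		}
	case p.Operations[item]:
		out[item] = true
	}
	// anything else is an undeclared name and grants nothing
}

// AccessCheck answers the application's question: may user perform operation in scope?
// Application-wide assignments apply in every scope; scoped ones only in their own.
func (p Policy) AccessCheck(user, scope, operation string) bool {
	allowed := map[string]bool{}
	for _, a := range p.Assignments {
		if a.Scope != "" && a.Scope != scope {
			continue
		}
		for _, m := range a.Members {
			if m == user || p.memberOf(user, m, map[string]bool{}) {
				p.expand(a.Role, allowed, map[string]bool{})
				break
			}
		}
	}
	return allowed[operation]
}

// SamplePolicy is a constructed expense application: every name in it is invented for the example.
func SamplePolicy() Policy {
	return Policy{
		Operations: map[string]bool{"SubmitExpense": true, "ViewReport": true, "ApproveExpense": true},
		Tasks: map[string][]string{
			"FileExpense":    {"SubmitExpense", "ViewReport"},
			"ManageExpenses": {"FileExpense", "ApproveExpense"}, // nests another task
		},
		Roles:  map[string][]string{"Employee": {"FileExpense"}, "Manager": {"ManageExpenses"}},
		Groups: map[string][]string{"AllStaff": {"alice", "bob"}, "SalesManagers": {"alice"}},
		Assignments: []RoleAssignment{
			{Scope: "", Role: "Employee", Members: []string{"AllStaff"}},         // application-wide
			{Scope: "Sales", Role: "Manager", Members: []string{"SalesManagers"}}, // one scope only
		},
	}
}

func main() {
	p := SamplePolicy()
	for _, q := range [][3]string{{"bob", "Sales", "SubmitExpense"}, {"bob", "Sales", "ApproveExpense"},
		{"alice", "Sales", "ApproveExpense"}, {"alice", "Marketing", "ApproveExpense"}} {
		fmt.Printf("%s / %s / %s -> %v\n", q[0], q[1], q[2], p.AccessCheck(q[0], q[1], q[2]))
	}
}
```

Two design points carry over from the slide: the check resolves membership through nested application groups with a visited set, so a mis-defined group cycle cannot hang the authorization call, and an operation the store never declared is never granted, whichever task or role mentions it.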
  • 15. Discussion: Where do I extend and where do I Federate? Today Integrate; Tomorrow Integrate and/or Federate (diagram: Extend)
  • 16. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
  • 17. Active Directory Federation Service Architecture (same content as slide 13)
  • 18. Federation Service: ASP.NET-hosted service running on IISv6 - W2K03 Server
      • User authentication: Validates ID/Password via LDAP Bind for Forms-based Logon
      • Security token generation: Retrieves user attributes for claim generation from AD (or ADAM) via LDAP search; Transforms claims (if required) between internal & federation namespaces; Builds security token & returns to LS via WS-* SOAP messages; Builds “User SSO” cookie contents for LS
      • Policy management: Establishes authority to issue security tokens by PKI-based key distribution; Defines supported token/claim types; Manages trust and defines shared namespace for Federated security realms
  • 19. Logon Service: ASP.NET-hosted service running on IISv6 - W2K03 Server
      • User authentication: Provides UI for Home Realm Discovery & Forms-based Logon; Authenticates users for Windows integrated authN (SSL, Kerberos, NTLM); Writes “User SSO” cookie to Browser (similar to Kerberos TGT)
      • Security token generation: Requests security token from FS via WS-* SOAP messages; Returns token to web server via “POST redirect” through Browser
  • 20. Web Server SSO Agent
      • ISAPI extension for IISv6 (need functional equivalent for Unix/Linux). User authentication: Intercepts URL GET requests & redirects un-authenticated clients to LS; Writes “Web Server SSO” cookie to Browser (like Kerberos service ticket)
      • Windows Service. User authorization: Creates NT Token for impersonation (AD users only)
      • Managed Web Module (need functional equivalent for Unix/Linux). Security token processing: Validates user’s security token and parses claims in token. User authorization: Populates ASP.NET IPrincipal context from claims to support IsInRole(); Provides raw claims to application
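Slides 11, 18, 19 and 20 together describe the token path: the Federation Service transforms internal attributes into claims and signs the token with the realm's private key (whose public half reached the partner through PKI-based key distribution), the Logon Service posts the token through the browser, and the Web Server SSO Agent validates the signature and parses the claims into an IPrincipal context. The Go program below is an added example written for this page, not AD FS code: it uses a JSON body with an RSA PKCS#1 v1.5 signature in place of SAML 1.1 tokens and WS-* messages, carries only role claims, and every realm name, group name, audience URI and role value in it is constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TokenBody is the signed content. Field names are this example's own, not SAML 1.1 elements;
// the only claim type carried is "role", the output of the FS claim transformation.
type TokenBody struct {
	Issuer   string   `json:"issuer"`   // account realm vouching for the user
	Audience string   `json:"audience"` // application the token is meant for
	Subject  string   `json:"subject"`
	Expires  int64    `json:"expires"` // Unix seconds
	Roles    []string `json:"roles"`
}

// IsInRole is the question the ASP.NET IPrincipal answers from the parsed claims.
func (b *TokenBody) IsInRole(role string) bool {
	for _, r := range b.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// FederationService plays the account-side FS: the realm signing key plus the claim
// transformation from internal group names to the role values shared with the partner.
type FederationService struct {
	Realm    string
	Key      *rsa.PrivateKey
	ClaimMap map[string]string
}

// NewRealmKey generates the realm's RSA signing key; its public half is what partners receive.
func NewRealmKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueToken maps groups to role claims (unmapped groups are not disclosed) and signs the body.
func (fs *FederationService) IssueToken(subject, audience string, groups []string, ttl time.Duration) (body, sig []byte, err error) {
	var roles []string
	for _, g := range groups {
		if v, ok := fs.ClaimMap[g]; ok {
			roles = append(roles, v)
		}
	}
	body, err = json.Marshal(TokenBody{Issuer: fs.Realm, Audience: audience, Subject: subject,
		Expires: time.Now().Add(ttl).Unix(), Roles: roles})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, fs.Key, crypto.SHA256, digest[:])
	return body, sig, err
}

// WebAgent plays the resource-side SSO agent: trusted partner keys plus the audience it protects.
type WebAgent struct {
	Audience string
	Trusted  map[string]*rsa.PublicKey // issuer realm -> public key received out of band
}

// Validate checks issuer trust, signature, audience and lifetime, in that order, before any claim is believed.
func (wa *WebAgent) Validate(body, sig []byte, now time.Time) (*TokenBody, error) {
	var tb TokenBody
	if err := json.Unmarshal(body, &tb); err != nil {
		return nil, err
	}
	pub, ok := wa.Trusted[tb.Issuer]
	if !ok {
		return nil, errors.New("issuer is not a trusted partner")
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not match the token body")
	}
	if tb.Audience != wa.Audience {
		return nil, errors.New("token was issued for a different application")
	}
	if !now.Before(time.Unix(tb.Expires, 0)) {
		return nil, errors.New("token has expired")
	}
	return &tb, nil
}

func main() {
	key, err := NewRealmKey()
	if err != nil {
		panic(err)
	}
	// Realm, group, audience and role names are constructed for the demonstration.
	fs := &FederationService{Realm: "urn:example:contoso", Key: key, ClaimMap: map[string]string{`CONTOSO\Purchasing`: "Purchaser"}}
	agent := &WebAgent{Audience: "urn:example:supplier-b", Trusted: map[string]*rsa.PublicKey{fs.Realm: &key.PublicKey}}
	body, sig, _ := fs.IssueToken("jane", agent.Audience, []string{`CONTOSO\Purchasing`, `CONTOSO\Payroll`}, time.Hour)
	p, err := agent.Validate(body, sig, time.Now())
	fmt.Println(err, p != nil && p.IsInRole("Purchaser"), p != nil && p.IsInRole("Payroll")) // <nil> true false
}
```

The agent refuses a token whose issuer key it does not hold, whose signature does not cover the exact body it received, whose audience names another application, or whose lifetime has elapsed; only then are the claims turned into roles. The unmapped Payroll group never leaves the account realm, which is the point of the FS claim transformation on slide 18.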
  • 21. Active Directory Roles: On Windows Server 2008, Active Directory-related roles have been separated into distinct functions: Active Directory Domain Services (AD DS); Active Directory Certificate Services (AD CS); Active Directory Federation Services (AD FS); Active Directory Lightweight Directory Services (AD LDS); Active Directory Rights Management Services (AD RMS)
  • 22. Active Directory Federation Services
  • 23. Active Directory Federation Services (AD FS): a Windows Server® 2008 role that lets you build identity solutions that are: secure; highly flexible; multi-platform; for Windows and non-Windows environments alike; across the Internet.
  • 24. Identity management beyond the organization’s boundaries: an identity and access management solution; gives Web browser-based clients a transparent "one-time" sign-on to one or more protected applications reachable from the Internet; across completely different and independent networks.
  • 25. Secondary credentials??? AD FS makes them unnecessary because: it allows trust relationships to be established; it projects digital identity and access rights to trusted partners; in a federated environment each organization keeps control of its own set of identities; it allows a secure exchange of identities from external organizations; it eases administration; it improves the user experience.
  • 26. What’s new in Windows Server 2008: new functionality that does not exist in Windows Server 2003 R2, which eases administration and extends the support available to a number of key applications: Improved installation: AD FS is included in Windows Server 2008 as a server role; AD FS integrates more tightly with Microsoft Office SharePoint® Server 2007 and with Active Directory Rights
  • 27. With ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust. The ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one
  • 28. An easier installation as a server role with all the necessary services being automatically installed with the role itself (such as ASP.Net and IIS); Tighter integration with Active Directory RMS (Rights Management Services); ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single-sign-on configuration for both intranet and extranet/Internet sites
  • 29. ADFS configuration is not so simple. Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design reading alone can take forever because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on
  • 30. Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization: Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access
  • 31. AD FS role services: The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications. Depending on your organization's requirements, you can deploy servers running any one of the following AD FS
  • 32. Installing the AD FS role: After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.
  • 33. Managing the AD FS role: You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.
  • 34. Who will be interested in this feature? AD FS is designed to be deployed in medium to large organizations that have the following: At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
  • 35. Are there any special considerations? If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts. AD FS uses the Network Service account
  • 36. What new functionality does this feature provide? For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications: Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
  • 37. Improved installation: AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager. You can use improved AD FS configuration wizard pages to perform server validation checks before you
  • 38. Improved application support: AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
  • 39. Integration with Office SharePoint Server 2007: Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using
  • 40. Integration with AD RMS: AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a
  • 41. Better administrative experience when establishing federated trusts: In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Indicators (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the
  • 42. http://technet.microsoft.com/en-us/library/cc772313(WS.10).aspx
  • 43. What settings have been added or changed? You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.
  • 44. AD FS Deployment Guide: http://technet.microsoft.com/en-us/library/cc771833(WS.10).aspx
  • 45. AD FS Design Guide: http://technet.microsoft.com/en-us/library/cc755132(WS.10).aspx
  • 46. http://www.google.com.ec/imgres?imgurl=http://blog.fpweb.net/wp-content/uploads/2009/02/federated-14.gif&imgrefurl=http://blog.fpweb.net/federated-identity-and-microsoft-adfs-illustrated/&usg=__mHc8qi8qn9Tx7JY3HS5BUhpBQTw=&h=250&w=400&sz=11&hl=es&start=15&um=1&itbs=1&tbnid=zbd94rEJw2rDNM:&tbnh=78&tbnw=124&prev=/images%3Fq%3DActive%2BDirectory%2BFederation%2BServices%26um%3D1%26hl%3Des
