
Ad fs


A very quick presentation, and therefore never finished, about Windows Server Federation Services in Windows Server 2008; although it has many flaws in how the information is used, such as mixing languages or cramming too much data onto a slide, it can serve as the basis for a better presentation.

  • Slide notes: © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


  • 1. Integration of Directories and Federation. Javier Vasquez, Senior Technology Specialist, Federal Platforms Team, Microsoft
  • 2. Where it all began
    • Infrastructure Directories
      • StreetTalk
      • NDS
      • AD
    • Application Specific Directories
      • X.500
      • LDAP
      • AD/AM
    • Good for Enterprises
    • Hard to Federate
  • 3. Windows IdM Active Directory – Foundation for Identity Management
    • Central Repository for:
    • User Accounts & Attributes
    • System Accounts & Attributes
    • Organizational & Security Groups
    • Application & Service Locations
    • Management Policy
    • Security Policy
    • Digital Certificates
    • Network Access Permissions
    • Printer Locations
    • File Shares Locations
    • Integrated Security
    • Kerberos v5
    • Mac OS Kerberos PAM
    • x.509 Certificates (PKI)
    • Security Domain
    • Directory Access Protocols
    • LDAP v3 – Standards-based access
    • ADSI – Simple COM-based Interface
    • DSML – XML Interface
    http://www.microsoft.com/business/security/access/whpaper.mspx
  • 4. Reduced Enterprise Sign-on Extending Windows SSO Logon to AD
    • Services for UNIX
    • NIS Server for AD
    • NIS-AD directory sync
    • Password synchronization
    • User name mapping
    • Host Integration Server
    • Windows to RACF accounts
    • Windows to OS/400 Security System
    • Bi-Directional Password Synchronization
    • Kerberos
    • Native AuthN protocol
    • MIT v5 Compliant
    • Carries group info in PAC
    • Windows PAC is open
    • SCO, Vintela, Java SSO through Windows
    [Diagram: UNIX, 390/AS400 and Kerberos application clients authenticating through Active Directory]
  • 5. Reduced Enterprise IdM LDAP Authentication & Directory Integration
    • Integrate LDAP with AD
    • LDAP v3 compliant
    • Single AD and LDAP user account
    • AD/AM for personalization data
    • Microsoft Identity Integration Server
    • Directory synchronization
      • LDAP (eg SunONE & others)
      • Relational databases
      • DSML
      • Application specific
    • Account Provisioning
      • Automate account creation
      • Automate account de-provisioning
    • Password Management (MIIS 2003)
      • Self-service password reset
    • Certificate Management
    [Diagram: MIIS 2003 synchronizing the account directory with LDAP, SQL, Exchange, enterprise applications, web services, file shares and Active Directory]
  • 6. Extending Active Directory
    • Newer concepts
      • ADAM
      • DSML gateway
      • Distributed IdM Web Services
  • 7. ADAM - Integrating extended LDAP app with AD
    • Store app data without extending infra DS schema
    • App data keyed off identifier from infra directory
    • Maintain central user repository!
    [Diagram: the web app stores and retrieves portal-specific data in a “shadow” ADAM instance (left), while the user object and data shared by all apps stay in the infrastructure Active Directory (right)]
  • 8. Extending Infrastructure AD with DSML
    [Diagram: DSML request posted to the gateway URL; transport can be SOAP over HTTP; the gateway performs the DS access]
  • 9. Distributed IdM technologies
    • How do we distribute IdM services?
    • ADFS and AZ-Manager
  • 10. Web Services Security: WS-Security and Liberty Alliance
    • Rich application stack vs. IdM stack
    • Liberty Alliance: ID-FF (Identity Federation Framework) and ID-WSF (Web Services Framework)
    • WS-*: “Security in a Web Services World” (IBM/MSFT white paper); WS-Security specification ratified April 2004
    [Diagram: WS-* stack on a SOAP foundation: Security, Policy, Trust, Privacy, SecureConversation, Federation, Authorization; today's web services applications sit on top]
  • 11. The Vision and Future of SSO: B2B Federated Single Sign-on
    [Diagram: user authenticates to the intranet with a security token (e.g. a Kerberos ticket); Supplier A requires XrML, Supplier B requires SAML]
    • Supplier A (requires XrML):
      • ADFS creates XrML token
      • Signs it with company’s private key
      • Sends it back to the user
      • User accesses Supplier A with the token
    • Supplier B (requires SAML):
      • ADFS creates SAML token
      • Signs it with company’s private key
      • Sends the token back to the user
      • User accesses Supplier B using the token
    [Diagram: Active Directory, ADFS, Exchange, web services, collaboration and intranet applications inside the enterprise (user account/credentials, security token); WS-Security applications at Supplier A and Supplier B]
  • 12. ADFS Logon Server
    [Diagram: a rich client speaks SOAP directly; the Logon Server proxies for browsers; ADFS issues the security token, carried in a security message]
    • User authenticates to Logon server (forms based)
      • ADFS validates credentials with Active Directory
    • ADFS creates the requested security token
      • Logon server returns token to client
    • Client forwards token to web front end
    • Front end sends WS-Security msg with token to web service
    [Diagram: web-based Logon Server, Active Directory, web front end and web service]
  • 13. Active Directory Federation Service Architecture
    • Federation Service (FS)
    • Issues security tokens for users
    • Manages policy between federated security realms
    • Logon Service (LS)
    • Provides UI to authenticate users
    • Proxies WS-*/SOAP protocols for passive (dumb) clients
    • Web Server SSO Agent
    • Enforces user authentication
    • Creates user authorization context
    • Note:
    • SSO Agent, LS & FS require IISv6-W2K03
    • LS and FS can be co-located
    • Supports W2K or W2K03 forests
  • 14. Windows 2003 AzMan: role-based access control (RBAC), Authorization API, IIS6 URL Authorization
    • Policy Definitions
    • Global app groups
    • Applications
      • Roles
      • Tasks
      • Operations
      • Role assignments
      • Scopes
      • App groups
      • BizRules
    [Diagram: business process applications (e-commerce, LOB applications, ...) call the Authorization API from the .NET Framework; the Authorization Manager's common management UI administers role definitions and role assignments in a policy store held in Active Directory or XML (files, SQL)]
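The slide names the AzMan policy objects (operations, tasks, roles, role assignments, scopes, app groups, BizRules) without showing how an access check combines them. The following is an added example in Python, not code from the presentation or from AzMan itself: a deny-by-default access check over an AzMan-shaped policy store. Operations are grouped into tasks, tasks into roles, roles are assigned to application groups per scope (with an application-wide scope as fallback), and a role may carry a BizRule evaluated against the request context. The sample policy, group names and the 10k approval cap are constructed for illustration.

```python
"""Added example: AzMan-style RBAC evaluation (constructed policy, not from the slides)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class AzPolicy:
    operations: Set[str]                        # low-level operations the application asks about
    tasks: Dict[str, Set[str]]                  # task -> operations and/or nested tasks
    roles: Dict[str, Set[str]]                  # role -> tasks and/or operations
    app_groups: Dict[str, Set[str]]             # application group -> member Windows groups
    assignments: Dict[Optional[str], Dict[str, Set[str]]]  # scope (None = whole app) -> role -> app groups
    bizrules: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)  # role -> rule(context)


def expand_task(policy: AzPolicy, name: str, _stack=()) -> Set[str]:
    """Flatten a task (tasks may nest) into concrete operations; reject cycles and unknown names."""
    if name in policy.operations:
        return {name}
    if name in _stack:
        raise ValueError(f"task cycle through {name!r}")
    if name not in policy.tasks:
        raise ValueError(f"undefined task or operation {name!r}")
    ops: Set[str] = set()
    for member in policy.tasks[name]:
        ops |= expand_task(policy, member, _stack + (name,))
    return ops


def role_operations(policy: AzPolicy, role: str) -> Set[str]:
    """All operations a role ultimately grants."""
    ops: Set[str] = set()
    for member in policy.roles[role]:
        ops |= expand_task(policy, member)
    return ops


def validate_policy(policy: AzPolicy) -> list:
    """List problems (cycles, undefined members, assignments to unknown roles); [] means consistent."""
    problems = []
    for role in policy.roles:
        try:
            role_operations(policy, role)
        except ValueError as exc:
            problems.append(f"role {role!r}: {exc}")
    for scope, roles in policy.assignments.items():
        for role in roles:
            if role not in policy.roles:
                problems.append(f"scope {scope!r} assigns undefined role {role!r}")
    return problems


def access_check(policy, user_groups, scope, operation, context=None) -> bool:
    """Deny by default. Grant only if a role assigned in this scope (or application-wide) grants
    the operation, the user is in one of that role's app groups, and the role's BizRule passes."""
    if operation not in policy.operations:
        return False                            # an operation the policy never defined is never granted
    context = context or {}
    groups = set(user_groups)
    for s in (scope, None):                     # scope-specific assignments first, then application-wide
        for role, assigned_app_groups in policy.assignments.get(s, {}).items():
            members = set().union(*(policy.app_groups.get(g, set()) for g in assigned_app_groups))
            if not (groups & members):
                continue
            if operation not in role_operations(policy, role):
                continue
            rule = policy.bizrules.get(role)
            if rule is not None and not rule(context):
                continue                        # right role, but the business rule vetoes this request
            return True
    return False


# Constructed sample policy store (assumption; not from the presentation)
SAMPLE = AzPolicy(
    operations={"ReadOrder", "ApproveOrder", "DeleteOrder"},
    tasks={"ReviewOrder": {"ReadOrder"},
           "ManageOrder": {"ReviewOrder", "ApproveOrder", "DeleteOrder"}},
    roles={"Clerk": {"ReviewOrder"}, "Approver": {"ManageOrder"}},
    app_groups={"AllStaff": {"CONTOSO\\Staff", "CONTOSO\\East-Managers"},
                "EastManagers": {"CONTOSO\\East-Managers"}},
    assignments={None: {"Clerk": {"AllStaff"}},
                 "Region-East": {"Approver": {"EastManagers"}}},
    bizrules={"Approver": lambda ctx: ctx.get("amount", 0) <= 10_000},  # approvals capped at 10k
)

if __name__ == "__main__":
    print(validate_policy(SAMPLE))
    print(access_check(SAMPLE, ["CONTOSO\\East-Managers"], "Region-East", "ApproveOrder", {"amount": 5_000}))
```

Two points worth noticing: a role assigned only in the Region-East scope grants nothing in Region-West, and the BizRule runs on every check, so the same Approver can approve a 5,000 order and be refused a 50,000 one without any change to role membership. Run validate_policy() whenever the store changes; a cycle or a dangling assignment should fail deployment rather than surface as a runtime exception on a user's request.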
  • 15. Discussion
    • Where do I extend and where do I Federate?
      • Today Integrate; Tomorrow Integrate and/or Federate
  • 16. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
  • 18. Federation Service
    • ASP.NET-hosted service running on IISv6 - W2K03 Server
    • User authentication
      • Validates ID/Password via LDAP Bind for Forms-based Logon
    • Security token generation
      • Retrieves user attributes for claim generation from AD (or ADAM) via LDAP search
      • Transforms claims (if required) between internal & federation namespaces
      • Builds security token & Returns to LS via WS-* SOAP messages
      • Builds “User SSO” cookie contents for LS
    • Policy management
      • Establishes authority to issue security tokens by PKI-based key distribution
      • Defines supported token/claim types
      • Manages trust and defines shared namespace for Federated security realms
  • 19. Logon Service
    • ASP.NET-hosted service running on IISv6 - W2K03 Server
    • User authentication
      • Provides UI for Home Realm Discovery & Forms-based Logon
      • Authenticates users for Windows integrated authN (SSL, Kerberos, NTLM)
      • Writes “User SSO” cookie to Browser (similar to Kerberos TGT)
    • Security token generation
      • Requests security token from FS via WS-* SOAP messages
      • Returns token to web server via “POST redirect” through Browser
  • 20. Web Server SSO Agent
    • ISAPI extension for IISv6 (Need functional equivalent for Unix/Linux)
    • User authentication
      • Intercepts URL GET requests & Redirects un-authenticated clients to LS
      • Writes “Web Server SSO” cookie to Browser (like Kerberos service ticket)
    • Windows Service
    • User authorization
      • Creates NT Token for impersonation (AD users only)
    • Managed Web Module (Need functional equivalent for Unix/Linux)
    • Security token processing
      • Validates user’s security token and parses claims in token
    • User authorization
      • Populates ASP.NET IPrincipal context from claims to support IsInRole()
      • Provides raw claims to application
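Slides 11, 12 and 18 to 20 describe one flow: the account partner's Federation Service pulls attributes from AD, transforms claims between the internal and federation namespaces, signs a token, and the resource partner's web agent validates that token and turns its claims into roles for IsInRole(). The following is an added example in Python (stdlib only), not code from the presentation or from AD FS, that walks that flow end to end and exercises the rejections the resource side must enforce. Assumption to keep it self-contained: the real product signs with the partner's private key and the resource partner verifies against the partner's verification certificate; here one HMAC-SHA256 key per trusted issuer stands in for that key pair. Realm URIs, the key, the claim mappings and the user are constructed.

```python
"""Added example: federation token issue/validate flow with claim transformation (constructed)."""
import base64
import hashlib
import hmac
import json
import time

ACCOUNT_REALM = "urn:federation:contoso"       # account partner FS URI (constructed)
RESOURCE_REALM = "urn:federation:supplier-b"   # this resource partner's realm (constructed)
PARTNER_KEY = b"constructed-partner-key"       # HMAC stand-in for the partner's signing key / verification cert
TOKEN_LIFETIME = 600                           # seconds

# Outgoing transformation: internal AD group -> organizational (federation) claim.
# None marks a group as internal only; it is never exported to a partner.
OUTGOING_CLAIM_MAP = {"CONTOSO\\Purchasing": "Purchaser", "CONTOSO\\Domain Admins": None}
# Incoming transformation on the resource side: federation claim -> local application role.
INCOMING_CLAIM_MAP = {"Purchaser": "OrderApprover"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(upn, ad_groups, audience, now=None) -> str:
    """Account partner FS: claims from AD attributes, mapped to the federation namespace, then signed."""
    now = time.time() if now is None else now
    groups = sorted(OUTGOING_CLAIM_MAP[g] for g in ad_groups if OUTGOING_CLAIM_MAP.get(g))
    body = {"iss": ACCOUNT_REALM, "aud": audience, "nbf": int(now), "exp": int(now) + TOKEN_LIFETIME,
            "claims": {"upn": upn, "group": groups}}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(PARTNER_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def validate_token(token, trusted_issuers, my_realm, now=None):
    """Resource partner web agent: returns a principal dict, or None on any failure.
    Look up the issuer's key, verify the signature over the exact signed bytes, and only
    then trust the audience and validity window carried inside the token."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
        body = json.loads(payload)
        key = trusted_issuers.get(body["iss"])
        if key is None:
            return None                                   # issuer is not a trusted account partner
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
            return None                                   # tampered or forged
        if body["aud"] != my_realm:
            return None                                   # issued for a different resource partner
        if not (body["nbf"] <= now < body["exp"]):
            return None                                   # outside validity window
        roles = {INCOMING_CLAIM_MAP[g] for g in body["claims"]["group"] if g in INCOMING_CLAIM_MAP}
        return {"upn": body["claims"]["upn"], "roles": roles}
    except (ValueError, KeyError, TypeError):
        return None                                       # malformed token


def is_in_role(principal, role) -> bool:
    """What the IPrincipal.IsInRole() call on slide 20 boils down to."""
    return principal is not None and role in principal["roles"]


def demo(now=1_000_000) -> dict:
    """Happy path plus the rejections a resource partner must enforce."""
    trusted = {ACCOUNT_REALM: PARTNER_KEY}
    token = issue_token("alice@contoso.com",
                        ["CONTOSO\\Purchasing", "CONTOSO\\Domain Admins"], RESOURCE_REALM, now)
    # Attacker re-targets the token at another supplier but keeps the original signature.
    payload_b64, sig_b64 = token.split(".")
    body = json.loads(b64url_decode(payload_b64))
    body["aud"] = "urn:federation:supplier-a"
    retargeted = b64url_encode(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64
    return {
        "ok": validate_token(token, trusted, RESOURCE_REALM, now + 1),
        "retargeted": validate_token(retargeted, trusted, "urn:federation:supplier-a", now + 1),
        "wrong_audience": validate_token(token, trusted, "urn:federation:supplier-a", now + 1),
        "expired": validate_token(token, trusted, RESOURCE_REALM, now + TOKEN_LIFETIME),
        "untrusted_issuer": validate_token(token, {"urn:federation:fabrikam": PARTNER_KEY}, RESOURCE_REALM, now + 1),
        "garbage": validate_token("not.a.token", trusted, RESOURCE_REALM, now + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The claim transformation is the security-relevant step: "Domain Admins" never leaves the account organization because its outgoing mapping is None, and the resource side only honours claims it has an incoming mapping for, so a partner cannot mint roles in your application by inventing claim names. The audience check is what stops a token issued for Supplier A from being replayed at Supplier B, and the signature is checked before anything inside the token is believed.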
  • 21. Active Directory Roles
    • On Windows Server 2008, Active Directory-related roles have been separated into distinct functions:
      • Active Directory Domain Services (AD DS)
      • Active Directory Certificate Services (AD CS)
      • Active Directory Federation Services (AD FS)
      • Active Directory Lightweight Directory Services (AD LDS)
      • Active Directory Rights Management Services (AD RMS)
  • 22. Active Directory Federation Services
  • 23. Active Directory Federation Services (AD FS)
    • A Windows Server® 2008 role that lets you build identity solutions that are:
    • secure
    • highly flexible
    • multi-platform
    • for Windows and non-Windows environments
    • across the Internet.
  • 24. Identity management beyond the organization's boundaries
    • An identity and access management solution
    • lets web browser clients sign in transparently, "once", to one or more protected applications reachable from the Internet
    • across completely different and independent networks.
  • 25. Secondary credentials???
    • AD FS makes them unnecessary because it:
    • lets you establish trust relationships
    • projects digital identity and access rights to trusted partners.
    • In a federated environment each organization keeps control of its own set of identities,
    • allows a secure exchange of identities with external organizations
    • eases administration
    • improves the user experience.
  • 26. What's new in Windows Server 2008
    • New functionality that did not exist in Windows Server 2003 R2, easing administration and extending support to a set of key applications:
    • Improved installation: AD FS ships in Windows Server 2008 as a server role
    • AD FS integrates more tightly with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).
    • A better administrative experience when establishing federated trusts: improved trust-policy import and export functionality helps eliminate many of the configuration problems that commonly arise when federating between organizations.
  • 27.
    • With ADFS, each company manages its own identities, but within a federated environment each company can accept identities from the other and grant them permissions and/or access. It all comes down to trust: the ability to trust accounts from another company without requiring a local account on your servers. This trust is called federated identity management and is the core of ADFS. The biggest concern, logically, is security: the federation traffic between the two organizations (the token travels through the user's browser) and the client's browser access are both SSL-encrypted.
    • It's important to mention that ADFS is only for Web-based applications (like SharePoint). It's really a solution only for allowing external business partners or clients to access your Web application, while still allowing the partner or client to manage their identities.
  • 28.
    • An easier installation as a server role with all the necessary services being automatically installed with the role itself such as ASP.Net and IIS)
    • Tighter integration with ActiveDirectory RMS (Rights Management Services)
    • ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single-sign-on configuration for both intranet and extranet/Internet sites
  • 29. ADFS configuration is not so simple
    • Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design reading alone can take forever because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on implementation with Forest Trust? Knowing your goal is the key to getting started.
    • The implementation side depends not only on your design solution but also on the Web application you are looking to provide access to. Is it a SharePoint, which already comes with claims-aware features, or will you create your own claims-aware application?
  • 30.
    • Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
    • Resource organization:  Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
    • Account organization:  Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization use later to make authorization decisions.
    • The process of authenticating to one network while accessing resources in another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO). AD FS provides a Web-based, SSO solution that authenticates users to multiple Web applications over the life of a single browser session.
  • 31.
    • AD FS role services
    • The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.
    • Depending on your organization's requirements, you can deploy servers running any one of the following AD FS role services:
    • Federation Service:  The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.
    • Federation Service Proxy:  The Federation Service Proxy is a proxy to the Federation Service in the perimeter network (also known as a demilitarized zone and screened subnet). The Federation Service Proxy uses WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user credential information from browser clients, and it sends the user credential information to the Federation Service on their behalf.
    • Claims-aware agent:  You use the claims-aware agent on a Web server that hosts a claims-aware application to allow the querying of AD FS security token claims. A claims-aware application is a Microsoft ASP.NET application that uses claims that are present in an AD FS security token to make authorization decisions and personalize applications. 
    • Windows token-based agent:  You use the Windows token-based agent on a Web server that hosts a Windows NT token-based application to support conversion from an AD FS security token to an impersonation-level, Windows NT access token. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms.
  • 32. Installing the AD FS role
    • After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.
  • 33.
    • Managing the AD FS role
    • You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.
    • To manage the Windows token-based agent, click Start, click Administrative Tools, click Internet Information Services (IIS) Manager, and then click Connect to localhost.
  • 34.
    • Who will be interested in this feature?
    • AD FS is designed to be deployed in medium to large organizations that have the following:
    • At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM)) 
    • Computers running various operating system platforms
    • Domain-joined computers
    • Computers that are connected to the Internet
    • One or more Web-based applications
    • Review this information, along with additional documentation about AD FS, if you are any of the following:
    • An information technology (IT) professional who is responsible for supporting an existing AD FS infrastructure
    • An IT planner, analyst, or architect who is evaluating identity federation products
  • 35. Are there any special considerations?
    • If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
    • AD FS uses the Network Service account as the default account for both the AD FS Web Agent Authentication Service and the identity of the ADFSAppPool application pool. If you manually configured one or more AD FS servers in your existing AD FS deployment to use a service account other than the default Network Service account, track which of the AD FS servers use these unique service accounts and record the user name and password for each service account.
    • When you upgrade a server to Windows Server 2008, the upgrade process automatically restores all service accounts to their original default values. Therefore, you must enter service account information again manually for each applicable server after Windows Server 2008 is fully installed.
  • 36. What new functionality does this feature provide?
    • For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
    • Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
    • Improved application support—AD FS is more tightly integrated with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).
    • A better administrative experience when you establish federated trusts—Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.
  • 37. Improved installation
    • AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use  Add or Remove Programs  to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.
    • You can use improved AD FS configuration wizard pages to perform server validation checks before you continue with the AD FS server role installation. In addition, Server Manager automatically lists and installs all the services that AD FS depends on during the AD FS server role installation. These services include Microsoft ASP.NET 2.0 and other services that are part of the Web Server (IIS) server role.
  • 38. Improved application support
    • AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
  • 39. Integration with Office SharePoint Server 2007
    • Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using membership and role-based access control. The membership and role providers that are included in this version of AD FS are for consumption only by Office SharePoint Server 2007.
  • 40. Integration with AD RMS
    • AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of AD RMS in both organizations.
  • 41. Better administrative experience when establishing federated trusts
    • In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the received data into the appropriate pages in the Add Partner Wizard, which can result in typographical errors. In addition, the manual process requires the account partner administrator to send a copy of the verification certificate for the federation server to the resource partner administrator so that the certificate can be added through the wizard.
    • Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.
    • By using the export and import features that are included with AD FS in Windows Server 2008, administrators can simply export their trust policy settings to an .xml file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings, and other values and the verification certificates that are necessary to create a federated trust between the two partner organizations.
  • 42.
    • http://technet.microsoft.com/en-us/library/cc772313(WS.10).aspx
  • 43. What settings have been added or changed?
    • You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.
  • 45. AD FS Deployment Guide
    • http://technet.microsoft.com/en-us/library/cc771833(WS.10).aspx
  • 46. AD FS Design Guide
    • http://technet.microsoft.com/en-us/library/cc755132(WS.10).aspx
  • 49. Image source: http://blog.fpweb.net/federated-identity-and-microsoft-adfs-illustrated/