Module 8
Implementing and Administering
AD FS
Module Overview
• Overview of AD FS
• Deploying AD FS
• Implementing AD FS for a Single Organization
• Deploying AD FS in a Business-to-Business
Federation Scenario
• Extending AD FS to External Clients
Lesson 1: Overview of AD FS
• What Is Identity Federation?
• What Is Claims-Based Identity?
• Web Services Overview
• What Is AD FS?
• How AD FS Enables SSO in a Single Organization
• How AD FS Enables SSO in a Business-to-Business
Federation
• How AD FS Enables SSO with Online Services
What Is Identity Federation?
Identity federation:
• Enables identification, authentication, and authorization
across organizational and platform boundaries
• Requires a federated trust relationship between two
organizations or entities
• Enables organizations to retain control over who can
access resources
• Enables organizations to retain control of their user and
group accounts
What Is Claims-Based Identity?
• Claims provide information about users
• Information is provided by the user’s identity provider,
and is accepted by the application provider
[Diagram: the identity provider's security token service issues a security token (outgoing claims); the application provider's application receives the token (incoming claims)]
Web Services Overview
Web services are a standardized set of
specifications used to build applications and
services
Web services typically:
• Transmit data as XML
• Use SOAP to define the XML message format
• Use WSDL to define valid SOAP messages
• Use UDDI to describe available web services
SAML is a standard for exchanging identity claims
What Is AD FS?
• AD FS is the Microsoft identity federation product; it
issues and consumes claims-based security tokens
• AD FS has the following features:
• SSO for web-based applications
• Interoperability with web services on multiple platforms
• Support for many clients, such as web browsers, mobile
devices, and applications
• Extensibility to support customized claims from third-party
applications
• Delegation of account management to the user’s organization
• Windows Server 2012 AD FS features:
• Integration with Dynamic Access Control (DAC)
• Windows PowerShell cmdlets for administration
How AD FS Enables SSO in a Single Organization
[Diagram: an external client reaches the federation server proxy in the perimeter network; the federation server, web server, and AD DS domain controller sit in the corporate network; the exchange is shown as numbered steps 1-8]
How AD FS Enables SSO in a Business-to-
Business Federation
[Diagram: at Trey Research, an internal client computer and the account federation server backed by AD DS; a federation trust to the resource federation server at A. Datum, which fronts the web server; the exchange is shown as numbered steps 1-11]
How AD FS Enables SSO with Online Services
[Diagram: on-premises, an internal client computer and the account federation server backed by AD DS; a federation trust to the Microsoft Online Services federation server, which fronts the Exchange Online Outlook Web App server; the exchange is shown as numbered steps 1-11]
Lesson 2: Deploying AD FS
• AD FS Components
• AD FS Prerequisites
• PKI and Certificate Requirements
• Federation Server Roles
• Demonstration: Installing the AD FS Server Role
AD FS Components
AD FS components:
• Federation server
• Federation server proxy
• Claims
• Claim rules
• Attribute store
• Claims providers
• Relying parties
• Claims provider trust
• Relying party trust
• Certificates
• Endpoints
AD FS Prerequisites
Successful AD FS deployment includes the
following critical infrastructure:
• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
• Compatible operating systems
Installation changes in Windows Server 2012 R2:
• IIS is not required
• No AD FS stand-alone federation server option; every deployment is a farm
PKI and Certificate Requirements
• Certificates used by AD FS:
• Service communication certificates
• Token-signing certificates
• Token-decrypting certificates
• When choosing certificates, ensure that the
service communication certificate is trusted by all
federation partners and clients
• If you use an internal CA then users must have
access to certificate revocation information
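Added example, not part of the course slides: a PowerShell check that inventories the three certificate roles on a federation server, flags certificates close to expiry, and builds the chain of the service communication certificate with online revocation checking, which is the check that fails when clients cannot reach the internal CA's CRL. It assumes it is run on a federation server with the ADFS module, and the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example (not course material). Run on a federation server.
Import-Module ADFS

$warnDays = 30   # assumption: warn when less than 30 days of validity remain

$report = foreach ($c in Get-AdfsCertificate) {
    $cert     = $c.Certificate
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # Only the service communication certificate has to chain to a root that
    # partners and clients trust, with reachable CRL/OCSP data. Token-signing
    # and token-decrypting certificates are self-signed by default; partners
    # trust those by the thumbprint published in federation metadata, so an
    # UntrustedRoot status would be expected for them and is not checked here.
    $chainOk = $true
    $status  = 'not checked (trusted by thumbprint via metadata)'
    if ($c.CertificateType -eq 'Service-Communications') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRL/OCSP as a client would
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chainOk = $chain.Build($cert)
        $status  = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object Status) -join ',' }
    }

    [pscustomobject]@{
        Role        = $c.CertificateType    # Service-Communications, Token-Signing, Token-Decrypting
        IsPrimary   = $c.IsPrimary
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        DaysLeft    = $daysLeft
        ChainStatus = $status
        Warn        = ($daysLeft -le $warnDays) -or (-not $chainOk)
    }
}
$report | Format-Table -AutoSize

# Token certificates are rotated by AD FS itself; confirm rollover is still on,
# otherwise the self-signed token-signing certificate silently expires.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateDuration,
    CertificateGenerationThreshold, CertificatePromotionThreshold
```

A chain status of RevocationStatusUnknown or OfflineRevocation on the service communication certificate is the symptom of the revocation problem described above: the certificate is fine, but the CRL distribution point is not reachable from where the check runs.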
Federation Server Roles
Claims provider federation server:
• Authenticates internal users
• Issues signed tokens containing user claims
Relying party federation server:
• Consumes tokens from the claims provider
• Issues tokens for application access
Federation server proxy:
• Is deployed in a perimeter network
• Provides a layer of security for internal federation
servers
Demonstration: Installing the AD FS Server Role
In this demonstration, you will see how to install
and configure the AD FS server role
Lesson 3: Implementing AD FS for a Single
Organization
• What Are AD FS Claims?
• What Are AD FS Claim Rules?
• What Is a Claims-Provider Trust?
• What Is a Relying-Party Trust?
• Demonstration: Configuring Claims Provider and
Relying Party Trusts
• What Are Authentication Policies?
• What Is Multifactor Authentication?
What Are AD FS Claims?
• Claims provide information about users from the
claims provider to the relying party
• AD FS:
• Provides a default set of built-in claims
• Enables the creation of custom claims
• Requires that each claim have a unique URI
• Claims can be:
• Retrieved from an attribute store
• Calculated based on retrieved values
• Transformed into alternate values
What Are AD FS Claim Rules?
• Claim rules define how claims are sent and
consumed by AD FS servers
• Claims provider rules are acceptance transform
rules
• Relying party rules can be:
• Issuance transform rules
• Issuance authorization rules
• Delegation authorization rules
• AD FS servers provide default claim rules,
templates, and a syntax for creating custom claim
rules
What Is a Claims-Provider Trust?
• Claims provider trusts:
• Are configured on the relying party federation server
• Identify the claims provider
• Configure the claim rules for the claims provider
• In a single-organization scenario, a claims provider
trust called Active Directory defines how AD DS user
credentials are processed
• Additional claims provider trusts can be configured by:
• Importing the federation metadata
• Importing a configuration file
• Configuring the trust manually
What Is a Relying-Party Trust?
• Relying party trusts:
• Are configured on the claims provider federation server
• Identify the relying party
• Configure the claim rules for the relying party
• In a single-organization scenario, a relying party
trust defines the connection to internal applications
• Additional relying party trusts can be configured by:
• Importing the federation metadata
• Importing a configuration file
• Manually configuring the trust
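Added example, not part of the course slides: creating both kinds of trust from federation metadata with the AD FS cmdlets rather than the wizard, then reading back what was imported. The application URL https://app.adatum.com and the partner federation service adfs.treyresearch.net are assumed names for illustration.

```powershell
# Added example (not course material). Run on the A. Datum federation server.
Import-Module ADFS

# Relying party trust for the internal claims-aware application (assumed URL).
# MonitoringEnabled/AutoUpdateEnabled keep the trust in sync with the app's
# published metadata, including its certificate rollovers.
Add-AdfsRelyingPartyTrust -Name 'Adatum Claims App' `
    -MetadataUrl 'https://app.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Claims provider trust for a partner (account) organization, assumed name.
Add-AdfsClaimsProviderTrust -Name 'Trey Research' `
    -MetadataUrl 'https://adfs.treyresearch.net/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Read back what was imported. The partner's token-signing certificate is what
# makes its claims trustworthy: record the thumbprint and confirm it with the
# partner out of band before any authorization rule relies on those claims.
$cp = Get-AdfsClaimsProviderTrust -Name 'Trey Research'
$cp | Select-Object Name, Identifier, Enabled, MonitoringEnabled, AutoUpdateEnabled
$cp.TokenSigningCertificates | Select-Object Subject, Thumbprint, NotAfter

$rp = Get-AdfsRelyingPartyTrust -Name 'Adatum Claims App'
$rp | Select-Object Name, Identifier, WSFedEndpoint, EncryptClaims, SignedSamlRequestsRequired
```

A relying party trust created this way has no issuance authorization rules, so AD FS denies every token request for it until a permit rule is added; that is a safer starting point than the wizard's "Permit all users" choice.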
Demonstration: Configuring Claims Provider and
Relying Party Trusts
In this demonstration, you will see how to:
• Configure a claims provider trust
• Configure a certificate for a web-based app
• Configure a WIF application for AD FS
• Configure a relying party trust
What Are Authentication Policies?
• Authentication methods can be configured for the
intranet or extranet
• Windows authentication
• Forms authentication
• Certificate authentication
What Is Multifactor Authentication?
• Multi-factor authentication requires an additional
factor for authentication
• Certificate authentication or third-party vendors
• Multi-factor authentication can apply to:
• Specific users or groups
• Registered or unregistered devices
• Intranet or extranet
• Windows Azure Multi-factor authentication uses the
following:
• Phone calls
• Text messages
• Mobile App
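Added example, not part of the course slides: setting the intranet and extranet primary authentication methods and an additional-authentication rule, written in the AD FS claim rule language, that demands a second factor only for requests that arrive from outside the corporate network on a device that has not been registered. The certificate provider is the built-in option; a third-party provider registers its own name. The claim types are the ones AD FS in Windows Server 2012 R2 issues itself; combining the two conditions into one rule is this example's own choice.

```powershell
# Added example (not course material). Run on a federation server.
Import-Module ADFS

# Primary authentication: integrated Windows authentication inside, forms
# outside, certificate as the additional (second-factor) provider.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication') `
    -AdditionalAuthenticationProvider @('CertificateAuthentication') `
    -DeviceAuthenticationEnabled $true

# Additional authentication rule. insidecorporatenetwork is set by AD FS itself
# (false when the request came through the proxy), and the device-context
# claims are issued only after device authentication succeeds, so a client
# cannot assert either of them.
$mfaRule = @'
@RuleName = "Require a second factor from unregistered devices on the extranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Verify the effective policy.
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider,
    PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider, DeviceAuthenticationEnabled
Get-AdfsAdditionalAuthenticationRule
```

Set-AdfsAdditionalAuthenticationRule replaces the global rule set; to require the second factor for one application only, put the same rule text on that trust with Set-AdfsRelyingPartyTrust -AdditionalAuthenticationRules instead.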
Lab A: Implementing AD FS
• Exercise 1: Installing and Configuring AD FS
• Exercise 2: Configuring an Internal Application for
AD FS
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 30 minutes
Lab Scenario
A. Datum Corporation has set up a variety of business
relationships with other companies and customers. Some
of these partner companies and customers must access
business applications that are running on the A. Datum
network. The business groups at A. Datum want to provide
a maximum level of functionality and access to these
companies. The Security and Operations departments
want to ensure that the partners and customers can access
only the resources to which they require access, and that
implementing the solution does not increase the workload
for the Operations team significantly. A. Datum also is
working on migrating some parts of its network
infrastructure to Microsoft Online Services, including
Windows Azure and Office 365.
Lab Scenario
To meet these business requirements, A. Datum plans to
implement AD FS. In the initial deployment, the company
plans to use AD FS to implement SSO for internal users who
access an application on a Web server.
As one of the senior network administrators at A. Datum, it
is your responsibility to implement the AD FS solution. As a
proof-of-concept, you plan to deploy a sample claims-
aware application, and you will configure AD FS to enable
internal users to access the application.
Lab Review
• Why was it important to configure
adfs.adatum.com to use as a host name for the
AD FS service?
• How can you test whether AD FS is functioning
properly?
Lesson 4: Deploying AD FS in a Business-to-
Business Federation Scenario
• Configuring an Account Partner
• Configuring a Resource Partner
• Configuring Claims Rules for Business-to-Business
Scenarios
• How Home Realm Discovery Works
• Demonstration: Configuring Claim Rules
Configuring an Account Partner
• An account partner is the claims provider in a
business-to-business federation scenario
To configure an account partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a relying party trust
4. Add a claim description
5. Prepare client computers for federation
Configuring a Resource Partner
• A resource partner is a relying party in a business-
to-business federation scenario
To configure a resource partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a claims provider trust
4. Create claim rule sets for the claims provider trust
Configuring Claims Rules for Business-to-
Business Scenarios
• Business-to-business scenarios may require more
complex claim rules than a single organization
• You can create claims rules by using the following
templates:
• Send LDAP Attributes as Claims
• Send Group Membership as a Claim
• Pass Through or Filter an Incoming Claim
• Transform an Incoming Claim
• Permit or Deny Users Based on an Incoming Claim
• You can also create custom rules by using the AD
FS claim rule language
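Added example, not part of the course slides: the claim rules a resource partner (A. Datum) would put in place for an account partner, written in the AD FS claim rule language and applied with PowerShell. It covers the pass-through/filter, transform, and permit templates named above: acceptance rules on the claims provider trust that forward only the claim types the application needs and only e-mail addresses in the partner's own domain, and an issuance authorization rule on the relying party trust that permits only users carrying the partner's group claim. The trust names 'Trey Research' and 'Adatum Claims App', the group value TreyResearch-AppUsers, and the treyresearch.net domain are assumed for illustration.

```powershell
# Added example (not course material). Run on the resource partner's federation server.
Import-Module ADFS

$email  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$group  = 'http://schemas.xmlsoap.org/claims/Group'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# Acceptance transform rules on the claims provider trust. Every incoming claim
# is discarded unless a rule here re-issues it, so this is where the partner's
# claims are filtered: only the two types the app uses, and only e-mail
# addresses in the partner's own domain, so a compromised or misconfigured
# partner cannot assert an identity in A. Datum's namespace.
$acceptanceRules = @"
@RuleName = "Pass through partner e-mail (treyresearch.net only)"
c:[Type == "$email", Value =~ "^(?i)[^@]+@treyresearch\.net`$"]
 => issue(claim = c);

@RuleName = "Pass through the one group claim the application uses"
c:[Type == "$group", Value == "TreyResearch-AppUsers"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'Trey Research' -AcceptanceTransformRules $acceptanceRules

# Issuance transform rules on the relying party trust: forward the (already
# filtered) claims to the application unchanged.
$issuanceRules = @"
@RuleName = "Pass through e-mail"
c:[Type == "$email"] => issue(claim = c);

@RuleName = "Pass through group"
c:[Type == "$group"] => issue(claim = c);
"@

# Issuance authorization rules: without an explicit permit claim AD FS denies
# the request, so only users who arrived with the partner group claim get a token.
$authzRules = @"
@RuleName = "Permit partner application users"
c:[Type == "$group", Value == "TreyResearch-AppUsers"]
 => issue(Type = "$permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName 'Adatum Claims App' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Review what is now in effect.
(Get-AdfsClaimsProviderTrust -Name 'Trey Research').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name 'Adatum Claims App').IssuanceAuthorizationRules
```

The authorization rule as written permits only partner users; internal A. Datum users of the same application need their own permit rule keyed on a claim from the built-in Active Directory claims provider, such as a groupsid claim.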
How Home Realm Discovery Works
• Home realm discovery identifies the AD FS server
responsible for providing claims about a user
• There are two methods for home realm discovery:
• Prompt users during their first authentication
• Include a WHR string in the application URL
• SAML applications can use a preconfigured profile
for home realm discovery
Demonstration: Configuring Claim Rules
In this demonstration, you will see how to configure
claim rules
Lesson 5: Extending AD FS to External Clients
• What Is Web Application Proxy?
• Configuring an Application for Web Application
Proxy
• Web Application Proxy and AD FS
• High Availability for AD FS
• Demonstration: Installing and Configuring Web
Application Proxy
• What Is Workplace Join?
• The Workplace Join Process
What Is Web Application Proxy?
• Web Application Proxy:
• Increases security for web-based applications and AD FS
• Is placed in a perimeter network
• Drops invalid requests
• Is independent of the web server software being used
• Is new in Windows Server 2012 R2
[Diagram: intranet application, Web Application Proxy, Internet]
Configuring an Application for Web Application
Proxy
• Preauthentication types:
• AD FS
• Pass-through
• URLs:
• External
• Backend server
• Certificates
[Diagram: intranet application, Web Application Proxy, Internet]
Web Application Proxy and AD FS
• Web Application Proxy is an AD FS proxy
• The same certificate is used on the AD FS server
and Web Application Proxy
• Split DNS allows the same name to resolve to
different IP addresses
[Diagram: Web Application Proxy, adfs.adatum.com, 10.10.0.100, facing the Internet; AD FS server, adfs.adatum.com, 172.16.0.21, on the corporate network]
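Added example, not part of the course slides: the PowerShell steps for installing Web Application Proxy on the perimeter host, checking the split-DNS assumption before establishing the proxy trust, and publishing an application with AD FS pre-authentication. The host name adfs.adatum.com and the address 10.10.0.100 follow the slide; the application name, its URL https://app.adatum.com, and the certificate subjects are assumed for illustration.

```powershell
# Added example (not course material). Run on the Web Application Proxy server,
# not on a federation server.

# 1. Role. The AD FS service communication certificate, with its private key,
#    must already be in the local machine store (exported as PFX from a
#    federation server and imported here).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$adfsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*adfs.adatum.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $adfsCert) { throw 'Service communication certificate for adfs.adatum.com not found in LocalMachine\My' }

# 2. Split DNS check. From the perimeter, adfs.adatum.com must resolve to the
#    internal federation server(s), not to the proxy's own public address,
#    otherwise the proxy loops back to itself.
$resolved = (Resolve-DnsName adfs.adatum.com -Type A).IPAddress
if ($resolved -contains '10.10.0.100') {
    throw 'adfs.adatum.com resolves to the proxy itself; fix the perimeter DNS or hosts entry'
}

# 3. Proxy trust with the federation service. The credential is an administrator
#    on the federation server and is used once, for the trust handshake.
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -CertificateThumbprint $adfsCert.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS server administrator')

# 4. Publish the application with AD FS pre-authentication: an external user must
#    obtain a token from AD FS before the proxy forwards anything to the backend.
#    Assumed: a certificate valid for app.adatum.com is also in LocalMachine\My.
$appCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*app.adatum.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'Adatum Claims App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Adatum Claims App' `
    -ExternalUrl 'https://app.adatum.com/' `
    -BackendServerUrl 'https://app.adatum.com/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

-ADFSRelyingPartyName must match the name of an existing relying party trust on the federation service; pass-through pre-authentication would instead hand unauthenticated requests straight to the backend and should be reserved for applications that authenticate on their own.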
High Availability for AD FS
[Diagram: corporate network: load balancer adfs.adatum.com 172.16.0.20 in front of AD FS servers adfs.adatum.com 172.16.0.21 and 172.16.0.22; perimeter network: load balancer adfs.adatum.com 10.10.0.100 in front of Web Application Proxy servers adfs.adatum.com 10.10.0.101 and 10.10.0.102]
Demonstration: Installing and Configuring Web
Application Proxy
In this demonstration, you will see how to:
• Install Web Application Proxy
• Export the certificate from the AD FS server
• Import the certificate to the Web Application Proxy
server
• Configure Web Application Proxy
What Is Workplace Join?
Workplace Join:
• Creates an object in AD DS for non-domain joined devices
• Works with Windows 8.1 and iOS devices
• Can control access to claims-aware applications
• Enables SSO for application access
Enabling Workplace Join
1. Enable-AdfsDeviceRegistration -PrepareActiveDirectory
2. Enable-AdfsDeviceRegistration
3. Enable Device Authentication in AD FS
The Workplace Join Process
• To perform a Workplace Join the service
communication certificate for AD FS must be trusted
by devices
Devices running Windows:
• Require a UPN for authentication
• Locate the Device Registration Service through the DNS name
enterpriseregistration.<UPN suffix> (for adatum.com UPNs,
enterpriseregistration.adatum.com)
• Devices running iOS use Safari to install a
configuration profile
• A certificate is placed on the device for authentication
Lab B: Implementing AD FS for External Partners
and Users
• Exercise 1: Configuring AD FS for a Federated
Business Partner
• Exercise 2: Configuring Web Application Proxy
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-SVR2, 20412C-TREY-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum Corporation has set up a variety of business
relationships with other companies and customers. Some
of these partner companies and customers must access
business applications that are running on the A. Datum
network. The business groups at A. Datum want to provide
a maximum level of functionality and access to these
companies. The Security and Operations departments
want to ensure that the partners and customers can access
only the resources to which they require access, and that
implementing the solution does not increase the workload
for the Operations team significantly. A. Datum also plans
to migrate some parts of its network infrastructure to
Microsoft Online Services, including Windows Azure and
Office 365.
Lab Scenario
Now that you have deployed AD FS for internal users, the
next step is to enable access to the same application for
external partner organizations and for external users. A.
Datum Corporation has entered into a partnership with Trey
Research. You need to ensure that Trey Research users can
access the internal application. You also need to ensure that
A. Datum Corporation users working outside the office can
access the application.
As one of the senior network administrators at A. Datum, it
is your responsibility to implement the AD FS solution. As a
proof-of-concept, you are deploying a sample claims-aware
application, and configuring AD FS to enable both Trey
Research users and external A. Datum Corporation users to
access the same application.
Lab Review
• Why would the need to configure certificate trusts
between organizations be avoided when you use
certificates from a trusted provider on the
Internet?
• Could you have created authorization rules in
Adatum.com and achieved the same result if you
had instead created authorization rules in
TreyResearch.net?
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 

Recently uploaded (20)

Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC   History collection FORMAT.pptxPSYCHIATRIC   History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 

MCSA 70-412 Chapter 08

  • 1. Module 8 Implementing and Administering AD FS
  • 2. Module Overview • Overview of AD FS • Deploying AD FS • Implementing AD FS for a Single Organization • Deploying AD FS in a Business-to-Business Federation Scenario • Extending AD FS to External Clients
  • 3. Lesson 1: Overview of AD FS • What Is Identity Federation? • What Is Claims-Based Identity? • Web Services Overview • What Is AD FS? • How AD FS Enables SSO in a Single Organization • How AD FS Enables SSO in a Business-to-Business Federation • How AD FS Enables SSO with Online Services
  • 4. What Is Identity Federation? Identity federation: • Enables identification, authentication, and authorization across organizational and platform boundaries • Requires a federated trust relationship between two organizations or entities • Enables organizations to retain control over who can access resources • Enables organizations to retain control of their user and group accounts
  • 5. What Is Claims-Based Identity? • Claims provide information about users • Information is provided by the user’s identity provider, and is accepted by the application provider Application Provider Identity Provider Application Security Token Service Security Token (Outgoing Claims) Security Token (Incoming Claims)
  • 6. Web Services Overview Web services are a standardized set of specifications used to build applications and services Web services typically: • Transmit data as XML • Use SOAP to define the XML message format • Use WSDL to define valid SOAP messages • Use UDDI to describe available web services SAML is a standard for exchanging identity claims
  • 7. What Is AD FS? • AD FS is the Microsoft identity federation product that can use claim-based authentication • AD FS has the following features: • SSO for web-based applications • Interoperability with web services on multiple platforms • Support for many clients, such as web browsers, mobile devices, and applications • Extensibility to support customized claims from third-party applications • Delegation of account management to the user’s organization • Windows Server 2012 AD FS features: • Integration with DAC • Windows PowerShell cmdlets for administration
  • 8. How AD FS Enables SSO in a Single Organization (Diagram labels: External Client, Federation Server, Federation Service Proxy, Web Server, AD DS Domain Controller, Perimeter Network, Corporate Network; the communication flow is numbered 1 through 8)
  • 9. How AD FS Enables SSO in a Business-to-Business Federation (Diagram labels: Trey Research, A. Datum, Internal Client Computer, Resource Federation Server, Account Federation Server, Web Server, AD DS, Federation Trust; the communication flow is numbered 1 through 11)
  • 10. How AD FS Enables SSO with Online Services (Diagram labels: Account Federation Server, On-Premises, Microsoft Exchange Online, Internal Client Computer, Microsoft Online Services Federation Server, Microsoft Outlook Web App Server, AD DS, Federation Trust; the communication flow is numbered 1 through 11)
  • 11. Lesson 2: Deploying AD FS • AD FS Components • AD FS Prerequisites • PKI and Certificate Requirements • Federation Server Roles • Demonstration: Installing the AD FS Server Role
  • 12. AD FS Components AD FS components: Federation server Relying parties Federation server proxy Claims provider trust Claims Relying party trust Claim rules Certificates Attribute store Endpoints Claims providers
  • 13. AD FS Prerequisites Successful AD FS deployment includes the following critical infrastructure: • TCP/IP network connectivity • AD DS • Attribute stores • DNS • Compatible operating systems Installation changes in Windows Server 2012 R2: • IIS is not required • No AD FS stand-alone server option
  • 14. PKI and Certificate Requirements • Certificates used by AD FS: • Service communication certificates • Token-signing certificates • Token-decrypting certificates • When choosing certificates, ensure that the service communication certificate is trusted by all federation partners and clients • If you use an internal CA then users must have access to certificate revocation information
  • 15. Federation Server Roles Claims provider federation server: • Authenticates internal users • Issues signed tokens containing user claims Relying party federation server: • Consumes tokens from the claims provider • Issues tokens for application access Federation server proxy: • Is deployed in a perimeter network • Provides a layer of security for internal federation servers
  • 16. Demonstration: Installing the AD FS Server Role In this demonstration, you will see how to install and configure the AD FS server role
  • 17. Lesson 3: Implementing AD FS for a Single Organization • What Are AD FS Claims? • What Are AD FS Claim Rules? • What Is a Claims-Provider Trust? • What Is a Relying-Party Trust? • Demonstration: Configuring Claims Provider and Relying Party Trusts • What Are Authentication Policies? • What Is Multifactor Authentication?
  • 18. What Are AD FS Claims? • Claims provide information about users from the claims provider to the relying party • AD FS: • Provides a default set of built-in claims • Enables the creation of custom claims • Requires that each claim have a unique URI • Claims can be: • Retrieved from an attribute store • Calculated based on retrieved values • Transformed into alternate values
  • 19. What Are AD FS Claim Rules? • Claim rules define how claims are sent and consumed by AD FS servers • Claims provider rules are acceptance transform rules • Relying party rules can be: • Issuance transform rules • Issuance authorization rules • Delegation authorization rules • AD FS servers provide default claim rules, templates, and a syntax for creating custom claim rules
  • 20. What Is a Claims-Provider Trust? • Claims provider trusts: • Are configured on the relying party federation server • Identify the claims provider • Configure the claim rules for the claims provider • In a single-organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed • Additional claims provider trusts can be configured by: • Importing the federation metadata • Importing a configuration file • Configuring the trust manually
  • 21. What Is a Relying-Party Trust? • Relying party trusts: • Are configured on the claims provider federation server • Identify the relying party • Configure the claim rules for the relying party • In a single-organization scenario, a relying party trust defines the connection to internal applications • Additional relying party trusts can be configured by: • Importing the federation metadata • Importing a configuration file • Manually configuring the trust
  • 22. Demonstration: Configuring Claims Provider and Relying Party Trusts In this demonstration, you will see how to: • Configure a claims provider trust • Configure a certificate for a web-based app • Configure a WIF application for AD FS • Configure a relying party trust
  • 23. What Are Authentication Policies? • Authentication methods can be configured for the intranet or extranet • Windows authentication • Forms authentication • Certificate authentication
  • 24. What Is Multifactor Authentication? • Multi-factor authentication requires an additional factor for authentication • Certificate authentication or third-party vendors • Multi-factor authentication can apply to: • Specific users or groups • Registered or unregistered devices • Intranet or extranet • Windows Azure Multi-factor authentication uses the following: • Phone calls • Text messages • Mobile App
  • 25. Lab A: Implementing AD FS • Exercise 1: Installing and Configuring AD FS • Exercise 2: Configuring an Internal Application for AD FS Logon Information Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-CL1 User name: Adatum\Administrator Password: Pa$$w0rd Estimated Time: 30 minutes
  • 26. Lab Scenario A. Datum Corporation has set up a variety of business relationships with other companies and customers. Some of these partner companies and customers must access business applications that are running on the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality and access to these companies. The Security and Operations departments want to ensure that the partners and customers can access only the resources to which they require access, and that implementing the solution does not increase the workload for the Operations team significantly. A. Datum also is working on migrating some parts of its network infrastructure to Microsoft Online Services, including Windows Azure and Office 365.
  • 27. Lab Scenario To meet these business requirements, A. Datum plans to implement AD FS. In the initial deployment, the company plans to use AD FS to implement SSO for internal users who access an application on a Web server. As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS solution. As a proof-of-concept, you plan to deploy a sample claims-aware application, and you will configure AD FS to enable internal users to access the application.
  • 28. Lab Review • Why was it important to configure adfs.adatum.com to use as a host name for the AD FS service? • How can you test whether AD FS is functioning properly?
  • 29. Lesson 4: Deploying AD FS in a Business-to-Business Federation Scenario • Configuring an Account Partner • Configuring a Resource Partner • Configuring Claims Rules for Business-to-Business Scenarios • How Home Realm Discovery Works • Demonstration: Configuring Claim Rules
  • 30. Configuring an Account Partner • An account partner is a claims provider in a business-to-business federation scenario To configure an account partner: 1. Implement the physical topology 2. Add an attribute store 3. Configure a relying party trust 4. Add a claim description 5. Prepare client computers for federation
  • 31. Configuring a Resource Partner • A resource partner is a relying party in a business-to-business federation scenario To configure a resource partner: 1. Implement the physical topology 2. Add an attribute store 3. Configure a claims provider trust 4. Create claim rule sets for the claims provider trust
  • 32. Configuring Claims Rules for Business-to-Business Scenarios • Business-to-business scenarios may require more complex claims rules • You can create claims rules by using the following templates: • Send LDAP Attributes as Claims • Send Group Membership as a Claim • Pass Through or Filter an Incoming Claim • Transform an Incoming Claim • Permit or Deny Users Based on an Incoming Claim • You can also create custom rules by using the AD FS claim rule language
  • 33. How Home Realm Discovery Works • Home realm discovery identifies the AD FS server responsible for providing claims about a user • There are two methods for home realm discovery: • Prompt users during their first authentication • Include a WHR string in the application URL • SAML applications can use a preconfigured profile for home realm discovery
  • 34. Demonstration: Configuring Claim Rules In this demonstration, you will see how to configure claim rules
  • 35. Lesson 5: Extending AD FS to External Clients • What Is Web Application Proxy? • Configuring an Application for Web Application Proxy • Web Application Proxy and AD FS • High Availability for AD FS • Demonstration: Installing and Configuring Web Application Proxy • What Is Workplace Join? • The Workplace Join Process
  • 36. What Is Web Application Proxy? • Web Application Proxy: • Increases security for web-based applications and AD FS • Is placed in a perimeter network • Drops invalid requests • Is independent of the web server software being used • Is new in Windows Server 2012 R2 Intranet Application Web Application Proxy Internet
  • 37. Configuring an Application for Web Application Proxy • Preauthentication types: • AD FS • Pass-through • URLs: • External • Backend server • Certificates Intranet Application Web Application Proxy Internet
  • 38. Web Application Proxy and AD FS • Web Application Proxy is an AD FS proxy • The same certificate is used on the AD FS server and Web Application Proxy • Split DNS allows the same name to resolve to different IP addresses (Diagram labels: Internet; Web Application Proxy adfs.adatum.com 10.10.0.100; AD FS Server adfs.adatum.com 172.16.0.21)
  • 39. High Availability for AD FS (Diagram labels: AD FS Server adfs.adatum.com 172.16.0.21; AD FS Server adfs.adatum.com 172.16.0.22; Load Balancer adfs.adatum.com 172.16.0.20; Web Application Proxy adfs.adatum.com 10.10.0.101; Web Application Proxy adfs.adatum.com 10.10.0.102; Load Balancer adfs.adatum.com 10.10.0.100)
  • 40. Demonstration: Installing and Configuring Web Application Proxy In this demonstration, you will see how to: • Install Web Application Proxy • Export the certificate from the AD FS server • Import the certificate to the Web Application Proxy server • Configure Web Application Proxy
  • 41. What Is Workplace Join? Workplace Join: • Creates an object in AD DS for non-domain joined devices • Works with Windows 8.1 and iOS devices • Can control access to claims-aware applications • Enables SSO for application access Enabling Workplace Join 1. Enable-AdfsDeviceRegistration -PrepareActiveDirectory 2. Enable-AdfsDeviceRegistration 3. Enable Device Authentication in AD FS
  • 42. The Workplace Join Process • To perform a Workplace Join the service communication certificate for AD FS must be trusted by devices Devices running Windows: • Require a UPN for authentication • Access by using enterpriseregistration.upndomainname.com • Devices running iOS use Safari to install a configuration profile • A certificate is placed on the device for authentication
  • 43. Lab B: Implementing AD FS for External Partners and Users • Exercise 1: Configuring AD FS for a Federated Business Partner • Exercise 2: Configuring Web Application Proxy Logon Information Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-SVR2, 20412C-TREY-DC1 User name: Adatum\Administrator Password: Pa$$w0rd Estimated Time: 60 minutes
  • 44. Lab Scenario A. Datum Corporation has set up a variety of business relationships with other companies and customers. Some of these partner companies and customers must access business applications that are running on the A. Datum network. The business groups at A. Datum want to provide a maximum level of functionality and access to these companies. The Security and Operations departments want to ensure that the partners and customers can access only the resources to which they require access, and that implementing the solution does not increase the workload for the Operations team significantly. A. Datum also plans to migrate some parts of its network infrastructure to Microsoft Online Services, including Windows Azure and Office 365.
  • 45. Lab Scenario Now that you have deployed AD FS for internal users, the next step is to enable access to the same application for external partner organizations and for external users. A. Datum Corporation has entered into a partnership with Trey Research. You need to ensure that Trey Research users can access the internal application. You also need to ensure that A. Datum Corporation users working outside the office can access the application. As one of the senior network administrators at A. Datum, it is your responsibility to implement the AD FS solution. As a proof-of-concept, you are deploying a sample claims-aware application, and configuring AD FS to enable both Trey Research users and external A. Datum Corporation users to access the same application.
  • 46. Lab Review • Why would the need to configure certificate trusts between organizations be avoided when you use certificates from a trusted provider on the Internet? • Could you have created authorization rules in Adatum.com and achieved the same result if you had instead created authorization rules in TreyResearch.net?
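The claim rule types from slide 19 (acceptance transform, issuance transform, issuance authorization) and the rule templates from slide 32 are easier to reason about when the pipeline is run end to end. The evaluator below is an added example, not Microsoft's code or the course's lab material: it implements only a subset of the AD FS claim rule language (equality and regex conditions; pass-through, transform and permit/deny issue statements), and the group SID, user names and rule sets are constructed for the Trey Research / A. Datum scenario.

```python
import re
from dataclasses import dataclass

# Well-known claim type URIs that AD FS ships with.
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"
# Constructed group SID for the example; it is not a real domain's SID.
FINANCE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1107"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


# Supported rule shapes:  c:[Type == "...", Value == "..."] => issue(claim = c);
#   c:[...] => issue(Type = "...", Value = "..." or c.Value);   => issue(Type = "...", Value = "...");
_RULE = re.compile(r'^\s*(?:c:\[(?P<cond>[^\]]*)\]\s*)?=>\s*issue\((?P<out>.*)\)\s*;?\s*$')
_COND = re.compile(r'(Type|Value)\s*(==|=~)\s*"([^"]*)"')
_OUT = re.compile(r'^Type\s*=\s*"([^"]*)"\s*,\s*Value\s*=\s*(?:"([^"]*)"|(c\.Value))$')


def parse_rule(text):
    """Return (conditions, output). output is None for pass-through, otherwise a
    (type, value) pair where value None means 'copy the matched claim's value'."""
    m = _RULE.match(text)
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    conds = _COND.findall(m.group("cond") or "")
    out = m.group("out").strip()
    if out == "claim = c":
        result = None
    else:
        om = _OUT.match(out)
        if not om:
            raise ValueError(f"unsupported issue(): {out!r}")
        result = (om.group(1), None if om.group(3) else om.group(2))
    if not conds and (result is None or result[1] is None):
        raise ValueError("an unconditional rule must issue a literal value")
    return conds, result


def _matches(claim, conds):
    for field, op, pattern in conds:
        actual = claim.type if field == "Type" else claim.value
        if op == "==" and actual != pattern:
            return False
        if op == "=~" and not re.search(pattern, actual):
            return False
    return True


def apply_rules(rules, incoming):
    """Run one rule set in order. As in AD FS, issue() adds the claim to the output
    set and also to the input set, so later rules in the same set can match it."""
    working, output = list(incoming), []
    for text in rules:
        conds, out = parse_rule(text)
        # A rule with no condition fires exactly once; otherwise once per matching claim.
        hits = [None] if not conds else [c for c in working if _matches(c, conds)]
        for c in hits:
            if out is None:
                issued = c                      # pass-through (filtering happens by omission)
            else:
                issued = Claim(out[0], c.value if out[1] is None else out[1])
            output.append(issued)
            working.append(issued)
    return output


def is_authorized(auth_rules, claims):
    """Issuance authorization: any deny claim wins; otherwise a permit claim is required."""
    decisions = apply_rules(auth_rules, claims)
    if any(c.type == DENY for c in decisions):
        return False
    return any(c.type == PERMIT and c.value.lower() == "true" for c in decisions)


# Scenario: Trey Research is the account partner (claims provider), A. Datum is the
# resource partner (relying party) that hosts the application. Rule sets are constructed.
ACCEPTANCE_RULES = [                 # claims provider trust: accept UPN and group SIDs only
    f'c:[Type == "{UPN}"] => issue(claim = c);',
    f'c:[Type == "{GROUPSID}"] => issue(claim = c);',
]
ISSUANCE_TRANSFORM_RULES = [         # relying party trust: partner SID -> application role
    f'c:[Type == "{GROUPSID}", Value == "{FINANCE_SID}"] => issue(Type = "{ROLE}", Value = "Finance");',
    f'c:[Type == "{UPN}"] => issue(claim = c);',
]
ISSUANCE_AUTHORIZATION_RULES = [     # relying party trust: only the Finance role gets a token
    f'c:[Type == "{ROLE}", Value == "Finance"] => issue(Type = "{PERMIT}", Value = "true");',
]


def token_for(incoming):
    """Run the full chain; return the outgoing claims, or None when no token is issued."""
    accepted = apply_rules(ACCEPTANCE_RULES, incoming)
    issued = apply_rules(ISSUANCE_TRANSFORM_RULES, accepted)
    return issued if is_authorized(ISSUANCE_AUTHORIZATION_RULES, issued) else None


if __name__ == "__main__":
    # Constructed claims as an account federation server might send them.
    alice = [Claim(UPN, "alice@treyresearch.net"), Claim(EMAIL, "alice@treyresearch.net"),
             Claim(GROUPSID, FINANCE_SID)]
    print(token_for(alice))   # Finance role and UPN are issued; the e-mail claim is filtered out
```

A user whose group SID is not mapped to a role never receives a permit claim, so `token_for` returns None and no token reaches the application.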

Editor's Notes

  1. Presentation: 90 minutes Lab: 90 minutes After completing this module, the students will be able to: Describe Active Directory® Federation Services (AD FS). Describe how to deploy AD FS. Describe how to implement AD FS for a single organization. Describe how to deploy AD FS in a business-to-business federation scenario. Describe how to extend AD FS to external clients. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20412C_08.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who might experience difficulties in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.
  2. As you start this lesson and this topic, emphasize that identity federation addresses authentication and authorization scenarios that are not addressed easily by traditional means. Within most organizations, users authenticate to Active Directory Domain Services (AD DS) by using Kerberos version 5 protocol, and they are granted access to most services and applications based on that authentication. In most of these deployment scenarios, AD FS is not used. Instead, AD FS enables authentication and authorization across boundaries where AD DS authentication does not work. For example, two organizations might want to enable access to applications, but maintain strict security requirements that prevent cross-forest trusts. Identity federation also is becoming increasingly popular in the cloud deployment scenario. Cloud deployment does not have traditional options for enabling authentication and authorization, so an alternative means is necessary to enable access to cloud applications.
  3. Use this topic to describe how claims-based authentication makes it possible to implement identity federation. As organizations define their business processes with partner organizations, they define which users will be granted access, and what applications or data the users can access. Claims are a way to transmit agreed upon information between organizations. If the application provider wants to allow access based on specific groups or some other attribute, the identity provider has to make sure that the associated information is included in the claims that are sent to the application provider.
  4. Emphasize that Web services are an industry-standard solution, and not merely a Microsoft solution. The standards have been developed over the last several years. The goal of Web services specifications is to enable organizations to use almost any authentication mechanism and almost any application platform. Web services specifications define how the two components communicate. Mention that there are many more specifications included with Web services than those that are listed in the Workbook. This topic describes the current Web services security specifications as they are implemented in AD FS. You should emphasize that user account properties can be made available to other organizations, but only as defined by the administrator. Any information about the user accounts not specifically defined as being visible is never available.
  5. Consider briefly describing the history of AD FS. AD FS 1.0 originally shipped with Windows Server® 2003 R2, and it included many of the same features that are available in the current version of AD FS. AD FS 1.0 required AD FS Web Agents to be installed on all Web servers that used AD FS, and it provided both claims-aware and NT token-based authentication. AD FS 1.x supported both AD DS and Active Directory Lightweight Directory Services (AD LDS) as an account provider. AD FS 1.0 did not support active clients, and it did not support the Security Assertion Markup Language (SAML) protocol. AD FS 1.1 shipped with Windows Server® 2008, and it included just a few minor changes from AD FS 1.0. AD FS 2.0 shipped as a separate product. It includes support for SAML, WS-Trust protocols, and smart clients. Many vendors, including IBM, Netegrity, Oblix, Open Network, RSA, and Ping Identity, have demonstrated two-way interoperability with AD FS.
  6. Start this topic by describing the scenarios where AD FS might be used within an organization. The students might mention that they use AD FS to connect to a cloud service. Mention that this is definitely a valid single-organization scenario, but as it requires a different infrastructure, it is described later in this lesson. Then use the build slide to describe the communication flow in this scenario. The goal is not necessarily for the students to understand all the details of how AD FS works in this scenario. Instead, keep the discussion at a fairly high level so that the students can see the overall communication flow. Highlight that the Web server in this scenario does not communicate directly with the Federation Service Proxy or the federation server. Rather, the client computer initiates all the communication steps.
  7. When you describe this scenario, emphasize the areas of control in each organization. Trey Research, which is the account partner—or claims provider—has complete control over its user accounts and authentication mechanisms. A. Datum Corporation has no control over how Trey Research implements its user accounts. On the other hand, A. Datum, as the relying party, has complete control over the application and the access it grants to the application. To enable the relationship, the organizations must agree on what kind of claims are provided and accepted by each party, and they must exchange certificates and public keys.
  8. Stress the similarity between the business-to-business scenario and the cloud-based services scenario. The communication flow between client computers and AD FS servers is exactly the same. Highlight that the Microsoft Exchange Online example could be extended to any cloud-based service that uses claims-based authentication.
  9. The goal of this topic is to provide the students an overview of the terminology and components that are explained in more detail throughout the rest of the module. Do not spend a lot of time on this topic, and avoid going into too much detail on any of the terms. Tell the students that most of the components are described in much more detail in the rest of the module.
  10. If the students are not very familiar with Domain Name System (DNS), you could go back to the slide that describes the business-to-business deployment scenario, and point out all of the places where client computers must resolve DNS names. You also might need to discuss the concept of split DNS with the students. In most cases, organizations implement a split DNS to enable users, both internal and external to the network, to resolve DNS names differently. For example, if the organization is deploying a federation server proxy, the federation server fully qualified domain name (FQDN) from the Internet must point to the public IP of the federation server proxy. That same FQDN from the perimeter network resolves to the federation server on the internal network. Therefore, split DNS is required to ensure that the perimeter network has access to something other than Internet DNS.
  11. The students must understand the role of certificates in an AD FS deployment, so be prepared to spend extra time on this topic. The students should be familiar with certificate concepts from earlier modules in this course. Use this topic to emphasize the concept of certificate trust. For certificates to be trusted by federation servers and clients, they must be issued by a CA that is trusted by the servers and clients, or the servers and clients must be explicitly configured to trust the certificates.
  12. This topic is essential to understanding the rest of this module, because the terms claims provider and relying party are used throughout the rest of this module. Make it clear that the claims provider is the server that issues claims and authenticates users. The relying party is where the application is located, and it consumes the claims issued by the claims provider. Ensure that the students understand that a single AD FS federation server can be both a claims provider and a relying party. In a single-organization AD FS deployment, the federation server will authenticate users and create claims, but also will consume those claims and issue tokens for application access. In a business-to-business deployment scenario, the AD FS federation server can be the claims provider for one partner company, and also be the relying party for the same company, or for another company.
  13. During the demonstration, you can create the KDS root key while you wait for the AD FS installation to complete. Remind the students that the name used for AD FS is different from the server name. This ensures that load balancing can be used. Preparation Steps To complete this demonstration, the 20412C-LON-DC1 virtual machine must be running. Sign in to the server as Adatum\Administrator with the password Pa$$w0rd. Demonstration Steps Install AD FS On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features. In the Add Roles and Features Wizard, on the Before you begin page, click Next. On the Select installation type page, click Role-based or feature-based installation, and then click Next. On the Select destination server page, click LON-DC1.Adatum.com, and then click Next. On the Select server roles page, select the Active Directory Federation Services check box, and then click Next. On the Select features page, click Next. On the Active Directory Federation Services (AD FS) page, click Next. On the Confirm installation selections page, click Install. Wait until installation is complete, and then click Close.
  14. Add a DNS record for AD FS
1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs. In the IP address box, type 172.16.0.10, and then click Add Host.
5. In the DNS window, click OK, and then click Done.
6. Close DNS Manager.

Configure AD FS
1. In the Server Manager, click the Notifications icon, and then click Configure the federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
5. On the Specify Service Account page, click Create a Group Managed Service Account. In the Account Name box, type ADFS, and then click Next.
6. On the Specify Configuration Database page, click Create a database on this server using Windows Internal Database, and then click Next.
7. On the Review Options page, click Next.
8. On the Pre-requisite Checks page, click Configure.
9. On the Results page, click Close.
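The two demonstrations above (install the role, create the KDS root key, add the DNS record, configure the first farm member) performed with Windows PowerShell on Windows Server 2012 R2. This is an added example and not part of the course material. The lab values adfs.adatum.com, 172.16.0.10, the ADFS group managed service account and the display name come from the notes; it is assumed that the adfs.adatum.com certificate is already in the local computer store, and that Install-AdfsFarm creates the gMSA when it does not yet exist, as the wizard's Create a Group Managed Service Account option does.

```powershell
# Added example, not from the course material: slides 13 and 14 on LON-DC1
# done with PowerShell instead of the wizards. Lab values from the notes;
# the certificate is assumed to be in Cert:\LocalMachine\My already.
#Requires -RunAsAdministrator

$serviceName = 'adfs.adatum.com'        # federation service name, NOT the server name
$displayName = 'A. Datum Corporation'
$zoneName    = 'Adatum.com'
$adfsIp      = '172.16.0.10'            # LON-DC1, from the notes
$gmsa        = 'ADATUM\ADFS$'           # wizard: Account Name "ADFS"

# 1. Install the AD FS role (wizard: Active Directory Federation Services).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Create the KDS root key that group managed service accounts depend on.
#    Lab shortcut: back-date the key by 10 hours so it is usable at once on a
#    single-DC lab. In production use -EffectiveImmediately instead and wait
#    the default 10 hours so every domain controller has replicated the key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 3. Register the federation service name in DNS. A dedicated name, rather than
#    the server's own name, is what later lets farm members and Web Application
#    Proxy servers share it behind a load balancer.
Add-DnsServerResourceRecordA -ZoneName $zoneName -Name 'adfs' -IPv4Address $adfsIp

# 4. Pick the SSL certificate whose subject matches the service name
#    (wizard: SSL Certificate box). Newest one wins if there are several.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$serviceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $serviceName in LocalMachine\My" }

# 5. Create the first federation server in a new farm. Omitting
#    -SQLConnectionString selects the Windows Internal Database, which is the
#    wizard's "Create a database on this server using Windows Internal Database".
#    Assumed: the gMSA is created by the cmdlet when it does not exist.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $serviceName `
    -FederationServiceDisplayName $displayName `
    -GroupServiceAccountIdentifier $gmsa

# 6. Confirm the service is up before moving on to claims configuration.
Get-Service adfssrv | Select-Object Status, Name
```

Run it in an elevated PowerShell session on LON-DC1 as Adatum\Administrator. Steps 1 and 2 are independent, which is why the notes suggest creating the KDS root key while the role installs.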
  15. The concept of claims should be fairly easy for the students to understand. You can use the passport example to describe claims. A passport is issued by a country (the claims provider) to its citizens. When a user travels to another country, the user presents the passport (the claim) to an immigration official (the relying party). If the immigration official deems the passport trustworthy, the user is admitted into the country. The passport might even be used to make additional decisions. For example, if the passport is issued by a specific country, the user might have to provide additional information, such as a visa, to enter the country. Spend some time on the options for populating claims. Most of the students will not have trouble understanding the role AD DS information might play in providing retrievable values, but you might have to spend additional time describing the calculated and transformed values.
  16. The easiest way for the students to understand claim rules might be to describe them as applying business logic to claims. In the previous topics, the students learned about all the possible claims that could be defined on an AD FS server. When you define the claim rules, you decide which of all the possible claims your organization will actually use. If you are the claims-provider organization, the claim rules define which attributes you use to populate the claim before sending the claim to the relying party. If you are the relying-party organization, the claim rules define which claims you will accept.
  17. Describe a claims-provider trust as one half of setting up an AD FS federation between organizations, with the relying-party trust being the second half. Point out that the claims-provider trust actually configures much of what has been covered in the module so far, and that this configuration object defines how a relying party accepts claims from an AD FS partner organization. Point out that in a single-organization deployment of AD FS, there is often no need for additional claims-provider trusts beyond the Active Directory claims-provider trust. In this scenario, all users are authenticated by AD DS, and the claims-provider trust simply defines which AD DS attributes are accepted by AD FS, and how those attributes are used in AD FS. Additional claims-provider trusts may be required if additional data sources, such as an LDAP directory, are used.
  18. Mention that the relying-party trust is the second part of the AD FS configuration. This component defines how the claims provider sends information to the relying party. Point out that the options for creating new relying-party trusts are identical to those for configuring claims-provider trusts.
  19. Preparation Steps
To complete this demonstration, the 20412C-LON-DC1 and 20412C-LON-SVR1 virtual machines must be running. Sign in to both servers as Adatum\Administrator with the password Pa$$w0rd. You must have completed the previous demonstration before you start this demonstration.

Demonstration Steps
Configure a Claims Provider Trust
1. On LON-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS Management console, expand Trust Relationships, and then click Claims Provider Trusts.
3. Right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claim Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for the LDAP Attribute and the Outgoing Claim Type:
   E-Mail-Addresses: E-Mail Address
   User-Principal-Name: UPN
9. Click Finish, and then click OK.

Configure a certificate for a web-based app
1. On LON-SVR1, in Server Manager, click Tools and click Internet Information Services (IIS) Manager.
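The acceptance transform rule created in the demonstration above, written in the AD FS claim rule language and applied with Set-AdfsClaimsProviderTrust. This is an added example, not course material; the rule text is the form the Send LDAP Attributes as Claims template generates for the E-Mail-Addresses and User-Principal-Name mapping, and the script is assumed to run on LON-DC1 after AD FS has been configured. Because -AcceptanceTransformRules replaces the whole rule set, the script appends to the existing rules rather than overwriting them, which is the detail that most often goes wrong when moving from the console to scripts.

```powershell
# Added example, not from the course material: slide 19's rule for the
# Active Directory claims provider trust, applied from PowerShell on LON-DC1.
#Requires -RunAsAdministrator

$trustName = 'Active Directory'
$ruleName  = 'Outbound LDAP Attributes Rule'

# Claim rule language equivalent of the wizard's "Send LDAP Attributes as
# Claims" template: query the mail and userPrincipalName attributes of the
# authenticated account and issue them as E-Mail Address and UPN claims.
# Only the attributes listed here leave AD DS as claims, so keep the list
# to what the relying parties actually need.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,userPrincipalName;{0}",
          param = c.Value);
'@

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
if (-not $trust) { throw "Claims provider trust '$trustName' not found" }

# The AD trust ships with default acceptance rules (pass-through of the
# Windows account name, group SIDs and so on); read them so they survive.
$existing = [string]$trust.AcceptanceTransformRules

if ($existing -match [regex]::Escape("@RuleName = `"$ruleName`"")) {
    Write-Host "Rule '$ruleName' is already present; nothing changed."
} else {
    # Rules are separated by blank lines; append ours to the current set.
    $combined = ($existing.TrimEnd(), $ldapRule) -join "`r`n`r`n"
    Set-AdfsClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $combined
    Write-Host "Rule '$ruleName' added to '$trustName'."
}

# Print the resulting rule set for review, as the Edit Claim Rules window would.
(Get-AdfsClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
```

The same rule text is what you see if you select the rule in the console and click View Rule Language, which is a convenient way to check that a scripted rule matches what the wizard would have produced.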
  20. Describe how you can enable and disable different authentication methods for intranet or extranet. Then describe the uses for each authentication type.
  21. Describe multifactor authentication and how it increases security. Describe how AD FS can apply this authentication method to specific users or groups. To finish, describe Windows Azure Multi-Factor Authentication and its capabilities. Windows Azure MFA was previously known as PhoneFactor before Microsoft purchased the product.
  22. Exercise 1: Installing and Configuring AD FS
To start the AD FS implementation, you need to install AD FS on an A. Datum domain controller. During the initial deployment, you will configure it as the first server in a farm with the option to expand the farm at a later time. The certificate for AD FS already has been installed on LON-DC1.

Exercise 2: Configuring an Internal Application for AD FS
The first scenario for implementing the proof-of-concept AD FS application is to ensure that internal users can use SSO to access the web application. You plan to configure the AD FS server and a web application to enable this scenario. You also want to verify that internal users can access the application.
  23. Question
Why was it important to configure adfs.adatum.com to use as a host name for the AD FS service?

Answer
If you use the host name of an existing server for the AD FS server, you will not be able to add additional servers to your server farm. All servers in the server farm must share the same host name when they provide AD FS services. The host name for AD FS also is used by AD FS proxy servers.

Question
How can you test whether AD FS is functioning properly?

Answer
You can access https://hostname/federationmetadata/2007-06/federationmetadata.xml on the AD FS server.
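The second answer above as a scripted check, added here as an example and not part of the course material. It requests the federation metadata over the service name adfs.adatum.com (the lab value from the notes) rather than the server name, so the test exercises the same DNS record and certificate name that farm members, proxies and partner organizations will depend on, then verifies the entity ID and reports when the published token-signing certificate expires. The 30-day warning threshold is this example's own choice.

```powershell
# Added example, not from the course material: a health check for the
# federation service based on the metadata URL given in the slide 23 answer.

$serviceName = 'adfs.adatum.com'   # lab value from the notes
$metadataUrl = "https://$serviceName/federationmetadata/2007-06/federationmetadata.xml"

# Request the metadata through the service name. A failure here usually means
# DNS, the SSL certificate name, or the AD FS service itself is wrong.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($response.StatusCode -ne 200) {
    throw "Metadata request failed: HTTP $($response.StatusCode)"
}

[xml]$metadata = $response.Content
$entity = $metadata.EntityDescriptor

# The entity ID is derived from the federation service name; a mismatch means
# the farm was configured with a different name than the one clients use.
$expectedEntityId = "http://$serviceName/adfs/services/trust"
if ($entity.entityID -ne $expectedEntityId) {
    throw "Unexpected entityID '$($entity.entityID)', expected '$expectedEntityId'"
}

# The token-signing certificate is published under a KeyDescriptor with
# use="signing". Partners pin their trust to this certificate, so its expiry
# date is the one to watch.
$signingB64 = $entity.RoleDescriptor |
    Where-Object  { $_.KeyDescriptor } |
    ForEach-Object { $_.KeyDescriptor } |
    Where-Object  { $_.use -eq 'signing' } |
    Select-Object -First 1 |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate }
if (-not $signingB64) { throw 'No token-signing certificate found in metadata' }

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    , [Convert]::FromBase64String($signingB64))

"Federation service : $($entity.entityID)"
"Signing certificate: $($signingCert.Subject)"
"Signing thumbprint : $($signingCert.Thumbprint)"
"Signing expires    : $($signingCert.NotAfter)"

if ($signingCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Token-signing certificate expires within 30 days; plan the rollover with partners.'
}
```

Run it from any domain member that trusts the CA that issued adfs.adatum.com. Opening the URL in a browser proves only that the service answers; checking the entity ID and the signing certificate additionally proves that the farm is presenting the identity that partners will configure their trusts against.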
  24. Explain to the students that the account partner is simply another name for the claims provider, which was discussed in the previous lesson. In addition, explain that the process for implementing the account-partner side of the federation has not changed significantly from the single-organization scenario. The only real difference is that the relying-party trust now references the AD FS servers in another organization, rather than a Web server within the organization.
  25. Point out the similarities between this process and configuring the account-partner side of the federation.
  26. This topic can get complicated for the students because there are many variations or ways to use these rules. Unless the students are interested in this topic, consider just listing the claim-rule templates and focusing on examples for when you would use each. Another option for you to teach this content is to move ahead to the Configuring Claims Rules demonstration, and use the demonstration to show the options for creating each type of rule by using the provided templates.
  27. Focus on the conceptual component of this topic rather than on how home realm discovery is actually implemented. The students should not have trouble understanding that home realm discovery is required in the scenario where users access a resource partner’s website from many different account partners. Point out that configuring home realm discovery likely is included in the web application.
  28. Preparation Steps
To complete this demonstration, the 20412C-LON-DC1 and 20412C-LON-SVR1 virtual machines must be running. Sign in to both servers as Adatum\Administrator with the password Pa$$w0rd. You must have completed the previous demonstrations before you start this demonstration.

Demonstration Steps
1. On LON-DC1, in the AD FS Manager, in the Edit Claim Rules for A. Datum Test App window, on the Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.
3. In the Claim rule name box, type Send Group Name Rule.
4. In the Incoming claim type drop-down list, click Group, and then click Finish.
5. In the Edit Claim Rules for A. Datum Test App window, on the Issuance Authorization Rules tab, click the rule named Permit Access to All Users, and then click Remove Rule.
6. Click Yes to confirm.
   Note: With no rules, users are not permitted access.
7. On the Issuance Authorization Rules tab, click Add Rule.
8. On the Select Rule Template page, in the Claim rule template box, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
9. On the Configure Rule page, in the Claim rule name box, type Permit Production Group Rule.
10. In the Incoming claim type drop-down list, select Group.
11. In the Incoming claim value box, type Production, click Permit access to users with this incoming claim, and then click Finish.
12. On the Issuance Authorization Rules tab, click Add Rule.
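The issuance transform and issuance authorization rules from the demonstration above, written in the claim rule language and applied with Set-AdfsRelyingPartyTrust. This is an added example, not course material. The relying party name A. Datum Test App and the Production group value come from the notes; the rule texts are the forms the Pass Through or Filter an Incoming Claim and Permit or Deny Users Based on an Incoming Claim templates generate. The script appends the transform rule to whatever is already there, but deliberately replaces the authorization rule set, which is the scripted equivalent of removing Permit Access to All Users before adding the group rule.

```powershell
# Added example, not from the course material: slide 28's rules for the
# "A. Datum Test App" relying party trust, applied from PowerShell on LON-DC1.
#Requires -RunAsAdministrator

$rpName = 'A. Datum Test App'

# Issuance transform rule: pass the incoming Group claim through unchanged
# (wizard template "Pass Through or Filter an Incoming Claim").
$passGroupRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Send Group Name Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

# Issuance authorization rules. An empty set denies everyone, so this single
# permit rule is the complete policy: only users carrying Group == Production
# get a token. The template matches the value case-insensitively.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit Production Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $trust) { throw "Relying party trust '$rpName' not found" }

# Keep a copy of the current rules so the change can be reverted.
$safeName = $rpName -replace '[^\w]', '_'
$backup   = Join-Path $env:TEMP ('{0}-rules-{1:yyyyMMddHHmm}.txt' -f $safeName, (Get-Date))
@('# IssuanceTransformRules', [string]$trust.IssuanceTransformRules,
  '# IssuanceAuthorizationRules', [string]$trust.IssuanceAuthorizationRules) |
    Set-Content -Path $backup
Write-Host "Previous rules saved to $backup"

# Transform rules: append, so earlier rules (for example the e-mail and UPN
# pass-throughs) are kept. -IssuanceTransformRules replaces the whole set.
$transformRules = (([string]$trust.IssuanceTransformRules).TrimEnd(), $passGroupRule) -join "`r`n`r`n"

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Review: the permit-all rule must be gone and only the group rule remain.
$after = Get-AdfsRelyingPartyTrust -Name $rpName
if ([string]$after.IssuanceAuthorizationRules -match 'Permit Access to All Users') {
    throw 'Permit-all rule is still present'
}
Write-Host "Authorization rules now in effect for '$rpName':"
$after.IssuanceAuthorizationRules
```

A practical point the note in step 6 makes: between removing Permit Access to All Users and adding the group rule, the application is inaccessible to everyone, which is why a script that sets both parameters in one call is preferable to two console edits on a production trust.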
  29. Provide a brief overview of the benefits of using Web Application Proxy. Be sure to explain that there are two main roles for Web Application Proxy: AD FS proxy and reverse proxy for web applications.
  30. There are two functions of a Web Application Proxy server. This slide addresses the application proxy functionality. In this scenario, Web Application Proxy is a reverse proxy server that has the ability to perform preauthentication for an application by using AD FS. This ensures that a user authenticates before requests are passed to the internal network. Use the network diagram to show the location of the Web Application Proxy server and to show the firewall locations.
  31. This topic builds on the content presented earlier in this module, providing additional details about the importance of DNS resolution and certificates. Be sure that the students understand these points, because they are critical for real-world implementation of AD FS connectivity to the Internet.
  32. Use this topic to discuss the importance of high availability for AD FS. Once AD FS is implemented, it is a critical service in most organizations, and it needs to be highly available. Any organization that implements AD FS needs to be aware of this fact and must know how to make AD FS highly available. The section on geographic high availability is simplified greatly to provide a quick overview that is understood easily. The second location also would need to have at least one AD FS proxy in place. There also would need to be a mechanism to redirect users to the alternate location. In some cases, you could do this by changing the DNS records. In other cases, you might have a load-balancing solution that can redirect clients between locations automatically. For more information, see the AD FS 2.0 High Availability and High Resiliency Walkthrough at: http://go.microsoft.com/fwlink/?LinkID=386643
  33. The application created in Web Application Proxy is not a valid application that you can test. This is by design to save time in the demonstration. To test the application running on LON-SVR1, the certificate must be exported from LON-SVR1 and imported on LON-SVR2. In the lab, the students perform this process and verify that the application works through Web Application Proxy.

Preparation Steps
To complete this demonstration, the 20412C-LON-DC1 and 20412C-LON-SVR2 virtual machines must be running. Sign in to both servers as Adatum\Administrator with the password Pa$$w0rd. You must have completed the previous demonstrations before you start this demonstration.

Demonstration Steps
Install Web Application Proxy
1. On LON-SVR2, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, expand Remote Access, select the Web Application Proxy check box, and then click Next.
6. On the Select features page, click Next.
7. On the Confirm installation selections page, click Install.
8. On the Installation progress page, click Close.

Export the adfs.adatum.com certificate from LON-DC1
1. On LON-DC1, on the Start screen, type mmc, and then press Enter.
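The Web Application Proxy demonstration above, together with the certificate export and import the notes describe for the lab, done with PowerShell. This is an added example and not part of the course material. The names adfs.adatum.com, LON-DC1, LON-SVR1, LON-SVR2 and the relying party A. Datum Test App come from the notes; the share path \\LON-DC1\Certs, the application URL https://lon-svr1.adatum.com/TestApp/ and the certificate subject lon-svr1.adatum.com are assumptions made for this example. Part A runs on the server that holds each certificate, part B on LON-SVR2.

```powershell
# Added example, not from the course material: slide 33 (Web Application
# Proxy on LON-SVR2) plus the certificate transfer the notes describe.
#Requires -RunAsAdministrator

# ---- Part A: run on LON-DC1 for adfs.adatum.com and on LON-SVR1 for the
#      application certificate. Exports the newest matching certificate with
#      its private key to the (assumed) share so LON-SVR2 can import it. ----
function Export-LabCertificate {
    param(
        [Parameter(Mandatory)] [string]       $SubjectName,
        [Parameter(Mandatory)] [string]       $FilePath,
        [Parameter(Mandatory)] [SecureString] $Password
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No exportable certificate for $SubjectName" }
    Export-PfxCertificate -Cert $cert -FilePath $FilePath -Password $Password | Out-Null
    Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $FilePath"
}

$share  = '\\LON-DC1\Certs'                       # assumed share, not in the notes
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'

# On LON-DC1:
Export-LabCertificate -SubjectName 'adfs.adatum.com'     -FilePath "$share\adfs.adatum.com.pfx"     -Password $pfxPwd
# On LON-SVR1 (assumed certificate subject for the test application):
Export-LabCertificate -SubjectName 'lon-svr1.adatum.com' -FilePath "$share\lon-svr1.adatum.com.pfx" -Password $pfxPwd

# ---- Part B: run on LON-SVR2 ----
# 1. Import both certificates; the proxy terminates TLS for both names.
$adfsCert = Import-PfxCertificate -FilePath "$share\adfs.adatum.com.pfx"     -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
$appCert  = Import-PfxCertificate -FilePath "$share\lon-svr1.adatum.com.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd

# 2. Install the role (wizard: Remote Access > Web Application Proxy).
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# 3. Establish the proxy trust with the federation service. The credential is
#    an administrator on the federation server, used once for the trust setup
#    and not stored on the proxy.
$adfsCred = Get-Credential -Message 'Adatum\Administrator (proxy trust setup only)'
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential $adfsCred `
    -CertificateThumbprint $adfsCert.Thumbprint

# 4. Publish the application with AD FS preauthentication, so a request reaches
#    LON-SVR1 only after the user has authenticated and been authorized by the
#    relying party trust's rules.
Add-WebApplicationProxyApplication -Name 'A. Datum Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl 'https://lon-svr1.adatum.com/TestApp/' `
    -BackendServerUrl 'https://lon-svr1.adatum.com/TestApp/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

# 5. Review what is published and how it is protected.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

Preauthentication is the security-relevant choice in step 4: with -ExternalPreauthentication PassThrough the proxy would forward anonymous requests to LON-SVR1, and the application itself would have to fend off unauthenticated traffic from the Internet.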
  34. Provide the students with a high-level description of what Workplace Join is and how it is used. Describe the process for enabling Workplace Join. This process is not covered in a demonstration or lab, so you can consider demonstrating this process.
  35. Use this topic to describe how the Workplace Join process is performed for both devices running Windows and devices running iOS. Be sure to note the differences in the process for the two different operating systems.
  36. Exercise 1: Configuring AD FS for a Federated Business Partner
The second deployment scenario is to enable Trey Research users to access the web application. You plan to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey Research users can access the application. You also want to confirm that you can configure access that is based on user groups. You must ensure that all users at A. Datum, and only users who are in the Production group at Trey Research, can access the application.

The main tasks in this exercise are:
1. Configure DNS forwarding between TreyResearch.net and Adatum.com.
2. Configure certificate trusts between TreyResearch.net and Adatum.com.
3. Create a DNS record for AD FS in TreyResearch.net.
4. Install AD FS for TreyResearch.net.
5. Configure AD FS for TreyResearch.net.
6. Add a claims-provider trust for the TreyResearch.net AD FS server.
7. Configure a relying-party trust in TreyResearch.net for the A. Datum application.
8. Test access to the application.
9. Configure issuance authorization rules.

Exercise 2: Configuring Web Application Proxy
The third scenario for implementing the proof-of-concept AD FS application is to increase security for AD FS authentication by implementing an AD FS proxy for the AD FS and a reverse proxy for the application. You will implement Web Application Proxy to fulfill both of these roles.
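The business-to-business half of Exercise 1 (tasks 1, 2, 6, 7 and 9) performed with PowerShell, as an added example that is not part of the course material; tasks 3 to 5 repeat the single-organization installation on the Trey Research side. TreyResearch.net, Adatum.com, adfs.adatum.com, 172.16.0.10 and the Production group come from the notes. The Trey Research federation service name adfs.treyresearch.net, the Trey Research DNS server address, the CA certificate file paths and the relying party name are assumptions, marked as such in the code.

```powershell
# Added example, not from the course material: the account-partner and
# resource-partner sides of the Trey Research / A. Datum federation.
#Requires -RunAsAdministrator

$adatumDns  = '172.16.0.10'                  # LON-DC1, from the notes
$treyDns    = '<TreyResearch DC address>'    # placeholder, not given in the notes
$adatumAdfs = 'adfs.adatum.com'              # from the notes
$treyAdfs   = 'adfs.treyresearch.net'        # assumed service name
$groupClaim = 'http://schemas.xmlsoap.org/claims/Group'

# ================= Adatum.com side (resource partner, LON-DC1) =================
# 1. Resolve partner names without exposing internal zones: a conditional
#    forwarder for TreyResearch.net only.
Add-DnsServerConditionalForwarderZone -Name 'TreyResearch.net' -MasterServers $treyDns

# 2. Trust the partner's issuing CA so its AD FS certificates validate. Import
#    only that one root, and only into the Root store. (Assumed file path.)
Import-Certificate -FilePath 'C:\Certs\TreyResearch-RootCA.cer' -CertStoreLocation Cert:\LocalMachine\Root

# 6. Add Trey Research as a claims provider (account partner) from its
#    published metadata. The acceptance rule lets only the Group claim through;
#    the application's relying party trust then permits Group == Production
#    (slide 28's rule), which is task 9.
$acceptGroup = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept Group From Trey Research"
c:[Type == "$groupClaim"]
 => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name 'Trey Research' `
    -MetadataUrl "https://$treyAdfs/federationmetadata/2007-06/federationmetadata.xml" `
    -AcceptanceTransformRules $acceptGroup

# ============ TreyResearch.net side (account partner, its federation server) ============
# 1 and 2 mirrored: forwarder and CA trust for Adatum.com.
Add-DnsServerConditionalForwarderZone -Name 'Adatum.com' -MasterServers $adatumDns
Import-Certificate -FilePath 'C:\Certs\Adatum-RootCA.cer' -CertStoreLocation Cert:\LocalMachine\Root

# 7. Relying-party trust that points at A. Datum's AD FS rather than at a web
#    server. Emit a Group claim only for members of Production, identified by
#    SID so that renaming the group cannot change who is authorized.
$productionSid = (Get-ADGroup -Identity 'Production').SID.Value
$emitGroup = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Send Production Group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$productionSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$groupClaim", Value = "Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Every Trey Research user may request a token for A. Datum; the decision about
# who reaches the application is made by A. Datum's own authorization rules.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'A. Datum AD FS' `
    -MetadataUrl "https://$adatumAdfs/federationmetadata/2007-06/federationmetadata.xml" `
    -IssuanceTransformRules $emitGroup `
    -IssuanceAuthorizationRules $permitAll

# Review both ends.
Get-AdfsClaimsProviderTrust -Name 'Trey Research' | Select-Object Name, Identifier, Enabled
Get-AdfsRelyingPartyTrust   -Name 'A. Datum AD FS' | Select-Object Name, Identifier, Enabled
```

Because each trust is created from the partner's metadata, the token-signing certificate is learned from the metadata document; this is why the CA trust in task 2 matters, and it is the point of the first question in the lab review that follows.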
  37. Question
Why is there no need to configure certificate trusts between organizations when you use certificates from a trusted provider on the Internet?

Answer
In this lab, certificate trusts needed to be configured because the certificates were internally generated by each organization. The CA certificate for each organization was configured as trusted in the other organization so that the certificates issued by each organization would be trusted. If you use certificates from a trusted provider on the Internet, that provider is already trusted by the other organization. Consequently, certificates are automatically trusted. Note that on rare occasions, high-security environments may have chosen to remove trusted root certification authorities that are installed by default. Also, if updates to trusted root certification authorities are not applied, certificates issued by some public certification authorities may not be trusted.

Question
Could you have created authorization rules in Adatum.com and achieved the same result if you had instead created authorization rules in TreyResearch.net?

Answer
Yes. However, to allow the authorization rules to be configured at Adatum.com, the implementation of AD FS at TreyResearch.net must pass through the group membership claims to AD FS at Adatum.com.