Microsoft Press MCTS Training Kit 70-640: Configuring Windows Server 2008 Active Directory, part 10 (ppt)


Lesson 1: Understanding Active Directory Federation Services

[...] upgrade process automatically resets all these services, by default, to use the Network Service account. After the upgrade is complete, you can change the service back to the named service account you had previously assigned to it. Ideally, you will test the upgrade in a laboratory, perhaps a virtual laboratory, before you begin the process in your production networks.

PRACTICE Prepare an AD FS Deployment

In this practice, you will create a complex AD FS environment that will consist of several computers. The computers you need for this practice are outlined in the “Before You Begin” section of this chapter. Table 17-3 outlines the roles each domain and computer will play in your AD FS deployment. Begin by preparing the DNS in each forest and then move on to install the federation servers. Then install the federation service proxies in both forests and AD FS–enable the Web site in the resource forest.

IMPORTANT Perimeter networks
Note that this layout does not include perimeter networks. Perimeter networks require a complex TCP/IP configuration, which is not required for the purpose of this practice.
However, make sure that your AD FS deployments include proper server placement within perimeter networks as outlined in Lesson 1, “Understanding and Installing Active Directory Federation Services.”

Table 17-3 AD FS Computer Roles

Domain Name         Role
contoso.com         Account Domain
woodgrovebank.com   Resource Domain

Computer Name   Role
SERVER01        AD DS domain controller for contoso.com, the account domain
SERVER03        The federation server for contoso.com, the account domain
SERVER04        The Federation Service Proxy for contoso.com, the account domain
SERVER05        The SQL Server database server for the AD RMS deployment in contoso.com
SERVER06        AD DS domain controller for woodgrovebank.com, the resource domain
SERVER07        The federation server for woodgrovebank.com, the resource domain
SERVER08        The Federation Service Proxy and AD FS–enabled Web server for woodgrovebank.com, the resource domain

Exercise 1 Configure Cross-DNS References

In this exercise, you will configure the DNS servers in each forest to refer to the servers in the other forest. Because each forest is independent of the other, their DNS servers do not know about the other. To exchange information from one forest to the other, you need to implement cross-DNS references in each forest. The easiest way to do this is to use forwarders from one domain to the other and vice versa.

Make sure SERVER01 and SERVER06 are running.

1. Log on to SERVER01 with the domain Administrator account.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\DNS Server\DNS\SERVER01.
4. Right-click SERVER01 in the tree pane and select Properties.
5. Click the Forwarders tab and click Edit.
6. Type the IP address of SERVER06 and click OK twice.
7. Repeat the procedure in reverse on SERVER06; that is, add the SERVER01 IP address as a forwarder for SERVER06.
8. Test the operation by pinging each server from the other.
   For example, use the following command to ping SERVER01 from SERVER06:

   ping server01.contoso.com

   You should receive a response stating the IP address of SERVER01.

Exercise 2 Install the Federation Servers

In this exercise, you will install the federation servers. This involves the installation of the server role plus the required support services for the role.

Make sure SERVER01, SERVER03, SERVER06, and SERVER07 are running.

1. Log on to SERVER07 with the domain Administrator account.
   You do not need as high privileges as the domain administrator to install and work with AD FS, but using these credentials here facilitates the exercise. Local administrative privileges are all that are required to work with AD FS.
2. Launch Server Manager from the Administrative Tools program group.
3. Right-click the Roles node in the tree pane and select Add Roles.
4. Review the Before You Begin information and click Next.
5. On the Select Server Roles page, select Active Directory Federation Services and click Next.
6. Review the information about the role and click Next.
7. On the Select Role Services page, select Federation Service. Server Manager prompts you to add the required role services and features. Click Add Required Role Services. Click Next.
8. On the Choose A Server Authentication Certificate For SSL Encryption page, select Create A Self-Signed Certificate For SSL Encryption and click Next.
   In a production environment, you would need to request certificates from a trusted CA so that all your systems will work together through the Internet.
9. On the Choose A Token-Signing Certificate page, select Create A Self-Signed Token-Signing Certificate and click Next.
10. On the Select Trust Policy page, select Create A New Trust Policy and click Next.
    Make a note of the path used to save this trust policy. Your federation relationship will rely on this policy to work.
11.
    Review the information on the Web Server (IIS) page and click Next.
12. On the Select Role Services page, accept the default values and click Next.
13. On the Confirm Installation Selections page, review your choices and click Install.
14. When the installation is complete, click Close to close the installation wizard.
15. Repeat the same procedure for SERVER03.
    Note that because SERVER03 is a root CA, the operation is shorter. However, use the same settings as with SERVER07. This means relying on self-signed certificates wherever possible.

IMPORTANT Default Web Site
When the AD FS installation is complete, you must configure the Default Web Site in IIS with TLS/SSL security on both federation servers. This will be done in Lesson 2, “Configuring and Using Active Directory Federation Services.”

You begin with SERVER07 because it does not include any role and displays all the installation pages you would see when installing the AD FS role on a new server. Note that because SERVER03 already includes some server roles, the installation process on this server is shorter.

Exercise 3 Install the Federation Service Proxies

In this exercise, you will install the federation service proxies. This involves the installation of the server role plus the required support services for the role.

Make sure SERVER01, SERVER03, SERVER04, SERVER06, SERVER07, and SERVER08 are running.

1. Log on to SERVER08 with the domain Administrator account.
2. Launch Server Manager from the Administrative Tools program group.
3. Right-click the Roles node in the tree pane and select Add Roles.
4. Review the Before You Begin information and click Next.
5. On the Select Server Roles page, select Active Directory Federation Services and click Next.
6. Review the information about the role and click Next.
7. On the Select Role Services page, select Federation Service Proxy and click Add Required Role Services.
   Also, select AD FS Web Agents and click Next.
   Note that although you cannot add the Federation Service Proxy on the same server as the federation server, you can combine the FSP and the AD FS Web Agents role services.
8. On the Choose A Server Authentication Certificate For SSL Encryption page, select Create A Self-Signed Certificate For SSL Encryption and click Next.
   In a production environment, you would need to request certificates from a trusted CA so that all your systems will work together through the Internet.
9. On the Specify Federation Server page, type server07.woodgrovebank.com and click Validate.
   The validation should fail because you have not yet set up the trust relationship between each computer. This is done by exporting and importing the SSL certificates for each server through IIS. You will perform this task in Lesson 2.
10. Click Next.
11. On the Choose A Client Authentication Certificate page, select Create A Self-Signed Client Authentication Certificate and click Next.
12. Review the information on the Web Server (IIS) page and click Next.
13. On the Select Role Services page, accept the default values and click Next.
14. On the Confirm Installation Selections page, review your choices and click Install.
15. When the installation is complete, click Close to close the installation wizard.
16. Repeat the operation on SERVER04 in the contoso.com domain. When asked to input the federation server, type server03.contoso.com. Also, use self-signed certificates when prompted and do not install AD FS Web Agents on SERVER04. Its role is only that of an FSP because it is in the account organization.

You begin with SERVER08 because it does not include any role and displays all the installation pages you would see when installing the AD FS role on a new server. Note that because SERVER04 already includes some server roles, the installation process on this server is shorter.
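The cross-DNS references of Exercise 1, set up from the command line rather than the Forwarders tab, and verified with a DNS query instead of ping. This is an added example, not part of the training kit; it uses dnscmd.exe and nslookup as found on a Windows Server 2008 DNS server, the IP addresses are constructed placeholders, and it goes one step beyond the exercise by offering a conditional forwarder for the partner zone only, so that nothing but queries for the partner forest leaves your DNS server.

```powershell
# Added example (not from the training kit). Cross-forest DNS references for
# the AD FS lab of Table 17-3. The IP addresses are constructed placeholders.
$Forests = @(
    @{ DnsServer = 'SERVER01'; PartnerZone = 'woodgrovebank.com'; PartnerIp = '10.0.1.6' },  # SERVER06
    @{ DnsServer = 'SERVER06'; PartnerZone = 'contoso.com';       PartnerIp = '10.0.0.1' }   # SERVER01
)

function Add-PartnerForwarder {
    param([string]$DnsServer, [string]$PartnerZone, [string]$PartnerIp, [switch]$Global)
    if ($Global) {
        # What the exercise does in the GUI: every query the server cannot answer
        # itself goes to the partner's DNS server. Note that /ResetForwarders
        # replaces the whole forwarder list, it does not append to it.
        dnscmd $DnsServer /ResetForwarders $PartnerIp
    } else {
        # Narrower: a conditional forwarder (a zone of type Forwarder) sends only
        # queries for the partner's zone to the partner's DNS server; everything
        # else keeps using the server's existing forwarders or root hints.
        dnscmd $DnsServer /ZoneAdd $PartnerZone /Forwarder $PartnerIp
    }
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed on $DnsServer (exit code $LASTEXITCODE)" }
}

function Test-PartnerResolution {
    param([string]$Fqdn, [string]$DnsServer)
    # Step 8 of the exercise tests with ping. Querying the DNS server directly
    # separates a forwarding problem from a host or firewall problem.
    $answer = nslookup -type=A $Fqdn $DnsServer 2>&1 | Out-String
    if ($answer -match "Non-existent domain|can't find|timed out") {
        Write-Warning "$Fqdn does not resolve via $DnsServer"
        return $false
    }
    Write-Output "$Fqdn resolves via $DnsServer"
    return $true
}

foreach ($f in $Forests) {
    Add-PartnerForwarder -DnsServer $f.DnsServer -PartnerZone $f.PartnerZone -PartnerIp $f.PartnerIp
}
# Each forest's federation server (Table 17-3) must resolve through the other forest's DNS.
Test-PartnerResolution -Fqdn 'server07.woodgrovebank.com' -DnsServer 'SERVER01'
Test-PartnerResolution -Fqdn 'server03.contoso.com'       -DnsServer 'SERVER06'
```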
Exam Tip
Pay attention to the details of each installation type; they are covered on the exam.

Lesson Summary

■ AD FS extends your internal authentication store to external environments through identity federation and federation trusts.
■ Federation partnerships always involve a resource and an account organization. A resource organization can be a partner of several account organizations, but an account organization can be a partner with only a single resource organization.
■ AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity of both the server and the client during communications. Because of this, all communications occur through port 433 over HTTPS.
■ AD FS is a Web Services implementation that relies on standards-based implementations to ensure that it can interact with partners using different operating systems, for example, Windows, UNIX, and Linux.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Understanding and Installing Active Directory Federation Services.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

1. You are a systems administrator for Contoso, Ltd. Your organization already has a federation relationship with Woodgrove Bank, which was implemented using Federation Services with Windows Server 2003 R2. To improve security, you deployed the federation service with named accounts running the service. Now you’re ready to upgrade to AD FS, but when you perform the upgrade, you find out that the named account used to run the service has been removed and replaced with the Network Service account. Why did this happen?
   A.
      You cannot use named service accounts to run the AD FS service.
   B. The default service account used in an AD FS installation or upgrade is Network Service.
   C. Woodgrove has a policy that states that all federation services must run with the Network Service account.
   D. Microsoft prefers to use the Network Service account to run federation services and resets it as a best practice.

Lesson 2: Configuring and Using Active Directory Federation Services

As you saw in Lesson 1, servers in an AD FS relationship must rely on certificates to create a chain of trust between each other and to ensure that all traffic transported over the trust relationships is encrypted at all times. As discussed in Chapter 15, “Active Directory Certificate Services and Public Key Infrastructures,” the best way to ensure that this chain of trust is valid and is trusted in all locations is either to obtain certificates from a trusted third-party CA or obtain them through the creation of a linked AD CS implementation that uses a third-party CA as its root. This is only one aspect of the AD FS configuration that must be completed. When you deploy AD FS, you will want to configure your AD FS–aware applications, configure trust policies between partner organizations, and configure claims for your users and groups. Then, you can generally begin to run and manage AD FS.

MORE INFO AD FS operations
For more information on AD FS operations, look up “AD FS Operations Guide” at http://technet2.microsoft.com/windowsserver/en/library/007d4d62-2e2e-43a9-8652-9108733cbb731033.mspx?mfr=true.

After this lesson, you will be able to:
■ Manage AD FS certificates.
■ Finalize AD FS server configurations.
■ Work with AD FS trust policies.

Estimated lesson time: 40 minutes

Finalize the Configuration of AD FS

When you deploy AD FS, you must perform several activities to complete the configuration.
These activities include:

■ Configuring the Web service on each server to use SSL/TLS encryption for the Web site that is hosting the AD FS service.
■ Exporting certificates from each server and importing them into the other servers that form the relationship. For example, the federation server’s token-signing certificate must be installed as a validation certificate in the other servers in the trust relationship to support the AD FS security token exchange processes.
■ Configuring IIS on the servers that will host the claims-aware applications. These servers must use HTTPS for application-related communications.
■ Creating and configuring the claims-aware applications you will be hosting.
■ Configuring the federation servers in each partner organization. This involves several steps, which include:
  ❑ In an account organization, configuring the trust policy, creating claims for your users, and, finally, configuring the AD DS account store for identity federation.
  ❑ In a resource organization, configuring the trust policy, creating claims for your users, configuring an AD DS account store for identity federation, and then enabling a claims-aware application.
■ Creating the federation trust to enable identity federation. This also involves several steps:
  ❑ Exporting the trust policy from the account organization and importing it into the resource organization
  ❑ Creating and configuring a claim mapping in the resource organization
  ❑ Exporting the partner policy from the resource organization and importing it into the account organization

Much of this effort is related to certificate mapping from one server to another. One important factor is the ability to access the roots or at least the Web sites hosting the Certificate Revocation Lists (CRLs) for each certificate. As discussed in Chapter 15, CRLs are the only way you can tell a member of a trust chain whether a certificate is valid.
If it is supported, you can use the Microsoft Online Responder service (OCSP) from AD CS to do this as well. In AD FS, CRL checking is enabled by default. CRL checking is mostly performed for the security token signatures, but it is good policy to rely on it for all digital signatures.

Using and Managing AD FS

When the configuration of the identity federation is complete, you will move on to regular administration and management of the AD FS services and server roles. You will rely on the Active Directory Federation Services console in Server Manager to perform these tasks. Administration tasks will include:

■ Configuring the federation service or federation server farm. Remember that you can have up to three farms in an AD FS deployment:
  ❑ A federation server farm that includes several servers hosting the same role
  ❑ A Federation Service Proxy farm
  ❑ A claims-aware application server farm running IIS
■ Managing the trust policy that is associated with the federation service by:
  ❑ Administering account stores in either AD DS or AD LDS.
  ❑ Managing the account partners, resource partners, or both that trust your organization.
  ❑ Managing claims on federation servers.
  ❑ Managing certificates used by federation servers.
  ❑ Managing certificates in AD FS–protected Web applications.

Because AD FS relies so heavily on IIS, many of the federation server settings that are configured in the Active Directory Federation Services node of Server Manager are stored in the Web.config file located in the Federation Service virtual directory in IIS. Other configuration settings are stored in the trust policy file. As with other IIS settings, the Web.config file can easily be edited directly because it is nothing more than a text file. The settings you can control through the Web.config file include:

■ The path to the trust policy file.
■ The local certificate used for signing tokens.
■ The location of the ASP.NET Web pages supporting the service.
■ The debug logging level for the service as well as the path to the log files directory.
■ The ability to control the access type, for example, anonymous access, to group claims you prepare for the organization.

After editing the Web.config file, you can publish it to other servers requiring the same configuration settings. After IIS has been reset, the new configuration will take effect. However, the trust policy file should never be edited manually. This file should always be edited through the controls in the AD FS console or through programmatic settings that rely on the AD FS object model.

MORE INFO AD FS object model
For more information on scripting support and the AD FS object model, see http://msdn2.microsoft.com/en-us/library/ms674895.aspx.

When you work with FSPs, you can rely on the AD FS console to configure:
■ The federation service with which the FSP is working.
■ The manner in which the FSP will collect user credential information from browsers and Web applications.

The settings configured for Federation Service Proxies are also stored in a Web.config file, much like the federation server settings. However, because the FSP does not include a trust policy file, all its settings are stored within its Web.config file. These include:
■ The Federation Service URL.
■ The client authentication certificate to be used by the Federation Service Proxy for TLS/SSL-encrypted communications with the federation service.
■ The ASP.NET Web pages supporting the service.

Preparing and putting in place an identity federation through AD FS requires care and planning. Because of this, take the time to practice and prepare thoroughly in a laboratory before you move this technology into production.

PRACTICE Finalizing the AD FS Configuration

In this practice, you will finalize the AD FS installation you performed in Lesson 1.
You will need to rely on the same computers you used in that practice. Begin by configuring the IIS server on each of the federation servers and then map certificates from one server to the other and configure the Web server. You can also create and configure the Web application that will be claims-aware. Then configure the federation servers for each partner organization. You finish the AD FS configuration by creating the federation trust.

Exercise 1 Configure SSL for the Federation Servers and the FSPs

In this exercise, you will configure IIS to require SSL on the Default Web Site of the federation servers and the Federation Service Proxies.

Make sure that all servers are running. This includes SERVER01, SERVER03, SERVER04, SERVER05, SERVER06, SERVER07, and SERVER08.

1. Log on to SERVER03 with the domain Administrator account.
   You do not need domain administrative credentials; in fact, you need only local administrative credentials to perform this task, but using the domain Administrator account facilitates this exercise.
2. Launch Internet Information Services (IIS) Manager from the Administrative Tools program group.
3. Expand Servername\Sites\Default Web Site.
4. In the details pane, in the Features view, move to the IIS section and double-click SSL Settings.
5. On the SSL Settings page, select the Require SSL check box.
   In a production environment, you can also require 128-bit SSL, which is more secure than the default setting but requires additional processing overhead. For the purposes of this practice, the default setting is sufficient.
6. Under Client Certificates, select Accept, and then click Apply in the Actions pane.
7. Repeat this procedure on SERVER04, SERVER07, and SERVER08.

All your AD FS servers are now configured to rely on SSL-encrypted communications.
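The SSL setting of steps 4 to 6, applied with appcmd.exe so that it can be repeated identically on SERVER03, SERVER04, SERVER07, and SERVER08 and read back afterwards to confirm that plain HTTP is no longer accepted. This is an added example, not from the training kit; appcmd.exe ships with IIS 7 on Windows Server 2008, and the site name is the Default Web Site the exercise configures.

```powershell
# Added example (not from the training kit): Require SSL + Accept client
# certificates on the Default Web Site via appcmd.exe (IIS 7), then verify.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'

function Set-SiteSslFlags {
    param([string]$SiteName, [string]$Flags)
    # sslFlags is a comma-separated set of: Ssl (Require SSL), SslNegotiateCert
    # (Client Certificates: Accept), SslRequireCert (Client Certificates: Require),
    # Ssl128 (Require 128-bit SSL). -commit:apphost writes applicationHost.config.
    & $appcmd set config $SiteName -section:system.webServer/security/access `
        "-sslFlags:$Flags" -commit:apphost | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for $SiteName (exit code $LASTEXITCODE)" }
}

function Get-SiteSslFlags {
    param([string]$SiteName)
    # Read the effective setting back; appcmd prints the <access sslFlags="..." /> element.
    $xml = & $appcmd list config $SiteName -section:system.webServer/security/access | Out-String
    $m = [regex]::Match($xml, 'sslFlags="([^"]*)"')
    if ($m.Success) { return $m.Groups[1].Value } else { return 'None' }
}

# The exercise's choice: Require SSL, Client Certificates = Accept.
Set-SiteSslFlags -SiteName $site -Flags 'Ssl,SslNegotiateCert'

# Production variant mentioned in step 5: additionally require 128-bit SSL.
# Set-SiteSslFlags -SiteName $site -Flags 'Ssl,SslNegotiateCert,Ssl128'

$flags = Get-SiteSslFlags -SiteName $site
if (($flags -split ',') -contains 'Ssl') {
    Write-Output "$site requires SSL (sslFlags=$flags)"
} else {
    Write-Warning "$site does NOT require SSL (sslFlags=$flags); plain HTTP is still accepted"
}
```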
Exercise 2 Export and Import Certificates

One of the most important factors in setting up federation partnerships is the integration of the certificates from each server to link each server with the ones it needs to communicate with. To do so, you need to perform several tasks.

■ Create a file share that each server can access to simplify the transfer of certificate files from one server to another.
■ Export the token-signing certificate from the account federation server (SERVER03) to a file.
■ Export the server authentication certificate of the account federation server (SERVER03) to a file.
■ Export the server authentication certificate of the resource federation server (SERVER07) to a file.
■ Import the server authentication certificate for both federation servers.
■ Export the client authentication certificate of the account Federation Service Proxy (SERVER04) to a file.
■ Export the client authentication certificate of the resource Federation Service Proxy (SERVER08) to a file.
■ Import the client authentication certificate on the respective federation servers.

First, you need to create the file share you will use to store the certificates.

1. Log on to SERVER03 with the domain Administrator account.
2. Launch Windows Explorer and move to the C drive. Create a new folder and name it Temp.
3. Right-click the Temp folder and select Share.
4. In the File Sharing dialog box, select Everyone in the drop-down list, click Add, and from the Permission Level column, assign the Contributor role to Everyone.
5. Click Share. Your shared folder is ready.

Proceed to the export of the security token-signing certificate.

6. Log on to SERVER03 with the domain Administrator account.
7. Launch Active Directory Federation Services from the Administrative Tools program group.
8. Right-click Federation Service and select Properties. On the General tab, click View.
9. Click the Details tab and click Copy To File.
10.
    On the Welcome To The Certificate Export Wizard page, click Next.
11. On the Export Private Key page, select No, Do Not Export The Private Key and click Next.
    You do not export the private key file because you are creating a validation certificate that consists only of the certificate’s public key.
12. On the Export File Format page, ensure that DER Encoded Binary X.509 (.CER) is selected and click Next.
13. On the File To Export page, type C:\Temp\SERVER03TokenSigning.cer and click Next.
    This token-signing certificate will be imported to SERVER07 when the Account Partner Wizard prompts you for the Account Partner Verification Certificate. You can then use the shared TEMP folder to obtain this file over the network.
14. On the Completing The Certificate Export Wizard page, verify the information and click Finish. Click OK when you get the Certificate Export Was Successful message. Click OK twice to close the Federation Service property sheet.

[...]

[Figure 17-7 Preparing certificate mappings for AD FS. Figure not reproduced; its labels are Certificate, Server Authentication, and Client Authentication.]

Table 17-4 AD FS Certificate Mappings

Server Name   Certificate to Export        Certificate Name            Location to Import
SERVER03      Token Signing                SERVER03TokenSigning.cer    SERVER07
SERVER03      SSL Server Authentication    SERVER03SSL.cer             SERVER04
SERVER04      SSL Client Authentication    SERVER04SSL.cer             SERVER03
SERVER07      SSL Server Authentication    SERVER07SSL.cer             SERVER08
SERVER08      SSL Client Authentication    SERVER08SSL.cer             SERVER07

So that successful communications can occur between both of the federation servers (SERVER03 and SERVER07) and their respective FSPs (SERVER04 and SERVER08) as well as with the Web server (SERVER08), each server must trust the root of the federation servers. Because you use self-signed certificates in this practice, [...]

Exercise 3 Export the SSL Server and Client Certificates

Beginning with SERVER03, you will export the SSL server and client authentication certificates to a file on each server.

1. Log on to SERVER03 with domain Administrator credentials. [...]

[...] Table 17-4 to see which certificate must be imported where. For each of the other servers, go to the shared TEMP folder on SERVER03 to obtain the certificate. Your certificate mappings are complete.

Exercise 5 Configure the Web Server

To set up a claims-aware application on a Web server, you need to configure IIS and create a claims-aware application. [...] To create the three files that make up the sample claims-aware application, use the procedure called “Creating the Sample Claims-aware Application” from http://207.46.196.114/windowsserver2008/en/library/5ae6ce09-4494-480b-8816-8897bde359491033.mspx. After these files are created, copy them into the C:\Inetpub\Wwwroot\Claimapp folder.

[...] exercises outlined in the Microsoft Step-by-Step Guide for Active Directory Federation Services, which is available at http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en. Keep in mind that it is not recommended to install AD FS on an AD DS domain controller even though this is the method used in the step-by-step guide on the Microsoft Web site. [...]

Answers (fragments)

[...] not supported on Server Core.
   B. Incorrect: AD FS is not supported on Server Core.
   C. Incorrect: AD RMS is not supported on Server Core.
   D. Correct: AD CS is not supported on Server Core, so you must reinstall the server with the full installation of Windows Server 2008.

Chapter 1: Case Scenario Answers
Case Scenario: Creating an Active Directory Forest

1. Yes. Server Core supports Active Directory Domain Services [...] exist, the Active Directory Installation Wizard will install and configure DNS service on the domain controller.
2. Correct Answer: D
   A. Incorrect: Windows Server 2008 forest functional level requires that all domains operate at Windows Server 2008 domain functional level. Because the Litware domain might include Windows Server 2003 domain controllers, that domain must remain at the Windows Server 2003 domain [...] remain at Windows Server 2003 forest functional level.
   B. Incorrect: Windows Server 2008 forest functional level requires that all domains operate at Windows Server 2008 domain functional level. Because the Litware domain might include Windows Server 2003 domain controllers, that domain must remain at the Windows Server 2003 domain functional level. Therefore, the forest must also remain at Windows Server [...]
   C. Incorrect: A domain operating at Windows Server 2008 domain functional level cannot include Windows Server 2003 domain controllers.
   D. Correct: The Litware domain might include Windows Server 2003 domain controllers and, therefore, must operate at Windows Server 2003 domain functional level. The forest functional level cannot be raised until all domains are operating at Windows Server 2008 domain functional level.
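The export of Exercise 2 (steps 10 to 14) and the import of an SSL server authentication certificate from Table 17-4, scripted with the .NET X509 classes available to PowerShell 2.0 on Windows Server 2008. This is an added example, not from the training kit; the thumbprint is a placeholder to be read from the exporting server's store, the share is the \\SERVER03\Temp folder created in the exercise, and importing into the Trusted Root Certification Authorities store is an assumption that applies to the self-signed SSL certificates only (the token-signing and client authentication certificates are handed to the AD FS console instead, as the exercise describes).

```powershell
# Added example (not from the training kit): export only the public part of a
# certificate (DER .cer, no private key) and import it on the partner server,
# checking that no private key travelled and that the thumbprint is unchanged.
# The thumbprint is a placeholder; \\SERVER03\Temp is the share from Exercise 2.
$Share = '\\SERVER03\Temp'

function Export-ValidationCertificate {
    param([string]$Thumbprint, [string]$Path)
    $tp    = ($Thumbprint -replace '\s', '').ToUpper()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $cert) { throw "No certificate $tp in LocalMachine\My" }
        # X509ContentType.Cert is the bare DER-encoded certificate: public key and
        # signature only. The private key never leaves this machine, which is what
        # "No, Do Not Export The Private Key" in step 11 guarantees.
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($Path, $der)
        return $cert.Thumbprint
    } finally { $store.Close() }
}

function Import-ValidationCertificate {
    param([string]$Path, [string]$ExpectedThumbprint, [string]$StoreName = 'Root')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Two checks before trusting anything taken from a share that Everyone can
    # write to (step 4 gave Everyone the Contributor role): the file must carry
    # no private key, and it must be the certificate the exporting server wrote.
    if ($cert.HasPrivateKey) { throw "$Path contains a private key; refusing to import" }
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for $Path: expected $expected, got $($cert.Thumbprint)"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# Row 2 of Table 17-4: SERVER03's SSL server certificate goes to SERVER04.
# On SERVER03 (list thumbprints with: certutil -store My):
$tp = Export-ValidationCertificate -Thumbprint '<SERVER03 SSL thumbprint>' -Path "$Share\SERVER03SSL.cer"
# On SERVER04, with the thumbprint obtained out of band rather than read from the share:
Import-ValidationCertificate -Path "$Share\SERVER03SSL.cer" -ExpectedThumbprint $tp -StoreName 'Root'
```

For a CA-issued certificate, certutil -verify -urlfetch <file.cer> reports whether the CRL distribution points it names are reachable, which the CRL-checking discussion in this lesson makes a prerequisite; a self-signed certificate names none, so CRL checking can neither fail it nor revoke it.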

Posted: 09/08/2014, 11:21
