Windows Server 2008 R2 : Active Directory federation services (part 3) - Install Web agent for claims aware Web application, Configure ADFS certificates

2.2 Install Web agent for claims aware Web application

The next task we need to complete when setting up ADFS is to configure our Web application to support claims-based authentication. This is done by adding the ADFS Web agent. The Web agent comes in two forms:

• Claims-Aware Agent—The claims-aware agent is used for applications that support claims-based authentication natively. If your Web application has been developed to support claims authentication, you should install this agent.

• Windows Token-based Agent—The Windows token agent is used to support applications that are not natively capable of supporting claims-based authentication. Using the Windows token-based agent, traditional Windows-based authentication Web sites can be set up to work with ADFS. If you are using a Windows token agent, you will want to set up the ADFS server prior to installing the Web agent as you will be asked to specify the name of the ADFS server when adding the Web agent role service.

To install the Web agent, perform the following tasks:

1. Log on to the Web application server and open Server Manager.

2. Select the Roles node, then click the Add Roles link in the middle pane.

3. Click Next to begin.

4. Select the Active Directory Federation Services role and click Next.

5. On the Introduction page, click Next.

6. Select the Claims-aware Agent (see Figure 7), then click Next.

   

   Figure 7 Claims-aware Agent Role Service.

7. On the Confirmation page, click Install to install the Web agent.

8. After the installation completes, click Close.

2.3 Configure ADFS certificates

Now that we have installed all of the ADFS components, we need to ensure that all proper components trust the correct certificate chains or single certificates since we have used self-signed certificates in this example deployment. Some of the following steps would be unnecessary in a production deployment where a trust CA was used. Complete the following steps to complete the certificate setup process for ADFS.

The first step is to create a self-signed server authentication certificate for the Web application server (web1.extranet.syngress.net). If you remember, the server authentication certificates for both ADFS servers were created when adding the role to each of those servers. To create the server authentication certificate for the Web server, perform the following tasks:

1. Open Server Manager.

2. Select the node Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.

3. In the middle pane, select the Web server node (WEB1) and then open the Server Certificates option (see Figure 8).

   

   Figure 8 Web Server Configuration options.

4. In the right Actions pane, click the link to Create Self-Signed Certificate (see Figure 9).

   

   Figure 9 Create a new Self-Signed Certificate.

5. In the dialog box requesting a friendly name, enter web1 self signed, then click OK.

6. Select the Default Website (or Web site hosting your claims aware application) in the middle pane of the IIS Management console.

7. Click the Bindings link in the right Action pane.

8. Click Add to create a new binding in the Site Bindings window.

9. Select a type of https and select the self-signed certificate you just created (see Figure 10), then click OK.

   

   Figure 10 Add SSL Binding to Web application.

10. Open the SSL settings of the Web site and choose the options to Require SSL and to Accept client certificates.

We now need to export the server authentication certificate and the token-signing certificate from the ADFS server in the extranet so that it can be imported to the trusted certificates store on the Web server. Additionally, we need to export the token-signing certificate from the ADFS server on the internal LAN (dc1.syngress.com). This certificate will be used while configuring the ADFS servers.

To export the token-signing certificate from the internal LAN ADFS server (dc1.syngress.com), perform the following tasks:

1. Log on to the internal ADFS server (dc1.syngress.com).

2. Open Server Manager.

3. Expand the node Roles | Active Directory Federation Services.

4. Right-click on the Federation Service node and choose Properties.

5. From the General tab, click the View button from the Token-signing Certificate section of the window (see Figure 11).

   

   Figure 11 Federation Service properties.

6. Select the Details tab from the Certificate window and click Copy to file (see Figure 12).

   

   Figure 12 Certificate properties.

7. Click Next to begin the Certificate Export Wizard.

8. Select the No, do not export the private key option and click Next.

9. Accept the default export format of DER encoded binary X.509 (.CER), then click Next.

10. Enter a path and filename to export the certificate, then click Next.

11. Click Finish to export the certificate. You should receive a confirmation dialog informing you that the export was successful.

Copy the certificate file to the extranet ADFS server (dc2.extranet.syngress.net) for use during ADFS setup.

To export the server authentication certificate from the extranet ADFS server, perform the following tasks:

1. Log on to the extranet ADFS server (dc2.extranet.syngress.net) and open Server Manager.

2. Select the node Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.

3. In the middle pane, select the Web server node (DC2) and then open the Server Certificates option.

4. In the middle pane, right-click the dc2.extranet.syngress.net certificate and choose Export. Enter a patch to save the certificate and a password to protect the private key (see Figure 13), then click OK.

   

   Figure 13 Exporting a Server Certificate.

You now need to copy the certificate to the Web server (Web1). We will then import the certificate to the computer's trusted certificate store. After copying the certificate to the Web server, perform the following tasks:

1. Open a new mmc console by clicking Start | Run and typing mmc and then clicking the OK button.

2. You now need to add the certificates snap-in by clicking File | Add/Remove Snap-in.

3. Select the Certificates snap-in and choose Add. When prompted for the type of account to manage certificates, select Computer Account and then click Next.

4. Select Local Computer for the computer to manage, then click Finish.

5. Click OK to close the add/remove snap-ins window.

6. Expand the Certificates node, then right-click on the Trusted Root Certificate Authorities node and choose All Tasks | Import.

7. Click Next to start the Certificate Import Wizard.

8. Enter the path and file name of the exported server certificate from the extranet ADFS server (dc2.extranet.syngress.net) as seen in Figure 14; then click Next.

   

   Figure 14 Import Certificate Wizard.

9. Enter the password you previously assigned to protect the certificate's private key, then click Next.

10. Ensure that the import location Trusted Root Certificate Authorities is selected and click Next.

11. Click Finish to import the certificate. You should receive a confirmation dialog box that the import was successful.