Windows Server 2008 R2 : Active Directory federation services (part 4) - Complete ADFS server configuration

2.4 Complete ADFS server configuration

We now need to complete the configuration of the ADFS servers and assign permissions. In this section, we will configure a trust policy for each ADFS server, set up group claims to provide access to the application, and configure connectivity to each AD forest from the respective ADFS server. During the configuration, we will refer to the internal ADFS server as the account federation server because users on this side of the federated trust will be accessing resources in the extranet. We will refer to the extranet federation server as the resource federation server because users will access the Web application on this side of the federated trust.

We first need to configure the account federation server (dc1.syngress.com). This involves configuring the trust policy, exporting the trust policy so it can later be imported on the resource federation server, and connecting the ADFS server to the internal AD forest by creating an account store. To configure the account federation server, perform the following tasks:

  1. Log on to the account federation server (dc1.syngress.com) and open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service.

  3. Right-click the Trust Policy node and select Properties.

  4. We now need to create the federation URI that will be used to uniquely identify this service. In the Federation Service URI text box, type urn:federation:syngress (see Figure 15). Note that the URI is case sensitive.

    Figure 15 Trust policy properties.

  5. The federation service endpoint URL should already be prepopulated with a URL that points to the ADFS server. If it correctly points to the ADFS server, accept the default URL and then click the Display Name tab.

  6. Enter a meaningful name to identify this trust policy, for example, Account Domain (Syngress.com), then click OK.

You now need to export the trust policy so that it can later be imported on the resource federation server. To export the trust policy from the account ADFS server, perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service.

  3. Right-click on the Trust Policy node and select the option Export Basic Partner Policy.

  4. In the Export Basic Partner Policy dialog box, browse to the path and enter a file name for the policy to be exported, for example, C:\dc1.syngress.com_trustpolicy.xml, then click OK.

  5. Copy the trust policy file to the resource federation server.

You now need to create a group claim on the account federation server. This group claim will be used to provide access to the claims application via the resource federation server. To create the group claim, perform the following tasks on the account ADFS server (dc1.syngress.com):

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.

  3. Right-click the Organization Claims node and select New | Organization Claim.

  4. Enter a name for the claim, for example, Syngress Claim, then click OK.

We now need to connect the account ADFS server (dc1.syngress.com) with the internal AD domain. This is done by creating an Account Store on the ADFS server. To create an account store, perform the following tasks on dc1.syngress.com:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.

  3. Right-click on the Account Store node and choose New | Account Store. This will launch the Add Account Store Wizard.

  4. Click Next to begin.

  5. Choose the option Active Directory Domain Services and click Next.

  6. Ensure that the option to Enable this account store is selected and click Next.

  7. Click Finish to create the account store.

We now need to map an AD global group to the group claim that we previously created. This group is how you will provide users access to the application in the extranet. Any user added to the group mapped to the group claim will be given SSO access to the extranet Web application. To create the group-to-group claim mapping, perform the following tasks on the account federation server (dc1.syngress.com):

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization | Account Stores.

  3. Right-click Active Directory and select New | Group Claim Extraction.

  4. Click Add to add an AD global group and then select the claim to map the group to (see Figure 16), for example, the Syngress Claim set up previously. Then click OK.

    Figure 16 New Group Claim Extraction.

We have now successfully set up the account ADFS server and now need to configure the resource ADFS server (dc2.extranet.syngress.net). To configure the resource federation server, perform the following tasks:

  1. Log on to the server dc2.extranet.syngress.net.

  2. Open Server Manager.

  3. Expand the nodes Roles | Active Directory Federation Services | Federation Service.

  4. Right-click on the Trust Policy node and select Properties.

  5. On the General tab, enter a federation service URI in the text box. For example, urn:federation:resource. Remember the URI is case sensitive.

  6. Verify that the Federation service endpoint URL points to the ADFS server (https://dc2.extranet.syngress.net/adfs/ls) as seen in Figure 17. Then click the Display Name tab.

    Figure 17 Trust Policy properties.

  7. Enter a meaningful name for the trust policy, for example, Resource Domain Policy (Syngress Extranet), then click OK.

This will configure the resource trust policy. You should now export this policy using the same steps you used to export the policy for the account federation server. After exporting the policy, copy it to the account federation server (dc1.syngress.com).

We now need to create a group claim for the resource side. To create the group claim, perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.

  3. Right-click the Organization Claims node and select New | Organization Claim.

  4. Enter a meaningful name for the claim, for example, Extranet Claim, then click OK.

After creating the group claim, we need to add the AD account store. Follow the same steps as you did for the account federation server to add the extranet domain account store. After adding the account store, you will need to add the claims-aware Web application to the extranet ADFS server. To do this, perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.

  3. Right-click on Applications and select New | Application. This will launch the Add Application Wizard. Click Next to begin.

  4. Select the option Claims-aware application and then click Next.

  5. Enter a descriptive name and the secure URL for the Web application (see Figure 18), then click Next.

    Figure 18 Application Details.

  6. Select the type of identity claim that you want to use with the application. In most cases, you will want to use the User Principal Name (UPN) option. Select the UPN option and then click Next.

  7. Ensure that Enable this application is selected, then click Next.

  8. Click Finish to complete the Add Application Wizard.

  9. You now need to enable the claim for the application. Select the newly created application (Extranet Application) under the applications node.

  10. Right-click the Extranet Claim and choose Enable (see Figure 19).

    Figure 19 Enable Extranet Claim for Extranet Application.

We are now ready to import the trust policy from one ADFS server to the other. You should have already exported each trust policy and copied it to the other server. On the account ADFS server, we will be importing the trust policy for a new resource partner and on the resource ADFS server, we will be importing the trust policy for a new account partner. To import the trust policy on the account ADFS server (dc1.syngress.com), perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations.

  3. Right-click the Resource Partners node and select New | Resource Partner. This will launch the Add Resource Partner Wizard. Click Next to begin.

  4. Select Yes to indicate that you have a Resource Partner Policy file.

  5. Browse to the policy file that you copied from the resource ADFS server (see Figure 20), then click Next.

    Figure 20 Import Partner Trust Policy File.

  6. Verify the resource partner details and click Next.

  7. Choose the option Federated Web SSO. If an AD trust relationship had been set up between the two forests, you would choose the option Federated Web SSO with Forest Trust. Since there is no pre-established trust relationship, choose the Federated Web SSO option, then click Next.

  8. Verify that the UPN Claim and Email Claim options are selected and then click Next.

  9. Select the option to replace all UPN suffixes with following and then enter the internal domain name, syngress.com. Then click Next.

  10. Select the option to replace all email suffixes with the following and then enter the internal domain name, syngress.com. Then click Next.

  11. Verify that the option to Enable this resource partner is selected and then click Next.

  12. Click Finish to complete the import of the trust policy.

You now need to add the trust policy for the account ADFS server to the resource ADFS server (dc2.extranet.syngress.net). To import the policy, log on to the server dc2.extranet.syngress.net and perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations.

  3. Right-click on the Account Partners node and select New | Account Partner. This will launch the Add Account Partner Wizard. Click Next to begin.

  4. Select Yes to indicate that you have an Account Partner Policy File.

  5. Browse to the trust policy file that was exported from the account partner (see Figure 21), then click Next.

    Figure 21 Import Policy File.

  6. Verify that the partner details point to the account partner, dc1.syngress.com, then click Next.

  7. Ensure that the option to Use the verification certificate in the policy file is selected and then click Next.

  8. Select the Federated Web SSO option, then click Next.

  9. Ensure that the options to use UPN claim and Email claim are selected, then click Next.

  10. Add the domain syngress.com to the accepted UPN suffixes (see Figure 22), then click Next.

    Figure 22 Accepted UPN Suffixes.

  11. Add the domain syngress.com to the accepted Email suffixes, then click Next.

  12. Ensure that the option to Enable this account partner is selected, then click Next.

  13. Click Finish to complete the Add Account Partner Wizard.

We now simply need to link the two claim mappings, Syngress Claim and Extranet Claim. This is done by logging on to the resource ADFS server (dc2.extranet.syngress.net) and performing the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | Partner Organizations | Account Partners.

  3. Right-click the new account partner you just set up and select the option New | Incoming Group Claim Mapping (see Figure 23).

    Figure 23 Create a New Group Claim Mapping.

  4. Enter the name of the group claim that was set up on the account federation server (Syngress Claim) in the Incoming Group claim name field and select Extranet Claim from the Organization Group Claim drop-down list (see Figure 24). Then click OK.

    Figure 24 Group Claim Mapping settings.

Finally, we need to map the Extranet Claim to a global group in the extranet AD forest. You will then configure your application to allow this group access. To map the extranet claim to a resource group, perform the following tasks:

  1. Open Server Manager.

  2. Expand the nodes Roles | Active Directory Federation Services | Federation Service | Trust Policy | My Organization.

  3. Select the Organization Claims node, right-click the Extranet Claim in the middle pane and select Properties.

  4. Select the Resource Group tab in the Group Claim Properties window.

  5. Select the option Map this claim to the following resource group and then browse to the resource group you want to add (see Figure 25). Then click OK.

    Figure 25 Group Claim Properties.

You should now be able to give domain users in the syngress.com domain access to the extranet application simply by granting the mapped global group in the extranet.syngress.net domain access to the application: membership of the syngress.com group mapped to Syngress Claim flows across the federation trust into Extranet Claim and from there into the resource group.
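To see how the settings made across this section fit together, here is an added example (not from the original page and not ADFS code) that models, in Python, how the resource federation server treats one incoming token: the account partner URI check, the accepted UPN and Email suffix checks from the Add Account Partner Wizard, the Incoming Group Claim Mapping, the claims enabled for the application, and the Resource Group mapping. The policy values mirror the ones used in the text; the token layout and the extranet group name EXTRANET\ExtranetAppUsers are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ResourcePolicy:
    """Resource-side settings; values mirror those configured on dc2.extranet.syngress.net."""
    account_partner_uri: str        # Federation Service URI of the account partner (case sensitive)
    accepted_upn_suffixes: set      # Accepted UPN Suffixes page of the Add Account Partner Wizard
    accepted_email_suffixes: set    # Accepted Email Suffixes page
    incoming_group_map: dict        # Incoming Group Claim Mapping: incoming claim -> organization claim
    resource_groups: dict           # Group Claim Properties, Resource Group tab: org claim -> AD group
    app_enabled_claims: dict        # organization claims enabled per application

def suffix_accepted(address, accepted):
    """True only if the part after the last '@' is one of the accepted DNS suffixes."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1].lower() in {s.lower() for s in accepted}

def process_token(policy, issuer_uri, upn, email, group_claims, app):
    """Model the resource federation server's handling of one incoming token."""
    if issuer_uri != policy.account_partner_uri:      # exact match: URIs are case sensitive
        return {"allowed": False, "reason": "unknown account partner", "groups": set()}
    if not suffix_accepted(upn, policy.accepted_upn_suffixes):
        return {"allowed": False, "reason": "UPN suffix not accepted", "groups": set()}
    if not suffix_accepted(email, policy.accepted_email_suffixes):
        return {"allowed": False, "reason": "email suffix not accepted", "groups": set()}
    # Incoming group claims without a mapping are dropped, never passed through by name.
    org_claims = {policy.incoming_group_map[g] for g in group_claims
                  if g in policy.incoming_group_map}
    # Only organization claims that were enabled for this application reach it.
    org_claims &= policy.app_enabled_claims.get(app, set())
    groups = {policy.resource_groups[c] for c in org_claims if c in policy.resource_groups}
    return {"allowed": True, "reason": "", "groups": groups}

# Constructed policy matching the page's values; the resource group name is hypothetical.
SYNGRESS_POLICY = ResourcePolicy(
    account_partner_uri="urn:federation:syngress",
    accepted_upn_suffixes={"syngress.com"},
    accepted_email_suffixes={"syngress.com"},
    incoming_group_map={"Syngress Claim": "Extranet Claim"},
    resource_groups={"Extranet Claim": "EXTRANET\\ExtranetAppUsers"},
    app_enabled_claims={"Extranet Application": {"Extranet Claim"}},
)

if __name__ == "__main__":
    print(process_token(SYNGRESS_POLICY, "urn:federation:syngress", "alice@syngress.com",
                        "alice@syngress.com", ["Syngress Claim"], "Extranet Application"))
```

A token whose issuer URI differs only in case, or whose UPN carries a suffix outside the accepted list, is rejected before any group mapping happens, which is why the case-sensitive URI and the suffix lists deserve a second look when SSO silently fails.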
