Active Directory Federation Services (ADFS)

10/10/2010 4:25:15 PM
Federation Services were originally introduced in Windows Server 2003 R2. F provides an identity access solution, and AD Federation Services provides authenticated access to users inside (and outside) an organization to publicly (via the Internet) accessible applications. Federation Services provides an identity management solution that interoperates with WS-* Web Services Architecture–enabled security products. WS-Federation Passive Requestor Profile (WS-F PRP) also makes it possible for federation to work with solutions that do not use the Microsoft standard of identity management. The WS-Federation specification defines an integrated model for federating identity, authentication, and authorization across different trust realms and protocols. This specification defines how the WS-Federation model is applied to passive requestors such as Web browsers that support the HTTP protocol. WS-Federation Passive Requestor Profile was created in conjunction with some pretty large companies, including IBM, BEA Systems, Microsoft, VeriSign, and RSA Security.

What Is Federation?

As we described earlier in this chapter, federation is a technology solution that makes it possible for two entities to collaborate in a variety of ways. When servers are deployed in multiple organizations for federation, it is possible for corporations to share resources and account management in a trusted manner. Earlier in this chapter, we were discussing Active Directory Rights Management Server. This is just one way companies can take advantage of FS. With ADFS, partners can include external third parties, other departments, or subsidiaries in the same organization.

Why and When to Use Federation

Federation can be used in multiple ways. One product that has been using federation for quite some time is Microsoft Communication Server (previously, Live Communication Server 2005, now rebranded as Office Communication Server 2007). Federation is slightly different in this model, where two companies can federate their environments for the purposes of sharing presence information. This makes it possible for two companies to securely communicate via IM, Live Meeting, Voice, and Video. It also makes it possible to add “presence awareness” to many applications, including the Office suite, as well as Office SharePoint Server. If you want to know more about OCS and how federation works for presence, we recommend How to Cheat at Administering Office Communication Server 2007, also by Elsevier.

A little closer to home, Federation Services can also be used in a variety of ways. Let’s take an extranet solution where a company in the financial service business shares information with its partners. The company hosts a Windows SharePoint Services (WSS) site in their DMZ for the purposes of sharing revenue information with investment companies that sell their products. Prior to Active Directory Federation Services, these partners would be required to use a customer ID and password in order to access this data. For years, technology companies have been touting the ability to provide and use single sign-on (SSO) solutions. These worked great inside an organization, where you may have several different systems (Active Directory, IBM Tivoli, and Solaris), but tend to fail once you get outside the enterprise walls.

With AD FS, this company can federate their DMZ domain (or, their internal AD) with their partner Active Directory infrastructures. Now, rather than creating a username and password for employees at these partners, they can simply add the users (or groups) to the appropriate security groups in their own Active Directory (see Figure 1). It is also important to note that AD FS requires either Windows Server 2008 Enterprise edition or Datacenter edition.

Figure 1. The Active Directory Federation Services Structure

Configuring ADFS

In this exercise, we are going to create the account side of the ADFS structure. The resource is the other half of the ADFS configuration, which is the provider of the service that will be provided to an account domain. To put it in real-world terms, the resource would provide the extranet application to the partner company (the account domain).

Configuring Federation Services

Click Start | Administrative Tools | Server Manager.

Scroll down to Role Summary, and then click Add Roles.

When the Before You Begin page opens, click Next.

On the Select Server Roles page, select Active Directory Federation Services (see Figure 2) from the list and click Next.

Figure 2. Selecting the Role

Click Next on the Active Directory Federation Services page.

In the Select Role Services window, select Federation Service, and then click Next. If prompted, add the additional prerequisite applications.

Click Create A Self-Signed Certificate For SSL Encryption (Figure 3), and then click Next.

Figure 3. Creating a Self-Signed Token-Signing Certificate

Click Create A Self-Signed Token-Signing Certificate, and then click Next.

Click Next on the Select Trust Policy page.

If prompted, click Next on the Web Server (IIS) page.

If prompted, click Next on the Select Role Services page.

On the Confirm Installation Selections page, click Install.

When the installation is complete, click Close.

The next step in configuring AD FS is to configure IIS to require SSL certificates on the Federation server:

Choose Start | Administrative Tools | Internet Information Services (IIS) Manager.

Double-click the server name.

Drill down the left pane to the Default Web Site and double-click it.

Double-click SSL Settings and select Require SSL.

Go to Client Certificates and click Accept. Then, click Apply (Figure 4).

Figure 4. Requiring Client Certificates

Click Application Pools.

Right-click AD FS AppPool, and click Set Application Pool Defaults.

In the Identity pane (Figure 5), click LocalSystem, and then click OK.

Figure 5. Setting Application Pool Defaults

Click OK again.

Before we close IIS, we need to create a self-signed certificate. Double-click the server name again.

Double-click Server Certificates.

Click Create Self-Signed Certificate.

In the Specify Friendly Name field, enter the NetBIOS name of the server and click OK.

Next, we need to configure a resource for use with AD FS. In this case, we are going to use the same domain controller to double as a Web server. What we will be doing is installing the AD FS Web Agent, essentially adding an additional role to the server, as part of the AD FS architecture. This will allow us to use our federated services within a Web application.

Choose Start | Administrative Tools | Server Manager. Scroll down to Role Summary, and then click Add Roles.

When the Before You Begin page opens, click Active Directory Federation Services.

Scroll down to Role Services and click Add Role Services.

In the Select Role Services window, select Claims-aware Agent (Figure 6), and then click Next.

Figure 6. Setting Services

Confirm the installation selections (Figure 7), and then click Install.

Figure 7. Confirming the Installation

When installation is complete, click Close.

Now we need to configure the trust policy which would be responsible for federation with the resource domain.

Choose Start | Administrative Tools | Active Directory Federation Services.

Expand Federation Service by clicking the + symbol (see Figure 8).

Figure 8. AD FS MMC

Right-click Trust Policy, and then choose Properties.

Verify the information in Figure 9 matches your configuration (with the exception of the FQDN server name), and then click OK.

Figure 9. Trust Policies

When you return to the AD FS MMC, expand Trust Policy and open My Organization.

Right-click Organization Claims, and then click New | Organization Claim.

This is where you enter the information about the resource domain. A claim is a statement made by both partners and is used for authentication within applications. We will be using a Group Claim, which indicates membership in a group or role. Groups would generally follow business groups, such as accounting and IT.

Enter a claim name (we will use PrepGuide Claim). Verify that Group Claim is checked as well before clicking OK.

Create a new account store. Account stores are used by AD FS to log on users and extract claims for those users. AD FS supports two types of account stores: Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This makes it possible to provide AD FS for full Active Directory Domains and AD LDS domains.

Right-click Account Store and choose New | Account Store.

When the Welcome window opens, click Next.

Since we have a full AD DS in place, select Active Directory Domain Services (AD DS) from the Account Store Type window (Figure 10), and then click Next.

Figure 10. The Account Store Type Window

Click Next on the Enable This Account Store window.

Click Finish on the completion page.

Now, we need to add Active Directory groups into the Account Store.

Expand Account Stores.

Right-click Active Directory, and then click New | Group Claim Extraction.

In the Create A New Group Claim Extraction window (Figure 11), click Add and click Advanced.

Figure 11. The Create A New Group Claim Extraction Window

Click Object Types, remove the checkmarks from everything except Groups, and then click OK.

Click Find Now.

Select Domain Admins from the list of groups by double-clicking.

Click OK.

The Map To This Organization Claim field should show the claim we created earlier. Click OK to close the window.

Finally, we will work to create the partner information of our resource partner, which is

Expand Partner Organizations.

Right-click Resource Partners, and then select New | Resource Partner.

Click Next on the Welcome window.

We will not be importing a policy file, so click Next.

In the Resource Partner Details window (Figure 12), enter a friendly name for the partner, and the URI and URL information of the partner. Note it is identical to what we entered earlier in Figure 9. When the information is complete, click Next.

Figure 12. Resource Partner Details

Click Next on the Federation Scenario page. This is the default selection, which is used for two partners from different organizations when there’s no forest trust.

On the Resource Partner Identity Claims page, check UPN Claim and click Next. A UPN Claim is based on the domain name of your Active Directory structure. In our case, the UPN is

Set the UPN suffix. Verify that Replace All UPN Suffixes With The Following: is selected and then enter your server’s domain name. This is how all suffixes will be sent to the resource partner. Click Next.

Click Next to enable the partner.

Click Finish to close the wizard.

We’re almost at the end of our account partner configuration. The last thing we need to do is create an outgoing claim mapping. This is part of a claim set. On the resource side, we would create an identical incoming claim mapping.

Expand Resource Partners.

Right-click your resource partner, and then choose New | Outgoing Group Claim Mapping.

Select the claim we created earlier, enter PrepGuide Mapping, and then click OK.

As you can imagine, this process would be duplicated on the resource domain, with the exception that the outgoing claim mapping would be replaced with an incoming mapping.

  •  Active Directory Rights Management Service (RMS)
  •  Active Directory Lightweight Directory Service (LDS)
  •  Windows Server 2003 : Securing and Troubleshooting Authentication
  •  Windows Server 2003 : Managing User Profiles
  •  Windows Server 2003 : Creating Multiple User Objects
  •  Windows Server 2003 : Creating and Managing User Objects
  •  Understanding Application Domains
  •  Building and Deploying Applications for Windows Azure : Activating the Storage Account Account
  •  Deploying Applications to Windows Azure
  •  Building and Deploying Applications for Windows Azure : Creating a Demo Project
  •  Network Programming with Windows Sockets : Datagrams
  •  Network Programming with Windows Sockets : An Alternative Thread-Safe DLL Strategy
  •  Network Programming with Windows Sockets : A Thread-Safe DLL for Socket Messages
  •  Network Programming with Windows Sockets : In-Process Servers
  •  Network Programming with Windows Sockets : A Socket-Based Server with New Features
  •  Network Programming with Windows Sockets : A Socket-Based Client
  •  Network Programming with Windows Sockets : A Socket Message Receive Function
  •  Exchange Server 2010 : Operating Without Traditional Point-in-Time Backups
  •  Exchange Server 2010 : Performing Backup and Recovery for Mailbox Server Roles
  •  Exchange Server 2010 : Performing Backup and Recovery for Non-Mailbox Server Roles
    Top 10
    Fujifilm XF1 - The Stylish Shooter
    Nikon 1 V2 - Still Fast and Handles Better
    Asustor AS-604T 4-Bay NAS Review (Part 3)
    Asustor AS-604T 4-Bay NAS Review (Part 2)
    Asustor AS-604T 4-Bay NAS Review (Part 1)
    Toshiba Satellite U925t Review (Part 3)
    Toshiba Satellite U925t Review (Part 2)
    Toshiba Satellite U925t Review (Part 1)
    iBall Andi 4.5H - Pretty In White
    The HTC Butterfly - Full HD In 5 Inches Only
    Most View
    New Products For March 2013 (Part 1)
    Speed up Linux (Part 3) - Enjoy better swappiness, The four-line speed boost
    PC Specialist Optimus IV - Balance Of Power
    Windows Vista : Performing Local PC Administration (part 2) - Performing common workstation administration tasks
    Some Cool Apps From Various Flatforms To Make Your Life Easy
    Mobile Application Security : BlackBerry Security - Development and Security Testing
    OS X Mountain Lion - Bringing iOS features “back to the Mac” (Part 1)
    Using MySQL Enterprise (part 1) - Installation & Fixing Monitoring Agent Problems
    iPhone 3D Programming : Adding Depth and Realism - Surface Normals (part 1)
    Acer Aspire S3-391 Ultrabook - Cheap Ultrabook With Attractive Features
    Adding the Android CSS
    Motu Machfive 3.0.2 : Stonking samples
    Home Theatre Pc Software And Operating Systems (Part 7) - Playing Back Blu-rays
    Microsoft SQL Server 2005 : Report Definition and Design (part 2) - Business Intelligence Development Studio
    IIS 7.0 : Performance and Tuning - Processor
    How To Transfer Data From SSD To HDD
    Internet Remote Desktop
    Leveraging and Optimizing Search in SharePoint 2010 : Customizing the FAST Search User Interface
    iPhone Application Development : Creating and Managing Image Animations and Sliders (part 3) - Finishing the Interface
    Some Of The Biggest Brands In The World Had Their Products (Part 4) - Huawei Ascend P1, Sony Xperia Neo L