2. Deploying Active Directory Federation Services
Deploying ADFS can vary depending on what your solution requires. In this section, we will discuss the general steps to setting up ADFS to support an extranet SSO configuration for an organization's employees. Users will have accounts in the internal AD forest, while the application will reside in a forest in the perimeter network. In this example, we will set up ADFS roles on existing DCs that reside in separate AD forests. Note that in production deployments, it is highly recommended not to colocate ADFS roles on DCs. An extranet forest is set up in the perimeter network to support a Web-based application, while company employees have accounts in an internal AD forest and need SSO capabilities to the extranet application. Figure 2 depicts the deployment we will be using in this example.
Notes from the field
Both SharePoint Server 2007 and SharePoint Server 2010 are claims-aware applications and thus support ADFS for authentication.
To set up ADFS, we will need to complete the following tasks:
- Set up the ADFS role for the internal and external AD forests.
- Install the Web agent for the claims-aware Web application.
- Configure ADFS certificates.
- Complete the ADFS server configuration.
In the following sections, we will walk through the process to complete each of the aforementioned tasks to deploy ADFS.
2.1 Set up the ADFS role for the internal and external Active Directory forests
The first task we need to complete is to install the ADFS role on each of our ADFS servers. The ADFS servers will need to be able to communicate with each other over port 443 (https). In our example, we will be installing the ADFS role on our existing DCs. Keep in mind that this is not recommended for production deployments for security and management purposes. To install ADFS on each of the DCs, perform the following tasks:
- Open Server Manager.
- Select the Roles node and then click the Add Roles link in the middle pane.
- Select the Active Directory Federation Services role and then click Next.
- On the Introduction page, click Next.
- Select the Federation Service on the Add Role Services page (see Figure 3), then click Next. If prompted, choose to Add Required Role Services.
- We now need to choose a server authentication certificate. In a production deployment, you will want to request a certificate from an internal CA or a third-party certificate provider. For our example, we will choose to use a self-signed certificate. Note that using a self-signed certificate will require that all clients import the certificate into their certificate trust list. Select the option to create a self-signed certificate (see Figure 4) and then click Next.
- You now need to select the token-signing certificate. This is the certificate that the ADFS server will use to sign tokens, allowing clients and servers to verify the origin and integrity of a token. Again, in a production scenario, you will want to use a certificate issued by a CA; however, for this example, we will again choose to use a self-signed certificate. Select the self-signed certificate option and then click Next.
- You now must select whether to create a new trust policy or use an existing policy. Since this is a new deployment of ADFS, you will need to select the option to Create a new trust policy. The trust policy defines how other ADFS servers can authenticate or access resources in the environment. The trust policy is what restricts or allows communications over ADFS. After selecting to create a new policy, click Next.
- You will notice that IIS is one of the required roles added for the installation of ADFS. Click Next through the IIS section, accepting the default role services.
- Click Install on the confirmation page.
- After the installation completes, click Close.
Remember, you will need to add the ADFS role to both of the ADFS servers using the aforementioned steps. After adding the ADFS role to both servers, you will need to configure each server to require SSL communications and accept client certificates. Again, you will need to perform the following tasks on both of the ADFS servers:
- Open Server Manager.
- Select the node Roles | Web Server (IIS) | Internet Information Services (IIS) Manager.
- Select the Default Web Site node and then open the SSL Settings option as seen in Figure 5.
- Select the options to Require SSL and Accept client certificates (see Figure 6). Then click Apply.
After configuring the SSL settings, you will need to install the ADFS Web agent on the ADFS application server and configure certificate settings so that the Web server will trust the server authentication certificate from the extranet ADFS server (dc2.extranet.syngress.net).
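The steps above are all performed in the GUI, which makes it easy to miss one of them on the second server. The following PowerShell script is an added example, not part of the book or of the ADFS product, that checks the three requirements this section states for each server: TCP 443 reachability to the peer ADFS server, the IIS sslFlags that correspond to Require SSL plus Accept client certificates (Figure 6), and the presence of the extranet ADFS server's self-signed certificate in the local Trusted Root store. The site name "Default Web Site" and the certificate file path C:\temp\dc2-ssl.cer are assumptions; dc2.extranet.syngress.net is the extranet ADFS server named in the text. It uses only appcmd.exe, certutil.exe and .NET classes that ship with Windows Server 2008, so it does not need the later WebAdministration module.

```powershell
# Added example (not from the book): post-install checks for one ADFS server.
# Run in an elevated PowerShell session on each ADFS server.
param(
    [string]$PeerAdfsServer = "dc2.extranet.syngress.net",  # ADFS server in the other forest (from the text)
    [string]$SiteName       = "Default Web Site",           # assumed: site the ADFS role was installed into
    [string]$PeerCertFile   = "C:\temp\dc2-ssl.cer"         # assumed: exported self-signed server cert of the peer
)

$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

# 1. The two ADFS servers must reach each other on TCP 443 (https).
function Test-Tcp443 {
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }  # 3 s timeout
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 2. "Require SSL" + "Accept client certificates" in IIS Manager is the sslFlags
#    attribute "Ssl, SslNegotiateCert" on the site's <access> element.
function Get-SslFlags {
    param([string]$Site)
    $xml = & $appcmd list config "$Site" /section:system.webServer/security/access
    if (($xml -join "`n") -match 'sslFlags="([^"]*)"') { return $Matches[1] }
    return "None"   # attribute absent means the IIS default (no SSL requirement)
}
function Set-SslFlags {
    param([string]$Site)
    & $appcmd set config "$Site" /section:system.webServer/security/access `
        /sslFlags:"Ssl,SslNegotiateCert" /commit:APPHOST | Out-Null
}

# 3. A self-signed server authentication certificate is only accepted by machines
#    that hold it in their Trusted Root store, so the peer's certificate must be
#    imported there (the text's "certificate trust list").
function Test-PeerCertTrusted {
    param([string]$PeerName)
    $hits = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$PeerName*" }
    return ($hits | Measure-Object).Count -gt 0
}
function Import-PeerCert {
    param([string]$CerPath)
    & certutil.exe -addstore -f Root "$CerPath" | Out-Null
}

# --- run the checks and fix what the section says must be set -------------------
if (-not (Test-Tcp443 $PeerAdfsServer)) {
    Write-Warning "Cannot reach $PeerAdfsServer on TCP 443; check the firewall between the forests."
}

$flags = Get-SslFlags $SiteName
# \bSsl\b avoids matching the "Ssl" prefix of SslNegotiateCert.
if ($flags -notmatch '\bSsl\b' -or $flags -notmatch 'SslNegotiateCert') {
    Write-Host "sslFlags on '$SiteName' is '$flags'; setting Require SSL + Accept client certificates."
    Set-SslFlags $SiteName
}
Write-Host "sslFlags on '$SiteName' is now '$(Get-SslFlags $SiteName)'"

if (-not (Test-PeerCertTrusted $PeerAdfsServer)) {
    if (Test-Path $PeerCertFile) {
        Import-PeerCert $PeerCertFile
        Write-Host "Imported $PeerCertFile into LocalMachine\Root"
    } else {
        Write-Warning "No trusted certificate for $PeerAdfsServer and $PeerCertFile was not found; export it from the peer first."
    }
}
```

The sslFlags check is deliberately split into two matches: SslNegotiateCert alone leaves the site reachable over plain HTTP, which is not what the Require SSL checkbox produces. If you later replace the self-signed certificate with one from a CA, as the text recommends for production, the Trusted Root import step becomes unnecessary and the certificate can be removed from that store.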