HOW TO SET UP THE AD FS 2.0 VM LAB ENVIRONMENT FOR FEDERATED COLLABORATION
Microsoft Corporation
Published: May 2010
Version: 1.0
Authors: Brad Mahugh, Tariq Sharif
Editor: Jim Becker
Abstract
This guide walks you through the setup of a small test lab environment that you can use to
evaluate the next generation of Microsoft® federated identity technologies, Active Directory®
Federation Services (AD FS) version 2.0. This document is intended for information technology
(IT) professionals and application developers who want to create a lab environment specifically
for use with the Federated Document Collaboration Using Microsoft
Office SharePoint® Server 2007 and AD FS 2.0 guide, which demonstrates the implementation
and evaluation of an end-to-end, claims-based, identity federation solution. The instructions in
this guide should take approximately four hours to complete.
Contents
How to set up the AD FS 2.0 VM lab environment for federated collaboration
  About this guide
    What this guide does not provide
    Requirements
    About the lab environment
  Step 3: Reconfigure the IP and DNS settings for all VMs
    Create a new virtual network
    Configure static IP and DNS settings for each VM
    Change the names of the computers
  Step 5: Install and Configure IIS, Certificates, and Group Policy
    Disable Internet Explorer Enhanced Security Configuration
    Configure Group Policy
      Push Internet Explorer settings to computers in the Contoso domain
      Push Internet Explorer settings to computers in the Fabrikam domain
      Refresh Group Policy
    Configure certificates
      Install AD CS
      Disable CRL Extension
      Configure certificate templates
      Create a shared certificate for AD RMS and AD FS 2.0 on ContosoSrv01
      Create a certificate for AD FS 2.0 on Fabrikam.com
      Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate
    Export and import Root CA certificates
      Export both Root CA certificates
      Import both Root CA certificates
      Refresh Group Policy
    Install and configure AD RMS as a root cluster
    Install SQL Server 2008 Standard SP1
    Create the HOL Doctors Role database on ContosoSrv01
  Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and
other Internet Web site references, is subject to change without notice. The entire risk of the
use or the results from the use of this document remains with the user. Unless otherwise noted,
the example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility
of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,
Windows Server, and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
Federated Document Collaboration with Microsoft Office SharePoint Server 2007 and AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=148503).
While you can download VM images that are preconfigured for trial use, this guide assists you if
you choose to make the images yourself. The overall goal of this guide is to give you a good
understanding of the base configuration requirements necessary to deploy and enable
federated identity technologies in your environment.
To maximize your chances of completing the objectives of this guide successfully, it is important
that you do all of the following:
Complete the steps in this guide in the order in which they are presented.
Use the exact computer, user, group, company, claim, and domain names that this guide
specifies.
Important
Any modifications that you make to the configuration details in this guide may affect or
limit your chances of setting up this lab successfully on the first try.
Note
Microsoft has tested this guide successfully with the Windows Server 2008 Hyper-V™
virtualization technology product.
Instructions for setting up the test lab computer (Hardware and software requirements are
listed in the following section, however.)
Instructions for making your own base virtual hard drive (.vhd) images.
Requirements
To complete all the steps in this guide, you must have a virtual test lab computer where you can
configure four virtual machines (VMs) running the following operating systems:
Windows Server 2008 R2 Enterprise for the four virtual servers.
Your virtual test lab computer must be able to meet the minimum requirements in the following
table.
Processor: 64-bit quad core with 2.0 gigahertz (GHz) or higher CPU speed
Additional software: The following server role must be added: Microsoft® Hyper-V
Administrative credentials
To perform all the tasks in this guide, use the local Administrator account for each computer,
unless instructed otherwise. To create accounts in Active Directory Domain Services (AD DS), log
on with the Administrator account for the domain. For example, when you create user accounts
for Contoso Pharmaceuticals, use the CONTOSO\Administrator account.
Step 1: Create and configure VMs using Hyper-V Manager. This step demonstrates the information technology (IT) pro experience for creating a virtual test lab environment for the purpose of evaluating federated identity technologies.
Step 2: Download prerequisite software. This step provides details about the software dependencies and applications that are required for updating each of the virtual servers and the virtual client so that you can use them to support the AD FS 2.0 test lab environment that you will need to emulate a business-to-business (B2B) federated identity configuration.
Step 3: Reconfigure the IP and DNS settings for all VMs. This step demonstrates the network changes involved in reconfiguring network settings for the VMs to move from VM setup to the settings that are required for the private network that you will need for the virtual test lab.
Step 4: Install and configure Active Directory Domain Services (AD DS). This step demonstrates the underlying configuration requirements for installing and configuring AD DS to be used by two separate companies that are involved in a B2B scenario.
Step 5: Install and configure IIS, certificates, and Group Policy. This step demonstrates the underlying configuration requirements for installing and configuring Internet Information Services (IIS), Active Directory Certificate Services (AD CS), and Group Policy for both of the companies involved in a B2B scenario.
Step 6: Install and configure the SharePoint Site on ContosoSrv02. This step demonstrates the underlying configuration requirements for installing and configuring Microsoft Office SharePoint Server® 2007 for document collaboration needs in a B2B scenario.
Step 7: Install and configure Windows claims-based identity software. This step demonstrates the underlying configuration requirements for installing and configuring AD FS 2.0 and related technologies for federation service in both of the companies involved in a B2B scenario.
Before you proceed to the next step, make a folder (for example, D:\LabVhdFiles) that you will
use for the remainder of this step, and copy your base .vhd files to it. Ensure that the Read-only
attribute is set for each file.
Tip
If you do not already have clean-installed Windows Server 2008 R2 virtual hard drive
images, you can download and use the base evaluation .vhd files to build the base VMs
for this lab. The files are available on the Microsoft Web site at Windows Server 2008 R2
Virtual Hard Drive Images (http://go.microsoft.com/fwlink/?LinkId=179734).
1. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click
Hyper-V Manager.
2. On the Action menu, point to New, and then click Hard Disk.
3. When the New Virtual Hard Disk Wizard appears, click Next.
4. On the Choose Disk Type page, click Differencing, and then click Next.
5. On the Specify Name and Location page, do the following, and then click Next:
b. In Location, browse to the location where you copied the base .vhd images for the
virtual server or client differencing disk drive in the previous section. For example, if
the path you used there was D:\LabVhdFiles, select that path here.
6. On the Configure Disk page, in Location, click Browse to locate the appropriate base
.vhd image in the path that was used in the previous step, and then click Next.
For example, if you are creating a virtual hard drive for CONTOSOSRV01 and also using
the downloaded base .vhd image, follow the instructions provided in the download page
here: Windows Server 2008 R2 Evaluation Virtual Hard Drive Images for Hyper-V (180 Days)
(http://go.microsoft.com/fwlink/?LinkId=179736).
7. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
8. Repeat this procedure three more times to make differencing drives for all four VMs
before moving on to the next part of the process.
For example, after you run this procedure the first time to make a drive for
CONTOSOSRV01, repeat the process and create drives for the other three VMs that you
will use in the lab environment. Be sure to select the corresponding base .vhd file for
each of the other two server VMs and the client VM.
VM name       RAM (MB)
CONTOSOSRV01  1536
FABRIKAMSRV01 1536
CONTOSOSRV02  1536
FABRIKAMSRV02 1536
1. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click
Hyper-V Manager.
2. On the Action menu, point to New, and then click Virtual Machine.
4. On the Specify Name and Location page, do the following, and then click Next.
a. In Name, type the name of the VM that you are creating. For example, start with
"CONTOSOSRV01".
5. On the Assign Memory page, in Memory, enter the corresponding number from the
RAM column (in MB) as provided in the previous table for the VM that you are creating,
and then click Next.
6. On the Configure Networking page, in Connection, select the network connection that
maps to a physical network adapter that has access to the Internet, and then click Next.
7. On the Connect Virtual Hard Disk page, click Use an existing hard disk, and then click
Browse to locate the differencing disk image file (CONTOSOSRV01.vhd) that you created
in the previous procedure, and then click Next.
8. On the Completing the New Virtual Machine Wizard page, select the Start the virtual
machine after it is created check box, and then click Finish.
9. Repeat this procedure three more times to make all four VMs before moving on to the
next part of the process.
After you complete these steps, you should be able to verify that you can log on to each
VM with the local Administrator account and then verify that you have Internet access
before moving on to the following steps. Before you create and start each subsequent
VM, be sure that the previously created VM is up and running.
Important
Before you reconfigure your VMs in subsequent steps of this guide, we recommend
that you first do the following for each VM while it has Internet connectivity:
For consistency with later hands-on lab instructions, set the Administrator password
to "demo!23" on all the VMs.
Make sure that you have downloaded all corresponding prerequisite software that
is mentioned in the following section (Step 2) to the appropriate VM computers.
Make sure to turn on Network discovery and File sharing in the Network and
Sharing Center Control Panel on each of the Windows Server 2008 VMs.
Make sure that all the clocks on each of the VM computers are set to the same time
or within five minutes of each other. This ensures that token time stamps are always
valid.
Required software: Microsoft SQL Server 2008 Standard with Management Studio
Action: Download only to contososrv01.
Description: This software is required. It acts as the policy store for each federation server.
Note
Accept all the default settings in the installation wizard.
Link to download the software: Microsoft SQL Server 2008 Evaluation (180 day trial)
(http://go.microsoft.com/fwlink/?LinkId=179740)

Required software: Windows Identity Framework (WIF), WIF SDK and SharePoint Configure Package
Action: Download only to contososrv02.
Description: This software is required to configure SharePoint for federation and enable it to
provide claims-aware access.
Link to download the software: Windows Identity Framework
(http://go.microsoft.com/fwlink/?LinkID=179831)

Required software: Office SharePoint Server 2007 SP1
Action: Download only to the contososrv02 server computer.
Description: This software creates the SharePoint site that will be used to implement
collaboration between Contoso and Fabrikam. For product IDs to use in trial activation of this
product, see Microsoft Office SharePoint Server 2007 Trial Version (x64)
(http://go.microsoft.com/fwlink/?LinkID=150950).
Link to download the software: Microsoft Office SharePoint Server 2007 (trial version)
(http://go.microsoft.com/fwlink/?LinkId=150948)

Required software: Support files for the Federated Document Collaboration Lab Setup
Action: Download and install on all VM computers.
Description: This software contains files that are used to assist in completing various
hands-on lab tasks throughout the feature walkthrough.
Link to download the software: Support Files for Federated Document Collaboration
(http://go.microsoft.com/fwlink/?LinkId=179894)
1. To open Hyper-V Manager, on the Start menu, point to Administrative Tools, and
then click Hyper-V Manager.
2. In Hyper-V Manager, on the Action menu, click Virtual Network Manager.
3. In Virtual Network Manager, click Internal for the type of virtual network that you want
to create, and then click Add.
4. In New Virtual Network, in Name type Internal-Network, verify that for Type the
Internal network option is selected, and then click OK.
Note that the network name is case sensitive and it should be entered exactly as
indicated above. All four VMs will have to use this network, which will be a "local only"
interface. All four VM images should already be IP configured as described in the
following procedure.
3. In the Settings dialog box, under the Hardware settings, click Network Adapter.
4. In the Network Adapter settings, click the Network drop-down list, and then click
Internal-Network.
5. Click OK.
The following table provides the details of how these settings must be configured for each VM.
CONTOSOSRV01 CONTOSOSRV01
CONTOSOSRV02 CONTOSOSRV02
FABRIKAMSRV01 FABRIKAMSRV01
FABRIKAMSRV02 FABRIKAMSRV02
Step 4: Install and configure AD DS
In this step, we install AD DS and configure a single-domain forest for each of the two companies
(Contoso Pharmaceuticals and Fabrikam).
Install AD DS
Create accounts
Install AD DS
You can use the Add Roles Wizard to create two new Active Directory forests on both the
federation server VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard
pages, use the company names and AD DS domain names in the following table.
Note
AD FS 2.0 has no dependency on forest functional level. When you install AD DS, you can
select any forest functional level that is appropriate for your environment.
To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and
then, in the right pane, click Add Roles.
Important
Configure the IP addresses as specified in the table in the Configure static IP and DNS
settings for each VM section of this guide before you attempt to install AD DS. This helps
ensure that DNS records are configured appropriately.
If you need assistance in creating a new Windows Server 2008-based AD DS forest, see Installing
a New Forest (http://go.microsoft.com/fwlink/?LinkId=101704).
Computer       Domain
CONTOSOSRV02   contoso.com
FABRIKAMSRV02  fabrikam.com
For more information about how to do this, see Join a Computer to a Domain
(http://go.microsoft.com/fwlink/?LinkID=150213).
Create accounts
After you set up two forests, log on as the Administrator for each domain and start the
Active Directory Users and Computers snap-in on both domain controllers (both contososrv01
and fabrikamsrv01) to create several accounts that you will use to test and verify federated
access across both forests.
For more information about how to create accounts in AD DS, see Create a New User Account
(http://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group
(http://go.microsoft.com/fwlink/?LinkID=133523).
For more information about how to add a user to a group in AD DS, see Add a Member to a Group
(http://go.microsoft.com/fwlink/?LinkID=133522).
Create accounts in the Contoso domain
Create and configure the accounts with the values in the following table at CONTOSOSRV01 for
the Contoso.local domain. When you create the accounts, clear the User must change password
upon login check box.
Note: In addition to creating new accounts, set the email address for the Administrator account
to "administrator@contoso.com".
Create: Security group - Global
Account name: DrugTrial1Admins
User name: N/A
Action: Add danielw as a member of this group.
Create accounts in the Fabrikam domain
Create and configure the account values in the following table at FABRIKAMSRV01 for the
Fabrikam domain. In addition to creating new accounts, set the e-mail address for the
Administrator account to "administrator@fabrikam.com".
Create: Security group - Global
Account name: DrugTrial1Auditors
User name: N/A
Action: Add frankm as a member of this group.
1. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Add new host (A) resource records as described in the following section to the Forward
Lookup Zone for contoso.com.
1. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Add new host (A) resource records as described in the following section to the Forward
Lookup Zone for fabrikam.com.
To install IIS
4. On the Select Server Roles page, select the Web Server (IIS) check box, and then click
Next twice.
6. In the Add role services required for ASP.NET? dialog box, click Add Required Role
Services.
7. On the same page, select the Windows Authentication and IIS 6 Metabase
Compatibility check boxes.
9. Click Install to begin installing IIS with the options that appear on the page.
When the setup process is complete on all servers in the lab, proceed to the next step.
To disable ESC
3. In the console tree, select the top-level (Server Manager) node, and then in the details
pane click Configure IE ESC.
4. In the Configure IE ESC dialog box, click Off for both administrators and users, and then
click OK.
Configure Group Policy
Use the following procedures to configure Group Policy to push important browser-specific
settings to client computers. This section includes procedures for pushing Internet Explorer
settings to the computers in both the Contoso and Fabrikam domains.
Configure certificates
Now that you have configured Group Policy to distribute certificates for the users in the
contoso.com and fabrikam.com domains, use the following procedures to create the user and
computer certificate templates.
Install AD CS
Install AD CS
Use the following procedure to install Active Directory Certificate Services (AD CS) on the
contososrv01 and fabrikamsrv01 VM computers.
To install AD CS
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check
box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority and Certification
Authority Web Enrollment check boxes.
6. In the Add role services required for Certification Authority Web Enrollment dialog
box, click Add Required Role Services, and then click Next.
7. On the Specify Setup Type page, click Enterprise, and then click Next.
8. On the Specify CA Type page, click Root CA, and then click Next.
9. On the Set Up Private Key page, click Create a new private key, and then click Next.
10. On the Configure Cryptography for CA page, click Next to accept the default settings.
11. On the Configure CA Name page, click Next to accept the default settings.
12. On the Set Validity Period page, accept the default validity period, and then click Next.
13. On the Configure Certificate Database page, accept the default values, and then click
Next.
15. On the Select Role Services page, select the CGI, Client Certificate Mapping
Authentication, IIS Client Certificate Mapping Authentication, and URL Authorization
check boxes, and then click Next.
16. Verify the information on the Confirmation page, and then click Install.
17. Review the information on the confirmation screen to verify that the installation was
successful.
2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and
then click Add/Remove Snap-in.
4. In the console tree, click Certificate Templates. All the certificate templates appear in
the details pane.
5. In the details pane, right-click the Web Server template, and then click Properties.
If the Security tab does not appear (you will need it in the next step), you might have to
reopen this properties page by clicking the Manage link in the Actions pane.
6. On the Security tab, click Add. In Enter the object names to select, type Domain
Computers, and then click OK.
7. In Permissions for Domain Computers, under Allow, select the Read and Enroll check
boxes, and then click OK.
8. On the Security tab, click Add. In the Enter object names to select, type Domain
Controllers, and then click OK.
9. In Permissions for Domain Controllers, under Allow, select the Read and Enroll check
boxes, and then click OK.
10. Close the console, and open the command prompt window (click Start, click Run, type
cmd, and then click OK), and type the following two commands to restart AD CS:
2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative
Tools, and then click Internet Information Services (IIS) Manager.
5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard
opens.
6. On the Distinguished Name Properties page of the wizard, enter the settings from the
following table, and then click Next.
Organizational unit: IT
City/Locality: Redmond
State/Province: WA
Country/Region: US
Note
The Select button will be enabled only if a CA is correctly configured and exists on
the domain.
8. Select the certification authority (CA) that appears in the list, and then click OK.
Note
You must provide a friendly name for the certificate.
2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative
Tools, and then click Internet Information Services (IIS) Manager.
5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard
opens.
6. On the Distinguished Name Properties page of the wizard, enter the settings from the
following table, and then click Next.
Organizational unit: IT
City/Locality: Redmond
State/Province: WA
Country/Region: US
Note
The Select button will be enabled only if a CA is correctly configured and exists on
the domain.
8. Select the CA that appears in the list, and then click OK.
Note
You must provide a friendly name for the certificate.
Configure the Default Web Site on FabrikamSrv01 with the new server
authentication certificate
Each security token service (STS) requires a server authentication certificate (also known as a
Secure Sockets Layer (SSL) certificate) to be bound to the Default Web Site before you can use
AD FS 2.0. The Web server also requires this certificate.
To configure the Default Web Site on FabrikamSrv01 with the new server authentication
certificate
2. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
3. In the console tree, double-click FABRIKAMSRV01, double-click Sites, click Default Web
Site, and then in the Actions pane, click Bindings.
4. On the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, under Type click https, under SSL certificate, select
sts2.fabrikam.com Certificate in the list, click OK, and then click Close.
6. In the details pane, double-click SSL Settings. Under Client certificates, verify that the
Ignore option is selected, and then click Apply.
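As an added example (not part of the Microsoft guide), the following PowerShell script performs the same binding from a console on FABRIKAMSRV01 and verifies what the procedure relies on: that the certificate named sts2.fabrikam.com Certificate has a private key and the Server Authentication purpose, that an https binding exists on port 443, and that client certificates are ignored. It assumes the WebAdministration module that ships with IIS 7.5; the site and friendly names come from the guide, and the host name sts2.fabrikam.com is assumed from the friendly name.

```powershell
# Added example, not from the Microsoft guide: bind the server authentication
# certificate to the Default Web Site on FABRIKAMSRV01 and verify the result.
# Assumes IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module.
Import-Module WebAdministration

$siteName     = 'Default Web Site'
$friendlyName = 'sts2.fabrikam.com Certificate'   # friendly name given in the guide
$stsHostName  = 'sts2.fabrikam.com'               # assumed from the friendly name

# 1. Find exactly one certificate with that friendly name in the machine Personal store.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($certs.Count -ne 1) {
    throw "Expected one certificate named '$friendlyName' in LocalMachine\My, found $($certs.Count)."
}
$cert = $certs[0]

# 2. An STS certificate is useless without its private key, and it must be issued
#    for Server Authentication (OID 1.3.6.1.5.5.7.3.1) or browsers will reject it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this computer."
}
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $hasServerAuth) {
    throw "Certificate $($cert.Thumbprint) does not carry the Server Authentication purpose."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if ($cert.Subject -notmatch "CN=$([regex]::Escape($stsHostName))") {
    Write-Warning "Subject '$($cert.Subject)' does not name $stsHostName; clients will see a name mismatch."
}

# 3. Create the https binding on port 443 if the site does not have one yet.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}

# 4. Attach the certificate to the binding; this replaces any certificate already on 0.0.0.0:443.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 5. Mirror the "Client certificates: Ignore" check. If sslFlags contains SslNegotiateCert
#    or SslRequireCert, IIS will ask browsers for a client certificate, which the guide does not want.
$raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags
$sslFlags = if ($raw -is [string]) { $raw } else { $raw.Value }
if ("$sslFlags" -match 'SslNegotiateCert|SslRequireCert') {
    throw "Client certificates are not set to Ignore on '$siteName' (sslFlags = $sslFlags)."
}

# 6. Show what is now bound, so the thumbprint can be compared with the certificate store.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName
```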
2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and
then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available
snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this
console is running on) is selected, and then click Finish.
7. In the console tree, expand Certificates (Local Computer), and then double-click
Personal.
10. On the Export Private Key page, click No, do not export the private key, and then click
Next.
11. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click
Next.
12. On the File to Export page, type c:\users\public\ContosoCA.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove
Snap-ins dialog box opens.
4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor,
and then click OK. The Group Policy Wizard opens.
5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object
dialog box opens.
6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and
then click OK.
7. Click Finish, and then click OK.
8. Double-click Default Domain Policy. In the console tree, expand the following path:
Computer Configuration, Policies, Windows Settings, Security Settings, Public Key
Policies, Trusted Root Certification Authorities.
10. On the Welcome to the Certificate Import Wizard page, click Next.
12. On the Certificate Store page, select Place all certificates in the following store and
verify that it is pointed to the Trusted Root Certification Authorities store, and then
click Next.
13. On the Completing the Certificate Import Wizard page, click Finish, and then click
Finish.
2. At the command prompt, type gpupdate /force, and then press ENTER.
To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager,
and then in the right pane click Add Roles.
Note
AD RMS creates new groups in AD DS. Therefore, you should install AD RMS after the
AD DS role is fully installed and configured. Also, select the Add Required Role Services
option during role installation.
Complete the Add AD RMS Role Wizard using the information in the following table.
Select Configuration Database: select Use Windows Internal Database on this server.
Specify Service Account: in Domain User Account, click Specify, and then select the
CONTOSO\adrmssrvc account.
Note
If the password does not validate when it is applied, ensure that the adrmssrvc account is a
member of the CONTOSO\Domain Admins group.
Configure AD RMS Cluster Key Storage: select Use AD RMS centrally managed key storage.
Register AD RMS Service Connection Point: select Register the AD RMS service connection point
now.
Web Server (IIS): accept the default options for the role, and then click Next.
Note
After the AD RMS role is added, you must log off and log on again before you can administer
the AD RMS role.
2. Locate the Setup.exe installer that you downloaded to the contososrv01 computer,
and then double-click it.
4. On the Installation page, click New SQL Server stand-alone installation or add
features to an existing installation.
5. Continue the installation. Accept the defaults for all installation options.
When you install SQL Server 2008 Standard SP1, in the SQL Server 2008 Setup Wizard use
default choices, except for the following specific configuration changes to support the AD FS 2.0
virtual lab environment:
On the Feature Selection page, select the Database Engine Services and Management
Tools - Basic check boxes as your installed feature options.
On the Server Configuration page, on the Service Account tab, for Account name, select
NT AUTHORITY\SYSTEM as the account to be used.
On the Database Engine Configuration page, on the Account Provisioning tab, where it
lists Specify SQL Server Administrators, click Add Current User, click Add, and then
browse and add the user account (adfssrv) that you created.
2. Start SQL Server Management Studio by clicking Start, All Programs, Microsoft SQL
Server 2008, and then SQL Server Management Studio.
3. In the dialog box that appears, type ContosoSrv01 for the server name.
4. Use the SQL script (HOL_Doctors_DB.sql) included with the support files for this lab setup.
Open it using the Microsoft SQL Server Management Studio by clicking File, Open, and then
selecting File.
Note
This document is part of the support files download for this lab setup. For more
information see the table in Step 2: Download and install prerequisite software.
5. Select the file HOL_Doctors_DB.sql in the directory where it is saved.
6. To run the script, click Execute. This should create the necessary database and associated
tables.
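The same database setup can be driven from the command line, which is useful when the lab is rebuilt more than once. The following PowerShell script is an added example and is not part of the Microsoft lab guide or its support files: it runs HOL_Doctors_DB.sql against the ContosoSrv01 instance with sqlcmd.exe (installed with Management Tools - Basic) and then checks the result, including who holds the sysadmin role after the Account Provisioning step. The path C:\LabFiles and the database name placeholder in $dbName are assumptions; the page does not give the name the script creates.

```powershell
# Added example, not from the lab guide: run HOL_Doctors_DB.sql with sqlcmd.exe
# and verify the outcome instead of clicking Execute in Management Studio.
# Assumptions: sqlcmd.exe is on the PATH, the script sits in C:\LabFiles, and
# $dbName is filled in from the CREATE DATABASE line of the script (placeholder).

$server   = 'ContosoSrv01'
$sqlFile  = 'C:\LabFiles\HOL_Doctors_DB.sql'
$dbName   = '<database name from the CREATE DATABASE line in HOL_Doctors_DB.sql>'
$adfsUser = 'CONTOSO\adfssrv'    # account added on the Account Provisioning page

function Invoke-SqlQuery([string]$Query) {
    # Trusted connection (-E); -b turns T-SQL errors into a non-zero exit code;
    # -h -1 and -W strip headers and padding so bare values come back.
    $rows = sqlcmd -S $server -E -b -h -1 -W -Q "SET NOCOUNT ON; $Query"
    if ($LASTEXITCODE -ne 0) { throw "query failed ($LASTEXITCODE): $Query" }
    $rows | Where-Object { $_ -ne '' }
}

# 1. Run the support-file script as one batch.
sqlcmd -S $server -E -b -i $sqlFile
if ($LASTEXITCODE -ne 0) { throw "HOL_Doctors_DB.sql failed with exit code $LASTEXITCODE" }

# 2. Did the database and its tables get created?
$tableCount = Invoke-SqlQuery "SELECT COUNT(*) FROM [$dbName].sys.tables"
"$dbName now has $tableCount user table(s)"

# 3. Review who holds sysadmin. The setup wizard grants it to the installing
#    user and to adfssrv; any other name on this list should be explained
#    before the instance is used by the federation lab.
Invoke-SqlQuery "SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1"

$isAdmin = Invoke-SqlQuery "SELECT IS_SRVROLEMEMBER('sysadmin', '$adfsUser')"
if ("$isAdmin" -ne '1') {
    Write-Warning "$adfsUser is not a sysadmin; the Account Provisioning step did not take"
}
```

Run it in an elevated PowerShell session as the user who installed SQL Server, since that is the login the wizard provisioned as an administrator.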
2. On the Start menu, click Administrative Tools, and then click Internet Information
Services (IIS) Manager.
3. Click the name of the server in the Connections column, and then double-click
Server Certificates.
5. Enter all the following information about your company and the domain that you
are securing, and then click Next.
   Organizational Unit   IT
   City/Locality         Redmond
   State/Province        WA
   Country/Region        US
6. Under Specify Online Certificate Authority, click Select, and then click Contoso-CONTOSOSRV01-CA.
Note
The Select button is enabled only if a CA is correctly configured and exists on the
domain.
7. Under Friendly name, type docs.contoso.com Certificate, and then click Finish.
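The same certificate can be requested without the IIS Manager wizard, which makes the request policy (key size, exportability, template) explicit and reviewable. The following PowerShell script is an added example and is not from the lab guide: it writes a certreq INF file with the subject fields from the table above, submits the request to the Contoso-CONTOSOSRV01-CA enterprise CA, installs the issued certificate under the friendly name the guide uses, and verifies that the certificate landed in the machine store with its private key. Assumptions not stated on the page: the CA is reachable as contososrv01.contoso.com, it publishes the built-in WebServer template, and the common name is docs.contoso.com (the host header the SharePoint site uses later).

```powershell
# Added example, not from the Microsoft lab guide: request the docs.contoso.com
# web server certificate from the lab CA with certreq.exe, then verify it.
# Assumptions: CA host contososrv01.contoso.com, WebServer template published,
# common name docs.contoso.com.

$subject  = 'CN=docs.contoso.com, OU=IT, L=Redmond, S=WA, C=US'
$caConfig = 'contososrv01.contoso.com\Contoso-CONTOSOSRV01-CA'
$workDir  = Join-Path $env:TEMP 'docs-cert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request policy: 2048-bit RSA, key generated in the machine store and marked
# non-exportable so a copied backup of the web server cannot carry the private key.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "{SUBJECT}"
FriendlyName = "docs.contoso.com Certificate"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
'@ -replace '\{SUBJECT\}', $subject

$infPath = Join-Path $workDir 'docs.inf'
$reqPath = Join-Path $workDir 'docs.req'
$cerPath = Join-Path $workDir 'docs.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

function Invoke-CertReq([string[]]$CertReqArgs) {
    & certreq @CertReqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CertReqArgs[0]) failed ($LASTEXITCODE)" }
}
Invoke-CertReq @('-new', $infPath, $reqPath)                      # key pair + PKCS#10 request
Invoke-CertReq @('-submit', '-config', $caConfig, $reqPath, $cerPath)  # enterprise CA issues it
Invoke-CertReq @('-accept', $cerPath)                             # install and join to the key

# Verify: a cert for the host, issued by the lab CA, with its private key present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=docs.contoso.com*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) { throw 'certificate was not installed with a private key' }
if ($cert.Issuer -notlike '*Contoso-CONTOSOSRV01-CA*') { throw "unexpected issuer: $($cert.Issuer)" }
'{0}  expires {1:d}  thumbprint {2}' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
```

Run it elevated on contososrv01; the thumbprint it prints is the one to select when the SharePoint extranet site is bound to port 443 in IIS.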
1. Run setup.exe for Office SharePoint Server 2007. After you start the installation process,
you have to enter a valid product identification key code.
2. After you enter the product identification key code, click Continue. The next screen is the
licensing agreement screen.
For product IDs to use in trial activation of this product, see Microsoft Office
SharePoint Server 2007 Trial Version (x64)
(http://go.microsoft.com/fwlink/?LinkID=150950).
3. Select the I accept the terms of this agreement check box, and then click Continue. On
the next screen, you can select the type of installation.
4. Click Advanced.
6. Click Install Now, and continue until you complete the installation process.
7. If you see the prompt “Program Compatibility Assistant”, click Run program.
Start the SharePoint Products and Technologies (SPPT) Configuration Wizard, and on the Welcome page, click Next.
You should see a message informing you that certain services (IIS, SharePoint
Administration, SharePoint Timer) are going to be stopped. Click Yes. After the
installation is complete, click Finish.
1. Start the SharePoint Central administration site: click Start, and then click SharePoint 3.0
Central Administration.
2. In the Central Administration site, click Application Management
3. In the SharePoint Web Application Management section of the page, click Create or
extend Web application.
4. On the next page, click Extend an existing Web application.
5. In the Web Application drop-down list, select Change Web Application, and then click
SharePoint-80.
6. Keep the selection for Create a new IIS web site, for the description type
docs.contoso.com, and then select the following options:
   Port: 443
   Host Header: docs.contoso.com
   Use Secure Sockets Layer (SSL): Yes
   Zone: Extranet
7. Click OK.
2. Locate the AdfsSetup.exe installable package that you downloaded, and then
double-click it.
4. On the End-User License Agreement page, read the license terms. If you agree to
them, select the I accept the terms in the License Agreement check box, and then
click Next.
5. On the Server Role page, select Federation server, and then click Next.
6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.
Note: The wizard may ask you to restart the computer. If so, click Finish to restart the
computer. After the computer is restarted, log in as contoso\administrator user. On
the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
If you do not see the AD FS 2.0 Management console, on the Start menu, click All
Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
8. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0
Federation Server Configuration Wizard.
9. On the Welcome page, select Create a new Federation Service, and then click Next.
10. On the Select Stand-Alone or Farm Deployment page, select New federation server
farm, and then click Next.
11. On the Specify the Federation Service Name page, type sts1.contoso.com as the
federation service name, and then click Next.
12. On the Specify a Service Account page, click Browse, type CONTOSO\adfssrvc, and
then click OK.
14. On the Ready to Apply Settings page, review the settings, and then click Next.
2. Locate the AdfsSetup.exe installable package that you downloaded, and then
double-click it.
4. On the End-User License Agreement page, read the license terms. If you agree to
them, select the I accept the terms in the License Agreement check box, and then
click Next.
5. On the Server Role page, click Federation server, and then click Next.
6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.
7. Note: The wizard may ask you to restart the computer. If so, click Finish to restart the
computer. After the computer is restarted, log in as FABRIKAM\administrator user.
On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
If you do not see the AD FS 2.0 Management console, on the Start menu, click All
Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
9. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0
Federation Server Configuration Wizard.
10. On the Welcome page, select Create a new Federation Service, and then click Next.
11. On the Select Stand-Alone or Farm Deployment page, select New federation server
farm, and then click Next.
12. On the Specify the Federation Service Name page, the federation service name
should appear as sts2.fabrikam.com. Click Next.
13. On the Specify a Service Account page, click Browse, type FABRIKAM\adfssrvc, and
then click OK.
15. On the Ready to Apply Settings page, review the settings, and then click Next.
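Once the configuration wizard has run on either federation server, it is worth confirming from PowerShell that the farm came up with the values the wizard pages were given, because a wrong Federation Service name or service account only shows up later as a trust-establishment failure between the two organizations. The following script is an added example, not part of the lab guide; it uses the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in cmdlets Get-ADFSProperties and Get-ADFSCertificate and the adfssrv Windows service. The parameter defaults are the contososrv01 values from the procedure above; pass sts2.fabrikam.com and FABRIKAM\adfssrvc when running it on fabrikamsrv01.

```powershell
# Added example, not from the lab guide: verify a freshly configured AD FS 2.0
# federation server against the values entered in the configuration wizard.
# Defaults are the contoso values; override them for the fabrikam server.
param(
    [string]$ExpectedName    = 'sts1.contoso.com',
    [string]$ExpectedAccount = 'CONTOSO\adfssrvc'
)

# AD FS 2.0 ships its cmdlets as a snap-in, not a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# 1. The Federation Service name must match the certificate subject and the DNS
#    name the partner organization will trust.
$props = Get-ADFSProperties
if ($props.HostName -ne $ExpectedName) {
    throw "Federation Service name is '$($props.HostName)', expected '$ExpectedName'"
}
'Federation Service : {0}  (identifier {1})' -f $props.HostName, $props.Identifier

# 2. The AD FS 2.0 Windows Service (adfssrv) should run as the dedicated
#    service account chosen on the Specify a Service Account page, not as an
#    administrator or LocalSystem.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
if ($svc.StartName -ne $ExpectedAccount) {
    Write-Warning "adfssrv runs as '$($svc.StartName)', expected '$ExpectedAccount'"
} else {
    "Service account    : $($svc.StartName)  (state $($svc.State))"
}

# 3. List the three certificate roles the farm relies on (service
#    communications, token signing, token decrypting) with expiry and
#    thumbprint, so the partner can be handed the correct signing certificate.
Get-ADFSCertificate |
    Select-Object CertificateType, IsPrimary,
        @{n = 'Subject';  e = { $_.Certificate.Subject }},
        @{n = 'NotAfter'; e = { $_.Certificate.NotAfter }},
        Thumbprint |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated PowerShell session on the federation server; on fabrikamsrv01 invoke it as `.\Verify-Adfs.ps1 -ExpectedName sts2.fabrikam.com -ExpectedAccount FABRIKAM\adfssrvc`.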
Note
This document is part of the support files download for this lab setup. For more
information see the table in Step 2: Download and install prerequisite software.
4. Open the file web.config.
5. In the <appSettings> section, replace logo.png with contoso_logo.png, and
uncomment that line.
6. In the <authenticationTypes> section, move the line <add name="Forms" … /> to
the top of the list. Save the changes, and close the file.
For changes on fabrikamsrv01, follow the steps above, except replace contoso_logo.png with
fabrikam_logo.png.
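Because the same two edits are made on both federation servers, they are easier to get right as a scripted XML transformation than by hand. The following PowerShell function is an added example, not part of the lab guide: it uncomments the logo entry in <appSettings> with the new file name, moves the Forms entry to the top of <authenticationTypes>, and saves the file. The web.config it operates on here is a constructed sample, not the real AD FS 2.0 file, and the key name "logo" and the page attributes in the sample are assumptions, since the page names only the two elements. The ordering matters because AD FS 2.0 treats the first listed authentication type as the default, which is why the guide moves Forms first.

```powershell
# Added example, not from the lab guide: apply the web.config edits from
# steps 5 and 6 as an XML transformation. Sample file and key names are
# constructed/assumed for the demo.

function Update-AdfsWebConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$LogoFile   # contoso_logo.png or fabrikam_logo.png
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true     # keep the saved file diff-friendly
    $xml.Load($Path)

    # Step 5: the logo setting ships commented out. Rewrite the file name inside
    # the comment text and turn the comment back into a live <add> element.
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "no <appSettings> section in $Path" }
    $commented = @($appSettings.ChildNodes | Where-Object {
        $_.NodeType -eq 'Comment' -and $_.Value -match 'logo\.png' })
    if ($commented.Count -ne 1) { throw "expected one commented logo entry, found $($commented.Count)" }
    $frag = $xml.CreateDocumentFragment()
    $frag.InnerXml = $commented[0].Value.Replace('logo.png', $LogoFile)
    [void]$appSettings.ReplaceChild($frag, $commented[0])

    # Step 6: the first entry is the default sign-in method, so Forms goes first.
    $authTypes = $xml.SelectSingleNode('//authenticationTypes')
    if (-not $authTypes) { throw "no <authenticationTypes> section in $Path" }
    $forms = $authTypes.SelectSingleNode("add[@name='Forms']")
    if (-not $forms) { throw 'no Forms entry in <authenticationTypes>' }
    [void]$authTypes.RemoveChild($forms)
    [void]$authTypes.PrependChild($forms)

    $xml.Save($Path)
}

# Constructed sample standing in for the real AD FS 2.0 web.config.
$samplePath = Join-Path $env:TEMP 'adfs-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- <add key="logo" value="logo.png" /> -->
  </appSettings>
  <authenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
  </authenticationTypes>
</configuration>
'@ | Set-Content -Path $samplePath -Encoding UTF8

Update-AdfsWebConfig -Path $samplePath -LogoFile 'contoso_logo.png'

# Check the result the way a reviewer would read the diff.
[xml]$after = Get-Content $samplePath
$firstAuth = $after.configuration.authenticationTypes.add[0].name
$logo      = $after.configuration.appSettings.add.value
if ($firstAuth -ne 'Forms' -or $logo -ne 'contoso_logo.png') { throw 'web.config edit did not apply' }
"default authentication type: $firstAuth; logo: $logo"
```

To apply it to the real file, back up web.config first and call the function with the AD FS web.config path and `fabrikam_logo.png` on fabrikamsrv01; the throws at each step stop the function before it saves a half-edited file.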
2. Click Start, click Administrative Tools, click Server Manager, and then, in the left
pane, click Features.
2. Install the following programs, and accept their default settings in the installation:
To request a certificate from the CA and set the private key PIN