
Understanding Active Directory
Christopher Chapman | MCT
Content PM, Microsoft Learning, PDG Planning, Microsoft

Active Directory Federation Services (AD FS)

Microsoft Virtual Academy

Module Overview
AD FS Overview
AD FS Deployment Scenarios
Configuring AD FS Components

Lesson 1: AD FS Overview
What Is Identity Federation?
What Are the Identity Federation Scenarios?
Benefits of Deploying AD FS

What Is Identity Federation?

Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries

An identity federation:
Requires a trust relationship between two organizations or entities
Allows organizations to retain control of:
Resource access
Their own user and group accounts

What Are the Identity Federation Scenarios?

Federation for business-to-business (B2B)
Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario
Federation within an organization across multiple Web applications

Benefits of Deploying AD FS
AD FS provides the following benefits:
Enables improved:
Security and control over authentication
Regulatory compliance
Interoperability with heterogeneous systems
Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)
Extends AD DS to the Internet

Demonstration: Installing AD FS

In this demonstration, you will see how to install the Active Directory Federation Services server role

Lesson 2: AD FS Deployment Scenarios


What Is a Federation Trust?
What Are the AD FS Components?
How AD FS Provides Identity Federation in a B2B Scenario
How AD FS Traffic Flows in a B2B Federation Scenario
How AD FS Provides Web Single Sign-On
Integrating AD FS and AD RMS

What Is a Federation Trust?

[Diagram: a federation trust between the Account Partner Organization (AD DS and an Account Federation Server) and the Resource Partner Organization (a Resource Federation Server and a Web Server)]

What Are the AD FS Components?


AD FS Components:
AD DS domain controllers
Account federation server
Account Federation Service Proxy
Resource Federation Server
Resource Federation Server Proxy
AD FS Web Agent

How AD FS Provides Identity Federation in a B2B Scenario

[Diagram: Contoso's intranet forest holds AD DS and the Account Federation Server, with an Account Federation Server Proxy in its perimeter network; the Online Retailer's perimeter network holds a Resource Federation Server Proxy in front of the Resource Federation Server and an AD FS-enabled Web Server; a federation trust links the two organizations]

How AD FS Traffic Flows in a Business to Business Federation Scenario

[Diagram: numbered traffic flow (steps 1 to 5) between Contoso (AD DS and Account Federation Server) and the Online Retailer (Resource Federation Server and Web Server) across the federation trust]

Lesson 3: Configuring AD FS Components

Federation Service Configuration Options
What Are AD FS Trust Policies?
Demonstration: Configuring the Federation Services for an Account Partner
AD FS Web Proxy Agent Configuration Options
What Are AD FS Claims?

Federation Service Configuration Options

To implement the federation service:
Create a trust policy for both the resource and account partners
Create organizational claims
Create account stores
Create and configure applications

What Are AD FS Trust Policies?

Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works

Resource partner trust policies include:
Token lifetime
Federation Service URI
Federation Service endpoint URL
The option to use a Windows trust relationship for this partner

In addition, the account partner trust policies include:
Location for a certificate to verify the resource partner
Options for configuring how resource accounts are created

Demonstration: AD FS Initial Configuration

In this demonstration, you will see how to run the AD FS Management snap-in and work through the initial configuration steps.

AD FS Web Proxy Agent Configuration Options

AD FS Web Proxy Agent configuration options:
1. Install the AD FS Web Agent on the IIS server
   Windows token-based authentication requires ISAPI extensions
   Claims-aware authorization can authenticate natively with ASP.NET
2. Determine how to collect user credential information from browser clients and Web applications

What Are AD FS Claims?

Claim Type: Identity
  UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN), for example user@realm
  E-mail: indicates RFC 2822-style e-mail names of the form user@domain
  Common name: indicates an arbitrary string that is used for personalization
Claim Type: Group
  Indicates membership in a group or role
Claim Type: Custom
  Indicates a claim that contains custom information about a user, for example, an employee ID number
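The Python below is an added example, not code from this deck or from AD FS itself. It shows what the resource partner's side of a trust policy looks like when applied to an incoming AD FS-style SAML 1.1 token: the account partner's Federation Service URI is checked as the token issuer, the resource partner's own URI as the audience, and the token's validity window against the configured token lifetime; the token's claims are then sorted into the identity, group and custom categories of the table above. The claim type URIs are modelled on the AD FS 1.x claim names, and the partner URIs urn:federation:contoso and urn:federation:onlineretailer, the 10-minute lifetime, the sample user and the custom EmployeeID claim URI are all assumptions constructed for the example. Signature verification is assumed to have been done before this check and is not shown.

```python
"""Resource-side check of an AD FS-style SAML 1.1 token against a trust policy.
Illustrative only: the URIs, lifetime and sample claims are constructed for this example,
and the token's XML signature is assumed to have been verified before this runs."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def tag(name):
    return "{%s}%s" % (SAML_NS, name)  # namespace-qualified element name for ElementTree


# Claim type URIs modelled on the AD FS 1.x claim names (assumption for this example).
CLAIM_UPN = "http://schemas.xmlsoap.org/claims/UPN"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/claims/EmailAddress"
CLAIM_CN = "http://schemas.xmlsoap.org/claims/CommonName"
CLAIM_GROUP = "http://schemas.xmlsoap.org/claims/Group"
IDENTITY_CLAIMS = {CLAIM_UPN, CLAIM_EMAIL, CLAIM_CN}

# Hypothetical trust policy held by the Online Retailer for the account partner Contoso.
TRUST_POLICY = {
    "account_partner_uri": "urn:federation:contoso",   # account partner's Federation Service URI
    "resource_uri": "urn:federation:onlineretailer",   # our own Federation Service URI (audience)
    "max_token_lifetime": timedelta(minutes=10),       # token lifetime from the trust policy
}
NOW = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

# Constructed sample claims for one user; the EmployeeID URI is a hypothetical custom claim.
SAMPLE_CLAIMS = [
    (CLAIM_UPN, "alice@contoso.com"),
    (CLAIM_EMAIL, "alice@contoso.com"),
    (CLAIM_CN, "Alice Example"),
    (CLAIM_GROUP, "Purchasers"),
    (CLAIM_GROUP, "Managers"),
    ("http://schemas.example.com/claims/EmployeeID", "E12345"),
]


def make_assertion(issuer, audience, not_before, not_on_or_after, claims):
    """Build an unsigned SAML 1.1 assertion carrying (claim type URI, value) pairs as attributes."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(tag("Assertion"), Issuer=issuer)
    cond = ET.SubElement(root, tag("Conditions"), NotBefore=not_before.strftime(TIME_FMT),
                         NotOnOrAfter=not_on_or_after.strftime(TIME_FMT))
    arc = ET.SubElement(cond, tag("AudienceRestrictionCondition"))
    ET.SubElement(arc, tag("Audience")).text = audience
    stmt = ET.SubElement(root, tag("AttributeStatement"))
    for claim_type, value in claims:
        namespace, name = claim_type.rsplit("/", 1)  # SAML 1.1 splits the type into namespace + name
        attr = ET.SubElement(stmt, tag("Attribute"), AttributeName=name, AttributeNamespace=namespace)
        ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def validate_token(xml_text, policy, now):
    """Apply the trust policy to a token; return claims by category or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != tag("Assertion"):
        raise ValueError("not a SAML 1.1 assertion")
    if root.get("Issuer") != policy["account_partner_uri"]:  # must come from the trusted partner
        raise ValueError("unexpected issuer %r" % root.get("Issuer"))
    cond = root.find(tag("Conditions"))
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not_after - not_before > policy["max_token_lifetime"]:  # partner issued a longer-lived token than allowed
        raise ValueError("token lifetime exceeds trust policy")
    if not (not_before <= now < not_after):
        raise ValueError("token not valid at this time")
    if policy["resource_uri"] not in [a.text for a in cond.iter(tag("Audience"))]:
        raise ValueError("token not intended for this resource partner")
    claims = {"identity": {}, "group": [], "custom": {}}
    for attr in root.iter(tag("Attribute")):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        values = [v.text for v in attr.findall(tag("AttributeValue"))]
        if claim_type in IDENTITY_CLAIMS:
            claims["identity"][attr.get("AttributeName")] = values[0]
        elif claim_type == CLAIM_GROUP:
            claims["group"].extend(values)
        else:
            claims["custom"][claim_type] = values[0]
    return claims


def token(issuer="urn:federation:contoso", start=-1, end=5):
    """Constructed sample token for the Online Retailer, valid from NOW+start to NOW+end minutes."""
    return make_assertion(issuer, "urn:federation:onlineretailer",
                          NOW + timedelta(minutes=start), NOW + timedelta(minutes=end), SAMPLE_CLAIMS)


def rejection_reason(xml_text):
    """None if the token passes the trust policy, otherwise the reason it was refused."""
    try:
        validate_token(xml_text, TRUST_POLICY, NOW)
        return None
    except ValueError as exc:
        return str(exc)
```

Running validate_token(token(), TRUST_POLICY, NOW) yields the identity claims keyed by UPN, EmailAddress and CommonName, the two group values, and the EmployeeID custom claim; token(issuer="urn:federation:fabrikam"), token(start=-20, end=-11) and token(end=480) are each refused by a different check. The order of the checks is deliberate: the issuer is tied to a specific account partner's Federation Service URI before any claim in the token is read, so a token from an unknown partner never reaches the claim-mapping step.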

Module Review and Takeaways


Review Questions
Summary of AD FS

Thanks for Watching!

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered
trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of
Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT
MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
