
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 5: Configuring AD FS
• Overview of AD FS

• AD FS Deployment Scenarios

• Deploying AD FS

• Implementing AD FS Claims
Lesson 1: Overview of AD FS
• What Is Identity Federation?

• Identity Federation Scenarios

• Identity Federation Business Requirements

• What Is a Federation Trust?

• AD FS Components
What Is Identity Federation?

Identity Federation:

• Enables user access to resources between different organizations or different server platforms
• Allows an organization to retain control over who can access resources
• Requires an identity federation partnership to provide a form of trust between two organizations
• Provides an agreement to define which resources will be accessible to the other organization and how access to the resources will be enabled
Identity Federation Scenarios

Identity federation allows secure and efficient communication and collaboration in the following three scenarios:

• Business-To-Business (B2B)
• Business-To-Employee (B2E)
• Business-To-Consumer (B2C)
Discussion: Identity Federation
Business Requirements
• What business requirements would lead to the deployment of an identity
federation solution?
What Is a Federation Trust?

A federation trust relationship provides efficient communication between organizations.

• Federation trust: the embodiment of a partnership between two organizations
• Account partner: stores and manages user accounts in an Active Directory® store or in AD LDS
• Resource partner: hosts the Web servers that host the Web-based applications
AD FS Components

User accounts can exist in AD DS or AD LDS

[Diagram: Account Partner (Domain Controller, Account Federation Server, Federation Service Proxy) joined by a Federation Trust to Resource Partner (Resource Federation Server, Web Server running the AD FS Web Agent)]


Lesson 2: AD FS Deployment Scenarios
• AD FS Deployment Options

• How ADFS Traffic Flows in a B2B Federation Scenario

• How ADFS Traffic Flows in a B2E Federation Scenario

• How ADFS Traffic Flows in a B2C Federation Scenario

• AD FS Deployment Considerations
AD FS Deployment Options

[Diagram: Federated Web SSO: Northwind Traders (AD DS, account federation server) and Contoso (AD DS, resource federation server) joined by a Federation Trust across the Internet, each behind firewalls]

[Diagram: Web SSO: A. Datum Corp., a single organization with AD DS and a federation server behind firewalls, reached from the Internet]

[Diagram: Federated Web SSO with Forest Trust: A. Datum Corp. with an account federation server and a resource federation server in separate AD DS forests, joined by both a Forest Trust and a Federation Trust]
How AD FS Traffic Flows in a B2B Federation Scenario

Federated Web SSO

[Diagram: numbered traffic flow (steps 1 to 11) between A. Datum (account partner: Client, AD DS Domain Controller, Account Federation Server) and Woodgrove Bank (resource partner: Resource Federation Server, Web Server) across the Internet over a Federation Trust]
How AD FS Traffic Flows in a B2E Federation Scenario

Federated Web SSO with Forest Trust

[Diagram: numbered traffic flow (steps 1 to 11) from a Client in the internal AD DS domain (Domain Controller, Account Federation Server, Account Federation Proxy Server) across the Internet to a Resource Federation Server and a separate AD domain in the perimeter network (Domain Controller, AD FS Web Agent), joined by a Federation Trust and a One-Way Forest Trust. The perimeter network is its own domain.]
How AD FS Traffic Flows in a B2C Federation Scenario

Web Single Sign-On

[Diagram: numbered traffic flow (steps 1 to 7) from a Client on the Internet through a Federation Server Proxy to a Resource Federation Server, an AD LDS Server, and the AD FS Web Agent]
AD FS Deployment Considerations

Consider the following when planning an AD FS solution:

• AD FS scenario to be deployed
• Certificate management
• Directory store requirements
• Application type

[Diagram: Manufacturer (Account Partner) and Supplier (Resource Partner)]


Lesson 3: Deploying AD FS
• AD FS System Requirements

• AD FS Prerequisites

• AD FS Certificate Requirements

• How To Install the AD FS Server Role

• Federation Service Configuration Tasks

• What Is an AD FS Trust Policy?

• Configuring AD FS Web Agent


AD FS System Requirements

AD FS requirements for the Federation Service, Federation Service Proxy and AD FS Web Agent roles:

• One of the following:
  Windows Server® 2003 R2 Enterprise Edition
  Windows Server® 2003 R2 Datacenter Edition
  Windows Server® 2008 Enterprise
  Windows Server® 2008 Datacenter
• Internet Information Services (IIS)
• Microsoft® ASP.NET 2.0
• Microsoft® .NET Framework 2.0
• A Web site with Transport Layer Security/Secure Sockets Layer (TLS/SSL) configured
AD FS Prerequisites

Network services critical to a successful AD FS deployment include:

• Active Directory® or AD LDS
• Domain Name System (DNS)
• Certificates
AD FS Certificate Requirements

Certificates can be issued by a trusted Certification Authority. You can also use a self-signed certificate.

Role                      Certificates required
Federation Server         • Token-signing certificate
                          • Verification certificate
                          • SSL server authentication certificate
Federation Server Proxy   • SSL client authentication certificate
                          • SSL server authentication certificate
AD FS Web Agent           • SSL server authentication certificate
Demonstration: How To Install the AD FS
Server Role
• To install the AD FS server role

• To install the Federation Service role service


Federation Service Configuration Tasks

Use the AD FS console to configure:

Account Partners
Resource Partners
Trust Policy
Account Stores
ADFS-protected Applications
Organization Claims
What Is an AD FS Trust Policy?

An AD FS trust policy consists of the configuration information that is associated with your Federation Service.

Properties that can be configured include the following:

• Federation Service URI
• Federation Service endpoint URL
• Trust policy display name
• Verification certificates and federation server proxy certificates
• Event log level
• Advanced settings
Configuring AD FS Web Agent

Configuration options for AD FS Web Agent include:

• Federation Service URL
• Cookie path
• Cookie domain
• Return URL

[Diagram: Manufacturer (Account Partner) and Supplier (Resource Partner) connected through AD FS]
Lesson 4: Implementing AD FS Claims
• What Are AD FS Claims?

• What Are Identity Claims?

• What Are Group and Custom Claims?

• What Is Incoming Claim Mapping?

• What Is Outgoing Claim Mapping?

• How To Configure AD FS Claim Mapping


What Are AD FS Claims?

AD FS claim: a statement made about a user that is understood by both partners in an AD FS federation scenario.

The Federation Service supports the following claims:

• Identity claims
• Group claims
• Custom claims
What Are Group and Custom Claims?

Group claims contain group membership information.
Custom claims contain information about a user.

[Table: claim flow from the account partner through the federated namespace (incoming/outgoing) to the resource partner]

Account partner                                                      Federated namespace   Resource partner
Purchasing Dept (security group) -> Purchasing Agent (group claim)   Purchaser             Purchaser (organizational claim)
Title (user attribute) -> Position (custom claim)                    Position              Title (custom claim)
What Is Incoming Claim Mapping?

Incoming claim mapping maps claims sent from the account partner to claims used by the resource partner.

The two types of incoming claim mappings are:

• Incoming group claim mapping
• Incoming custom claim mapping

Federated namespace (incoming/outgoing)   Resource partner
Purchaser                                 Purchaser (organizational claim)
Position                                  Title (custom claim)

What Is Outgoing Claim Mapping?

Outgoing claim mapping modifies an account partner's organization claim to match a common attribute as agreed with the resource partner.

The two types of outgoing claim mappings are:

• Outgoing group claim mapping
• Outgoing custom claim mapping

Account partner                                                      Federated namespace (incoming/outgoing)
Purchasing Dept (security group) -> Purchasing Agent (group claim)   Purchaser
Title (user attribute) -> Position (custom claim)                    Position
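The following is an added example, not part of the course material and not an AD FS configuration format: a small model of the outgoing and incoming claim mapping chain shown in the group/custom claim, incoming mapping and outgoing mapping tables above. The sample user, the "Domain Admins" and "Finance Approver" names and the mapping dictionaries are constructed assumptions that mirror the slide tables.

```python
# Added example (constructed): model of AD FS outgoing and incoming claim mapping.

# Account partner: organization claims produced from the user's AD DS data
GROUP_CLAIMS = {"Purchasing Dept": "Purchasing Agent"}   # security group -> group claim
CUSTOM_CLAIMS = {"title": "Position"}                   # AD attribute   -> custom claim

# Outgoing mapping (account partner): organization claim -> federated namespace claim
OUTGOING = {("group", "Purchasing Agent"): "Purchaser",
            ("custom", "Position"): "Position"}

# Incoming mapping (resource partner): federated namespace claim -> organization claim
INCOMING = {("group", "Purchaser"): "Purchaser",   # -> organizational group claim
            ("custom", "Position"): "Title"}       # -> custom claim used by the application


def outgoing_token(user):
    """Claims the account partner's federation server sends across the federation trust."""
    org_claims = [("group", GROUP_CLAIMS[g], None) for g in user["groups"] if g in GROUP_CLAIMS]
    org_claims += [("custom", c, user["attributes"][a])
                   for a, c in CUSTOM_CLAIMS.items() if a in user["attributes"]]
    # Only claims with an agreed federated name leave the organization.
    return [(kind, OUTGOING[(kind, name)], value)
            for kind, name, value in org_claims if (kind, name) in OUTGOING]


def incoming_claims(token):
    """Claims the resource partner's federation server hands to the AD FS Web Agent.

    Returns (accepted, rejected): the incoming mapping acts as an allowlist, so
    federated claims the resource partner never agreed to are discarded.
    """
    accepted, rejected = {}, []
    for kind, name, value in token:
        if (kind, name) in INCOMING:
            accepted[(kind, INCOMING[(kind, name)])] = value
        else:
            rejected.append((kind, name))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample user; "Domain Admins" and "mail" never cross the trust.
    user = {"groups": ["Purchasing Dept", "Domain Admins"],
            "attributes": {"title": "Senior Buyer", "mail": "buyer@example.test"}}
    token = outgoing_token(user)
    # A federated claim with no incoming mapping (constructed name) is rejected.
    accepted, rejected = incoming_claims(token + [("group", "Finance Approver", None)])
    print(token, accepted, rejected, sep="\n")
```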
Demonstration: How To Configure AD FS Claim
Mapping
• To configure Organizational claims

• To configure Group and Custom claims

• To configure outgoing and incoming claim mapping


Lab 5A: Configuring the Federated Web SSO with
Forest Trust Scenario
• Exercise 1: Installing the AD FS Server Role

• Exercise 2: Configuring Certificate Requirements

• Exercise 3: Configuring the AD FS Web Agent

• Exercise 4: Configuring the Web Server application on 6426A-CHI-DC1

• Exercise 5: Configuring the Forest Trust and the Federated Trust Policies

• Exercise 6: Configuring the Federation Service Within the Internal Network

• Exercise 7: Configuring the Federation Service Within the Extranet

• Exercise 8: Testing the AD FS Implementation

Logon information

Virtual machine   6426A-NYC-DC1      6426A-CHI-DC1    6426A-NYC-CL1
User name         Administrator      Administrator    William
Domain            woodgrovebank.com  WDextranet.net   woodgrovebank.com
Password          Pa$$w0rd           Pa$$w0rd         Pa$$w0rd

Estimated time: 75 minutes


Lab 5B: Configuring AD FS by Using Federated
Web SSO Scenario
• Exercise 1: Installing the AD FS Server Role

• Exercise 2: Configuring Certificate Requirements

• Exercise 3: Configuring the AD FS Web Agent

• Exercise 4: Configuring the Web Server application on the 6426A-CHI-DC1 virtual computer

• Exercise 5: Configuring the Federation Trust Policies

• Exercise 6: Configuring the Account Partner Federation Service

• Exercise 7: Configuring the Resource Partner Federation Service

• Exercise 8: Testing the AD FS implementation

Logon information

Virtual machine   6426A-NYC-DC1 and 6426A-CHI-DC1
User name         Administrator
Password          Pa$$w0rd

Estimated time: 75 minutes
