To set up another virtual machine, install Windows Server 2012 R2 and connect it to the domain
yyyyyyyyy.com. Set up the computer after you have joined it to the domain, and then proceed to
install and configure the AD FS role.
Install a server SSL certificate
You must install a server Secure Sockets Layer (SSL) certificate on the adfs server in the local
computer store. The certificate MUST have the following attributes:
For more information about setting up SSL certificates, see Configure SSL/TLS on a Web site in
the domain with an Enterprise CA.
Start Server Manager. To start Server Manager, click Server Manager on the Windows Start screen,
or click Server Manager on the Windows taskbar on the Windows desktop. On the Quick Start tab
of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can
click Add Roles and Features on the Manage menu.
On the Select installation type page, click Role-based or feature-based installation, and then click
Next.
On the Select destination server page, click Select a server from the server pool, verify that the
target computer is selected, and then click Next.
On the Select server roles page, click Active Directory Federation Services, and then click Next.
On the Active Directory Federation Service (AD FS) page, click Next.
After you verify the information on the Confirm installation selections page, select the Restart the
destination server automatically if required check box, and then click Install.
On the Installation progress page, verify that everything installed correctly, and then click Close.
Configure the federation server
On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the
federation service on the server.
On the Welcome page, select Create the first federation server in a federation server farm, and then
click Next.
On the Connect to AD DS page, specify an account with domain administrator rights for the
yyyyyyyyy.com Active Directory domain that this computer is joined to, and then click Next.
On the Specify Service Properties page, do the following, and then click Next:
Import the SSL certificate that you have obtained earlier. This certificate is the required service
authentication certificate. Browse to the location of your SSL certificate.
To provide a name for your federation service, type adfs.yyyyyyyyy.com. This value is the same
value that you provided when you enrolled an SSL certificate in Active Directory Certificate
Services (AD CS).
On the Specify Service Account page, select Use an existing domain user account or group
Managed Service Account, and then specify the GMSA account fsgmsa that you created when you
created the domain controller.
On the Specify Configuration Database page, select Create a database on this server using Windows
Internal Database, and then click Next.
On the Review Options page, verify your configuration selections, and then click Next.
On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed,
and then click Configure.
On the Results page, review the results, check whether the configuration has completed
successfully, and then click Next steps required for completing your federation service deployment.
The next step is to configure Device Registration Service on the adfs server. For a video, see Active
Directory Federation Services How-To Video Series: Enabling the Device Registration Service.
The following step applies to the Windows Server 2012 R2 RTM build.
Open a Windows PowerShell command window and type:
Initialize-ADDeviceRegistration
When you are prompted for a service account, type contoso\fsgmsa$.
Enable-AdfsDeviceRegistration
On the adfs server, in the AD FS Management console, navigate to Authentication Policies. Select
Edit Global Primary Authentication. Select the check box next to Enable Device Authentication,
and then click OK.
On DC1, you must ensure that the following Domain Name System (DNS) records are created for
Device Registration Service.
To add a host (A) and alias (CNAME) resource records to DNS for your federation server
On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.
In the console tree, expand DC1, expand Forward Lookup Zones, right-click yyyyyyyyy.com, and
then click New Host (A or AAAA).
In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs.
In IP address, type the IP address of the adfs server. Click Add Host.
In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.
In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs.yyyyyyyyy.com, and
then click OK.
Important
In a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you
must create multiple CNAME records, one for each of those UPN suffixes in DNS.
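The A record and the per-UPN-suffix enterpriseregistration CNAME records described above, created and then verified from DC1 with PowerShell. This is an added example, not part of the original walkthrough; it assumes the DnsServer and ActiveDirectory modules are present on DC1, that a DNS zone already exists for each UPN suffix, and uses a placeholder IP address for the adfs server.

```powershell
# Added example (not from the walkthrough): create the Device Registration Service DNS
# records for the farm and for every UPN suffix in the forest, then verify that each alias
# resolves through to the farm. Run on DC1 as a domain administrator.
Import-Module DnsServer
Import-Module ActiveDirectory

$FarmName   = 'adfs'                 # host label used for the farm in the walkthrough
$RootDomain = 'yyyyyyyyy.com'        # zone that holds the farm's A record
$AdfsIp     = '10.0.0.20'            # placeholder: replace with the adfs server's address
$FarmFqdn   = "$FarmName.$RootDomain"

# Every UPN suffix users sign in with needs its own enterpriseregistration CNAME.
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) | Sort-Object -Unique

# A record for the farm itself (idempotent: skipped if it already exists)
if (-not (Get-DnsServerResourceRecord -ZoneName $RootDomain -Name $FarmName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $RootDomain -Name $FarmName -IPv4Address $AdfsIp
}

foreach ($suffix in $suffixes) {
    if (-not (Get-DnsServerZone -Name $suffix -ErrorAction SilentlyContinue)) {
        Write-Warning "No DNS zone for UPN suffix '$suffix'; create the zone before adding the CNAME."
        continue
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $suffix -Name 'enterpriseregistration' -RRType CName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $suffix -Name 'enterpriseregistration' -HostNameAlias $FarmFqdn
    }
}

# Verification: each alias must chain to the farm name and end at the farm's address.
foreach ($suffix in $suffixes) {
    $alias  = "enterpriseregistration.$suffix"
    $answer = Resolve-DnsName -Name $alias -Type A -ErrorAction SilentlyContinue
    $cname  = ($answer | Where-Object { $_.Type -eq 'CNAME' }).NameHost
    $a      = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress
    if ($cname -eq $FarmFqdn -and $a -contains $AdfsIp) {
        Write-Output "OK   $alias -> $cname -> $a"
    } else {
        Write-Warning "FAIL $alias (CNAME=$cname, A=$a)"
    }
}
```

Clients locate the Device Registration Service from the UPN suffix of the signing-in user, so a suffix without a working CNAME fails device registration even when the farm itself is healthy.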
To complete the walkthroughs that were referenced earlier in this topic, you must have a sample
application that is secured by your federation server (adfs).
You must complete the following steps to set up a web server with this sample claims-based
application.
Note
These steps have been tested on a web server that runs the Windows Server 2012 R2 operating
system.
Install the Web Server Role and Windows Identity Foundation
Note
You must have access to the Windows Server 2012 R2 installation media.
Log on to WebServ1 by using administrator@yyyyyyyyy.com and the password pass@word1.
From Server Manager, on the Quick Start tab of the Welcome tile on the Dashboard page, click Add
roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
On the Select installation type page, click Role-based or feature-based installation, and then click
Next.
On the Select destination server page, click Select a server from the server pool, verify that the
target computer is selected, and then click Next.
On the Select server roles page, select the check box next to Web Server (IIS), click Add Features,
and then click Next.
On the Select features page, select Windows Identity Foundation 3.5, and then click Next.
On the Web Server Role (IIS) page, click Next.
On the Select role services page, select and expand Application Development. Select ASP.NET 3.5,
click Add Features, and then click Next.
On the Confirm installation selections page, click Specify an alternate source path. Enter the path to
the Sxs directory that is located in the Windows Server 2012 R2 installation media. For example,
D:\Sources\Sxs. Click OK, and then click Install.
Install a valid SSL certificate in the computer certificate store. The certificate should contain the
name of your web server, webserv1.yyyyyyyyy.com.
Edit the Default.aspx.cs file so that no claim filtering takes place. This step is performed to ensure
that the sample application displays all the claims that are issued by the federation server. Do the
following:
Comment out the entire IF statement and its braces. Indicate comments by typing "//" (without the
quotes) at the beginning of a line.
Your FOREACH statement should now look like this code example.
Go to Application Pools, right-click DefaultAppPool to select Advanced Settings. Set Load User
Profile to True, and then click OK.
Right-click DefaultAppPool to select Basic Settings. Change the .NET CLR Version to .NET CLR
Version v2.0.50727.
Add an HTTPS binding to port 443 with the SSL certificate that you have installed.
Set the application configuration location to C:\inetpub\claimapp\web.config and set the application
URI to the URL for your site, https://webserv1.yyyyyyyyy.com/claimapp/. Click Next.
Select Use an existing STS and browse to your AD FS server's metadata URL
https://adfs.yyyyyyyyy.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.
Select No encryption, and then click Next. On the Offered claims page, click Next.
Select the check box next to Schedule a task to perform daily WS-Federation metadata updates.
Click Finish.
Your sample application is now configured. If you test the application URL
https://webserv1.yyyyyyyyy.com/claimapp, it should redirect you to your federation server. The
federation server should display an error page because you have not yet configured the relying party
trust. In other words, you have not secured this test application by AD FS.
You must now secure your sample application that runs on your web server with AD FS. You can
do this by adding a relying party trust on your federation server (adfs). For a video, see Active
Directory Federation Services How-To Video Series: Add a Relying Party Trust.
Create a relying party trust on your federation server
On your federation server (adfs), in the AD FS Management console, navigate to Relying Party
Trusts, and then click Add Relying Party Trust.
On the Select Data Source page, select Import data about the relying party published online or on a
local network, enter the metadata URL for claimapp, and then click Next. Running FedUtil.exe
created a metadata .xml file. It is located at
https://webserv1.yyyyyyyyy.com/claimapp/federationmetadata/2007-06/federationmetadata.xml.
On the Specify Display Name page, specify the display name for your relying party trust, claimapp,
and then click Next.
On the Configure Multi-factor Authentication Now? page, select I do not want to specify
multi-factor authentication settings for this relying party trust at this time, and then click Next.
On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.
On the Choose Rule Type page, select Send Claims Using a Custom Rule, and then click Next.
On the Configure Claim Rule page, in the Claim rule name box, type All Claims. In the Custom
rule box, type the following claim rule.
c:[ ]
=> issue(claim = c);
Click Finish, and then click OK.
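The same "All Claims" rule applied to the claimapp trust from PowerShell on the adfs server, alongside a scoped rule set that passes through only named claim types. This is an added example, not part of the walkthrough; it assumes the ADFS module is available and that the relying party trust was given the display name claimapp as above.

```powershell
# Added example (not from the walkthrough): set the issuance transform rules on the
# claimapp relying party trust with PowerShell and list what is configured afterwards.
Import-Module ADFS

# Lab rule from the wizard step: the empty condition c:[ ] matches every incoming claim,
# so the federation server issues all of them to claimapp. Convenient for inspecting
# what the sample application receives; wider than a production application needs.
$allClaimsRule = @'
@RuleName = "All Claims"
c:[ ]
 => issue(claim = c);
'@

# Scoped alternative: pass through only the claim types the application consumes.
$scopedRules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

function Set-ClaimappIssuanceRules {
    param([Parameter(Mandatory)][string]$Rules)
    # Replaces the whole issuance transform rule set on the trust; other settings are untouched.
    Set-AdfsRelyingPartyTrust -TargetName 'claimapp' -IssuanceTransformRules $Rules
}

function Show-ClaimappRules {
    # Returns the @RuleName of each rule on the trust so the change can be reviewed.
    $rp = Get-AdfsRelyingPartyTrust -Name 'claimapp'
    [regex]::Matches($rp.IssuanceTransformRules, '@RuleName = "([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value }
}

Set-ClaimappIssuanceRules -Rules $allClaimsRule   # same result as the wizard step above
Show-ClaimappRules                                # lists: All Claims
# Set-ClaimappIssuanceRules -Rules $scopedRules   # narrow the trust once the needed claims are known
```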