Implementing AD FS

Module 4
Module Overview

• Overview of AD FS
• Deploying AD FS
• Implementing AD FS for a single organization
• Implementing Web Application Proxy
• Implementing SSO with Microsoft online services
Lesson 1: Overview of AD FS

• What is identity federation?
• What is claims-based identity?
• Web services overview
• What is AD FS?
• Overview of Web Application Proxy
• AD FS and SSO in a single organization
• What is Device Registration?
What is identity federation?

Identity federation:
• Enables identification, authentication, and authorization across organizational and platform boundaries
• Requires a federated trust relationship between two organizations or entities
• Enables organizations to retain control over who can access their resources
• Enables organizations to retain control of their own user and group accounts
What is claims-based identity?

• Claims are statements about a user (for example name, e-mail address, or group membership) carried in a security token
• The claims are issued by the user’s identity provider and accepted by the application provider, which trusts the identity provider’s signature on the token instead of authenticating the user itself

[Diagram: the identity provider’s security token service issues a security token carrying outgoing claims; the application provider’s application receives that token as incoming claims]
Web services overview

• Web services are a standardized set of specifications used to build applications and services
• Web services typically:
  • Transmit data as XML
  • Use SOAP to define the XML message format
  • Use WSDL to describe the valid SOAP messages a service accepts
  • Use UDDI to describe available web services
• SAML is a standard for exchanging identity claims
What is AD FS?

AD FS is the Microsoft identity federation product that uses claims-based authentication.

AD FS has the following features:
• SSO for web-based applications
• Interoperability with web services on multiple platforms
• Support for many clients, such as web browsers, mobile devices, and applications
• Extensibility to support customized claims from third-party applications
• Delegation of account management to the user’s own organization
Overview of AD FS

New features in AD FS introduced in Windows Server 2012:
• Integration with the Windows Server 2012 operating system
• Integration with Dynamic Access Control
• Windows PowerShell cmdlets for administering AD FS

New features in AD FS introduced in Windows Server 2016:
• Support for any LDAP v3-compliant directory
• New factors of authentication
• Improvements in AD FS management
• Conditional access
Overview of Web Application Proxy

Web Application Proxy:
• Increases security by acting as a:
  • Reverse proxy for web-based applications
  • Federation Service Proxy for AD FS
• Is placed in a perimeter network
• Drops invalid requests before they reach internal servers
• Is independent of the web server software being used

[Diagram: intranet application, Web Application Proxy in the perimeter network, client on the Internet]
AD FS and SSO in a single organization

[Diagram: the corporate network holds an AD DS domain controller, a federation server, and a web server; the perimeter network holds a federation service proxy; an external client reaches the web server through the proxy in nine numbered steps]
What is Device Registration?

Access internal websites and company apps without entering credentials every time

[Diagram: a registered device signs on once through Web Application Proxy to AD FS, which is backed by a domain controller and a CA, and then reaches a web claims-aware app with SSO]
What is Device Registration?

Device Registration usage scenarios:
• The IT department has some control over the devices:
  • Which company websites and apps can be accessed
  • Which device is represented in AD DS
• The device is an additional user authentication factor:
  • Users can access resources only from known devices
  • A user is associated with the device enabled for Device Registration
  • Multiple users can register on the same device
Lesson 2: Deploying AD FS

• Components in an AD FS deployment
• Prerequisites for an AD FS deployment
• Public key infrastructure and certificate requirements
• AD FS server roles
• Demonstration: Installing the AD FS server role
Components in an AD FS deployment

AD FS components:
• Federation server
• Federation server proxy/Web Application Proxy
• Claims
• Claim rules
• Attribute store
• Claims providers
• Relying parties
• Claims provider trust
• Relying party trust
• Certificates
• Endpoints
Prerequisites for an AD FS deployment

A successful AD FS deployment depends on the following critical infrastructure:
• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
Public key infrastructure and certificate requirements

• Certificates used by AD FS:
  • Service communication certificate (TLS for the federation service endpoints)
  • Token-signing certificate (signs every token AD FS issues)
  • Token-decrypting certificate (decrypts tokens that partner claims providers encrypt for this AD FS)
• When choosing certificates, ensure that the service communication certificate is trusted by all federation partners and clients
• Protect the token-signing private key: anyone holding it can mint valid tokens for every relying party that trusts this farm
AD FS server roles

• Claims provider federation server:
  • Authenticates internal users
  • Issues signed tokens containing user claims
• Relying party federation server:
  • Consumes tokens from the claims provider
  • Issues tokens for application access
• Federation service proxy:
  • Is deployed in a perimeter network
  • Provides a layer of security for internal federation servers
Demonstration: Installing the AD FS server role

In this demonstration, you will see how to:
• Install AD FS
• Add a DNS record for AD FS
• Configure AD FS
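The three demonstration steps as one script, written here as an added example rather than the course’s own demonstration, with the checks an engineer runs before handing the service over (these also answer the Lab A review question about testing AD FS). It assumes the adatum.com domain from the lab, the federation service name adfs.adatum.com, an internal address of 172.16.0.21, a DNS server LON-DC1, a service communication certificate already in the machine store, and a group managed service account ADATUM\ADFSsvc$; all of those are assumptions.

```powershell
# Added example, not from the course deck. Run elevated on the server that
# will become the first federation server. Names, IPs and the gMSA are assumed.

$FsName = 'adfs.adatum.com'
$FsIp   = '172.16.0.21'            # internal address of the federation server (assumed)
$DnsSrv = 'LON-DC1.adatum.com'     # DNS server holding the adatum.com zone (assumed)

# 1. Install the role and the management tools (includes the ADFS cmdlets).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Register the service name in internal DNS as a host (A) record, not a CNAME:
#    Windows Integrated Authentication needs the HTTP/adfs.adatum.com SPN to
#    match the name the browser resolves.
Add-DnsServerResourceRecordA -ComputerName $DnsSrv -ZoneName 'adatum.com' `
    -Name 'adfs' -IPv4Address $FsIp

# 3. Select the service communication certificate by subject rather than by a
#    hard-coded thumbprint, and refuse one that does not chain to a trusted CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$FsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.Verify()) {
    throw "No trusted certificate with a private key for $FsName in LocalMachine\My"
}

# 4. Create the farm. A gMSA avoids a static password for the service identity.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName 'A. Datum Corporation' `
    -GroupServiceAccountIdentifier 'ADATUM\ADFSsvc$'

# 5a. Check: the metadata endpoint answers and advertises a signing key.
$meta = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
if ($meta.StatusCode -ne 200 -or $meta.Content -notmatch '<X509Certificate>') {
    throw 'Federation metadata is not being served'
}

# 5b. Check: record the token-signing certificate relying parties will pin, so
#     an unexpected rollover is noticed later.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# 5c. The IdP-initiated sign-on page is disabled by default in Windows Server 2016;
#     enable it only while testing interactive logon at
#     https://adfs.adatum.com/adfs/ls/IdpInitiatedSignOn.aspx, then turn it off.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
```

The host-record point matters for the first lab review question: if adfs.adatum.com were a CNAME to the server’s own name, Kerberos clients would request a ticket for the wrong SPN and fall back to prompting, so the SSO being built would silently stop being single sign-on.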
Lesson 3: Implementing AD FS for a single organization

• AD FS claims
• AD FS claim rules
• Claims provider trust
• Relying party trust
• Demonstration: Configuring claims provider and relying party trusts
AD FS claims

• Claims carry information about users from the claims provider to the relying party
• AD FS:
  • Provides a default set of built-in claim types
  • Enables the creation of custom claim types
  • Requires each claim type to have a unique URI
• Claims can be:
  • Retrieved from an attribute store
  • Calculated based on retrieved values
  • Transformed into alternate values
AD FS claim rules

• Claim rules define how claims are issued and consumed by AD FS servers
• Claims provider rules are acceptance transform rules
• Relying party rules can be:
  • Issuance transform rules
  • Issuance authorization rules
  • Delegation authorization rules
• AD FS servers provide default claim rules, templates, and a syntax for creating custom claim rules
Claims provider trust

• Claims provider trusts:
  • Are configured on the relying party federation server
  • Identify the claims provider
  • Configure the claim rules for the claims provider
• In a single-organization scenario, a built-in claims provider trust called Active Directory defines how AD DS user credentials are processed
• Claims provider trusts can be configured by:
  • Importing the federation metadata
  • Importing a configuration file
  • Configuring the trust manually
Relying party trust

• Relying party trusts:
  • Are configured on the claims provider federation server
  • Identify the relying party
  • Configure the claim rules for the relying party
• In a single-organization scenario, a relying party trust defines the connection to an internal application
• You can configure relying party trusts by:
  • Importing the federation metadata
  • Importing a configuration file
  • Configuring the trust manually
Demonstration: Configuring claims provider and relying party trusts

In this demonstration, you will see how to:
• Configure a claims provider trust
• Configure a WIF application for AD FS
• Configure a relying party trust
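The claim rule and trust slides above describe the pipeline in the abstract; this added example (not the course’s demonstration script) builds a relying party trust for the lab’s claims-aware application in the AD FS claim rule language, showing the three rule kinds that matter for a single organization: the built-in Active Directory claims provider trust, issuance transform rules that pull attributes from the AD DS attribute store, and an issuance authorization rule that replaces the default “permit everyone” with a group check and, for the Device Registration scenario from Lesson 1, a registered-device check. The application URL https://app.adatum.com/, the group ADATUM\AppUsers and the trust name are assumptions.

```powershell
# Added example, not the deck's own code. Run on the federation server with the
# ADFS and ActiveDirectory modules available. Names below are assumptions.

$RpName = 'A. Datum Test App'
$RpId   = 'https://app.adatum.com/'      # identifier and WS-Federation endpoint (assumed)

# Claims provider trust: in a single organization the only claims provider is
# AD DS, represented by the built-in trust named "Active Directory". Its
# acceptance transform rules decide which AD DS claims enter the pipeline.
$cp = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
"Claims provider: $($cp.Name), $($cp.AcceptanceTransformRules.Length) chars of acceptance rules"

# Authorize by group SID rather than group name: SIDs survive renames and the
# default Active Directory trust already passes group SIDs through.
$groupSid = (Get-ADGroup -Identity 'AppUsers').SID.Value

# Issuance transform rules: what the application receives. The LDAP query keeps
# the token to the attributes the application actually needs.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN, e-mail and groups from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,mail,tokenGroups;{0}", param = c.Value);

@RuleName = "Transform the AppUsers group into an application role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "AppUsers"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "user");
'@

# Issuance authorization rules: who gets a token at all. Both conditions must
# hold: membership of AppUsers and a registered (workplace-joined) device.
$authzRules = @"
@RuleName = "Permit AppUsers signing in from a registered device"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 && c2:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $RpId -WSFedEndpoint $RpId `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: the stored authorization rules reference the group SID, i.e. the
# "permit everyone" rule the wizard offers did not end up on this trust.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if ($rp.IssuanceAuthorizationRules -notmatch [regex]::Escape($groupSid)) {
    throw "$RpName is not restricted to AppUsers; review its issuance authorization rules"
}
"Relying party '$($rp.Name)' created for $($rp.Identifier)"
```

Two design points worth knowing when you write your own rules: a claim produced with `issue` is added to both the output token and the input set for later rules (which is why the second transform rule can match the Group claim the first one produced), whereas `add` only extends the input set; and authorization rules run on the claims coming out of the claims provider trust, before the transform rules, so they can only test claims the Active Directory trust already passes through, such as group SIDs and device claims.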
Lab A: Implementing AD FS

• Exercise 1: Installing and configuring AD FS
• Exercise 2: Configuring an internal application for AD FS

Logon Information
Virtual machines: 20743B-LON-DC1, 20743B-LON-SVR1, 20743B-LON-SVR2, 20743B-LON-CL1
User names: Adatum\Administrator, Adatum\Beth
Password: Pa55w.rd
Estimated Time: 55 minutes
Lab Scenario

A. Datum Corporation plans to implement AD FS. In the initial deployment, the company plans to use AD FS to implement SSO for internal users who access an application on a web server. As one of the senior network administrators at A. Datum, it is your responsibility to implement this AD FS solution. As a proof of concept, you plan to deploy a sample claims-aware application and configure AD FS to enable internal users to access the application.
Lab Review

• Why is it important to configure adfs.adatum.com as the host name for the AD FS service?
• How can you test whether AD FS is functioning properly?
Lesson 4: Implementing Web Application Proxy

• What is new in Web Application Proxy?
• Configuring an application
• Web Application Proxy and AD FS proxy
• Demonstration: Installing and configuring Web Application Proxy
What is new in Web Application Proxy?

Windows Server 2016 includes several improvements to the Web Application Proxy role, including:
• Preauthentication for HTTP Basic application publishing
• Wildcard domain publishing of applications
• HTTP to HTTPS redirection
• HTTP publishing
Configuring an application

• Preauthentication types:
  • AD FS (the proxy sends the user to AD FS first and forwards only authenticated requests)
  • Pass-through (requests reach the internal application unauthenticated; the application must authenticate them itself)
• URLs:
  • External (what Internet clients connect to)
  • Internal server (where the proxy forwards requests)
• Certificates (the external URL’s name must be covered by the certificate bound on the proxy)

[Diagram: intranet application, Web Application Proxy, Internet client]
Web Application Proxy and AD FS proxy

• Web Application Proxy is an AD FS proxy
• The same service communication certificate is used on the AD FS server and on Web Application Proxy
• Split DNS allows the same name to resolve to different IP addresses inside and outside the network

Split DNS example:
• Internal DNS: adfs.adatum.com resolves to 172.16.0.21 (the AD FS server)
• External DNS: adfs.adatum.com resolves to 10.10.0.100 (the Web Application Proxy, reached from the Internet)
Demonstration: Installing and configuring Web Application Proxy

In this demonstration, you will see how to:
• Install Web Application Proxy
• Export the certificate from the AD FS server
• Import the certificate to the Web Application Proxy server
• Configure Web Application Proxy
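The demonstration steps as a script for the proxy server, written as an added example rather than the course’s demonstration, with the split-DNS check that the previous slide implies and a guard against publishing an application pass-through by accident. It assumes the federation service adfs.adatum.com, a PFX exported from the AD FS server to C:\adfs.pfx whose certificate also covers the application name app.adatum.com (a SAN or wildcard certificate, so the Lab B certificate error does not recur), and the relying party trust named “A. Datum Test App”; all are assumptions.

```powershell
# Added example, not from the deck. Run elevated on the Web Application Proxy
# server in the perimeter network after the AD FS farm exists. Names are assumed.

$FsName = 'adfs.adatum.com'
$AppUrl = 'https://app.adatum.com/'        # external and back-end URL of the published app (assumed)

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Import the certificate exported on the AD FS server with
#   Export-PfxCertificate -Cert Cert:\LocalMachine\My\<thumbprint> -FilePath C:\adfs.pfx -Password $pfxPwd
# The PFX password is prompted for rather than stored in the script.
$pfxPwd = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\adfs.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd

# The certificate must cover both names the proxy will present.
foreach ($name in @($FsName, ([uri]$AppUrl).Host)) {
    if ($cert.DnsNameList.Unicode -notcontains $name -and
        $cert.DnsNameList.Unicode -notcontains ('*.' + $name.Split('.', 2)[1])) {
        throw "Certificate does not cover $name; clients will get a certificate error"
    }
}

# Split DNS check: this perimeter host must resolve the federation service name
# to the INTERNAL federation server, while Internet clients resolve it to the
# proxy. If it resolved to this machine, the proxy would forward to itself.
$resolved = (Resolve-DnsName -Name $FsName -Type A).IPAddress
$own      = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if ($resolved | Where-Object { $own -contains $_ }) {
    throw "$FsName resolves to this proxy; point perimeter DNS (or the hosts file) at the internal AD FS server"
}

# Establish the proxy trust. The credential is an AD FS administrator used once
# to create the trust; the proxy then authenticates with its own certificate.
Install-WebApplicationProxy -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator')

# Publish the claims-aware application with AD FS preauthentication, so an
# unauthenticated Internet request is answered by AD FS and never reaches the
# internal web server.
Add-WebApplicationProxyApplication -Name 'A. Datum Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl $AppUrl -BackendServerUrl $AppUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Check: warn about anything published pass-through, which shifts all
# authentication onto the back-end application.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -ne 'ADFS' } |
    ForEach-Object { Write-Warning "$($_.Name) is published pass-through" }
```

On the Lab B review question: a client such as LON-CL3 that does not trust the A. Datum CA, or that is presented a certificate whose names do not include the external URL it typed, will show a certificate error even though the proxy and AD FS are configured correctly; the fix is to issue the proxy a certificate from a CA the client trusts that lists every published host name.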
Lab B: Implementing Web Application Proxy

• Exercise 1: Implementing Web Application Proxy

Logon Information
Virtual machines: 20743B-LON-DC1, 20743B-LON-SVR1, 20743B-LON-SVR2, 20743B-LON-SVR3, 20743B-LON-CL1, 20743B-LON-CL3
User names: Adatum\Administrator, Admin
Password: Pa55w.rd
Estimated Time: 20 minutes
Lab Scenario

A. Datum plans to implement AD FS. You have successfully implemented AD FS to support an internal application. Now you must deploy and configure the Web Application Proxy to support remote clients.
Lab Review

• In the lab, you received a certificate error when connecting from LON-CL3 to the A. Datum Test App. Why did this error occur, and what can you do to avoid it?
Lesson 5: Implementing SSO with Microsoft online services

• AD FS and SSO with online services
• Configuring SSO for integration with Microsoft online services
AD FS and SSO with online services
Configuring SSO for integration with Microsoft online services

To configure SSO for integration with online services, you must:
1. Prepare for single sign-on
2. Set up your on-premises AD FS
3. Set up directory synchronization
4. Verify single sign-on
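The four steps above, carried through as an added example (not the course’s own procedure) with the MSOnline module cmdlets that were current for this course; Microsoft has since deprecated that module in favor of Microsoft Graph, so take the script as the shape of the procedure. It assumes the verified custom domain adatum.com, the on-premises federation service adfs.adatum.com, and that directory synchronization (Azure AD Connect) is configured separately; all of these are assumptions.

```powershell
# Added example, not from the deck. Run as a Global Administrator on a machine
# with the MSOnline module and remote access to the federation server.

$Domain = 'adatum.com'          # verified custom domain (assumed)
$FsName = 'adfs.adatum.com'     # on-premises federation service (assumed)

Import-Module MSOnline
Connect-MsolService                         # 1. Prepare: authenticate to the tenant
Set-MsolADFSContext -Computer $FsName       # 2. Point the federation cmdlets at our AD FS

# Guard: converting the domain makes the online service trust whatever
# adfs.adatum.com signs, so confirm it is up and serving metadata first.
$metaUrl = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
if ((Invoke-WebRequest -UseBasicParsing -Uri $metaUrl).StatusCode -ne 200) {
    throw 'AD FS metadata is not reachable; do not convert the domain yet'
}

# Switch the domain from managed (cloud passwords) to federated. This also adds
# the Microsoft Office 365 Identity Platform relying party trust on AD FS.
Convert-MsolDomainToFederated -DomainName $Domain

# 3. Directory synchronization is set up separately; it must run so that cloud
#    users carry the on-premises ImmutableId that the issued tokens assert.

# 4. Verify: the cloud-side federation settings must point at our passive
#    endpoint and carry the token-signing certificate that is primary on the farm.
$fed      = Get-MsolDomainFederationSettings -DomainName $Domain
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$cloudCrt = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
               [Convert]::FromBase64String($fed.SigningCertificate))
if ($cloudCrt.Thumbprint -ne $signing.Thumbprint) {
    throw 'Cloud signing certificate differs from the AD FS primary token-signing certificate; run Update-MsolFederatedDomain'
}
if (([uri]$fed.PassiveLogOnUri).Host -ne $FsName) {
    throw "Passive logon URI points at $($fed.PassiveLogOnUri), not $FsName"
}
"Domain $Domain is federated through $($fed.PassiveLogOnUri)"
```

The certificate comparison is the check worth automating: AD FS rolls its token-signing certificate automatically, and until the new certificate is pushed to the tenant (Update-MsolFederatedDomain), sign-ins to the online services fail with a signature error while the on-premises application from Lab A keeps working.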
Module Review and Takeaways

• Review Questions
