
Identity Management in Windows Server 2003 R2: Active Directory Federation Services

OLAV TVEDT
EMENTOR
What Will We Cover?
• Identity Management
• New and improved features in R2
• What Active Directory® Federation
Services (ADFS) is, and what it does
• How ADFS works
Helpful Experience
• Knowledge of Active Directory
• Understanding of Certificates
• Authentication and authorization methods
• IIS and Web application principles

Level 300
Agenda
• Identity Management
• Active Directory Application Mode (ADAM)
• UNIX Identity Management
• Active Directory Federation Services (ADFS)
Identity Management Vision
Past: Application Silos, ID for Each System, Internally Focused, Limit to Biz Value
Present: Custom Integration, Identity Integration, Internal & External, High cost to value
Future: Connected Systems, Identity Federation, Built to Extend, Low cost to value

Identity Management in
Windows Server 2003 R2
• Contains improvements, additions, and
new features
Active Directory Application Mode (ADAM)
UNIX Identity Management
Active Directory Federation Services (ADFS)
• Key new feature
Agenda
• Identity Management
• ADAM
• UNIX Identity Management
• ADFS
What is ADAM?
• A mode of Active Directory
• Lightweight, domain-independent
• Intended for application directory
scenarios
ADAM Improvements
• Active Directory to ADAM
Synchronizer tool
• Active Directory Schema Analyzer tool
• Newer version of LDP tool
• User Password Chaining
Agenda
• Identity Management
• ADAM
• UNIX Identity Management
• ADFS
UNIX Identity Management
Challenges of Interoperation
(diagram: UNIX servers and UNIX workstations alongside Windows servers and Windows workstations, each platform managed separately)
UNIX Identity Management
Objective of Interoperation
• Goal: Efficient cross-platform user
management
Consolidate administration and monitoring across
platforms
Manage Windows and UNIX-based systems with
the same tools
Server for NIS
• Makes a Windows Server 2003 Active Directory into an NIS master server
(two diagrams of UNIX NIS servers and Windows servers serving NIS clients: first with a UNIX master and subordinate servers, then with the Windows server as master and the UNIX servers as subordinates)
UNIX Password Synchronization
• Pull NIS schema into Active Directory
• Bidirectional Password Sync, user name
mapping
• Supported on several common platforms
• Mapping Server
Map Windows® User and Group Accounts to UNIX
• Tested on Sun Solaris 8 & 9, HP-UX 11i, IBM AIX 5L 5.2 and Red Hat 9.0, but should work on all LDAP-based versions
Agenda
• Identity Management
• ADAM
• UNIX Identity Management
• ADFS
Federated Identity Management
• Federation: trust-based relationships
across organizations
• Benefits:
Accelerates creation of relationships
Standardization for integration with partners
Security
What is ADFS?
• Active Directory-based ID federation
Simplified, secure sharing of digital identities
across security boundaries
Web single sign-on
Interoperability via Web Services (WS-*)
ADFS: Standards-based Solution
(diagram: now, HTTP messages carry the security token to an HTTP receiver; in future, SOAP messages carry it to a SOAP receiver service. WS-Federation links AD users and .NET apps through Active Directory Federation Services to Java, Unix and Linux users and apps via IBM, PingID, BMC, Oracle, CA, Quest, RSA, Centrify and others)
ADFS Architecture
(diagram: Windows authentication methods reach the Federation Service (FS) over LPC/Web; the FS queries AD or ADAM over LDAP; the Federation Service Proxy (FS-P) and the SSO Agent in front of the application talk to the FS over HTTPS)
ADFS Requirements
• Federation Service, Federation Service Proxy,
and ADFS Web Service Agent must have:
Internet Information Server (IIS) 6.0
ASP.NET
Microsoft .NET Framework 2.0
Transport Layer Security and Secure Sockets Layer
(TLS/SSL)
X.509 certificate (Federation Service only)
ADFS Requirements (continued)
• ADFS requires Active Directory or ADAM
Domain controllers must be
• Windows Server 2003 Service Pack 1 (SP1)
• Windows Server 2003 R2
• Windows 2000 with Service Pack 4 (SP4)
ADFS: How it works
(diagram: A. Datum is the account forest with Active Directory, an internal client and an account federation server; Trey Research is the resource forest with a resource federation server and a web server; the two forests are linked by a federation trust)
Certificates
• Certificates used by the Federation Service
Token Signing Certificates
Verification Certificates
• Certificates used by the Federation Proxy Service
SSL Client Authentication Certificate
ADFS Authentication Methods
• Windows Integrated (intranet): recommended
Uses the session generated when logging onto a Windows machine
• Client Certificate
Web browser receives a request to present a client certificate and the user may choose which certificate to present
• Forms-based
Presents a customizable web page to the user requesting credentials
• Basic
Web browser presents the standard username/password dialog
Claims-aware Federation Process
• Configure environments
• Create claims
• Create claim transforms
• Establish trust
• Enable the claims for the application
See the ADFS Reference on TechNet: http://go.microsoft.com/fwlink/?LinkId=54635
ADFS-enabled Applications
• Implements the ADFS API or an API that
consumes claims
• ASP.NET 2.0 application
Application Authorization Using Claims
• Claims are statements made about users
Used for authorization purposes in an application
• Three types of claims
Identity: Email, User Principal Name (UPN), Common Name
Group
Custom
Understanding Transforms
• Transforms are instructions that map
claims between partners
• Used by the resource partner to make
authorization decisions
Establishing Trust
• Assumes proper partner relationship agreements
• Carefully consider security ramifications
Method for transfer of certificates between organizations

• Mechanics:
Account partner must transfer token signing certificate to resource
Resource uses ADFS snap-in to establish trust and enable account
partner
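The claim types, transforms and trust mechanics of the last three slides, as an added Python example (not ADFS code and not the presenter's): A. Datum is the account partner, Trey Research the resource partner, and an HMAC over the serialised claims stands in for the X.509 token-signing signature a real Federation Service uses; the keys, claim values, transform table and ACL are constructed.

```python
import hashlib
import hmac
import json

# Constructed keys: the HMAC key stands in for the account partner's token-signing
# certificate; the resource partner received its copy when the trust was established.
ADATUM_SIGNING_KEY = b"adatum-token-signing-key-constructed"
TREY_VERIFICATION_KEY = ADATUM_SIGNING_KEY

# Claim transforms held by the resource partner: incoming group claims from
# A. Datum are mapped to the group names Trey Research's application understands.
GROUP_TRANSFORMS = {"Purchasers": "ADatumPurchasers", "Managers": "ADatumManagers"}

# Constructed application ACL: which transformed group claims may reach each URL.
APP_ACL = {"/orders": {"ADatumPurchasers"}, "/reports": {"ADatumManagers"}}


def issue_token(claims, key=ADATUM_SIGNING_KEY):
    """Account federation server: serialise the identity/group/custom claims
    and sign them so the resource partner can detect tampering."""
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "signature": sig}


def verify_token(token, key=TREY_VERIFICATION_KEY):
    """Resource federation server: accept the claims only if the signature
    checks out against the verification key received from the account partner."""
    expected = hmac.new(key, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return None
    return json.loads(token["claims"])


def transform_claims(claims):
    """Apply the resource partner's transforms; unmapped groups are dropped."""
    out = dict(claims)
    out["group"] = [GROUP_TRANSFORMS[g] for g in claims.get("group", []) if g in GROUP_TRANSFORMS]
    return out


def authorize(token, url):
    """Claims-aware application: verify, transform, then check the ACL."""
    claims = verify_token(token)
    if claims is None:
        return False
    return bool(APP_ACL.get(url, set()) & set(transform_claims(claims)["group"]))
```

A token whose claims were altered after signing, or one signed by a partner whose certificate was never transferred, fails verification and is denied before any transform runs.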
Demo
Session Summary
• Windows Server 2003 R2 delivers important
functionality toward the Microsoft vision for
Identity Management
• ADFS is a key, new component
• ADFS is standards-based (WS-*), integrates
with third party federation solutions
