Lab Answer Key - Module 8 - Implementing and Administering AD FS PDF

Lab Answer Key: Module 8: Implementing and
Administering AD FS
Lab A: Implementing AD FS
Exercise 1: Installing and Configuring AD FS
Task 1: Create a DNS record for AD FS
1. On LONDC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LONDC1, expand Forward Lookup Zones, and then
click Adatum.com.
3. Rightclick Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.10, and then click Add Host.
6. In the DNS window, click OK.
7. Click Done, and then close the DNS Manager.
Task 2: Create a service account
1. On LONDC1, open a Windows PowerShell® prompt.
2. At the Windows PowerShell prompt, type NewADUser –Name adfsService, and then
press Enter.
3. Type SetADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type EnableADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.
Task 3: Install AD FS
1. On LONDC1, in the Server Manager, click Manage, and then click Add Roles and
Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Rolebased or featurebased installation,
and then click Next.
4. On the Select destination server page, click Select a server from the server pool,
click LON DC1.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check
box, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.
Task 4: Configure AD FS
1. On LONDC1, in the Server Manager, click the Notifications icon, and then click
Configure the federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome
page, click Create the first federation server in a federation server farm, and then
click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then
click Next.
6. On the Specify Service Account page, click Use an existing domain user account or
group Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server
using Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Prerequisite Checks page, click Configure.
12. On the Results page, click Close.
Note: The adfs.adatum.com certificate was preconfigured for this task. In your
own environment, you need to obtain this certificate.
Task 5: Verify AD FS functionality
1. On LONCL1, sign in as Adatum\Brad with the password Pa$$w0rd.
2. On the taskbar, click Internet Explorer.
3. In Internet Explorer®, in the address bar, type
https://adfs.adatum.com/federationmetadata/200706/federationmetadata.xml, and
then press Enter.
4. Verify that the file loads, and then close Internet Explorer.
Results: In this exercise, you installed and configured AD FS. You also verified that it is
functioning by viewing the FederationMetaData.xml file contents.
Exercise 2: Configuring an Internal Application for AD FS
Task 1: Configure a certificate for the application
1. On LONSVR1, in Server Manager, click Tools and click Internet Information
Services (IIS) Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select
the Do not show this message check box, and then click No.
3. In IIS Manager, click LONSVR1 (ADATUM\Administrator), and then doubleclick
Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the
following information, and then click Next:
• Common name: lonsvr1.adatum.com
• Organization: A. Datum
• Organizational unit: IT
• City/locality: London
• State/Province: England
• Country/region: GB
6. On the Online Certification Authority page, click Select.
7. In the Select Certification Authority window, click AdatumCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type
AdatumTestApp Certificate, and then click Finish.
9. In IIS Manager, expand LONSVR1 (ADATUM\Administrator), expand Sites, click
Default Web Site, and then in the Actions Pane, click Bindings.
10. In the Site Bindings window, click Add.
11. In the Add Site Binding window, in the Type box, select https.
12. In the SSL certificate box, select AdatumTestApp Certificate, and then click OK.
13. In the Site Bindings window, click Close.
14. Close IIS Manager.
Task 2: Configure the Active Directory claimsprovider trust
1. On LONDC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims
Provider Trusts.
3. In the middle pane, rightclick Active Directory, and then click Edit Claim Rules.
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform
Rules tab, click Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the
Claim rule template box, select Send LDAP Attributes as Claims, and then click
Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP
Attributes Rule.
7. In the Attribute Store dropdown list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the
following values for the LDAP Attribute and the Outgoing Claim Type, and then click
Finish:
• EMailAddresses: EMail Address
• UserPrincipalName: UPN
• DisplayName: Name
9. In the Edit Claim Rules for Active Directory window, click OK.
Task 3: Configure the application to trust incoming claims
1. On LONSVR1, in the Server Manager, click Tools, and then click Windows Identity
Foundation Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application
configuration location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config
for the location of the sample web.config file.
3. In the Application URI box, type https://lonsvr1.adatum.com/AdatumTestApp/ to
indicate the path to the sample application that will trust the incoming claims from the
federation server, and then click Next to continue.
4. On the Security Token Service page, click Use an existing STS, in the STS WS
Federation metadata document location box, type
https://adfs.adatum.com/federationmetadata/200706/federationmetadata.xml, and
then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate
chain validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7.
On the Offered claims page, review the claims that the federation server will offer, and
then click Next.
8. On the Summary page, review the changes that will be made to the sample application
by the Federation Utility Wizard, scroll through the items to understand what each item
is doing, and then click Finish.
9. In the Success window, click OK.
Task 4: Configure a relyingparty trust for the claimsaware application
1. On LONDC1, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published
online or on a local network.
5. In the Federation Metadata address (host name or URL) box, type https://lon
svr1.adatum.com/adatumtestapp/, and then click Next. This downloads the metadata
configured in the previous task.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test
App, and then click Next.
7. On the Configure Multifactor Authentication Now page, click I do not want to
configure multifactor authentication settings for this relying party trust at this
time, and then click Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access
this relying party, and then click Next.
9. On the Ready to Add Trust page, review the relyingparty trust settings, and then click
Next.
10. On the Finish page, click Close.
11. Leave the Edit Claims Rules for A. Datum Test App window open for the next task.
Task 5: Configure claim rules for the relyingparty trust
1. On LONDC1, in the AD FS management console, in the Edit Claim Rules for A.
Datum Test App window, on the Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim,
3. In the Claim rule name box, type Pass through Windows account name.
4. In the Incoming claim type dropdown list, click Windows account name, and then
click Finish.
5. On the Issuance Transform Rules tab, click Add Rule.
7. In the Claim rule name box, type Pass through EMail Address.
8. In the Incoming claim type dropdown list, click EMail Address, and then click
Finish.
11. In the Claim rule name box, type Pass through UPN.
12. In the Incoming claim type dropdown list, click UPN, and then click Finish.
15. In the Claim rule name box, type Pass through Name.
16. In the Incoming claim type dropdown list, click Name, and then click Finish.
17. On the Issuance Transform Rules tab, click OK.
Task 6: Test access to the claimsaware application
1. On LONCL1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon
svr1.adatum.com/AdatumTestApp/, and then press Enter.
Note: It is critical to use the trailing slash in the URL for step 2.
3. In the Windows Security window, sign in as Adatum\Brad with the password
Pa$$w0rd.
4. Review the claim information that the application displays.
5. Close Internet Explorer.
Task 7: Configure Internet Explorer to pass local credentials to the application
automatically
1. On LONCL1, on the Start screen, type Internet Options, and then click Internet
Options.
2. In the Internet Properties window, on the Security tab, click Local intranet, and then
click Sites.
3. In the Local intranet window, click Advanced.
4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.
5. In the Add this website to the zone box, type https://lonsvr1.adatum.com, click Add,
and then click Close.
6. In the Local intranet window, click OK.
7. In the Internet Properties window, click OK.
8. On LONCL1, open Internet Explorer.
svr1.adatum.com/AdatumTestApp/, and then press Enter.
Note: It is critical to use the trailing slash in the URL for step 9.
10. Notice that you were not prompted for credentials.
11. Review the claim information that the application displays.
Results: After completing this exercise, you will have configured AD FS to support
authentication for an application.
Lab B: Implementing AD FS for External Partners and
Users
Exercise 1: Configuring AD FS for a Federated Business Partner
Task 1: Configure DNS forwarding between TreyResearch.net and Adatum.com
1. On LONDC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LONDC1, and then click Conditional Forwarders.
3. Rightclick Conditional Forwarders, and then click New Conditional Forwarder.
4. In the New Conditional Forwarder window, in the DNS Domain box, type
TreyResearch.net.
5. In the IP addresses of the master servers box, type 172.16.10.10, and then press Enter.
6. Select the Store this conditional forwarder in Active Directory, and replicate it as
follows check box, select All DNS servers in this forest, and then click OK.
7. Close the DNS Manager.
8. On TREYDC1, in the Server Manager, click Tools, and then click DNS.
9. In the DNS Manager, expand TREYDC1, and then click Conditional Forwarders.
10. Rightclick Conditional Forwarders, and then click New Conditional Forwarder.
11. In the New Conditional Forwarder window, in the DNS Domain box, type
Adatum.com.
12. In the IP addresses of the master servers box, type 172.16.0.10, and then press Enter.
13. Select the Store this conditional forwarder in Active Directory, and replicate it as
follows check box, select All DNS servers in this forest, and then click OK.
Note: In a production environment, it is likely that you would use Internet DNS
instead of conditional forwarders.
Task 2: Configure certificate trusts between TreyResearch.net and Adatum.com
1. On LONDC1, open File Explorer, browse to \\TREYDC1\CertEnroll, and then copy
TREY DC1.TreyResearch.net_TreyResearchCA.crt to C:\.
2. Close File Explorer.
3. In the Server Manager, click Tools, and then click Group Policy Management.
4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, rightclick Default Domain Policy, and then click Edit.
5. In Group Policy Management Editor, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Public Key Policies, and
then click Trusted Root Certification Authorities.
6. Rightclick Trusted Root Certification Authorities, and then click Import.
7. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard
page, click Next.
8. On the File to Import page, type C:\TREY
DC1.TreyResearch.net_TreyResearchCA.crt, and then click Next.
9. On the Certificate Store page, click Place all certificates in the following store, select
Trusted Root Certification Authorities, and then click Next.
10. On the Completing the Certificate Import Wizard page, click Finish, and then click
OK to close the success message.
11. Close the Group Policy Management Editor.
12. Close Group Policy Management.
13. On TREYDC1, open File Explorer, and then browse to \\LONDC1\CertEnroll.
14. Rightclick LONDC1.Adatum.com_AdatumCA.crt, and then click Install
Certificate.
15. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard
page, click Local Machine, and then click Next.
16. On the Certificate Store page, click Place all certificates in the following store, and
then click Browse.
17. In the Select Certificate Store window, click Trusted Root Certification Authorities,
and then click OK.
18. On the Certificate Store page, click Next.
20. Close File Explorer.
21. On LONSVR1, on the taskbar, click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close Windows PowerShell.
24. On LONSVR2, on the taskbar, click Windows PowerShell.
25. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
26. Close Windows PowerShell.
Note: If you obtain certificates from a trusted certification authority, you do not
need to configure a certificate trust between the organizations.
Task 3: Create a DNS record for AD FS in TreyResearch.net
1. On TREYDC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand TREYDC1, expand Forward Lookup Zones, and then click
TreyResearch.net.
3. Rightclick TreyResearch.net, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.10.10, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
Task 4: Create a certificate for AD FS
1. On TREYDC1, in Server Manager, click Tools and click Internet Information
Services (IIS) Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select
the Do not show this message check box, and then click No.
3. In IIS Manager, click TREYDC1 (TREYRESEARCH\Administrator), and then
doubleclick Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the
following, and then click Next:
• Common name: adfs.TreyResearch.net
• Organization: Trey Research
• Organizational unit: IT
• City/locality: London
• State/Province: England
• Country/region: GB
6. On the Online Certification Authority page, click Select.
7. In the Select Certification Authority window, click TreyResearchCA, and then click
OK.
8. On the Online Certification Authority page, in the Friendly name box, type
adfs.TreyResearch.net, and then click Finish.
9. Close IIS Manager.
Task 5: Create a service account
1. On TREYDC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, type NewADUser –Name adfsService, and then
press Enter.
3. Type SetADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type EnableADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.
Task 6: Install AD FS for TreyResearch.net
1. On TREYDC1, in the Server Manager, click Manage, and then click Add Roles and
Features.
3. On the Select Installation type page, click Rolebased or featurebased installation,
4. On the Select destination server page, click Select a server from the server pool,
click TREY DC1.TreyResearch.net, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check
box, and then click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
9. When the installation is complete, click Close.
Task 7: Configure AD FS for TreyResearch.net
1. On TREYDC1, in the Server Manager, click the Notifications icon, and then click
Configure the federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome
page, click Create the first federation server in a federation server farm, and then
click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
TREYRESEARCH\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.TreyResearch.net.
5. In the Federation Service Display Name box, type Trey Research, and then click
Next.
6. On the Specify Service Account page, click Use an existing domain user account or
group Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server
using Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Prerequisite Checks page, click Configure.
Task 8: Add a claimsprovider trust for the TreyResearch.net AD FS server
1. On LONDC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims
Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. In the Add Claims Provider Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the claims provider
published online or on a local network.
6. In the Federation metadata address (host name or URL) box, type
https://adfs.treyresearch.net, and then click Next.
7. On the Specify Display Name page, in the Display name box, type Trey Research, and
then click Next.
8. On the Ready to Add Trust page, review the claimsprovider trust settings, and then
click Next to save the configuration.
9. On the Finish page, select the Open the Edit Claim Rules dialog for this claims
provider trust when the wizard closes check box, and then click Close.
10. In the Edit Claim Rules for Trey Research window, on the Acceptance Transform
Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
12. On the Configure Rule page, in the Claim rule name box, type Pass through
Windows account name.
13. In the Incoming claim type dropdown list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. In the popup window, click Yes to acknowledge the warning.
16. In the Edit Claim Rules for Trey Research window, click OK, and then close the AD FS
management console.
Task 9: Configure a relying party trust in TreyResearch.net for the Adatum.com
application
1. On TREYDC1, in the Server Manager, click Tools, and then click AD FS
Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying
Party Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the relying party published
online or on a local network.
6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and
then click Next.
7. On the Specify Display Name page, in the Display name text box, type A. Datum
Corporation, and then click Next.
8. On the Configure MultiFactor Authentication Now page, click I do not want to
configure multifactor authentication settings for this relying party trust at this
time, and then click Next.
9. On the Choose Issuance Authorization Rules page, select Permit all users to access
this relying party, and then click Next.
10. On the Ready to Add Trust page, review the relyingparty trust settings, and then click
Next to save the configuration.
11. On the Finish page, select the Open the Edit Claim Rules dialog box for the relying
party trust when the wizard closes check box, and then click Close.
12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform
Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
14. On the Configure Rule page, in the Claim rule name box, type Pass through
Windows account name.
15. In the Incoming claim type dropdown list, select Windows account name.
16. Click Pass through all claim values, click Finish, and then click OK.
17. Close the AD FS management console.
Task 10: Test access to the application
1. On TREYDC1, open Internet Explorer.
svr1.adatum.com/adatumtestapp/, and then press Enter.
3. On the A. Datum Corporation page, click Trey Research.
4. In the Windows Security dialog box, sign in as TreyResearch\April with the password
Pa$$w0rd.
5. After the application loads, close Internet Explorer.
6. Open Internet Explorer.
Pa$$w0rd.
Note: You are not prompted for a home realm on the second access. Once users
have selected a home realm and have been authenticated by a realm authority,
they are issued a _LSRealm cookie by the relyingparty’s federation server. The
default lifetime for the cookie is 30 days. Therefore, to sign in multiple times,
you should delete that cookie after each logon attempt to return to a clean state.
Task 11: Configure issuance authorization rules
1. On TREYDC1, in the Server Manager, click Tools, and then click AD FS
Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying
Party Trusts.
3. Rightclick A. Datum Corporation, and then click Edit Claim Rules.
4. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance
Authorization Rules tab, click Permit Access to All Users, and then click Remove
Rule.
5. Click Yes to confirm deleting the claim rule.
6. Click Add Rule.
7. In the Add Issuance Authorization Claim Rules Wizard, on the Select Rule Template
page, in the Claim rule template box, select Permit or Deny Users Based on an
Incoming Claim, and then click Next.
8. On the Configure Rule page, in the Claim rule name box, type Allow Production
Members.
9. In the Incoming claim type box, select Group.
10. In the Incoming claim value box, type TreyResearchProduction.
11. Click Permit access to users with the incoming claim, and then click Finish.
12. In the Edit Claim Rules for A. Datum Corporation window, click OK.
13. In the AD FS management console, click Claims Provider Trusts, rightclick Active
Directory, and then click Edit Claim Rules.
14. In the Edit Claim Rules for Active Directory window, click Add Rule.
Claim rule template box, select Send Group Membership as a Claim, and then click
Next.
16. On the Configure Rule page, in the Claim rule name box, type Production Group
Claim.
17. To set the User’s group, click Browse, type Production, and then click OK.
18. In the Outgoing claim type box, select Group.
19. In the Outgoing claim value box, type TreyResearchProduction, and then click
Finish.
20. In the Edit Claim Rules for Active Directory window, click OK.
21. Close the AD FS management console.
Task 12: Test the application of issuance authorization rules
1. On TREYDC1, open Internet Explorer.
Pa$$w0rd.
4. Verify that you cannot access the application because April is not a member of the
production group.
8. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password
Pa$$w0rd.
9. Verify that you can access the application because Ben is a member of the production
group.
Results: After completing this exercise, you will have configured access for a claims
aware application in a partner organization.
Exercise 2: Configuring Web Application Proxy
Task 1: Install Web Application Proxy
1. On LONSVR2, in the Server Manager, click Manage, and then click Add Roles and
Features.
3. On the Select installation type page, click Rolebased or featurebased installation,
4. On the Select destination server page, click LONSVR2.Adatum.com, and then click
Next.
5. On the Select server roles page, expand Remote Access, select the Web Application
Proxy check box, and then click Next.
8. On the Installation progress page, click Close.
Task 2: Add the adfs.adatum.com certificate to LONSVR2
1. On LONDC1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap
in.
3. In the Add or Remove Snapins window, in the Available snapins column, doubleclick
Certificates.
4. In the Certificates snapin window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
6. In the Add or remove Snapins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand
Personal, and then click Certificates.
8. Rightclick adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click
Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click
Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click
16. Close the Microsoft Management Console and do not save the changes.
17. On LONSVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snapin.
Certificates.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and
then click Personal.
24. Rightclick Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LONDC1\c$\adfs.pfx, and
then click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
OK to clear the success message.
Task 3: Add the LONSVR1.adatum.com certificate to LONSVR2
Certificates.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand
Personal, and then click Certificates.
8. Rightclick lonsvr1.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click
Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\lonsvr1.pfx, and then click
Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click
Certificates.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and
then click Personal.
24. Rightclick Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LONSVR1\c$\lonsvr1.pfx,
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
OK to clear the success message.
Task 4: Configure Web Application Proxy
1. In the Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:
• Federation service name: adfs.adatum.com
• User name: Adatum\Administrator
• Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD
FS proxy box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
7. The Remote Access Management Console opens automatically. Leave it open for the
next task.
Task 5: Configure the test application in Web Application Proxy
1. On LONSVR2, in the Remote Access Management Console, click Web Application
Proxy.
2. In the Tasks pane, click Publish.
3. In the Publish New Application Wizard, on the Welcome page, click Next.
4. On the Preauthentication page, click Active Directory Federation Services (AD FS),
5. On the Relying Party page, click A. Datum Test App and click Next.
6. On the Publishing Settings page, in the Name box, type A. Datum Test App.
7. In the External URL box, type https://lonsvr1.adatum.com/adatumtestapp/.
8. In the External certificate box, select lonsvr1.adatum.com.
9.
In the Backend server URL box, type https://lonsvr1.adatum.com/adatumtestapp/,
10. On the Confirmation page, click Publish.
Task 6: Test Web Application Proxy
1. On TREYDC1, on Start screen, type Notepad.
2. Rightclick Notepad, and then click Run as administrator.
3. In Notepad, click File, and then click Open.
4. In the File name box, type C:\Windows\System32\Drivers\etc\hosts, and then click
Open.
5. At the bottom of the file, add the following two lines, click File, and then click Save:
• 172.16.0.22 adfs.adatum.com
• 172.16.0.22 lonsvr1.adatum.com
6. Close Notepad.
9. In the Windows Security dialog box, sign in as TreyResearch\Ben with password
Pa$$w0rd.
10. After the application loads, close Internet Explorer.
Note: You edit the hosts to force TREYDC1 to access the application through
Web Application Proxy. In a production environment, you would do this by
using split DNS.
Task 7: To prepare for the next module
1. When you finish the lab, revert the virtual machines to their initial state. To do this,
perform the following steps:
2. On the host computer, start the HyperV Manager.
3. In the Virtual Machines list, rightclick 20412DLONDC1, and then click Revert.
4. In the Revert Virtual Machine dialog box, click Revert.
5. Repeat steps 2 and 3 to revert 20412DLONSVR1, 20412DLONSVR2, 20412D
LONCL1, and 20412DTREYDC1.
Results: After completing this exercise, you will have configured Web Application Proxy
to secure access to AdatumTestApp from the Internet.

Lab Answer Key - Module 8 - Implementing and Administering AD FS PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Lab Answer Key - Module 8 - Implementing and Administering AD FS PDF

Transféré par

Droits d'auteur :

Formats disponibles

Lab Answer Key: Module 8: Implementing and

Vous aimerez peut-être aussi