AD FS Configuration

Servers in an AD FS relationship must rely on certificates to create a chain of trust between each other and to ensure that all traffic transported over the trust relationships is encrypted at all times. The best way to ensure that this chain of trust is valid and is trusted in all locations is either to obtain certificates from a trusted third-party CA or obtain them through the creation of a linked AD CS implementation that uses a third-party CA as its root.

This is only one aspect of the AD FS configuration that must be completed. When you deploy AD FS, you will want to configure your AD FS–aware applications, configure trust policies between partner organizations, and configure claims for your users and groups. Then, you can generally begin to run and manage AD FS.

In this practice, you will finalize the AD FS installation you performed in the previous lessons. You will need to rely on the same computers you used in that practice.

Begin by configuring the IIS server on each of the federation servers and then map certificates from one server to the other and configure the Web server. You can also create and configure the Web application that will be claims-aware.

Then configure the federation servers for each partner organization. You finish the AD FS configuration by creating the federation trust.

Click Internet Information Services (IIS) Manager. Expand the Web server node. Select Default Web Site. Double-click SSL Settings.

On the SSL Settings page, select the Require SSL check box. In a production environment, you can also require 128-bit SSL, which is more secure than the default setting but requires additional processing overhead. For the purposes of this practice, the default setting is sufficient. Under Client Certificates, select Accept, and then click Apply in the Actions pane. Repeat this process on all federation servers and federation server proxies.
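The same SSL Settings can be applied from an elevated PowerShell prompt rather than through IIS Manager, which is useful when the change must be repeated on every federation server and proxy. The script below is an added example and is not part of the course; it assumes the WebAdministration module (IIS 7 or later) and a site named Default Web Site. The sslFlags attribute is the setting behind the SSL Settings page: Ssl is Require SSL, Ssl128 is the optional 128-bit requirement, and SslNegotiateCert is Client Certificates: Accept. The script reads the value back afterwards and fails if Require SSL did not take effect, because a site without that flag still answers plain HTTP.

```powershell
# Added example (not from the course): apply the SSL Settings with PowerShell
# instead of the IIS Manager GUI. Assumes the WebAdministration module and a site
# named "Default Web Site"; run elevated on each federation server and proxy.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # change if your AD FS site has a different name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$Filter   = 'system.webServer/security/access'

# sslFlags is a comma-separated set of:
#   Ssl              = Require SSL
#   Ssl128           = Require 128-bit SSL (more CPU; the practice keeps the default)
#   SslNegotiateCert = Client Certificates: Accept
#   SslRequireCert   = Client Certificates: Require
$Flags = 'Ssl,SslNegotiateCert'
# For production, use this instead to also require 128-bit SSL:
# $Flags = 'Ssl,Ssl128,SslNegotiateCert'

Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter $Filter -Name 'sslFlags' -Value $Flags

# Verify: read the effective setting back and stop if "Ssl" (Require SSL) is absent.
$Current = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $Filter |
    Select-Object -ExpandProperty sslFlags
if ("$Current" -notmatch '\bSsl\b') {
    throw "Require SSL is not set on '$SiteName' (sslFlags = '$Current')"
}
Write-Host "sslFlags on '$SiteName' = $Current"
```

Run it once per server; because the value is set rather than appended, running it twice is harmless. If you choose Require instead of Accept for client certificates, swap SslNegotiateCert for SslRequireCert, but note that browsers without a client certificate will then be refused at the site level.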

Exporting Certificates

One of the most important factors in setting up federation partnerships is the integration of the certificates from each server, so that each server is linked with the ones with which it needs to communicate. To do so, you need to perform several tasks:

Click Active Directory Federation Services. Right-click Federation Services. Select Properties. Select View. Select the Details tab. Select Copy to File. Click Next. Select No, do not export the private key, and click Next. Select DER encoded binary X.509 (.CER) and click Next. Access the shared folder you set up previously. Type in a descriptive file name and click Save. Click Next. Click Finish. When the message "The export was successful" appears, click OK. Click OK.

Export SSL Server and Client Certificates

Click Internet Information Services (IIS) Manager. Double-click Server Certificates. Double-click the root certificate. Select the Details tab. Click Copy to File. Click Next. Select No, do not export the private key, and click Next. Select DER encoded binary X.509 (.CER) and click Next. Type in a descriptive name and click Save. Note that the certificate is saved in the previously used shared folder. Click Next. Review the information and click Finish. Click OK.

Repeat this operation on all federation servers, saving all certificates to the shared folder.

Importing Certificates

Type MMC in the Run box and click OK. From the File menu, select Add/Remove Snap-in. Highlight Certificates and click Add. Select Computer account and click Next. Select Local computer and click Finish. When the snap-in has been added, click OK. Expand Certificates > Trusted Root Certification Authorities. Right-click Trusted Root Certification Authorities and click All Tasks > Import. Click Next. Navigate to the shared folder and select the certificate. Click Open. Click Next. Select Place all certificates in the following store and select Trusted Root Certification Authorities. Click Next. Click Finish. Click OK.

Repeat this operation on all federation servers, importing all certificates from the shared folder.
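The export steps under Exporting Certificates and the import steps under Importing Certificates above can be scripted as a pair, which matters when several federation servers must exchange certificates and a single mis-clicked file would silently add the wrong certificate to Trusted Root. The script below is an added example, not part of the course; it assumes the PKI module (Export-Certificate and Import-Certificate, available from Windows Server 2012 onward), and the share path and the function names Export-ServerCerts and Import-PartnerCerts are placeholders chosen for this illustration. The export writes DER-encoded .cer files with no private key, exactly as the wizard does, and records each thumbprint in a list that travels with the files; the import recomputes every file's thumbprint and refuses anything that is not on that list before placing it in Trusted Root Certification Authorities.

```powershell
# Added example (not from the course). Exports certificates as DER .cer files without
# private keys, then imports them into Trusted Root on a partner server with a thumbprint
# check. \\fileserver\adfs-certs is a placeholder for your shared folder.
$ShareRoot = '\\fileserver\adfs-certs'

# --- Run on each federation server (elevated): export its certificates ---
function Export-ServerCerts {
    param(
        [string]$Destination,
        [string]$SubjectLike = '*'   # narrow to e.g. '*fs.contoso.com*' to export one certificate
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # LocalMachine\My holds the server's own certificates (SSL, token-signing, ...)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like $SubjectLike } |
        ForEach-Object {
            $file = (Join-Path $Destination ($_.Thumbprint + '.cer'))
            # -Type CERT = DER encoded binary X.509; the private key is never written out
            Export-Certificate -Cert $_ -FilePath $file -Type CERT | Out-Null
            "{0}`t{1}" -f $_.Thumbprint, $_.Subject   # one line per certificate
        } | Set-Content (Join-Path $Destination 'thumbprints.txt')
}

# --- Run on each partner federation server (elevated): import and verify ---
function Import-PartnerCerts {
    param([string]$Source)
    # Expected thumbprints, as recorded by the exporting server
    $expected = @{}
    Get-Content (Join-Path $Source 'thumbprints.txt') | ForEach-Object {
        $tp, $subj = $_ -split "`t", 2
        $expected[$tp] = $subj
    }
    Get-ChildItem -Path $Source -Filter *.cer | ForEach-Object {
        # Parse the file and take its real thumbprint; do not trust the file name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
        $hash = $cert.Thumbprint
        if (-not $expected.ContainsKey($hash)) {
            Write-Warning "Skipping $($_.Name): thumbprint $hash is not in thumbprints.txt"
            return
        }
        Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        # Confirm it actually landed in Trusted Root Certification Authorities
        if (Test-Path "Cert:\LocalMachine\Root\$hash") {
            Write-Host "Trusted $hash  $($expected[$hash])"
        } else {
            throw "Import of $($_.Name) did not appear in Trusted Root"
        }
    }
}

# Usage on the exporting server, then on the partner server:
# Export-ServerCerts -Destination (Join-Path $ShareRoot $env:COMPUTERNAME)
# Import-PartnerCerts -Source (Join-Path $ShareRoot 'FS1')   # 'FS1' = exporting server's name
```

Because the Trusted Root store is consulted for every TLS handshake on the machine, the import side is the place to be strict: it derives the thumbprint from the certificate bytes, not from the file name, and skips rather than trusts any file that does not match the exporting server's list.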

Now that all federation servers have been configured, you can move on to the configuration of the federation trust. To do so, you must export the trust policy from the account federation server (AFS), import it into the resource federation server (RFS), create a claim mapping based on this policy, and then export the partner policy from the RFS and import it into the AFS. This will complete the AD FS implementation.

AD FS Summary