Integrating Active Directory Federation Services with SharePoint
Post on 25-Mar-2020
Environment
All servers have Windows Server 2008 R2 Datacentre installed and are joined to the test.com domain:
• DC – Domain Controller and Enterprise CA for the test.com domain
• Share – SharePoint Server
• SQL – SQL Server for ADFS databases
• SQL02 – SQL Server mirror partner for ADFS databases
• ADFS01 – First ADFS Server
• ADFS02 – Second ADFS Server
The following servers are not joined to the test.com domain:
• ADFSProxy01 – First ADFS Proxy Server
• ADFSProxy02 – Second ADFS Proxy Server
Install ADFS 2.0 and Configure it for Use with SharePoint
Prerequisites
• Download ADFS 2.0 on ADFS01
• Create the following DNS entries:
  o A record → auth.test.com → 192.168.1.103 (IP of ADFS01)
• Create a certificate for auth.test.com
• Provision domain user accounts:
  o test\adfs-service → normal domain user
  o test\adfs-install-temp → Domain Admin and sysadmin on the SQL server
Installation
1. Logon to the ADFS01 server as a domain administrator and launch ADFSSetup.exe
5. Next
6. Unselect Start the AD FS 2.0 Management… → Finish
Request a Certificate
1. Open the IIS Management Console → select the server name → double click Server Certificates → select Create Domain Certificate…
2. Enter the relevant information → Next
Note: The common name must be the same as the CNAME you created earlier
3. Select the correct certificate authority and enter a friendly name → Finish
4. Select Default Website → Bindings
5. Add
6. Select https → select ADFS Certificate → OK
7. Select http\80 → Remove → Yes → Close
Configure AD FS
1. Logon to ADFS01 with an account that is a Domain Admin and is a sysadmin on the SQL server
2. Open an Administrator PowerShell console → browse to C:\Program Files\Active Directory Federation Services 2.0> → run the following command
Note: Replace Password with the account password
.\FSConfig.exe CreateSQLFarm /ServiceAccount test\adfs-service /ServiceAccountPassword Password /SQLConnectionString "database=AdfsConfiguration;server=sql;integrated security=SSPI" /CleanConfig /FederationServiceName auth.test.com /AutoCertRolloverEnabled
3. Example
Export Certificates and add a new token signing certificate to ADFS
1. Open IIS Manager → select the server → Server Certificates → ADFS Certificate → View…
5. Next
6. Enter C:\Temp\Certificates\ADFS Certificate.cer → Next
7. Finish
8. Open IIS Manager → select the server → Server Certificates → ADFS Certificate → View…
9. Select the Certification Path tab → select the root → View Certificate
10. Details tab… and follow the same steps as above, but save the certificate as ADFS Certificate Parent
Note: This certificate will be used on the SharePoint Server
11. Open PowerShell and run the following lines:
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-AdfsProperties -AutoCertificateRollover $false
12. Open the ADFS Management Console → Services → Certificates → Add Token Signing Certificate…
13. OK
14. Yes
15. OK
16. Right click the certificate and select Set as Primary…
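The same export can be scripted instead of clicked through in IIS Manager. The following is an added example, not part of the original guide: it refuses to continue while automatic certificate rollover is still on (otherwise ADFS would later replace the certificate SharePoint trusts), exports the primary token-signing certificate and the root of its chain to the two .cer files used later on SHARE, and prints both thumbprints so they can be compared after import. It assumes ADFS 2.0 on ADFS01 and the output folder C:\Temp\Certificates.

```powershell
# Added example (not from the original guide): export the primary ADFS 2.0 token-signing
# certificate and its chain root as DER .cer files. Run on ADFS01 as an administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$outDir = "C:\Temp\Certificates"   # assumption: same folder the guide uses
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Automatic rollover would silently replace the certificate SharePoint trusts; stop if it is still on.
if ((Get-ADFSProperties).AutoCertificateRollover) {
    throw "AutoCertificateRollover is still enabled; run Set-ADFSProperties -AutoCertificateRollover `$false first"
}

# The primary token-signing certificate is the one relying parties validate tokens against.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw "No primary token-signing certificate found" }
$cert = $signing.Certificate    # X509Certificate2 exposed by the cmdlet

# Export the public part only (DER); the private key never leaves the ADFS server.
$der = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes((Join-Path $outDir "ADFS Certificate.cer"), $cert.Export($der))

# Walk the chain to its root (the Enterprise CA on DC) and save that as the parent certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) { Write-Warning "Chain did not build cleanly; check the CA certificate is trusted on this host" }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
[System.IO.File]::WriteAllBytes((Join-Path $outDir "ADFS Certificate Parent.cer"), $root.Export($der))

# Record thumbprints and expiry so the SharePoint side can be checked against them later.
"Token-signing : $($cert.Thumbprint)  expires $($cert.NotAfter)"
"Chain root    : $($root.Thumbprint)  subject $($root.Subject)"
```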
Configure AD FS Trust
1. Open the AD FS Management Console
2. Relying Party Trust → Add Relying Party Trust…
3. Start
7. Next
8. Select Enable support for the WS-Federation Passive protocol → enter the URL for the SharePoint site with /_trust/ appended, https://share/_trust/ → Next
9. Add urn:test:sharepoint → Next
13. Select Add
14. Next
15. Map E-Mail-Addresses → E-Mail Address and Token-Groups - Unqualified Names → Role → Finish → OK
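The wizard does not show the finished trust in one place, so the following added check (not part of the original guide) reads the relying party trust back and compares it with the values entered above: the WS-Federation endpoint https://share/_trust/, the identifier urn:test:sharepoint, and issuance rules that emit the e-mail address and role claims. The trust display name "SharePoint" is an assumption, since the step that names the trust is missing from this transcript.

```powershell
# Added example (not from the original guide): verify the SharePoint relying party trust on ADFS01.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName  = "SharePoint"              # assumption: display name given in the wizard
$expectedEp = "https://share/_trust/"   # WS-Federation passive endpoint from step 8
$expectedId = "urn:test:sharepoint"     # relying party identifier from step 9
# Claim types produced by the two rule-template mappings in step 15.
$expectedClaims = @(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
)

$rp = Get-ADFSRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found" }

$problems = @()
if (-not $rp.Enabled) { $problems += "trust is disabled" }
if ([string]$rp.WSFedEndpoint -ne $expectedEp) {
    $problems += "WS-Federation endpoint is '$($rp.WSFedEndpoint)', expected '$expectedEp'"
}
if ($rp.Identifier -notcontains $expectedId) {
    $problems += "identifiers '$($rp.Identifier -join ', ')' do not include '$expectedId'"
}
# IssuanceTransformRules is the claim rule language text; each mapped claim type must appear in it.
foreach ($claim in $expectedClaims) {
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
        $problems += "no issuance rule emits '$claim'"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Relying party trust '$trustName' matches the expected configuration"
```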
Notes
Internet to ADFS proxy: port 443
ADFS Proxy to ADFS: port 443
When configuring the ADFS server farm you need to be logged on as a Domain Admin
References:
http://cloudanalysis.blogspot.co.uk/2011/06/setting-up-adfs-with-office-365.html
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
Add Second ADFS Server
Prerequisites
• Provision a Windows 2008 R2 server as ADFS02
• Download ADFSSetup.exe to "C:\Temp\ADFS 2.0\AdfsSetup.exe"
• Add a second A DNS record for auth.test.com pointing to ADFS02
  o Confirm both records are in DNS by running nslookup auth.test.com
Installation
1. Logon to the ADFS02 server as a domain administrator and launch ADFSSetup.exe
2. Next
3. I Accept… → Next
4. Select Federation server → Next
5. Next
6. Unselect Start the AD FS 2.0 Management… → Finish
Export Certificates from ADFS01 primary ADFS server
1. Logon to ADFS01
2. Open the MMC Certificates snap-in for the Computer account
3. Expand Certificates (Local Machine) → Personal → select Certificates
4. Right click auth.test.com → All Tasks… → Export
5. Next
6. Yes, export the private key → Next
7. Select Include all certificates in the certification path if possible and Export all extended properties → Next
Note: DO NOT select Delete the private key if the export is successful
8. Enter a password → Next
9. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next
10. Finish
Install Exported Certificate on ADFS02
1. Logon to ADFS02
2. Copy \\ADFS02\C$\Temp\Certificates\ADFS01 Export.pfx to C:\Temp\Certificates\ADFS01 Export.pfx
3. Open the MMC Certificates snap-in for the Computer account
4. Expand Certificates (Local Machine) → Personal → right click Certificates → Import
5. Next
6. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next
10. Open the IIS Management Console → Default Web Site → Bindings
11. Select Add → https → select ADFS Certificate → OK
12. Select http → Remove
13. Close
14. Logon to ADFS02 as ADFS-Install-Temp → open a PowerShell console → browse to C:\Program Files\Active Directory Federation Services 2.0> → run the following command
Note: Replace Password with the account password
.\FSConfig.exe JoinSQLFarm /ServiceAccount TEST\adfs-service /ServiceAccountPassword Password /SQLConnectionString "database=AdfsConfiguration;server=sql;integrated security=SSPI"
Configure ADFS SQL Databases with Mirrored SQL
Prerequisites
• Configure the ADFSConfiguration and ADFSArtifact SQL databases as mirrored databases
Installation
Note: The following steps are for the ADFSConfiguration database and need to be run on all ADFS servers
1. Logon to ADFS01 → open PowerShell as an Administrator
2. Stop the ADFS service by running
net stop adfssrv
3. Run the following commands
Note: SQL is my primary SQL server and SQL02 is my mirror
$temp = Get-WMIObject -namespace root/ADFS -class SecurityTokenService
$temp.ConfigurationDatabaseConnectionString = "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsConfiguration;Integrated Security=true"
$temp.put()
4. Start the ADFS service by running
net start adfssrv
5. Logon to ADFS02 → open PowerShell as an Administrator
6. Stop the ADFS service by running
net stop adfssrv
7. Run the following commands
Note: SQL is my primary SQL server and SQL02 is my mirror
$temp = Get-WMIObject -namespace root/ADFS -class SecurityTokenService
$temp.ConfigurationDatabaseConnectionString = "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsConfiguration;Integrated Security=true"
$temp.put()
8. Start the ADFS service by running
net start adfssrv
9. Example
Note: you can run "Get-WmiObject -namespace root/adfs -class securitytokenservice" to see if the setting has been applied correctly
Note: The following steps are for the ADFSArtifact database and need to be run on all ADFS servers
10. Logon to ADFS01 → open PowerShell as an Administrator
11. Run the following commands
Add-PSSnapin Microsoft.ADFS.Powershell
Set-AdfsProperties -ArtifactDbConnection "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsArtifactStore;Integrated Security=true"
12. Restart the ADFS service on all ADFS servers
13. Example
Note: run Get-ADFSProperties to see if the configuration has been applied
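Reading the two properties back by eye is easy to get wrong, because the configuration string lives in WMI and the artifact string in Get-ADFSProperties. The following is an added example, not part of the original guide, to be run on each ADFS server after steps 1 to 13: it parses both connection strings with the .NET SqlConnectionStringBuilder (so "Failover Partner" and "Initial Catalog" are checked as keywords, not by substring matching) and confirms each points at the principal SQL, the mirror SQL02, the right database and Windows authentication.

```powershell
# Added example (not from the original guide): confirm both ADFS 2.0 databases use the mirror.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-MirroredConnection {
    param(
        [string]$Label, [string]$ConnectionString,
        [string]$Principal, [string]$Mirror, [string]$Database
    )
    if (-not $ConnectionString) { Write-Warning "${Label}: connection string is empty"; return $false }
    # SqlConnectionStringBuilder understands the same keywords SqlClient does, including the
    # "Data Source=SQL; Failover Partner=SQL02" spacing used in the commands above.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $issues = @()
    if ($b.DataSource      -ne $Principal) { $issues += "Data Source is '$($b.DataSource)', expected '$Principal'" }
    if ($b.FailoverPartner -ne $Mirror)    { $issues += "Failover Partner is '$($b.FailoverPartner)', expected '$Mirror'" }
    if ($b.InitialCatalog  -ne $Database)  { $issues += "Initial Catalog is '$($b.InitialCatalog)', expected '$Database'" }
    if (-not $b.IntegratedSecurity)        { $issues += "Integrated Security is off; the service account should use Windows auth" }
    if ($issues) { Write-Warning "${Label}: $($issues -join '; ')"; return $false }
    Write-Host "${Label}: OK ($ConnectionString)"
    return $true
}

# Configuration database string: stored in the WMI SecurityTokenService object on this server.
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$configOk = Test-MirroredConnection "Configuration DB" $sts.ConfigurationDatabaseConnectionString `
                                    "SQL" "SQL02" "AdfsConfiguration"

# Artifact database string: a farm-wide ADFS property.
$artifactOk = Test-MirroredConnection "Artifact DB" (Get-ADFSProperties).ArtifactDbConnection `
                                      "SQL" "SQL02" "AdfsArtifactStore"

if (-not ($configOk -and $artifactOk)) { exit 1 }
```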
Notes
http://pipe2text.com/?page_id=542
Install and Configure ADFS Proxy Servers
Prerequisites
• Provision a Windows 2008 R2 Server
• DO NOT join it to the domain
• Download ADFSSetup.exe to "C:\Temp\ADFS 2.0\AdfsSetup.exe"
Installation
1. Logon as a local Administrator
2. Launch "C:\Temp\ADFS 2.0\AdfsSetup.exe"
6. Next
7. Uncheck Start the AD FS 2.0… → Finish
Install Exported Certificate on ADFSProxy01
1. Logon to ADFSProxy01
2. Copy \\ADFS01\C$\Temp\Certificates\ to C:\Temp\Certificates\
3. Open the MMC Certificates snap-in for the Computer account
4. Expand Certificates (Local Machine) → Personal → right click Certificates → Import
5. Next
6. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next
10. Expand Certificates (Local Machine) → Personal → Trusted Certificate Authorities → Certificates → Import
11. Next
12. Enter C:\Temp\Certificates\ADFS01 Certificate Parent.cer → Next
16. Select Add → https → select ADFS Certificate → OK
17. Select http → Remove
18. Close
Run ADFS Proxy Configuration
1. Run the AD FS 2.0 Federation Server Proxy Configuration Wizard
2. Next
6. Close
7. Add static records to the C:\Windows\System32\Hosts file mapping to the local ADFS servers
8. Repeat these steps on ADFSProxy02
Notes
http://pipe2text.com/?page_id=399
• The ADFS Proxy does not need to be on the domain
• An external DNS entry is needed which points to the ADFS proxy server, with an associated certificate
Install Rollup Pack 3 for ADFS
Prerequisites
• Download http://support.microsoft.com/kb/2790338/en-gb and extract it
Installation
1. Copy Windows6.1-KB2790338-v2-x64.msu to C:\Temp\
2. Logon to ADFS01, ADFS02, ADFSProxy01 and ADFSProxy02 → run C:\Windows6.1-KB2790338-v2-x64.msu → Yes
3. Restart Now
4. After the restart confirm the ADFS services have started on all servers
Configure SharePoint to use AD FS
Prerequisites
• Configure the SharePoint default site to use https
Configuration
1. Logon to SHARE
2. Copy the ADFS certificates from \\ADFS01\C$\Temp\Certificates to C:\Temp\Certificates
3. Open a SharePoint Administrator PowerShell console session and run the following PowerShell commands to import the certificates
Note: Run them in a SharePoint Administrator PowerShell console session, or import the cmdlets before running the commands
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\Certificates\ADFS Certificate Parent.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\Certificates\ADFS Certificate.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
4. Create claim mappings for Email Address and Role by running these commands in the above SharePoint PowerShell session
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
5. Create a variable for the realm by running this command in the above SharePoint PowerShell session
$realm = "urn:test:sharepoint"
6. Now run the final command that ties everything together, preparing SharePoint. Run it in the same SharePoint PowerShell session as above.
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://auth.test.com/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
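Once step 6 has run, the values SharePoint will actually use live in the trusted identity token issuer object. The following added check (not part of the original guide) runs in the same SharePoint Management Shell on SHARE and compares that object with the ADFS side of this guide: the signing certificate thumbprint against the exported ADFS Certificate.cer, its presence among the SharePoint trusted root authorities, the sign-in URL, realm, identifier claim and both claim mappings. Names and paths are the ones used in steps 2 to 6.

```powershell
# Added example (not from the original guide): verify the "SAML Provider" trusted identity
# token issuer on SHARE against the values configured on ADFS01.
$issuerName = "SAML Provider"
$signInUrl  = "https://auth.test.com/adfs/ls"
$realm      = "urn:test:sharepoint"
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$certFile   = "C:\Temp\Certificates\ADFS Certificate.cer"   # exported from ADFS01

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
$problems = @()

# Tokens are validated with this certificate, so it must be the one ADFS currently signs with.
$adfsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
if ($ti.SigningCertificate.Thumbprint -ne $adfsCert.Thumbprint) {
    $problems += "signing cert $($ti.SigningCertificate.Thumbprint) differs from exported $($adfsCert.Thumbprint)"
}
if ($adfsCert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "ADFS token-signing certificate expires $($adfsCert.NotAfter); plan the re-export"
}

# SharePoint keeps its own trust store (step 3), separate from the Windows certificate store.
$trustedRoots = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
if ($trustedRoots -notcontains $adfsCert.Thumbprint) {
    $problems += "token-signing certificate is not registered as an SPTrustedRootAuthority"
}

if (([string]$ti.ProviderUri).TrimEnd('/') -ne $signInUrl) { $problems += "sign-in URL is '$($ti.ProviderUri)', expected '$signInUrl'" }
if ($ti.DefaultProviderRealm -ne $realm)  { $problems += "realm is '$($ti.DefaultProviderRealm)', expected '$realm'" }
if ($ti.IdentifierClaim -ne $emailClaim)   { $problems += "identifier claim is '$($ti.IdentifierClaim)', expected '$emailClaim'" }

# Both claims mapped in step 4 must be present, or users will not resolve or get their roles.
$mapped = $ti.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
foreach ($c in $emailClaim, $roleClaim) {
    if ($mapped -notcontains $c) { $problems += "claim '$c' is not mapped on the issuer" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Trusted identity token issuer '$issuerName' matches the ADFS configuration"
```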
7. Logon to the SharePoint Central Administration site → select Manage Web Applications
12. Enter Title → Blank Page → Primary Site Administrator, e.g. TEST\Administrator → OK
Test Configuration
1. At this point you should be able to browse to https://share. You should then be presented with the following screen
2. Logon using a test account that is part of the shareallow group
3. After logging on you should be redirected to the SharePoint site