
Advanced Operating Systems Administration

Lab 13: Implementing AD FS

Objectives:
At the end of the lab the student will be able to:

Install and configure AD FS

Configure an internal application for AD FS

Configure AD FS for a federated partner

Configure a web application for external users

Safety:

Place briefcases and/or backpacks in the cabinet at the back of the lab room or in the lockers
assigned to the student.
Do not bring liquids or food into the lab room.
At the end of the lab session, shut down the computer and the monitor properly, and
tidy the chairs that were used.

Equipment and Materials:

One computer with:

Windows 7 or later
VMware Workstation 10+ or VMware Player 7+
Connection to the lab network
Virtual machines:

DVD:
Windows Server 2012

Lab Guide

Page 1


Procedimiento:
Scenario A
A. Datum has established a number of business relationships with other companies and customers. Some
of these companies and customers need to access the company's applications that run on the
A. Datum network. A. Datum wants to provide the maximum level of functionality and access to the
other companies. The security and operations departments want to ensure that partners and
customers can access only the resources they are entitled to.
A. Datum is also working on migrating some parts of its network infrastructure to Microsoft Online
services, including Windows Azure and Office 365.
To meet these requirements, A. Datum plans to implement AD FS. In the initial implementation, the
company plans to use AD FS to implement SSO for internal users who access an application on a
web server.
As one of the A. Datum administrators, you are responsible for implementing the AD FS solution.
As a proof of concept, you plan to deploy a claims-aware application, and you will configure AD FS
to enable internal users to access the application.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1
and LON-CL1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.



EXERCISE 1: Installing and configuring AD FS
Scenario
To start the AD FS implementation, you need to install AD FS on a domain controller.
During the initial implementation, you will configure it as the first server in the farm, with the option
to expand later. The certificate for AD FS is already installed on LON-DC1.
The main tasks for this exercise are as follows:
Create a DNS record for AD FS
Create a service account
Install AD FS
Configure AD FS
Verify AD FS functionality

Task 1: Create a DNS record for AD FS


1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click
Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.10, and then click Add Host.
6. In the DNS window, click OK.
7. Click Done, and then close the DNS Manager.

Task 2: Create a service account


1. On LON-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, type New-ADUser -Name adfsService, and then press Enter.
3. Type Set-ADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.

Task 3: Install AD FS
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and
then click Next.
4. On the Select destination server page, click Select a server from the server pool, click
LON-DC1.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check
box, and then click Next.


6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.

Task 4: Configure AD FS
1. On LON-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click
Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.

Note: The adfs.adatum.com certificate was preconfigured for this task. In your own environment, you
need to obtain this certificate.

Task 5: Verify AD FS functionality


1. On LON-CL1, sign in as Adatum\Brad with the password Pa$$w0rd.
2. On the taskbar, click Internet Explorer.
3. In Internet Explorer, in the address bar, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then
press Enter.
4. Verify that the file loads, and then close Internet Explorer.



Deliverable 1. Capture a screenshot showing the result of step 3.

Results: In this exercise, you installed and configured AD FS. You also verified that it is functioning by
viewing the FederationMetaData.xml file contents.
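The five tasks of this exercise as one PowerShell script run in an elevated prompt on LON-DC1 (an added example, not part of the lab guide). It assumes the adfs.adatum.com certificate is already in the computer's personal store, as the lab states, and looks it up by subject; the service-account password is read at run time rather than typed into the script.

```powershell
# Added example: Exercise 1 (DNS record, service account, role install, farm
# configuration, metadata check) without the GUI wizards. Run on LON-DC1.
$Domain      = 'adatum.com'
$AdfsHost    = 'adfs'
$AdfsIp      = '172.16.0.10'
$SvcName     = 'adfsService'
$SvcPassword = Read-Host -Prompt "Password for $SvcName" -AsSecureString   # not hard-coded

# Task 1: A record adfs.adatum.com -> 172.16.0.10 (skipped if it already exists)
if (-not (Get-DnsServerResourceRecord -ZoneName $Domain -Name $AdfsHost -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name $AdfsHost -IPv4Address $AdfsIp
}

# Task 2: service account, created enabled with its password in one step
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -AccountPassword $SvcPassword `
               -Enabled $true -PasswordNeverExpires $true
}

# Task 3: the AD FS role
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Task 4: first server in a new farm, Windows Internal Database (the default)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$AdfsHost.$Domain*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate for $AdfsHost.$Domain in the machine store" }
$svcCred = New-Object System.Management.Automation.PSCredential("ADATUM\$SvcName", $SvcPassword)
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName "$AdfsHost.$Domain" `
                 -FederationServiceDisplayName 'A. Datum Corporation' `
                 -ServiceAccountCredential $svcCred

# Task 5: fetch the federation metadata and confirm the entityID is the service name.
# Relying parties will import this document, so check it before handing out the URL.
$metaUrl = "https://$AdfsHost.$Domain/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$entityId = $meta.EntityDescriptor.entityID
if ($entityId -ne "http://$AdfsHost.$Domain/adfs/services/trust") {
    Write-Warning "Unexpected entityID in metadata: $entityId"
}
"entityID: $entityId"
```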



EXERCISE 2: Configuring an internal application for AD FS
Scenario
The first scenario for the AD FS proof-of-concept application deployment is to ensure that internal
users can use SSO to access the web application. You plan to configure the AD FS server and a web
application to enable this scenario. You also want to verify that internal users can access the
application.
The main tasks for this exercise are as follows:
Configure a certificate for the application
Configure the Active Directory claims-provider trust
Configure the application to trust incoming claims
Configure a relying-party trust for the claims-aware application
Configure claim rules for the relying-party trust
Test access to the claims-aware application
Configure Internet Explorer to pass local credentials to the application automatically

Task 1: Configure a certificate for the application


1. On LON-SVR1, in Server Manager, click Tools and click Internet Information Services (IIS)
Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do
not show this message check box, and then click No.
3. In IIS Manager, click LON-SVR1 (ADATUM\Administrator), and then double-click Server
Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the following
information, and then click Next:

Common name: lon-svr1.adatum.com

Organization: A. Datum

Organizational unit: IT

City/locality: London

State/Province: England

Country/region: GB

6. On the Online Certification Authority page, click Select.


7. In the Select Certification Authority window, click AdatumCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type AdatumTestApp
Certificate, and then click Finish.
9. In IIS Manager, expand LON-SVR1 (ADATUM\Administrator), expand Sites, click Default Web
Site, and then in the Actions Pane, click Bindings.
10. In the Site Bindings window, click Add.
11. In the Add Site Binding window, in the Type box, select https.
12. In the SSL certificate box, select AdatumTestApp Certificate, and then click OK.
13. In the Site Bindings window, click Close.


14. Close IIS Manager.

Task 2: Configure the Active Directory claims-provider trust


1. On LON-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab,
click Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes
Rule.
7. In the Attribute Store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values for
the LDAP Attribute and the Outgoing Claim Type, and then click Finish:

E-Mail-Addresses: E-Mail Address

User-Principal-Name: UPN

Display-Name: Name

9. In the Edit Claim Rules for Active Directory window, click OK.

Task 3: Configure the application to trust incoming claims


1. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Identity Foundation
Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample web.config file.
3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the path
to the sample application that will trust the incoming claims from the federation server, and then
click Next to continue.
4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation
metadata document location box, type https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that the federation server will offer, and then click
Next.

8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and
then click Finish.
9. In the Success window, click OK.

Task 4: Configure a relying-party trust for the claims-aware application


1. On LON-DC1, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
5. In the Federation Metadata address (host name or URL) box, type https://lon-svr1.adatum.com/adatumtestapp/, and then click Next. This downloads the metadata configured
in the previous task.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test App, and
then click Next.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure
multifactor authentication settings for this relying party trust at this time, and then click
Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this
relying party, and then click Next.
9. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claims Rules for A. Datum Test App window open for the next task.

Task 5: Configure claim rules for the relying-party trust


1. On LON-DC1, in the AD FS management console, in the Edit Claim Rules for A. Datum Test App
window, on the Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
3. In the Claim rule name box, type Pass through Windows account name.
4. In the Incoming claim type drop-down list, click Windows account name, and then click Finish.
5. On the Issuance Transform Rules tab, click Add Rule.
6. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
7. In the Claim rule name box, type Pass through E-Mail Address.
8. In the Incoming claim type drop-down list, click E-Mail Address, and then click Finish.
9. On the Issuance Transform Rules tab, click Add Rule.

10. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
11. In the Claim rule name box, type Pass through UPN.
12. In the Incoming claim type drop-down list, click UPN, and then click Finish.
13. On the Issuance Transform Rules tab, click Add Rule.
14. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
15. In the Claim rule name box, type Pass through Name.
16. In the Incoming claim type drop-down list, click Name, and then click Finish.
17. On the Issuance Transform Rules tab, click OK.

Task 6: Test access to the claims-aware application


1. On LON-CL1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter.

Note: It is critical to use the trailing slash in the URL for step 2.

3. In the Windows Security window, sign in as Adatum\Brad with the password Pa$$w0rd.
4. Review the claim information that the application displays.
5. Close Internet Explorer.
Deliverable 2. Capture a screenshot showing the result of step 4.

Task 7: Configure Internet Explorer to pass local credentials to the application automatically
1. On LON-CL1, on the Start screen, type Internet Options, and then click Internet Options.
2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.
3. In the Local intranet window, click Advanced.
4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.
5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and
then click Close.
6. In the Local intranet window, click OK.
7. In the Internet Properties window, click OK.
8. On LON-CL1, open Internet Explorer.
9. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter.


Note: It is critical to use the trailing slash in the URL for step 9.

10. Notice that you were not prompted for credentials.


11. Review the claim information that the application displays.
Deliverable 3. Capture a screenshot showing the result of step 11.

12. Close Internet Explorer.

Results: After completing this exercise, you will have configured AD FS to support authentication for an
application.
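Tasks 2, 4 and 5 of this exercise expressed in PowerShell and the AD FS claim rule language, run on LON-DC1 (an added example, not part of the lab guide). The claim type URIs are the standard ones behind the wizard's friendly names; the metadata path under the application URL is the one the Federation Utility publishes and is assumed here, as is that the Task 3 changes to web.config are already in place.

```powershell
# Added example: the claims-provider rule, the relying-party trust and its claim
# rules for the test application, run on LON-DC1.
$AppUri  = 'https://lon-svr1.adatum.com/AdatumTestApp/'
$AppName = 'A. Datum Test App'
# Assumed: the Federation Utility publishes the app's metadata under this path
$AppMetadata = $AppUri + 'FederationMetadata/2007-06/FederationMetadata.xml'

# Claim type URIs behind the friendly names shown in the wizard
$Claims = @{
    WindowsAccountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
    EmailAddress       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    Upn                = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    Name               = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}

# Task 2: acceptance transform rule on the Active Directory claims-provider trust,
# the text the "Send LDAP Attributes as Claims" template generates for the three
# mappings in the lab (mail -> E-Mail Address, userPrincipalName -> UPN,
# displayName -> Name). The store is queried with the Windows account name.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "$($Claims.WindowsAccountName)", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$($Claims.EmailAddress)", "$($Claims.Upn)", "$($Claims.Name)"),
          query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
"@
# Append to the existing rule set rather than replacing it
$existing = (Get-AdfsClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($existing + "`n" + $ldapRule)

# Task 4: relying-party trust imported from the application's published metadata
Add-AdfsRelyingPartyTrust -Name $AppName -MetadataUrl $AppMetadata

# Task 5: one "Pass Through or Filter an Incoming Claim" rule per claim type
function New-PassThroughRule([string]$RuleName, [string]$ClaimType) {
    @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "$RuleName"
c:[Type == "$ClaimType"] => issue(claim = c);
"@
}
$issuanceRules = @(
    New-PassThroughRule 'Pass through Windows account name' $Claims.WindowsAccountName
    New-PassThroughRule 'Pass through E-Mail Address'       $Claims.EmailAddress
    New-PassThroughRule 'Pass through UPN'                  $Claims.Upn
    New-PassThroughRule 'Pass through Name'                 $Claims.Name
) -join "`n"

# "Permit all users to access this relying party": the wizard option as rule text
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName $AppName `
    -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $permitAll

# Show the rule sets AD FS stored, to compare with the Edit Claim Rules window
(Get-AdfsRelyingPartyTrust -Name $AppName) |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Only the claim types that the application's web.config lists as required are pass-through here; a relying party should receive no more than it needs, which is why the lab adds rules per claim type rather than one rule that forwards everything.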



Scenario B
A. Datum has established a number of business relationships with other companies and customers. Some
of these companies and customers need to access the company's applications that run on the
A. Datum network. A. Datum wants to provide the maximum level of functionality and access to the
other companies. The security and operations departments want to ensure that partners and
customers can access only the resources they are entitled to.
A. Datum is also working on migrating some parts of its network infrastructure to Microsoft Online
services, including Windows Azure and Office 365.
Now that you have implemented AD FS for internal users, the next step is to enable access to the
same application for partner companies and for external users. A. Datum has entered into a
relationship with Trey Research, so you need to ensure that Trey Research users can access the
internal application. You also need to ensure that A. Datum users who work outside the office can
access the application.
As one of the A. Datum administrators, you are responsible for implementing the AD FS solution.
As a proof of concept, you are developing a sample claims-aware application, and you are
configuring AD FS to enable Trey Research users and external A. Datum users to access the same
application.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1, LON-SVR2 and TREY-DC1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.



EXERCISE 1: Configuring AD FS for a federated partner
Scenario
The second deployment scenario is to enable Trey Research users to access the web application.
You plan to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then
verify that Trey Research users can access the application.
You also need to confirm that you can configure access based on user groups.
You must ensure that all A. Datum users, and only the Trey Research users who are in the
Production group, can access the application.
The main tasks for this exercise are as follows:
Configure DNS forwarding between the companies
Configure certificate trusts between the companies
Install and configure AD FS for Trey Research
Configure and test the application
Configure and test the authorization rules

Task 1: Configure DNS forwarding between TreyResearch.net and Adatum.com


1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LON-DC1, and then click Conditional Forwarders.
3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
4. In the New Conditional Forwarder window, in the DNS Domain box, type TreyResearch.net.
5. In the IP addresses of the master servers box, type 172.16.10.10, and then press Enter.
6. Select the Store this conditional forwarder in Active Directory, and replicate it as follows
check box, select All DNS servers in this forest, and then click OK.
7. Close the DNS Manager.
8. On TREY-DC1, in the Server Manager, click Tools, and then click DNS.
9. In the DNS Manager, expand TREY-DC1, and then click Conditional Forwarders.
10. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
11. In the New Conditional Forwarder window, in the DNS Domain box, type Adatum.com.
12. In the IP addresses of the master servers box, type 172.16.0.10, and then press Enter.
13. Select the Store this conditional forwarder in Active Directory, and replicate it as follows
check box, select All DNS servers in this forest, and then click OK.
14. Close the DNS Manager.

Note: In a production environment, it is likely that you would use Internet DNS instead of conditional
forwarders.

Task 2: Configure certificate trusts between TreyResearch.net and Adatum.com


1. On LON-DC1, open File Explorer, browse to \\TREY-DC1\CertEnroll, and then copy TREY-DC1.TreyResearch.net_TreyResearchCA.crt to C:\.
2. Close File Explorer.
3. In the Server Manager, click Tools, and then click Group Policy Management.


4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
5. In Group Policy Management Editor, under Computer Configuration, expand Policies,
expand Windows Settings, expand Security Settings, expand Public Key Policies, and then
click Trusted Root Certification Authorities.
6. Right-click Trusted Root Certification Authorities, and then click Import.
7. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Next.
8. On the File to Import page, type C:\TREY-DC1.TreyResearch.net_TreyResearchCA.crt, and
then click Next.
9. On the Certificate Store page, click Place all certificates in the following store, select
Trusted Root Certification Authorities, and then click Next.
10. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the
success message.
11. Close the Group Policy Management Editor.
12. Close Group Policy Management.
13. On TREY-DC1, open File Explorer, and then browse to \\LON-DC1\CertEnroll.
14. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Install Certificate.
15. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Local Machine, and then click Next.
16. On the Certificate Store page, click Place all certificates in the following store, and then
click Browse.
17. In the Select Certificate Store window, click Trusted Root Certification Authorities, and
then click OK.
18. On the Certificate Store page, click Next.
19. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close the
success message.
20. Close File Explorer.
21. On LON-SVR1, on the taskbar, click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close Windows PowerShell.
24. On LON-SVR2, on the taskbar, click Windows PowerShell.
25. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
26. Close Windows PowerShell.

Note: If you obtain certificates from a trusted certification authority, you do not need to configure a
certificate trust between the organizations.


Task 3: Create a DNS record for AD FS in TreyResearch.net


1. On TREY-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand TREY-DC1, expand Forward Lookup Zones, and then click
TreyResearch.net.
3. Right-click TreyResearch.net, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.10.10, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close the DNS Manager.

Task 4: Create a certificate for AD FS


1. On TREY-DC1, in Server Manager, click Tools and click Internet Information Services (IIS)
Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do
not show this message check box, and then click No.
3. In IIS Manager, click TREY-DC1 (TREYRESEARCH\Administrator), and then double-click
Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the following,
and then click Next:

Common name: adfs.TreyResearch.net

Organization: Trey Research

Organizational unit: IT

City/locality: London

State/Province: England

Country/region: GB

6. On the Online Certification Authority page, click Select.


7. In the Select Certification Authority window, click TreyResearchCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type
adfs.TreyResearch.net, and then click Finish.
9. Close IIS Manager.

Task 5: Create a service account


1. On TREY-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, type New-ADUser -Name adfsService, and then press Enter.
3. Type Set-ADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.

6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.

Task 6: Install AD FS for TreyResearch.net


1. On TREY-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select Installation type page, click Role-based or feature-based installation, and
then click Next.
4. On the Select destination server page, click Select a server from the server pool, click
TREY-DC1.TreyResearch.net, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check
box, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.

Task 7: Configure AD FS for TreyResearch.net


1. On TREY-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
TREYRESEARCH\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.TreyResearch.net.
5. In the Federation Service Display Name box, type Trey Research, and then click Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.


Task 8: Add a claims-provider trust for the TreyResearch.net AD FS server


1. On LON-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims Provider
Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. In the Add Claims Provider Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the claims provider published
online or on a local network.
6. In the Federation metadata address (host name or URL) box, type
https://adfs.treyresearch.net, and then click Next.
7. On the Specify Display Name page, in the Display name box, type Trey Research, and then
click Next.
8. On the Ready to Add Trust page, review the claims-provider trust settings, and then click Next to
save the configuration.
9. On the Finish page, select the Open the Edit Claim Rules dialog for this claims provider
trust when the wizard closes check box, and then click Close.
10. In the Edit Claim Rules for Trey Research window, on the Acceptance Transform Rules tab, click
Add Rule.
11. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account name.
13. In the Incoming claim type drop-down list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. In the pop-up window, click Yes to acknowledge the warning.
16. In the Edit Claim Rules for Trey Research window, click OK, and then close the AD FS
management console.

Task 9: Configure a relying party trust in TreyResearch.net for the Adatum.com application
1. On TREY-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and then
click Next.

7. On the Specify Display Name page, in the Display name text box, type A. Datum
Corporation, and then click Next.
8. On the Configure Multi-Factor Authentication Now page, click I do not want to configure
multi-factor authentication settings for this relying party trust at this time, and then click
Next.
9. On the Choose Issuance Authorization Rules page, select Permit all users to access this
relying party, and then click Next.
10. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next to
save the configuration.
11. On the Finish page, select the Open the Edit Claim Rules dialog box for the relying party
trust when the wizard closes check box, and then click Close.
12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform Rules tab,
click Add Rule.
13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account name.
15. In the Incoming claim type drop-down list, select Windows account name.
16. Click Pass through all claim values, click Finish, and then click OK.
17. Close the AD FS management console.

Task 10: Test access to the application


1. On TREY-DC1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
3. On the A. Datum Corporation page, click Trey Research.
4. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa$$w0rd.
5. After the application loads, close Internet Explorer.
6. Open Internet Explorer.
7. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
8. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa$$w0rd.
9. Close Internet Explorer.

Deliverable 4. Capture a screenshot showing the result of step 8.


Note: You are not prompted for a home realm on the second access. Once a user has selected a
home realm and has been authenticated by that realm's federation server, the relying party's
federation server issues a _LSRealm cookie that records the choice. The default lifetime of that
cookie is 30 days, so to repeat the home realm discovery prompt you must delete the cookie (or
clear the browser's cookies) after each sign-in attempt to return to a clean state.

Task 11: Configure issuance authorization rules


1. On TREY-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. Right-click A. Datum Corporation, and then click Edit Claim Rules.
4. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Authorization Rules
tab, click Permit Access to All Users, and then click Remove Rule.
5. Click Yes to confirm deleting the claim rule.
6. Click Add Rule.
7. In the Add Issuance Authorization Claim Rules Wizard, on the Select Rule Template page, in the
Claim rule template box, select Permit or Deny Users Based on an Incoming Claim, and then
click Next.
8. On the Configure Rule page, in the Claim rule name box, type Allow Production Members.
9. In the Incoming claim type box, select Group.
10. In the Incoming claim value box, type TreyResearch-Production.
11. Click Permit access to users with the incoming claim, and then click Finish.
12. In the Edit Claim Rules for A. Datum Corporation window, click OK.
13. In the AD FS management console, click Claims Provider Trusts, right-click Active Directory, and
then click Edit Claim Rules.
14. In the Edit Claim Rules for Active Directory window, click Add Rule.
15. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send Group Membership as a Claim, and then click Next.
16. On the Configure Rule page, in the Claim rule name box, type Production Group Claim.
17. To set the User's group, click Browse, type Production, and then click OK.
18. In the Outgoing claim type box, select Group.
19. In the Outgoing claim value box, type TreyResearch-Production, and then click Finish.
20. In the Edit Claim Rules for Active Directory window, click OK.
21. Close the AD FS management console.
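The rules that Task 9 (steps 12-16) and Task 11 create through the wizards, written out in AD FS claim rule language and applied with the ADFS PowerShell module. This is an added example, not part of the original lab guide: it runs on TREY-DC1 as a domain administrator and assumes that the group resolved in step 17 is the TreyResearch group named Production and that the relying party trust is named A. Datum Corporation, as in the lab. It makes two things visible that the wizards hide: the group is matched by SID rather than by name, and issuance authorization is default-deny once the "Permit Access to All Users" rule is gone.

```powershell
# Added example (not from the lab guide): Task 9 and Task 11 claim rules
# applied with the ADFS module on TREY-DC1.
# Assumptions: group TREYRESEARCH\Production exists; relying party trust
# "A. Datum Corporation" was created by Task 9.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName    = 'A. Datum Corporation'
$groupName = 'Production'                                   # assumption
$groupSid  = (Get-ADGroup -Identity $groupName).SID.Value   # EmitGroupClaims matches on SID

# Task 9, steps 12-16: pass the Windows account name through to the partner.
$passThrough = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
"@

# Task 11, steps 15-19: acceptance rule on the Active Directory claims provider
# trust. Membership is matched by SID, so renaming a group cannot change who
# receives the TreyResearch-Production claim.
$groupClaim = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Production Group Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "TreyResearch-Production", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Task 11, steps 4-11: permit only principals carrying the Group claim.
# With no matching permit rule a user receives no token at all (default deny).
$authz = @"
@RuleTemplate = "Authorization"
@RuleName = "Allow Production Members"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)TreyResearch-Production$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Append to the existing AD acceptance rules rather than overwrite them: the
# default rules there pass through the AD claims the rule above depends on.
$cp = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $groupClaim)

# -IssuanceAuthorizationRules replaces the whole set, which is exactly the
# "remove Permit Access to All Users, add the group rule" sequence of steps 4-11.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $passThrough `
    -IssuanceAuthorizationRules $authz

# Check: the relying party must no longer carry the permit-all rule.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.IssuanceAuthorizationRules -match 'PermitUsersWithClaim' -and
    $rp.IssuanceAuthorizationRules -notmatch 'AllowAllAuthzRule') {
    "Authorization on '$rpName' is now restricted to members of $groupName"
} else {
    throw "Authorization rules for '$rpName' are not as expected"
}
```

Run it once after Task 9; Tasks 11 and 12 then behave as described (April is denied, Ben is permitted). The rule pipeline order matters: the acceptance rule on the claims provider trust runs first and emits the Group claim, and only then does the authorization rule on the relying party trust evaluate it, so an authorization rule that references a claim no acceptance rule emits denies everyone.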

Task 12: Test the application of issuance authorization rules


1. On TREY-DC1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.


3. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa$$w0rd.
4. Verify that you cannot access the application because April is not a member of the production
group.

Deliverable 5. Capture a screenshot showing the result of step 4.

5. Close Internet Explorer.


6. Open Internet Explorer.
7. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
8. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password Pa$$w0rd.

9. Verify that you can access the application because Ben is a member of the production group.
Deliverable 6. Capture a screenshot showing the result of step 9.

10. Close Internet Explorer.

Results: After completing this exercise, you will have configured access for a claims-aware application
in a partner organization.


EXERCISE 2: Configuring the Web Application Proxy
Scenario
The third scenario in the AD FS proof-of-concept implementation is to increase the security of AD FS
authentication. To do this you will deploy an AD FS proxy in front of the federation service and a
reverse proxy in front of the application.
You will deploy the proxy for the web application.
The main tasks for this exercise are as follows:
Install and configure Web Application Proxy
Add the certificates
Test Web Application Proxy

Task 1: Install Web Application Proxy


1. On LON-SVR2, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and
then click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, expand Remote Access, select the Web Application Proxy check
box, and then click Next.
6. On the Select features page, click Next.
7. On the Confirm installation selections page, click Install.
8. On the Installation progress page, click Close.

Task 2: Add the adfs.adatum.com certificate to LON-SVR2


1. On LON-DC1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.


14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.
32. Close the Microsoft Management Console and do not save the changes.

Task 3: Add the LON-SVR1.adatum.com certificate to LON-SVR2


1. On LON-SVR1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand Personal,
and then click Certificates.
8. Right-click lon-svr1.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.

10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\lon-svr1.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-SVR1\c$\lon-svr1.pfx, and then
click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.
32. Close the Microsoft Management Console and do not save the changes.
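Tasks 2 and 3 are the same procedure applied to two certificates, so here is both of them done once with the PKI module (available on Windows Server 2012 R2) instead of the Certificates snap-in, with the checks a practitioner wants before trusting the result. This is an added example, not part of the original lab guide. It runs on LON-SVR2 as Adatum\Administrator and assumes PowerShell remoting to LON-DC1 and LON-SVR1 is enabled (the Windows Server 2012 R2 default); the certificate subjects and PFX file names are those used in the lab steps.

```powershell
# Added example (not from the lab guide): export the adfs.adatum.com and
# lon-svr1.adatum.com certificates with their private keys and import them
# on LON-SVR2, as Tasks 2 and 3 do by hand.
# Assumptions: run on LON-SVR2 as Adatum\Administrator; WinRM reachable on
# LON-DC1 and LON-SVR1; subjects are CN=adfs.adatum.com / CN=lon-svr1.adatum.com.
$pfxPassword = Read-Host -AsSecureString 'PFX password'   # the lab uses Pa$$w0rd

# Source host -> certificate subject -> PFX file name, as in steps 14 and 26.
$exports = @(
    @{ Computer = 'LON-DC1';  Subject = 'adfs.adatum.com';     File = 'adfs.pfx' },
    @{ Computer = 'LON-SVR1'; Subject = 'lon-svr1.adatum.com'; File = 'lon-svr1.pfx' }
)

foreach ($e in $exports) {
    # Steps 8-15: export with the private key on the source host.
    Invoke-Command -ComputerName $e.Computer -ArgumentList $e.Subject, $e.File, $pfxPassword -ScriptBlock {
        param($subject, $file, $pw)
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match "CN=$([regex]::Escape($subject))" -and $_.HasPrivateKey } |
            Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for $subject on $env:COMPUTERNAME" }
        Export-PfxCertificate -Cert $cert -FilePath "C:\$file" -Password $pw | Out-Null
    }

    # Steps 24-31: import into the local machine Personal store on LON-SVR2.
    # -Exportable mirrors step 28; omit it in production so the key cannot
    # be lifted from the proxy again.
    $imported = Import-PfxCertificate -FilePath "\\$($e.Computer)\c$\$($e.File)" `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable

    # Checks before anything binds to this certificate: private key present
    # and the chain validates on this host.
    if (-not $imported.HasPrivateKey) { throw "$($e.Subject): imported without a private key" }
    if (-not $imported.Verify())      { throw "$($e.Subject): chain does not validate on LON-SVR2" }
    '{0}  {1}  OK' -f $imported.Thumbprint, $e.Subject

    # The PFX contains the private key; do not leave it on the admin share.
    Remove-Item "\\$($e.Computer)\c$\$($e.File)"
}
```

Two things the manual steps leave to the reader: the PFX file protects the private key with nothing but the password you typed in step 13, so it should be removed as soon as the import succeeds, and the Verify() check catches the case where LON-SVR2 does not trust the issuing CA, which would otherwise surface later as an opaque TLS failure in Web Application Proxy.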

Task 4: Configure Web Application Proxy


1. On LON-SVR2, in Server Manager, click the Notifications icon, and then click Open the Web
Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:

Federation service name: adfs.adatum.com

User name: Adatum\Administrator

Password: Pa$$w0rd


4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS
proxy box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
6. On the Results page, click Close.
7. The Remote Access Management Console opens automatically. Leave it open for the next task.

Task 5: Configure the test application in Web Application Proxy


1. On LON-SVR2, in the Remote Access Management Console, click Web Application Proxy.
2. In the Tasks pane, click Publish.
3. In the Publish New Application Wizard, on the Welcome page, click Next.
4. On the Preauthentication page, click Active Directory Federation Services (AD FS), and
then click Next.
5. On the Relying Party page, click A. Datum Test App and click Next.
6. On the Publishing Settings page, in the Name box, type A. Datum Test App.
7. In the External URL box, type https://lon-svr1.adatum.com/adatumtestapp/.
8. In the External certificate box, select lon-svr1.adatum.com.
9. In the Backend server URL box, type https://lon-svr1.adatum.com/adatumtestapp/, and
then click Next.
10. On the Confirmation page, click Publish.
11. On the Results page, click Close.
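Tasks 1, 4 and 5 done with the WebApplicationProxy module instead of the wizards, with a check on the one setting that decides whether the proxy protects the application at all. This is an added example, not part of the original lab guide. It runs on LON-SVR2 after the certificates from Tasks 2 and 3 have been imported; thumbprints are looked up by subject so no value is assumed. The backend URL equals the external URL only because the lab reuses the lon-svr1.adatum.com name on both sides; in production the external name is a public name that only the proxy answers for.

```powershell
# Added example (not from the lab guide): install Web Application Proxy,
# register it with adfs.adatum.com and publish the test application.
# Assumptions: run on LON-SVR2 as Adatum\Administrator; certificates for
# adfs.adatum.com and lon-svr1.adatum.com are in Cert:\LocalMachine\My.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null   # Task 1

function Get-Thumbprint([string]$subject) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($subject))" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $c) { throw "No certificate with a private key for $subject" }
    $c.Thumbprint
}

# Task 4: establish the trust with the federation service. The credential is
# used once to register the proxy and is not stored on LON-SVR2.
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Federation service trust credential'
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint (Get-Thumbprint 'adfs.adatum.com')

# Task 5: publish with AD FS preauthentication, so anonymous requests are
# redirected to the federation service and never reach LON-SVR1.
$appUrl = 'https://lon-svr1.adatum.com/adatumtestapp/'
Add-WebApplicationProxyApplication -Name 'A. Datum Test App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl $appUrl `
    -ExternalCertificateThumbprint (Get-Thumbprint 'lon-svr1.adatum.com') `
    -BackendServerUrl $appUrl

# Check: ADFS, not PassThrough. A PassThrough publication forwards
# unauthenticated traffic straight to the backend.
$app = Get-WebApplicationProxyApplication -Name 'A. Datum Test App'
if ($app.ExternalPreauthentication -ne 'ADFS') {
    throw "Preauthentication for '$($app.Name)' is $($app.ExternalPreauthentication), expected ADFS"
}
$app | Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The final check is the one worth keeping in any change-control script for the proxy: the published application's ExternalPreauthentication value is what makes the proxy an authenticating gateway rather than a plain reverse proxy.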

Task 6: Test Web Application Proxy


1. On TREY-DC1, on the Start screen, type Notepad.
2. Right-click Notepad, and then click Run as administrator.
3. In Notepad, click File, and then click Open.
4. In the File name box, type C:\Windows\System32\Drivers\etc\hosts, and then click Open.
5. At the bottom of the file, add the following two lines, click File, and then click Save:

172.16.0.22 adfs.adatum.com

172.16.0.22 lon-svr1.adatum.com

6. Close Notepad.
7. Open Internet Explorer.
8. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
9. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password Pa$$w0rd.
10. After the application loads, close Internet Explorer.

Deliverable 7. Capture a screenshot showing the result of step 9.
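The hosts-file change of Task 6 done idempotently, followed by a client-side check that the request really goes through the proxy and that an anonymous request is answered by a redirect to the federation service rather than by the application. This is an added example, not part of the original lab guide. It runs on TREY-DC1 as an administrator and assumes, as the lab's note implies, that 172.16.0.22 is the Web Application Proxy (LON-SVR2) and that TREY-DC1 already trusts the CA that issued the lab certificates (otherwise step 8 of the task would not succeed either).

```powershell
# Added example (not from the lab guide): Task 6 hosts entries plus a check
# that the published URL is served by the proxy with AD FS preauthentication.
# Assumption: 172.16.0.22 is LON-SVR2 (Web Application Proxy).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$entries   = @('172.16.0.22 adfs.adatum.com', '172.16.0.22 lon-svr1.adatum.com')
$current   = Get-Content $hostsPath
foreach ($line in $entries) {
    if ($current -notcontains $line) { Add-Content -Path $hostsPath -Value $line }
}

# Resolution must now go to the proxy. System.Net.Dns honours the hosts
# file; Resolve-DnsName does not, so it cannot be used for this check.
foreach ($name in 'adfs.adatum.com', 'lon-svr1.adatum.com') {
    $ip = [System.Net.Dns]::GetHostAddresses($name)[0].IPAddressToString
    if ($ip -ne '172.16.0.22') { throw "$name resolves to $ip, not to the proxy" }
}

# With AD FS preauthentication the first answer to an unauthenticated request
# is a redirect to the federation service, never the application page.
# Automatic redirects are disabled so that first answer is what we inspect.
$req = [System.Net.HttpWebRequest]::Create('https://lon-svr1.adatum.com/adatumtestapp/')
$req.AllowAutoRedirect     = $false
$req.UseDefaultCredentials = $false
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }
if (-not $resp) { throw 'No response from the proxy' }

$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()

if (($status -notin 301, 302) -or ($location -notlike 'https://adfs.adatum.com/*')) {
    throw "Expected a redirect to the federation service, got $status $location"
}
"Anonymous request was redirected to $location"
```

If the check throws with a 200 status, the proxy is passing traffic through without preauthentication or the name is still resolving to LON-SVR1 directly; either way the application is reachable without AD FS, which is the condition this exercise exists to prevent.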


Note: You edit the hosts file so that TREY-DC1 resolves adfs.adatum.com and lon-svr1.adatum.com to
the Web Application Proxy (172.16.0.22) and therefore reaches the application through the proxy
rather than directly. In a production environment you would achieve the same result with split DNS:
the public zone points the external names at the proxy, while the internal zone points them at the
federation server and the application server.

Results: After completing this exercise, you will have configured Web Application Proxy to secure
access to AdatumTestApp from the Internet.


Task 7: To Prepare for the Next Module


1. Revert the virtual machines to the snapshot created before starting the lab.


Conclusions:
State the conclusions you reached from the topics covered in practice in this lab.

Networks and Data Communications

Rubric
1. Outcome: Students implement and maintain computer networks and data telecommunication
systems, providing security for the media involved, applying modern techniques and tools.
1.3 Performance criterion: Develops information security solutions in information processing and
transfer environments.
Course: Administración de Sistemas Operativos Avanzados (Advanced Operating Systems Administration)
Activity: Implementación de AD FS (AD FS implementation)
Student name:
Teacher(s): Quispe Ruiz Pablo David Josué; César Arce Zarate
Date: 26/05/2016
Period: 2016-1
Semester:
Week: 13
Section:

Criteria to evaluate                                  Excellent  Good   Needs improvement  Not acceptable  Score achieved
Installation and configuration of AD FS                                                    2-0
Configuration of an internal application for AD FS                                         2-0
Configuration of AD FS for a federated partner                                             2-0
Configuration of a proxy for a web application                                             2-0
Total                                                 20-17      16-13  12-9               8-0

Additional: Bonus / Penalty
Final score:
Comment to the student(s):

Description
Excellent: Demonstrates a complete understanding of the problem, or performs the activity
meeting all the specified requirements.
Good: Demonstrates a considerable understanding of the problem, or performs the activity
meeting most of the specified requirements.
Needs improvement: Demonstrates a low understanding of the problem, or performs the activity
meeting few of the specified requirements.
Not acceptable: Demonstrates no understanding of the problem or the activity.
