ADFS



EMS TTT Online: ADFS

While Active Directory Domain Services (AD DS) is often required in Azure subscriptions to support other applications and workloads, customers may elect to deploy Active Directory Federation Services (AD FS) in Azure instead of in their on-premises environment, to take advantage of the associated features and to minimize the on-premises infrastructure changes required for deployment.

During this lab you will run several exercises that will help you understand how Active Directory Domain Services and Federation Services can be deployed in Microsoft Azure, including:

- Kerberos-based single sign-on (SSO) using AD FS for domain-joined clients on the private network. Split-brain DNS directs users on the corporate network to the internal IP address of the AD FS federation servers. You will add the federation service to the Local intranet zone in Internet Explorer via Active Directory Group Policy, so that browsers answer the HTTP 401 challenges from the AD FS servers with Kerberos authentication instead of prompting.
- Configuration of the Web Application Proxy (WAP) role in Windows Server 2012 R2.
- Creation of public endpoints on Azure virtual machines to make your AD FS deployment available on the public Internet.
- Single sign-on (SSO) for Office 365: you will configure federation with Office 365.

Note: To complete this lab you must have completed all the steps in the Setup/Pre-Requisite guide, including the "On-Premises" hydration and copying the Allfiles folder to the root of the C: drive on the DC1 VM.

Check the Current Status

Complete these steps from an internet-connected Windows computer.

Task: Allow HollyD to log on to WinServer

Note: Currently we have same sign-on: a user can log on to AD or to Azure AD with the same credentials, but has to enter them twice.
For a user to be able to log on to AD we need to allow logon to one of our servers.

  1. On the WinServer VM, logged in as Corp\LabAdmin, add HollyD to the local Administrators group.
  2. Sign out.

Note: Local Administrators membership is more than HollyD needs for this exercise; interactive logon over Remote Desktop only requires membership of the Remote Desktop Users group. The lab uses Administrators for convenience, so do not carry this step into a production build.

Task: Log on to AD and to AAD as a user

  1. Log off WinServer, then connect to it again as hollyd@<YourDomain>.<xxx> (usual password).
  2. Launch Internet Explorer and navigate to the myapps portal. When you are challenged, log on as hollyd@<YourDomain>.<xxx>.

Note: Holly does not have any apps yet, but she can log on and reach the myapps portal. This is same sign-on, not single sign-on: the Windows logon and the portal logon are two separate credential prompts.

Configure ADFS

Complete these steps from an internet-connected Windows computer.

Task: Export the certificate which ADFS will use

  1. Open Internet Explorer and navigate to the Azure management portal, signing in as admin@<YourDomain>.<xxx>.
  2. Select VIRTUAL MACHINES from the navigation bar on the left and connect to WinServer as Corp\LabAdmin with the password pass@word1.
  3. On the WinServer VM, signed in as Corp\LabAdmin, open Internet Information Services (IIS) Manager.
  4. Click WINSERVER and double-click the Server Certificates icon.
  5. Select the STS certificate and click Export…

Note: This certificate was created as part of the pre-requisites.

  6. In Export to, type \\DC1\C$\allfiles\STSExport.pfx, enter pass@word1 in the Password and Confirm password fields, and click OK.

Note: The .pfx file contains the private key of the federation service. Once it has been imported where it is needed, delete it from the Allfiles share (and later from the PROXYSERVER desktop) rather than leaving a copy lying around.

Task: Create the AD FS federation server

  1. On your internet-connected Windows PC, back in Internet Explorer in the management
portal, with VIRTUAL MACHINES still selected in the navigation bar on the left, connect to DC1 as Corp\LabAdmin with the password pass@word1.
  2. On the DC1 VM, open Server Manager.
  3. Click Manage and select Add Roles and Features.
  4. Click Next until you reach the Server Roles page and select the Active Directory Federation Services role.
  5. Complete the install wizard.

Note: Although this may not require a restart, we suggest you restart DC1 anyway. Reconnect to the VM as Corp\LabAdmin and, if necessary, open Server Manager.

  6. Select the flag at the top of Server Manager (it should show a yellow exclamation point) and click Configure the federation service on this server.
  7. Verify that Create the first federation server in a federation server farm is selected and click Next.
  8. Click Next on the Connect to AD DS page.
  9. Click Import…, navigate to C:\Allfiles, select the STSExport certificate you just exported, and click Open.
 10. In the Enter certificate password dialog, type pass@word1 and click OK.

Note: The Federation Service Name field is populated automatically with sts.<YourDomain>.<xxx> because the wizard takes it from the subject name on the certificate. Clients validate the TLS certificate against exactly this name, which is why the same name must exist in both the internal DNS zone and the public DNS later in the lab.

 11. Type <YourDomain> in the Federation Service Display Name field and click Next.
 12. Click Select, enter the LabAdmin account and password, and click Next.
 13. Click Next three more times and then click Configure.
 14. When all steps are complete, click Close.

Note: Often two or more AD FS servers are installed and configured in a farm. If these deployments are in Azure, you will also need to configure Azure internal load balancing. Using the LabAdmin account as the federation service account is a lab shortcut; in production use a dedicated service account (or a group Managed Service Account, which AD FS on Windows Server 2012 R2 supports) that holds no other privileges.

Task: Verify that the internal ADFS server DNS record exists

  1. Still on DC1, signed in as Corp\LabAdmin, open DNS Manager.
  2. Expand DC1, expand Forward Lookup Zones and click <YourDomain>.<xxx>.
  3. Verify that there is a Host (A) record for STS in <YourDomain>.<xxx>.

Note: This is the IP address that was assigned to the internal ADFS server.
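The same federation-server build, done from an elevated PowerShell session on DC1 as Corp\LabAdmin instead of through the wizards, is shown below as an added example; it is not part of the original lab. It covers the certificate import, the farm creation and the DNS record check above, plus the Site to Zone Assignment GPO that the next task builds through the Group Policy editor, and it adds two checks the wizards do not make for you (the HTTP service principal name and a Kerberos ticket request). Assumed from the lab text and not verified against a live tenant: the .pfx at C:\Allfiles\STSExport.pfx, the service name sts.<YourDomain>.<xxx>, the zone <YourDomain>.<xxx> hosted on DC1, and the AD domain corp.<YourDomain>.<xxx>.

```powershell
# Added example, not the lab's own script. Run elevated on DC1 as Corp\LabAdmin.
# Assumed values (replace the placeholders): federation service name, DNS zone, domain DN, PFX path.
$fsName   = 'sts.<YourDomain>.<xxx>'
$zone     = '<YourDomain>.<xxx>'                    # zone on DC1 that holds the STS host record
$domainDN = 'DC=corp,DC=<YourDomain>,DC=<xxx>'      # where the lab links the GPO
$pfxPath  = 'C:\Allfiles\STSExport.pfx'
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password (lab value: pass@word1)'

# 1. Import the service communications certificate into the machine store and keep its thumbprint.
#    Install-AdfsFarm binds by thumbprint, so a wrong file fails here rather than later in a browser.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
if ($cert.Subject -notlike "*CN=$fsName*") {
    throw "Certificate subject '$($cert.Subject)' is not $fsName; clients would reject the TLS name"
}

# 2. Install the role and create the first node of the farm. This reproduces the wizard defaults:
#    Windows Internal Database, and the account entered at "Click Select" as the service account.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$svcAccount = Get-Credential -Message 'Federation service account (lab: Corp\LabAdmin)'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName '<YourDomain>' `
                 -ServiceAccountCredential $svcAccount

# 3a. Kerberos needs HTTP/<service name> registered on the service account; without it the 401
#     challenge can only be answered with a password prompt. Install-AdfsFarm registers it; confirm.
$spnCheck = setspn -Q "HTTP/$fsName"
if ($spnCheck -match 'No such SPN') {
    Write-Warning "HTTP/$fsName is not registered on any account; integrated sign-on will prompt"
}

# 3b. Internal (split-brain) DNS: the corp-side zone must hand out this server's private address.
$record = Get-DnsServerResourceRecord -ZoneName $zone -Name 'sts' -RRType A -ErrorAction SilentlyContinue
if (-not $record) { throw "No A record for sts in $zone; create one pointing at DC1's internal IP" }
"sts.$zone resolves internally to $($record.RecordData.IPv4Address.IPAddressToString)"

# 4. The "IE Trusted Sites" GPO from the next task, written as the registry values the Internet Explorer
#    Site to Zone Assignment List policy produces. Zone 1 = Local intranet, the only zone whose default
#    logon setting sends the current Windows credentials automatically; 2 (Trusted sites) would prompt.
New-GPO -Name 'IE Trusted Sites' | New-GPLink -Target $domainDN -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name 'IE Trusted Sites' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'IE Trusted Sites' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' `
    -ValueName $fsName -Type String -Value '1' | Out-Null

# 5. End-to-end Kerberos check independent of any browser: ask the KDC for a service ticket to the
#    federation service. Run this on any domain-joined machine (WinServer after gpupdate /force).
#    If this succeeds but IE still prompts, the problem is the zone mapping, not DNS, SPN or Kerberos.
klist get "HTTP/$fsName"
```

Step 5 is the useful diagnostic: `klist get` exercises DNS, the SPN and the KDC without involving Internet Explorer, so a failure there points at the directory while a success there combined with a browser prompt points at the zone assignment. The DNS record checked in step 3b is the internal half of the split-brain setup the next paragraph describes.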
We are configuring DNS so that clients on the private network resolve the STS host record to this IP address.

Task: Assign AD FS as an intranet site in Internet Explorer via Group Policy

  1. Still on the DC1 VM, open Group Policy Management.
  2. Expand Forest: corp.<YourDomain>.<xxx>, expand Domains, right-click corp.<YourDomain>.<xxx> and select Create a GPO in this domain, and Link it here…
  3. Type IE Trusted Sites in the Name field and click OK.
  4. Expand corp.<YourDomain>.<xxx>, right-click IE Trusted Sites and click Edit…
  5. Expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, and then click Security Page.
  6. In the right-hand pane, double-click Site to Zone Assignment List.
  7. Select Enabled.
  8. Click Show…
  9. Type STS.<YourDomain>.<xxx> in the Value name field, type 1 in the Value field, and click OK.
 10. Click OK.

Note: Despite the GPO's name, the value 1 places the site in the Local intranet zone; 2 would be Trusted sites. The distinction matters: the default security level of the Trusted sites zone only performs automatic logon for intranet-zone sites, so Kerberos SSO to AD FS works only when sts.<YourDomain>.<xxx> is mapped to zone 1.

Task: Connect to the client and update Group Policy

  1. Switch to the WinServer VM and, if necessary, sign in as Corp\LabAdmin.
  2. Open Windows PowerShell as an administrator.
  3. In the Windows PowerShell console, enter the following command:

     gpupdate /force

Note: This is probably not necessary at this point, but we want to make sure the changes from this exercise are applied to the WinServer VM.

Task: Test Kerberos-based single sign-on to AD FS

  1. From the WinServer VM, close all Internet Explorer windows, then open Internet Explorer and browse to the AD FS sign-in page.
  2. Click Sign in.
  3. Verify that you are signed in successfully without being prompted for credentials.

Deploy a Web Application Proxy

Complete these steps from an internet-connected Windows computer.

Task: Import the SSL certificate to the PROXYSERVER server

  1. Switch to the DC1 VM.
  2. On the DC1 VM, logged in as Corp\LabAdmin, open Windows Explorer and browse to C:\AllFiles.
  3. Right-click STSExport and click Copy.
  4. On your internet-connected Windows PC, back in Internet Explorer in the management
portal, with VIRTUAL MACHINES still selected in the navigation bar on the left, connect to PROXYSERVER as LabAdmin with the password pass@word1.
  5. On the PROXYSERVER VM, logged in as LabAdmin (this server is not domain-joined, but it has a similar local LabAdmin account with the same password), open Windows Explorer and navigate to the Desktop.
  6. Right-click and select Paste to paste STSExport onto the desktop.
  7. From the Start menu, type certlm.msc and press Enter.
  8. Click Yes.
  9. In the navigation pane, expand Personal, right-click Certificates, click All Tasks, and then click Import…
 10. Click Next.
 11. Type C:\Users\LabAdmin\Desktop\STSExport.pfx and click Next.
 12. Type pass@word1 in the Password field, select Mark this key as exportable…, and click Next.
 13. Click Next, click Finish, and then click OK.
 14. You should now see STS.<YourDomain>.<xxx> in the local computer's Personal certificates.

Note: Marking the key exportable is convenient in a lab, but on an Internet-facing proxy it makes it trivial for anyone with local administrator rights to export the private key for sts.<YourDomain>.<xxx>. Leave it unchecked in production, and delete the .pfx from the desktop once it has been imported.

Task: Configure the Web Application Proxy role on PROXYSERVER

  1. On the PROXYSERVER VM, open Server Manager.
  2. Click Manage and select Add Roles and Features.
  3. On the Server Roles page, select Remote Access.
  4. Click Next until you reach the Role Services page, select Web Application Proxy, and complete the wizard.
  5. From the Tools menu, select Remote Access Management.
  6. In the navigation pane, click Web Application Proxy.
  7. Click Run the Web Application Proxy Configuration Wizard.
  8. Click Next.
  9. Type sts.<YourDomain>.<xxx> in the Federation service name field.
 10. Type corp\LabAdmin in the User name field, enter the password, and click Next.
 11. Select the STS.<YourDomain>.<xxx> SSL certificate you just imported and click Next.
 12. Click Configure.
 13. Click Close.

Note: The wizard establishes the proxy trust by connecting to the federation service name over HTTPS, so PROXYSERVER, which is not domain-joined, must resolve sts.<YourDomain>.<xxx> to the internal address of DC1 and must trust the issuer of the STS certificate. If the wizard fails on its first page, check name resolution on the proxy before anything else. The credential entered in step 10 is used only to establish the trust; it is not stored on the proxy.

Create Public Endpoints

Complete these steps from an internet-connected Windows computer.
Task: Allow HTTPS traffic into the PROXYSERVER

Note: Perform the following steps from your internet-connected Windows computer.

  1. If it is not already open, navigate to the management portal and sign in using your admin credentials, admin@<YourDomain>.<xxx>.
  2. Click Virtual Machines in the left navigation bar.
  3. Click PROXYSERVER and click the ENDPOINTS tab.
  4. Click ADD in the command bar at the bottom.
  5. Verify that ADD A STAND-ALONE ENDPOINT is selected and click the right arrow in the bottom-right of the dialog box.
  6. Select HTTPS from the Name field and click the tick.
  7. Click DASHBOARD; about half way down on the right you can see the DNS name. Copy it.

Note: Often deployments have two or more Web Application Proxies, in which case you create a load-balanced set of endpoints for HTTPS to balance the traffic across your Web Application Proxy instances. Only the HTTPS (TCP 443) endpoint is required for AD FS traffic; do not expose anything else on the proxy to the Internet.

Task: Add the necessary DNS record

  1. In Internet Explorer, sign in to your DNS provider (whichever one you used to set up DNS for <YourDomain>.<xxx>) and locate the DNS settings for your domain.
  2. Create a new CNAME record with the host name STS, and paste or type the DNS name you copied from the PROXYSERVER dashboard as the target host value (something like <YourDomain>.).

Note: This is the public half of the split-brain DNS. Internal clients resolve sts.<YourDomain>.<xxx> from the zone on DC1 to the federation server and authenticate with Kerberos; Internet clients resolve the same name through this CNAME to the Web Application Proxy and get the forms-based sign-in page.

Task: Verify AD FS is online and accessible from the Internet

  1. Still on your local machine, in Internet Explorer, navigate to the AD FS sign-in page.
  2. Verify that the IdP-initiated sign-in page is displayed.
  3. Click Sign in and sign in with the user name LabAdmin@<YourDomain>.<xxx>.
  4. Verify that you are signed in successfully.

Configure Single Sign-On for Office 365

Complete these steps from an internet-connected Windows computer.

Task: Convert the domain to a federated domain

  1. On your local machine, if necessary, open Internet Explorer and navigate to the management portal, logging on as admin@<YourDomain>.<xxx>.
  2. Select the Contoso...
and directory, then click USERS.
  3. Find and edit the account called MOD Administrator that is using the account name Admin@<YourTenant>.
  4. Change the user's FIRST NAME, DISPLAY NAME and user name to Admin2.

Note: This is to avoid confusion later over which admin account we are talking about; the user name should be Admin2@<YourTenant>.

  5. Click Save.

Note: We need an account with the @<YourTenant>. suffix because the domain must be converted using an account whose suffix is different from the domain being converted. In our case we want to convert @<YourDomain>.<xxx>, and every user in that domain, including admin@<YourDomain>.<xxx>, is redirected to AD FS as soon as the conversion completes, so an account outside the domain is the only one guaranteed to keep working if AD FS is misconfigured.

  6. Sign out and sign in as admin2@<YourTenant>. (e.g. admin2@MOD485467.).
  7. On the DC1 VM, logged in as Corp\LabAdmin, open Windows Azure Active Directory Module for Windows PowerShell as an administrator.
  8. Click Yes.
  9. In Windows PowerShell, enter the following command:

     $cred = Get-Credential

 10. In the Windows PowerShell credentials dialog, sign in as Admin2@<YourTenant>. with the password pass@word1.
 11. Enter the following command:

     Connect-MsolService -Credential $cred

 12. Enter the following command:

     Get-MsolDomain

     Here we can see the current status of the domains within this tenant.
 13. Enter the following command:

     Set-MsolADFSContext -Computer DC1.corp.<YourDomain>.<xxx>

 14. Enter the following command:

     Convert-MsolDomainToFederated -DomainName <YourDomain>.<xxx>

 15. Enter the following command:

     Get-MsolDomain

     Notice that <YourDomain>.<xxx> is now Federated.
 16. Close PowerShell.

Note: Convert-MsolDomainToFederated reads the federation metadata from the AD FS server named in Set-MsolADFSContext, uploads its token-signing certificate and endpoint URLs to Azure AD, and creates the Microsoft Office 365 Identity Platform relying party trust in AD FS. Point Set-MsolADFSContext at a federation server (here DC1, the farm's first node), never at the Web Application Proxy.

Task: Test ADFS

Note: These lab steps should be completed from your internet-connected Windows computer.

  1. Close all Internet Explorer windows.
  2. Open Internet Explorer and navigate to the Office 365 sign-in page.
  3. Enter the user name HollyD@<YourDomain>.<xxx> and click the password box (or press Tab). Notice that you are redirected to the AD FS sign-in page (you may need to wait for the change to take effect).
  4. Complete the sign-in and verify that you are signed in successfully.

Task: Test SSO

  1. Close any Internet Explorer sessions, go back to the Azure admin portal, log in as one of the admins, and connect to the
WinServer VM, but this time sign in as HollyD@<YourDomain>.<xxx>.
  2. Open Internet Explorer and browse to the myapps portal.
  3. Enter HollyD@<YourDomain>.<xxx> and either click the password field or press Tab. You are redirected to the AD FS server, which authenticates you automatically: because you are already logged on to the domain, the browser answers the AD FS 401 challenge with a Kerberos ticket, and you are then taken to the portal. This is single sign-on.
  4. Log off WinServer.
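The following script, an added example that is not part of the original lab, is a read-only check to run from the internet-connected PC once the Test SSO task is complete. It verifies the Create Public Endpoints, Add the necessary DNS record and Convert the domain tasks together: the public CNAME, the certificate the proxy serves on port 443, the federation metadata AD FS publishes, and whether the issuer, passive sign-on URL and token-signing certificate Azure AD holds for the domain match what AD FS actually publishes. Assumed: <YourDomain>.<xxx> and sts.<YourDomain>.<xxx> as in the lab, the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) installed on the local PC, and the admin2@<YourTenant>. account from the Convert task. The TLS check deliberately accepts any certificate so that the certificate and its validation errors can be reported; it is a diagnostic, not a pattern for production code.

```powershell
# Added example, not the lab's own script. Run from the internet-connected PC; nothing here changes state.
$domain = '<YourDomain>.<xxx>'      # assumed placeholder, as in the lab
$sts    = "sts.$domain"

# 1. Public DNS: from the Internet the name must be the registrar CNAME to the PROXYSERVER cloud service,
#    not the private address the corp zone on DC1 hands to internal clients.
$cname = Resolve-DnsName $sts -Type CNAME -ErrorAction Stop
"$sts is a CNAME for $($cname.NameHost)"

# 2. TLS on 443 at the proxy. The callback records validation errors instead of hiding them and then
#    accepts the connection, so the served certificate can be inspected even when the chain is broken.
$script:tlsErrors = 'None'
$tcp = New-Object Net.Sockets.TcpClient($sts, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
        [Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $script:tlsErrors = $e; $true })
$ssl.AuthenticateAsClient($sts)
$served = [Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()
"Served certificate: $($served.Subject), expires $($served.NotAfter), validation result: $tlsErrors"

# 3. Federation metadata published by AD FS (through the proxy): the issuer identifier and the
#    token-signing certificate that Convert-MsolDomainToFederated should have handed to Azure AD.
$meta   = Invoke-RestMethod -Uri "https://$sts/FederationMetadata/2007-06/FederationMetadata.xml"
$issuer = $meta.EntityDescriptor.entityID
$signingB64 = $meta.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate } |
    Select-Object -First 1
$adfsSigning = [Security.Cryptography.X509Certificates.X509Certificate2][Convert]::FromBase64String($signingB64)

# 4. What Azure AD believes about the domain. Connect with the onmicrosoft admin, as in the Convert task.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'admin2@<YourTenant>.')
$dom = Get-MsolDomain -DomainName $domain
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$aadSigning = [Security.Cryptography.X509Certificates.X509Certificate2][Convert]::FromBase64String($fed.SigningCertificate)

# 5. Compare the two sides. A False here explains a failed redirect or a rejected token before a browser
#    is opened: IssuerMatches and SigningCertMatches are the values Azure AD uses to accept AD FS tokens,
#    PassiveUriOnSts is where the Office 365 sign-in page redirects federated users.
[pscustomobject]@{
    DomainAuthentication = $dom.Authentication                                  # expected: Federated
    IssuerMatches        = ($fed.IssuerUri -eq $issuer)
    PassiveUriOnSts      = ($fed.PassiveLogOnUri -like "https://$sts/*")
    SigningCertMatches   = ($aadSigning.Thumbprint -eq $adfsSigning.Thumbprint)
    ServedCertIsSts      = ($served.Subject -like "*CN=$sts*")
    TlsValidation        = $tlsErrors                                           # expected: None
} | Format-List
```

If SigningCertMatches is False after AD FS has rolled its token-signing certificate, Update-MsolFederatedDomain (from the same module, run against the federation server) is the cmdlet that pushes the new certificate to Azure AD; the script above only reports the mismatch.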