Objectives:
At the end of the lab, the student will be able to:
Install and configure AD FS
Safety:
Place briefcases and/or backpacks in the cabinet at the back of the lab classroom or in the lockers
assigned to the student.
Do not bring liquids or food into the lab classroom.
At the end of the lab session, shut down the computer and the monitor properly, and
tidy the chairs that were used.
Equipment and Materials:
DVD:
Windows Server 2012
Lab Guide
Page 1
Procedure:
Scenario A
A. Datum has established a number of business relationships with other companies and customers. Some
of these companies and customers need to access the company's applications that are
running on the A. Datum network. A. Datum wants to provide the maximum level of functionality and
access to the other companies. The security and operations departments want to ensure
that partners and customers can access only the resources that apply to them.
A. Datum is also working on migrating some parts of the network infrastructure to
Microsoft Online services, including Windows Azure and Office 365.
To meet these requirements, A. Datum plans to implement AD FS. In the
initial implementation, the company plans to use AD FS to implement SSO for the
internal users who access an application on a web server.
As one of the A. Datum administrators, it is your responsibility to implement the AD FS solution.
As a proof of concept, you plan to implement a sample application, and you will configure AD
FS to enable the internal users to access the application.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1
and LON-CL1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.
Task 3: Install AD FS
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and
then click Next.
4. On the Select destination server page, click Select a server from the server pool, click
LON-DC1.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check
Task 4: Configure AD FS
1. On LON-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click
Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.
Note: The adfs.adatum.com certificate was preconfigured for this task. In your own environment, you
need to obtain this certificate.
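Tasks 3 and 4 as a PowerShell script, an added example that is not part of the lab guide. It assumes the AD FS cmdlets that ship with the Windows Server 2012 R2 role (Install-AdfsFarm), and that the adfs.adatum.com certificate and the adfsService account already exist, as the lab states; the metadata check at the end is the verification the Results line refers to.

```powershell
# Added example (not part of the lab guide): Tasks 3 and 4 as PowerShell on LON-DC1,
# run as Adatum\Administrator. Assumes the AD FS cmdlets of the Windows Server 2012 R2
# role (Install-AdfsFarm), and that the adfs.adatum.com certificate and the adfsService
# account already exist, as the lab states.

# Task 3: install the role; the management tools carry the ADFS PowerShell module.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Task 4, step 4: the preconfigured adfs.adatum.com certificate, chosen by subject and
# only if its private key is present in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No adfs.adatum.com certificate with a private key in LocalMachine\My' }

# Task 4, steps 6-8: the service account; prompting keeps the password out of the script.
$svcCred = Get-Credential -UserName 'Adatum\adfsService' -Message 'AD FS service account password'

# Task 4, steps 2-9: first server of a new farm. With no SQL connection string the
# configuration database is created in the Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName 'adfs.adatum.com' `
                 -FederationServiceDisplayName 'A. Datum Corporation' `
                 -ServiceAccountCredential $svcCred

# Check (the verification the Results line refers to): the service publishes signed
# federation metadata and reports the identifier that relying parties will trust.
$metadataUrl = 'https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml'
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
"entityID  : $($metadata.EntityDescriptor.entityID)"
"signed    : $($null -ne $metadata.EntityDescriptor.Signature)"
"identifier: $((Get-AdfsProperties).Identifier)"
```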
Results: In this exercise, you installed and configured AD FS. You also verified that it is functioning by
viewing the FederationMetaData.xml file contents.
Organization: A. Datum
Organizational unit: IT
City/locality: London
State/Province: England
Country/region: GB
User-Principal-Name: UPN
Display-Name: Name
9. In the Edit Claim Rules for Active Directory window, click OK.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and
then click Finish.
9. In the Success window, click OK.
10. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
11. In the Claim rule name box, type Pass through UPN.
12. In the Incoming claim type drop-down list, click UPN, and then click Finish.
13. On the Issuance Transform Rules tab, click Add Rule.
14. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
15. In the Claim rule name box, type Pass through Name.
16. In the Incoming claim type drop-down list, click Name, and then click Finish.
17. On the Issuance Transform Rules tab, click OK.
Note: It is critical to use the trailing slash in the URL for step 2.
3. In the Windows Security window, sign in as Adatum\Brad with the password Pa$$w0rd.
4. Review the claim information that the application displays.
5. Close Internet Explorer.
Deliverable 2. Capture the screen that shows the result of step 4.
Task 7: Configure Internet Explorer to pass local credentials to the application automatically
1. On LON-CL1, on the Start screen, type Internet Options, and then click Internet Options.
2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.
3. In the Local intranet window, click Advanced.
4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.
5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and
then click Close.
6. In the Local intranet window, click OK.
7. In the Internet Properties window, click OK.
8. On LON-CL1, open Internet Explorer.
9. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter.
Note: It is critical to use the trailing slash in the URL for step 9.
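Steps 1 to 7 of Task 7 as PowerShell, an added example that is not part of the lab guide. It writes the same per-user ZoneMap registry entries that the Internet Options dialog writes (zone id 1 is Local intranet); the host names are the lab's, and the listing at the end is an added check.

```powershell
# Added example (not part of the lab guide): Task 7 steps 1-7 as PowerShell on LON-CL1,
# writing the same per-user ZoneMap registry entries that Internet Options writes.
# Zone id 1 is Local intranet; the two host names are the lab's. Run as the signed-in user.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$sites   = @{ 'adatum.com' = @('adfs', 'lon-svr1') }   # domain -> host labels (steps 4 and 5)

foreach ($domain in $sites.Keys) {
    foreach ($label in $sites[$domain]) {
        $key = Join-Path (Join-Path $zoneMap $domain) $label
        New-Item -Path $key -Force | Out-Null
        # The value name is the scheme. Only https is mapped, as in the lab, so a plain
        # http:// URL to the same host stays in the Internet zone and gets no automatic logon.
        New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Check: what is now mapped into the Local intranet zone for adatum.com.
Get-ChildItem -Path (Join-Path $zoneMap 'adatum.com') | ForEach-Object {
    $https = (Get-ItemProperty -Path $_.PSPath).https
    "https://$($_.PSChildName).adatum.com -> zone $https"
}
```

Because the Local intranet zone is where Internet Explorer sends the signed-in user's Windows credentials automatically, only hosts the organization controls belong in it; that is why the lab adds exactly these two names rather than the whole domain.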
Results: After completing this exercise, you will have configured AD FS to support authentication for an
application.
Note: In a production environment, it is likely that you would use Internet DNS instead of conditional
forwarders.
Note: If you obtain certificates from a trusted certification authority, you do not need to configure a
certificate trust between the organizations.
Organizational unit: IT
City/locality: London
State/Province: England
Country/region: GB
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.
Task 9: Configure a relying party trust in TreyResearch.net for the Adatum.com application
1. On TREY-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and then
click Next.
7. On the Specify Display Name page, in the Display name text box, type A. Datum
Corporation, and then click Next.
8. On the Configure Multi-Factor Authentication Now page, click I do not want to configure
multi-factor authentication settings for this relying party trust at this time, and then click
Next.
9. On the Choose Issuance Authorization Rules page, select Permit all users to access this
relying party, and then click Next.
10. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next to
save the configuration.
11. On the Finish page, select the Open the Edit Claim Rules dialog box for the relying party
trust when the wizard closes check box, and then click Close.
12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform Rules tab,
click Add Rule.
13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account name.
15. In the Incoming claim type drop-down list, select Windows account name.
16. Click Pass through all claim values, click Finish, and then click OK.
17. Close the AD FS management console.
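Task 9 as PowerShell, an added example that is not part of the lab guide. It creates the relying party trust from A. Datum's published metadata and writes the "Permit all users" and "Pass through Windows account name" rules in claim rule language; the same pass-through template with the upn or name claim type produces the "Pass through UPN" and "Pass through Name" rules of the earlier task. The metadata URL and the names follow the lab.

```powershell
# Added example (not part of the lab guide): Task 9 as PowerShell, run on TREY-DC1 in the
# TreyResearch.net forest with the AD FS module available. Names and URLs follow the lab.

# Step 6 imports metadata by host name; the full URL that AD FS publishes is this one.
$metadataUrl = 'https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Step 9, "Permit all users to access this relying party", in claim rule language.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 12-16, "Pass through Windows account name" (Pass Through or Filter an Incoming Claim,
# all values). The same template with the upn or name claim type gives the
# "Pass through UPN" / "Pass through Name" rules of the earlier task.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Steps 4-8 and 10: create the trust from the published metadata (no MFA settings, step 8).
# Monitoring and auto-update keep the trust following Adatum's token-signing certificate
# rollover instead of breaking when the certificate in the metadata changes.
Add-AdfsRelyingPartyTrust -Name 'A. Datum Corporation' `
                          -MetadataUrl $metadataUrl `
                          -IssuanceAuthorizationRules $authzRules `
                          -IssuanceTransformRules $transformRules `
                          -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check: the trust exists and took its identifier from the metadata.
Get-AdfsRelyingPartyTrust -Name 'A. Datum Corporation' |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled
```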
Note: You are not prompted for a home realm on the second access. Once users have selected a
home realm and have been authenticated by a realm authority, they are issued a _LSRealm cookie by
the relying-party's federation server. The default lifetime for the cookie is 30 days. Therefore, to sign in
multiple times, you should delete that cookie after each logon attempt to return to a clean state.
9. Verify that you can access the application because Ben is a member of the production group.
Deliverable 6. Capture the screen that shows the result of step 9.
Results: After completing this exercise, you will have configured access for a claims-aware application
in a partner organization.
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.
32. Close the Microsoft Management Console and do not save the changes.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\lon-svr1.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close the
success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is
running on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-SVR1\c$\lon-svr1.pfx, and then
click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear the
success message.
32. Close the Microsoft Management Console and do not save the changes.
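The certificate export and import of steps 10 to 32 as PowerShell, an added example that is not part of the lab guide. It uses the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate) and PowerShell remoting to LON-SVR2, both present on Windows Server 2012 and later; the adfs.adatum.com certificate and the C:\adfs.pfx path are the lab's, and the thumbprint comparison and the cleanup of the .pfx files are additions.

```powershell
# Added example (not part of the lab guide): steps 10-32 of the certificate copy as
# PowerShell, run on LON-DC1 as Adatum\Administrator. Uses the PKI module cmdlets
# (Export-PfxCertificate / Import-PfxCertificate) and PowerShell remoting to LON-SVR2,
# both present on Windows Server 2012 and later. The thumbprint check is an addition.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # step 13
$pfxPath     = 'C:\adfs.pfx'                                       # step 14

# Steps 10-15 on LON-DC1: export the adfs.adatum.com certificate together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'adfs.adatum.com certificate with a private key not found' }
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Copy the file to LON-SVR2 first: importing from \\LON-DC1\c$ inside the remote session
# would be a second Kerberos hop and fail without delegation.
Copy-Item -Path $pfxPath -Destination '\\LON-SVR2\c$\adfs.pfx'

# Steps 17-31 on LON-SVR2: import into Certificates (Local Computer) > Personal.
# -Exportable is the "Mark this key as exportable" check box (step 28).
$imported = Invoke-Command -ComputerName LON-SVR2 -ArgumentList $pfxPassword -ScriptBlock {
    param([securestring]$pw)
    $c = Import-PfxCertificate -FilePath 'C:\adfs.pfx' -CertStoreLocation Cert:\LocalMachine\My `
                               -Password $pw -Exportable
    Remove-Item 'C:\adfs.pfx' -Force   # the file holds the private key; do not leave it behind
    $c
}

# Check: the same key pair now sits on both machines, and the private key came with it.
if ($imported.Thumbprint -ne $cert.Thumbprint) { throw "thumbprint mismatch: $($imported.Thumbprint)" }
if (-not $imported.HasPrivateKey) { throw 'private key missing on LON-SVR2' }
Remove-Item $pfxPath -Force
"adfs.adatum.com ($($cert.Thumbprint)) imported on LON-SVR2"
```

The same sequence, with the subject changed to lon-svr1.adatum.com and the file to C:\lon-svr1.pfx, covers the second export and import shown above.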
Password: Pa$$w0rd
172.16.0.22 adfs.adatum.com
172.16.0.22 lon-svr1.adatum.com
6. Close Notepad.
7. Open Internet Explorer.
8. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
9. In the Windows Security dialog box, sign in as TreyResearch\Ben with password Pa$$w0rd.
10. After the application loads, close Internet Explorer.
Note: You edit the hosts file to force TREY-DC1 to access the application through Web Application Proxy.
In a production environment, you would do this by using split DNS.
Results: After completing this exercise, you will have configured Web Application Proxy to secure
access to AdatumTestApp from the Internet.
Conclusions:
State the conclusions you reached after the topics covered in practice in this
lab.
Performance criterion
Course:
Activity: Implementation of AD FS
Date: 26/05/2016
Period: 2016-1
Semester:
Week: 13
Section:

Criteria to evaluate   Excellent   Good    Needs improvement   Not acceptable   Score achieved
                       2-0         2-0     2-0                 2-0
Total                  20-17       16-13   12-9                8-0

Additional: Bonus   Penalty   Final score
Comment to the student(s):

Description
Excellent: Demonstrates a complete understanding of the problem or carries out the activity
meeting all of the specified requirements.
Good: Demonstrates a considerable understanding of the problem or carries out the activity
meeting most of the specified requirements.
Needs improvement: Demonstrates a low understanding of the problem or carries out the activity
meeting few of the specified requirements.
Not acceptable: Does not demonstrate an understanding of the problem or of the activity.