IntroToADM04_high

And we're back to continue our introduction to Active Directory with Active Directory Federation Services. So far we've covered AD DS and AD CS; we're just going to keep trucking until we get to the end of Active Directory and all of its different components. We start off with AD FS and a quick overview: what it is, what we use it for, and what parts make it up.

Jumping right into Lesson One: what is identity federation, what identity federation scenarios are there, and what are the benefits of deploying it? It really comes down to: why would we use Active Directory Federation Services? We have domain trusts; we learned about those in Active Directory Domain Services. What's the advantage of this over that?

Identity federation is a process that enables identification, authentication and authorization across organizational and platform boundaries. This is a nice advantage over Active Directory Domain Services when you want to cross that boundary. We talked about Domain Services as an organizational boundary; that's what it's for, it's to contain your organization's users, computers, groups and other objects. Identity federation requires a trust relationship between two organizations or entities, and it allows organizations to retain control of resource access and of their own user and group accounts. Now those two, just to make sure we don't get a little confused, are different: what Active Directory Federation Services allows for is one side of that trust to manage resources and one side to manage accounts, and we're going to get to that in just a minute.

Identity federation scenarios include federation for business to business: if I want to connect to a partner organization and allow their accounts into my applications, or vice versa. Federation for business to consumer or business to employee, and a web single sign-on scenario, enables businesses to provide single sign-on for a business partner or other business; you know that as a separate domain. This one allows a business that has a perimeter network domain to provide authentication for internal user accounts. For example, I'm at work, I log into internal websites, no trouble; I'm logging into my computer, which is already using authentication credentials I have already acquired. I go home at the end of the day and I want to get into those same resources. Can I do that? This allows me to do so by logging into those resources through an external path and using Federation Services to connect my internal domain account to that external resource and log me in with the same credentials. The last one, federation within an organization across multiple web applications: if for some reason the organization has web applications that use potentially different authentication stores or different authentication mechanisms that can't automatically authorize a user through Windows itself, this is a scenario where you could also use Federation Services.

Benefits of deploying: well, I think in our conversation about what those scenarios are we've gone over some of those benefits. Improved security and control over authentication: it doesn't allow for anything additional over, say, Active Directory Domain Services; what it does is extend that security and control over authentication potentially outside the boundaries of your existing organization. Regulatory compliance: the ability to authenticate users from outside without having to expose your internal authentication mechanisms to the outside world, using AD FS to cross perimeter network boundaries. And interoperability with heterogeneous systems, if you're interacting either internally or externally with non-Windows systems. It works with Active Directory Domain Services or Active Directory Lightweight Directory Services, which we're going to get to later, and it can optionally, here at the bottom, extend Active Directory Domain Services to the Internet.

We're going to jump right across real quick and we're going to install this role and take a look at what it comprises. All right, here we are on the desktop of our demo environment. We're going to launch Server Manager. We're going to add roles and features; we've seen this now twice with both Domain Services and Certificate Services, and we're going to install our next role, in this case Federation Services. Once again we get our features if we need any; we don't in this case. We do have options: there are components to Federation Services we haven't talked about yet. In this case we're just going to go ahead and install the Federation Service itself; we're not going to worry about the proxy or the web agents. We'll talk about them later; we're not actually going to implement them in any demos, but this is the screen where you would install those where you're going to use them, and we'll cover that quickly later on. And we install. This installation shouldn't take very long at all, and you should be able to jump right in and configure within sixty seconds. That's finished; we close this. Now right away we get AD FS on the left side, our status

configuration required for Federation Service at server; click the More button and that's going to take us to our initial configuration requirement. I'm going to leave this and we'll come back to it in a few minutes. So that wraps up our demo. Let's jump back into the lesson to talk a little bit more in detail about federation trusts and what they are.

What is a federation trust? Well, it is the ability of one organization to trust another for some component of authentication. In this case it's a resource partner organization trusting an account partner organization. If we're the resource partner, we're allowing those accounts to authenticate to use our resources. That's the way these trusts flow; it is one way by default. And in this case, in terms of the diagram, an interesting little pointer: in any diagrams where you see trust involved, the arrows point to where the accounts are. The resource partner is trusting in that direction, toward the account partner.

The AD FS components: we've already talked about one of these, the AD DS domain controllers. We've used those in Domain Services; we've seen them, we've set them up. The rest of these are Federation Services specific. AD FS federation servers: I have, for the sake of the conversation, combined them in definition, your account federation servers and resource federation servers. We have the same definition, just on different sides of this trust. A federation server is a computer that runs a specialized web service that can issue, manage and validate requests for security tokens and identity management. They sit on both sides of this equation; they communicate with each other to allow resources and users to communicate with each other. Federation server proxies, both account and resource federation server proxies, allow for the exchange of the components required to accommodate that authentication through perimeter network boundaries. We don't necessarily want to expose our actual federation servers to, in this case, the Internet or to another organization, so we allow for proxies to sit in perimeter networks to pass those communications through internal firewalls. And the AD FS web agent is a piece of software that sits on a web server and allows for authentication, or allows for applications on that server to honor requests using the tokens provided by Active Directory Federation Services.

So in this one we're going to talk a little bit more about how this process works. I talked about it in the last slide; this one is going to walk us through a step at a time. In step one an external user accesses a web application by logging on to that web application: they type that URL into a browser and attempt to get to that location. Because it's a resource in the resource partner organization, I'm going to hit that resource federation server. That resource federation server is going to send me to my account federation server to get a token containing my credentials and tying those to a claim. That's what this arrow between Active Directory Domain Services and the account federation server is: it's going to go and get my user account connected to the claims built within the account federation server and send that back to me. I'm going to pass that back to the resource federation server and say, not only am I a user attempting to authenticate, but here are my claims per my account organization into your organization. Those claims get mapped to the resources in the resource organization, and it sends me to the web server to actually get access to the application.

Configuring these components: it's a lot of components. We have federation servers, we have federation proxies, we have web agents; we have a number of things to configure to make this all work. So: configuration options, what are trust policies, another demonstration where we're actually going to run through the initial configuration of the Federation Services console, the web proxy agent configuration options we're going to talk about, and then what are claims, the foundation of this entire service.

Service configuration options: to get this running there are a number of things I have to do. I have to create trust policies: what users do we want to access what resources. And that goes along with the second one, organizational claims; those claims are very similar to groups, they are going to be used across the boundary to define how access is granted. Account stores: those are the accounts we're going to be tying to from Active Directory. And then create and configure applications: we need applications to be able to consume Federation Services to allow access to those users.

Trust policies are the config settings that define how to configure a federated trust and how the federated trust works. Resource partner trust policies include token lifetime, how long the tokens I'm going to get are good for; Federation Service URIs and endpoint URLs, again, the servers have to know about each other, my account Federation Services and the resource organization's Federation Services have to be

aware of each other; and the option to use a Windows trust relationship for this partner if one exists. In this case, kind of the idea of Federation Services is not to use Windows trusts. In addition, the account partner trust policies include the location for a certificate: we want to make sure that the resources we're logging into are valid, and we're going to use certificates for that; and options for configuring how resource accounts are created.

I'm going to go ahead and jump back to the demo real quick and we're going to look at this initial configuration and see what these options look like in the actual software. This is our All Servers task details. We did the installation; we got the notification that more configuration was required, post-deployment configuration required. We're going to click on the link right here in the Action column to bring that snap-in up. This is what it's going to give me. One of the really nice things about AD FS, especially in this case in Server 2012, is that it gives us a smoother installation and configuration experience. It gives me right here step one: configure this federation server. We want to do a new federation service; we don't have one already. This is a new farm; we don't have one. In this case we can use a standalone server, it's just this server. The reason we have the farm option, it says right here, is high availability and load balancing: if we have tens of thousands of users accessing resources across boundaries we may want to allow for high availability. I'm going to keep that here just for the sake of this demonstration. Select the certificate and port, then click Next.

This screen gives me a lot of information: no certificates representing a federation service name were found in the certificate store. What this is telling me is AD FS needs a certificate, because I have to be able to encrypt and decrypt information across this transaction. I don't have a certificate, so we'll leave this here. We're going to jump over to IIS and we're going to get a certificate; we're essentially, in this case, going to create one of our own. You'll see this the first time you launch Internet Information Services Manager, IIS Manager; we're not going to worry about Web Platform, I'm going to turn that off. We're already on the server, and right here on the server, Server Certificates: I don't have any certificates here. I want to create, in this case again for the sake of the demonstration, a self-signed certificate really quickly. This is not necessarily what you would do in a scenario involving actual business to business transactions; you're going to want trusted certificates from trusted certificate providers to avoid any potential issues with validation of those certificates or verification of the information within them. I'm in this case not needing to do all of that, and since this is technically a web server I'm going to select Web Hosting. We're going to have to come back to this in a minute, so for now we'll select this. There's my certificate now.

Just for the sake of demonstration, and what you might do next, we're going to go back to Federation Services and go Previous; we're going to try one more time to get that certificate. It's going to give me an error, still going to give me the same error message, because right here: no certificates representing a federation service name were found in the certificate store. So the fact that I have the certificate doesn't quite help me yet. If you read through the rest of this: use the Certificates snap-in to install the certificate in the local computer personal certificate store. I didn't put it there; I put it in Web Hosting, something you might actually run into if you're implementing this process. I'm going to jump back to IIS; see this here. Now I have to open the Certificates snap-in. We did this in our AD CS demos: Add/Remove Snap-in, Certificates, that's what I want to manage; I want to manage them for this computer, which is my next option, Local computer. A view of all the certificates issued to this machine: in this case it's looking right here, and I don't have any certificates installed. I put the certificate I had issued here under Web Hosting, server.contoso.com. To get this certificate to where the software needs it, right click and drag, copy; it's now in the Personal certificate store. Now one more time we jump back to our wizard: Previous, Next. The certificate has been found and the wizard picks it up and fills it in for us automatically.

Service account: in this case you want to select it. This is being asked for because we selected server farm from the beginning; it needs an account to make sure that, right here, it's used on all federation servers in the farm. We need to make sure that these servers can communicate with each other and with other domain resources. So so far we've seen a couple of configuration options; we've crossed some boundaries from the Federation Services wizard to the IIS wizard, or the IIS console, and the Certificates console. There are a number of pieces to this equation, and keeping track can sort of be problematic, but hopefully in a normal organization you'll

have these various pieces already set up ahead of time and won't have to do quite all of these steps, but it's handy to know what they are and what the potential pitfalls are depending on your scenario. So we're going to jump back in here with our account specification; we're going to grab a service account, put in a password, and this one's nice: it gives us a little bit of a recap of what we've done in the wizard and what this is going to do once we click OK. We will go through all of these details; let it run. Again this doesn't take very long at all, and at this point you're ready to start actually configuring Federation Services. I'm going to just let this run in the background; we won't stick around and watch that one.

So now that we're back from that demo we can take a look at a little bit more information about AD FS. I can't go too far into it, again, as an overview. The web proxy agent configuration options: something we talked briefly about at the very beginning; now we're going to go into a little bit about what those configuration options are. As I'd mentioned, a web proxy agent is a piece of software that runs on a web server that services claims requests from Federation Services directly to your web applications. You have two options: install the AD FS web agent on the IIS server. Windows token-based authentication requires ISAPI extensions; claims-aware authorization can authenticate natively with ASP.NET or determine how to collect user credential information from browser clients and web applications. Outside of that, if we have some other way we want to do this, it can be customized.

AD FS claims: this is the last piece to Federation Services. We've imagined we've got the server set up, we've got our proxies in place, we've got our actual federation servers in place, we've got our applications running; we have to configure claims to allow that access to actually happen. In Federation Services we can allow any of these three types of claims, identity, group or custom, that allow certain types of users or certain types of accounts in the account partner into the resources of the resource partner. An identity claim, UPN, indicates a Kerberos V5 protocol style user principal name, user@realm; in this case it may be user@domain. It could also be an e-mail account or an e-mail name, or a common name, which is something we would have in our directory. Group membership can also be a basis for a claim, or we have a number of other options we can use to provide the basis for a claim through the custom option, in this case employee ID number, if that's something you're tracking in your directory service.

The module review and takeaways: after this is over there will be questions provided in the deck that you can look through, answer, check the answers that are provided and see how you do. Thanks for watching this module; we'll be back with Module Five, Active Directory Rights Management Services, in just a little while.
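As an added example that is not part of the course material: a PowerShell check for the certificate pitfall hit in the demo, where the self-signed certificate was issued into the IIS Web Hosting store rather than the Local Computer Personal store the AD FS wizard reads. The federation service name is an assumed placeholder, and the store path names are the standard ones exposed by the PowerShell certificate provider.

```powershell
# Added example (not from the course): confirm that a certificate for the
# federation service name sits in the Local Computer Personal store (Cert:\LocalMachine\My),
# and if it only exists in the IIS Web Hosting store, copy it across.
$FederationServiceName = 'fs.example.test'   # assumed placeholder; replace with your service name

function Find-FederationCert {
    param([string]$Name, [string]$StorePath)
    # A usable certificate has a private key, is not expired, and names the service
    # either in its subject CN or in its subject alternative names (DnsNameList).
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.Subject -like "CN=$Name*" -or ($_.DnsNameList.Unicode -contains $Name))
        }
}

$personal = Find-FederationCert -Name $FederationServiceName -StorePath 'Cert:\LocalMachine\My'

if ($personal) {
    "OK: certificate for $FederationServiceName found in LocalMachine\My"
    $personal | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
}
else {
    # This is the state the demo ran into: the certificate was created from IIS Manager
    # under 'Web Hosting', so the AD FS wizard reports that none was found.
    $webHosting = Find-FederationCert -Name $FederationServiceName -StorePath 'Cert:\LocalMachine\WebHosting'
    if ($webHosting) {
        "Found only in the Web Hosting store; adding it to the Personal store"
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
        $store.Open('ReadWrite')
        foreach ($cert in $webHosting) { $store.Add($cert) }   # private key stays in its key container
        $store.Close()
    }
    else {
        "No certificate for $FederationServiceName in LocalMachine\My or LocalMachine\WebHosting"
    }
}

# A self-signed certificate is fine for a lab, but for partner-facing federation you want
# one from a trusted CA, so flag any self-signed match (issuer equals subject) explicitly.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$FederationServiceName*" } |
    ForEach-Object { "WARNING: $($_.Thumbprint) is self-signed; not suitable outside a demo" }
```

Run it in an elevated PowerShell session on the federation server before launching the configuration wizard; afterwards the wizard's certificate step should pick the certificate up automatically, as it did in the demo once the copy was made.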
