AD FS Configuring a Relying Party Trust

Captions
Welcome to the ITFreeTraining video on configuring a relying party trust in Active Directory Federation Services in Windows Server 2012 R2. Before I get started, let's have a quick look at the network that has been built in the previous videos and at what I will be performing in this video. In this video I will be configuring a relying party trust on the ITFreeTraining Active Directory Federation server. This server is located in the ITFreeTraining domain. The relying party trust is essentially the configuration on the Active Directory Federation server in the ITFreeTraining domain; this trust is used to create claims that will be sent to the highcosttraining domain. There is also configuration that needs to be performed on the highcosttraining Active Directory Federation server; however, this will be covered in a later video when I look at claims provider trusts. In this case, notice that the server that is running Active Directory Federation Services is also running a standalone certificate authority. This is done to reduce the number of servers required; however, more than likely it would not be done in this way in a production environment. In the ITFreeTraining domain, notice that an enterprise CA was used to issue certificates. Both networks have a domain controller. That is the basics of each network. Active Directory Federation Services was installed in previous videos, so it is assumed in this video that it has been installed and is up and running.

I will now change to my server in ITFreeTraining running Active Directory Federation Services and look at how to configure a relying party trust. From my Windows Server 2012 R2 server, first I will open Server Manager. To configure Active Directory Federation Services, I will select the Tools menu and select the menu option AD FS Management. From AD FS Management, select the container Relying Party Trusts. To create a new relying party trust, right-click on the container and select the option Add Relying Party Trust to start the wizard. Once I'm past the welcome screen, the next screen asks for some information about the relying party trust. The easiest way to obtain this information is accessing the other Active Directory Federation server directly. If I cancel out of here, I will next open the Endpoints container. Endpoints are what provide access to functionality of Active Directory Federation Services. If I scroll down, the section that I'm interested in is Metadata. The metadata that I am particularly interested in is this XML file. This file contains all the configuration information about this server. Another Federation server can read this information and use it, in this case the information to configure a relying party trust.

I will now go back and run the Relying Party Trust wizard again, skip the welcome screen and go back to the data source screen. For the Federation metadata address I will put in the computer name of the Federation server in the highcosttraining domain. In order for this to be resolvable, I have configured DNS forwarding between ITFreeTraining and highcosttraining. In some cases you may not have a direct connection between the two servers. If this is not the case, you can use the second option, import data about the relying party from a file. If you use this option, you will need to export the data from the server and exchange it with the other company, for example sending them a USB key in the mail; they will also need to send you their metadata. As a last resort you have the option enter data about the relying party manually. This option means that you will need to enter in all the data for the trust relationship, which is a time consuming process, so I would recommend using the metadata if you can. Since I have a direct resolvable connection between the two servers, I will press next and let Windows attempt to contact the other server, which will result in an error message. Notice at the end of the error message: could not establish a trust relationship for the SSL/TLS secure channel. The problem is that a secure connection could not be made between the two servers because the certificate used by this server is not trusted by the other server.

To correct this problem I will right-click the Start menu and enter in MMC to open Microsoft Management Console. Once open, I will select the File menu and then select the option Add/Remove Snap-in. Once Add or Remove Snap-ins has appeared, it is just a matter of adding Certificates from the list. When I attempt to add the snap-in, Windows will prompt me for the scope of certificates that I want to manage. In this case I will select the option Computer account, as the certificates that I want to manage are the local certificates for the computer. Once I press next, I will be asked if I want to manage the certificates on this computer or another computer. In this case I will leave it on the default option of the local computer and press Finish, and then OK to go back to the console. If I expand down to Certificates under Personal, notice that the Active Directory Federation Services certificate is listed here. If I double-click the certificate and open it, I can view the details of the certificate. The last tab, Certification Path, will show the certificate chain this certificate is part of. The certificate at the bottom is the certificate for this Active Directory Federation Services; at the top you can see the certificate for the enterprise CA. This is the root CA certificate for the enterprise CA on this network. In order for the other Federation servers to trust this Federation server, I will need to export this certificate. To do this I will press the button at the bottom, View Certificate, to view this certificate. Once the certificate is open, I next need to press the Details tab and then press the button at the bottom, Copy to File, to start the Certificate Export Wizard. Once I am past the welcome screen, on the next screen I need to decide which format to export the certificate in. In this case I do not need to export the private key, so the first option, DER, will work fine, so I will press next and move on. On the next screen I need to press Browse, and in this case I will save the certificate to a USB flash drive as ITFreeTraining root certificate. Once the file name has been entered, all I need to do is complete the wizard and the certificate will be exported to the USB flash drive.

Once the certificate has been exported, I will remove the USB flash drive and change to the Active Directory Federation server running in the highcosttraining domain. The certificate that I exported from ITFreeTraining needs to be added to the local certificate store on this server. To do this I will open Windows Explorer, browse to the USB thumb drive and then double-click on the ITFreeTraining root certificate. Once the certificate is open, I next need to press the button Install Certificate to start the import wizard. Once the import wizard has opened, on the welcome screen I need to decide which certificate store I want to store the certificate in. In this case the certificate will be used by the server, so I need to select the option at the bottom, Local Machine, and move on. On the next screen I need to decide where to store the certificate. In this case I will leave it on the default option of automatically select the certificate store based on the type of certificate, just to prove a point. In most cases Windows will decide the correct location, but in this case Windows will choose the wrong location to store this certificate. Once I press next, I can press Finish to complete the wizard and the certificate will be imported and stored in the local certificate store. To have a look at where Windows put the certificate, I will right-click on the Start menu, select Run and run MMC. From MMC I will add the Certificates snap-in. Once the Certificates snap-in has been added, it will ask me which certificates I want to manage. In this case I need to make sure that Computer account is selected, and then complete the wizard and go back to MMC. If I now expand down to Certificates under Intermediate Certification Authorities, notice that the certificate has been imported into this location. If I open the certificate, notice that under certificate information there is a statement saying the root certificate is not trusted and it needs to be moved to the root certificate store. In order to do this I will right-click the certificate and select the Cut option. I then need to navigate to Trusted Root Certification Authorities and paste the certificate in there. Notice now the certificate has been added, and if I open the certificate there is no longer any message saying that it is not trusted or in the wrong certificate store.

The certificate from highcosttraining will also need to be exported for use on the ITFreeTraining network, so while I am in the Certificates snap-in I will navigate to Certificates under Personal. There are two certificates listed in here. The first certificate is the certificate from the Federation install and the second certificate is the root certificate for highcosttraining, so I will double-click the second certificate to open it. Once open, I will select the Details tab and press the button Copy to File to launch the Certificate Export Wizard. Once I am past the welcome screen, on the next screen I will be asked if I want to export the private key. Since the standalone CA is also installed on this server, the private key is available to be exported. Whenever you export certificates to third parties, make sure that you do not export the private key. Just like when I exported the certificate in ITFreeTraining, I will choose the default option of DER and save the certificate file to the USB flash drive. Now that the certificate has been exported to the USB flash drive, I can remove the flash drive and change back to the ITFreeTraining Federation server.

Like on the highcosttraining server, I need to open the USB thumb drive and double-click on the highcosttraining certificate in order to import it to the local certificate data store. Once the certificate is opened, I will press the button Install Certificate to launch the Certificate Import Wizard. From the import wizard I will select Local Machine and move on. On the next screen, rather than allowing Windows to decide where to put the certificate, I will instead press the Browse button and select the certificate store Trusted Root Certification Authorities to ensure that the certificate is stored in the right location. Once this is done I can complete the wizard. Now that the certificate has been imported, I can go to Certificates under Trusted Root Certification Authorities; you can see the certificate that I just imported. If the certificate does not appear, press F5 to refresh the view.

Now that the certificate has been imported, I can close down MMC, go back to Server Manager and run the AD FS Management tool under the Tools menu. Once AD FS Management has been opened, I will expand down to Relying Party Trusts, right-click it and select Add Relying Party Trust to launch the wizard. Once I am past the welcome screen, I will enter in the name of the highcosttraining Federation server. Once this is done and I press next, notice that this time the wizard is able to contact the other server and move on to the next screen without issue. On this screen I will change the default display name to something a bit more descriptive. You also have the option to add notes in here if you wish. Once entered, I will move on to the next screen. This screen asks if you want to configure multi-factor authentication, for example if you wanted to use extra authentication such as smart cards. In this case I will not configure any additional authentication methods, so I will accept the default option and move on to the next screen of the wizard. The next screen determines the default permissions for the trust. By default all users will be granted access. In some cases this may be what you want; in this case I will select the second option, deny all users access to this relying party. When this is selected, only users that I configure will be allowed to use this trust. The next screen will show you all the information about the trust that is about to be created. As you can see as I go through the tabs, there is a lot of information that is configured in the trust. Once I press next, the trust will be created. The last screen of the wizard has a tick box that will open the rules dialog of the trust and allow you to edit those rules. In this case I will clear this tick box and edit the rules a different way. Once I press Close, I will be taken back to AD FS Management.

If I right-click on the trust that I just created, I can select the option Edit Claim Rules. The rules have three tabs. The first tab is Issuance Transform Rules. This tab allows rules to be transformed before being sent to the other party; for example, you could create a custom rule that modifies the data retrieved from Active Directory and sends it to the other party in a different format. The tab Delegation Authorization Rules allows rules to be created that determine if a requester is allowed to impersonate another user. In this case I will create a new rule on the tab Issuance Authorization Rules. To do this I need to press the button Add Rule to start the rule creation wizard. To create the rule I first need to select a template. Notice that in the list there are a lot of different templates to choose from. The rules created in here determine who can use the trust; if there is no matching rule in here, then the user will be denied access. In this case I will select the option Send Group Membership as a Claim. This will allow authentication to happen based on group membership. Once selected and I move on to the next screen, I need to configure some information about the rule. First I will enter in a meaningful name for the claim. Once entered, I will next configure a group for the claim by pressing the Browse button. In this case I will use the Domain Users group. If you want to restrict the access to particular users, you will need to create your own group and put the users that you want to have access to the trust in that group. In this case there are two domains in the forest, so two Domain Users groups have been found. In this case I will select the Domain Users group in the domain ITFreeTraining. The next option that I will configure is under Outgoing claim type. You will notice that there are a lot of options here. The option you choose here will determine what the other side will see. In this particular case I will select Group; however, a different option could be chosen if you wanted to change what the other party was seeing. At the bottom, notice that you can enter in a value for the claim. In this case I will enter in Web Application. Essentially this will accept the group name Domain Users and change it to the group name Web Application; as far as the other party is aware, the group name is Web Application. Once I press Finish, the rule will be created. If I exit out of Edit Claim Rules, notice that the new relying party trust has been configured. Since the rule has been created, it is ready to go; however, before this will work the claims provider trust must be created on the other side, but I will leave that to an upcoming video.

I hope that you've enjoyed this video from ITFreeTraining and found it informative. I hope to see you in future videos from this course and others. Till then, goodbye and thanks for watching.
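The same procedure the video walks through in the GUI, as an added PowerShell example that is not part of the video or of ITFreeTraining's material: export each side's root CA certificate without its private key, import the other side's root into the Trusted Root Certification Authorities store explicitly (so it cannot land in the Intermediate store as it does in the video), confirm the metadata endpoint is reachable over TLS, and create the relying party trust from metadata with an issuance authorization rule for Domain Users and a transform rule that sends the group out as "Web Application". The host names, drive letters, file names, display name and the Domain Users SID are placeholders I have assumed; the cmdlets are the standard PKI and ADFS module cmdlets available on Windows Server 2012 R2.

```powershell
# Added example, not the video's own steps. Run each part on the server named in its comment
# from an elevated PowerShell prompt. All names, paths and SIDs below are placeholders.

# ---- ITFreeTraining AD FS server: export the enterprise CA root (public certificate only)
$adfsCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($adfsCert)
# Last element of the built chain is the root CA the video views under Certification Path.
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# -Type CERT writes DER-encoded X.509; Export-Certificate never includes a private key
# (only Export-PfxCertificate does), which is the safe choice for a certificate you hand to a partner.
Export-Certificate -Cert $rootCert -FilePath 'E:\ITFreeTraining-root.cer' -Type CERT   # E:\ = USB drive placeholder

# ---- highcosttraining AD FS server: trust the ITFreeTraining root, export its own root
# Naming the store explicitly avoids the "automatically select" placement into Intermediate CAs.
Import-Certificate -FilePath 'E:\ITFreeTraining-root.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'
# The standalone CA lives on this box, so its self-signed root sits in the Personal store next to
# the AD FS certificate; pick the self-signed one (Subject equals Issuer) rather than the service cert.
$hctRoot = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
Export-Certificate -Cert $hctRoot -FilePath 'E:\highcosttraining-root.cer' -Type CERT

# ---- ITFreeTraining AD FS server: import the partner root, verify TLS, create the trust
Import-Certificate -FilePath 'E:\highcosttraining-root.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'
# Confirm the import fixed the "could not establish a trust relationship for the SSL/TLS secure channel"
# error before touching AD FS: this request throws if the chain is still untrusted.
$metadataUrl = 'https://adfs.highcosttraining.example/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder host
Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing | Out-Null

# Placeholder: SID of Domain Users in the ITFreeTraining domain (RID 513). Matching on the SID rather
# than the display name avoids a rule that breaks or matches the wrong group if a name changes.
$domainUsersSid = 'S-1-5-21-PLACEHOLDER-513'

# Issuance authorization: with no rule here nobody is permitted, which is the "deny all users" choice
# in the wizard; this rule permits members of Domain Users only.
$authzRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of Domain Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$domainUsersSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Issuance transform: send the membership as a Group claim whose value the partner sees as "Web Application".
$transformRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Domain Users as Web Application"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$domainUsersSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Web Application", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

Add-AdfsRelyingPartyTrust -Name 'High Cost Training' -MetadataUrl $metadataUrl `
    -Notes 'Relying party trust to the highcosttraining AD FS server' `
    -IssuanceAuthorizationRules $authzRule -IssuanceTransformRules $transformRule `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check what was created: identifier and endpoints come from the partner's metadata, the rules from above.
Get-AdfsRelyingPartyTrust -Name 'High Cost Training' |
    Select-Object Name, Identifier, Enabled, IssuanceAuthorizationRules, IssuanceTransformRules
```

Two things worth keeping from this form: the metadata fetch is a cheap stand-alone test of the certificate trust that fails with the same chain error the wizard reports, and `-MonitoringEnabled`/`-AutoUpdateEnabled` keep the trust in sync with the partner's metadata, so a certificate rollover on the highcosttraining side does not silently break the trust later.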
Info
Channel: itfreetraining
Views: 60,106
Rating: 4.9172416 out of 5
Keywords: Relying Party Trust, ITFreeTraining, Active Directory Federation Services, Active Directory (Software), Software (Industry), Windows Server (Operating System), Windows Server 2012 (Operating System)
Id: a1xeAA0g4_A
Length: 17min 52sec (1072 seconds)
Published: Tue Jul 22 2014