ADFS 2016

Okay, for this lab I need a DC. I need a CA, which we already have; they were part of our other lab. I need an AD FS server (Active Directory Federation Services). I need an app out on the web, like Office 365, and then I need a client that needs to authenticate to that. It could be local, could be out on the internet, could be in our network, could be out on the internet. Now, we don't want to allow this machine to access our user account database, but we need our users to be able to access this web app. So what's going to happen is our client will contact the web app in an attempt to sign in. The web app is going to automatically redirect me to our AD FS server to authenticate. At no point in time will I put my user account name and password on the other website. Once authenticated, this AD FS server will redirect the client, and a token (our claim), back to the web app, so I can do whatever I want to do, whatever that web app does. So basically I'll be authenticated here, it generates a claim, then redirects the client back to this web app. They do this all the time; this is how Office 365 works. AD FS isn't the only utility that does this, but this is the one created by Microsoft.

It's really difficult to do what they did in the lab and the write-up that I'm showing: everything's joined to the domain. Well, that's really easy to get to work if everything's joined to the domain. We're not going to do that. This client will be like your machine at home; you won't be joined to the domain. This one won't be joined to the domain. This one will; this will be the only machine that can access our Active Directory database. The problem is, if I generate a certificate for this machine from our CA, well, it's not a publicly created certificate, so it won't be trusted. So we've got to take our certificate from here and make it trusted here. We also need to tell the client to trust it. We need to create a certificate for this machine as well. Well, we're not going to contact VeriSign for this lab to create certificates for them here. So what we're going to do is create a self-signed certificate, then make our domain trust it and also make our client trust it. So we have to deal with some certificate issues, which is kind of good, because we just did the certificate lab, so you're going to see how to manually generate certificates from a PowerShell command. It's an extremely confusing lab. Some of the things that they do in this lab are unnecessary; other things they do are shortcuts, joining everything to the DC to get their certificates. We're just going to generate certificates manually.

So guys, I don't have my client set up yet, but I have the AD FS created. Okay, you don't have to follow along with this lab; this is not going to be part of your test, but I do want you to see the lab once. It's a cool lab, but it's a confusing lab. Last night the class watched me like I was speaking Swahili, you know, and when I said they could go, they didn't just go, they ran. So just bear with me; I know it's a little bit boring when you're sitting and watching, but if you want to follow along and you have your infrastructure in place, you're more than welcome to.

Guys, I'm just going to set up my client. Some tricks that I did here for this lab: I'm not going to create another DNS server, I'm just going to use this DC as the DNS for my fake web app. I'm not going to go and register it; normally this would be registered on the internet with the ISP, and so you'd be able to just go to that website, just type in the name. So I'm going to fake that with this DNS server. I'm also going to point the client to the same DNS server so everyone can resolve names. Let me just change the client's hostname. I can't do it that way. Okay, so the first thing I'm going to do is install AD FS on this machine. It is already joined to the domain, I set up the IP address, I need to make sure I'm signed in as a domain admin, which I'm going to do now. This machine and this machine aren't joined to the domain; only the AD FS server is. The web app and this client are not joined to the domain. I said that for the benefit of the video, because the video can't see me pointing.

So I'm going to install Active Directory Federation Services, and I'm only installing the web server just to be able to generate a domain certificate; it's an easy way to generate the domain certificate. AD FS default settings, the web server default settings, and I'm also going to create a website just to test that my certificate is trusted and there are no issues. Again, I'm signed in as a domain admin when I do this. You can also practice while you're watching if you want to do that as well. Well, that's... no, I can't move on. I'm going to walk through the wizard to configure... no, I can't do this yet either. So the first thing I'm going to do is create a website. I'll put it in inetpub; this is only for testing my certificates and generating my certificate. And I'm going to create a document called index.html. So I have that document created. Now the first thing I'm going to do is generate a certificate for this web server. We already have our CA set up; that was in a previous lab. So it's going to be my fully qualified domain name, and I'm going to use my CA to generate the certificate. So there's my certificate. Now I'm going to create a site to use that certificate, to test the certificate, to make sure everyone trusts me. I'm going to navigate to the path where I created the web content, I'm going to have it listen on port 443, and I'm going to use that certificate. Because this script that we're going to use is written in .NET, I need to use Internet Explorer to test everything. So I'm just going to verify that I can get to my secure website. So my website is secure, I trust it, no problem. Now that I have that done, I have a certificate, I can actually now configure the AD FS server. I'm going to create a server farm; this is going to be the first server in the server farm. Guys, a farm is just a group
of computers all doing the same function. So I'm just going to click Next, use my current credentials to do this process. Guys, I'm not going to create a service account, and I should create a service account, so when this runs it runs under some other account other than my domain admin. But I'm just going to use my domain admin account to start and to run this service right here. Normally I should create a managed service account; I'm not going to bother with that, I'm just going to use my domain admin. I'm going to create an internal database for this. I'm creating my database, started my database, and now it's populating it with some data, starting the service. Okay, I'm going to click Close. I really need to restart the service, so I'm going to do that now.

Okay, while that's going on I'm going to take my root certificate on my CA and export it so I can share it. This web app doesn't trust my CA, so any certificates that I sign from that CA are untrusted too. So right now I generated a certificate here, and it used this certificate to sign it. I'm going to take this certificate from here, the root one, and share it so both these machines can import it. Okay, so I'm going to go to my CA; this machine is running. So I'm going to launch an MMC and add some snap-ins to it. I'm going to add the Certificates snap-in. Guys, when we did the CA lab we didn't really talk about this, but this is a way you can manage certificates on a client. So I'm adding the snap-in. Under Trusted Root Certification Authorities I see I have one for my CA. I'm going to right-click and export it. I'm just going to leave it in CER format. I'm going to create a folder called cert and put it in that folder, then I'm going to share that folder. So I just took my root CA certificate from my root, exported it, and now I'm going to share it so other people can get to it. Just so we know, the IP of my CA is .4.

So guys, I'm going to go to my web app now. I can import this in one of two ways: I can open up MMC again, add the Certificates snap-in, then import that certificate there, or I could just use Internet Explorer. You can manage certs right from within Internet Explorer: if I go to the gear and go to Internet Options, then under Content I have the Certificates button. I'm going to go to Trusted Root Certification Authorities, then import a certificate. Well, I'm going to get it to this machine by accessing my share from the other machine, copy it, paste it on my desktop. So that's the cert I exported already. So now I'm going to import that certificate and put it in Trusted Root, because that's what I had highlighted, that's the tab that I went to. Next, Finish. It's showing you the signature: do you trust it? Yes. So now I trust that certificate. The only reason I created that website is to make sure my certificate works. If you're not getting a secure connection, you did something wrong. There's no point in going on with the AD FS lab until you've got those certificates working.

Guys, I also need to do the same thing for my client, because again my certificate authority is untrusted on the internet, so I'd have to do this step. In real life you'd most likely purchase certificates to use with these devices, so you don't have to go through this step. Guys, I can't use Edge to do this lab, I have to use Internet Explorer. Yep, so I'm going to launch Internet Explorer, and I'm going to pin it to my taskbar, go to Content, Certificates, Trusted Roots, and import my certificate after I've copied it over, because I could just browse and go directly to the network path from here, but remember to supply authentication. Let's call it cert, our share. So I just accessed them over the network, placed it in my Trusted Root. So if you look in this list you will see that not only do you trust these publicly available certificates, you know, from like GlobalSign, all these ones that are trusted on the internet (we get these through Windows Update, incidentally), I also trust the one for my certificate authority too. So any certificate signed by my CA I'll trust now. So let's verify that we can get to the website securely, and I can; it's a trusted website, so that's good.

Hopefully my AD FS has been rebooted. I no longer need the website; the website served its purpose. I don't even need IIS installed at this point, so I'm going to remove those items. I'll remove the website. It doesn't really matter, but in a secure environment, if you're not running a service, if you're not using it, don't have it installed, because there's a potential, you know, buffer overflow in some piece of software. If you have something installed, that means that's something you need to maintain and update. If I don't need it, don't install it. I'm also going to delete the content. That's the secure way; the secure way to install a web server is to uninstall the web service, you know. Especially in this case, it served its purpose, I'm just going to remove it, if I click the right thing. Also, I don't want you to get confused and think that that web service is being used for AD FS; it's not. It's so everyone can trust my certificate, and the easiest way to do that is with HTTPS.

While that uninstalls (and it's going to require another reboot), guys, I'm going to create a self-signed certificate for my web app. Like any good admin, I searched the internet and came up with a PowerShell command that I customized for creating a certificate. So this will create a self-signed certificate for my web app. The thing is, guys, if you use Create Self-Signed Certificate within IIS, it doesn't put the fully qualified domain name, it just puts the short name. So I need a web certificate with a fully qualified domain name; that's why I had to use this method to create that cert. So guys, I'm going to show you that my hostname is set, my IP is set. But guys, you know, when you're part of a workgroup, you're not part of a domain, you don't see the fully qualified domain name. So if I do an ipconfig /all I don't see the domain name anywhere. So I'm going to fake that. I'm going to go to my network settings. Guys, I didn't do this just to purposely show you how to do this. I'm going to go to IPv4, under Advanced and DNS I can put in a fake name here that says it's part of a domain. So when I click OK, OK and Close and do ipconfig /all, it now shows up with a domain name. It's a relatively common thing to do; Linux boxes do it all the time.

So what I'm going to do is create in DNS, my DNS server, a fake.com zone. So I'm going to go to my DC. Everyone is pointing to this DC for name resolution, so I'm going to use this to host a fake.com namespace. In real life we're going to get this as a registered namespace on the internet, but for right now we're just doing it internally. Again, this is a part of the lab that I showed you from the internet; these are kind of some prereqs that you need to have done for it to work. In the lab that they're using, everything is joined to the same domain, which really simplifies everything, but I don't think it gives you a good understanding of what's going on in the background. So I'm going to create a new zone called fake.com, and I'm going to store it in Active Directory. Guys, just to note, my IP address is 172.16.0.6 and the hostname is cs01-webapp. So in DNS I'm going to create a host record for that machine under fake.com: new host record, and it's going to be 172.16.0.6, and I'm going to create a pointer record too. There's my entry for cs01-webapp.fake.com in my forward lookup zone. So on the web app I should be able to resolve cs01-webapp.fake.com: I get a name, I get an IP back, and nslookup 172.16.0.6, I get a name back. So everything is looking good as far as DNS. Okay guys, let's take our first break, then I'll start creating my self-signed certificate. So if you do your Dunkin' Donuts run, do it now.
Are we missing anyone? Okay, it's recorded. Okay, so guys, what I'm going to do now is install... guys, instead of installing everything all at once, I'm just going to install each feature as I need it. So initially I'm going to install a web server on my web app. While that's installing, I want to sign back into my AD FS to finish the removal process of the website. Okay, my web server is installed. Now I'm going to my real machine, because this script is on my real machine. Again, guys, I pilfered this off the internet; I just did a search for "create self-signed certificate PowerShell" and within the first few it actually gave me the link. So I'm going to connect to my web app; the name of that server is actually webapp, so Enter-PSSession -ComputerName webapp. This will not only create my self-signed certificate, it's also going to export it for me at the same time; the last line exports it. Guys, in real life when you export certificates you really should export them with a password, so if someone gets hold of that certificate they can't do anything with it. This will give our standard password when I export the certificate. So the first one just checks my version number of PowerShell, the next one creates my certificate, this one sets a password, a secure password, this defines my path, where I want to export my password, and this actually exports it. I highlight everything and press F8. Guys, I also put this on D2L so you can find this script. I'm going to exit my PS session and close this out. So if I go to my web app now, I should have a certificate there for me, and it should also be exported to my C drive. There it is. I'm going to create a folder, move that certificate into it (this is running really slow), and I'm going to share that folder.

Because this is a self-signed certificate, no one trusts it. Generally this is used for a lab environment; you don't really use self-signed certificates in a production environment. When I say no one trusts it, this machine doesn't even trust it. Guys, I'm just going to edit the bindings on my default website and add a certificate just to test it; I'll undo this in a little bit. So if I go to HTTPS, I don't trust it. So I need to import that certificate on all three machines: AD FS, my client, and this machine itself. So I'm doing the same thing: I'm just going to use Internet Explorer, go to Trusted Roots, import it. Guys, when I created this cert I created a PFX type certificate with that PowerShell command, so I have to use that one; it's not a CER type certificate. I can import the certificate in a bunch of different formats; PowerShell created it in that format, so I'm going to choose that cert. It's going to prompt me for my password, because remember my script exported it with a password, which is wise. I'll copy this, close this out, reopen it. I still don't trust it. One second, let me just clear everything. Let me see. Oh, I know why, guys. I've got to delete that certificate. I'll show you why in a moment: look what the name is. It's not cs01. So I need to delete that certificate and redo it. Same thing, I'm just going to go to the web app and delete that. Oh, it's not there anymore. So I'll recreate the certificate. I'm going to go to my web app, delete the old one and move this into there, re-import it. It's a PFX type certificate. There's the certificate that I created. I really don't need this one anymore. And try again. Now what we're going to do is try to manually import it here. Let me see what I'm doing. Let's go to the web app, let me look at my script again, and why... still... where is it finding this other certificate from? Oh, I need to change it in IIS as well. Okay, yeah, okay guys, I forgot to update IIS with the new certificate that I imported. Okay, so there my website is using that certificate. I'm just going to remove this... oh no, I just want to leave this for a little bit. I need to go import it on my AD FS and my client. So I'm going to go into Internet Explorer, Trusted Root, \\172.16.0.6, it's a PFX type certificate. Let's see if we trust it. I trust it. So I'm going to do that on my client. There's my self-signed certificate, and I trust it. Okay, so I'm just going to remove those bindings on my default website. We're going to have to play with this later. Sorry guys, let me fix that before I screw something else up. This machine is so slow. I want to make sure that I use Internet Explorer as my default web browser. Okay, so I'm going to remove this binding.

Okay, now I'm going to start configuring the rest of my web app server. I need to install some other things. I'm going to install .NET 3.5. Guys, I'm not sure that I need all of this; I definitely need the first one, that includes .NET 2 to 3. We're using .NET 2 for this application. I'm going to install some software, because normally the application we'll be hosting here is like Office 365. Well, Microsoft will give me the code for Office 365, but there is a .NET identity SDK (SDK stands for software development kit), and then there's a sample app. I'm going to use that sample app and host that sample app to test my claims. It's written in .NET 2.0. I also need to install the identity server runtime environment, so I'm going to install this Windows Identity Foundation 3.5; this is my runtime environment for this claims type stuff. Here's the problem: this no longer exists like a Windows Update or anything like that, or on demand. So what I have to do is install this from the DVD. This guy you can get through normal Windows installation, but this I have to install directly from the DVD. So I'm going to click Next and it's saying, wait, something that you're trying to install doesn't exist, provide an alternate location of where that file is. So I'm going to add a DVD drive and put in it the ISO for Windows Server 2016. I'm not sure which one to use; I'm going to use this one. Click OK. Now I have a DVD drive in my machine. Open it up; under the sources folder I have this sxs folder. That's what I need right there. So I'm going to copy this location down here, supply an alternate path. SxS stands for side-by-side store. So it's saying that .NET 3.5 is not part of your typical installation, but you can get it from this location. Normally network admins put the ISO on some sort of network share so you can access it; I'm just putting it on a DVD. So I'm supplying a path where you install the 3.5 stuff. The ISO, it's just the Windows Server installation. I thought it was already on the computer. You know, this is, yeah, not the actual VHD; it's the actual ISO of the installation media, and we put it on... I can't look on the virtual machine, but it's on our E drive, we have an ISO folder and in there are all the ISOs.

Guys, while that's installing, I'm going to download another piece of software, the Windows Identity Foundation Software Development Kit. It's a free download, and I'm getting this URL from that document, this document right here. I probably have a typo somewhere. Guys, I'm going to lower my IE Enhanced Security Configuration. Real life: don't do this; you don't want to be surfing and putting stuff on the web from a server. I had a typo here, guys. ASP... here's the download. I only need this one. Guys, there might be a sample app that I can use from here, but I don't know what effect that's going to have, so I'm just going to stick with this one. Okay, I think it's downloaded. I think I clicked on it twice; this machine is running so slow. So I've already downloaded it, I'm going to install it. Guys, I'm not going to hit Run until this is done. If I try to run it without having this installed, it gives me an error. This Windows Identity Foundation 3.5, this is the runtime, so this is a little piece of software that runs on your computer, and this is used for development. The reason why we're installing this is they have a predefined sample app, so we can host it on our web app to test our AD FS setup. The only problem is the code on it is wrong, so we have to fix some code. That's what this document... that was the big thing about this document, it showed me what code to fix. Yep, okay, that's installed. Now I'm going to install this. So what I installed is this; so here's my sample app, guys, that was installed with that software. I'm going to copy all this, go to my inetpub folder and create a new folder for a new application, and paste it in. I'm not expecting you to know this, but the code is wrong with this thing. So what we need to do is edit this code, and guys, I'm getting this from the document: I need to take this code and comment it out; by doing this, that code isn't effective. I'm going to save it. Now we need to edit this document and comment out some code, or delete some code. Again, you're not going to memorize this; this is just going to be something that you look up. It's not going to be intuitive at all. Guys, you need to appreciate how much work went into getting this to work, and the fact that it's not going to be on your final. Okay, so guys, this whole section from here to here I just need to delete, and save it. So now we have our web app; we got this from the software that we installed.

So now I'm going to host that app in our web server. I'm going to host it as a virtual website under our default app. So guys, I'm going to right-click, go to Application Pools, I'm going to right-click our default application pool and go into Advanced Settings, and I'm going to change this to True. What we're doing here, I have no clue; we're following the documentation. Okay, now I'm going to do it again, but go to the Basic Settings. Let me go back out. Right now it's going to default to .NET 4.0, but we need to run a 2.0 application, so I'm going to change it to a 2.0 application. Now I'm going to go to the default website, I'm going to edit the bindings, I'm going to add HTTPS and select our web certificate. Guys, I'm not sure we'd need that, but it's there.
So the next thing I'm going to do is add an application to our default website. I'm going to call this claimapp, and I'm going to browse for that location where we copied that code, which is inetpub\claimapp. Click OK. Guys, now I need to run some software that tells this machine: whenever someone connects to you, before you do anything, redirect them to the AD FS for the claim. So we have a web app set up; we didn't write the code, we just copied it from somewhere else. As networkers we're never going to write the code; someone else, a developer, wrote that web app. So what we need to do is tell this machine: if someone comes here, you redirect them over here. Then we've got to go to this machine that says: if you get a redirect, give them a claim, then redirect them back. So we have to do it at both ends. So what we're going to do is run this piece of software that is in that SDK; we're going to run this utility right here. Okay, so we're going to browse. Now we're going to type in the path for our application, to where that web.config is. Don't give the local path, give the network path: cs01-webapp.fake.com/claimapp. That's where that file is located; you know, if you go to that website they'll find that file. The example is the local path; we don't want to use that. Sorry guys, let me just verify this. I've got this wrong, guys. Got to put that down here. Here we're just going to browse for that code; that's what we have. That's the URL, that's the local path for the web.config. When they connect to us, where do we want to send them? So https://cs01-adfs.contoso.com; that's our other web server. So I was able to talk to my AD FS server and get a claim, so everything is working well up to this point. Let me just close all this out. Click Next. We're going to leave the certificate chain disabled because we're using a self-signed certificate. No encryption. If there are any updates to our metadata from the AD FS, go get those updates, you know, go check for updates in a scheduled task, so if there's anything in that XML file that's changed, this will get the update. Click Finish. So our web app is set up. Now we need to go to our AD FS: when you get a redirect, give them a claim, then go back. Because remember who's going to talk to the AD FS: the client. So I need to give the client the claim and send the client back to here. Okay, let's take a break, guys, and then we'll do the next part.

Okay then, we're almost finished. This lab is almost finished. It's not intuitive; it's not difficult once someone lays out the steps, but if you go to read this document it goes into all kinds of weird directions that I didn't go. They created a service account, they have you do device registration; we don't need to do that. They had you create aliases and stuff like that; I didn't do that, I just created a simple DNS zone. This is the part we just finished; now we'll do this part. Okay, so let's take a break, we'll finish this part, test it, see that it works, then we're good to go, and then next time we meet I'm going to do another lab, central store and maybe Docker, we'll see how it goes. Okay guys, this part only takes like five minutes. At this point is everyone completely lost, find it interesting, I'll look into it later, or this was a waste of my time? Guys, when you go to study for the test, set this up; you'll have a working AD FS environment to study with. Trust me, if you do any of the Office 365 stuff, this is going to be on the test. This is one of those things like IPAM; you'll get a lot of questions on the test with it.

Okay, so guys, I'm going to go to my AD FS now. We've already told our web app: when someone connects to you, redirect them over here for authentication. Now we need to tell this AD FS server: just redirect the client and the claim back to the web app. Okay, so I'm going to go into AD FS now. I'm going to do a relying party trust. It's going to be quick. Guys, incidentally, just to add a little more confusion, this was written for 2012; the wizard that we're looking at is slightly different. Some of the things that were part of the wizard are no longer part of the wizard, so you have to go through the wizard, then edit it to edit some things. So I'm going to click Start and now we're going to point to the web app. So everything in this documentation is all in the same domain; in real life that's never going to be in the same domain. This is our web app; I'm pointing to our web app. There's an XML file that they have to read. When we ran that FedUtil, it created this document that I'm pointing to, so that's where we're going to redirect them back. That's our application; inside of that it's going to be hosting this XML file. I'm just looking to see if I have any typos. It doesn't appear so. Okay, it does appear so. HTTP... I'm just going to open this up in a browser, let me make sure I can just get to the web app. Okay, that's good. Let me go back to the web app and see if there's an issue with that. Okay, that's working. I might need to restart this machine. Okay, I'm just going to go through that wizard again. Guys, not sure why it didn't work out. I want to rerun the FedUtil too. I've got an end slash, so I'm going to delete that end slash, just going to test it, make sure I have no typos. It works. I'm going to try to go back here and see if I can connect. Let me see if it's the browser thing, if it's a firewall thing. I'm just going to add it to the firewall. The file exists. Okay, let me try something else. I'm going to copy this table back over and see if I made a mistake. I know it isn't. Okay guys, I'm not going to have you sit here while I diagnose this. I'm going to diagnose this and then upload it; I'll upload the video, but you guys can go. I'm going to finish this up because it's going to be something little. I don't know what it is yet, because this file does exist. You're welcome to stay if you want though. That should show up; it's just a misspelling or something. Honestly, I don't know. I think I know. I didn't install this. Yes, now that's it. No, it wasn't in the booklet, but the first time I dealt with this I remember that was the issue. I was hoping to have a nice clean video. What is the lab? All this is AD FS; it's chapter 13 in the book, right after certificates, and the next lab that you're going to be doing, central store, as well, which is part, I think, of chapter 6. Okay, let's see if this works out. There it is, that was it.

Yeah, okay, there's the name that's going to display. Guys, this isn't part of the documentation; this menu kind of changed, so I'm just not changing anything. I'm going to press Cancel, redo it. Okay, that was the problem. Let me see; it sees two names. Remember, ah, I've got the slash, yeah. So let me see, right, so let me try to delete it from here. It's going to regenerate it, hoping I still had that typed in here. Here's the URL for the AD FS. It's a pain; only one identifier. Okay, one more step. I'm going to right-click this and add a rule. The documentation doesn't really do this justice. So this is going to be Send Claims Using a Custom Rule. I'm going to call this... if you get one little space wrong, you're wrong. Okay, so now it's done. Yes, the client goes to the website, and now remember these user accounts don't exist, so I might have to create another user account. I don't know if it works for the domain admin, but we'll see. Yeah, it doesn't want to for the domain admin, not good. Okay, I've got to create another user account, so I'm going to go to my DC and create another user account. Yeah, yeah, it's almost done. Wait, wait. Okay, I'm going to... I think it's just a browser thing. One more time. It doesn't help with this computer when it's so small. Okay guys, I'm giving up on this. I want to redo it. Oh, there it is. I think it was "Is Authenticated: True", contoso. So it actually worked. Yeah, I need to redo the video though, without that error. Yeah, okay, I had two... three issues, because I put the back... I forgot the backslash, I forgot to install .NET, and I also screwed up the certificate. Okay, but it worked. Let me just try one more time. Took me over to contoso, authenticated me, sent me back with a claim. Sorry, web browser, I don't work for you. The first time I tried to do this, no, it was like, I want to say months ago, a year ago, but here's the thing: I've been trying this lab for years, like the 2008, 2009 era. So it's working. I'm getting a claim every single time. Yeah, so it is working. It does work. Okay, stop the video.
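The self-signed certificate step from this walkthrough, written out as an added example (this is not the lecturer's D2L script or anything from the lab write-up). It assumes the lab's names and paths (cs01-webapp.fake.com, 172.16.0.6, C:\cert, Default Web Site) and runs on the web app server itself; the name check is the piece the video spent time debugging, since a certificate without the FQDN in it is never trusted for that URL no matter where it is imported.

```powershell
# Added example (not the lecturer's script): create a self-signed web certificate
# for a non-domain-joined IIS host using the FQDN, export it as a password-protected
# PFX, export the public half as CER, and bind it to the IIS site on 443.
# Hostnames, IPs and paths are assumptions based on the lab.

$fqdn   = 'cs01-webapp.fake.com'   # must match the name clients type in the URL
$export = 'C:\cert'
New-Item -ItemType Directory -Path $export -Force | Out-Null

# 1. Create the certificate in the machine store. -DnsName populates the
#    Subject Alternative Name; the short name is added so http://webapp also matches.
$cert = New-SelfSignedCertificate `
    -DnsName $fqdn, 'webapp' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Check the name before going further. A cert that only carries the short
#    hostname (what the IIS "Create Self-Signed Certificate" button produces)
#    gives the "I still don't trust it" symptom even after it is imported everywhere.
if ($cert.DnsNameList.Unicode -notcontains $fqdn) {
    throw "Certificate does not carry $fqdn in its SAN list"
}

# 3. Export the private key as a PFX protected by a password (prompted, not hard-coded).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$export\$fqdn.pfx" -Password $pfxPassword | Out-Null

# 4. Export only the public certificate (CER). This is all the AD FS server and the
#    client need in Trusted Root; the private key never leaves this machine.
Export-Certificate -Cert $cert -FilePath "$export\$fqdn.cer" | Out-Null

# 5. Bind it to the IIS site on 443.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# On the AD FS server and on the client, after copying the .cer from the share
# (assumed share name 'cert'), run:
#   Import-Certificate -FilePath "\\172.16.0.6\cert\cs01-webapp.fake.com.cer" `
#                      -CertStoreLocation 'Cert:\LocalMachine\Root'
# The .pfx stays on the web app; only the .cer is distributed.
```

Sharing the CER rather than the PFX is the point of step 4: the other two machines only need to trust the public certificate, and a PFX that leaves the box carries the private key with it.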
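The relying party trust and claim rule from the last part of the walkthrough, as an added example done with the AD FS PowerShell module rather than the wizard (this is not the lecturer's configuration and not from the lab write-up). Assumed: the application is called claimapp at https://cs01-webapp.fake.com/claimapp, FedUtil published its federation metadata under that application, and the AD FS server already trusts the web app's self-signed certificate so the metadata can be fetched.

```powershell
# Added example (not the lecturer's steps): register the sample app as a relying party
# and attach an authorization rule (who may get a token) plus a transform rule
# (which claim goes in the token). Names and URLs are assumptions based on the lab.
Import-Module ADFS

$rpName   = 'claimapp'
# Identifier FedUtil writes into web.config as the audience URI. AD FS compares it as a
# plain string, which is why a stray trailing slash broke the trust in the video.
$expectedIdentifier = 'https://cs01-webapp.fake.com/claimapp'
# Metadata FedUtil generates under the application; AD FS reads the identifier,
# endpoints and signing certificate from it.
$metadata = "$expectedIdentifier/FederationMetadata/2007-06/FederationMetadata.xml"

# Issue a token only to members of Domain Users (RID 513), not to anyone who can sign in.
$authzRules = @'
@RuleName = "Permit Domain Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-.*-513$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Pass the Windows account name through as the "name" claim the sample app displays.
$transformRules = @'
@RuleName = "Account name as name claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Re-create rather than edit, so a rerun after a typo starts clean.
if (Get-AdfsRelyingPartyTrust -Name $rpName) {
    Remove-AdfsRelyingPartyTrust -TargetName $rpName
}

# Revocation checking is off because the web app's cert is self-signed and has no CRL;
# with a CA-issued cert leave the defaults in place.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl $metadata `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Verify the identifier AD FS pulled from the metadata is exactly the one in web.config.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.Identifier -notcontains $expectedIdentifier) {
    Write-Warning "Identifier mismatch: AD FS has '$($rp.Identifier -join ', ')', web.config uses '$expectedIdentifier'"
}
$rp | Select-Object Name, Identifier, Enabled, MonitoringEnabled
```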
