Posts archive for: June, 2007
  • Windows Server 2008 Cont'd: Active Directory Federation Services

    Hi Everyone,

    Part 3 of my Windows Server 2008 series covers Active Directory Federation Services.

    So what is AD FS?

    Active Directory Federation Services (AD FS) is a feature in the Windows Server 2003 R2 and Windows Server 2008 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

    Features in AD FS

    In Windows Server 2008, AD FS includes new features that were not available in Windows Server 2003 R2.
    This new functionality is designed to ease administrative overhead and to further extend support for key applications:

    Improved installation: AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.

    Improved application support: AD FS is more tightly integrated with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).

    A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

    The following are some of the key features of AD FS:

    Federation and Web SSO

    When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organisations to facilitate business-to-business (B2B) federated transactions between partner organizations.

    Web Services (WS)-* interoperability

    AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

    Extensible architecture

    AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organisations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.

    Extending AD DS to the Internet

    AD DS serves as a primary identity and authentication service in many organisations. With Windows Server 2003 Active Directory and Windows Server 2008 AD DS, forest trusts can be created between two or more Windows Server 2003 forests or Windows Server 2008 forests to provide access to resources that are located in different business units or organisations.

    However, there are designs in which forest trusts are not a viable option. For example, access across organisations may have to be limited to only a small subset of individuals, not every member of a forest.

    By employing AD FS, organisations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

    AD FS supports distributed authentication and authorisation over the Internet. AD FS can be integrated into an organisation's or department’s existing access management solution to translate the claims that are used in the organisation into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organisations. It can also audit and monitor the communication activity between organisations and departments to help ensure secure transactions.

    OK, installing AD FS...

    First up, install the role through Server Manager.

    [screenshot: adfs1]

    You will then get the welcome screen. Please ensure the domain controller or member server is a member of the domain, and bear in mind that when you install additional features of AD FS you MUST separate the AD FS proxy server and the AD FS feature roles. You cannot run both on the one box.

    [screenshot: adfs2]

    Note: you will be required to install the additional IIS services as well.

    [screenshot: adfs3]

    In this demonstration I will be installing the AD FS service and the Web Agents. Choose Next.

    [screenshot: adfs4]

    As I am installing the Web Agents role, it is prompting me for an SSL certificate. I have some existing AD CS certificates which I could use; if your organisation has its own set of SSL certificates for IIS, select them now, or alternatively create a new one. For the purpose of this demo I will create a new certificate.

    [screenshot: adfs5]

    [screenshot: adfs6]

    Again, because I am installing the Web Agent feature, one of its sub-requirements is token authentication, and at this point it is asking me for a certificate for that. I will create a self-signed one, but in a production environment you would have a certificate signed by an external CA.

    [screenshot: adfs7]

    It is now prompting me for my federation server for web agent communications. In a production environment you should have this on a separate federation server, but for this demo I am going to point it to the local DC. Selecting Validate will confirm web agent communication with your desired federation server.

    [screenshot: adfs8]

    The next stage involves specifying the trust policy XML location. If your organisation has its own policies for this, please make the appropriate changes, but I will keep everything as default.

    [screenshot: adfs9]

    The next part of the install involves configuring your IIS 7 components. Choose Next at the welcome screen.

    [screenshot: adfs10]

    Leave all IIS components selected as default unless you have specific requirements.

    [screenshot: adfs11]

    Confirm your installation requirements and choose Install.

    [screenshot: adfs12]

    Installation proceeding...

    [screenshot: adfs13]

    Installation finishes; choose Close.

    [screenshot: adfs14]

    Note: no restart is required. You can access the AD FS snap-in through MMC. In the example below I have created an AD account store. Also note that you break up your policy for internal clients and external clients (partners).

    [screenshot: adfs15]

    I am now going to create a new application definition. To do this, right-click Applications and select New, then Application...

    [screenshot: adfs16]

    The wizard starts; choose Next.

    [screenshot: adfs17]

    Now you need to specify whether your application will use token-based authentication or is claims-aware (.NET). In this example I am going to use claims-aware.

    [screenshot: adfs18]

    Now enter your display name and URL path; in this case I will be using my HP SIM application.

    Please note: do NOT use AD FS together with SharePoint SSO. Use one or the other, not both. Although SSO works great, if your organisation has a policy to use AD FS only, ensure you remove the SSO option in your initial SharePoint installation configuration.

    [screenshot: adfs19]

    Now you specify your identity claims. As HP SIM uses UPN, that's the option I'll be selecting; however, as you can see from the screen dump, you have a few different options.

    [screenshot: adfs20]

    Now you choose whether to enable the application immediately or not. Choose Next.

    [screenshot: adfs21]

    The wizard is finished; hit Finish.

    [screenshot: adfs22]

    As you can see, my application is initialised and is using UPN for its identity claim (IC).

    [screenshot: adfs23]

  • Windows Server 2008 Cont'd: Active Directory Certificate Services

    Hi guys,

    Following on from my last post about Active Directory Domain Services, now let's move on to Windows Server 2008's other Active Directory based services.

    Active Directory Certificate Services

    Active Directory Certificate Services (AD CS) provides customisable services for creating and managing public key certificates used in software security systems that employ public key technologies. AD CS comprises the following feature components, all configurable through Server Manager (I will run through the install procedure later on):

    Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

    Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates, retrieve certificate revocation lists (CRLs), and perform smart card certificate enrollment.

    Online Responder service. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

    Network Device Enrollment Service (NDES). NDES allows routers and other network devices that do not have network accounts to obtain certificates.

    Benefits of AD CS

    Organisations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

    Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

    Among the new features of AD CS in Microsoft Windows Server 2008 are:

    • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
     
    • Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
     
    • Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.

    Hardware and software considerations

    AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS). Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals.

    CAs can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and lab testing before you deploy AD CS in a production environment.

    OK, let's go through the install procedure...

    As per usual, you use Server Manager to install the role: select Add Roles, and select Active Directory Certificate Services.

    [screenshot: cert1]

    The welcome page is below.

    [screenshot: cert2]

    I'm going to add our primary role and the feature Certificate Authority Web Enrollment (see above for a description of the features).
    Please note that when you add CA Web Enrollment you will be prompted to install the required IIS services.

    [screenshot: cert3]

    [screenshot: cert4]

    If you plan to install Network Device Enrollment Service, please note that you need to complete Certification Authority setup before you can install and set up this service.

    The next step involves selecting whether you use AD DS to simplify issuing of certificates, or select standalone mode, whereby you have a bunch of extra configuration steps. Enterprise configuration is the recommended way of deploying certificates. Choose Next.

    [screenshot: cert5]

    The next step involves configuring your CA. You can select Root CA if this is your only certificate authority, or if you have another CA provider (whether it be internal or external) you can select Subordinate CA. In this example I will be setting this server up as a root CA.

    [screenshot: cert6]

    The next step involves setting up your private key. If you don't configure a private key or select an existing key, certificates will NOT be issued to clients. As I do not have an existing key from another CA, I will choose to create a new one.

    [screenshot: cert7]

    Before you can issue certificates, your private key needs to be encrypted. This Cryptography section of the wizard involves selecting a CSP and a hash algorithm; there are a large number of different CSPs, so choose what is appropriate, depending on your organisation's security policy.

    [screenshot: cert8]

    I will be using Microsoft Base Cryptographic Provider 1.0 with the SHA1 algorithm for this example.

    [screenshot: cert9]

    The next step involves configuring your CA name. Generally you would leave all options as is, as it registers it against the server FQDN, but changing the common name is OK too. Choose Next.

    [screenshot: cert10]

    Now you need to set the certificate expiry the client/device will have before needing to get a certificate reissued. The default is 5 years, which is what I have left mine at. However, in regards to best practices it should be considerably less, but this depends on your internal organisation policies.

    [screenshot: cert11]

    Next you need to specify the install location of the database and logs. I am going to leave it as default; however, for performance or policy reasons you may choose to change this.

    [screenshot: cert12]

    Remember earlier on it asked if you wanted to install the required IIS services? Now here is where you configure the individual IIS components. Choose Next at the welcome page.

    [screenshot: cert13]

    Generally you can leave all the default selections; however, I am installing the additional IIS 6.0 components for my Exchange install later on (blog will follow!). Then choose Next.

    [screenshot: cert14]

    Finally we are at the confirmation page. Confirm everything is OK and hit Next.

    [screenshot: cert15]

    Installation starts.

    [screenshot: cert16]

    Once completed you will see a screen like the one below.

    [screenshot: cert17]

    Now you will see the role under Server Manager (no restart is required for this role); however, in my experience I have found it will not function correctly until a restart. Additionally, if you plan to install any other features of AD CS you will need to restart first.

    [screenshot: cert finish]

    Now you will see you have access to the new Certificate Server snap-in under Admin Tools. From here you can view issued certificates, revoked certificates, pending requests, failed requests and templates.

    [screenshot: certserv]

    Now, templates... In Windows Server 2003 R2 you had the previous facilities but NOT templates. I think this is a fantastic feature that they have added, and it's dead easy. For example, I would like to set up a certificate template for smart card authenticated users... EASY! Select Certificate Templates, and you will see the preinstalled templates.

    [screenshot: cert2]

    Right-click Certificate Templates and choose New Template, and add your required certificate for clients.

    [screenshot: cert3]

    As you can see there are heaps of templates available. What I like best about it is that once you add them they are all preconfigured; there is no additional work required!

    Now clients can connect to the server's IIS web site and request new certificates if required.

    [screenshot: cert4]

    All they select is 'Request a certificate', and the below is displayed...

    [screenshot: cert5]

    If any additional information is required it will prompt you here, but in this case I have left everything default, so the user chooses Submit, sending a request to the AD CS server for a new certificate. Of course it will appear under pending and/or issued certificates in the certserv tool.

    [screenshot: cert6]

    The user gets a warning message; select Yes.

    [screenshot: cert7]

    The certificate has been issued; select Install this certificate...

    [screenshot: cert8]

    Another prompt... select Yes.

    [screenshot: cert9]

    Certificate issuing complete.

    [screenshot: cert10]

    COOL
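    As an added example (not code from the original posts), this PowerShell script audits the local machine's Personal certificate store for the demo-grade choices made in this post and the AD FS post above: a self-signed certificate (the AD FS token certificate), a SHA1 signature (the CSP/hash step of the CA wizard) and a validity period longer than a policy maximum (the 5-year CA default). The 2-year maximum and the store path are assumptions; adjust them to your own policy.

```powershell
# Added example, not code from the original posts. Audits the local machine's
# Personal certificate store (where the CA's own certificate and service
# certificates such as the AD FS SSL/token certificates live) and flags the
# demo-grade choices made in the walkthroughs: a self-signed certificate, a
# SHA1 (or MD5) signature, and a validity period above a policy maximum.
# The 2-year maximum is an assumed policy value, not something from the posts.
param([int]$MaxValidityYears = 2)

function Get-CertificateFindings {
    param(
        [string]$StorePath = "Cert:\LocalMachine\My",
        [int]$MaxYears = 2
    )
    $findings = @()
    foreach ($cert in (Get-ChildItem $StorePath)) {
        $reasons = @()

        # Self-signed: the issuer DN equals the subject DN. A root CA is expected
        # to look like this; a web or token certificate in production should not.
        if ($cert.Subject -eq $cert.Issuer) { $reasons += "self-signed" }

        # Signature hash chosen in the CA's Cryptography step (e.g. sha1RSA).
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        if ($sigAlg -match "sha1|md5") { $reasons += "signed with $sigAlg" }

        # Validity period as issued, compared with the policy maximum.
        $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
        if ($years -gt $MaxYears) {
            $reasons += ("validity {0:N1} years exceeds maximum of {1}" -f $years, $MaxYears)
        }

        # Expired certificates are listed regardless of the other checks.
        if ($cert.NotAfter -lt (Get-Date)) {
            $reasons += "expired " + $cert.NotAfter.ToShortDateString()
        }

        if ($reasons.Count -gt 0) {
            $findings += "{0} {1}: {2}" -f $cert.Thumbprint, $cert.Subject, ($reasons -join "; ")
        }
    }
    return $findings
}

$result = @(Get-CertificateFindings -MaxYears $MaxValidityYears)
if ($result.Count -eq 0) {
    Write-Host "No findings in Cert:\LocalMachine\My"
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```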

  • Windows Server 2008 IDS3

    Hi Folks,

    I have had a few requests from people out there about the Windows Server 2008 system, mainly in relation to the release date, and items such as roles, features and step-by-step info.

    Now, Microsoft released Windows Server 'Longhorn' Beta 3 about 6 weeks ago to TechNet Plus subscribers, and it is now readily available to everyone. Microsoft's official release date on this product has yet to be determined, but all signs indicate that manufacturing will start at the end of this year, ready for early 2008 (as the name suggests).

    TechNet Plus subscribers will notice that Windows Server 2008 IDS-3 is now available on TechNet in both Standard and Enterprise.

    So what's the difference?! As far as I can see there are not too many; however, I have come across a few differences thus far.

    First up, the installation was slightly different. Everyone who has used Longhorn knows you have 2 install methods you can choose: a Windows Server Core install, or a full Windows Server install. I'm just going to take a moment to explain the differences... Essentially, Server Core is a slimmed-down, appliance-like version of Longhorn Server that functions in a couple of limited roles and does nothing else.

    Server Core, as I see it, has three main advantages: it's extremely focused, which means it does what it does very well, resulting in better performance, resilience and robustness than a full-fledged operating system. It also has limited dependencies on other pieces of the Windows puzzle, in that the Core is designed to work without a lot of other software installed; it can generally work by itself. In comparison, many of the previous Windows components aren't really necessary, like Windows Explorer or Internet Explorer, for example, which is something that can't be said for Windows Server 2003.

    All of this translates into a far smaller attack surface than the standard Windows Server product, given all of the material that's been stripped out.

    OK, back to the differences... During install I was not prompted to set an Administrator password, which I thought was a bit strange, but it did speed up the install process. On my VM it took about 15 minutes to install the OS.

    Upon first load you now actually get prompted to set the Administrator password.

    [screenshot: change password upon first log in]

    Now set your password.

    [screenshot: set password]

    You also now have the facility to create a password reset disk. Handy; however, so far I cannot see a USB key option, which I'm sure will come around prior to final release.

    Once your password is set and you log in, you will notice one little difference. Nothing important, but in my opinion it means they are finally getting closer to releasing the various RCs, which is a good sign... In the bottom right-hand corner it has always stated Windows Server 'Longhorn' eval... It now states Windows Server 2008.

    [screenshot: bottom right hand corner - no longhorn]

    I also noticed boot-up time is much quicker; the OS loaded in under 1 minute!

    OK, moving right along, naturally you will get asked to fill in the usual info in the 'Initial Configuration Tasks' wizard, i.e. time zone, networking, computer name and domain, automatic updating and feedback, install updates, add roles and add features, enable Remote Desktop and customise Windows Firewall.

    Now let's run you through roles. Server Manager is still what you use to install roles and features. In this example we are going to install Active Directory, but the screen dump lets you see what roles are available.

    [screenshot: roles, installing AD]

    Best practices: make sure, prior to installing Active Directory, that you have assigned the server a static IP, and that you have set its primary DNS pointing to its loopback address of 127.0.0.1.

    First up you will get your welcome screen.

    [screenshot: install1]

    Next comes the confirmation screen. Notice that in all prior server versions, once you install AD and restart it is up and running, but in Windows Server 2008 you need to run dcpromo AFTER the initial install of AD to activate the role, which I will cover later.

    [screenshot: install2]

    Active Directory starts to install and then finishes.

    [screenshots: install3, install4]

    Now you need to run dcpromo. You access this by selecting the Active Directory Domain Services role in Server Manager and selecting the link highlighted in red below.

    [screenshot: selecting dc promo]

    Now let's kick off the dcpromo config. You get the usual welcome screen.

    [screenshot: pre dc promo]

    Go Next, and you will hit the Deployment Configuration page. Please note that in this example I am setting up the first DC in my forest.

    [screenshot: ad1]

    Next comes your forest root domain name. In this example, my FQDN is XtremeIT.com.

    [screenshot: ad2]

    Next comes your AD forest level; in my example I'm going with 2008, and following that is your DNS.

    [screenshots: ad3, ad4]

    Now you will receive the following warning message.

    [screenshot: ad5]

    This message is basically telling you it cannot contact another DNS zone. This is of course true, as I am doing a first domain controller install and I am using this DC as my primary DNS. If you are running a separate delegated DNS (i.e. you have another DNS server and appropriate zone), you only need to manually create a connection to this on your other DNS server and zone.

    The next warning message you get is quite lengthy, but all it is talking about here is that if this server will be your primary DNS, you need to ensure your primary DNS settings reflect the server. This is what I was talking about earlier in the best practices section, by pointing it to 127.0.0.1. If you forgot to do that prior to install, selecting Yes on this screen will make the appropriate changes.

    [screenshot: ad5-1]

    The next part of the wizard will prompt you about installation locations for SYSVOL etc. Best practice on DCs is to segment these directory locations for performance, but in this example I'll leave it as default.

    [screenshot: ad6]

    Moving along, the next screen prompts you to set a restore password for authoritative and non-authoritative DS restores, followed by a review of all wizard steps.

    [screenshots: ad7, ad8]

    Hitting Next kicks off your install.

    [screenshot: ad9]

    You will then get a completed screen and naturally the prompt to restart.

    [screenshots: adfinish, adfinish2]

    Once you restart, under Server Manager you will now see AD installed.

    Now please, please, please remember: if you plan to install other Active Directory roles like Certificate Services or Federation Services, you MUST install this first and install ONLY this role. Although you have the option to install multiple AD roles at once, they will NOT work correctly until this role is installed and configured, so install the Directory Services role first, then move on to other roles.
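    As an added example (not code from the original post), the following PowerShell script checks the two best-practice prerequisites called out above before you run dcpromo, and afterwards confirms that the AD DS role and the NTDS service are actually in place before any other AD role (AD CS, AD FS) is added. It assumes it is run locally on the Windows Server 2008 box and uses only built-in WMI classes and cmdlets.

```powershell
# Added example, not code from the original post. Run it on the server before
# launching dcpromo (static IP, primary DNS = 127.0.0.1) and again afterwards
# (AD DS role installed, NTDS service running) before adding AD CS or AD FS.

function Test-DcPrerequisites {
    $problems = @()

    # Only adapters that carry an IP configuration are relevant.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($nic in $nics) {
        $name = $nic.Description

        # A domain controller must have a static address, so DHCP must be off.
        if ($nic.DHCPEnabled) {
            $problems += "$name : address comes from DHCP; assign a static IP first"
        }

        # The first entry in the DNS search order is the primary DNS server.
        # Filter out nulls so an unset list yields an empty array, not @($null).
        $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) {
            $problems += "$name : no DNS server configured"
        } elseif ($dns[0] -ne "127.0.0.1") {
            $problems += "$name : primary DNS is $($dns[0]); expected 127.0.0.1"
        }
    }
    return $problems
}

function Test-DcPromotionState {
    $problems = @()

    # Win32_ServerFeature lists the roles and features installed on Windows Server 2008.
    $roles = Get-WmiObject Win32_ServerFeature
    $adds = $roles | Where-Object { $_.Name -like "Active Directory Domain Services*" }
    if (-not $adds) {
        $problems += "AD DS role is not installed; install it on its own before any other AD role"
    }

    # Installing the role alone does not promote the server: dcpromo creates the NTDS service.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if (-not $ntds) {
        $problems += "NTDS service not found; run dcpromo before adding AD CS or AD FS"
    } elseif ($ntds.Status -ne "Running") {
        $problems += "NTDS service is present but $($ntds.Status)"
    }
    return $problems
}

$issues = @(Test-DcPrerequisites) + @(Test-DcPromotionState)
if ($issues.Count -eq 0) {
    Write-Host "All checks passed."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Before dcpromo has been run the NTDS warning is expected; the point of running the script twice is that the DNS and static IP findings should be empty both times.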

    Ok my next blogs in my Windows Server 2008 series, will cover the following.
    Active Directory Certificate Services
    Active Directory Federation Services
    Active Directory Rights Management Services
    Network Policy & Access services
    Health Authority Services
    Windows Deployment Services & deploying Windows Server 2008 & Vista
    Exchange 2007 Installation & configuration.

    Stay Tuned!
