ADFS is a new feature in the Windows Server 2008 operating system. It provides a unified access solution for browser-based access by internal and external users. This feature can even enable accounts and applications in two completely different networks or organizations to communicate with each other.
To understand how ADFS works, first consider how Active Directory works. When a user authenticates through Active Directory, the domain controller checks the user's credentials. Once the user is proven legitimate, he can freely access any authorized resource on the Windows network without re-authenticating each time he accesses a different server. ADFS applies the same concept to the Internet. We all know that when a web application needs to access back-end data in a database or other back-end resources, security authentication for those resources is often complicated. Many different authentication methods are available today to provide it. For example, a proprietary authentication mechanism might be implemented through a RADIUS (Remote Authentication Dial-in User Service) server or as part of the application code. All of these mechanisms can perform authentication, but they also have shortcomings. The first is account management. It is not a big issue when an application is accessed only by the company's own employees. However, if the company's suppliers and customers also use the application, you suddenly find that you need to create new user accounts for employees of other companies. The second shortcoming is maintenance: when employees of those other companies leave and new ones are hired, you also need to delete the old accounts and create new ones.
What can ADFS do for you?
What would it be like if you could offload account management to the customers, suppliers, or other parties using the web application? Imagine that the web application provides services to other businesses, and you no longer have to create user accounts for their employees or reset their passwords. If that were not enough, those users no longer need to log in to the application to use it. That would be an exciting thing.
What does ADFS need?
Of course, Active Directory Federation Services also requires other components before it can be used, and you need some servers to perform these functions. The most basic is the federation server, which runs the Federation Service component of ADFS. The main role of the federation server is to handle requests from different external users. It is also responsible for issuing tokens to authenticated users.
In addition, in most cases a federation proxy is required. Imagine that an external network needs to establish a federation relationship with your internal network; this means that your federation server must be reachable through the Internet. But Active Directory Federation Services relies heavily on Active Directory, so exposing the federation server directly to the Internet would bring great risk. For this reason the federation server is not connected directly to the Internet but is accessed through the federation proxy. The federation proxy forwards federation requests from the outside to the federation server, so the federation server is never directly exposed to the outside world.
Another major component of ADFS is the ADFS Web Agent. Web applications must have a mechanism for authenticating external users, and that mechanism is the ADFS Web Agent. The ADFS Web Agent manages the security tokens and authentication cookies that are sent to the web server.
In the rest of this article we walk through a simulated test environment to experience what ADFS brings to enterprises. Without further ado, let's start the ADFS configuration test.
Step 1: Pre-installation tasks
To complete the following experiment, users must prepare at least four computers before installing ADFS.
1) Configure the computer’s operating system and network environment
Use the following table to configure your computer system and network environment for the test.
2) Install AD DS
Users use the Dcpromo tool to create a new Active Directory forest for each federation server (FS). For the specific name, please refer to the configuration table below.
3) Create user accounts and resource accounts
After setting up the two forests, use the "Active Directory Users and Computers" tool to create some accounts in preparation for the following experiments. The following list gives some examples for reference:
4) Join the test computer to the appropriate domain
Follow the table below to add the corresponding computers to the appropriate domain. It should be noted that before adding these computers to the domain, users need to disable the firewall on the corresponding domain controller.
Step 2: Install AD FS role service and configure certificate
Now that we have configured the computers and added them to the domain, we also need to install the ADFS components on each server.
1) Install the Federation Service
Install the Federation Service on two computers. After the installation is complete, the two computers become federation servers. The following steps walk us through creating a new trust policy file and the SSL and token-signing certificates:
Click Start, select Administrative Tools, and click Server Manager. Right-click Manage Roles and select Add Roles to start the Add Roles Wizard. Click Next on the Before You Begin page. On the Select Server Roles page, select Active Directory Federation Services and click Next. On the Select Role Services page, select the Federation Service check box. If the system prompts you to install the Web Server (IIS) or Windows Activation Service (WAS) role services, click Add Required Role Services to add them, and click Next when done. On the Choose a Certificate for SSL Encryption page, click Create a self-signed certificate for SSL encryption, then click Next. On the Choose Token-Signing Certificate page, click Create a self-signed token-signing certificate and click Next. On the Select Trust Policy page, select Create a new trust policy and click Next. On the following Select Role Services page, click Next to confirm the defaults. After verifying the information on Confirm Installation Options, click Install to start the installation.
2) Assign the local system account to the ADFSAppPool identity
Click Start, open Internet Information Services (IIS) Manager from Administrative Tools, double-click ADFSRESOURCE or ADFSACCOUNT, select Application Pools, right-click ADFSAppPool in the center pane, and select Set Application Pool Defaults. Under Identity Type, click LocalSystem, and then click OK.
3) Install AD FS Web Agent
In Server Manager under Administrative Tools, right-click Manage Roles and select Add Roles. Following the wizard, select Active Directory Federation Services on the Select Server Roles page, click Next, and select the Claims-aware Agent check box in the Select Role Services window. If the wizard prompts you to install the Web Server (IIS) or Windows Activation Service (WAS) role services, click Add Required Role Services. After that, on the Select Role Services page, select the Client Certificate Mapping Authentication check box (for this step, IIS needs a self-signed server authentication certificate). After verifying the information, start the installation.
To set up the web server and federation servers successfully, another important step is creating, importing and exporting certificates. We have already used the Add Roles Wizard to create server certificates on the federation servers. What remains is to create the corresponding certificates for the adfsweb computer. Due to limited space, I will not cover this in detail here; for details, see the certificate-related articles in this series.
Step 3: Configure Web Server
In this step, what we mainly want to complete is how to set up a claims-aware application on a Web server (adfsweb).
First we configure IIS. All we need to do is enable the SSL settings of the adfsweb default website. After that, in IIS on ADFSWEB, double-click Web Sites, right-click Default Web Site, select Add Application, and type claimapp in the Alias box of the Add Application dialog. Click the ... button, create a new folder named claimapp, and confirm. Note that it is best not to use capital letters when naming the new folder; otherwise you will have to match that capitalization whenever you refer to it later.
Step 4: Configure Federation Server
Now that we have installed ADFS and configured the web server to host the claims-aware application, let's configure the Federation Services of the two companies (Trey Research and A. Datum Corporation) in the test environment.
Let's first configure the trust policy. Open Active Directory Federation Services in Administrative Tools, double-click Federation Service, right-click Trust Policy, and select Properties. On the General tab, type urn:federation:adatum in the Federation Service URI box. Then verify that the Federation Service endpoint URL text box contains https://adfsaccount.adatum.com/adfs/ls/. Finally, on the Display Name tab, type A. Datum in Display name for this trust policy and click OK. Next, return to Active Directory Federation Services. Double-click Federation Service, Trust Policy, My Organization, right-click Organization Claims, click New, and then click Organization Claim. In the Create a New Organization Claim dialog box, type Trey ClaimApp Claim in Claim name, make sure Group claim is selected, and click OK. The configuration of the other company is essentially the same, so I won't repeat the details.
Step 5: Access the pilot application through the client computer
Configure browser settings for the adfsaccount federation service
Log on to adfsclient as user alansh, start IE, click Internet Options on the Tools menu, click Local intranet on the Security tab, and then click Sites. Then click Advanced. Type https://adfsaccount.adatum.com in Add this Web site to the zone and click Add. Then type https://adfsweb.treyresearch.net/claimapp/ in the IE address bar. When prompted for the home realm, click A. Datum and then click Submit. The Claims-aware Sample Application then appears in the browser, and you can see the application's selected claims in SingleSignOnIdentity.SecurityPropertyCollection. If there is a problem during access, run iisreset or restart the adfsweb computer, and then try again.
At this point, a basic ADFS test model has been built. Of course, ADFS is a comprehensive and complex new technology, and in a real production environment there are still many operations and configurations to do. Regardless of the configuration, as mentioned above, ADFS will greatly expand the capabilities of web applications and raise the level of informatization of the company's external business. Let us wait and see how the ADFS technology in Windows Server 2008 is used in practice.
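A client-side check for the setup above, written here as an added example (not from the original article): it verifies that the adfsaccount host is mapped to IE's Local intranet zone as in Step 5, and that the federation server's self-signed SSL certificate from Step 2 is trusted on this client, which is the usual cause of a failed home-realm sign-on. The host name, port 443 and the standard IE ZoneMap registry layout are assumptions; the validation callback accepts every certificate only so that the chain errors can be reported.

```powershell
# Added check, not part of the original article. Run on adfsclient.
# Assumptions: host name as used in the article; IE stores per-site zone
# mappings under ZoneMap\Domains\<domain>\<site> with one DWORD per scheme.
param(
    [string]$FsHost = 'adfsaccount.adatum.com',
    [string]$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
function Test-IntranetZoneMapping {
    param([string]$HostName, [string]$Root)
    $labels = $HostName.Split('.')
    $site   = $labels[0]
    $domain = $labels[1..($labels.Length - 1)] -join '.'
    $key    = Join-Path (Join-Path $Root $domain) $site
    if (-not (Test-Path $key)) { return $false }
    # Zone values: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
    return ((Get-ItemProperty -Path $key).https -eq 1)
}

function Test-FederationTls {
    param([string]$HostName, [int]$Port = 443)
    # Completes only the TLS handshake and records the certificate chain validation result.
    $result = @{ Trusted = $false; Errors = ''; Subject = '' }
    $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:sslErrors = $errors
        return $true    # accept so the errors can be reported; diagnostic use only
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $result.Subject = $ssl.RemoteCertificate.Subject
        $result.Errors  = $script:sslErrors.ToString()
        $result.Trusted = ($script:sslErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $ssl.Close()
    } finally { $client.Close() }
    return $result
}

$zoneOk = Test-IntranetZoneMapping -HostName $FsHost -Root $ZoneMapRoot
if ($zoneOk) { "OK: $FsHost is in the Local intranet zone, so integrated Windows authentication is used" }
if (-not $zoneOk) { "WARN: $FsHost is not mapped to Local intranet; expect a credential prompt or a failed sign-on" }
$tls = Test-FederationTls -HostName $FsHost
"Federation server certificate: $($tls.Subject)"
if ($tls.Trusted) { "OK: certificate chains to a trusted root on this client" }
if (-not $tls.Trusted) { "WARN: certificate not trusted ($($tls.Errors)); import the Step 2 self-signed certificate into Trusted Root Certification Authorities" }
```

The zone check reads HKCU, so run it as the same user (alansh) who will use the browser; a mapping under HKLM applies to all users and is not inspected here.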