
Course Transcript

Microsoft Windows Server 2012 R2 - Configuring Advanced Services: Federation

Active Directory Rights Management Services
1. Windows 2012 R2 AD RMS Overview

2. Implementing AD RMS in Windows 2012 R2

3. Protecting Content with Windows Server 2012 R2 AD RMS

Active Directory Federation Services


1. Windows Server 2012 R2 AD FS Overview

2. Installing AD FS on Windows Server 2012 R2

3. Windows Server 2012 R2 AD FS Authentication

4. AD RMS and AD FS in Windows Server 2012 R2


Windows 2012 R2 AD RMS Overview
Learning Objective
After completing this topic, you should be able to
◾ recognize features of AD RMS

1. Meet your instructor


Microsoft Windows Server 2012 R2 - Configuring Advanced Services: Federation

[Welcome to Microsoft Windows Server 2012 R2 - Configuring Advanced Services: Federation]

Hello, my name is Jason Gates and I'm a Microsoft Certified Trainer, or MCT. In this course, I
want to talk to you about two important areas or challenges that administrators face today, that
is, information protection and access scenarios. In regards to information protection, one of our
big nightmares, of course, is important data like intellectual property or customer data or
employee data...well, having that data accidentally leave our organization and be seen by
unauthorized eyes. How do we protect these files? Well, if a file is on a file server, it is
protected by file server permissions, but as soon as it is stuck on a USB drive, those
permissions don't follow the file. That is where Active Directory Rights Management Services,
or AD RMS, comes in. RMS can provide protection for that file, no matter where that file goes.
So it stays encrypted, it stays protected, and only authorized eyes can actually consume that
file.

So in this course, I will show you how to install and configure Rights Management Services.
Now the other scenario or challenge I want to address has to do with access: providing access
between business organizations, providing access to users who are using their own consumer
devices, like iOS devices and tablets, and providing access to the cloud. There are several
challenges with those different types of scenarios. Do we want to create additional Active
Directory environments or additional databases between organizations? Do we need to manage
duplicate users in both organizations? Well, you don't have to with Federation Services.

Federation Services addresses those different access scenarios and provides a simplified
solution to a complex problem. So in this course, we will also look at Federation Services and
how it can help you in those particular scenarios. That is, how it can help you provide access
between business organizations, how it can help you with bring your own devices, or how it
can help you connect to the cloud.

2. AD RMS uses
Protecting content has historically been about where that content lives – as in applying
Windows NT File System, or NTFS, file security or BitLocker drive encryption. But what if that
file content is attached to an e-mail or slips out of the building on a USB drive, so that it is
no longer protected on that file server? Neither those permissions nor that encryption is
going to follow the file. And in today's world, content is especially mobile...well, that is where
Rights Management Services, or RMS, comes in. RMS's job is to provide protection on that file
regardless of where it is living, and it does this by encrypting the content and enforcing
security policies via licenses. Only authorized, licensed users can access RMS-protected
content.

This way data is not leaked unintentionally to unauthorized users – maybe by accidentally
forwarding that e-mail or, you know, a USB drive accidentally leaving the building. RMS will
protect that content and require the user to be authorized before they can access it. Now RMS
is especially designed to work with Office, Office documents, and Office Services like Outlook
and SharePoint. So with RMS, organizations can protect the full scope of different types of
documents and communications, their intellectual property, and their internal communications.
They can protect their customer data and this helps organizations better comply with
regulations and increase their security.

Let's talk now about the RMS topology. Now the typical RMS topology is going to include a
server cluster. Now this can be a single server or a group of servers that are part of the same
RMS cluster. Don't confuse this with failover clustering. An RMS cluster is responsible for
actually providing the certificates and licenses the clients are going to use to protect their
content. The RMS cluster also helps enforce the policies, and it is a central point of
administration. Now the RMS servers are supported by an RMS database, and that is where
you are going to find the configuration, the templates, logs, and all the keys. Then, of course,
there are the RMS clients themselves. And this requires RMS-aware applications that can
enforce the actual licenses and the information in the licenses provided by the RMS cluster.
This includes applications like Office, but it can also work with other applications that have
been made RMS-aware. Now clients create the protected content and then they share it with
other clients who can consume that content. Both the producer and the consumer do this by
interacting with the RMS server cluster using HTTP and HTTPS.

3. AD RMS process
RMS is not much different than Public Key Infrastructure, or PKI, in that it relies on certificates
and trust. For starters, at the top of the trust chain we have the server licensor certificate, or
SLC. This is a self-signed certificate that the RMS servers give themselves, and from that
certificate they issue other certificates and authenticate those certificates. We have the
machine certificate, for instance: machine certificates are issued by the RMS server, digitally
signed by the RMS server, and identify the machines. Next we have certificates and licenses
for protecting or publishing content, and we have certificates and licenses for
consuming content. For example, if I give you a protected file, what you do is use your
rights account certificate, or RAC, to request a Use License, or UL. The rights account
certificate identifies you on your specific computer. The rights account certificate is issued to
you from the RMS server.

Now how did I protect the content in the first place? Well, to protect the content in the first
place, there is a bootstrap process. That is, the first time you protect content, or even
consume content, these certificates are issued to you. So I protected my file, I went and talked
to the RMS server, I authenticated, and it issued to me a client licensor certificate, or CLC,
digitally signed, again, by the server licensor certificate. Then what I do is I use my
CLC to actually issue a Publishing License, or PL, that is attached to the file. Each file has its
own Publishing License, and it contains who can access the file and what they can do with the
file. So I might have a file that restricts who can print it, I might have a file that restricts who
can read it, I might have a file that is read-only, and, of course, these are going to be encrypted.
These are all packaged in the individual Publishing Licenses and will follow the file around. So
it is the CLC that allows me to generate these Publishing Licenses. It is the RAC that allows
you to request a Use License and to consume the content.

So here is a workflow to give you, kind of, a perspective of where those certificates and
licenses fit. So we have got an individual who is our author, and the first thing that they do is
they go into their documents, say for instance Office, and they issue a protect command. In
Office, there is a ribbon and there is the ability to actually apply RMS protection. And when
they do this, there is a bootstrap process that takes place where it talks to the RMS server
through discovery. And in an Active Directory environment, that is done through service
connection points, so that the client can contact Active Directory, find the RMS server, and in
this process request what is known as a client licensor certificate. The RMS server issues
the client licensor certificate that the author can then use to establish the level of protection or
level of access. And this is attached to the file in the form of a Publishing License. The next
thing that happens is the author sends it to the intended recipient. This could be an e-mail,
maybe a shared folder – it does not really matter. The whole point of RMS, remember, is that it is
not relying on some underlying storage technology. So the Publishing License is attached to
the file. It is a part of the metadata.

So when the recipient receives it and goes to open it, if it is the first time they have ever
opened RMS content in the environment, they will talk to the RMS server. If they have already
talked to the RMS server before, then they will simply identify themselves. And in this process
they are going to request a Use License from the RMS server. And the way they do this is they
actually take the Publishing License and present it back to the RMS server, and it is really
interesting because the recipient can't decrypt the Publishing License; they can't read it. They
have to give it to the RMS server, which decrypts it, reads it for them, and says, "Oh! Well, you
are actually in the Publishing License. I'm going to grant you a Use License." So it grants them
a Use License that the recipient can then use to extract the rest of the file, so that is a very
important exchange. Now notice the supporting roles in all of this: the RMS server stores its
configuration, and perhaps its templates and other important keys, in a database. For
discovery and authentication, the RMS server is also reliant on Active Directory.

[A connection of different components is displayed. The AD RMS server is connected to AD
RMS databases, Active Directory, Information author, and Information recipient.]

Implementing AD RMS in Windows 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ install and configure AD RMS

1. Demo: Installing AD RMS


In this next demonstration, I want to show you how easy it is to install Rights Management
Services, or RMS, and talk a little bit about the requirements. So to start things off, I'm
logged in with an account that I have created and dedicated to the installation and
management of RMS. I call it adrmsadmin. I'm on the destination server, the server that will
become my RMS server, and I'm going to do a basic RMS installation. And it is truly
straightforward, much like the other roles. I'm going to use the Add Roles Wizard and I have got
a couple of clicks here, and then it is going to be installed. So I'm going to choose Active
Directory Rights Management Services. Here are the additional features, like .NET 4.5, the
RMS console, and the Internet Information Server, or IIS, components that support RMS. So
of course I need those, so we will add those. We will Next through this, then I have
got the list of actual RMS role services. Notice it is a short list. If I want to integrate RMS with
Active Directory Federation Services, I can certainly do that. I'm not going to do that now. I
have got my IIS components listed here for me; I'm going to need these. I'm not going to make
any changes and we will Install it. Now this will just take a minute or two for it to install, and
then I follow that up with configuration.

[The Windows Start screen is open. The instructor clicks the Desktop tile and the Dashboard
page in Server Manager is displayed. Next the instructor clicks the Add Roles and Features
hyperlink and it opens the Add Roles and Features wizard. Then the instructor clicks the Next
button. Next the instructor selects Active Directory Rights Management Services and a dialog
box listing additional features is displayed. The instructor clicks the Add Features button and
the Add Roles and Features wizard is displayed. Then the instructor clicks the Next button
and stops at the Role Services step. In the view pane, two role services are listed. The two role
services are Active Directory Rights Management Services and Identity Federation Support.
The Active Directory Rights Management Services option is selected. Then the instructor clicks
the Next button and the Web Server Role (IIS) page in the view pane is displayed. The IIS
components are listed in the page. Then the instructor clicks the Next button and then clicks
the Install button.]

Now while it is installing, let me show you some of the prerequisites that you want to be sure
you meet before you actually go through the installation and configuration of RMS. So let me
bring up, first of all, this diagram of my environment. So I have got a variety of servers here
playing different roles. I have got the RMS server that I'm currently installing RMS on, I have
Active Directory, I have a Certificate Authority, or CA, and I have a SQL Server. So one of the
important requirements is to make sure that you have access to a database. Now you can use
the Windows Internal Database on the RMS server itself, but that is really not recommended for
a production environment. It is just for testing. When you configure your database, it is important
to grant the installation account sysadmin privileges, so it can properly configure the database.
You also need to make sure that you maintain the connection, or access, from the RMS server
to the database, so that it can, of course, write to the logs, write the configuration
information, and so forth.

[The Add Roles and Features wizard is open. The instructor navigates to a page displaying a
diagram of different servers connected to each other. The connection of servers is as follows:
HQNet is connected to four servers, which are ENT-RMS1, ENT-DC1 Domain Controller DNS
Server, ENT-APP1 Certificate Authority, and ENT-SQL1. The requirements listed are as
follows: Database access is critical - separate server is recommended; RMS installer
account needs sysadmin permission in the SQL Server instance; Firewall configuration:
HTTP\HTTPS and SQL ports 1433, 1434; RMS server needs to be in same forest as users -
dedicated server is recommended; RMS requires a service account.]

So all of that is going to need to be accessible. So you want to make sure that you have the
proper firewall ports open. The RMS server also needs to be part of the same Active Directory
domain as the users accessing content, or at least in the same forest. It is useful to have a
dedicated server as your RMS server. The reason for that is, if you co-locate it, it complicates
configuration. So, a dedicated RMS server...and not only that, the RMS server might need to be
externally accessible, so putting it on the same machine as a domain controller could, of course,
be a security concern. Then we want to configure a service account for running the RMS
services, and this should not be the system account. So for enhanced security and scalability,
you want to create a service account as well.

[A page having a diagram of different servers connected to each other and the requirements
listed is open. The requirements listed are as follows: Database access is critical -
separate server is recommended; RMS installer account needs sysadmin permission in the
SQL Server instance; Firewall configuration: HTTP\HTTPS and SQL ports 1433, 1434; RMS
server needs to be in same forest as users - dedicated server is recommended; RMS requires
a service account; RMS install account needs to be an Enterprise Admin; Users must have an
email address in AD.]

So let's actually look at a few of these. Let's start by looking at my SQL Server. So we can see
that my installation is complete, but we are still going to take a peek at this first. So here is my
SQL Server, and I have configured my SQL Server with the installation account here,
RMSADMIN. I have added it under the Security node on this SQL Server instance and I have
granted it the appropriate permission that it needs – the sysadmin permissions. I also
needed to enable the SQL Server Browser service, and I have configured the necessary
firewall ports, so my database is accessible. Let's look at Active Directory now. So here is the
actual admin account that I assigned the SQL Server sysadmin permissions to. It is also the
account that I used to install RMS. And if you will notice, it is a member of the Enterprise
Admins group, so it can properly create that service connection point. Then I have got my
dedicated account for RMS services that I have also created. Another thing that I have done
here is I have also created a DNS record for access to my RMS services. All right, so those
are some of the important requirements that you need to have in place. Once you have
designed and planned and installed RMS, you are ready for the next step, and that is to
perform the post-installation configuration.

[A page having a diagram of different servers connected to each other and the requirements
listed is open. The instructor minimizes the screen and the Add Roles and Features Wizard is
displayed. Then the instructor clicks the Finish button to close the wizard and the Server
Manager is displayed. Next the instructor navigates to the SQL Server Installation Center window
and then navigates to the Microsoft SQL Server Management window. The left pane includes a list
of folders. The Security node is expanded and includes the Logins sub-node. The Logins sub-
node consists of a list of login accounts. The account HQ\ADRMSADMIN is selected. The
instructor clicks the account HQ\ADRMSADMIN and the Login Properties - HQ\ADRMSADMIN
window is displayed. The view pane consists of a list of server roles. The server roles public and
sysadmin are selected. Then the instructor navigates to a window that displays the SQL Server
Browser service enabled. Next the instructor navigates to the Active Directory Users and
Computers window. The view pane includes a list of accounts. The ADRMSADMIN account is
selected. The instructor clicks the account ADRMSADMIN and the ADRMSADMIN Properties
dialog box is displayed. The instructor clicks OK and the Active Directory Users and
Computers window is displayed. Next the instructor selects the account ADRMSSVC. Then the
instructor navigates to the page displaying the diagram with different servers connected to
each other.]
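The prerequisites the demo walks through (Enterprise Admins membership for the installer, a dedicated service account, a DNS record for the cluster name, SQL Server reachable on its ports with the Browser service running, and users with an e-mail address in AD) can be checked in one pass before the Configuration Wizard is run. The script below is an added example and is not part of the course; the lab values it uses (ENT-SQL1, ADRMSADMIN, ADRMSSVC, rms.hq.ent.ad) are assumptions taken from the demo, and it expects the RSAT Active Directory module on a Windows Server 2012 R2 or later host.

```powershell
# Added example, not from the course: pre-flight check for the AD RMS prerequisites
# listed in the demo. Lab names below are assumptions; change them for your forest.
Import-Module ActiveDirectory

$InstallAccount = 'ADRMSADMIN'     # account that runs the install and configuration
$ServiceAccount = 'ADRMSSVC'       # dedicated AD RMS service account (not SYSTEM)
$SqlServer      = 'ENT-SQL1'       # external configuration database host
$ClusterFqdn    = 'rms.hq.ent.ad'  # name the cluster URL will use; needs a DNS record

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Registering the SCP needs Enterprise Admins membership. The group lives in the
#    forest root domain, so query that domain explicitly (matters in a child domain).
$rootDomain = (Get-ADForest).RootDomain
$isEa = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive |
        Where-Object { $_.SamAccountName -eq $InstallAccount }
Add-Check 'Installer account is an Enterprise Admin' ([bool]$isEa) $InstallAccount

# 2. The service account must exist and be enabled before the wizard asks for it
#    (the demo shows the wizard rejecting a mistyped account name).
$svc = Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'"
Add-Check 'Service account exists and is enabled' ([bool]($svc -and $svc.Enabled)) $ServiceAccount

# 3. The cluster FQDN must already resolve; the wizard does not create the DNS record.
$dns = Resolve-DnsName -Name $ClusterFqdn -ErrorAction SilentlyContinue
Add-Check 'Cluster FQDN resolves in DNS' ([bool]$dns) $ClusterFqdn

# 4. SQL Server must answer on TCP 1433. UDP 1434 (SQL Browser) cannot be probed with
#    Test-NetConnection, so check the Browser service state on the SQL host instead.
$tcp = Test-NetConnection -ComputerName $SqlServer -Port 1433 -WarningAction SilentlyContinue
Add-Check 'SQL Server TCP 1433 reachable' $tcp.TcpTestSucceeded $SqlServer
$browser = Get-Service -ComputerName $SqlServer -Name SQLBrowser -ErrorAction SilentlyContinue
Add-Check 'SQL Browser service running' ([bool]($browser -and $browser.Status -eq 'Running')) $SqlServer

# 5. Publishing licences name users by e-mail address, so enabled accounts without a
#    mail attribute cannot be granted rights to protected content.
$noMail = @(Get-ADUser -Filter { Enabled -eq $true -and mail -notlike "*" } -Properties mail)
Add-Check 'All enabled users have an e-mail address' ($noMail.Count -eq 0) "$($noMail.Count) user(s) without mail"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'Fix the failed checks before running the AD RMS Configuration Wizard.'
}
```

Run it on the prospective RMS server as the installer account. A failed Enterprise Admins check means the wizard's "Register the SCP now" option will not work and the SCP has to be registered later by an enterprise administrator, exactly the situation the demo describes; the sysadmin grant inside SQL Server is not checked here because it is visible only from the SQL instance itself.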

2. Demo: Configuring AD RMS


In this next demonstration, I want to complete my installation of RMS by walking you through the
Configuration Wizard. Now I should point out something new in Server 2012, and that is the
ability to install RMS on Server Core and to do it remotely; that is not what I have done. I have
actually installed, and I'm configuring, RMS interactively on a dedicated GUI-based installation of
Windows Server. Now since I have done the initial add role, I'm actually alerted to the fact that
I need to perform the configuration. So here in my GUI, it tells me configuration is required and
I have a link that I can jump into. Plus, there are alerts attached to the flag and the Add Roles
Wizard. I'm going to go ahead and click this link here, Perform additional configuration. And
this will take me to the same place where I can walk through the Configuration Wizard with
you. So the first question this wizard presents me is – why are you here, and what do you want
to do? Well, I'm here because I want to create my first RMS server in my root cluster and
configure it. I want to point out though that you can actually add additional servers to your RMS
cluster, so there is an option to join an existing RMS cluster.

[The Server Manager that includes the AD RMS page is open. The view pane includes a
server ENT-RMS1 listed in a tabular format. The IPv4 Address for this server is 10.0.10.4,
and its Manageability value is 'Online - Performance counters not started.' A banner
that states "Configuration required for Active Directory Rights Management Services at E.." is
displayed. Then the instructor clicks the More link and the All Servers Task Details window is
displayed. The window includes information displayed in a table. The instructor clicks the
link 'Perform additional configuration' in the Action column and the AD RMS Configuration: ENT-
RMS1.hq.ent.ad window is displayed. Then the instructor clicks the Next button. The Create or
Join an AD RMS Cluster page having two options is displayed. The two options are Create a
new AD RMS root cluster and Join an existing AD RMS cluster. The option 'Create a new AD
RMS root cluster' is kept selected.]

And I also want to point out that in the text here, it refers to an additional topology or additional
role in RMS called the license-only cluster. So for scalability purposes, it is useful to join an
existing root cluster because members of the same root cluster will share information. But if
you have a special case, a department, or an application that needs to have access to rights
policy templates that no one else in the organization should have access to...well, that might
dictate creating a license-only cluster. For most cases, you are going to be extending your root
cluster using the join option here. I'm going to choose create because this is the first one, and
when I do this it needs to know about the configuration database. Now there are a couple of
options. We have spoken a little bit about these: I can choose a Windows Internal
Database that would be installed and configured on this server. Now that is useful for demos
and for labs, but the recommended approach for production is to use an external server.
So I'm going to put in the name of my external server. Another recommendation that I'm not
following here is to actually refer to my SQL Server using an alias record.

[The Create or Join an AD RMS Cluster page is open. The instructor clicks the Next button and
Select Configuration Database Server page is displayed. The page includes two options:
Specify a database server and a database instance and Use Windows Internal Database on
this server. The option 'Specify a database server and a database instance' is selected. Then
the instructor adds the server name as ent-sql1 in the text field.]

And the reason for that is, in the event the database has to be migrated, using an alias record
gives another level of abstraction and agility to my configuration. I'm just going to actually list
the name of the server directly there, and I can verify that it detects the server name just fine
by going into the Select Computer option there. And then I can select the actual Database
Instance that is available on that server. Here I'm using the DefaultInstance. Now I need to
specify the service account, and this was preconfigured as well. So I have got my service
account ready to go...provide its credential information there...oops, it did not like that. So let
me do that again. Oh! I have a typo. Well, that is why...adrmssvc, and now it is able to verify.
So you saw there what happens if it cannot detect that the account exists – you get a nice
warning message. The next thing I need to do is specify my Cryptographic mode, and there are
a couple of things with this. First of all, in 2012 I can turn on Cryptographic Mode 2 (RSA
2048-bit keys/SHA-256 hashes), which has enhanced cryptography and stronger keys. Now
anytime I'm using enhanced cryptography, one of the things I should be aware of is
compatibility.

[The Select Configuration Database Server page is open. The instructor clicks the Select
button and in the dialog box the instructor enters the object name as ent-sql1 and clicks the
Check Names button to verify it. Next the instructor selects the option DefaultInstance for the
dropdown list labeled as Database Instance. Then the instructor clicks the Next button and
Specify Service Account page is displayed. Next the instructor clicks the Specify button and
Windows Security dialog box is displayed. The dialog box consists of two text field options:
User name and Password. The instructor adds the credentials and clicks OK to verify the
security. The dialog box is closed and the Specify Service Account page is displayed. Then the
instructor clicks the Next button and Specify Cryptographic Mode page is displayed. The page
includes two options: Cryptographic Mode 2 (RSA 2048-bit keys/SHA-256 hashes) and
Cryptographic Mode 1 (RSA 1024-bit keys/SHA-1 hashes). The option 'Cryptographic Mode 2
(RSA 2048-bit keys/SHA-256 hashes)' is selected.]

So one of the things you will need to do when you are selecting your Cryptographic mode is
evaluate your client compatibility. And this has a lot to do with older and legacy clients that
don't have support for Cryptographic Mode 2 (RSA 2048-bit keys/SHA-256 hashes) and
newer clients that might require a hotfix or a service pack to support the latest cryptography
that is found in 2012. So keep that in mind. Client compatibility is an important factor in regards
to what decision you make here. I'm going to select Cryptographic Mode 2 (RSA 2048-
bit keys/SHA-256 hashes) and click Next. In addition to selecting my Cryptographic mode, I
need to identify where I'm going to store my RMS cluster key. And this, of course, is a very
important key because if it is compromised, it is going to affect the integrity of my entire RMS
solution. Now Microsoft recommends using an external cryptographic service provider, or CSP,
for key storage, primarily a hardware security module.

[The Specify Cryptographic Mode page is open. The page includes two options: Cryptographic
Mode 2 (RSA 2048-bit keys/SHA-256 hashes) and Cryptographic Mode 1 (RSA 1024-bit
keys/SHA-1 hashes). The option 'Cryptographic Mode 2 (RSA 2048-bit keys/SHA-256 hashes)'
is selected. The instructor clicks the Next button and Specify AD RMS Cluster Key Storage
page is displayed. The page includes two options: Use AD RMS centrally managed key
storage and Use CSP key storage. The option 'Use AD RMS centrally managed key storage' is
selected.]

What we are going to do for demonstration purposes is have RMS store the cluster key in its
configuration database and protect it with a password. But you will need to have identified, in
your design, how you are going to protect and store the RMS cluster key. I'm going to give
my cluster key protection – a password – here. Now the next question is – where is my RMS
web site? And it has identified that IIS has been installed. Of course, that was installed when I
selected the Add Roles Wizard and chose RMS. This is the IIS-dependent component. A
Default Web Site has been defined. And what it is going to do is create a virtual directory in
that Default Web Site. Now if I have an existing web site on this machine that I want to add
RMS to, I also need additional IIS 6 compatibility. So in the components that I selected during
installation, I want...I would want to include IIS 6 compatibility. Now I'm not doing that; I'm using
the Default Web Site. I can stay with the defaults and click Next. And then I need to decide
how I'm going to provide a connection to that web site – whether I'm going to use Secure
Sockets Layer, or SSL, or I'm going to use just HTTP.

[The Specify Cryptographic Mode page is open. The instructor clicks the Next button and in a
new page the instructor adds the password in the text fields and then clicks the Next button.
The Select AD RMS Cluster Web Site page is displayed. The option Default Web Site is
defined for the parameter 'Select a Web site for the virtual directory.' Then the instructor clicks
the Next button and Specify Cluster Address page is displayed. The page includes two
connection type options: Use an SSL-encrypted connection (https://) and Use an unencrypted
connection (http://). The option 'Use an SSL-encrypted connection (https://)' is selected. The
value of the Port is set as 443.]

Now there are a couple of factors with this. First of all, communication to RMS is going to be
encrypted, but for additional protection, and protection against spoofing, it is recommended that
you use SSL. Also, if I choose unencrypted here, it tells me that I'm going to lose some
integration with Active Directory Federation Services, or AD FS. So if I'm also using this with
AD FS, I want to Use an SSL-encrypted connection (https://). Now I need to provide the
actual Fully-Qualified Domain Name, or FQDN, and so I'm going to use rms.hq.ent.ad.
So here is the actual Fully-Qualified Domain Name that I'm using. Now keep in mind that this
also needs to have corresponding records in DNS. Because I selected SSL, I also need to
identify the certificate that I'm going to use for SSL. Now I can create a self-signed certificate
here. I can also elect to choose an existing SSL certificate if one has been installed already, in
which case I can actually see the different certificates...click on Properties, and identify the
certificate that I want to use. I can also elect to use a certificate for SSL later. If I have actually
already installed the SSL certificate and taken the added step of binding it to the Default Web
Site, then I may not get an option at all to make this selection here. It will just allow me to go
past this point.

[The Specify Cluster Address page is open. The instructor types 'rms.hq.ent.ad' in the text field
labeled 'Fully-Qualified Domain Name:' Then the instructor clicks the Next button and Choose
a Server Authentication Certificate page is displayed. The page includes three options: Choose
an existing certificate for SSL encryption (recommended), Create a self-signed certificate for
SSL encryption, and Choose a certificate for SSL encryption later. The option 'Choose an
existing certificate for SSL encryption (recommended)' is selected. The certificates that are
chosen are listed in a tabular format. The certificates listed are rms.easynomadtravel.com and
rms.hq.ent.ad. To view the Properties and Refresh the page there are two buttons: Properties
and Refresh.]

So since I have not done that, I need to select a certificate. I'm not going to do a self-signed
certificate. I'm going to choose this one here that I created and added for that purpose. Next I
need to give the server licensor certificate, or SLC, a friendly name that I'm going to refer
to the certificate by. And lastly, there is the service connection point, or SCP, which is
used by clients to discover RMS through Active Directory. Now an important thing here is in
regards to who has permission to actually create an SCP. Only members of the Enterprise
Admins group can perform this action. So if you are configuring RMS and you are not a
member of the Enterprise Admins group, then what you will have to do is choose Register the
SCP later and then have your enterprise administrator go into RMS and configure the SCP. In
my case, I created an account just for the installation and configuration of RMS. I have made it
a member of the Enterprise Admins group, so I can select the Register the SCP now option.
This is a summary of the decisions that I'm making, so you can see there is the internal FQDN.
Here is the SSL certificate, here is the actual service account that I have specified, and here is
the Cryptographic Mode. So if everything looks well, I'm going to click the Install button and that
finishes my configuration.

[The Choose a Server Authentication Certificate page is open. The instructor clicks the Next
button and Name the Server Licensor Certificate page is displayed. The page includes a Name
text field that includes the name as ENT-RMS1. Then the instructor clicks the Next button and
Register AD RMS Service Connection Point page is displayed. The page includes two options:
Register the SCP now and Register the SCP later. The option 'Register the SCP now' is
selected. Then the instructor clicks the Next button and Confirm Installation Selections page is
displayed. The page includes the summary of all the options that were selected in the previous
pages. Then the instructor clicks the Install button and the installation progress bar displaying
the installation is in process is displayed. The installation is complete and the AD RMS page in
Server Manager is displayed.]
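Before choosing between "Register the SCP now" and "Register the SCP later", it helps to check the two facts the decision depends on: whether a service connection point is already published in the forest, and whether the account you are installing with is actually an Enterprise Admin. The PowerShell below is an added example, not part of the course; it assumes the ActiveDirectory module is installed, that the SCP lives under CN=RightsManagementServices,CN=Services in the configuration partition (where AD RMS publishes it), and that the cluster URL is stored in the serviceBindingInformation attribute.

```powershell
# Added example: check for an existing AD RMS SCP and for Enterprise Admins membership.
# Assumes the ActiveDirectory module; the container name below is where AD RMS
# publishes its SCP, but treat it as an assumption if your forest differs.
Import-Module ActiveDirectory

# The SCP is forest-wide, so it lives in the configuration naming context.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$rmsServices = "CN=RightsManagementServices,CN=Services,$configNC"

function Get-AdRmsScp {
    # Returns the serviceConnectionPoint object AD RMS clients use for discovery,
    # or nothing if no SCP (or no container) exists yet.
    Get-ADObject -SearchBase $rmsServices -SearchScope Subtree `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties serviceBindingInformation -ErrorAction SilentlyContinue
}

function Test-EnterpriseAdmin {
    param([string]$SamAccountName = $env:USERNAME)
    # Enterprise Admins is a universal group in the forest root domain, so query it there
    # and expand nested groups, which is what the installer's access check sees.
    $rootDomain = (Get-ADForest).RootDomain
    $members = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive
    return [bool]($members | Where-Object SamAccountName -eq $SamAccountName)
}

$scp = Get-AdRmsScp
if ($scp) {
    "SCP already registered: $($scp.serviceBindingInformation)"
} elseif (Test-EnterpriseAdmin) {
    "No SCP found; this account can choose 'Register the SCP now'."
} else {
    "No SCP found and $env:USERNAME is not an Enterprise Admin; choose 'Register the SCP later'."
}
```

Run it as the account you intend to install with; if it reports an existing SCP that points at an old or decommissioned cluster, clients will discover the wrong server, which is the case where you would later use the SCP tab in the console to change or remove it.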

So I finished the installation and I finished the configuration. So let's open up the RMS Console
and have a look around. I'm going to go to the Tools menu, select Active Directory Rights
Management Services and I'm doing this directly on the RMS server. So when I do this, I get
this security certificate error message that appears. Now this message should not alarm you if
you are only getting this when you are directly accessing the RMS Console on the RMS server.
If you get a message like this from a remote location, then that should not tell you that there is
probably something wrong with your certificate. The reason I'm getting this message is there is
a built-in security feature in Windows Server that protects it from certain types of attacks, and
so that is the reason I'm getting this message; I can safely ignore it. Here I am in my RMS
Server Cluster in the console, and there are some things I can change and some things I can't
change. You can see here, here is the Cryptographic mode that is set to 2 – that is something I
can not change. I can see the different URLs, I can scroll down and I can see my database
location. But there are some configuration changes that I can change, and there are some
settings that I might want to change immediately after I install and configure RMS.

[The AD RMS page in Server Manager is open. The instructor clicks the Tools menu and
selects Active Directory Rights Management Services option. The Active Directory Rights
Management Services page having a Security Alert message box is displayed. The message
is "Information you exchange with this site cannot be viewed or changed by others. However,
there is a problem with the site's security certificate." The instructor clicks the Yes button for the
parameter 'Do you want to proceed?' The message box closes and the AD RMS Server
Cluster page in the view pane is displayed. The page includes Cluster details category and
Database category.]

For any reason if I need to alter the Service Account, there is an option to do that here in the
Actions pane. A lot of the cluster administration can be done from the Properties of the RMS
cluster node here. So here I can add an e-mail address as an Administrative Contact. Notice I
can see there is the Cryptographic Mode and the name of the cluster and those are not
changeable. If I go to cluster URL though, this might be where I need to indicate an extranet
URL. And this is where I would recommend doing this if you plan on providing access to RMS
for extranet clients and external clients to do this as soon as possible. So it is part of their CLC,
client licensor certificate. I can also view a few other things in here regarding my configuration.
Here are my RMS servers, here is the service connection point. I can go in and make just a
couple of changes in regards to setting that if I need to do. Here is where I can enable or
disable logging. If I have proxy on my network and that limits access to external networks, well
I need to configure a proxy here. And then, here is my Server Certificate, which I can export
and this is the RMS cluster key.

[The AD RMS Server Cluster page in the view pane is open. The instructor right-clicks the ent-
rms1 (local) node and a shortcut menu is displayed. The instructor selects the Properties
option and ent-rms1 (Local) Properties window is displayed. The page includes seven tabs:
Server Certificate, Proxy Settings, Logging, SCP, General, Cluster URLs, and AD RMS
Servers. The General tabbed page includes 'ent-rms1 (Local)' as the 'Display name for cluster',
'ent-rms1' as the 'Actual cluster name', and the value set for Cryptographic mode is set to 2.
The page also includes a text field to add an e-mail address. Next the instructor clicks the
Cluster URLs tab. The Cluster URLs tabbed page includes two options: Intranet URLs and
Extranet URLs. The instructor selects Extranet URLs. Next the instructor clicks the AD RMS
Servers tab. The AD RMS Servers tabbed page includes the server ENT-RMS1. Then the
instructor clicks the SCP tab. The SCP tabbed page includes an option: Change. The instructor
selects the option, Change. Two more options are displayed. The two options are Set SCP to
current certification cluster and Remove current SCP. The Remove current SCP is selected.
Next the instructor clicks Logging tab. The Logging tabbed page includes an option: Enable
Logging that is selected. The page also includes two text fields labeled as 'Logging server:'
and "Logging database:" The text field labeled as Logging server includes the server name as
ent-sql1 and the text field labeled as 'Logging database' includes the database as
'DRMS_Logging_rms_hq_ent_ad_443.' Next the instructor clicks the Proxy Settings tab and
then clicks the Server Certificate tab. The Server Certificate tabbed page includes 'RMS' as
Friendly name and Production as Hierarchy. The page also includes Export Certificate button.
Then the instructor clicks the Cancel button and the AD RMS Server Cluster page is
displayed.]

Additional management tasks can be found in regards to the policies and the operations of
RMS. If I expand it you can see there is Trust Policies, Rights Policy Templates, Rights
Account Certificates and we are going to be looking at those a little bit later on. Now one final
thing I want to bring up is the Super Users group. The Super Users group might be another
configuration you consider after you install RMS. And the Super Users group is a special group
that is granted full owner rights or recovery permissions. So content that has been expired or
content that does not actually require the author's credentials, well it is accessible by the Super
Users group and even if a template is deleted the Super Users group...members of the Super
Users group can still access that content. One of the things to be aware of though is that the
Super Users group – because of its power and scope – really needs to be regulated, needs to
be audited, and you might not even enable it at all. So you might consider not using it.

[The AD RMS Server Cluster page in the view pane is open. The instructor expands ent-rms1
(Local) node in the left pane. The sub-nodes are Trust Policies, Rights Policy Templates,
Rights Account Certificates, Exclusion Policies, Security Policies, and Reports. The instructor
navigates to a page displaying a diagram of different servers connected to each other. The
connection of servers is as follows: HQNet is connected to four servers that are ENT-RMS1,
ENT-DC1 Domain Controller DNS Server, ENT-APP1 Certificate Authority, and ENT-SQL1. The
page includes a list of points for SUPER USERS GROUP. The points are: special group granted
recovery permissions (full owner rights); members of the Super Users group can recover expired
content or content without author credentials; must have an e-mail address attribute; must be
enabled; be wary of using.]

If you do decide to use the Super Users group, you can configure it in your Rights
Management Console on your Security Policies. It is not enabled by default. There is an option
to change that, here it says, "Super users is disabled." But in my Actions pane I can enable it.
Once it is enabled, I need to identify what group in Active Directory that I'm going to use as a
Super users group. So I can change that by selecting that change link and then set the Super
user group. Here I think that is enough...there we go ADRMS Super Users. I have
predefined this group in Active Directory. So if you are going to use a Super user group, it
needs to be a Distribution group. It needs to have an e-mail address attribute and it ideally is a
universal group, so that it is available in the global catalog, especially if you have multiple
domains. So you want to be able to resolve its members from any domain, so I have already
set that up and I can click OK to that, and that is how you set your Super user group. So those
are a couple of configurations you might consider after you do your installation and
configuration of RMS.

[The page displaying a diagram of different servers connected to each other is open. The
instructor minimizes the screen and the AD RMS Server Cluster page is displayed. Then the
instructor clicks the Security Policies sub-node and the view pane includes the Security
Policies page. The page includes a link, 'Change super user settings.' The instructor clicks the
link 'Change super user settings' and it displays a banner that states 'Super users is disabled.'
Next the instructor clicks the option: Enable Super Users, in the Action pane. The banner
changes to 'Super users is enabled.' The instructor clicks the link 'Change super user settings'
and in the Super Users dialog box, the instructor sets the super user group as
ADRMSSuperUsers@easynomadtravel.com. The instructor clicks OK and the Security
Policies page is displayed. The page includes a parameter 'Super user group' that has the
value as 'ADRMSSuperUsers@easynomadtravel.com.']
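The group the course describes (universal scope, distribution type, mail attribute set, then selected on the Security Policies node) can be created and wired up from PowerShell, which also makes it easy to audit. This is an added example, not part of the course: the OU path, cluster URL and group name are assumptions, and it uses the AdRmsAdmin provider that the AD RMS role installs on the cluster server, whose SecurityPolicy\SuperUser item carries the IsEnabled and SuperUserGroup properties.

```powershell
# Added example: create the Super Users group and enable it on the cluster.
# Assumptions: OU path, cluster URL and group name; run on the AD RMS server
# as an AD RMS Enterprise Administrator.
Import-Module ActiveDirectory
Import-Module AdRmsAdmin   # installed with the AD RMS role

$groupName = 'ADRMSSuperUsers'
$groupMail = 'ADRMSSuperUsers@easynomadtravel.com'
$ouPath    = 'OU=Groups,DC=hq,DC=ent,DC=ad'     # assumed OU

# Universal + Distribution + mail attribute, as the course requires, so the
# group resolves from the global catalog in every domain of the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Distribution `
        -Path $ouPath -OtherAttributes @{ mail = $groupMail }
}

# Mount the cluster as a PSDrive; the provider exposes the security policy as items.
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root 'https://rms.hq.ent.ad' | Out-Null

# Super Users is disabled by default; enable it and point it at the group's e-mail address.
Set-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser -Name IsEnabled      -Value $true
Set-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value $groupMail

# Read the setting back so the change is recorded in the same session.
Get-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser | Select-Object IsEnabled, SuperUserGroup

# Because members can decrypt any content the cluster protects, list the membership
# every time this policy is reviewed; an empty list is the expected steady state.
Get-ADGroupMember -Identity $groupName -Recursive | Select-Object Name, SamAccountName
```

Keep the group empty until a recovery is actually needed, add the member for the duration of the task, and remove it afterwards; that is the "regulated and audited" use the course recommends.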
Protecting Content with Windows Server 2012
R2 AD RMS
Learning Objective
After completing this topic, you should be able to
◾ configure AD RMS policies

1. AD RMS rights policy templates


Now when I hear the word template I would think saving time...and Rights Management
Services, or RMS, Policy templates like any other template does just that. Its job is to save
time and provide consistency. Now it accomplishes this because it basically is a predefined set
of permissions for specific users and groups in your organization. So it helps administrators
because they can define these, which allows them to enforce access boundaries around
certain types of content, while the end users are provided a very easy way to apply security.
So the templates can be tailored to meet different business needs and compliance
requirements. For instance, you might create a template that restricts who can actually edit a
specific RMS type of document – maybe the finance document; you don't want them to be able
to be printed. So you can disable printing, you can disable macros, you can limit maybe save
permissions. So RMS templates are really about making it easier for users and making it
easier for administrators to apply protection.

2. Demo: AD RMS rights policy templates


In this first demonstration, I want to show you how to actually protect content without using a
Rights Policy template. So I'm going to log in to the domain as a standard username jupiter
and we are going to go to my Desktop here, and I'm going to open up Word and it is
prompting me for activation. We will just ignore that and we will send a Secret note to my
friend in Saturn. Now what I can do is I can go to File here and this is Office 2010. And
because I'm using Windows 8.1, it has some RMS client in it, and because I'm using Office
2010, which also has an RMS client in it, so it is an RMS-enabled application. I can choose
Protect Document and I have several different options including the option to Restrict
Permission by People. Here I can choose Restricted Access and I can apply protections
that are enforced by my RMS solution. So I click Restrict permission to this document.

[The ENT-Client1 on V96 - Virtual Machine Connection window is open. The window includes
two user login tiles: HQ\jupiter and Other user. The instructor clicks HQ\jupiter and adds the
password in the password text field to login. The Windows 8.1 Start screen is displayed. Then
the instructor clicks the Desktop tile and then opens WinWord using the Run command. The
Word document is open. The instructor types 'Secret note to Saturn' in the Word document. Next
the instructor clicks the File menu and from the list of options, the instructor selects the Info
option. In the view pane, the instructor clicks Protect Document option and list of options are
displayed. The instructor selects 'Restrict Permission by People' and in it selects the option
'Restricted Access.' The Permission dialog box having two text fields labeled as 'Read' and
'Change', and an option 'Restrict permission to this document' are displayed. The instructor
selects the option 'Restrict permission to this document.']

Now the first time that jupiter does this, you might actually see a message pop up indicating
the communication between the RMS server and the client because I have actually done that
already. I have not seen that network dialog box come on. Now I can indicate what kind of
access I want to provide – Read access or Change access or I can say Give all users Read
access. If I choose More Options, I can actually see my access levels in more detail including
the ability to do things like print expiration on the document, limit printing, limit copying, and so
forth. In my case, I'm going to Add saturn and we are going to grant them Read permission
like so. Now I'm going to Save this document and I'm going to save it on the Network. Now I'm
saving it on the RMS server but that has nothing to do with the protections. The document can
go anywhere really and as long as Saturn can talk to the RMS server and retrieve a Use
License, then they can consume the content.

[The Permission dialog box is open. The instructor clicks the More options button. The More
options dialog box includes a tabular format having a list of users been provided permission to
the document. The table consists of two columns: Name and Access Level. The column Name
contains an entry as jupiter@easynomadtravel.com, which has the Access Level as Full
Control. The additional permission for users is listed below. The options are 'This document
expires on,' 'Print content,' 'Allow users with read access to copy content', and 'Access content
programmatically.' Next the instructor clicks the Add button and Add Users dialog box is
displayed. The instructor types 'saturn@easynomadtravel.com' in the text field labeled as
Read and then clicks OK to close the Add Users dialog box and Permission dialog box. The
Word document having the Info option selected is displayed. Then the instructor saves the
document as 'Secret note to Saturn.']

So let me actually stop for a moment and just reiterate what happened. When I actually applied
protections what happened is the RMS server issued me a Publishing License, and it could
actually have been issued from my client licensor certificate, or CLC. There is a process called
bootstrapping, so the very first time that a client communicates with the RMS server, the RMS
server provides the necessary certificates. Now I had already gone through that bootstrapping
process, I described that a moment ago, and so I had my client licensor certificate, I use that to
generate a Publishing License, and in that Publishing License, it indicates that Saturn has
Read permission and that jupiter has Full Control. That is now attached to the metadata of this
file and we will follow this file wherever this file goes.

[The Windows Word document is open.]

Now to consume this content, let's jump over to Saturn's machine. Here is Saturn, and Saturn
is going to open this up. Now Saturn is using Office 2013, which is the latest version of Office.
Again, it is also using RMS 2.0 – the latest RMS client, and it is a separate download that I
included on this machine. Now Saturn has not gone through the bootstrapping process and
that is what is actually presented here. It says, "To create and consume content with restricted
access, you must contact your RMS server and here is the URL." So we are going to say OK
to that. It is going to prompt me to authenticate and during this process Saturn is going to
receive the rights account certificate or the RAC and use the RAC to request a Use License,
which contains the necessary keys to decrypt the file. And there we are "Secret note to
Saturn." Now I'm getting a couple of additional messages. Notice – it tells me how I have to
activate because it is a new installation and I have not put the product key in. But the point I
want to make is notice that it flags me that this actually has been restricted and I can choose
View Permission and it tells me exactly what kind of permissions I have. So that is actual
RMS in action but without Rights Policy templates. And Rights Policy templates are going to
make it a lot easier, so let's look at that next.

[The Windows Word document is open. The instructor closes the word document and
navigates to Saturn machine. The instructor opens the Docs folder and double clicks the word
document 'Secret note to Saturn.' The Active Directory Rights Management Services message
box is displayed. The instructor clicks the OK button and Windows Security dialog box is
displayed. Then the instructor types the credentials for username and password and clicks OK.
The Word document having the text 'Secret note to Saturn' is displayed. Two messages are
displayed at the top of the screen. The first message states 'RESTRICTED ACCESS
Permission is currently restricted. Only specified users can access this content.' The instructor
clicks the View Permission button and My Permission dialog box is displayed. The dialog box
lists the types of permission granted to the user and then the instructor clicks OK and the
Word document is displayed.]

Remember what a Rights Policy template is for. It really helps automate the application and
enforcement of our RMS permissions, helps users and the administrators, and provides a
more consistent environment. Now in order to use Rights Policy templates, clients have to
have them available so they can click on them and apply them to their documents. So we need
to consider how we are going to distribute them from our RMS server. Now there are three
different ways of doing this. You can export your Rights Policy templates from the configuration
database, put them in a shared folder, and push them out via scripts and Group Policy. Or if
you have a new generation of clients – say Vista Service Pack 1 or greater, you can configure
a scheduled task and rely on a registry path and this enables these clients to periodically pull a
shared folder location, and retrieve the latest Rights Policy templates. With the latest clients
and the latest product of Office, you have improvements in regards to this automatic retrieval
of Rights Policy templates. So with Office 2013 and the separate download of RMS client 2.0,
they have improved the ability for clients to retrieve the Rights Policy templates and remove
some of the administrative tasks around them.

[The Windows Word document is open. The document includes points on Distribute Rights
Policy Templates. The points listed are as follows. 1) Manually - shared folder\scripts. 2)
Automatically (Vista SP1+) - scheduled task. 3) Improved Automatically - with Office 2013 and
AD RMS Client 2.x (SP2+).]

So what I want to do is walk you through configuring and distributing Rights Policy templates.
So let's distribute some Rights Policy templates. I'm in my RMS Console, I'm going to right-
click the Rights Policy Template node here, and the first thing I need to do is to find a template
files location. I do that by going to the Properties and enabling the export option and
identifying a location. So I'm going to put in a Universal Naming Convention, or UNC, here.
Now this is a shared folder, I have predefined this, and I have assigned it the appropriate
permissions. Let me show you what it looks like here. Here is my RMSTemplates folder, and if I
go to the Properties and go to Security, what is real important is that the RMS service
account has Write permission. And the reason why Write permission is important, of course, it
needs to be able to publish those templates there. Users need to be able to consume those
templates, so they need to have Read permissions. So wherever you are going to apply those,
whether using groups or individual users, the appropriate permissions need to be in place, and
this will actually bark at you if it is not. So we are going to click OK, there we go.

[The Windows Word document is open. The document includes points on Distribute Rights
Policy Templates. The instructor navigates to RMS console that includes a navigation pane
and view pane. In the navigation pane, the node Rights Policy Templates is selected. The
instructor right-clicks the node Rights Policy Templates and a shortcut menu is displayed. Then
the instructor selects the Properties option and Rights Policy Templates Properties dialog box
is displayed. The instructor selects the option Enable export and specifies the location as
'\\entrms1\rmstemplates.' Then the instructor navigates to C: drive and selects the folder
RMSTemplates. Next the instructor right-clicks the RMSTemplates folder and a shortcut menu
is displayed. The instructor selects the Properties option and the RMSTemplates Properties
dialog box is displayed. The instructor clicks the Security tab and the Security tabbed page
includes Group or user names listed and Permissions for each group or user having options,
'Allow' or 'Deny'. Next the instructor clicks the OK button and the C: Drive folder is displayed.
Then the instructor navigates to Right Policy Templates Properties dialog box and closes the
dialog box by clicking the OK button. The RMS console having Distributed Rights Policy
Template Information in the view pane is displayed. The page includes the Template file
location as "\\ent-rms1\rmstemplates."]

Now the next thing I'm going to do is create my Rights Policy template and I do that from the
Actions pane and this starts...the creates Rights Policy Template Wizard. So the first thing to
do is give it a name. So I'm going to call it ENT CC for Easy Nomad Travel Company
Confidential...Next. Now here is the heart of my template. This has to do with which
users are going to have which rights. So what I can do is click Add and put in the e-mail
address of a user or a group. So I want to point out that we are using e-mail addresses. So I
have said this earlier and that is the users and groups that you are going to be using with
RMS...need to have the e-mail attribute defined. So I have got a group defined called
employees and its e-mail address has been defined on the object in Active Directory or I can
choose the Anyone option there. Now let's have a look here at these permissions. Now for this
permission or this template, the permission I want to set is View but notice I have many other
options. We can grant Full Control to a particular group of users, we can grant Edit, Save
permissions, control printing, control forwarding, control replying for e-mails, allow or disallow
macros, viewing or not viewing, and even editing the permissions here and you can create
custom rights. Now one of the things I should point out is these permissions are enforced by
the RMS client and the RMS aware application.

[The RMS console that includes Distributed Rights Policy Template Information in the view
pane is open. The instructor clicks the Create Distributed Rights Policy option in the Actions
pane. The Create Distributed Rights Policy Template is displayed. The template includes five
steps that are listed in the navigation pane. The five steps are listed below. 1. Add Template
Identification Information 2. Add User Rights 3. Specify Expiration Policy 4. Specify Extended
Policy 5. Specify Revocation Policy The first step 'Add Template Identification Information' is
selected. The view pane includes a table titled as Template identification and it has three
columns: Language, Name, and Description. Below the table there are three buttons: Add,
Edit, and Remove. The instructor clicks the Add button and Add New Template Identification
Information dialog box is displayed. The language option is set as English (United States).
Next the instructor types the Name in the text field as ENT CC and in the description field the
instructor types 'Easy Nomad Travel Company Confidential.' Then the instructor clicks the Next
button and the second step to Add user rights page is displayed. The instructor clicks the Add
button and in the Add User or Group dialog box, the instructor types
'employees@easynomadtravel.com' in the text field for the option 'The e-mail address of a
user or group.' The other option is Anyone. Then the instructor clicks OK and the dialog box
closes. Next the Add User Rights page includes a list of permissions. The instructor selects the
option View Rights. The page also includes a Create Custom Right button and an option 'Grant
owner (author) full control right with no expiration' that is selected.]

Occasionally, there might be a slight difference in the way that applications enforce or interpret
these permissions. So for example, with the Save as permission the question might be – well
does protection follow the new copy that is created when you Export or do a Save as? Well
that depends on the RMS aware application, so keep that in mind. Then we have got Grant
owner (author) full control right with no expiration, so this is like the owner creator and
owner permission in Windows NT File System, or NTFS. So we granted Full Control and that is
a good option to have and then we have Rights request URL. This is also useful and that you
can have within your business a procedure and a place where users, who need to request
additional permissions, have a place to go. They can send an e-mail and they can say, "Hey, I
need these other permissions." And based on your business there, you might be qualified or
not qualified but you have a place to go to, kind of, mitigate their inability to access a
document. So this is your user and rights and really, kind of, the heart of the template. There
are a couple of other settings I can define. I can put an expiration on the content, I can do
some custom settings in the Extended Policy – a tab, and then here in number five, I can
define a Revocation Policy.

[The Add User Rights page is open. The text field labeled as 'Rights request URL:' is empty.
The instructor clicks the Next button and the page modifies to the third step 'Specify Expiration
Policy', then to fourth step 'Specify Extended Policy', and then finally to 'Specify Revocation
Policy.']

Now there are some implications with using these others say, for instance, that a Revocation
Policy in 2008 R2 – this is actually no longer supported. So if you use it, you want to be, you
know...thoroughly understand the implications of using revocation. I'm going to just stop here
and I'm not going to define any of the other settings. But we will stay with just that basic set of
permissions, so there is my first policy template. The next thing I want to show you is how to
distribute the templates to the clients, and remember there are three different ways: manually,
automatically, and using the new RMS client 2.0. I'm going to show you the automated way
and the new way. Manually just really means about...it really means just copying the template
files and making the registry changes. Now if you are going to do it automatically, that really
means that you are relying on a scheduled task. So if I go into Task Scheduler and I drill down,
I can find the Active Directory Rights Management Services Client scheduled tasks and there
are two; one for automatic retrieval and one for manual retrieval. And I can right-click on this
and I can Run this, I can Enable this. And this will automatically retrieve the latest templates. I
think it is every seven days. I think...is what is configured by default. But you can come in here
and you can actually alter this by changing the values here.

[The Add User Rights page having the final page 'Specify Revocation Policy' is open. The
instructor clicks the Finish button and the RMS console having Distributed Rights Policy
Template Information page is displayed. The policy ENT CC is listed in the page. Then the
instructor navigates to the Task Scheduler window and in the navigation pane under the
Windows node, selects the sub-node Active Directory Rights Management Services Client.
The view pane includes two templates listed that are AD RMS Rights Policy Template
Management (Automatic) and AD RMS Rights Policy Template Management (Manual). The
instructor right-clicks the AD RMS Rights Policy Template Management (Manual) and a
shortcut menu is displayed. The shortcut menu includes the options: Run, End, Disable,
Export, Properties, and Delete. Similarly the instructor right-clicks the AD RMS Rights Policy
Template Management (Automatic) and a shortcut menu is displayed. The shortcut menu
includes the options: Enable, Export, Properties, and Delete. The instructor clicks the Run
option for 'AD RMS Rights Policy Template Management (Manual)' and clicks the Enable
option for 'AD RMS Rights Policy Template Management (Automatic).']

Now that is not the only thing I need to do, that is certainly enough to retrieve the template
files, which I have actually done already. They get stored in the local computers in the Users
profile, in the AppData location under a folder called DRM. And you can see I have created a
Template, so I have got a couple of templates. So we have already been retrieved and you can
copy these down manually. The next question is – how do I inform my rights-aware
applications of these templates? Well that is done in a registry change, so I'm in my Registry
Editor in this location here for Office. And what I need to do is create a New expandable string
and this is called AdminTemplatePath, and I need to configure this with that local AppData
location and I would go ahead and put the path in this notepad to make this fast and easy for
the demo, there we go...click OK to that. Now that I have done that when the user goes to
Office, say they open up Word and then they want to actually protect this document, they go
Protect Document and you can see there is the template. So just with a single click, they can
apply those permissions without having to select the different permissions themselves.

[The Task Scheduler window having the Active Directory Rights Management Services Client
sub-node selected is open. The instructor navigates to the folder Templates in the following
path: %localappdata%\Microsoft\DRM\Templates (that is, AppData\Local\Microsoft\DRM\Templates
in the user profile). The folder contains two templates. Next the instructor navigates to Registry
Editor at the following location:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM. The
instructor right-clicks on the screen and a shortcut menu having the option New is displayed.
The New option includes further more options: Key, String Value, Binary Value, DWORD (32-
bit) Value, QWORD (64-bit) Value, Multi-String Value, and Expandable String Value. The
instructor selects Expandable String Value option and the instructor names it as
AdminTemplatePath, which has the value data as '%localappdata%\Microsoft\DRM\Templates'
Next the instructor navigates to the Windows 8.1 Start screen and types winword in the search
bar. Then the instructor clicks enter and it opens the Windows Word document. Next the
instructor clicks the Protect Document option and mouse hovers on the multiple options in
Restrict Permission by People. The options are Unrestricted Access, Restricted Access, ENT
CC, Finance, and Manage Credentials. Next the instructor clicks the ENT CC option and the
Permissions for the Protect Document changes to ENT CC: Easy Nomad Travel Company
Confidential.]
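The distribution steps shown in the demo (server-side share with the right NTFS permissions, then the client-side AdminTemplatePath value and the two scheduled tasks) are repeated below as a script, which is the form you would actually push through Group Policy or a deployment tool. This is an added example, not part of the course: the folder path, share name, service account and reader group are assumptions; the registry key is the Office 2010 (14.0) key from the demo, the task names are the ones shown in Task Scheduler, and part 2 must run elevated because the tasks live under the Microsoft\Windows task folder.

```powershell
# Added example: template distribution as two scripts. Part 1 runs on the RMS server,
# part 2 on an Office 2010 client. Paths, share name, service account and reader
# group below are assumptions.

# ---- Part 1: server side (share the template export folder) -----------------
$folder     = 'C:\RMSTemplates'
$shareName  = 'rmstemplates'
$rmsService = 'HQ\svc-adrms'        # assumed AD RMS service account
$readers    = 'HQ\Domain Users'     # assumed group that consumes templates

New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl $folder
$acl.SetAccessRuleProtection($true, $false)   # explicit grants only, no inherited ACEs
$rule = { param($who, $rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow') }
$acl.AddAccessRule((& $rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((& $rule $rmsService 'Modify'))          # must write the exported templates
$acl.AddAccessRule((& $rule $readers 'ReadAndExecute'))     # clients only read them
Set-Acl -Path $folder -AclObject $acl

if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    # Share permissions mirror the NTFS grants; NTFS remains the effective control.
    New-SmbShare -Name $shareName -Path $folder `
        -ChangeAccess $rmsService -ReadAccess $readers | Out-Null
}
# After this, enter \\<server>\rmstemplates as the export location in the console.

# ---- Part 2: client side (Office 2010 = version 14.0), run elevated -------------
$drmKey = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
# REG_EXPAND_SZ so %localappdata% resolves per user, exactly as the demo sets it.
New-ItemProperty -Path $drmKey -Name AdminTemplatePath -PropertyType ExpandString `
    -Value '%localappdata%\Microsoft\DRM\Templates' -Force | Out-Null

$taskPath = '\Microsoft\Windows\Active Directory Rights Management Services Client\'
Enable-ScheduledTask -TaskPath $taskPath `
    -TaskName 'AD RMS Rights Policy Template Management (Automatic)' | Out-Null
Start-ScheduledTask  -TaskPath $taskPath `
    -TaskName 'AD RMS Rights Policy Template Management (Manual)'

# Verify what actually arrived in the per-user template cache.
Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates') |
    Select-Object Name, LastWriteTime
```

If the template list in Word stays empty after this, check the three things in order: the exported files are present on the share, the Manual task ran without error in Task Scheduler's History tab, and the AdminTemplatePath value is an expandable string rather than a plain REG_SZ, since Office will not expand %localappdata% in the latter.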

Now let me show you what this looks like with the new RMS client. So that was really kind of a
look at the automatic way of doing it. And by the way, it may not seem very automatic because
we had to make a registry change and turn on the scheduled task, you know, you can do those
things through Group Policy. I should point that out before I go into the next part. Here is, if I go
to client one here and open up Group Policy, you can create an RMS Policy that actually sets
those registry keys, and configures that scheduled task. That might be one way you do that,
you might do System Center, you might do scripts. All right, the new way to do this with the
latest in Office 2003 and the RMS client is to not do anything really except create your
templates. And that is because you can go in here and retrieve the templates with this option
here. So I can choose connect to RMS and retrieve those templates and there they are. So
that is amazing, I did not have to do any registry change, I did not have to do anything in
regards to Group Policy. I was able to retrieve those from the configuration database. So they
continue to make this easier and easier with new...with each new release of RMS and, of
course, Office and the other rights-aware applications.

[The Word document is open. The instructor navigates to ENT-Client2 on HV96 - Virtual
Machine Connection. The Office 2003 RMS client window is displayed. The page includes a
navigation pane that consists of the following tabs: Info, New, Open, Save, Save As, Print,
Share, Export, Close, Account, and Options. The Info tab is selected and in the view pane the
Info page is displayed. The page includes three options: Protect Document, Inspect Document
(Check for Issues), and Versions (Manage Versions). Then the instructor minimizes the screen
and navigates to ENT-Client1 on HV96 - Virtual Machine Connection. The instructor opens
Group Policy Management Editor, which lists a registry key in the view pane. The registry key is
DRM. Next the instructor minimizes the screen and navigates back to ENT-Client2 on HV96 -
Virtual Machine Connection. The Office 2003 RMS client window is displayed. The instructor
clicks the Protect Document option and a list of options is displayed. The list includes Mark
as Final, Encrypt with Password, Restrict Editing, Restrict Access, and Add a Digital
Signature. Then the instructor selects the Restrict Access option and another option is
displayed: 'Connect to Rights Management Servers and get templates.' The instructor selects
the option 'Connect to Rights Management Servers and get templates.' Again the instructor
clicks the Protect Document option and selects the option Restrict Access. The Restrict Access
option now opens a list of options: Unrestricted Access, Restricted Access, ENT CC, and
Finance.]
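The registry value and scheduled task the demo configures by hand on the client can be set from a script (or pushed as Group Policy Preferences, as the instructor notes). The following is an added example and is not code from the course; it assumes the Office 14.0 registry hive shown in the demo, the default template download folder under %LOCALAPPDATA%, and the name of the AD RMS client template task given below, which should be checked against Task Scheduler on your own build.

```powershell
# Added example (not from the course): configure an Office client so that rights
# policy templates are downloaded and visible under Protect Document, mirroring
# the Registry Editor and Task Scheduler steps in the demo.
# Assumptions: Office 14.0 hive as in the demo; the scheduled task name and path
# below (verify in Task Scheduler); templates are stored as .xml files.

$drmKey       = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$templatePath = '%localappdata%\Microsoft\DRM\Templates'
$taskPath     = '\Microsoft\Windows\Active Directory Rights Management Services Client\'
$taskName     = 'AD RMS Rights Policy Template Management (Automated)'   # assumption

function Set-RmsTemplatePath {
    # Create the DRM key if needed and write AdminTemplatePath as REG_EXPAND_SZ so
    # %localappdata% is expanded per user when Office reads it.
    if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
    New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -Value $templatePath `
        -PropertyType ExpandString -Force | Out-Null
    (Get-ItemProperty -Path $drmKey -Name 'AdminTemplatePath').AdminTemplatePath
}

function Enable-RmsTemplateTask {
    # The client task that pulls templates from the cluster is disabled by default.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
    if ($task.State -eq 'Disabled') { $task | Enable-ScheduledTask | Out-Null }
    # Run it now instead of waiting for its trigger, then report the state.
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    (Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).State
}

function Test-RmsTemplates {
    # Confirm that templates actually arrived where AdminTemplatePath points.
    $folder = [Environment]::ExpandEnvironmentVariables($templatePath)
    Get-ChildItem -Path $folder -Filter '*.xml' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
}

Set-RmsTemplatePath
Enable-RmsTemplateTask
Test-RmsTemplates
```

Run it in the user's own session (the key is under HKCU). If Test-RmsTemplates returns nothing, the task ran but could not reach the cluster's template distribution pipeline, which is the first thing to check before touching Office.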

3. Demo: AD RMS exclusions and recovery


Let's have a look now at some of the other administration tasks that I can do for RMS. For
example, one of the things I can do is I can configure Exclusion Policies. An Exclusion Policy
allows me to, kind of, restrict applications, users, or specific RMS versions from using my RMS
Services. So I can come in here and I can exclude a specific user. I click the link, I can enable
it, and then I can specify the user by their rights account certificate, putting in their e-mail
address. I can also do this for Applications. I can come in and select an application and
indicate the application by putting in the actual application's executable file name and putting
in the specific versions that I want to restrict. And finally, I can do this also based on RMS
clients, which they refer to here as the Lockbox. So there is an older RMS solution that I was
using and I want to restrict it. I can do that here as well.

[The RMS console is open. In the navigation pane, the ent-rms1 (Local) node is expanded and
its sub-node Exclusion Policies is selected. The view pane shows the Exclusion Policies page.
The page includes two sections: User Exclusion and Application Exclusion. The User Exclusion
section includes a link: Manage AD RMS user exclusion list. The instructor clicks the link
'Manage AD RMS user exclusion list' and then clicks the Enable User Exclusion option in the
Actions pane. Next the instructor clicks the Exclude RAC option in the Actions pane. The
Exclude User dialog box is displayed. The dialog box includes two options: 'Use this option for
excluding rights account certificates of internal users who have an Active Directory Domain
Services account' and 'Use this option for excluding rights account certificates of external
users who do not have an Active Directory Domain Services account.' The first option is
selected. The instructor clicks the Cancel button and the RMS console is displayed. Next the
instructor clicks the Applications node in the navigation pane, which is a sub-node of Exclusion
Policies. To enable Application Exclusion, the instructor clicks the Enable Application Exclusion
option in the Actions pane. The 'Add application to be excluded' page is displayed. The page
includes three text fields labeled Application file name, Minimum version, and Maximum
version. The instructor enters APP EXE as the Application file name, 1 as the Minimum version,
and 3 as the Maximum version. The instructor then clicks the Cancel button and the RMS
console is displayed with the Application Exclusion Information section. Next the instructor
clicks the Disable Application Exclusion option in the Actions pane. Next the instructor clicks
the Lockbox node in the navigation pane, which is a sub-node of Exclusion Policies. The view
pane displays the Lockbox Version Exclusion section.]

4. Demo: Using AD RMS to protect content


The last thing I want to do is talk about extending the scope of RMS to include partner
organizations. So we have, underneath Trust Policies, Trusted User Domains and Trusted
Publishing Domains. Now a Trusted User Domain is a trust between RMS clusters that are in
different forests, and this is going to allow an RMS server to accept certificates for users which
were issued by a partner's RMS cluster. It is not quite the same as a forest trust in Active
Directory, but it does help configure each environment to accept each other's identities – for
RMS purposes, I should add. Now in order to do this, you need to import and export domain
information. So I'm going to import the other domain. I have got another domain called
unitogames and so I have already saved or created the exported information. So we are just
going to Browse to the share here and it is a binary file and click Open. And we will call it UG
for short and there it is – it has been added. And then what I would need to do is export it so
they can import the information for this domain, which is easynomadtravel. So we will choose
export and we'll call it ENT and we will Save that, so now they – on the other end in their RMS
cluster – can import that.

[The RMS console is open. In the navigation pane, the Trust Policies node, which is a sub-node
of ent-rms1 (Local), is selected. The view pane shows the Trusted User Domains section. The
Trust Policies node is expanded and includes the Trusted User Domains and Trusted Publishing
Domains sub-nodes. The instructor selects the sub-node 'Trusted User Domains.' The view pane
includes a Trusted User Domain Information section. The instructor clicks the Import Trusted
User Domain File option in the Actions pane. The Import Trusted User Domain File dialog box
is displayed. It includes two text fields. The text field labeled 'Trusted user domain file' contains
the following path: \\ug-app1\public\unitogames.com.bin. The instructor types 'UG' in the text
field labeled 'Display name' and clicks the Finish button. Next the instructor navigates to the
RMS console; in the Trusted User Domains section, the domains listed are UG and Enterprise.
The instructor then selects the domain Enterprise and clicks the option 'Export Trusted User
Domain File' in the Actions pane to export the binary file, saved with the file name ENT.]

Now there are a couple of other implications and other configurations that you need to do. So
there are some other requirements in regards to Trusted User Domains. You need to ensure
that you have got name resolution. So I have already configured DNS forwarding, so that
name resolution is successful and, of course, network access. We just demonstrated the
exchange of the binary files. Another important thing is the RMS servers need to detect
which domain or which forest the users belong to, and that is done through the Exchange
attribute. And if you already have Exchange, you don't have to do anything about this. It is
added as part of the user. Otherwise, you need to actually extend the schema and there is
documentation in TechNet and instructions on how to do that. The other thing I need to do
is...because we don't have an Active Directory forest trust, the actual authentication is different.
And so I need to allow Anonymous authentication in the RMS licensing pipeline. This is only
required if I don't have an Active Directory forest trust. So in order to do that, I actually have to
go into Internet Information Server, or IIS, I have to go into the actual web site that belongs to
RMS, onto licensing, I'm going to Switch to Content View there. The next thing I need to do is
right-click on license and Switch to Features View, and then under Authentication, I need to
right-click on that. So we will just double click on it and we need to right-click on Anonymous
Authentication and Enable that, okay. So those are some of the things you need to do if you
are configuring Trusted User Domains.

[The RMS console is open with the Trusted User Domain Information section in the view pane.
The instructor opens the TUD Reqs - Notepad file. The text file lists the following TUD
Requirements:
Name resolution
Network access
Exchange of .bin files
Exchange attribute (need to extend schema if you don't have Exchange)
Anonymous authentication for licensing pipeline
Next the instructor navigates to IIS and, in the navigation pane of the IIS window, right-clicks
the licensing Web site; a shortcut menu is displayed. The instructor selects the Switch to
Content View option and the view pane lists a number of ASMX files. The instructor then
right-clicks the license.asmx file and a shortcut menu is displayed. The instructor selects the
Switch to Features View option. The view pane changes from a list of ASMX files to a list of
ASP.NET features. Next the instructor double-clicks the Authentication feature and four
authentication methods are listed: Anonymous Authentication, ASP.NET Impersonation, Forms
Authentication, and Windows Authentication. The instructor right-clicks the Anonymous
Authentication option and a shortcut menu is displayed. The instructor selects the Enable option
and the status for Anonymous Authentication changes from Disabled to Enabled. Next the
instructor navigates back to the TUD Reqs - Notepad file.]

Now let's contrast this with a Trusted Publishing Domain. So I want to come back in here, I can
select Trusted Publishing Domain. Now a Trusted Publishing Domain is often considered less
secure but more friendly. For instance, you don't need to connect to the partner's RMS cluster
when you consume protected content. That is because when you create a Trusted Publishing
Domain, or TPD, you actually exchange each server's private keys in addition to the server
certificates. This way your RMS cluster can issue Use Licenses for content that was originally
protected by a different RMS server. The problem is the sharing of these private keys can be a
security risk. And so, because of that, a Trusted Publishing Domain is often configured just
between forests that belong to the same organization or perhaps when you are
decommissioning another RMS cluster. Now one of the things I should point out is both Trusted
Publishing Domains and Trusted User Domains might have some additional requirements
depending on your organization. One of the things that makes this simpler is if you are using
Active Directory forest trusts. But of course, that is not always an option.

[The TUD Reqs - Notepad file is open. The instructor navigates to RMS console and selects
Trusted Publishing Domain in the navigation pane. The view pane includes the section of
Trusted Publishing Domain Information having RMS domain listed.]
Windows Server 2012 R2 AD FS Overview
Learning Objective
After completing this topic, you should be able to
◾ describe how AD FS works

1. Identity federation
One of the challenges facing IT admins today is providing secure access for applications and
users who are not necessarily behind the same physical network borders; maybe you are one
of them. Are you under pressure to provide users access to web-based applications, but from
any device and from anywhere? Maybe you are under pressure to provide a Single Sign-On
experience for these web applications or for applications in the cloud. Maybe you have got
business partners or customers that need access to your SharePoint site or maybe you have
got users who need access to someone else's SharePoint site or someone else's application in
the cloud. And you could consider, maybe, a traditional forest trust but you might be concerned
about making your firewall more porous and look like Swiss cheese. Well these are some of
the concerns, among some others, that have given rise to many identity framework
solutions.

Now Microsoft's solution is called AD FS or Active Directory Federation Services and it is in
Windows Server 2012 R2. It is an identity and authentication framework, which means it
supports basically extending your Active Directory Services beyond your local network,
providing an identity solution for applications in the cloud or between business partners or to
support those Bring Your Own Device scenarios that we hear so much about. Now AD FS is
becoming more and more important as a result of these pressures. So you want to pay careful
attention to what we are talking about in this next lesson. It is good stuff here.

To illustrate how Federation service works, imagine a scenario where you have a web site with
content that you need to share with a business partner. Well if you are in that situation, you
have several decisions that you need to make, for example, how are you going to authenticate
your business partner's users? Now you might do what many have done before and that is to
create a separate database of user account information that you maintain. And maybe they
help you build this information but the problem will become synchronizing the information. For
example, what happens if a user account in another location is terminated or changes roles?
Well it is unlikely that they are going to inform you and so your database will go stale and it will
continue to grant access to this unauthorized individual.

Now AD Federation Services can address some of these concerns because it provides an
identity framework that can be used over the Internet. In the scenario that I just described,
rather than maintaining multiple user accounts and multiple user databases for your
applications, Federation Services could be used to create a trust relationship between these
organizations. This would allow the resource partner to safely rely on the account partner's
user store, and the account partner's user store will be able to present identity information in
the form of what are called claims. And they could do this securely using standard web
protocols like HTTPS and SAML, which stands for Security Assertion Markup Language. So we
are not having to adjust our firewall dramatically, but we are able to provide a secure
relationship and authenticate those users in that account partner's domain.

It is the job of AD FS to process claims and issue claims for those users who are trying to
access a claims-based application. Now claims are useful ways of describing a user because
they are not limited to merely group membership. Now group membership can still be used, of
course, but what if you want to grant access to your web application based on the user's age
or maybe you want to grant access based on their location or their e-mail address or some
other attribute in Active Directory? So how does this work? Well what Federation Services
does is, it can be configured to process authentication requests from a user, then transform
those requests into a digitally signed token. Now inside this token, AD FS has inserted the
user's claims, which were derived from Active Directory in the account store.

Now there might be some additional rules and processing that takes place, but the net result is
the user's browser has a digitally signed token. And inside of it are all of its necessary claims
that it then presents to a web application. Now the web application is configured to trust the
Federation server, and because the user's claims were digitally signed by that Federation
server, well then the web server is going to process them. Now this is great because there is a
great diversity of claim types. And the use of SAML tokens and some of the standard web
protocols are some of the key strengths of AD Federation Services.

2. AD FS components
So let's have a look now at Federation Services and some of the components. Now, of course,
we have our Federation servers running Windows Server 2012 R2 and we have met the
necessary prerequisites. Meaning, it is a member of the domain. We have installed the Secure
Socket Layer, or SSL, certificate and we have DNS records in place for discoverability. Now
this Federation server has several configuration areas, for instance, we might want to
configure the claims rules. Claims rules control which claims are going to be presented to the
application. And what is great about Federation Services and the claims rules is we are in
control. So unlike a Kerberos ticket, which basically takes all of the groups that the users are
members of and puts that in a ticket, well we can control whether or not we want to present
group information or other types of information depending, of course, on what that application
actually needs.

Now where do we get the information that is going to be part of our claims? Well that is
where the claim providers and the attribute store come in. Now by default we have Active
Directory, our primary identity, our authenticator, and primary attribute store. We can also use a
SQL database for additional attribute information, and we can use a partner organization as
the claims provider. And as its name implies, a claims provider might be needed to consume
tokens from another identity partner, so you can create these claims providers. Now another
important concept I want to highlight to you is the relying party and relying party trusts. That is
just another name for the actual claims-aware applications. Those are the parts in our network
that are able to consume these claims.

So we generate them from information in Active Directory, in our attribute stores, maybe in an
additional claims provider. We generate the claims with this information, and we can present
them to these relying party trusts. Now in order to do this in a trusted, secure manner, there are
some certificates that are going to be in place, some digitally signed certificates and
authentication certificates to establish trust. And then there are endpoints that we communicate
through. And these are URLs, basically, that we use to retrieve metadata from our Federation
server or access the application or access Federation Services. Now the last thing I want to
mention is the Federation Server Proxy, or Web Application Proxy as it is now called in R2. In
some cases, you might need to configure a Federation server that is forward and out in your
demilitarized zone, or DMZ. We will talk about that next.

[The Federation Services components include Federation server, Federation Server Proxy,
Claim rules, Claim providers, Claim provider trusts, Attribute store, Relying parties, Relying
party trusts, Certificates, and Endpoints.]
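The point made above about claims rules, that the federation server releases only the claims the application needs rather than every group a Kerberos ticket would carry, is easiest to see in the AD FS claim rule language itself. The following is an added example and is not code from the course: it assumes an existing relying party trust named Claimsapp (the claims-based application in the lesson's diagram), the default Active Directory attribute store, a Finance group in the domain (resolved to its SID with the ActiveDirectory module), and the standard claim type URIs that AD FS ships with.

```powershell
# Added example (not from the course): claim rules for the Claimsapp relying party,
# written in the AD FS claim rule language and applied with the ADFS module.
# Assumptions: relying party trust 'Claimsapp' exists; Finance is an AD group;
# the script runs on the federation server with the ADFS and ActiveDirectory modules.

Import-Module ADFS
Import-Module ActiveDirectory

$rpName     = 'Claimsapp'                                   # assumption: existing RP trust
$financeSid = (Get-ADGroup -Identity 'Finance').SID.Value   # group from the RMS demos

# Standard claim type URIs used by AD FS.
$accountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$groupSid    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$email       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$role        = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$permit      = 'http://schemas.microsoft.com/authorization/claims/permit'

# Issuance transform rules decide what goes into the signed token. Only the e-mail
# address (queried from the AD attribute store) and one role derived from the Finance
# group are released; the user's full list of group SIDs never reaches the application.
$transformRules = @"
@RuleName = "Issue e-mail address from the Active Directory attribute store"
c:[Type == "$accountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email"), query = ";mail;{0}", param = c.Value);

@RuleName = "Map the Finance group to a role claim"
c:[Type == "$groupSid", Value == "$financeSid"]
 => issue(Type = "$role", Value = "Finance");
"@

# Issuance authorization rules run before the transform rules, so they must test a
# claim that arrives from the claims provider (the group SID), not the role claim
# produced above. Users who match no permit rule are denied a token for this application.
$authRules = @"
@RuleName = "Permit Finance members only"
c:[Type == "$groupSid", Value == "$financeSid"]
 => issue(Type = "$permit", Value = "true");
"@

function Set-ClaimsappClaimRules {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authRules
    # Read the rules back so the change can be reviewed in the same session.
    Get-AdfsRelyingPartyTrust -Name $rpName |
        Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules
}

Set-ClaimsappClaimRules
```

The ordering comment matters in practice: a permit rule written against the role claim would never match, because authorization is evaluated on the claims as they come out of the claims provider trust, and the application would silently deny everyone.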

Now another important role that you could add to your Federation service environment is the
Web Application Proxy. Now Web Application Proxy replaces your Federation Server Proxy,
but it is a remote access role. And just like the diagram displays it here, the Web Application
Proxy sits in front of your firewalls in that neutral zone – that screened network called the DMZ
typically, and it intercepts incoming communications from external Internet clients. It does that and
the reason why this is useful is it provides additional defense in depth. So the Web Application
Proxy has a reverse proxy feature allowing us to publish internal applications to our Web
Application Proxy, protecting those claims-based applications. It protects them from direct
access from unauthorized users. So the Web Application Proxy becomes an important part of
our topology when we are using Federation Services and we are having external users from
the Internet connect to our claims-based applications.

The other nice thing about the Web Application Proxy is it supports a lot of the new features in
2012 R2 in Federation Services. And this includes support for the Bring Your Own Device
scenarios like support for Apple devices and other types of non-Windows devices accessing
our application in an authenticated fashion. So the web application supports workplace join,
multifactor authentication, multifactor access control, and web Single Sign-On. All of those
features we appreciated about Federation Services. The Web Application Proxy can leverage
those and do that forest for Internet clients.
Installing AD FS on Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ recognize requirements and steps for deploying AD FS

1. Demo: Preparing for AD FS


Hi, let's dig in now and build up a federated environment. In order to do this though, it is
important to keep the big picture in mind because there are a lot of components, a lot of
wizards and clicking. So let's review for a moment where we are going to go and talk about the
different roles. So in my situation and what I'm going to demonstrate is I have got a client
accessing the sample application and, of course, this application is going to want to know who
that user is. And that user is going to be required to present a claim, so we can authorize the
user before granting access to the application. What is going to happen is, we are going to
configure our claims-based application to say, "Hey, you need to be authorized first. Present
me a claim." And so the client is going to be redirected to a Federation server. So we are going
to configure the application so the client gets redirected to the Federation server.

[The ad FS diagram.vsdx is open in Microsoft Visio Professional and includes two diagrams as
follows: RESOURCE PARTNER and ACCOUNT PARTNER. The ribbon of Microsoft Visio
Professional contains the following menus: FILE, HOME, INSERT, DESIGN, DATA, PROCESS,
REVIEW, and VIEW. The FILE menu is open. The RESOURCE PARTNER diagram includes a
Web server Claims-based App, an ADFS, and an ENT-DC1 Domain Controller DNS Server
Certificate Services connected to the Corpnet. The ACCOUNT PARTNER includes an ADFS
connected to a UG_DC1 Domain Controller DNS Server Certificate Services. The RESOURCE
PARTNER and the ACCOUNT PARTNER are connected to the Internet.]

Now this Federation server is going to be part of the RESOURCE PARTNER or part of the
organization that is serving the application. So these two are going to need to be made aware
of each other and trust each other. Moreover, this Federation server, by default, is going to use
its, kind of, Active Directory environment as the default account provider. So it can authorize
the user and retrieve attributes and other types of information from the Active Directory, which is
the identity store, and create a claim that is needed for that web application depending, of course,
on the web application's requirements. However, we can extend this topology to not only
include a single identity provider here, but we can have an external business partner as the
identity provider, assuming, of course, this client does not belong to this HQ domain but
instead belongs to this UNITOGAMES domain. In order for this to work, we need to extend our
federated environment to include a trust to the other Federation server...to the account partner.
So it can be responsible for actually providing the claim information that the client can then turn
around and present to the Web Server.

[The ad FS diagram.vsdx is open in Microsoft Visio Professional and includes two diagrams as
follows: RESOURCE PARTNER and ACCOUNT PARTNER.]
So we are going to, kind of, walk through many of the steps required to make the different
components aware of each other, trust each other. This relies on exchanging of certificates and
the like. So these are the general steps that we are going to follow. So let's actually start on the
Federation server in the HQ easynomadtravel domain as you can see here. One of the things
we want to do is before we can install and configure Federation Services, we need to make
sure that we have designed it well, we have configured our environment to meet the
prerequisites. So some important prerequisites for a federation environment are going to be that it
needs to be a member of a domain and it needs to be, of course, patched up. Another
important requirement is, if you want to, make sure name resolution is working. So in my
example, we have got a claims-based application entry here in DNS, the Federation server,
and the Federation service has an entry in here. And then for my partner organization, if I
wanted to extend it, well I need to also have a name resolution path to the other domain and
vice versa. So they also would need a path here; I'm doing that using what are called
conditional forwarders. So you can see here, here is the actual partner organization domain
and I'm pointing to its DNS server and I have created an additional conditional forwarder on
their server pointing back.

[The ad FS diagram.vsdx is open in Microsoft Visio Professional and includes two diagrams as
follows: RESOURCE PARTNER and ACCOUNT PARTNER. The instructor minimizes the
window. Next the instructor opens the ENT_ADFSI on HV96 – Virtual Machine Connection
window and enters the password in the Password field. As a result, the ENT_ADFSI on HV96 –
Virtual Machine Connection is displayed, which includes two files as follows: Certificate
Notes.ps1 and setup adfs.ps1. The setup adfs.ps1 is partially displayed and contains the
following code:

#REVIEW\DESIGN AD FS SCENARIO
#CONFIGURE\VALIDATE PREREQUISITES:

#1 AD FS servers joined to the domain & all patched up
#2 Configure DNS - records? Forwarding?

#3 Create a service account
invoke-command ent-dc1 -scriptblock {Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)}
invoke-command ent-dc1 -scriptblock {New-ADServiceAccount ADFSgmsa -DNSHostName ent-adfs1.hq.ent.ad -ServicePrincipalNames http/…

#4 obtain a (trusted) SSL Certificate - called server communication…
#Install the certificate on the default website

#5 Install ADFS role
install-windowsfeature ADFS-Federation -IncludeAllSubFeature -I…

Next the instructor opens the ENT-ADFS1 on hv96.EARTHFARM.LAB window. The navigation
pane of the DNS window contains the following nodes under ent-dc1: Forward Lookup Zones,
Reverse Lookup Zones, Trust Points, Conditional Forwarders, and Global Logs. The Conditional
Forwarders node contains the ug.unitogames.com subnode. The partially displayed view pane
of the window contains the following entries:

Name                      Type                     Data
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
(same as parent folder)   Start of Authority (…    [39], ent-dc1.hq.ent.a…
(same as parent folder)   Name Server (NS)         Ent-dc1.hq.ent.ad.
(same as parent folder)   Host (A)                 10.0.10.1
Adfs                      Alias (CNAME)            Ent-adfs1.hq.ent.ad.
ENT-ADFS1                 Host (A)                 10.0.10.5
ENT-APP1                  Host (A)                 10.0.10.3
ENT-Client1               Host (A)                 10.0.10.102
ENT-Client2               Host (A)                 10.0.10.104
ent-dc1                   Host (A)                 10.0.10.1
ENT-EDGE1                 Host (A)                 10.0.10.2
ENT-RMS1                  Host (A)                 10.0.10.101
ENT-SQL1                  Host (A)                 10.0.10.103
Claimsapp                 Alias (CNAME)            ENT-APP1.hq.ent.ad

Next the instructor clicks the ug.unitogames.com subnode and the following IP address is
displayed in the view pane: 10.0.10.253. The instructor minimizes the window and navigates
back to the ENT-ADFS1 on hv96.EARTHFARM.LAB.]

Next thing I need to do is create the appropriate service accounts. The service account is going to
be used by Federation Services and so what I'm going to do is use a group-managed service
account. And that means using the KdsRootKey command and actually creating the service
account. You can see here, this is an example using PowerShell to generate the account and
register its service principal name. You can also do this in the wizard but it is going to be
important to have a dedicated account for Federation Services. Moving on, now to the next
requirement and that has to do with certificates. The next thing I need to do is obtain and install
a Secure Socket Layer, or SSL, certificate, and this is required before I actually run the
Configuration Wizard. Now let me make a couple of comments about certificates before I go
much further. Active Directory Federation Services, or AD FS, relies heavily on certificates and
there are three types of certificates that it uses. It uses Token Signing and Token Decrypting
certificates, and these are typically self-signed and auto-generated and managed by
Federation Services.

[The setup adfs.ps1 is open in Windows PowerShell ISE and the following code is displayed:

#REVIEW\DESIGN AD FS SCENARIO
#CONFIGURE\VALIDATE PREREQUISITES:

#1 AD FS servers joined to the domain & all patched up
#2 Configure DNS - records? Forwarding?

#3 Create a service account
invoke-command ent-dc1 -scriptblock {Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)}
invoke-command ent-dc1 -scriptblock {New-ADServiceAccount ADFSgmsa -DNSHostName ent-adfs1.hq.ent.ad -ServicePrincipalNames http/…

#4 obtain a (trusted) SSL Certificate - called server communication…
#Install the certificate on the default website

#5 Install ADFS role
install-windowsfeature ADFS-Federation -IncludeAllSubFeature -I…

Next the instructor opens the Certificate Notes.ps1 and the following note is displayed:

# A note about Certificates: http://technet.microsoft.com/en-u
# ADFS uses THREE TYPES of certificates

#1/2 TOKEN SIGNING\TOKEN DECRYPTING - self-signed, auto generated

#3 SERVER (SSL) COMMUNICATIONS - issued by trusted CA
#(SAN for Workplace Join)
#(Needs to be trusted by partners)

#Subject Names and Subject Alternative Names:

#CN:adfs.hq.ent.ad
#DNS:adfs.hq.ent.ad
#DNS: enterpriseregistration.hq.ent.ad
]
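The prerequisite script shown on screen is truncated, so here is a complete, runnable version of the same five steps as an added example; it is not the instructor's file and not part of the course. It assumes the names visible in the demo (DC ent-dc1, gMSA ADFSgmsa, host ent-adfs1.hq.ent.ad, federation service name adfs.hq.ent.ad from the certificate notes), a NetBIOS domain name of HQ, that the server-communication certificate for adfs.hq.ent.ad is already installed in the machine store, and that it runs on the federation server as a domain admin with the ActiveDirectory module available.

```powershell
# Added example (not from the course): the prerequisite steps from setup adfs.ps1,
# completed and made idempotent. Assumptions: ent-dc1, ADFSgmsa, ent-adfs1.hq.ent.ad,
# adfs.hq.ent.ad, NetBIOS domain HQ; SSL certificate already in LocalMachine\My.

Import-Module ActiveDirectory

$dc           = 'ent-dc1'
$gmsa         = 'ADFSgmsa'
$fsName       = 'adfs.hq.ent.ad'
$hostName     = 'ent-adfs1.hq.ent.ad'
$netbios      = 'HQ'                          # assumption
$adfsComputer = "$env:COMPUTERNAME`$"         # this server's computer account

function New-AdfsGmsa {
    # Step 3. A gMSA needs a KDS root key in the forest. Backdating -EffectiveTime by
    # 10 hours skips the normal replication wait; that is a single-DC lab shortcut only.
    # Only this AD FS server is allowed to retrieve the managed password.
    Invoke-Command -ComputerName $dc -ArgumentList $gmsa, $hostName, $fsName, $adfsComputer -ScriptBlock {
        param($gmsa, $hostName, $fsName, $adfsComputer)
        if (-not (Get-KdsRootKey)) {
            Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
        }
        if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsa'")) {
            New-ADServiceAccount -Name $gmsa -DNSHostName $hostName `
                -ServicePrincipalNames "http/$fsName" `
                -PrincipalsAllowedToRetrieveManagedPassword $adfsComputer
        }
        Get-ADServiceAccount -Identity $gmsa -Properties ServicePrincipalNames |
            Select-Object Name, DNSHostName, ServicePrincipalNames
    }
}

function Get-AdfsSslCertificate {
    # Step 4. The server-communication certificate must have a private key, cover the
    # federation service name in its SANs, and chain to a root that clients and partners trust.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $fsName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $fsName with a private key in LocalMachine\My" }
    if (-not $cert.Verify()) { throw "Certificate $($cert.Thumbprint) does not chain to a trusted root" }
    $cert
}

function Install-AdfsLabFarm {
    # Step 5. Install the role, then create the farm bound to the gMSA and the certificate.
    Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null
    $cert = Get-AdfsSslCertificate
    Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
        -FederationServiceName $fsName `
        -GroupServiceAccountIdentifier "$netbios\$gmsa`$"
}

New-AdfsGmsa
Install-AdfsLabFarm
```

Get-AdfsSslCertificate is the check worth keeping even if the rest is done in the wizard: a certificate that does not chain on the federation server itself will not chain for the partner either, and that failure only surfaces later as an opaque sign-in error.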

The certificate that I need before I actually configure Federation Services though is the service
or SSL communication certificate. Now a really important point here is that it is a certificate that is
trusted by a certificate authority, or CA, and that is because typically we are accessing
Federation Services from the Internet. So clients and partner organizations need to be able to
readily trust this certificate. This is why it is recommended to use a third-party certificate
authority that is well known and well trusted for this particular certificate. Now if you are using
an Internal Certificate server to issue this certificate, again it has to be trusted. So you might
have to take some additional actions to make sure that it is trusted. So for example, that is
what I'm doing in my lab here. I have an Internal Certificate server that is going to issue the
certificate, and I have a partner organization that is also issuing a certificate. And we need to
mutually trust each other's certificate servers.

[The Certificate Notes.ps1 is open in Windows PowerShell ISE and the following note is
displayed:

# A note about Certificates: http://technet.microsoft.com/en-u
# ADFS uses THREE TYPES of certificates

#1/2 TOKEN SIGNING\TOKEN DECRYPTING - self-signed, auto generated

#3 SERVER (SSL) COMMUNICATIONS - issued by trusted CA
#(SAN for Workplace Join)
#(Needs to be trusted by partners)

#Subject Names and Subject Alternative Names:

#CN:adfs.hq.ent.ad
#DNS:adfs.hq.ent.ad
#DNS: enterpriseregistration.hq.ent.ad
]

So here is our real quick way to do that.


So let me open up Certificate Manager and we will go here and open up Group Policy
Management, and we will Edit the Default Domain Policy. So it is convenient. And what I'm
going to do is I'm going to basically distribute the Certificate server...the trusted certificate
authority certificate in my network for that other organization, so that the clients will trust it. And
we will go to Public Key Policies and then Trusted Root Certificate Authorities. Now there is
one certificate in here already been distributed for my own internal certificate authority and I
can just as easily add another, and here is the certificate authority for my partner organization.
And so that, when we go and interact with each other and I access resources in their federated
environment, this certificate will go a long way in trusting me...any certificate issued from this
root certificate authority. So click yes to this, there we go. And so the next thing we will do is we
will do a quick gpupdate, add a little /force. Now to verify that I received that certificate
and I am now trusted, I'm going to go to Internet options, go to Content, go to Certificates,
click on Trusted Root Certification Authorities, and it should be in this list. There it is.

[The Certificate Notes.ps1 is open in Windows PowerShell ISE and the following code is displayed:

# A note about Certificates: http://technet.microsoft.com/en-u
# ADFS uses THREE TYPES of certificates

#1/2 TOKEN SIGNING\TOKEN DECRYPTING – self-signed, auto generated

#3 SERVER (SSL) COMMUNICATIONS – issued by trusted CA
#(SAN for Workplace Join)
#(Needs to be trusted by partners)

#Subject Names and Subject Alternative Names:

#CN:adfs.hq.ent.ad
#DNS:adfs/hq.ent.ad
#DNS: enterpriseregistration.hq.ent.ad

#Don't forget CRLs!
#Optionally, you may need a cert for your Web apps

The instructor opens the Server Manager window. The partially displayed
window includes four options as follows: Manage, Tools, View, and Help. The instructor clicks
the Tools option and selects Group Policy Management from the drop-down list. As a result,
the Group Policy Management window is displayed. The Navigation pane includes two nodes
as follows: hq.ent.ad and Sites. The hq.ent.ad node is expanded and contains the following
subnodes: Default Domain Policy, Domain Controllers, Group Policy Objects, WMI Filters, and
Starter GPOs. The instructor right-clicks the Default Domain Policy and selects the Edit option
from the shortcut menu. As a result, the Group Policy Management Editor window is displayed.
The navigation pane includes Policies and Preferences node under Computer Configuration.
The Policies node includes the following subnodes: Software Settings, Windows Settings, and
Administrative Template. The instructor expands the Windows Settings subnode and selects
Security Settings, Public Key Policies. Next the instructor selects Trusted Root
Certification Authorities. As a result, the following details are displayed in the partially displayed
view pane: Issued To RootCA, Issued By RootCA. Next the instructor right-clicks the Trusted
Root Certification Authorities and selects Import from the shortcut menu. As a result, the
Certificate Import Wizard is displayed and the instructor clicks Next. The File to Import page of
the wizard is displayed. The instructor then clicks the Browse button. As a result, the Open
dialog box is displayed. The dialog box contains a folder – Software for ADFS Demo and two
certificates as follows: ent-rootca and ug-rootca. Next the instructor selects ug-rootca and
clicks the Open button and then clicks Next. As a result, the Certificate Store page of the
wizard is displayed; the instructor clicks Next. The Completing the Certificate Import Wizard
page is displayed; the instructor clicks the Finish button to complete the wizard. The Certificate
Import Wizard message box is displayed, the instructor clicks OK to close the message box
and navigates to the Windows PowerShell and executes the gpupdate /force command. The
‘Updating policy…’ message is displayed. Next the instructor opens the Internet Explorer,
clicks the Tools button, and selects Internet options from the drop-down list. As a result, the
Internet Options dialog box is displayed. The dialog box contains seven tabs as follows:
General, security, Privacy, Content, Connections, Programs, and Advanced. The General tab
is already selected; the instructor clicks the Content tab. As a result, the Content tabbed page
is displayed. The page contains three sections as follows: Certificates, AutoComplete, and
Feeds and Web Slices. The Certificates section includes three buttons as follows: Clear SSL
state, Certificates, and Publishers. The instructor clicks the Certificates button and the
Certificates dialog box is displayed. The dialog box includes six tabs as follows: Personal,
Other People, Intermediate Certification Authorities, Trusted Root Certification Authorities,
Trusted Publishers, and Untrusted Publishers. The Personal folder is already selected. The
instructor clicks the Trusted Root Certification Authorities tab. As a result, the Trusted Root
Certification Authorities tabbed page is displayed. The page contains a list of certificates. The
instructor clicks Close to close the page.]

Now since I'm in the Internet Explorer, the next thing I want to show you is in a lab environment
you might find it convenient to turn off certificate revocation checking. And this brings up
another important point. Not only do I have to be concerned with making sure their certificate is
trusted, but also that my clients and the partner organization can validate that the certificate has not
been revoked. So you might recall from our lesson in certificates that there is this thing called the
certificate revocation list, or CRL, and that needs to be accessible. For ease of demonstration,
I'm going to actually tell Internet Explorer not to bother to check for certificate revocation.
Obviously, that is not a recommended security practice. All right, now the next thing I need to
do is request the SSL certificate. Now that my clients and my partner organization have trust in
the issuer, I need to request a certificate for my Federation server. And keep in mind that when
you do, if you are going to be using workplace join, you need to make sure that you configure
the Subject Alternate Names. And with those Subject Alternate Names, you need a name and
they are called enterpriseregistration.

[The Content tabbed page of the Internet Options dialog box is open. The instructor clicks the
Advanced tab. As a result, the Advanced tabbed page is displayed. The page contains
sections as follows: Accelerated graphics, Accessibility, Browsing, HTTP Settings,
International, Multimedia, and Security in Settings. Next the instructor unchecks the Check for
server certificate revocation checkbox under Security and clicks OK and navigates back to the
setup adfs.ps1, which displays the following code:

# A note about Certificates: http://technet.microsoft.com/en-u
# ADFS uses THREE TYPES of certificates

#1/2 TOKEN SIGNING\TOKEN DECRYPTING – self-signed, auto generated

#3 SERVER (SSL) COMMUNICATIONS – issued by trusted CA
#(SAN for Workplace Join)
#(Needs to be trusted by partners)

#Subject Names and Subject Alternative Names:

#CN:adfs.hq.ent.ad
#DNS:adfs/hq.ent.ad
#DNS: enterpriseregistration.hq.ent.ad

#Don't forget CRLs!
#Optionally, you may need a cert for your Web apps]
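The two points the instructor makes here (the partner's root CA must be trusted, and the CRL must be reachable) can be checked from PowerShell instead of being switched off in the browser. The script below is an added example for this course section, not one of the instructor's demo files: it imports the partner root certificate into the machine Trusted Root store (the instructor does the equivalent through Group Policy) and then builds a certificate chain with online revocation checking, so an unreachable CRL shows up as a named error. The two .cer file paths and the file name partner-adfs.cer are assumptions; ug-rootca is the partner root shown in the demo.

```powershell
# Added example, not part of the course files. Imports a partner root CA certificate
# into the machine Trusted Root store (what the instructor does via Group Policy),
# then validates a certificate issued by that CA with ONLINE revocation checking so
# that an unreachable CRL shows up as an error instead of being silently ignored.
# Assumptions (placeholders): the two .cer paths below.

$partnerRoot = 'C:\Software for ADFS Demo\ug-rootca.cer'      # partner root CA cert from the demo folder
$partnerLeaf = 'C:\Software for ADFS Demo\partner-adfs.cer'   # assumed: a cert issued by that CA

# 1. Import the root into LocalMachine\Root (requires an elevated session).
#    Via GPO this is Computer Configuration > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities, as in the demo.
$imported = Import-Certificate -FilePath $partnerRoot -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Confirm it is really in the store by thumbprint, not just by display name.
$inStore = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $inStore) { throw "Root $($imported.Subject) is not in LocalMachine\Root" }
"Trusted root present: $($inStore.Subject) [$($inStore.Thumbprint)]"

# 3. Build the chain for a certificate issued by the partner CA with revocation checking
#    turned ON. X509Chain reports each problem (untrusted root, revoked, CRL offline)
#    in ChainStatus, which is the diagnostic you want before going live with a partner.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $partnerLeaf
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$valid = $chain.Build($leaf)
"Chain valid: $valid"
foreach ($status in $chain.ChainStatus) {
    # Typical values: UntrustedRoot (step 1 missing), RevocationStatusUnknown /
    # OfflineRevocation (CRL not reachable), Revoked (certificate revoked).
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# 4. Show which CRL distribution points the leaf advertises, so you can test that the
#    partner's CRL URL is reachable from your clients and from the federation server.
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if ($cdp) { "CRL distribution points:`n" + $cdp.Format($true) }
```

Run it once on a client and once on the federation server: the chain must build on both, because the federation server validates the partner's token-signing certificate and the clients validate the SSL certificate.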

So what I'm going to do is use the Certificates snap in here. I'm going to request an SSL
certificate for this Federation server from my enterprise certificate authority. And when I do, I
need to make sure that I configure it. I'm following those recommendations here in terms of the
Subject Names and Subject Alternate Names. So I'm going to choose Common name and
then I need to include a couple of DNS names here, there we go adfs.hq.ent.ad,
enterprisedeviceregistration.hq.ent.ad. And assuming I have got
permission, the certificate should be passed to my Certificate server, my request should be
granted, and it should install the SSL certificate. So it is available when I run the Federation
Service Wizard. All right, so assuming I have met the requirements, the next step is to actually
install Federation Services, which is really easy to do. I can run this install-
windowsfeature command and then what we will do is we will walk through the
Configuration Wizard.

[The setup adfs.ps1 is open in Windows PowerShell ISE. The instructor opens the Console 1
window. The partially displayed navigation pane contains the following subnodes under
Certificates (Local Computer): Personal, Trusted Root Certification A…, Enterprise Trust,
Intermediate Certification A…, Untrusted certificates, Third_party Root Certificate, Trusted
People, Client Authentication Issuer…, Remote Desktop, Certificate Enrollment Requ…, Smart
Card Trusted Roots, and Trusted Devices. The Personal subnode is expanded and contains
Certificate folder. The instructor right-clicks the Certificate and selects All Tasks, Request New
Certificate from the shortcut menu. As a result, the Certificate Enrollment wizard is displayed;
the instructor clicks Next. The Select Certificate Enrollment Policy page is displayed; the
instructor clicks Next. As a result, the Request Certificates page of the wizard is displayed. The
page includes the following three checkboxes under Active Directory Enrollment Policy:
Computer, Computer Authentication, and Web. Next the instructor checks the Web checkbox. As a
result, the Certificate Properties dialog box is displayed. The page contains seven tabs as
follows: Subject, General, Extensions, Private key, Certification Authority, and Signature. The
Subject tab is already selected. The Subject tabbed page includes two sections as follows:
Subject Name and Alternative name. Both sections contain a Type drop-down list and a
Value field. Next the instructor selects Full DN in the Type drop-down list box and enters
adfs.hq.ent.ad in the Value field under the Subject name section and clicks the Add. The
instructor then selects DNS in the Type drop-down list box and enters
enterprisedeviceregistration.hw.ent.ad under the Alternative name section and clicks Add and
then OK. Next the instructor clicks the Enroll button in the Request Certificates page of the
Certificate Enrollment wizard. After a while, the Certificate Installation Results page of the
wizard is displayed. The instructor clicks Finish to complete the wizard and then navigates
back to the setup adfs.ps1 page.]
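Before running the configuration wizard it is worth confirming that the certificate that just landed in the Personal store actually carries the names from the instructor's notes. The check below is an added example, not part of the course: it finds certificates for the federation service name in LocalMachine\My, parses the Subject Alternative Name extension, verifies the Server Authentication EKU and the private key, and prints the thumbprint you would hand to the wizard or to Install-AdfsFarm. The expected names (adfs.hq.ent.ad and enterpriseregistration.hq.ent.ad) are the ones from the Certificate Notes; note that the name typed during the demo enrollment was enterprisedeviceregistration, which this check would report as a missing SAN.

```powershell
# Added example, not from the course: verify the enrolled SSL certificate meets the
# AD FS requirements before running the configuration wizard.
# Expected names come from the instructor's Certificate Notes: CN adfs.hq.ent.ad and a
# DNS SAN enterpriseregistration.hq.ent.ad (required for Workplace Join).

$serviceName  = 'adfs.hq.ent.ad'
$requiredSans = @($serviceName, 'enterpriseregistration.hq.ent.ad')

# Candidate certificates in the machine Personal store that carry the service name
# and have a private key (a cert without its key cannot be used for SSL).
$candidates = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match [regex]::Escape($serviceName) -and $_.HasPrivateKey }

foreach ($cert in $candidates) {
    # Parse the SAN extension (OID 2.5.29.17) into a list of DNS names.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $missing = @($requiredSans | Where-Object { $sans -notcontains $_ })

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for an SSL binding.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($eku -and ($eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1'))

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint      # pass this to Install-AdfsFarm -CertificateThumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        SANs          = ($sans -join ', ')
        MissingSANs   = ($missing -join ', ')
        ServerAuthEKU = $hasServerAuth
        Ready         = ($missing.Count -eq 0) -and $hasServerAuth -and ($cert.NotAfter -gt (Get-Date))
    }
}
```

A certificate that reports Ready = False here will either be refused by the wizard's SSL certificate drop-down or, in the Workplace Join case, fail later with a name mismatch, so fixing the request now is cheaper than re-issuing after the farm is built.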

2. Demo: Installing and configuring AD FS


So let's walk through that Configuration Wizard now. I have installed Active Directory
Federation Services, so we will choose Configure the federation service on this server.
Now a couple of things it comes up and asks me about, and that is regarding the basic
requirements, making sure I have the correct privileges and that I'm doing this with an
administrator account and that I have a publicly trusted SSL server authentication
certificate...emphasis on publicly trusted. Now I'm using an internally-trusted Certificate server
for demonstration purposes. But as I mentioned a moment ago, typically you are going to use
a third-party certificate for that and more info on the prerequisites can be found there. Now
down here, which option am I going to select? Well this is the first Federation server in my
farm. So that is going to be the option, but unless I can add additional servers to my farm,
these are the credentials that I detected...that I'm running this wizard from. So we will leave it
as is. Now I need to select the certificate that I requested and had installed. So there it is –
Federation Service Name and what do I want to...what do I want the display name to be? So
let's call it Easy Nomad Travel, click Next to that.

[The Dashboard page in Server Manager is open. The instructor clicks the flag button that
includes 'Configure the federation service on this server' hyperlink. The instructor clicks the
hyperlink and Active Directory Federation Services Configuration Wizard is displayed. The
wizard displays the Welcome page. The Welcome page includes two points that need to be
followed before beginning configuration. The points are listed below. An Active Directory
domain administrator account. A publicly trusted certificate for SSL server authentication. The
page also includes two options: Create the first federation server in a federation server farm
and Add a federation server to a federation server farm. The option 'Create the first federation
server in a federation server farm' is selected. Then the instructor clicks the Next button and
Connect to Active Directory Domain Services page is displayed. The account
'HQ\administrator (Current user)' has been specified as an account having Active Directory
domain administrator permissions to perform federation service configuration. Then the
instructor clicks the Next button and Specify Service Properties page is displayed. The
instructor selects adfs.hq.ent.ad as the SSL Certificate. The Federation Service Name is
adfs.hq.ent.ad. Then the instructor adds 'Easy Nomad Travel' in the text field labeled as
'Federation Service Display Name.']

Now here is where I can actually define my service account. So in 2012...2012 R2 here, I can
actually have the Configuration Wizard generate the Managed Service Account. Now I have
done this ahead of time, so I already actually created the service account. So I can just simply
select the account here and I called it adfsgmsa, choose Check Names, there we go, found
it. Next question, and this is an important question to ask yourself and include in your design
and that is – where do you want to store the configuration information? Are you going to use a
Windows Internal Database, or WID, or a SQL Server database? A general rule of thumb
is...the Windows Internal Database is useful and convenient, but it is going to limit your
scalability and your growth.

So for single server type of installations, the WID is fine. But for those situations where you
need to have that, kind of, additional scalability we want to consider an external
database...SQL Server database. So we are going to go with the WID for demonstration
purposes. Here it gives me a summary of my options and really it is, kind of, a checklist in
regards to my design. Click Next to this and everything looks good here. There is a comment
here about the Managed Service Account being so new, and I need to consider waiting a
while before I do this, so it can replicate. But I addressed that already and I really only have
one domain controller in this environment. So we will click Configure, and this will take a
moment. And once it is done, let's look at managing AD FS.

[The Active Directory Federation Services Configuration Wizard having Specify Service
Properties page is open. The instructor clicks the Next button and Specify Service Account
page is displayed. The page includes two options 'Create a Group Managed Service Account'
and 'Use an existing domain user account or group Managed Service Account.' Next the
instructor selects 'Use an existing domain user account or group Managed Service Account'
and then selects the user HQ\ADFSgmsa$. Then the instructor clicks the Next button and
Specify Database page is displayed. The page includes two options: Create a database on this
server using Windows Internal Database and Specify the location of a SQL Server database.
The option 'Create a database on this server using Windows Internal Database' is selected.
Then the instructor clicks the Next button and the Review Options page is displayed. The page
includes a summary of the options that were selected in the previous pages. Then the
instructor clicks the Next button and the Pre-requisite Checks page is displayed. The page
includes the results and then the instructor clicks the Configure button to start the installation.
The installation progress of Windows Internal Database is displayed.]
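The wizard steps just shown (first server in a farm, existing gMSA, Windows Internal Database, pre-requisite checks, Configure) map one-to-one onto the Install-AdfsFarm cmdlet. The script below is an added example for this section and is not one of the instructor's files: it runs the same first-node configuration from PowerShell and then checks the result with Get-AdfsProperties, Get-AdfsCertificate and a download of the federation metadata document. It assumes the gMSA HQ\ADFSgmsa$ and the adfs.hq.ent.ad certificate created earlier in the course already exist on this server and that the Active Directory RSAT module is installed (it was needed to install the gMSA).

```powershell
# Added example, not from the course: the first-farm-node configuration the wizard
# performs, done with the AD FS cmdlets, followed by checks of the result.
# Assumptions: the gMSA HQ\ADFSgmsa$ and the certificate for adfs.hq.ent.ad already
# exist (both created earlier in the course); the RSAT Active Directory module is present.

Import-Module ADFS
Import-Module ActiveDirectory

$serviceName = 'adfs.hq.ent.ad'
$displayName = 'Easy Nomad Travel'
$gmsa        = 'HQ\ADFSgmsa$'

# Pre-flight 1: the gMSA must be retrievable on this host, or the service cannot start.
# This is the replication concern the wizard warns about for newly created accounts.
if (-not (Test-ADServiceAccount -Identity 'ADFSgmsa')) {
    throw "This server cannot retrieve the password for $gmsa; check the account's PrincipalsAllowedToRetrieveManagedPassword and replication"
}

# Pre-flight 2: pick the newest SSL certificate for the service name that has a private key.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match [regex]::Escape($serviceName) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No SSL certificate with private key for $serviceName in LocalMachine\My" }

# First federation server in a new farm. With no SQL parameters the farm uses the
# Windows Internal Database (WID), as chosen in the demo; for a farm that must scale
# beyond WID's limits supply -SQLConnectionString instead.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $serviceName `
                 -FederationServiceDisplayName $displayName `
                 -GroupServiceAccountIdentifier $gmsa `
                 -OverwriteConfiguration

# Post-install checks: service identity, the three certificate roles from the
# Certificate Notes (Service-Communications, Token-Signing, Token-Decrypting), and the
# metadata endpoint that partners and FedUtil will download.
Get-AdfsProperties | Select-Object HostName, DisplayName, Identifier
Get-AdfsCertificate | Select-Object CertificateType, Thumbprint, IsPrimary

$metadataUrl = "https://$serviceName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
"Metadata endpoint HTTP {0}, {1} bytes" -f $resp.StatusCode, $resp.RawContentLength
```

The metadata download is the real end-to-end test: it only succeeds if DNS resolves the service name, the SSL certificate is trusted by the requesting machine, and the AD FS service is running under the gMSA.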

3. Demo: Configuring claims provider

Now the next thing I need to do is configure my claims-based application, my web site to be
able to use Federation Services as the issuer of trusted secure tokens. Now to do this, I'm
going to go to my web server now. So I have moved to my web server, I'm going to launch Internet
Information Services (IIS) Manager, and the first thing I need to do is I need to add an SSL
certificate to my web site. And this is a different certificate than what we issued to the
Federation server obviously. I'm going to go and choose Edit Bindings here in IIS Manager,
and we are going to add https and choose the certificate for my claims-based application, click
OK to that. Now the next thing I need to do is actually configure my application to trust my
Federation server. I'm going to use a utility called FedUtil. So it is a part of the Windows
Identity Foundation and the Software Development Kit, or SDK. So open this app, there is the
FedUtil and this is going to help make existing applications claims-aware and again register my
application, so that there is a trust between my web application and my Federation server. And
I'm doing this on the web application side.

[The Server Manager window is open and the Dashboard page is displayed. The navigation
pane includes the following links: Dashboard, Local Server, All Servers, File and Storage
Services, and IIS. The Dashboard link is selected by default, which displays the 'WELCOME
TO SERVER MANAGER' section in the view pane. This section includes two buttons QUICK
START and WHAT'S NEW. The QUICK START button is selected by default, which contains
the following links: Configure this local server, Add roles and features, Add other servers to
manage and Create a server group. The instructor clicks the Tools menu and selects the
Internet Information Services (IIS) Manager option from the drop-down list. As a result, Internet
Information Services (IIS) Manager window is displayed. In Internet Information Services (IIS)
Manager window, the navigation pane displays the root node with Start Page and sub-node
ENT-APP1 (HQ\administrator). The instructor selects the ENT-APP1 (HQ\administrator) sub-
node, and as a result a message box is displayed with the following message: Do you want to
get started with Microsoft Web Platform to stay connected with latest Web Platform
Components? The instructor clicks Cancel to close the message box. The ENT-APP 1
(HQ\administrator) root node includes Application Pools and Sites containers in the navigation
pane. The view pane displays the ENT-APP1 Home page, which includes ASP.NET section.
This section includes the following links: .NET Authorization..., .NET Compilation, .NET Error
Pages, .NET Globalization, .NET Trust Levels, Application Settings, Connection Strings,
Machine Key, Pages and Controls, Providers, Session State, and SMTP E-mail. Next the
instructor selects the Sites container, which includes the Default Web Site link as a sub-node.
Next the instructor selects the Default Web Site link, which includes aspnet client and
claimsapp sub-nodes. The instructor right clicks on Default Web Site sub-node and selects the
Edit Bindings option. As a result Site Bindings dialog box is displayed. This dialog box includes
a table with following columns: Type, Host Name, Port, IP Address, and Binding Information.
The first row contains http as the Type and 80 as Port. The instructor clicks on the Add button
and as a result 'Add Site Binding' dialog box is displayed. This dialog box contains https as a
Type, All Unassigned as an IP address, and 443 as a Port. The Host name input field is kept
blank. The instructor selects the claimsapp.hq.ent.ad option from the SSL certificate drop-
down and clicks OK. Then the instructor navigates to the Site Bindings, which includes https as
a Type and 443 as a Port. The instructor clicks Close and navigates to the Internet Information
Services (IIS) Manager window. The instructor clicks on the Windows Explorer folder and as a
result the folder is open. The navigation pane displays the root node with the following nodes:
Favorites, This PC, and Network. This PC section node includes the following containers:
Desktop, Documents, Downloads, Music, Pictures, Videos, Local Disk (C:), and DVD Drive (D:)
IR. The instructor clicks on the Local Disk (C:) container, which displays a table in the view
pane. The table contains three columns such as Name, Date modified, and Type. This table
contains the following folders: Files, inetpub, PerfLogs, Program Files, Program Files (x86),
Tools, Users, and Windows. The instructor clicks on the Program Files (x86) folder, which
includes the following folders: Common Files, Internet Explorer, Microsoft.NET, MSBuild,
Reference Assemblies, Windows Identity Foundation SDK, Windows Mail, Windows NT, and
WindowsPowerShell. Next the instructor clicks on the Windows Identity Foundation SDK
folder, which contains v3.5 folder. The instructor clicks on the v3.5 folder, and selects the
FedUtil application. As a result, the FedUtil wizard is displayed with the following input fields:
Application configuration location and Application URI.]

So I need to indicate the application configuration file and that is in the inetpub folder in a
folder called claimapp. This is the file location for my claim application. So I have got
web.config listed there, that is the file I'm going to use. Here is the URL for my application, if it
was not listed here I could type this in. So claimsapp.hq.ent.ad and notice its https, that is why
I had to add that SSL certificate. I'm going to Use an existing STS. Now STS stands for
security token service. It is just another name for Active Directory Federation Services. So
what I need to do now is I need to point my application to my Federation server using this URL
path down here. And so I don't have to type all of that, I'm going to cheat and Paste it in...there
we go. And this is pointing to my Federation server there, click Next to that, in a moment, and
we just finished here with this application. So I'm not going to, for demonstration purposes,
perform chain validation nor am I going to do encryption. So we will just say no to those and
we will turn on the scheduled task, and so we will click Finish. And that will complete the
application side.

[The FedUtil wizard is displayed with two input fields Application configuration location and
Application URI. The instructor clicks on the Browse button and as a result C:\inetpub\claimapp
folder is displayed. The instructor selects the web.config file and clicks Open. As a result the
'Application configuration location' input field includes the folder path as
C:\inetpub\claimapp\web.config. Next the 'Application URI' input field contains the URL as
https://claimsapp.hq.ent.ad/. The instructor clicks Next, and as a result the following two
parameters are enabled: No STS and Use an existing STS. The instructor selects 'Use an
existing STS' parameter, which enables the ‘STS WS-Federation metadata document location’
input field. The instructor clicks the Untitled-Notepad window, which contains the file name as
hq.ent.ad/FederationMetadata/2007 - 06/FederationMetadata.xml. The instructor copies and pastes
the entire xml file name in the STS WS-Federation metadata document location input field. The
instructor clicks Next and as a result two options are displayed as follows: Disable certificate
chain validation and Enable certificate chain validation. The first option 'Disable certificate
chain validation' is selected by default. The instructor clicks Next and as a result two options
are displayed as follows: No encryption and Enable encryption. The first option 'No encryption'
is already selected. The instructor clicks Next, which displays a table with two columns and
multiple rows. The first column is named as Claim Name and second column is named as
Claim Type. The table contains the details of role and name claims. Then the instructor clicks
Next, which displays the following sections: Application Information, Security Token Service
selection, and Trust management. The instructor selects the option 'Schedule a task to perform
daily WS-Federation metadata updates' under the Trust management section and then clicks
Finish. As a result, Success message box is displayed with the following message: You have
successfully configured your application. The instructor clicks OK.]
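FedUtil's answers end up in the application's web.config, and two of the answers given in the demo (disable certificate chain validation, no encryption) are lab shortcuts. The script below is an added example, not produced by FedUtil or part of the course: it reads the WIF 3.5 settings from the web.config path used in the demo and flags those shortcuts alongside the issuer, realm, audience and trusted token-signing thumbprint the app now relies on. The element and attribute names of the microsoft.identityModel section are written from memory of the WIF 3.5 schema and should be treated as assumptions to compare against your own file.

```powershell
# Added example, not produced by FedUtil or the course. After FedUtil has written the
# application's web.config, this reads the WIF 3.5 settings and flags the two demo
# shortcuts (certificate chain validation disabled, no token encryption) that you
# would not keep in production. Element names below are assumed from the WIF 3.5
# <microsoft.identityModel> schema; compare with your own file. Path is from the demo.

$webConfig = 'C:\inetpub\claimapp\web.config'
[xml]$cfg = Get-Content -Path $webConfig -Raw
$svc = $cfg.configuration.'microsoft.identityModel'.service
if (-not $svc) { throw "No <microsoft.identityModel><service> section in $webConfig" }

$findings = @()

# Which STS the app redirects to, and which realm/audience it expects in tokens.
$wsfed = $svc.federatedAuthentication.wsFederation
"Issuer (STS): {0}" -f $wsfed.issuer
"Realm       : {0}" -f $wsfed.realm
"Audiences   : {0}" -f (@($svc.audienceUris.add | ForEach-Object { $_.value }) -join ', ')
if ($wsfed.requireHttps -ne 'true') { $findings += 'wsFederation requireHttps is not true' }

# Token-signing certificate(s) the app will accept. Tokens signed by any other key are
# rejected, so this list must follow AD FS token-signing certificate rollover; that is
# what the daily metadata update task enabled at the end of the wizard is for.
$trusted = @($svc.issuerNameRegistry.trustedIssuers.add)
foreach ($t in $trusted) { "Trusted issuer: {0} [{1}]" -f $t.name, $t.thumbprint }
if ($trusted.Count -eq 0) { $findings += 'no trusted issuer thumbprint configured' }

# Demo shortcut 1: "Disable certificate chain validation" => certificateValidationMode None,
# meaning the app does not check that the issuer certificate chains to a trusted root.
$mode = $svc.certificateValidation.certificateValidationMode
if ($mode -eq 'None') { $findings += 'certificateValidationMode is None; use ChainTrust or PeerOrChainTrust' }

# Demo shortcut 2: "No encryption" => no serviceCertificate, so tokens arrive unencrypted
# (they are still signed; TLS protects them in transit, but not inside the browser).
if (-not $svc.serviceCertificate) { $findings += 'no serviceCertificate: tokens are not encrypted for this app' }

if ($findings.Count -gt 0) { "Findings:`n - " + ($findings -join "`n - ") } else { 'No weak settings found' }
```

Re-run it after any FedUtil or metadata update: a changed trusted-issuer thumbprint is expected after an AD FS certificate rollover, while a certificateValidationMode that quietly went back to None is not.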

The next step is to configure the Federation server side. That is, now that my claims-aware
application is aware of the Federation server, I need to secure the application by configuring
the Federation server to be aware of the claims application. To do that, I want to point out that
in my application I have a configuration file called FederationMetadata. I need to exchange this
information with the Federation server and create what is called a Relying Party Trust. I'm
going to do that by going to the Federation server, launching the Federation Management
Console, selecting under Trust Relationships – Relying Party Trusts. And we will add one here,
start the wizard, and here is the path that the Federation server needs to that metadata – that
is on the claims-aware application. I'm going to cheat and put it in Notepad because it is a
lengthy path here. Notice it is https here, so we are using the URL, there we go...display name.
Now I have got a couple of questions here the wizard is going to ask me. This one here is in
regards to Multi-factor Authentication, we are not going to configure that now, we are going to
Permit all users to access this relying party. We have got a list of tabs here, which displays
the information that was in that metadata file. We will click Next to this and we are not going to
actually edit the claims at this time. But the claims rules are where I can actually extract
information from Active Directory, and present it to the application. And I can identify exactly
what I want to present.

[The v3.5 window is open, and the navigation pane includes the root node with the following
sub-nodes: Favorites, This PC, and Network. The instructor navigates to the Internet
Information Services (IIS) Manager window and selects the claimsapp from the Sites sub-
node. This includes two containers such as App_Code and FederationMetadata. Next the
instructor selects the FederationMetadata container, which includes the 2007-06 folder. Then
the instructor selects the 2007-06 folder and as result a table with two columns Name and
Type is displayed. The first row contains FederationMetadata.xml as a file name and XML
Document as a Type. The second row contains FederationMetadata.xml.backup.1 as a Name
and 1 File as a Type. The third row includes FederationMetadata.xml.backup.2 as a Name and
2 File as a Type. The instructor minimizes the window and navigates to the Hyper-V Manager
window. The navigation pane includes Hyper-V Manager root node with HV96 sub-node. The
view pane includes three sections as follows: Virtual Machines, Checkpoints, and ENT-APP1.
The Virtual Machines section includes a table with the following columns: Name, State, CPU
Usage, Assigned Memory, Uptime and Status. The instructor selects the row, which contains
ENT-ADFS1 as a Name, Running as a State, 0% as a CPU Usage, 1970 MB as an Assigned
Memory and 02:17:11 as an Uptime. The instructor navigates to the Server Manager - AD FS
page, and the navigation pane includes the following links: Dashboard, Local Server, All
Servers, and File and Storage Services. The view pane consists of Servers section with the
table, which includes four columns as follows: Server Name, IPv4 Address, Manageability and
Last Update. The first row contains ENT-ADFS1 as the Server Name, 10.0.10.5 as an IPv4
Address, Online - Performance counters not started as Manageability and 1/13/2014 10:13:59
AM as Last Update. The instructor clicks the Tools menu and selects the AD FS Management
option. As a result AD FS window is displayed and the navigation pane includes the AD FS root
node. This node contains Service, Trust Relationships and Authentication Policies folders. The
instructor selects the Trust Relationships folders, which includes the following sub-folders:
Claims Provider Trusts, Relying Party Trusts, and Attribute Stores. The instructor selects the
Relying Party Trusts folder and as a result Relying Party Trusts table is displayed with the four
columns and one row. The table includes the following columns: Display Name, Enabled, Type,
and Identifier. The first row contains Device Registration Service as a Display Name, Yes as
Enabled, WS-.. as Type, and urn:ms-drs:adfs.hq.ent.a. The Action pane in the right section
includes two sections as follows: Relying Party Trusts and Device Registration. The Relying
Party Trust section includes the following links: Add Relying Party, Add Non-Claim, View, New
Windows fr..., Refresh, and Help. The instructor clicks the Add Relying Party link and as a
result Add Relying Party Wizard is displayed. The instructor clicks Next and navigates to the
next page, which includes the following options: Import data about the relying party published
online or on a local network, Import data about the relying party from a file, Enter data about
the relying party manually. The first option Import data about the relying party published online
or on a local network is already selected, which contains 'Federation metadata address (host
name or URL)' input field. The instructor enters the URL
https://claimsapp.hq.ent.ad/claimsapp/FederationMetadata/2007-06/FederationMetadata.xml in
the Federation metadata address (host name or URL) input field and then clicks Next. The
next page includes a table with two columns and two options under it. The table includes the
columns Multi-factor Authentication and Global Settings. The options under the table are
displayed as follows: I do not want to configure multi-factor authentication settings for this
relying party trust at this time and Configure multi-factor authentication settings for this relying
party trust. The first option already selected. The instructor clicks Next and navigates to the
next page, which includes two options as follows: Permit all users to access this relying party
and Deny all users access to this relying party.
The first option 'Permit all users to access this relying party' is selected by default. The
instructor clicks Next and navigates to the next page, which includes a table with following
tabs: Monitoring, Identifiers, Encryption, Signature, Accepted Claims, Organization, Endpoints,
Notes, and Advanced. The Monitoring tab is already selected. The instructor clicks Next and
navigates to the next page, which includes a single option such as 'Open the Edit Claim Rules
dialog for this relying party trust when the wizard closes. The instructor unchecks this option
and clicks Close.]
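The Relying Party Trust the wizard just created can also be built with the AD FS cmdlets, which makes the metadata exchange in both directions easy to verify and shows what a claims rule that pulls Active Directory attributes looks like (the instructor mentions the rules but does not edit them). The script below is an added example, not part of the course: the two metadata URLs are the ones used in the demo, while the trust name "Claims App" and the rule text are mine (the authorization rule is the standard permit-all template, the transform rule uses the LDAP attribute-store syntax).

```powershell
# Added example, not from the course: create the Relying Party Trust with the AD FS
# cmdlets, then verify it and the metadata exchange in both directions.
# Metadata URLs are the ones from the demo; the trust name and rule text are assumed.

Import-Module ADFS

$rpName      = 'Claims App'
$rpMetadata  = 'https://claimsapp.hq.ent.ad/claimsapp/FederationMetadata/2007-06/FederationMetadata.xml'
$stsMetadata = 'https://adfs.hq.ent.ad/FederationMetadata/2007-06/FederationMetadata.xml'

# 1. Both metadata documents must be reachable over HTTPS from the federation server;
#    the scheduled metadata update task on the app side relies on the same thing.
foreach ($u in $rpMetadata, $stsMetadata) {
    $r = Invoke-WebRequest -Uri $u -UseBasicParsing
    "{0} -> HTTP {1}" -f $u, $r.StatusCode
}

# 2. Import the relying party from its published metadata (identifier, endpoints and the
#    app's certificates come from the document). Monitoring keeps the trust in sync with
#    the app's metadata; auto-update applies the changes it finds.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $rpMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# 3. Issuance authorization: the demo chose "Permit all users". This is the rule the
#    wizard writes for that choice; tighten it to a group later if the app needs it.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitAll

# 4. An issuance transform rule that extracts Active Directory attributes, so the app
#    receives more than the two authentication claims seen at the end of the demo:
#    mail -> e-mail address claim, displayName -> name claim.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,displayName;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $ldapRule

# 5. Verify what was created.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, Identifier, MetadataUrl, WSFedEndpoint, MonitoringEnabled
```

With the transform rule in place, the claims page the sample application renders should show the e-mail and name claims next to the authentication method and instant claims, which is a quick way to confirm that the Active Directory attribute store is being queried for the signed-in user.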

So this now has made the Federation server aware of that claims-aware application. So it can
provide the Federation Services, the identity services. So let's verify my configuration and test
and see if the web application is using Federation Services. So I'm going to open up my
browser, I'm going to Paste the URL to my actual web application and give it just a second
here, and notice that it is redirecting me to the Federation server. You can see this here, where
it says connecting to the ent-adfs1 when I'm actually navigating my browser to the web
application. Let's provide a login here. And the sample application actually produces a web
page containing my claims. Now there is not a whole lot to present here because I have not
created much in the way of claims rules, and I'm not retrieving much in the way of Active
Directory attributes. But what I have demonstrated is that the Relying Party Trust and the web
application configuration are working.

[The AD FS window is open, and the navigation includes the AD FS root node. The root node
contains the following folders: Service, Trust Relationships, and Authentication Policies. The
instructor clicks the Browser and enters the URL https://claimsapp.hq.ent.ad/claimapp/ in the
address bar and then presses Enter. As a result, the Windows Security dialog box is displayed with
Username and Password input fields. The instructor enters the username as hq\administrator
and then enters the password, which is masked. The instructor clicks OK and as a result the
Welcome page is displayed which includes a table with two columns as follows: Claim Type
and Claim Value. The first row includes
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod as a Claim
Type and http://schemas.microsoft.com/ws/2008/06/identity/claims/authentication as Claim
Value. The second row includes
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant as a Claim Type
and 2014-01-13T19:49:50.309Z as a Claim Value.]

All right, let's talk now about where we have been and what we have done. So looking here
again at the checklist, first thing that we did is we designed and configured our Active Directory
federation environment, and the actual design might vary depending on our need and what we
are creating Federation Services for. But the basic requirements included a service account,
an SSL certificate...make sure those were in place. We also validated name resolution, then
we went ahead and installed and configured Federation Services. Then the next thing we
needed to do is make this application here aware of the Federation server. So we configured it
to use Federation Services and we configured a relying party trust on the Federation server, so
it was aware of the application. So essentially it created two ends of the trust. Now when a
client sends a request to the web application, the web application knows who to redirect the
client to, and that means redirecting the client to this Federation server. A Federation server
would then do the authentication and retrieve any attributes that we define in our claims rules
that the client can then present back to the Web Server for authorized access.

[An AD FS diagram.vsdx - Visio Professional window is open, which includes the following
menus: FILE, HOME, INSERT, DESIGN, DATA, PROCESS, REVIEW, and VIEW. This page
displays the RESOURCE PARTNER diagram of different servers connected to each other. The
connection of servers is as follows: HQ.ENT.AD (ENT-DC1 Domain Controller DNS Server
Certificate Services) is connected to AD FS, CorpNet, and Web Server Claims-based App.
The requirements are listed as follows: Design & configure pre-reqs, Install\Configure ADFS,
Configure applications, Create trusts, Configure account stores. The request from the Internet
cloud is passed through the Web Server Claims-based App and the AD FS server. Then the
request is passed through the HQ.ENT.AD server and then passed back to the AD FS server.]

Now this, of course, is all assuming that we are using this Active Directory link between the
Federation server and its home Active Directory as its claims provider. What if we have user
accounts that are in a partner's organization? In other words...that the claims are not sourced
inside this Active Directory environment but in another Active Directory environment. That
means extending our federation environment to use an additional account store, and that is
what I want to show you next. So what that means is we have got to create our trust now
between a resource partner and an account partner, extending Federation Services to trust
another Federation server like so. So this is what I want to show you. It is really pretty
straightforward and we are going to configure one end of the trust and then come back and
configure the other end of the trust. So to begin with we will start with the account partner and
this means creating what is called a Relying Party Trust. So we are going to add a Relying
Party Trust like we did before. This time we are not going to pull the metadata from the
application but from that other Federation server. Here the Federation server being the
Resource Federation server...so we will Paste that there. Of course, notice that this is https.
So we have to trust each other's certificates. I have to trust the certificate that was no...that
was issued to this Resource Federation server.

[An AD FS diagram.vsdx - Visio Professional window is open, which includes the following
menus: FILE, HOME, INSERT, DESIGN, DATA, PROCESS, REVIEW, and VIEW. This page
displays the RESOURCE PARTNER diagram of different servers connected to each other. The
connection of servers is as follows: HQ.ENT.AD (ENT-DC1 Domain Controller DNS Server
Certificate Services) is connected to AD FS, CorpNet, and Web Server Claims-based App.
The requirements are listed as follows: Design & configure pre-reqs, Install\Configure ADFS,
Configure applications, Create trusts. The ACCOUNT PARTNER diagram is displayed below
the RESOURCE PARTNER diagram. This diagram includes the connection of two servers as
follows: AD FS and UG.UNITOGAMES.COM (UG-DG1 Domain Controller DNS Server
Certificate Services). The instructor minimizes the window and navigates to the AD FS window.
The instructor right clicks on the Relying Party Trusts container from the navigation pane and
selects the 'Add Relying Party Trust' option. As a result, the 'Add Relying Party Trust' wizard
is displayed. The instructor clicks Start and the first page is displayed. This page includes the
following options: Import data about the relying party published online or on a local network,
Import data about the relying party from a file, and Enter data about the relying party manually.
The first option 'Import data about the relying party published online or on a local network' is
selected by default, which includes an input field 'Federation metadata address (host name or
URL)' to enter the host name. The instructor enters the URL
https://adfs.hq.ent.ad/FederationMetadata/2007-06/federationmetadata.xml in the
'Federation metadata address (host name or URL)' input field.]

And the other important thing here is I have to be able to access this. So we need to have
name resolution configured as well and I have done both of those things earlier. So because
those are working this goes really, really smoothly. I'm just going to Next through these and not
make any changes, but you can see here I'm pulling additional information from that federation
metadata. And we are not going to change the claims right now, so there we go. We have got
one end of the trust in place. Let's jump to the other end now. Let's go to the Federation server
in the Resource domain, and we are going to a different node, this time we are going to Claims
Provider Trusts. So right now, you can see, by default, it is Active Directory, which is the same
Active Directory or claims source that this Federation server is a member of. We want to
extend this to the partner organization and it is very much the same process. Really, it is
adding that other Federation server's information. I'm just going to use its URL, I'm going to
retrieve that. Here is the information it pulls in, and now we have got an additional claims
provider.

[An Add Relying Party Trust wizard is displayed, which includes the following three options:
Import data about the relying party published online or on a local network, Import data about
the relying party from a file, and Enter data about the relying party manually. The first option
'Import data about the relying party published online or on a local network' is already selected,
which includes an input field 'Federation metadata address (host name or URL)' to enter the
host name. The input field already contains the following URL:
https://adfs.hq.ent.ad/FederationMetadata/2007-06/federationmetadata.xml. The instructor
clicks Next and navigates to the next page, which includes the following tabs: Monitoring,
Identifiers, Encryption, Signature, Accepted Claims, Organization, Endpoints, Notes, and
Advanced. The instructor clicks Next and navigates to the next page and then clicks Close.
The instructor navigates to the AD FS window, which includes the Relying Party Trusts table in
the view pane. This table contains four columns Display Name, Enabled, Type and Identifier,
and two rows. The first row contains Device Registration Service as the Display Name, Yes as
Enabled, WS-.. as Type, and urn:ms-drs:fs.ug.unitga as the Identifier. The second row contains
adfs.hq.ent.ad as the Display Name, Yes as Enabled, and http://adfs.hq.ent.ad/adfs as the
Identifier. Next the instructor navigates to the Hyper-V Manager window which includes three
sections as follows: Virtual Machines, Checkpoints, and UG-CLIENT1. The Virtual Machines
section includes a table with the following columns: Name, State, CPU Usage, Assigned Memory,
Uptime, and Status. This
table contains the list of virtual machines. The instructor selects ENT-ADFS1 server link and as
a result Claims Provider Trusts table is displayed. This table includes a column as Display
Name and a single row. The first row contains Active Directory as a Display Name. Next the
instructor selects the Add Claims Provider Trust link from the right pane, and as a result Add
Claims Provider Trust wizard is displayed. The instructor clicks Start and navigates to the next
page, which includes the following three options: Import data about the claims provider
published online or on a local network, Import data about the claims provider from a file, and
Enter claims provider trust data manually. The first option contains the input field such as
Federation metadata address (host name or URL). The instructor enters the URL
https://fs.ug.unitgames.com/FederationMetadata/2007-06/FederationMetadata.xml in
the Federation metadata address (host name or URL) input field. Then the instructor clicks
Next and navigates to the next page, which includes a table with the following tabs: Monitoring,
Identifiers, Encryption, Signature, Accepted Claims, Organization, Endpoints, Notes, and
Advanced. Then the instructor clicks Next and navigates to the next page. The instructor
unchecks the checkbox 'Open the Edit Claim Rules dialog for this claims provider trust when
the wizard closes' from the next page and clicks Close. As a result, fs.ug.unitogames.com URL
is added in the Claims Provider Trusts table.]
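
The two ends of the partner trust described above, as an added example that is not part of the course: it uses the ADFS PowerShell module instead of the wizards, and it assumes the federation service names adfs.hq.ent.ad (resource partner) and fs.ug.unitgames.com (account partner) as typed in the demo. The pre-flight function checks the two prerequisites the instructor mentions (name resolution and a trusted HTTPS certificate) and surfaces the partner's token-signing certificate thumbprint so it can be confirmed with the partner out of band before the trust is created.

```powershell
# Added example, not the course's own material: creates both ends of the
# federation trust shown in the demo with the ADFS module. Names and URLs are
# taken from the transcript; the account-partner service name follows the
# metadata URL typed into the Add Claims Provider Trust wizard.
Import-Module ADFS

$ResourceMetadata = 'https://adfs.hq.ent.ad/FederationMetadata/2007-06/FederationMetadata.xml'
$AccountMetadata  = 'https://fs.ug.unitgames.com/FederationMetadata/2007-06/FederationMetadata.xml'

function Get-PartnerMetadataSummary {
    <#
      Pre-flight for a trust: confirms the partner's host resolves and that its
      HTTPS certificate chains to a CA this server trusts, then returns the
      partner's entityID and token-signing certificate thumbprint(s).
      Returns $null if either prerequisite fails.
    #>
    param([Parameter(Mandatory)][string]$MetadataUrl)

    $uri = [uri]$MetadataUrl
    try {
        $null = Resolve-DnsName -Name $uri.Host -ErrorAction Stop
    } catch {
        Write-Warning "Cannot resolve $($uri.Host): $_"
        return $null
    }
    try {
        # Invoke-WebRequest fails when the partner's SSL certificate is not
        # trusted, which is the same failure the wizard's metadata import
        # reports; certificate validation is not bypassed here.
        $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Warning "Cannot retrieve metadata from ${MetadataUrl}: $_"
        return $null
    }

    [xml]$md = $response.Content
    # local-name() sidesteps the several XML namespaces used in federation metadata.
    $signingNodes = $md.SelectNodes(
        "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")
    $thumbprints = foreach ($node in $signingNodes) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $cert.Thumbprint
    }
    [pscustomobject]@{
        EntityId               = $md.DocumentElement.GetAttribute('entityID')
        TokenSigningThumbprint = @($thumbprints | Sort-Object -Unique)
    }
}

# Run on the ACCOUNT partner's federation server: the resource partner's
# federation service is added as a Relying Party Trust.
function Add-ResourcePartnerTrust {
    $summary = Get-PartnerMetadataSummary -MetadataUrl $ResourceMetadata
    if (-not $summary) { throw 'Prerequisites failed; fix DNS or certificate trust first.' }
    # Compare the thumbprint with the value the partner admin gives you out of
    # band: this is the key whose signed tokens the trust will accept.
    $summary | Format-List
    Add-AdfsRelyingPartyTrust -Name 'adfs.hq.ent.ad' -MetadataUrl $ResourceMetadata `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
    Get-AdfsRelyingPartyTrust -Name 'adfs.hq.ent.ad' | Select-Object Name, Identifier, Enabled
}

# Run on the RESOURCE partner's federation server (ENT-ADFS1): the account
# partner's federation service is added as an additional Claims Provider Trust.
function Add-AccountPartnerTrust {
    $summary = Get-PartnerMetadataSummary -MetadataUrl $AccountMetadata
    if (-not $summary) { throw 'Prerequisites failed; fix DNS or certificate trust first.' }
    $summary | Format-List
    Add-AdfsClaimsProviderTrust -Name 'fs.ug.unitgames.com' -MetadataUrl $AccountMetadata `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
    # 'Active Directory' plus the new partner should now both be listed.
    Get-AdfsClaimsProviderTrust | Select-Object Name, Identifier, Enabled
}
```
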

Windows Server 2012 R2 AD FS Authentication
Learning Objective
After completing this topic, you should be able to
◾ determine the appropriate AD FS authentication feature to use in a given scenario

1. AD FS authentication mechanisms
Now let's have a look at Federation Services authentication mechanisms. Now when we talk
about authentication, we are, of course, talking about users and computers presenting proof of
who they are. And there is a rich set of authentication methods that are supported in
Federation Services.

We have the device authentication methods – the what you have. For instance, we can require
that machines present certificates or we can support one-time passwords with a smartphone.
We can support authentication based on where you are. This might have something to do with
where the users are authenticating from, whether it is the Internet or the extranet and we can have
unique authentication experiences depending on where they are actually authenticating from.
The other thing that is great about Federation Services is when it comes to device
authentication, we are not limited to just membership in an Active Directory domain. We can
also authenticate devices that are like Internetwork Operating System, or IOS, devices and
Android devices because we can rely on certificates.

Now when it comes to user authentication, the authentication includes forms-based
authentication or traditional Windows authentication. And we can extend it to use other types of
authentication methods like biometrics, thumbprints, and so forth. Now all of these different
authentication methods could be configured as a primary authentication. But we can also
require that we will do more than just one authentication method but also require multifactor
authentication, or MFA. And this is useful if we have specific compliance requirements we need
to meet or we have additional security that we need to have.

2. Demo: Configuring AD FS authentication

In this demonstration, I want to show you how to configure multifactor access control or
authorization control. So to illustrate, let's begin by logging in to my claims-based application
as a user here. So I'm using an account called johnf and notice that as I go to the
application, I'm being redirected to Federation Services. So I'm going to login and there we go,
I get the default web page just as I would expect. Now what I want to do is enable multifactor
access control or authorization control using claims rules. So I'm going to do that by going
back to my Federation server, and under Trust Relationships I want to choose the claimapp
here, I want to edit the claim rules from under the Actions pane, and I need to navigate to the
Issuance Authorization Rules. And notice we have got a rule that says Permit Access to All
Users. I'm going to add a rule that is going to Permit or Deny Users Based on an Incoming
Claim. So now I'm able to use claims rules to control access to my application.

[The Windows desktop is open. The instructor clicks Internet Explorer and opens the Windows
Security dialog box in the browser. The window displays the "iexplore Connecting to
ent-adfs1.hq.ent.ad." section and the User name and Password fields in it. The instructor enters
"johnf@hq.ent.ad" as the User name and enters a masked password in the Password field,
and clicks OK. The "Windows Identity Foundati..." web page opens in the Internet Explorer and
comprises two sections - Values from IIdentity and Claims from IClaimsIdentity. Next the
instructor navigates to Desktop and selects ENT-ADFS1 on HV96 - Virtual Machine
Connection. This opens a window with the Relying Party Trusts folder selected in the left
navigation pane. The Relying Party Trusts page is open in it. It contains a table with columns -
"Display Name", Enabled", "Type" and "Identifier". The Display Name column contains
"claimapp" as the first name under it. In the right navigation pane the claimapp section includes
options - Update from Federation Met..., Edit Claim Rules, Disable, of which the instructor
selects Edit Claim Rules. This opens "Edit Claim Rules for claimapp" window which displays
"Issuance Transform Rules" tab, "Issuance Authorization Rules" tab and partially visible tab
"Delegatio...". The "Issuance Transform rules" tab is selected in the window. The instructor
then clicks "Issuance Authorization Rules" tab and the tabbed page contains table with
columns - "O..." which is partially visible, "Rule Name" and "Issued Claims". The instructor
selects a row in the table which contains the rule name "Permit Access to All Users" in the Rule
Name column and the value "Permit" under Issued Claims column. The instructor scrolls down
and the "Add Rule", "Edit Rule" and "Remove Rule" buttons are displayed. The instructor clicks
"Add Rule" and a page containing the field "Claim rule template:" opens. The text in the field is
"Permit or Deny Users Based on an Incoming Claim". The instructor clicks Next and this opens
another page with the fields - "Claim rule name", "Incoming claim value", the "Incoming claim
type" list box and the options "Permit access to users with this incoming claim" and "Deny
access to users with this incoming claim".]

And so just as an example here, I'm going to call this Sales Group Deny because johnf is a
member of the Sales group, and then I can choose the different types of claims here. You can
see there is quite a bit that I can elect to use; I'm going to use Group SID, finding the Sales
group and, of course, you can use any group here, and use additional claim types as well. I'm
going to set the permission to deny, click Finish and Apply. The other thing I want to do is
move this Sales Group Deny to the top of my list there. So it is processed first. All right, so
now let's go back to the client and let's attempt to access this application once again...same
user account and he is not able to access that. Once again, he is a member of the Sales
group. Let's try a user who is not a member of the Sales group. Let's try cordelial and she
is granted access because she does not actually meet the criteria for the first authorization
rule, but because at the other end of the list there at the bottom of my issuance authorization
rules, there is a rule to permit all users. And so that is what is creating her access. So you can
use multifactor access control that controls access to your applications, either permitting or
denying users based on claim types.

[In the Add Issuance Authorization Claim Rule Wizard, a page with the fields - "Claim rule
name", "Incoming claim value", the "Incoming claim type" list box and the options Permit
access to users with this incoming claim and Deny access to users with this incoming claim is
open. The instructor enters the text "Sales Group Deny" in the Claim rule name field. The
instructor clicks the Incoming claim type drop-down list box and selects "Group SID" from the
list. Next the instructor clicks the Browse button beside the Incoming claim value field. This
opens "Select User, Computer, or Group" window displaying fields "Select this object type",
"From this location", "Enter the object name to select" and the buttons - "Object Types",
"Locations", "Check Names" and "Advanced". The instructor enters "sales" in the "Enter the
object name to select" field. The instructor clicks OK and this opens the Configure Rule page in
the Add Issuance Authorization Claim Rule Wizard. The instructor selects Deny access to
users with this incoming claim, and clicks Finish. The "Edit Claim Rules for claimapp" page
opens, in which the Rule Name "Sales Group Deny" is selected. The instructor clicks Apply
and navigates to the Desktop. Next the instructor selects ENT-Client1 on HV96 - Virtual
Machine Connection from the list of options that appear. Next the instructor opens Internet
Explorer and enters the Username and Password in the Windows Security dialog box, and
clicks OK. This opens the Easy Nomad Travel page in the browser. The instructor clicks Home
in the browser and logs in again with a different user name. A web page opens in the browser,
containing sections "Values from IIdentity" and "Claims from IClaimsIdentity".]
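
The "Sales Group Deny" issuance authorization rule from the demo, as an added example that is not part of the course: it is the rule the wizard generates, written out in AD FS claim rule language and applied with the ADFS and ActiveDirectory modules. It assumes the relying party name claimapp and the group Sales used in the demo.

```powershell
# Added example, not the course's own material: the issuance authorization
# rules the demo builds in the console, expressed in claim rule language.
# Assumes the relying party 'claimapp' and the group 'Sales' from the demo.
Import-Module ActiveDirectory, ADFS

$RelyingParty = 'claimapp'

function New-GroupSidDenyRule {
    # Produces the rule the "Permit or Deny Users Based on an Incoming Claim"
    # template generates for claim type Group SID with "Deny access" selected.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$RuleName
    )
    # The rule stores the group's SID, not its name, so renaming the group
    # does not silently disable the deny.
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value

    $template = @'
@RuleName = "{RULE}"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i){SID}$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
'@
    $template.Replace('{RULE}', $RuleName).Replace('{SID}', $sid)
}

# The default rule the demo leaves at the bottom of the list.
$PermitAllRule = @'
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Set-ClaimappAuthorizationRules {
    $deny = New-GroupSidDenyRule -GroupName 'Sales' -RuleName 'Sales Group Deny'
    # Deny first, permit-all last, matching the order set in the console. Note
    # that AD FS evaluates every authorization rule and a deny claim overrides
    # a permit claim regardless of position; the order mainly aids review.
    $ruleSet = $deny + "`r`n" + $PermitAllRule
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $ruleSet
    # Read back what was stored so the rule text can be reviewed or versioned.
    (Get-AdfsRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
}
```

After Set-ClaimappAuthorizationRules runs, a Sales member such as johnf is denied at the federation server before the application is reached, while a non-member still falls through to the permit-all rule.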

Now let's talk about Authentication policies and configuring multi-factor authentication. So let's
begin with my test user. I'm going to access the claims application once again. This time I want
to point out that I'm being presented a security mechanism from Windows. So this is the
Windows Security authentication method. So I'm going to supply the password and
authenticate an access to the claims-based application. But I can control the authentication
method I use based on criteria, both the Primary Authentication and I can require additional
authentication for those applications that need it...they add their additional security. So let's
have a look at Federation Services now and where I can do that. So in the Federation
Management tool there is a node called Authentication Policies and there are a couple of
concepts here. First of all, we have the ability to control Primary Authentication and the ability
to control Multi-factor Authentication. I can control two basic factors. I can control the
authentication method and I can control the criteria or the, kind of, scope of authentication.

[The Windows desktop is open and the instructor opens Internet Explorer and once again logs
in to access the Claims Application, via Windows Security. A web page opens in the browser,
containing sections "Values from IIdentity" and "Claims from IClaimsIdentity". Next the
instructor selects ENT-ADFS1 on HV96 - Virtual Connection option. The Federation
Management tool opens with Authentication Policies node selected in the navigation pane. The
Authentication Policies Overview page is open in the view pane. It contains the sections -
Primary Authentication and Multi-factor Authentication. The Primary Policies section contains
the sub-sections - Global Settings and Custom Settings. The Global Settings sub-section gives
information regarding Authentication Methods and Device Authentication.]

So let me give you an example. I can go into the Global Primary Authentication Policy by
choosing the edit option there from the Actions pane. And here, there are the two criteria or
scopes. There is the Extranet or Intranet. And what this allows me to do is define different
authentication methods. So the assumption here is the Extranet is going to be less secure or
less compatible. So I want to consider other authentication methods for the Extranet compared
to the Intranet. With the Intranet, I can use something like Kerberos and I can use Windows
Authentication, so I'm going to elect to use that option. Extranet, I want to use forms-based
authentication or Certificate Authentication. Now I can change this, of course, I'm going to
come in and change Forms Authentication on the Intranet side. And so, this should be
reflected in my test account. So we will click OK to that, let's go back to my user, and the
reason for that is the user is on the Intranet. So when they go to access that claims-based
application, now you can see that they are being presented a forms-based authentication
screen. So there we go.

[The Federation Management tool is open and the Authentication Policies node is selected in
the navigation pane. The Authentication Policies Overview page is open in the view pane. It
contains the sections - Primary Authentication and Multi-factor Authentication. In the Actions
pane, Authentication Policies node is displayed, which consists of following options: Edit
Global Primary Authentication, Edit Global Multi-factor Authentication, View, New Window from
Here, Refresh, and Help. The instructor selects Edit Global Primary Authentication. The Edit
Global Authentication Policy window opens. The Multi-factor tab is selected and the tabbed
page is open in the window. It consists of sections - Extranet and Intranet - that contain the
checkboxes to select authentication methods. The checkboxes associated with Extranet are
Forms Authentication and Certificate Authentication. The checkboxes associated with Intranet
are Forms Authentication, Windows Authentication and Certificate Authentication. The Forms
Authentication checkbox in Extranet and the Windows Authentication checkbox in Intranet are
selected. The instructor selects Forms Authentication checkbox in Intranet, as a result of
which, the Windows Authentication checkbox is deselected. Next the instructor clicks OK. This
opens the Authentication Policies page and the Primary Policies section is displayed on the
page. It contains the sub-sections - Global Settings and Custom Settings. The Global Settings
sub-section gives information regarding Authentication Methods and Device Authentication.
The Authentication Method for Extranet is set to Forms Authentication; the Authentication
Method for Intranet is set to Forms Authentication as well. The Device Authentication is Not
Enabled. The instructor navigates back to desktop and selects ENT-Client1 on HV96 - Virtual
Machine Connection option. The instructor opens Internet Explorer and the Easy Nomad
Travel Sign in page is displayed.]

Now for additional security, I might want to enable Multi-factor Authentication, maybe I have a
compliance requirement. I can configure Multi-factor Authentication both globally for all the
applications in this Federation server or I can do it on a Per Relying Party or Per Application
basis. First of all, let's look at the global policies. So I'm going to edit the Global Multi-factor
Authentication Policy. And a couple of things I want to bring to your attention, just like we saw
with Primary Authentication, I have the ability to control Multi-factor Authentication based on
the location. So for those Extranet users, I might have a greater concern for security and I
might want to then require Multi-factor Authentication. Doing it here will enforce Multi-factor
Authentication on all the different applications because this is the global policy. What kind of
authentication method am I going to support? Well that is down here. I can choose Certificate
Authentication by default, third-party authentication methods, one time passwords, leveraging
Windows Azure authentication. Those are things that can appear in this list and I can actually
even control how they are presented. So I can extend the authentication method for Multi-
factor Authentication in this list below. By default, I just have Certificate Authentication.

[A web page is open in the browser and contains the sections "Values from IIdentity" and
"Claims from IClaimsIdentity". The instructor navigates back to the desktop and selects ENT-
ADFS1 on HV96 – Virtual Machine Connection. As a result, the Authentication Policies
Overview page opens which contains the sections – Primary Authentication and Multi-factor
Authentication. The Primary Authentication section on this page displays sub-sections Global
Settings and Custom Settings. In the Actions pane the instructor selects Edit Global Multi-
factor Authentication. Multi-factor tabbed page opens. It displays the sections – User/Groups,
Devices, and Locations. The Devices section contains options for devices that require Multi-
factor Authentication – Unregistered devices and Registered devices. The Locations section
contains the checkboxes Extranet and Intranet. The page also contains a section which
displays options to select additional authentication methods. It consists of the Certificate
Authentication checkbox.]

Now I'm going to turn this on, this is going to enable Multi-factor Authentication. I'm not going
to change the actual Multi-factor settings, however, and let me talk about these on another tab.
So I'm going to click OK to that and now what I want to do is go to the claims application itself.
So I can configure the multi-factor settings globally but I can also configure them on a very
specific application. So there might be multiple Relying Party Trusts, multiple applications, and
I only really need Multi-factor Authentication on one of them. So I can select that, then in the
Actions pane I can choose edit Multi-factor Authentication. Now this time, I don't have the
option to control the method that is done in the global policy and that is what this alert here
tells me. But I do have the same settings in regard to controlling the multi-factor scope.

[The Multi-factor tabbed page is open. It displays the sections – User/Groups, Devices, and
Locations. The Devices section contains options for devices that require Multi-factor
Authentication – Unregistered devices and Registered devices. The Locations section contains
the checkboxes Extranet and Intranet. The page also contains a section which displays options
to select additional authentication methods. It consists of the Certificate Authentication
checkbox. The instructor scrolls to the bottom of the page and clicks OK and selects the Per
Relying Party Trust sub node below Authentication Policies node. The Per Relying Party Trust
page opens. It displays the sections – “Relying Party trusts with global authentication settings
only” and “Relying Party trusts with custom authentication settings”. The “Relying Party trusts
with global authentication settings only” section contains claimapp option. The “Relying Party
trusts with custom authentication settings” section contains “Device Registration Service”
option. The instructor selects claimapp and navigates to the Actions pane. The instructor
selects Edit Custom Multi-factor Authentication option in claimapp. This opens Edit
Authentication Policy for claimapp dialog box and the Multi-factor tabbed page is open in the
window. The section which displayed the options to select additional authentication methods is
not displayed now.]

So again I have the Extranet or Intranet, I can also control Devices – registered or
unregistered, or I can control or define Users or Groups. And what I'm doing here is I'm
defining when do I need to apply or require a Multi-factor Authentication. Well I can say, for
instance, that I want to apply Multi-factor Authentication for users who are members of the
Sales group. What method? Well that was defined globally that would be Certificate-based
Authentication and then I have these other options. So let's check this out, click OK to that. Go
back now to my client, close this down. Now John is a member of this Sales group. I have
turned on Multi-factor Authentication, click this link. So here we have the Forms-based
Authentication for my earlier change. This is Primary Authentication. I will click Sign in and
now Secondary Authentication is presented. So now it is saying you need to provide a
certificate. So that is how you configure your Authentication Policies in Active Directory
Federation Services, or AD FS.

[The Edit Authentication Policy for claimapp dialog box is open. The instructor clicks Add
button adjacent to the Users/Groups section. This opens the Select Users or Groups window
and displays the fields “Select this object type”, “From this location”, and “Enter the object
names to select”. It also displays the buttons – “Object Types”, “Locations”, and “Advanced”.
The instructor enters the text sales in the Enter the object names to select field, and clicks OK.
The Multi-factor tabbed page is displayed again and the Users/groups field displays the text
HQ\Sales. The instructor clicks OK at the bottom of the page, navigates back to desktop, and
selects ENT-Client1 on HV96 – Virtual Machine Connection. Next the instructor opens the
Internet Explorer. Easy Nomad travel Sign in page is displayed. The instructor clicks Sign in
and Windows Security dialog box opens and a message asking to confirm the certificate is
displayed.]
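
The authentication policy changes made in this demo, as an added example that is not part of the course: per-location primary authentication, the global MFA method, and the per-relying-party and global scopes, applied with the ADFS module rather than the console. It assumes the relying party claimapp and the group HQ\Sales from the demo; the extranet rule additionally assumes requests from outside arrive through a Web Application Proxy, which is what sets the insidecorporatenetwork claim to false.

```powershell
# Added example, not the course's own material: the Authentication Policies
# settings from the demo, applied with the ADFS and ActiveDirectory modules.
# Relying party 'claimapp' and group 'Sales' are taken from the transcript.
Import-Module ActiveDirectory, ADFS

# 1. Primary authentication, chosen per location as in Edit Global Primary
#    Authentication: forms on the intranet, forms or certificate on the extranet.
function Set-DemoPrimaryAuthentication {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider 'FormsAuthentication' `
        -PrimaryExtranetAuthenticationProvider 'FormsAuthentication', 'CertificateAuthentication'
}

# 2. The MFA *method* lives only in the global policy; this is why the
#    per-relying-party dialog in the demo shows no method list.
function Set-DemoMfaMethod {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'CertificateAuthentication'
}

# Claim that an additional authentication rule issues to demand MFA.
$MfaClaimType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MfaClaimValue = 'http://schemas.microsoft.com/claims/multipleauthn'

# 3. Per-relying-party scope: require MFA for members of Sales on claimapp only,
#    which is what adding HQ\Sales under Users/Groups in the demo does.
function Set-ClaimappMfaForGroup {
    param([string]$RelyingParty = 'claimapp', [string]$GroupName = 'Sales')
    $sid  = (Get-ADGroup -Identity $GroupName).SID.Value
    $rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$sid`$"]
 => issue(Type = "$MfaClaimType", Value = "$MfaClaimValue");
"@
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRules $rule
    (Get-AdfsRelyingPartyTrust -Name $RelyingParty).AdditionalAuthenticationRules
}

# 4. Global scope: the Extranet checkbox in Edit Global Multi-factor
#    Authentication corresponds to a rule on the insidecorporatenetwork claim,
#    which AD FS sets to false for requests relayed by the Web Application Proxy.
#    This applies to every relying party, as the instructor notes.
function Set-GlobalMfaForExtranet {
    $rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "$MfaClaimType", Value = "$MfaClaimValue");
"@
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule
    Get-AdfsAdditionalAuthenticationRule
}
```

After Set-DemoMfaMethod and Set-ClaimappMfaForGroup run, a Sales member signing in to claimapp completes forms authentication first and is then prompted for a certificate, as shown at the end of the demo.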

3. Demo: Workplace join

The surge of consumer devices is really changing our world and the way that we use
technology, many of the traditional models – well they just do not apply anymore. Now what we
are seeing is more of open borders between different areas of our lives. Now one moment you
might be playing a game, in the next moment you are sending an important e-mail
communication to a business partner or to a customer. This work and home area is blurring
together because we are using our smartphones and our tablets for both, work devices and for
play. Now one of Microsoft's responses to these changes comes in the form of workplace join.
With workplace join, users can enable their consumer devices to access corporate resources.

These devices use certificates as a means of additional authentication. In other words,
workplace join supports multifactor authentication while providing a Single Sign-On, or SSO,
solution even for non-Windows devices that are not joined to the domain. It is a bring your own
device, or BYOD, option that allows your employees to access those corporate applications
and that corporate data from anywhere and from any device.

[The Workplace page includes a textfield labeled as 'Enter your user ID to get workplace
access or turn on device management.' To join workplace network, the page includes a 'Join'
button. To turn on the option 'Allow apps and services from IT admin' the page includes a 'Turn
on' button.]

All right, time to configure workplace join. Let's begin here on the Federation server. So let's
open up the management console for Federation Services. First thing I want to look at is the
prerequisites. So if I go to Certificates, these are the three different certificates that Federation
Services relies on. This one here is the Secure Socket Layer, or SSL, certificate that I issued at
the time that I configured AD FS. And one of the important things here is that its Subject
Alternative Name includes an entry for device registration. Here you can see under DNS Name
it says enterpriseregistration.hq.ent.ad. So this actually needs to be part of the certificate in this
Subject Alternative Name, so that is done. The next thing I need to do is include a DNS
record for this name. So let's go to DNS, have not done that yet. So let's right-click New Alias
(CNAME), enterpriseregistration, and this needs to point to my AD FS server. So
we will select that here in the list, there we go.

[The Server Manager that includes the AD RMS page is open. In the navigation pane, AD FS
tab is selected. The view pane includes the server ENT-ADFS1 listed. The instructor clicks the
Tools menu and then selects the AD FS Management option. The AD FS Management window
is displayed. The AD FS node is expanded and it includes Service, Trust Relationships, and
Authentication Policies. The Service sub-node is expanded and it includes Endpoints,
Certificates, and Claim Descriptions. Next the instructor clicks the Certificates node and the
view pane displays three different certificates: CN=adfs.hq.ent.ad, CN=ADFS Encryption, and
CN=ADFS Signing - a... The instructor double clicks the CN=adfs.hq.ent.ad certificate and
Certificate dialog box that includes three tabs: General, Details, and Certification Path is
displayed. Then the instructor clicks the Details tab. Next the instructor selects one of the
entries, 'Subject Alternative Name' in the Details tabbed page. The DNS Name for this entry is
enterpriseregistration.hq.ent.ad. Then the instructor clicks OK and the Certificate dialog box is
closed. Next the instructor navigates to DNS, right-clicks the node 'hq.ent.ad' in the navigation
pane, and a shortcut menu is displayed. Then the instructor selects New Alias (CNAME) option
and New Resource Record dialog box is displayed. Next the instructor adds the Alias name as
enterpriseregistration, the fully qualified domain name (FQDN) as
enterpriseregistration.hq.ent.ad, and the target host for FQDN is set as 'ENT-
ADFS1.hq.ent.ad.' Next the instructor clicks OK and the DNS page having
enterpriseregistration is displayed.]

Next thing we need to do is run a couple of commands on the server. We do that in
PowerShell. So I have got this staged; first thing we are going to do is initialize the service. So I
need to include the service account here, we will enter that, Yes to All, and then we will enable
the setting. All right, so that has been properly executed. Now we need to configure an
authentication policy for device registration, our Device Authentication. Notice this is currently
not enabled, so the next thing we need to do is go to the Global Authentication Policy and
Enable device authentication. So those are some of the requirements that I need to meet
and some of the tasks I need to perform on the server.

[The DNS page that includes a list of resource records is open. The instructor navigates
to Administrator: Windows PowerShell ISE and runs the following command:
Initialize-ADDeviceRegistration. Next, at the prompt, the instructor enters the ServiceAccountName as
hq\adfsgmsa$ and presses Enter. A pop-up message box that includes the message 'Do you
want to continue with this operation' is displayed. The instructor clicks the 'Yes to All' button
and then runs the following command: Enable-AdfsDeviceRegistration. Next the instructor
navigates to the AD FS Management window. Then the instructor expands the Authentication
Policies node, which includes the Per Relying Party Trust sub-node. The view pane includes a
Primary Authentication section that includes Global Settings and Custom Settings options. In
the Global Settings option, the Device Authentication option is displayed as 'Not enabled.'
Then the instructor clicks Edit Global Prim... in the Actions pane and a dialog box having two
sections, Extranet and Intranet, is displayed. The Extranet section includes two authentication
methods: Forms Authentication and Certificate Authentication. The Intranet section includes three
authentication methods: Forms Authentication, Windows Authentication, and Certificate Authentication.
In both sections, Forms Authentication is selected. Below the two sections, the option
'Enable device authentication' is selected. The instructor closes the dialog box and the AD FS
Management window having Device Authentication - Enabled is displayed. Next the instructor
navigates to the ENT-Client1 on hV96.EARTHFARM.LAB window.]

So let's have a look now at workplace join from the client side. So I'm going to log in with a
Microsoft account. Here is my test user, and this is a Windows 8 machine that is not a member
of the domain. So let's go to the System here and you can see that it is Windows 8.1 and it is
a member of the WORKGROUP. So to use workplace join, well actually, before I do that, let me
visit the application and log in with my domain credentials now. So the credentials I'm providing
here are domain credentials. Oops, what if I type in the correct password, there we go. So I'm
accessing the federated web site, well...I'm accessing the claims-based application, and
Federation Services is showing...providing the claim information.

[The ENT-Client1 on hV96.EARTHFARM.LAB window is open. The instructor logs in to the system
and the Windows 8.1 Start screen is displayed. Then the instructor clicks the Desktop tile and
opens the System window. The window includes basic information about the computer.
Next the instructor opens Internet Explorer, enters the Username and Password in the
Windows Security dialog box, and clicks OK to log in. This opens the Windows Identity
Foundation page that displays the claims information.]

So if I do that again, notice it asks me to log in again. So what workplace join is going to allow
me to do is it will provide web Single Sign-On for a machine accessing domain-based
resources even if I'm in a workgroup. So it is providing machine authentication. Let me share
how that works: I'm going to go into PC settings, we will go to Network, we will select
Workplace, here we will provide my domain identifier, click Join, and we shall see here it says
Easy Nomad Travel. So I'm actually connecting to the Device Registration service and it is
going to enroll me into the environment and I will become a registered device in Active
Directory. So I need to provide my domain password and there we go. So I'm now successfully
part of the domain in the sense that I'm known by the domain. It is not traditional domain
membership, so I'm still in a workgroup. But now let's check to see if Single Sign-On is
working, there we go.

[The Windows 8.1 Desktop screen is open. The instructor opens Internet Explorer and the
login dialog box is displayed. The instructor closes Internet Explorer and then opens the
charms bar. Next the instructor selects the Settings option from the charms bar and a list of
options is displayed. Then the instructor clicks the Change PC settings option and the
Settings page is displayed. Next the instructor clicks the Network tab in the navigation pane,
and then selects the Workplace tab. Then, in the view pane, the instructor enters the user ID
'cordelia@hq.ent.ad' in the text field. Next the instructor clicks the Join button and a page
displaying 'Connecting to Easy Nomad Travel' is displayed. The page also includes sign-in
options. Then the instructor enters the credentials and signs in to Easy Nomad Travel. Then the
Workplace page is displayed; it shows that the user has joined and the 'Join' button
changes to 'Leave.' Next the instructor minimizes the screen and navigates to the Windows 8.1
Start screen. Then the instructor clicks the Desktop tile and opens Internet Explorer. Next the
instructor enters the Username and Password in the Windows Security dialog box and clicks
OK to log in. This opens the Windows Identity Foundation page that displays the claims
information.]

And notice, now I have some additional information in my claim, identifying the device. And we
will try that again, and there we go. Notice, this is the second time I visited the web page. It did
not actually prompt me to log on because web Single Sign-On is in effect. So there is my
device identifier. Now the last thing I want to show you is what this looks like in Active
Directory. So let's bounce over to a machine that has got access to Active Directory, and I'm going
to go to View – Advanced Features, and here is something you probably have not seen
before, and that is RegisteredDevices. So here is this device in Active Directory and you
might...you can also see iOS devices. So this is not limited to Windows 8.1. We can also use
other devices, and they can also participate with workplace join.

[Internet Explorer with the Windows Identity Foundation page is open. The instructor
closes Internet Explorer and then reopens it. The Windows
Identity Foundation page with the claims information is displayed. Next, using Hyper-V
Manager, the instructor opens the client machine 'ENT-Client1'. The Active Directory window is
displayed. The instructor clicks the View menu from the menu bar and then clicks the option
'Advanced Features'. Next the instructor clicks the node RegisteredDevices in the navigation
pane. The view pane lists the registered device '6126c3ef-ff66-455e-86b5-1c8aa7a3...'.]
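
The server-side steps of this demo (certificate SAN check, the enterpriseregistration CNAME, Initialize-ADDeviceRegistration, Enable-AdfsDeviceRegistration, the global policy switch) and the RegisteredDevices check at the end, collected into one PowerShell script. This is an added example, not the instructor's own commands. It assumes an elevated session on ENT-ADFS1 run as an Enterprise Admin (Initialize-ADDeviceRegistration requires it) with the ADFS, DnsServer, DnsClient and ActiveDirectory modules available; the names hq.ent.ad, ENT-ADFS1 and hq\adfsgmsa$ are the demo's, while $DnsServer (ENT-DC1) and the msDS-* attribute names are assumptions and not from the course.

```powershell
# Added example, not the course's own commands. Assumptions: elevated PowerShell
# on ENT-ADFS1 as an Enterprise Admin; ADFS, DnsServer, DnsClient and
# ActiveDirectory modules installed. $DnsServer is an assumed name.

$Domain         = 'hq.ent.ad'
$AdfsHost       = 'ENT-ADFS1.hq.ent.ad'
$ServiceAccount = 'hq\adfsgmsa$'
$DnsServer      = 'ENT-DC1.hq.ent.ad'   # assumed: the DC hosting the hq.ent.ad zone
$DrsName        = "enterpriseregistration.$Domain"   # one such name per UPN suffix in use

# 1. The service-communications (SSL) certificate must list the DRS name in its
#    Subject Alternative Name (OID 2.5.29.17). Clients connect to
#    enterpriseregistration.<suffix> and fail the TLS handshake if it is missing.
$sslCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$san = $sslCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($true) -notmatch [regex]::Escape($DrsName)) {
    throw "Certificate $($sslCert.Subject) has no SAN entry for $DrsName; reissue it first."
}
Write-Host "SAN check passed for $DrsName (thumbprint $($sslCert.Thumbprint))"

# 2. DNS: CNAME enterpriseregistration.<suffix> -> the federation server, created
#    only if absent, then resolved from this host to prove the record is live.
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
    -Name 'enterpriseregistration' -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Domain `
        -Name 'enterpriseregistration' -HostNameAlias $AdfsHost
}
$target = Resolve-DnsName -Name $DrsName -Type CNAME -ErrorAction Stop |
    Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost
if ($target -ne $AdfsHost) { throw "$DrsName resolves to '$target', expected $AdfsHost" }

# 3. Initialize DRS in Active Directory (creates the Device Registration
#    Configuration object and the RegisteredDevices container; answer Yes to All
#    at the prompt, as in the demo), then enable the DRS endpoint on AD FS.
Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccount
Enable-AdfsDeviceRegistration

# 4. The console's "Enable device authentication" checkbox in the global primary
#    authentication policy is this single property.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 5. Verify what the console showed as "Device Authentication - Enabled".
Get-AdfsDeviceRegistration | Format-List
if (-not (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the global policy'
}

# 6. After a client has joined, its object lives under CN=RegisteredDevices at the
#    domain root (objectClass msDS-Device), the node the demo opens with
#    View > Advanced Features. The msDS-* attribute names are as recalled from
#    the 2012 R2 schema (assumption); Select-Object shows blanks if one is absent.
$base = 'CN=RegisteredDevices,' + (Get-ADDomain -Identity $Domain).DistinguishedName
Get-ADObject -SearchBase $base -Filter { objectClass -eq 'msDS-Device' } -Properties * |
    Select-Object Name, whenCreated, 'msDS-DeviceOSType', 'msDS-DeviceOSVersion', 'msDS-IsEnabled'
```

Run steps 1 to 5 before the client-side demo; step 6 only returns something once a device has joined. The script stops at the first failed prerequisite rather than continuing, because a missing SAN entry or a CNAME pointing at the wrong host produces a confusing error on the client rather than on the server. Devices joining from outside the corporate network additionally need the enterpriseregistration name to resolve in public DNS and the DRS endpoint to be published through whatever proxy fronts the federation service.
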

AD RMS and AD FS in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ deploy AD FS and AD RMS

1. AD RMS
Now that you have learned about Active Directory Rights Management Services, or AD RMS,
and we took a look at Active Directory Federation Services, or AD FS, let's try an exercise to
practice what you have learned.

You are working in the IT department of EasyNomad travel.

One of your tasks today is to deploy Active Directory Rights Management Services, or AD
RMS, for rights management for security and regulatory reasons.

Question

An important part of administering Active Directory Rights Management Services, or AD RMS,
is to understand its uses and features. Which statements about AD RMS are true?

Options:

1. The main purpose of the AD RMS server is to license the content
2. Public Key Infrastructure, or PKI, and symmetric encryption are used in the
AD RMS process
3. AD RMS is less secure than access control lists, or ACLs
4. AD RMS cannot control a user's ability to edit or print documents

Answer

Option 1: Correct. AD RMS is an AD implementation of digital rights management, or
DRM. The purpose of DRM is to license the content, ensure only licensees can use it,
and only in the manner allowed by the license.

Option 2: Correct. AD RMS relies on digital certificates, and so on PKI, to establish the
identity of users and servers, while the protected content itself is encrypted with a
symmetric key that is conveyed to an authorized user inside the use license.

Option 3: Incorrect. AD RMS is more secure than ACLs for two reasons: you can
protect information in more ways, and that protection travels with the file beyond your
network, whereas an ACL only applies while the file sits on the server that enforces it.
Option 4: Incorrect. AD RMS can control editing, printing, and many other activities in
a way that traditional ACLs cannot.

Correct answer(s):

1. The main purpose of the AD RMS server is to license the content
2. Public Key Infrastructure, or PKI, and symmetric encryption are used in the AD
RMS process

Question

You start to roll out Active Directory Rights Management Services, or AD RMS. You have
already set up a new organizational unit, or OU, a Super Users group, and added
users. Sequence the next steps you need to take to install AD RMS.

Options:

A. Determine the address of the server
B. Create a new host
C. Install the AD RMS role
D. Launch the AD RMS Configuration Wizard

Answer

Correct answer(s):

1. Determine the address of the server: the first step is to determine the IP address of
the server. The server should have a static IP address.
2. Create a new host: the second step is to create a new host. This machine will host
the AD RMS database.
3. Install the AD RMS role: the third step is to add the AD RMS role on the server. The
AD RMS role is added using Server Manager.
4. Launch the AD RMS Configuration Wizard: you then launch the configuration wizard
to configure AD RMS. The wizard registers the AD RMS Service Connection Point, or SCP.

2. AD FS
You also want to use Active Directory Federation Services, or AD FS, to establish federation
between EasyNomad and a supplier.

Question

Which of the following statements are true about identity federation?

Options:

1. Active Directory Federation Services, or AD FS, is more powerful than forest
trusts
2. Using AD FS, you can give users a Single Sign-On
3. AD FS uses role-based authentication
4. AD FS is less complex than forest trusts

Answer

Option 1: Correct. AD FS enables more control between federated organizations
than forest trusts. A forest trust lets any authenticated user from the trusted forest be
granted access to resources in your forest, whereas an AD FS relationship is scoped to
specific relying-party applications and you control precisely which claims are issued.

Option 2: Correct. AD FS enables Single Sign-On between federated organizations.
So you only need to sign on once to access local and remote resources.

Option 3: Incorrect. Role-based access control is a way of applying granular
permissions to enable particular job roles. AD FS uses Public Key Infrastructure, or
PKI, to sign the security tokens that enable Single Sign-On between federated
organizations, but the relying application decides what to authorize from the claims in
the token; AD FS itself does not apply permissions.

Option 4: Incorrect. AD FS requires a more complicated setup than a forest trust, but it
is more secure between non-trusted forests.

Correct answer(s):

1. Active Directory Federation Services, or AD FS, is more powerful than forest trusts
2. Using AD FS, you can give users a Single Sign-On

Question
You start to establish the federation relationship between EasyNomad and your
supplier. What actions will you take to prepare for the Active Directory Federation
Services, or AD FS, installation?

Options:

1. Enroll a Secure Socket Layer, or SSL, certificate for the web server
2. Add a site binding for SSL
3. Install an SSL enterprise certificate
4. Prepare a Windows NT File System, or NTFS, partition on the DNS server

Answer

Option 1: Correct. Since the AD FS web server is the single point of sign-on for
remote users connecting using AD FS, it must have a valid certificate, enrolled from
a certificate authority, or CA, that those users' machines trust.

Option 2: Correct. The AD FS site must be reachable over HTTPS, so it needs a site
binding for SSL on TCP port 443.

Option 3: Incorrect. An enterprise certificate is not required, just a certificate for the
SSL web server.

Option 4: Incorrect. The DNS server must have a record for the AD FS service name
(this course uses a CNAME; Microsoft recommends an A record for the federation
service name, because a CNAME breaks the SPN lookup that Windows Integrated
Authentication relies on), but there is no requirement for an NTFS partition.

Correct answer(s):

1. Enroll a Secure Socket Layer, or SSL, certificate for the web server
2. Add a site binding for SSL

© 2018 Skillsoft Ireland Limited
