Microsoft Learning Product 6426C
Lab Instructions and Lab Answer Key: Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2011 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Module 1
Lab Instructions: Exploring Identity and Access Solutions
Contents:
Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
Objectives
After completing the lab, you will be able to:
- Identify business requirements.
- Determine server roles and solutions required to meet the business requirements.
Scenario
You are working as a systems administrator for Contoso Pharmaceuticals. As part of your job role, you need to understand how Active Directory is used to secure IT infrastructures. The current requirements are as follows:
- Management wants to ensure that Contoso's IT infrastructure can be protected by using multi-factor authentication.
- Management has also asked that Microsoft Office documents be protected from being read by unauthorized people. Recently, some confidential Microsoft Word documents were emailed to an unauthorized person. Management wants to ensure that such documents are not readable even if they are obtained by unauthorized people.
- Contoso recently partnered with Tailspin Toys. Tailspin Toys needs access to Contoso's claims-based web application but wants to ensure that its users can continue to use their current Tailspin Toys Active Directory user accounts.
- Management has expressed concern about developer efficiency. Developers currently use a development instance of Active Directory Domain Services (AD DS). They have noted that developers are often waiting for IT and instead need the ability to manage their own directory services for development. In addition, developers need a technology that helps them separate identity logic from their applications.
- Human Resources (HR) maintains its own HR database that contains much of the same information that exists in Active Directory. However, some of the information in the HR database conflicts with the information in the Active Directory database. The databases should be synchronized so that the information in them is consistent.
Management has requested that you determine the Windows 2008 R2 server roles and IDA solutions available to address the organization's current issues.
Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
In this exercise, you will identify the server roles needed to satisfy the objectives for Contoso Pharmaceuticals. The main tasks for this exercise are as follows:
1. Identify business requirements.
2. Determine server roles and solutions required to meet the business requirements.
Task 2: Determine server roles and solutions required to meet the business requirements
Questions:
1. Which server role is required for certificate authentication?
2. Which server role is required for protecting confidential Microsoft Office documents?
3. Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?
4. Which server role can be used to give developers more efficient directory services capabilities?
5. Which solution would you use to synchronize the HR database with the Active Directory database?
6. Which technology would allow developers to externalize identity logic from their applications?
Results: After this exercise, you have identified the business requirements and the server roles required to meet the business requirements.
Module 2
Lab Instructions: Deploying and Configuring Active Directory Certificate Services
Contents:
Exercise 1: Deploying a Standalone Root CA
Exercise 2: Deploying an Enterprise Subordinate CA
Objectives
After completing the lab, you will be able to:
- Install the AD CS server role and deploy a Standalone Root CA.
- Install the AD CS server role, deploy an Enterprise Subordinate CA, and issue and install the subordinate certificate.
Scenario
Building upon the blueprint created in the previous lab, you have been asked to implement AD CS within the Contoso Pharmaceuticals infrastructure. Since this is the first AD CS role installed, you have been asked to perform the following tasks:
- Install the AD CS server role, deploy a standalone Root CA, and configure the Root CA to issue subordinate certificates.
- Install the AD CS server role and deploy an Enterprise Subordinate CA.
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1 and 6426C-NYC-SVR1 virtual machines.
- Start the 6426C-NYC-DC1 and the 6426C-NYC-SVR1 virtual machines.
Task: Install the AD CS server role and configure it as a stand-alone root Certificate Authority (CA)
On the 6426C-NYC-DC1 virtual machine, install and configure AD CS by selecting the appropriate options in the Add Roles Wizard within Server Manager. Select the following options during the installation:
- Specify Setup Type: Standalone
- Specify CA Type: Root CA
- Set Up Private Key: Create a new private key
- Configure Cryptography for CA: default settings for all configurations except for key character length, which you should set to 4096.
- Common Name for this CA: ContosoCA
- Validity Period: default
- Configure Certificate Database: default
Results: After this exercise, you have installed the AD CS server role and deployed a standalone Root CA.
Results: After this exercise, you have installed the AD CS server role, deployed an Enterprise Subordinate CA, configured the Root CA to issue Subordinate certificates, and installed the subordinate certificate on the Subordinate CA.
Questions:
1. Which CA sits at the top of the PKI hierarchy?
2. What is the benefit of selecting a certificate key length of 4096?
3. Which server issued the certificate to the Subordinate CA?
4. Can a Subordinate CA issue a certificate to another Subordinate CA?
5. What option is available if your company and another company are merging but both organizations have existing PKI?
Module 3
Lab Instructions: Deploying and Configuring Certificates
Contents:
Exercise 1: Configuring Certificate Templates
Exercise 2: Configuring Autoenrollment
Exercise 3: Managing Certificate Revocation
Exercise 4: Configuring Key Recovery
Objectives
After completing the lab, you will be able to:
- Configure certificate templates.
- Deploy and enroll certificates.
- Manage certificate revocation.
- Configure key recovery.
Scenario
Now that you have deployed an AD CS infrastructure, your IT Director wants to extend the functionality of the environment by providing a mechanism for users to automatically utilize the certificates. You have decided to implement certificate templates and make use of the automatic enrollment mechanisms provided by AD CS. You must install and configure Windows Server 2008 R2 computers to support certificate services in the organization. To do so, you must perform the following consolidation activities:
- Configure certificate templates.
- Configure autoenrollment features in Group Policy for Certificate Services.
- Configure certificate revocation and the Online Responder functionality of Certificate Services.
- Implement custom certificate templates and a key archival and key recovery solution.
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
Task 4: Create, duplicate, and supersede the Local User template by using a new template that includes smart card logon
1. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
2. Duplicate the User certificate template as a version 3 template.
3. Name the new template Contoso Smart Card User.
4. On the Subject Name tab, clear the Include email name in subject name and the Email name check boxes.
5. On the Extensions tab, edit Application Policies to include smart card logon.
6. On the Superseded Templates tab, add the Local User template.
7. On the Security tab, ensure that Authenticated Users has Read, Enroll, and Autoenroll permissions.
Results: After this exercise, you have duplicated, installed, and manually enrolled a certificate, configured the certificate to be issued by the CA, verified that the certificate was updated, created and duplicated the template with a superseded template, and configured the CA to issue the superseded template.
Task 1: Configure the Contoso Smart Card User certificate template for autoenrollment
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and then select Certification Authority.
2. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
3. Verify the Contoso Smart Card User certificate template by configuring it to be published in Active Directory.
Results: After this exercise, you have configured the default domain policy for autoenrollment, configured a certificate template for autoenrollment, and verified autoenrollment functionality.
Task 1: Examine the default CRL distribution points (CDPs) and configure the CRL publication interval
1. On 6426C-NYC-SVR1-B, in the Certification Authority console, open the ContosoCA Properties dialog box.
2. On the Extensions tab, examine the CDPs, and then close the ContosoCA Properties dialog box.
3. Open the Revoked Certificates folder properties dialog box.
4. Set the CRL Publication interval to 1 Month.
5. Set the Publish Delta CRLs interval to 3 Days.
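The same publication schedule can be set and then checked from the command line. This is an added example, not part of the lab manual; it assumes it runs on the CA server (6426C-NYC-SVR1-B) as a CA administrator and that the CA publishes to the default CertEnroll folder.

```powershell
# Added example, not part of the lab: set the CRL publication intervals chosen in
# Task 1 (base CRL every 1 month, delta CRL every 3 days) on ContosoCA with
# certutil, republish, and confirm the schedule from the published CRL itself.
# Assumes it runs on the CA server (6426C-NYC-SVR1-B) as a CA administrator.
$ErrorActionPreference = 'Stop'

# These registry values are what the Revoked Certificates property sheet writes.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 3
certutil -setreg CA\CRLDeltaPeriod "Days"

# The CA service reads these values at start-up.
net stop certsvc
net start certsvc

# Publish a new base CRL now; with delta CRLs enabled a delta CRL is written too.
certutil -CRL

# Default CDP file location for this CA name (assumption: default CertEnroll
# path). Clients use NextUpdate to decide when a cached CRL expires, so a wrong
# interval is visible here before any client notices it.
$crlDir = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
foreach ($name in 'ContosoCA.crl', 'ContosoCA+.crl') {
    $path = Join-Path $crlDir $name
    if (Test-Path $path) {
        "== $name =="
        certutil -dump $path | Select-String 'ThisUpdate|NextUpdate|CRL Number'
    }
}
```

On a client, certutil -urlcache CRL lists the CRLs CryptoAPI has already fetched, which is the command-line counterpart of the Certificate Revocation List check in Task 8.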
4. Browse to and select the ContosoCA certificate.
5. After you run the wizard, the revocation configuration status is set to Working.
6. Close the Online Responder console.
Task 8: Ensure that the CRL is downloaded onto the client computer
1. On 6426C-NYC-SVR1-B, create a Certificates MMC console for the user account.
2. Under the Certificates - Current User node, expand the Intermediate Certification Authorities node, and then click Certificate Revocation List. Notice the CRL from ContosoCA.
3. Open the Properties dialog box for one of the ContosoCA lists, and then click the Revocation List tab. Notice that the certificate that was previously revoked is listed.
Results: After this exercise, you have installed and configured the Online Responder, revoked a certificate, published the CRL, and validated that the CRL was downloaded onto a computer.
Task 1: Remove the requirement for CA Manager approval and verify who can enroll the Key Recovery Agent (KRA) certificate
1. On the 6426C-NYC-SVR1-B virtual machine, in the Certification Authority console, right-click the Certificate Templates folder, and then click Manage.
2. In the Certificate Templates console, open the Key Recovery Agent certificate properties dialog box.
3. On the Issuance Requirements tab, clear the CA certificate manager approval check box.
4. On the Security tab, notice that only the Domain Administrator and Enterprise Administrator groups have the Enroll permission.
3. On the Request Handling tab, set the option for Archive subject's encryption private key. By using the archive key option, the KRA can obtain the private key from the certificate store.
4. Add the Archive User template as a new certificate template to issue.
5. Log off from the 6426C-NYC-SVR1-B virtual machine.
Note: Replace serial number with the serial number that you wrote down earlier.
8. To convert the outputblob file into an importable .pfx file, on the 6426C-NYC-SVR1-B virtual machine, at the command prompt, type Certutil -recoverkey outputblob tony.pfx.
9. Verify the creation of the recovered key in the C:\Users\Administrator directory.
Results: After this exercise, you have configured a KRA, configured the CA to allow for key recovery, configured a key archival template, and verified key archival functionality.
Module 4
Lab Instructions: Deploying and Configuring Active Directory Lightweight Directory Services
Contents:
Exercise 1: Configuring AD LDS Instances and Partitions
Exercise 2: Configuring AD LDS Replication
Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps
Objectives
After completing this lab, you will be able to:
- Configure AD LDS instances and partitions.
- Configure AD LDS replication.
- Identify AD LDS solution tools and troubleshooting steps.
Scenario
Contoso Pharmaceuticals is in the process of standardizing all applications that are used by internal intranet users. Each application will be customizable by users, and the application personalization data will be stored in a centralized directory service. Each application will make use of a single security profile. The application architecture team has decided that AD LDS meets the requirements outlined and will deploy a test application to ensure that the AD LDS infrastructure can be supported. Your IT Director has asked you to configure an AD LDS environment that can store the application personalization information and that leverages multiple instances for disaster recovery and performance. You must perform the following activities to consolidate a solution:
- Provide support for the AD LDS user class and related classes.
- Users must be able to connect to the AD LDS instance by using LDAP port 6636 and LDAPS port 6389.
- To run the AD LDS instance, you need to configure the AD LDS instance by using the NT AUTHORITY\Network Service account. You also need to set up the CONTOSO\Administrator account to administer AD LDS.
- Create a second replica of the ContosoApp1 instance and configure AD LDS replication to avoid a single point of failure.
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1-B and 6426C-NYC-SVR1-B virtual machines.
- Start the 6426C-NYC-DC1-B and the 6426C-NYC-SVR1-B virtual machines.
Results: After this exercise, you have added the AD LDS server role to two virtual machines and created an AD LDS instance on one of the virtual machines.
Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, launch ADSI Edit.
2. Connect to an instance and name it ContosoApplication.
3. Under Connection Point, type OU=App1,dc=CONTOSO,dc=local.
4. Under Computer, type NYC-SVR1:6389.
5. In the console tree, click ContosoApplication [NYC-SVR1:6389], and then expand ContosoApplication [NYC-SVR1:6389] and OU=App1,dc=CONTOSO,dc=local.
6. Verify that the local replica exists by opening the instance.
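Looking at the partition in ADSI Edit shows that it exists, not that changes flow between the instances. The following added example (not part of the lab manual) checks both; it assumes the replica is reachable as NYC-SVR1:6389 as in this task, that the first instance is reachable as NYC-DC1:6389 (host and port are an assumption), and that it runs as CONTOSO\Administrator, the AD LDS administrator configured in Exercise 1.

```powershell
# Added example, not part of the lab: verify the ContosoApp1 partition on both
# AD LDS replicas and prove replication with a throw-away object.
# Assumptions: the replica is NYC-SVR1:6389 (from Task 2); the first instance is
# NYC-DC1:6389 (host and port assumed); the script runs as CONTOSO\Administrator.
$ErrorActionPreference = 'Stop'
$partition = 'OU=App1,dc=CONTOSO,dc=local'
$replicas  = @('NYC-DC1:6389', 'NYC-SVR1:6389')   # source, then the replica added in this exercise

function Test-LdapObject {
    param([string]$Server, [string]$Dn)
    # DirectoryEntry.Exists binds to the instance and reports whether the DN
    # is present there; an unreachable instance surfaces as an exception.
    try {
        return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/$Dn")
    } catch {
        Write-Warning "$Server unreachable: $($_.Exception.Message)"
        return $false
    }
}

foreach ($server in $replicas) {
    "{0,-16} partition present: {1}" -f $server, (Test-LdapObject -Server $server -Dn $partition)
}

# Create a uniquely named container on the source and wait for it to appear
# on the replica. Intra-site AD LDS replication is notification driven, so
# this normally takes seconds; two minutes is a generous ceiling.
$probeName = 'CN=ReplProbe-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$source    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($replicas[0])/$partition")
$probe     = $source.Children.Add($probeName, 'container')
$probe.CommitChanges()

$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $replicated = Test-LdapObject -Server $replicas[1] -Dn "$probeName,$partition"
} until ($replicated -or (Get-Date) -gt $deadline)
"replicated to {0}: {1}" -f $replicas[1], $replicated

# Remove the probe on the source; the deletion replicates the same way.
$source.Children.Remove($probe)
```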
Results: After this exercise, you have added AD LDS to a virtual machine, configured it as a replica, and validated the replication.
Results: After this exercise, you have identified the AD LDS solution tools and troubleshooting steps needed to troubleshoot a recently reported AD LDS issue.
Module 5
Lab Instructions: Deploying and Configuring Active Directory Federation Services
Contents:
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Objectives
After completing this lab, you will be able to:
- Install the PKI Infrastructure and prepare for federated collaboration with AD FS 2.0.
- Install and configure Active Directory Federation Services (AD FS) 2.0.
- Configure AD FS 2.0 for internal users to access an internal claim aware application.
- Configure AD FS 2.0 for internal users to access a partner's claim aware application.
Scenario
Now that you have your development team working efficiently with AD LDS, your IT Director wants to extend the functionality of a partner's main claims-aware web application so that your users can access the application with their own credentials. To do this, you first need to familiarize yourself with the various components. You decide to set up the prerequisite PKI infrastructure, configure AD FS, identify a sample claims aware web application to use, and configure the relevant certificates and associated rules and claims. Familiarizing yourself with these components helps to make sure you understand the concepts and processes involved before documenting your requirements, defining the project needs, and providing access to a broader test audience. You have decided to implement Active Directory Federation Services 2.0 in a single organization scenario, and then test it before you provide further access or collaboration with an external organization. The sample application you have decided to use is sourced from the Windows Identity Foundation (WIF) Software Development Kit (SDK) and will allow a proof of concept before using the partner's application and involving more people at this early stage. You will install and configure the various components required to test the Federation Service.
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
- Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and the 6426C-MIA-DC1 virtual machines.
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Scenario
You need to prepare your environment for AD FS, and you have determined that you will require a PKI infrastructure. You then set about preparing a PKI Infrastructure for use with AD FS. The main tasks for this exercise are as follows:
1. Install Active Directory Certificate Services in the Contoso Domain.
2. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA).
3. Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate.
4. Create a certificate in Internet Information Services (IIS).
5. Bind the certificate to a claims aware application for use with SSL.
6. Export the Contoso root certificate for importing into the WoodgroveBank domain.
7. Import the Certificates from the WoodgroveBank domain into the local Trusted Root Certificate Authority store and make that certificate accessible to all computers in the domain using Group Policy.
Note: Before continuing with the lab, you should ensure that some core services required in the lab are running successfully at this point, such as the Active Directory Web Services.
Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA) extension locations listed below:
   - Ldap://CN
   - File://<serverDNSName>...
2. Choose to include the CDP and AIA extensions in issued certificates.
3. Review the existing certificates that have been issued, refresh the list of certificates using certutil.exe, and delete any legacy certificates containing the extensions you just deleted.
Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. Edit the Web Server certificate template properties to allow Domain Computers, Domain Controllers, Network Service, and IIS_IUSRS Read and Enroll rights.
2. Stop and restart the AD CS service using net stop and net start.
Task 5: Bind the certificate to a claims aware application for use with SSL
Bind the certificate that you just created to the default web site for use under https connections using port 443.
Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, export the Contoso root certificate for later use in the WoodgroveBank domain.
2. Choose not to export the private key, and choose the file format DER encoded binary X.509 (.CER), saving to C:\Export\Certs.
Task 7: Import the Certificates from the WoodgroveBank domain into the local Trusted Root Certificate Authority store and make that certificate accessible to all computers in the domain using Group Policy
1. On the 6426C-NYC-DC1 virtual machine, import the WoodgroveBank root certificate from \\MIA-DC1\C$\Export\Certs\ and place it into the Trusted Root Certificate Authority store using the Group Policy Management Editor snap-in to make it accessible in the domain as part of the Default Domain Policy.
2. On the 6426C-MIA-DC1 virtual machine, import the Contoso root certificate from \\NYC-DC1\C$\Export\Certs\ and place it into the Trusted Root Certificate Authority store using the Group Policy Management Editor snap-in to make it accessible in the domain as part of the Default Domain Policy.
3. Refresh the group policy in both domains via the command line.
Results: After this exercise, you installed Active Directory Certificate Services; created, modified, and managed certificates for use in a federated environment; bound certificates to an SSL connection; and exported and imported certificates across two separate domains. These are all preliminary tasks required for a successful AD FS implementation.
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Scenario
Now that you have installed the PKI Infrastructure, you decide to proceed with the installation and configuration of your AD FS environment. The main tasks for this exercise are as follows:
1. Install AD FS 2.0 on the Contoso domain.
2. Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration wizard.
3. Verify the Federation PowerShell Modules have been installed correctly and are available for use.
4. Verify the FederationMetaData.xml is present and contains valid data.
5. Create a new claim type and verify it has been successfully added to the claims list.
Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration wizard
Run the AD FS 2.0 Federation Server Configuration Wizard from the AD FS 2.0 Management console, specifying the following settings:
- Specify a New Federation Service.
- In a Stand-Alone environment.
- Use the certificate NYC-DC1.Contoso.com for SSL connectivity with port number 443 (ensure this is the certificate you recently created by checking the certificate properties).
Note: As at the start of Exercise 1, before continuing with the lab you should ensure that some core services required in the lab are running successfully at this point, such as the Active Directory Web Services and the AD FS 2.0 Windows Service.
Task 3: Verify the Federation PowerShell Modules have been installed correctly and are available for use
1. Open the Windows PowerShell Modules window and review the AD FS properties by using the Get-ADFSProperties PowerShell command.
2. View all AD FS PowerShell cmdlets using the Get-Command *-ADFS* command.
Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. In the AD FS 2.0 Management Console, create a new Claim Description with the details below, and publish the claim description in the Federation Metadata as a claim type that the Federation Server can both accept and send:
   - Display Name: Favorite Color
   - Claim Identifier: http://www.favoritecolor.com/claim/colordescriptions
2. Open the Federation Metadata in Internet Explorer: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Scroll to the end of the page after it renders and verify that the claim type has been added to the list.
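Tasks 3 and 5 can be combined into one scripted check: load the AD FS 2.0 snap-in, create the claim description, and confirm it is advertised in the federation metadata rather than scrolling through the XML. This is an added example, not part of the lab manual; it assumes it runs on 6426C-NYC-DC1 as an AD FS administrator.

```powershell
# Added example, not part of the lab: add the Task 5 claim description with the
# AD FS 2.0 snap-in and then confirm it is advertised in the federation
# metadata, which is the same check step 3 makes by eye in Internet Explorer.
# Assumes it runs on 6426C-NYC-DC1 as an AD FS administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

$claimType = 'http://www.favoritecolor.com/claim/colordescriptions'
$metaUrl   = 'https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml'

# Task 3's sanity check in one line: the snap-in loaded and the service answers.
"Federation Service identifier: " + (Get-ADFSProperties).Identifier

# Idempotent create: a second run must not fail on a duplicate claim type.
if (-not (Get-ADFSClaimDescription | Where-Object { $_.ClaimType -eq $claimType })) {
    Add-ADFSClaimDescription -Name 'Favorite Color' -ClaimType $claimType `
        -IsAccepted $true -IsOffered $true
}

# Metadata is generated per request, so a fresh download reflects the change.
# The download also exercises the SSL binding from Exercise 1: a server
# certificate this host does not trust makes WebClient throw here.
[xml]$meta = (New-Object System.Net.WebClient).DownloadString($metaUrl)

# Offered and accepted claim types are <auth:ClaimType Uri="..."> elements.
$ns = New-Object System.Xml.XmlNamespaceManager($meta.NameTable)
$ns.AddNamespace('auth', 'http://docs.oasis-open.org/wsfed/authorization/200706')
$node = $meta.SelectSingleNode("//auth:ClaimType[@Uri='$claimType']", $ns)

if ($node) { "Published in federation metadata: $claimType" }
else       { throw "Claim type $claimType is not in the federation metadata" }
```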
Results: After this exercise, you installed and configured AD FS and verified a successful installation by viewing the PowerShell modules as well as directly looking at the FederationMetadata.xml file. You also successfully added a new Claim type to the Claim descriptions.
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Scenario
Now that AD FS 2.0 is installed and the initial configuration is complete, you must test the environment in an internal stand-alone scenario. To test this, you have decided to use a sample application that you have obtained from the Windows Identity Foundation (WIF) SDK. You must now configure your AD FS environment to work with this sample application. The main tasks for this exercise are as follows:
1. Configure a Token Signing Certificate for NYC-DC1.Contoso.com.
2. Configure a claims provider trust for NYC-DC1.Contoso.com.
3. Configure the claims application to trust incoming claims by running the WIF Federation Utility.
4. Configure a relying party trust to the claim aware application.
5. Configure claim rules for the relying party trust.
6. Test the access to the claims aware application.
7. Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group.
8. Verify restrictions and accessibility to the claims aware application.
4. In the Mapping of LDAP attributes to outgoing claim types, select the following values:
   LDAP Attribute        Outgoing Claim Type
   E-Mail-Addresses      E-Mail Address
   User-Principal-Name   UPN
   Display-Name          Name
Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. Launch the Windows Identity Foundation Federation Utility from Administrative Tools.
2. Complete the wizard with the following settings:
   - Point to the web.config file of the WIF sample application: C:\Inetpub\wwwroot\ContosoClaimApp\web.config.
   - In the Application URI box, type https://nyc-dc1.contoso.com/contosoclaimapp/.
   - Select Use an existing STS, and enter the path https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
   - If prompted, select Disable certificate chain validation.
   - Select No encryption.
Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, open the AD FS 2.0 console.
2. Edit the claim rules for the Active Directory claims provider trust.
3. Choose to Add Rule on the Acceptance Transform Rules tab.
4. Complete the Add Transform Claim Rule Wizard with the following settings:
   - Select Send Group Membership as a Claim in the Claim rule template.
   - Name the claim rule Send IT Admin Group Rule.
   - Specify the ITAdmins_ContosoGG group.
   - Select Group in the Outgoing claim type.
   - Type ITADMIN for the Outgoing claim value.
5. Return to the AD FS 2.0 console and open the WIF Sample Claim App properties dialog box.
6. In the Edit Claim Rules for WIF Sample Claims App properties dialog, remove the existing rule on the Issuance Authorization Rules tab.
7. Choose to Add a Rule on the Issuance Authorization Rules tab.
8. Complete the Add Issuance Authorization Claim Rule Wizard with the following settings:
   - Select Permit or Deny Users Based on an Incoming Claim in the Claim rule template.
   - Name the claim rule Permit IT Admin Group Rule.
   - Select Group in the Incoming claim type.
   - Type ITADMIN for the Incoming claim value, and select the option to Permit access to users with this incoming claim.
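The two wizards in Task 7 generate claim rule language; writing the rules out makes the authorization decision reviewable. This is an added example, not part of the lab manual; it assumes it runs on 6426C-NYC-DC1 as an AD FS administrator, that the built-in claims provider trust is named Active Directory, and that the relying party trust is named WIF Sample Claim App.

```powershell
# Added example, not part of the lab: apply the Task 7 rules with the AD FS 2.0
# snap-in instead of the wizards. The Active Directory claims provider trust
# gets an acceptance transform rule that turns membership of ITAdmins_ContosoGG
# into a Group claim with value ITADMIN; the relying party trust for the WIF
# sample app gets a single issuance authorization rule that permits only users
# carrying that claim. Assumes it runs on 6426C-NYC-DC1 as an AD FS administrator
# and that the relying party trust is named 'WIF Sample Claim App' (assumption).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Resolve the group to its SID: the generated rule matches on the groupsid
# claim, not on the display name, so a renamed group keeps working.
$groupSid = (New-Object System.Security.Principal.NTAccount('CONTOSO', 'ITAdmins_ContosoGG')).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$groupRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)${groupSid}`$"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "ITADMIN", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

$permitRule = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)ITADMIN$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Append the group rule to the existing acceptance rules rather than replacing
# them: the LDAP attribute rule from Task 2 must keep running.
$cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`r`n" + $groupRule)

# Replace the permit-all rule removed in step 6 with the group-restricted one.
# With no other authorization rule present, every user outside the group is denied.
Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample Claim App' -IssuanceAuthorizationRules $permitRule

# Read both rule sets back to confirm what is now enforced.
(Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name 'WIF Sample Claim App').IssuanceAuthorizationRules
```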
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partners Claim Aware Application
Scenario
You have now tested a single organization implementation of AD FS, but you are looking to extend that to a business-to-business scenario. Your organization is looking to access an application in the WoodgroveBank domain, and you need to ensure that both organizations are configured to allow access. The main tasks for this exercise are as follows:
1. Add a claims provider trust for NYC-DC1.Contoso.com on 6426C-MIA-DC1.
2. Configure a relying party trust on 6426C-NYC-DC1 to Woodgrove Bank's claim aware application.
3. Verify access to Woodgrove Bank's claim aware application by Contoso users.
In the Edit Claim Rules for the nyc-dc1.contoso.com properties dialog, use the following values:
- Add a Rule to the Acceptance Transform Rules.
- Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
- Use Pass through Windows account name rule as the claim rule name.
- Choose Windows account name as the incoming claim type, and then choose to Pass through all claim values.
- Complete the rule.
5. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. At the prompt, type the following command, and then press ENTER:
   Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None
In the Edit Claim Rules for Woodgrove Bank Claim App B2B properties dialog box, on the Issuance Transform Rules tab, click to add a rule with the following settings:
- Choose Pass Through or Filter an Incoming Claim in the Claim rule template list.
- In the Claim rule name box, type Pass through Windows account name rule.
- Choose Windows account name in Incoming claim type.
- Choose to Pass through all claim values.
- Complete the wizard.
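Both halves of the B2B trust carry the same pass-through rule, and the revocation-check change from step 5 is worth reading back so the non-default setting stays visible. This is an added example, not part of the lab manual; each half assumes it runs on the server named in its comment as an AD FS administrator, using the trust names from this exercise.

```powershell
# Added example, not part of the lab: the pass-through rule on both sides of
# the Contoso/Woodgrove Bank trust, plus a read-back of the claims provider
# trust settings. Each half assumes it runs on the named server as an AD FS
# administrator; trust names are the ones used in this exercise.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Claim rule language that the "Pass Through or Filter an Incoming Claim"
# wizard generates for Windows account name with all values passed through.
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# --- On 6426C-MIA-DC1 (Woodgrove Bank, the side that hosts the application) ---
# Accept the Windows account name from the Contoso claims provider unchanged.
Set-ADFSClaimsProviderTrust -TargetName 'nyc-dc1.contoso.com' -AcceptanceTransformRules $passThrough

# Step 5 set the signing certificate revocation check to None (the lab CAs
# stopped publishing CDP and AIA locations in Exercise 1). Read the trust back
# so that this deviation from the default is recorded alongside the rules.
$cpt = Get-ADFSClaimsProviderTrust -Name 'nyc-dc1.contoso.com'
"{0}: enabled={1} identifier={2} revocationCheck={3}" -f `
    $cpt.Name, $cpt.Enabled, $cpt.Identifier, $cpt.SigningCertificateRevocationCheck
$cpt.AcceptanceTransformRules

# --- On 6426C-NYC-DC1 (Contoso, the side that holds the user accounts) ---
# Forward the Windows account name to Woodgrove Bank's application.
Set-ADFSRelyingPartyTrust -TargetName 'Woodgrove Bank Claim App B2B' -IssuanceTransformRules $passThrough
(Get-ADFSRelyingPartyTrust -Name 'Woodgrove Bank Claim App B2B').IssuanceTransformRules
```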
Task 3: Verify access to Woodgrove Bank's claim aware application by Contoso users
1. On the 6426C-NYC-CL1 virtual machine, log on with username CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer and in the browser address bar type: https://mia-dc1.woodgrovebank.com/woodgrovebankclaimsapp
3. Choose NYC-DC1.Contoso.com on the home realm discovery page.
4. Use the credentials CONTOSO\Betsy with password Pa$$w0rd to view the page.
5. Close Internet Explorer and re-connect to the application using the same credentials as in the previous step. What is different this time?
6. Delete all cookies in the Internet Options General tab.
7. Connect to the application again using the same credentials as before and verify that you are able to access the application.
Results: After this exercise, you configured a claims provider trust for Contoso on Woodgrove Bank and a relying party trust for Woodgrove Bank on Contoso. Finally, you verified access to the Woodgrove Bank claim aware application.
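The two trusts and the pass-through rules described in this exercise can also be set up with the AD FS 2.0 PowerShell snap-in. The script below is an added example and is not part of the lab; it uses the lab's trust names, the Set-ADFSClaimsProviderTrust command from step 5, and the standard AD FS claim rule language. The federation metadata URLs follow the default AD FS 2.0 path and are assumptions; the first half runs on 6426C-MIA-DC1, the second on 6426C-NYC-DC1.

```powershell
# Added example (not part of the lab): Exercise 4 with the AD FS 2.0 cmdlets instead of the wizards.
# Assumptions: metadata is published at the default /FederationMetadata/2007-06/ path on each server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Claim rule language for "Pass through Windows account name rule" (the wizard writes this text).
$passThroughRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Authorization rule produced by the wizard's default "permit all users" choice.
$permitAllRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- Run on 6426C-MIA-DC1 (Woodgrove Bank): Task 1, trust Contoso as a claims provider ---
$cpName = 'nyc-dc1.contoso.com'
Add-ADFSClaimsProviderTrust -Name $cpName `
    -MetadataUrl 'https://nyc-dc1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'
Set-ADFSClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $passThroughRule

# Step 5 of the lab. Revocation checking of the partner's token-signing certificate is turned off only
# because the lab CAs publish no reachable CRL; in production keep the default so that a revoked partner
# signing key stops being trusted.
Set-ADFSClaimsProviderTrust -TargetName $cpName -SigningCertificateRevocationCheck None

# --- Run on 6426C-NYC-DC1 (Contoso): Task 2, trust the Woodgrove Bank application as a relying party ---
$rpName = 'Woodgrove Bank Claim App B2B'
Add-ADFSRelyingPartyTrust -Name $rpName `
    -MetadataUrl 'https://mia-dc1.woodgrovebank.com/FederationMetadata/2007-06/FederationMetadata.xml'
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $passThroughRule `
    -IssuanceAuthorizationRules $permitAllRule

# Read back what was configured so it can be compared with the MMC view.
Get-ADFSClaimsProviderTrust -Name $cpName |
    Select-Object Name, Enabled, SigningCertificateRevocationCheck, AcceptanceTransformRules
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules
```

The Get-* calls at the end show the rule text exactly as the Edit Claim Rules dialog stores it, which is useful when comparing a scripted deployment with one built through the wizard.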
Module 6
Lab Instructions: Deploying and Configuring Active Directory Rights Management Services
Contents:
Exercise 1: Installing and Configuring AD RMS
Exercise 2: Configuring AD RMS Templates
Exercise 3: Configuring AD RMS Trust Policies
Exercise 4: Testing AD RMS Functionality
Exercise 5: Generating AD RMS Reports
Objectives
After completing this lab, you will be able to:
- Install and configure AD RMS.
- Configure AD RMS templates.
- Configure AD RMS trust policies.
- Validate AD RMS functionality.
- Generate AD RMS Reports.
Scenario
The Contoso management team wants to enable collaboration between Contoso and partners. Because the content that Contoso shares with partners is of a proprietary nature, management wants to ensure that only authorized individuals can access the content, even if it was obtained through unauthorized means. The infrastructure security team has decided that Active Directory Rights Management Services will be used to protect content. You have been directed to install and configure AD RMS in the Contoso environment to protect the content. In addition, users have requested a method to streamline the process of protecting content with AD RMS. When the AD RMS deployment is complete, you need to test basic functionality to ensure that the AD RMS configuration is functional.
In this lab, you use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-NYC-DC1, 6426C-NYC-SVR1, and 6426C-NYC-CL1 virtual machines.
After the installation, log off from the 6426C-NYC-SVR1 virtual machine.
Results: After this exercise, you have installed the AD RMS server role and created a new AD RMS cluster.
Set the policy to expire after 14 days and finish the creation wizard.
Task 2: Configure AD RMS rights policy template distribution for Windows 7 client computers
1. Log on to the 6426C-NYC-CL1 virtual machine by using the user name CONTOSO\Betsy, and the password Pa$$w0rd.
2. Start the Computer Management console as the Administrator with the password of Pa$$w0rd.
3. Expand Task Scheduler and then browse to Active Directory Rights Management Services Client.
4. Enable the AD RMS Rights Policy Template Management (Automated) task and then Run the task.
Note: If you are prompted for credentials, use the credentials that you are logged on with; user name CONTOSO\Betsy and password Pa$$w0rd.
5. Start Microsoft Word 2010, complete any startup wizards that appear and then close the application.
6. Start the Registry Editor by using regedit.exe.
7. In the Registry Editor, expand the HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common key.
8. Create a new registry key under Common called DRM (if DRM already exists, proceed to the next step). Under DRM, create a new expandable string value and name it AdminTemplatePath.
9. Specify the value data for the AdminTemplatePath value as %LocalAppData%\Microsoft\DRM\Templates. If there are problems locating this path on the virtual machine, an alternate value is \\NYC-DC1\Templates.
10. Close the Registry Editor, and then log off from the 6426C-NYC-CL1 virtual machine.
Task 3: Use Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers
1. On the 6426C-NYC-DC1 virtual machine, open the Group Policy Management console.
2. Edit the Default Domain Policy Group Policy Object.
3. Add the \\NYC-DC1\Templates\office14.adm template to the Administrative Templates node.
4. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates\Classic Administrative templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
5. Enable the Specify Permission Policy Path option.
6. In the Enter path to policy templates for content permission box, type \\NYC-DC1\Templates and then click OK.
Results: After this exercise, you have configured an AD RMS template and set up template distribution for Windows 7 and Windows XP.
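Task 2 above can be scripted on the Windows 7 client. The following is an added example, not part of the lab; it performs steps 4 and 7 to 9 with schtasks and the registry provider and then checks that the templates actually arrived, which the GUI steps leave unverified. The scheduled task folder and name are the ones the lab's step 3 and 4 refer to; the path and value name are from steps 8 and 9.

```powershell
# Added example (not part of the lab): Exercise 2, Task 2 from PowerShell on the Windows 7 client.
# Part A needs an elevated prompt (the lab runs Computer Management as Administrator);
# Part B writes HKCU, so it must run as the user who will protect documents (CONTOSO\Betsy).

# ---- Part A (elevated): step 4, enable and start the template download task ----
$taskFolder = '\Microsoft\Windows\Active Directory Rights Management Services Client\'
$taskName   = 'AD RMS Rights Policy Template Management (Automated)'
schtasks.exe /Change /TN "$taskFolder$taskName" /Enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not enable the AD RMS template task; check the task folder name.' }
schtasks.exe /Run /TN "$taskFolder$taskName" | Out-Null

# ---- Part B (as the user): steps 7-9, tell Office 2010 (registry version 14.0) where the templates are ----
$drmKey   = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$rawValue = '%LocalAppData%\Microsoft\DRM\Templates'
if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }

# ExpandString = REG_EXPAND_SZ, so Office expands %LocalAppData% per user at read time.
New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
    -Value $rawValue -Force | Out-Null

# Verify. Get-ItemProperty would expand the value, so read it raw through the .NET key object.
$stored   = (Get-Item $drmKey).GetValue('AdminTemplatePath', $null, 'DoNotExpandEnvironmentNames')
$expanded = [Environment]::ExpandEnvironmentVariables($stored)
"Stored value : $stored"
"Expands to   : $expanded"

# The download task writes the rights policy templates as .xml files into this folder.
if (Test-Path $expanded) {
    Get-ChildItem -Path $expanded -Filter '*.xml' | Select-Object Name, LastWriteTime
} else {
    Write-Warning "No template folder at $expanded yet: the task may still be running, or use the lab's fallback \\NYC-DC1\Templates."
}
```

If the folder is empty a few minutes after the task ran, check the task's Last Run Result in Task Scheduler before falling back to the UNC path; an empty folder usually means the client could not reach the AD RMS cluster's templates pipeline rather than a registry problem.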
Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted User Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
3. Configure the Display name as WoodgroveBank Domain.
Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, use the Active Directory Rights Management Services console to import the WoodgroveBank Trusted Publishing Domain.
2. Import the file from \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
3. In the Display name field, type WoodgroveBank RMS and then type Pa$$w0rd as the password.
Results: After this exercise, you have exported the Contoso TUD and TPD and imported the Woodgrove Bank TUD and TPD.
Results: After this exercise, you have successfully tested functionality of AD RMS from a client computer.
On the 6426C-NYC-SVR1 virtual machine, browse to \\NYC-DC1\x$\Labfiles\Mod06\ and then double-click ReportViewer.exe to install Microsoft Report Viewer. Complete the installation wizard using the default options.
1. On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view Statistics Reports.
2. View the statistics in the main window.
3. Close the AD RMS console window.
On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view System Health report. In the Actions pane, click View Report. Specify the query start and end dates when prompted, and then click Finish.
On the 6426C-NYC-SVR1 virtual machine, use the AD RMS console window to view Troubleshooting report. In the Actions pane, click View Report. Specify the query start and end dates when prompted, enter CONTOSO\Aaron for User Name, and then click Finish. In addition, view the Troubleshooting report for CONTOSO\Betsy and CONTOSO\Axel.
Results: After this exercise, you have installed the Microsoft Report Viewer and viewed the Statistics report, System Health report and the AD RMS Troubleshooting report.
Module 7
Lab Instructions: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Contents:
Exercise 1: Configuring CA Event Auditing
Exercise 2: Backing Up Active Directory Certificate Services
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
Exercise 4: Configuring AD RMS Logging
Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Objectives
After completing the lab, you will be able to:
- Configure CA event auditing.
- Back up Active Directory Certificate Services.
- Back up and restore an Active Directory Lightweight Directory Services instance.
- Configure AD RMS logging.
Scenario
You have completed the deployment and configuration of the additional Identity and Access Solutions at Woodgrove Bank. As part of the ongoing maintenance of these services, you need to monitor, back up, and restore AD CS, AD LDS, and AD RMS. You need to configure CA event auditing and schedule an ongoing backup of the AD CS component. You also need to test your AD LDS backup and restore procedures. In addition, management has asked you to generate some AD RMS reports on a regular basis. You need to prepare the environment for reporting and view some built-in AD RMS reports. Finally, complete the AD RMS maintenance task by enabling AD RMS logging.
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
- Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.
- Start the 6426C-MIA-DC1 virtual machine, and log on using the user name WOODGROVEBANK\Administrator, and the password Pa$$w0rd.
Results: After this exercise, you have enabled auditing of object access and enabled CA auditing.
Trigger: Daily (set the time to run within five minutes from now)
Action: Program/script: certutil
Add arguments (optional): -backup -p Pa$$w0rd C:\CAbackup
2. Wait for the task to start, and then complete the backup.
3. Confirm that the backup has completed successfully by viewing the content of the C:\CAbackup folder, and checking the task status.
Results: After this exercise, you have scheduled a task to perform an AD DS daily backup.
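The scheduled task above stores the backup password in clear text in the task's action, where anyone who can read the task definition can see it, and certutil -backup refuses to write into a folder that already has content, so a daily run into a fixed folder fails on the second day. The script below is an added example, not part of the lab: it runs the same certutil -backup the lab schedules, reads the password from a DPAPI-protected file instead of the command line, writes into a dated subfolder, and checks that both artefacts a restore needs were produced. The backup root C:\CAbackup is the lab's; the secret file name is an assumption.

```powershell
# Added example (not part of the lab): Exercise 2 backup as a script suitable for a scheduled task.
# Assumptions: backup root C:\CAbackup (from the lab); the password lives in C:\CAbackup\backup.pwd,
# protected with DPAPI for the account that runs the task.
$backupRoot = 'C:\CAbackup'
$secretFile = Join-Path $backupRoot 'backup.pwd'

# One-time setup, run interactively as the task's account (DPAPI ties the file to that account):
#   Read-Host 'CA backup password' -AsSecureString | ConvertFrom-SecureString | Set-Content $secretFile
if (-not (Test-Path $secretFile)) { throw "Secret file $secretFile not found; create it first (see comment above)." }

# Recover the password only for the duration of the certutil call.
$secure = Get-Content $secretFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# certutil -backup needs an empty target, so each run gets its own dated folder.
$target = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target | Out-Null

# -backup = -backupKey (CA certificate and private key as a password-protected .p12)
#         + -backupDB  (certificate database and its log files under DataBase\).
& certutil.exe -backup -p $password $target | Out-Null
$exitCode = $LASTEXITCODE
Remove-Variable password
if ($exitCode -ne 0) { throw "certutil -backup failed with exit code $exitCode" }

# Step 3 of the lab, done programmatically: both the key file and the database must be present.
$p12 = @(Get-ChildItem -Path $target -Filter '*.p12')
$edb = @(Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue)
if ($p12.Count -eq 0 -or $edb.Count -eq 0) {
    throw "Backup in $target is incomplete (p12 files: $($p12.Count), edb files: $($edb.Count))"
}
"Backup OK: $($p12[0].Name) and $($edb[0].Name) written to $target"
```

The .p12 file contains the CA's private key, so the backup root should carry an ACL limited to the CA administrators and the task account; the password only protects that one file, not the database alongside it.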
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
During this exercise, you test your AD LDS backup and restore procedures. The main tasks for this exercise are as follows:
1. Back up the AD LDS instance.
2. Restore the AD LDS instance from backup.
Results: After this exercise, you have performed a backup of the AD LDS test1 instance and performed a restore of the AD LDS test1 instance using the backup file.
On the 6426C-MIA-DC1 virtual machine, use the AD RMS console window to enable logging.
Module 1
Lab Answer Key: Exploring Identity and Access Solutions
Contents:
Exercise 1: Exploring How Active Directory Server Roles Provide IDA Management Solutions
Task 2: Determine server roles and solutions required to meet the business requirements
Question 1: Which server role is required for certificate authentication?
Answer 1: Active Directory Certificate Services (AD CS) provides the PKI infrastructure which enables certificate distribution and is the foundation for certificate authentication. AD CS requires AD DS as a foundation.
Question 2: Which server role is required for protecting confidential Microsoft Office documents?
Answer 2: Active Directory Rights Management Services (AD RMS) protects Microsoft Office documents and email messages using templates and policies. AD RMS requires the use of a digital certificate and would typically use AD CS or a trusted third-party certificate provider for the AD RMS certificate.
Question 3: Which server role is required to allow Tailspin Toys access to Contoso's claims-aware web application?
Answer 3: Active Directory Federation Services (AD FS) will allow Tailspin Toys access to the claims-aware web application. An alternative method, although not discussed in the module, is an AD DS forest trust. AD FS is the preferred choice when feasible, as an AD DS forest trust requires more administrative overhead and has additional security implications.
Question 4: Which server role can be used to give developers more efficient directory services capabilities?
Answer 4: Active Directory Lightweight Directory Services (AD LDS) allows developers to run directory services on their development workstations or servers without the overhead of AD DS. AD LDS is quick and simple to deploy and can run multiple instances on a single computer.
Question 5: Which solution would you use to synchronize the HR database with the Active Directory database?
Answer 5: Forefront Identity Manager (FIM) 2010 offers directory synchronization as one of its many IDA functions. The synchronization is typically scheduled on a repetitive basis (once an hour or once a day are common configurations).
Question 6: Which technology would allow developers to externalize identity logic from their applications?
Answer 6: Windows Identity Foundation. Externalizing identity logic is where everybody is trying to go. Imagine an internet that uses a standard, single form of authentication (smart card or user name and password) to get to any site; for example, sites that accept Windows Live authentication.
Module 2
Lab Answer Key: Deploying and Configuring Active Directory Certificate Services
Contents:
Exercise 1: Deploying a Standalone Root CA
Exercise 2: Deploying an Enterprise Subordinate CA
10. On the Specify CA Type page, ensure that Root CA is selected, and then click Next.
11. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
12. On the Configure Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key character length to 4096. Click Next to continue.
13. On the Configure CA Name page, in the Common name for this CA box, type ContosoCA, and then click Next.
14. On the Set Validity Period page, click Next.
15. On the Configure Certificate Database page, click Next.
16. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
17. On the Installation Results page, click Close.
18. Close the Server Manager console.
10. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
11. On the Configure Cryptography For CA page, keep the default selections for CSP and Hash Algorithm. Keep the Key character length at 2048, and then click Next.
12. On the Configure CA Name page, in the Common name for this CA box, type ContosoIssuingCA, and then click Next.
13. On the Request Certificate from a Parent CA page, keep the default selection Send a certificate request to a parent CA selected, and then click Browse. The Select Certification Authority dialog box appears.
14. In the Select Certification Authority dialog box, click ContosoCA, and then click OK. When the Request Certificate From a Parent CA page is available again, click Next.
15. On the Configure Certificate Database page, click Next.
16. On the Web Server (IIS) page, click Next.
17. On the Select Role Services page, click Next.
18. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
19. On the Installation Results page, click Close. You will receive a warning message indicating that the AD CS installation is incomplete. In Task 2, the step to complete the AD CS installation will be performed.
20. Close the Server Manager console.
10. In the Certification Authority (Local) pane, right-click ContosoIssuingCA, and then click Properties. The ContosoIssuingCA Properties dialog box appears.
11. In the ContosoIssuingCA Properties dialog box, on the General tab, click View Certificate. The Certificate dialog box appears.
12. In the Certificate dialog box, notice that ContosoCA issued the certificate to ContosoIssuingCA. Click OK twice.
13. Close the certsrv - [Certificate Authority (Local)] console.
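Step 12 confirms the hierarchy by eye. The script below is an added example, not part of the lab, that performs the same check from PowerShell on the issuing CA: it finds the two CA certificates by the lab's common names, confirms ContosoIssuingCA was issued by a self-signed ContosoCA, confirms the key lengths the wizards set (4096 and 2048), and lets the platform build the chain.

```powershell
# Added example (not part of the lab): verify the two-tier CA hierarchy from Exercises 1 and 2.
# CA names and key sizes are the lab's; revocation checking is disabled only because the lab root
# publishes no reachable CRL. Run on 6426C-NYC-SVR1 in an elevated prompt.

function Find-CaCertificate {
    param([string]$CommonName)
    # A CA's own certificate sits in the machine Personal store; the root is also in Trusted Root.
    Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match "^CN=$CommonName(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$root    = Find-CaCertificate -CommonName 'ContosoCA'
$issuing = Find-CaCertificate -CommonName 'ContosoIssuingCA'
if (-not $root -or -not $issuing) { throw 'ContosoCA or ContosoIssuingCA was not found in the local machine stores.' }

# 1. Issuer/subject linkage: the subordinate is issued by the root, and the root is self-signed.
$issuedByRoot   = $issuing.Issuer -eq $root.Subject
$rootSelfSigned = $root.Issuer -eq $root.Subject

# 2. Key lengths chosen in the Configure Cryptography pages.
$rootKeyBits    = $root.PublicKey.Key.KeySize
$issuingKeyBits = $issuing.PublicKey.Key.KeySize

# 3. Let the platform build and validate the chain up to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilt  = $chain.Build($issuing)
$statusText  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
if (-not $statusText) { $statusText = 'NoError' }

New-Object PSObject -Property @{
    IssuingCaIssuedByRoot = $issuedByRoot
    RootIsSelfSigned      = $rootSelfSigned
    RootKeyBits           = $rootKeyBits
    IssuingKeyBits        = $issuingKeyBits
    KeySizesAsConfigured  = ($rootKeyBits -eq 4096) -and ($issuingKeyBits -eq 2048)
    ChainBuilds           = $chainBuilt
    ChainStatus           = $statusText
}
```

A ChainBuilds value of False with a status of UntrustedRoot means the ContosoCA certificate was not distributed to the issuing server's Trusted Root store, which is exactly the condition Task 2 of this exercise (completing the subordinate CA installation) is meant to resolve.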
Module 3
Lab Answer Key: Deploying and Configuring Certificates
Contents:
Exercise 1: Configuring Certificate Templates
Exercise 2: Configure Autoenrollment
Exercise 3: Managing Certificate Revocation
Exercise 4: Configuring Key Recovery
5. Expand the Certificates - Current User node, and right-click Personal. Point to All Tasks, and then click Request New Certificate. This launches the Certificate Enrollment Wizard.
6. On the Before You Begin page, click Next.
7. On the Certificate Enrollment page, click Next.
8. On the Request Certificates page, select the Local User check box.
9. Click Enroll, and then click Finish.
10. Right-click Certificates - Current User, and click Refresh. View the Local User certificate in the personal store.
Task 4: Create, duplicate, and supersede the Local User template with a new template that includes smart card logon
1. Click Start, point to Administrative Tools, and click Certification Authority.
2. In the Certification Authority console, expand the ContosoCA node, right-click Certificate Templates, and then click Manage.
3. In the Details pane, right-click the User certificate template, and then click Duplicate Template.
4. In the Duplicate Template dialog box, select Windows Server 2008 Enterprise, and then click OK.
5. In the Properties of New Template dialog box, type Contoso Smart Card User in the Template display name box.
6. On the Subject Name tab, clear the Include e-mail name in subject name and the E-mail name check boxes.
7. On the Extensions tab, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click Add.
9. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
10. Click the Superseded Templates tab, and click Add.
11. Click the Local User template, and click OK.
12. On the Security tab, click Authenticated Users. Under Permissions for Authenticated Users, select Allow for the Read, Enroll and Autoenroll check boxes, and then click OK.
13. Close the Certificate Templates console.
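Certificate templates are objects in the configuration partition, so the result of Task 4 can be verified against the directory rather than by reopening the template. The script below is an added example and not part of the lab: it reads the Contoso Smart Card User template and confirms that the Smart Card Logon application policy (OID 1.3.6.1.4.1.311.20.2.2) is present and that the template supersedes Local User. The template names are the lab's; the LDAP attribute names are the standard schema attributes for version 2 templates. The common name of the superseded template is assumed to be LocalUser (the Certificate Templates console strips spaces from the display name when it builds the template name).

```powershell
# Added example (not part of the lab): verify Task 4's template in AD. Run as a domain user on NYC-DC1.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon enhanced key usage / application policy
$displayName       = 'Contoso Smart Card User'
$supersededCn      = 'LocalUser'                # assumption: CN that the console derived from "Local User"

# Templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration NC.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'displayName',
    'pKIExtendedKeyUsage',                   # EKU OIDs written to issued certificates
    'msPKI-Certificate-Application-Policy',  # application policy OIDs (the Extensions tab edits both)
    'msPKI-Supersede-Templates'              # CNs of templates this one supersedes
))
$result = $searcher.FindOne()
if (-not $result) { throw "Template '$displayName' was not found in $configNc" }

# DirectorySearcher exposes attribute names in lower case.
$eku        = @($result.Properties['pkiextendedkeyusage'])
$appPolicy  = @($result.Properties['mspki-certificate-application-policy'])
$supersedes = @($result.Properties['mspki-supersede-templates'])

New-Object PSObject -Property @{
    TemplateCn            = $result.Properties['cn'][0]
    DisplayName           = $result.Properties['displayname'][0]
    SmartCardLogonInEku   = $eku -contains $smartCardLogonOid
    SmartCardLogonInAppPolicy = $appPolicy -contains $smartCardLogonOid
    Supersedes            = $supersedes -join ', '
    SupersedesLocalUser   = $supersedes -contains $supersededCn
}
```

Both SmartCardLogon flags should be True: the Application Policies editor in the template properties writes the OID to pKIExtendedKeyUsage as well as msPKI-Certificate-Application-Policy, and clients enrolling through autoenrollment use the latter to decide that the new template replaces the Local User certificate.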
10. Click OK to close the properties window.
11. In the right pane, double-click the Certificate Services Client - Certificate Enrollment Policy object.
12. In the Enrollment Policy tab, set the Configuration Model to Enabled and ensure that the certificate enrollment policy list shows the Active Directory Enrollment Policy (it should have a checkmark next to it and a status of Enabled).
13. Click OK to close the window, and then close the Group Policy Management Editor and the Group Policy Management snap-in.
Task 3: Configure the CA to include the Online Responder location in the Authority Information Access (AIA)
1. Restore the Certification Authority console.
2. Right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box, on the Extensions tab, in the Select extension list, select Authority Information Access (AIA), and then click Add.
4. In the Add Location dialog box, in the Location box, type http://NYC-SVR1/ocsp, and click OK.
5. Select the Include in the AIA extension of issued certificates check box.
6. Select the Include in the online certificate status protocol (OCSP) extension check box, and then click OK.
7. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes.
9. On the Request Certificates page, select the Key Recovery Agent check box. Click Enroll, and then click Finish.
10. Refresh the console, and view the KRA in the personal store; that is, scroll across the certificate properties and verify that the Certificate Template Key Recovery Agent is present.
1. Click Start, point to Administrative Tools, and click Certification Authority.
2. In the Certification Authority console, right-click ContosoCA, and then click Properties.
3. Click the Recovery Agents tab, and then select Archive the key.
4. Under Key recovery agent certificates, click Add.
5. In the Key Recovery Agent Selection dialog box, click the certificate that is displayed, and then click OK twice.
6. When prompted to restart the CA, click Yes.
6. In the Tony Wang Properties dialog box, on the General tab, in the E-mail box, type tony@Contoso.com, and then click OK.
7. Close the Active Directory Users and Computers dialog box.
8. Log off from the 6426C-NYC-DC1-B virtual machine.
10. On the Request Certificates page, select the Archive User check box. Click Enroll, and then click Finish.
11. It may take a minute for the information to become available. If you receive an error, log off and then log back on again as CONTOSO\Tony.
12. Refresh the console, and view the Archive User certificate in the personal store; that is, scroll down to the end of the templates listed and see the Archive User Template listed.
13. Double-click the certificate based off the Archive User template, click the Details tab, and write down the serial number. You will use this serial number for recovery purposes.
14. Log off from the 6426C-NYC-SVR1-B virtual machine.
15. Log on to 6426C-NYC-SVR1-B as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
16. Click Start. Click Run, type CMD, and then click OK.
17. In the Command window that appears, type certutil -getkey "<serial number>" outputblob, that is, certutil -getkey "AA BB CC DD EE FF GG HH II JJ" outputblob.
Note: Replace <serial number> with the serial number that you wrote down. The Certutil tool queries the CA and provides the certificate information in the command window. Notice the User Principal Name (UPN) and Template sections.
18. To convert the outputblob file into a .pfx file, in the Command window, type certutil -recoverkey outputblob tony.pfx.
Note: The user who needs to recover the key can import the .pfx file.
19. When prompted, type in Pa$$w0rd as the new password, and then confirm the password.
20. After the command is executed, close the command window.
21. Browse to C:\Users\Administrator.CONTOSO, and then verify that tony.pfx (the recovered key) is created.
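Steps 17 to 20 are the two halves of a key recovery: certutil -getkey retrieves the archived key material from the CA database, encrypted to the key recovery agent's certificate, and certutil -recoverkey decrypts it with the KRA's private key and writes a password-protected .pfx. The function below is an added example, not part of the lab; it wraps both commands, strips the spaces that the Details tab shows in a serial number, checks the exit codes, and removes the intermediate blob, which is itself sensitive key material. The file name tony.pfx is the lab's; the serial number is read from the operator because the lab's placeholder is not a real value.

```powershell
# Added example (not part of the lab): steps 17-20 of the key recovery task as one function.
# Run as the key recovery agent (CONTOSO\Administrator in the lab) on 6426C-NYC-SVR1-B.

function Recover-ArchivedKey {
    param(
        [Parameter(Mandatory = $true)][string]$SerialNumber,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$PfxPassword
    )
    # The Details tab shows the serial as spaced hex pairs; pass it to certutil as one hex string.
    $serial = $SerialNumber -replace '\s', ''
    if ($serial -notmatch '^[0-9a-fA-F]+$') { throw "Not a hexadecimal serial number: $SerialNumber" }

    $blob = Join-Path $env:TEMP "recover_$serial.blob"
    try {
        # Step 17: fetch the archived key, still encrypted to the KRA certificate.
        & certutil.exe -getkey $serial $blob | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -getkey failed ($LASTEXITCODE): no certificate with that serial number, or its key was not archived."
        }

        # Step 18-19: decrypt with the KRA private key in this user's store and re-protect with the PFX password.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
        try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
        & certutil.exe -p $plain -recoverkey $blob $PfxPath | Out-Null
        $plain = $null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -recoverkey failed ($LASTEXITCODE): is the KRA certificate with its private key in this user's Personal store?"
        }
    }
    finally {
        # The blob contains the user's private key (KRA-encrypted); it has no purpose after recovery.
        if (Test-Path $blob) { Remove-Item $blob -Force }
    }
    Get-Item $PfxPath   # step 21: the recovered key, ready to hand to the user for import
}

# Usage, matching the lab: the serial number from step 13, output tony.pfx in the recovering admin's profile.
$serialFromStep13 = Read-Host 'Serial number written down in step 13'
$pfxPassword      = Read-Host 'New password for the .pfx' -AsSecureString
Recover-ArchivedKey -SerialNumber $serialFromStep13 -PfxPath "$env:USERPROFILE\tony.pfx" -PfxPassword $pfxPassword
```

Key recovery is one of the most sensitive operations a CA supports, since the agent ends up holding another user's private key; the CA audits it as a Key archival and recovery event when CA auditing (Module 7, Exercise 1) is enabled, and the temporary blob and the .pfx should be handled as such.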
Module 4
Lab Answer Key: Deploying and Configuring Active Directory Lightweight Directory Services
Contents:
Exercise 1: Configuring AD LDS Instances and Partitions
Exercise 2: Configuring AD LDS Replication
Exercise 3: Identify AD LDS Solution Tools and Troubleshooting Steps
10. On the Confirm Installation Selections page, click Install.
11. On the Installation Results page, click Close.
12. Repeat steps 3 and 10 to install AD LDS on the 6426C-NYC-SVR1-B virtual machine.
8. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
9. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\administrator option is selected, and click Next.
10. On the Importing LDIF Files page, select MS-User.LDF, and click Next.
11. On the Ready to Install page, click Next.
12. When the installation is complete, a message indicating a successful installation will be displayed. Click Finish.
10. On the Service Account Selection page, ensure that the Network service account option is selected, and click Next.
11. On the AD LDS Administrators page, ensure that the Currently logged on user: CONTOSO\Administrator option is selected, and click Next.
12. On the Ready to Install page, click Next.
13. When the installation completes, click Finish.
Task 2: Connect to the application partition and verify initial replication by using ADSI Edit
1. On the 6426C-NYC-SVR1-B virtual machine, click Start, point to Administrative Tools, and click ADSI Edit.
2. In the ADSI Edit console, right-click ADSI Edit in the left pane, and then click Connect to. The Connection Settings dialog box appears.
3. In the Connection Settings dialog box, in the Name box, type ContosoApplication.
4. Under Connection Point, in the Select or type a Distinguished Name or Naming Context box, type ou=app1,dc=contoso,dc=local.
5. Under Computer, in the Select or type a domain or server: (Server | Domain [:port]) box, type NYC-SVR1:6389, and then click OK. A successful connection indicates that 6426C-NYC-SVR1-B has a replica instance.
6. Close ADSI Edit.
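A successful ADSI Edit bind (step 5) only proves that the replica instance hosts the partition; it says nothing about whether the objects have replicated. The script below is an added example, not part of the lab: it binds to both instances over LDAP, confirms each lists ou=app1,dc=contoso,dc=local among its naming contexts, and compares the objects by objectGUID, which is replicated and immutable, so that objects present on one side and missing on the other are reported by name. NYC-SVR1:6389 is from the lab; the first instance's host and port are not stated on the page, so NYC-DC1:50000 is a placeholder to replace.

```powershell
# Added example (not part of the lab): compare the application partition on the two AD LDS instances.
# Runs as the current user (CONTOSO\Administrator is the AD LDS administrator in the lab).
$partitionDn = 'ou=app1,dc=contoso,dc=local'
$firstInstance = 'NYC-DC1:50000'   # placeholder: host:port of the instance created in Exercise 1
$replica       = 'NYC-SVR1:6389'   # the replica the lab connects to in step 5

function Test-HostsPartition {
    param([string]$Server, [string]$PartitionDn)
    # RootDSE advertises every naming context the instance holds.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    @($rootDse.Properties['namingContexts']) -contains $PartitionDn   # -contains is case-insensitive
}

function Get-PartitionObjects {
    param([string]$Server, [string]$PartitionDn)
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$PartitionDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectGUID'))
    $map = @{}
    foreach ($r in $searcher.FindAll()) {
        # objectGUID identifies the same object on every replica even if it has since been renamed.
        $guid = New-Object Guid -ArgumentList (,[byte[]]$r.Properties['objectguid'][0])
        $map[$guid.ToString()] = $r.Properties['distinguishedname'][0]
    }
    $map
}

foreach ($server in @($firstInstance, $replica)) {
    if (-not (Test-HostsPartition -Server $server -PartitionDn $partitionDn)) {
        throw "$server does not host $partitionDn (check the instance port and that the partition was replicated)"
    }
}

$onFirst   = Get-PartitionObjects -Server $firstInstance -PartitionDn $partitionDn
$onReplica = Get-PartitionObjects -Server $replica       -PartitionDn $partitionDn

$missingOnReplica = @($onFirst.Keys   | Where-Object { -not $onReplica.ContainsKey($_) } | ForEach-Object { $onFirst[$_] })
$missingOnFirst   = @($onReplica.Keys | Where-Object { -not $onFirst.ContainsKey($_) }   | ForEach-Object { $onReplica[$_] })

New-Object PSObject -Property @{
    Partition        = $partitionDn
    ObjectsOnFirst   = $onFirst.Count
    ObjectsOnReplica = $onReplica.Count
    MissingOnReplica = $missingOnReplica
    MissingOnFirst   = $missingOnFirst
    InSync           = ($missingOnReplica.Count -eq 0) -and ($missingOnFirst.Count -eq 0)
}
```

Immediately after the replica is created, MissingOnReplica is often non-empty simply because initial replication is still running; re-run the comparison after a few minutes before concluding that replication is broken.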
Module 5
Lab Answer Key: Deploying and Configuring Active Directory Federation Services
Contents:
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Exercise 1: Installing the PKI Infrastructure and Preparing for Federated Collaboration with AD FS 2.0
Task 1: Install Active Directory Certificate Services in the Contoso domain
1. Start the 6426C-NYC-DC1, 6426C-NYC-CL1, and 6426C-MIA-DC1 virtual machines.
2. Log on to the 6426C-NYC-DC1 virtual machine as CONTOSO\Administrator, and type in Pa$$w0rd as the password.
Note: Before going further into the lab, ensure that the core services it depends on are running, to help prevent issues later in the lab. To do this, do the following:
   a. Go to Start > Administrative Tools > Services.
   b. In the Services management console, in the Services (Local) pane, on the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started and the Startup Type is set to Automatic.
   c. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
   d. Repeat steps a through c above for Active Directory Domain Services.
3. Click Start, point to Administrative Tools, and then click Server Manager.
4. In the Server Manager window, click Roles.
5. Click Add Roles.
6. On the Before You Begin page, click Next.
7. On the Select Server Roles page, select the Active Directory Certificate Services check box and then click Next.
8. On the Introduction to Active Directory Certificate Services page, click Next.
9. On the Select Role Services page, ensure Certification Authority and Certification Authority Web Enrollment are both selected.
10. Click Add Required Role Services on the Add Roles Wizard dialog when it appears, and then click Next.
11. On the Specify Setup Type page, select Enterprise, and then click Next.
12. On the Specify CA Type page, select Root CA, and then click Next.
13. On the Setup Private Key page, select Create a new private key, and then click Next.
14. On the Configure Cryptography for CA page, accept the defaults, and then click Next.
15. On the Configure CA Name page, in the Common Name for this CA box, type ContosoCA, and then click Next.
16. On the Set Validity Period page, accept the defaults, and then click Next.
17. On the Configure Certificate Database page, accept the defaults, and then click Next.
18. On the Web Server (IIS) page, click Next.
19. On the Select Role Services page, accept the defaults, and then click Next.
20. On the Confirm Installation Selections page, click Install.
21. On the Installation Results page, click Close.
Task 2: Turn off the CRL Distribution Point (CDP) and Authority Information Access (AIA)
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the Certsrv - [Certification Authority (Local)] console, right-click ContosoCA, and then click Properties.
3. In the ContosoCA Properties dialog box that appears, click the Extensions tab.
4. In the Select extensions drop-down list, select CRL Distribution Point (CDP) and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
5. Highlight the http:// entry and then select Include in the CDP extension of issued certificates.
6. In the Select extension list, select Authority Information Access (AIA), and delete the following items by highlighting them and then clicking Remove:
   ldap:///CN
   file://<ServerDNSName>
   Confirm the removal by clicking Yes.
7. Highlight the http:// entry and then select Include in the AIA extension of issued certificates.
8. Click OK to exit the dialog box.
9. On the Certification Authority dialog box, click Yes to restart the Active Directory Certificate Services.
10. Click Start. In the Search box, type MMC, and then press ENTER.
11. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
12. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
13. In the Certificate snap-in dialog box, select Computer account, and then click Next.
14. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
15. In the Add or Remove Snap-ins dialog box, click OK.
16. In the console tree, expand Certificates (Local Computer), and then expand Personal.
17. Under the Personal folder, click Certificates and press F5. Note the certificates that are present and their details such as Issued To, Expiration Date, Intended Purposes, Friendly Name and Certificate Template.
18. Click Start, click All Programs, click Accessories, right-click Command Prompt and then click Run as Administrator.
19. In the Command Prompt window, type certutil -pulse, and then press ENTER.
20. Return to the Certificates console, and then press F5 to refresh.
21. A new certificate should now be issued to NYC-DC1.contoso.com, issued by ContosoCA, with an intended purpose of Client Authentication, Server Authentication and based on the certificate template of Domain Controller.
22. Right-click this certificate and then click Delete. Click Yes to confirm the deletion.
Note: This certificate contains legacy LDAP CRL URLs which we cannot use in our federated environment, so we need to purge this certificate now to avoid potential configuration trouble later.
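The CDP and AIA lists edited in steps 4 to 9 (and the OCSP location added to the AIA in Module 3, Exercise 3, Task 3) are stored in the CA's registry configuration, which certutil can read and write directly. The script below is an added example, not part of the lab: it sets both lists to the state the lab arrives at (HTTP locations kept, ldap:/// and file:// entries gone, the Online Responder included in the OCSP extension), restarts the CA service as step 9 does, and then performs the check behind step 22 by listing certificates in the machine Personal store whose CDP still references ldap:/// or file:// locations. The flag prefixes are the documented publication-URL bits for these registry values (1 publish to this location, 2 include in the CDP/AIA extension of issued certificates, 32 include in the OCSP extension) and the %-tokens are the CA's substitution variables (%1 ServerDNSName, %3 CaName, %4 CertificateName, %8 CRLNameSuffix, %9 DeltaCRLAllowed); the server and URL values are the lab's.

```powershell
# Added example (not part of the lab): set the CA's CDP/AIA publication lists and audit the local store.
# Run in an elevated prompt on the CA (6426C-NYC-DC1 in this module).

# CDP: keep the local publish location (flag 1) and the HTTP URL included in issued certs (flag 2).
# The ldap:/// and file:// entries the lab removes are simply absent from the new list.
$crlUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '2:http://%1/CertEnroll/%3%8%9.crl'
)
# AIA: HTTP location of the CA certificate (flag 2) plus the Online Responder (flag 32 = OCSP extension).
$aiaUrls = @(
    '2:http://%1/CertEnroll/%1_%3%4.crt'
    '32:http://NYC-SVR1/ocsp'
)

# certutil -setreg takes a REG_MULTI_SZ as one argument with a literal \n between entries.
& certutil.exe -setreg CA\CRLPublicationURLs ($crlUrls -join '\n') | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting CA\CRLPublicationURLs failed' }
& certutil.exe -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n') | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting CA\CACertPublicationURLs failed' }

# Step 9: new extensions are only written to certificates issued after the service restarts.
Restart-Service CertSvc
& certutil.exe -getreg CA\CRLPublicationURLs
& certutil.exe -getreg CA\CACertPublicationURLs

# Step 21/22: certificates issued before the change still embed the old CDP. Report them; deleting
# (or re-enrolling) is a deliberate decision, so this only lists.
function Get-CertificatesWithLegacyCdp {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem $StorePath) {
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }          # CRL Distribution Points
        if (-not $cdp) { continue }
        $cdpText = $cdp.Format($true)
        if ($cdpText -match 'ldap:///|file://') {
            $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }  # Certificate Template Information
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                Template   = if ($tmpl) { $tmpl.Format($false) } else { '' }
                CdpUrls    = (($cdpText -split "`r?`n") | Where-Object { $_ -match 'URL=' } | ForEach-Object { $_.Trim() }) -join ' ; '
            }
        }
    }
}
Get-CertificatesWithLegacyCdp | Format-List
```

After certutil -pulse in step 19, the Domain Controller certificate shows up in this list with a Template value of Domain Controller, which is the certificate step 22 has you delete; a certificate enrolled after the restart should not appear.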
Task 3: Configure the Web Server certificate template to allow domain controllers and domain computers permission to access the certificate
1. On the 6426C-NYC-DC1 virtual machine, click Start. In the Search box, type MMC, and then press ENTER.
2. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
3. In Available snap-ins, double-click Certificate Templates, and then click OK.
4. In the console tree, click Certificate Templates. All the certificate templates appear in the details pane.
5. In the details pane, right-click the Web Server template, and then click Properties.
6. On the Security tab, click Add.
7. In the Enter the object name to select box, type Domain Computers, and then click OK.
8. While Domain Computers is selected in the Group or user names list, in the Permissions list, under Allow, select the Read and Enroll check boxes.
9. Repeat steps 6 to 8 for Domain Controllers, Network Service and IIS_IUSRS.
10. Click OK to close the Web Server Properties dialog box, and then close the console. Click No when asked to save the console settings.
11. Click Start, click All Programs, click Accessories, right-click Command Prompt, and click Run as Administrator.
12. In the Command Prompt window, type the following command to stop AD CS, and then press ENTER.
13. In the Command Prompt window, type the following command to start AD CS, and then press ENTER.
net start "Active Directory Certificate Services"
6. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.
Note The Select button is only enabled when a CA is correctly configured and exists on the domain.
7. Select ContosoCA, and then click OK.
8. In Friendly name, type NYC-DC1.Contoso.com, and then click Finish.
Note You must provide a friendly name for the certificate.
Task 5: Bind the certificate to a claim aware application for use with SSL
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand NYC-DC1 (CONTOSO\Administrator), expand Sites, click Default Web Site, and then in the Actions pane, click Bindings.
3. In the Site Bindings dialog box, click Add.
4. In the Add Site Binding dialog box, under Type select https, and under Port enter 443.
5. Expand the SSL Certificate drop-down list.
6. If there is more than one certificate with name NYC-DC1.Contoso.com, you need to determine which one is the certificate you just created and the one you want to use.
7. Select the NYC-DC1.Contoso.com certificate from the list, and then click View.
8. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list, and then scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog box.
9. If the field is not present or the friendly name listed is different, click OK to close the Certificate dialog box and repeat steps 6 to 8 until you determine the correct certificate.
10. Now that you have identified the correct certificate, select that certificate, click OK, and then click Close.
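The friendly-name check in Task 5 and the legacy LDAP CRL note in Task 2 can be done together from PowerShell. This is an added example, not part of the lab; it assumes the lab's friendly name NYC-DC1.Contoso.com and is run elevated on NYC-DC1.

```powershell
# Added example (not part of the lab). Finds the certificate by friendly name in the
# local computer's Personal store, the way Task 5 does in the IIS dialog, and reports
# each match's CRL distribution points so a certificate carrying the legacy LDAP CRL
# URLs mentioned in Task 2 is caught before it is bound to the HTTPS site.
# Assumes the lab's friendly name NYC-DC1.Contoso.com; run elevated on NYC-DC1.

$FriendlyName = 'NYC-DC1.Contoso.com'

# OID of the CRL Distribution Points extension (id-ce-cRLDistributionPoints, RFC 5280).
$CdpOid = '2.5.29.31'

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text containing URL= entries.
    $text = $ext.Format($true)
    return @([regex]::Matches($text, '(?i)(?:ldap|https?|file)://[^\s)]+') |
        ForEach-Object { $_.Value })
}

$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
} else {
    foreach ($cert in $candidates) {
        $cdps = Get-CrlDistributionPoints -Certificate $cert
        # A usable web server / AD FS certificate needs its private key and must not
        # point relying parties at ldap:// CRLs they cannot reach across the federation.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            CrlUrls       = ($cdps -join '; ')
            LegacyLdapCdp = [bool]($cdps | Where-Object { $_ -like 'ldap://*' })
        }
    }
}
```

A row with LegacyLdapCdp set to True is the Domain Controller certificate the lab deletes in Task 2; the one to bind has HasPrivateKey True and only HTTP CRL URLs.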
Task 6: Export the Contoso root certificate for importing into the WoodgroveBank domain
1. On the 6426C-NYC-DC1 virtual machine, click Start.
2. In the Search box, type MMC, and then press ENTER.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
5. In the Certificate snap-in dialog box, click Computer account, and then click Next.
6. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the console tree, expand Certificates (Local Computer), and then expand Personal.
9. Under Personal folder, click Certificates. In the details pane, right-click ContosoCA certificate, point to All Tasks, and then click Export. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, select No, do not export the private key, and then click Next.
11. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
12. On the File to Export page, type C:\Export\Certs\ContosoCA.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.
Task 7: Import the certificates from the WoodgroveBank domain into the local Trusted Root Certificate Authority store and make that certificate accessible to all computers in the domain using Group Policy
1. On the 6426C-NYC-DC1 virtual machine, click Start.
2. In the Search box, type MMC, and then press ENTER.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Group Policy Wizard opens.
4. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
5. In Domains, OUs, and linked Group Policy Objects, select Default Domain Policy, and then click OK.
6. Click Finish and then click OK.
7. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
8. Right-click Trusted Root Certification Authorities, and then click Import.
9. On the Welcome to the Certificate Import Wizard page, click Next.
10. On the File to Import page, click Browse.
11. In the Open window, in the File name box, type \\MIA-DC1\C$\Export\Certs\WoodgroveBankCA.cer, click Open, and then click Next.
12. On the Certificate Store page, select Place all certificates in the following store, verify that it is pointed to the Trusted Root Certification Authorities store, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish.
14. You should receive a message saying The import was successful. Click OK.
15. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
16. In the Command Prompt window, type gpupdate /force, and then press ENTER.
17. Log on to the 6426C-MIA-DC1 virtual machine as WOODGROVEBANK\Administrator, and type in Pa$$w0rd as the password.
18. Repeat steps 1 to 14 on the 6426C-MIA-DC1 virtual machine using \\NYC-DC1\C$\Export\Certs\ContosoCA.cer as the certificate to import.
19. On the 6426C-MIA-DC1 virtual machine, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
20. In the Command Prompt window, type gpupdate /force and then press ENTER.
Results: At the end of this exercise, you have installed Active Directory Certificate Services (AD CS), created, modified and managed certificates for use in a federated environment, bound certificates to an SSL connection, and exported and imported certificates across different organizations. These are all preliminary tasks required for a successful AD FS implementation.
Exercise 2: Installing and Configuring Active Directory Federation Services (AD FS) 2.0
Task 1: Install AD FS 2.0 in the Contoso domain
1. On the 6426C-NYC-DC1 virtual machine, right-click Start, and then click Open Windows Explorer.
2. In Windows Explorer, go to the X:\Labfiles\Mod05\AdfsSetup folder, right-click the file AdfsSetup.exe, and then click Run as administrator.
3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.
5. On the Server Role page, ensure that Federation server is selected, and then click Next.
6. In the Install Prerequisite Software window, click Next to begin the installation.
7. In the Completed the AD FS 2.0 Setup Wizard window, ensure that the Start the AD FS 2.0 Management snap-in when this wizard closes option is selected, and then click Finish. The AD FS 2.0 console opens.
Task 2: Create a stand-alone Federation Server using the AD FS 2.0 Federation Server Configuration Wizard
1. On the 6426C-NYC-DC1 virtual machine, in the AD FS 2.0 console, in the middle pane, click the AD FS 2.0 Federation Server Configuration Wizard link.
2. On the Welcome page, ensure that Create a new Federation Service is selected, and then click Next.
3. On the Select Stand-Alone or Farm Deployment page, select the Stand-alone federation server option, and then click Next.
4. On the Specify the Federation Service Name page, ensure that the SSL certificate selected is NYC-DC1.Contoso.com, the Port is 443, and the Federation Service name is NYC-DC1.Contoso.com.
5. Click View. In the Certificate dialog, click the Details tab, select <All> in the Show drop-down list and scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate dialog.
6. Click Next.
7. On the Ready to Apply Settings page, verify that the correct configuration settings are listed, and then click Next.
8. The wizard should display the results for each component with the status being Configuration finished.
9. Click Close.
Note As was recommended at the start of Exercise 1, you should ensure that some core services that are required are running prior to continuing, to help prevent any issues later in the lab. To do this you should do the following:
a. Go to Start > Administrative Tools > Services.
b. In the Services management console, in the Services (Local) pane, in the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started and the Startup Type is set to Automatic.
c. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
d. Repeat steps a through c above for the AD FS 2.0 Windows Service.
Task 3: Verify the Federation PowerShell Modules have been installed correctly and are available for use
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules. The PowerShell modules will load once the PowerShell window is opened.
2. At the prompt, type the following command, and then press ENTER.
Get-ADFSProperties
3. Examine the output and determine what the fields and values mean. Note some of the more notable values such as AutoCertificateRollover, ClientCertRevocationCheck, DisplayName, HostName, the HTTP port values, Identifier and FederationPassiveAddress.
4. Type the following PowerShell cmdlet and then press ENTER.
Get-Command *-ADFS*
Task 5: Create a new claim type and verify it has been successfully added to the claims list
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Service, and then click Claim Descriptions.
3. Right-click Claim Descriptions, and then click Add Claim Description.
4. In Display Name, type Favorite Color.
5. In the Claim Identifier box type http://www.favoritecolor.com/claim/colordescriptions.
Note You do not have to use a URL, or even a valid URL; however, a URL is one way of documenting what a particular claim type is, what it has been used in relation to, and what format the information should take.
6. Select the Publish this claim description in the federation metadata as a claim type that this Federation Service can accept.
7. Select the Publish this claim description in the federation metadata as a claim type that this Federation Service can send.
8. Click OK.
9. Click Start, click All Programs, and then click Internet Explorer.
10. Type the following address into the address bar: https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
11. Scroll to the end and locate the entry that you have just created.
Results: At the end of this exercise, you have installed and configured AD FS and verified a successful installation by viewing the PowerShell modules as well as directly looking at the federation metadata .xml. You have also successfully added a new claim type to the claim descriptions.
Exercise 3: Configuring AD FS 2.0 for Internal Users to Access an Internal Claim Aware Application
Task 1: Configure a Token Signing Certificate for NYC-DC1.Contoso.com
Note Certificates cannot be modified within AD FS while the AD FS automatic rollover feature is enabled. This feature determines whether or not AD FS will manage certificate expiration and their replacement with new certificates. As such, before we can modify certificates within AD FS this feature needs to be turned off.
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
2. At the prompt, type Set-ADFSProperties -AutoCertificateRollover $False, and then press ENTER.
3. Type Get-ADFSProperties, and then press ENTER.
4. Verify that the value for AutoCertificateRollover is now False.
5. Click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
6. In the AD FS 2.0 console, in the left pane, expand Service, and then click Certificates.
7. Right-click Certificates, and then click Add Token-Signing Certificate.
8. In the select a token signing certificate dialog box, notice the certificates listed, and then select NYC-DC1.Contoso.com certificate.
9. Click the Click here to view certificate properties link to open the Certificate Details window.
10. In the Certificate Details window, click the Details tab, select <All> in the Show drop-down list and then scroll down through the list of items until you see the Friendly name field. If it is listed as NYC-DC1.Contoso.com, this is the correct certificate. Click OK to close the Certificate Details window.
11. If the certificate properties dialog does not contain a Friendly name field, continue to the next certificate and repeat steps 8 to 10.
12. When you have found the correct certificate, click OK to close the Certificate Details window. Select the correct certificate, and then click OK.
13. If you are prompted with a dialog window on the certificate key length, click Yes, and then click OK.
14. Right-click the newly added certificate and then click Set as Primary. Take note of the warning message, understand what the consequences would be in a production environment, and then click Yes.
15. Select the certificate that has just been superseded, right-click the certificate, and then click Delete. Click Yes to confirm the deletion.
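The same token-signing change can be scripted with the AD FS 2.0 cmdlets that Task 3 of Exercise 2 listed. This is an added example, not the lab's own steps; it assumes the Microsoft.Adfs.PowerShell snap-in and its Get-/Add-/Set-/Remove-ADFSCertificate cmdlets, the lab's friendly name NYC-DC1.Contoso.com, and an elevated session on NYC-DC1.

```powershell
# Added example (not the lab's own steps). Performs Task 1 from PowerShell: disables
# automatic certificate rollover, picks the certificate by friendly name, adds it as a
# token-signing certificate, promotes it to primary and removes the superseded one.
# Assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) and the lab's friendly
# name NYC-DC1.Contoso.com; run elevated on NYC-DC1.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$FriendlyName = 'NYC-DC1.Contoso.com'

# Steps 2-4: AD FS refuses certificate changes while AutoCertificateRollover is on.
if ((Get-ADFSProperties).AutoCertificateRollover) {
    Set-ADFSProperties -AutoCertificateRollover $false
}
if ((Get-ADFSProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is still enabled; aborting.'
}

# Steps 8-12: identify the certificate the way the lab does, by friendly name, and
# require a private key, which token signing needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with friendly name '$FriendlyName' and a private key was found."
}

# Step 13: the wizard warns about short keys; surface the same information here.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    Write-Warning "Key length is $keySize bits; 2048 bits or more is recommended."
}

# Add it as a token-signing certificate (skipped if already present), then step 14:
# make it primary. Relying parties keep trusting the old primary until they refresh
# federation metadata, which is what the console's warning is about.
$already = Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $already) {
    Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint
}
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint -IsPrimary

# Step 15: remove the superseded certificate, but only once the new one is primary.
Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { -not $_.IsPrimary -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object {
        Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint $_.Thumbprint
    }

# Show what AD FS now publishes as its signing certificates.
Get-ADFSCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```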
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard appears.
5. On the Select Rule Template page, under Claim rule template, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes Rule.
7. In the Attribute store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values:
   LDAP Attribute        Outgoing Claim Type
   E-Mail-Addresses      E-Mail Address
   User-Principal-Name   UPN
   Display-Name          Name
Task 3: Configure the claims application to trust incoming claims by running the WIF Federation Utility
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows Identity Foundation Federation Utility.
2. On the Welcome to the Federation Utility wizard page, in the Application configuration location, enter C:\inetpub\wwwroot\ContosoClaimApp\web.config for the location of the web.config file of the WIF sample application.
3. In the Application URI box, type https://nyc-dc1.contoso.com/ContosoClaimApp/ to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next to continue.
4. On the Security Token Service page, select Use an existing STS, type https://nyc-dc1.contoso.com/federationmetadata/2007-06/federationmetadata.xml for the STS WS-Federation metadata document location, and then click Next to continue.
Note If you are using a certificate that has not been issued by a Certificate Authority, you will receive a wizard page concerning the certificate validation. If you have selected the certificates as outlined in the exercises in this lab, you will not encounter this page. However, if you choose a non-CA issued certificate, you will need to complete step 5. If you have used a CA issued certificate, you can proceed directly to step 6.
5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.
Note Selecting this option is not recommended in a production environment. The Disable certificate validation option is used in this test lab environment only to simplify the scenario.
6. On the Security token encryption page, select No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.
Note If you scroll to the end of the claims, you should see the claim you added in Exercise 2.
8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility wizard, scroll through the items to understand what each item is doing, and then click Finish.
9. Click OK.
Note This action passes an incoming claim through to the user by means of Windows Integrated Authentication.
3. On the Configure Rule page, in Claim rule name, type Pass through Windows Account name rule. In the Incoming claim type drop-down list, select Windows account name, and then click Finish.
4. Click Add Rule.
5. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Pass through E-mail Address rule. In the Incoming claim type drop-down list, select E-mail Address, and then click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
9. On the Configure Rule page, in Claim rule name, type Pass through UPN rule. In the Incoming claim type drop-down list, select UPN, and then click Finish.
10. Click Add Rule.
11. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in Claim rule name, type Pass through Name rule. In the Incoming claim type drop-down list, select Name, and then click Finish.
13. Click Apply, and then click OK.
Note If you receive an error saying the page could not be accessed, as a first step in troubleshooting you should ensure that some core services that are required are running successfully, then retry accessing the application as outlined above. To do this you should do the following:
a. Log on to 6426C-NYC-DC1 with user name Contoso\Administrator and password pa$$word.
b. Go to Start > Administrative Tools > Services.
c. In the Services management console, in the Services (Local) pane, in the Extended tab, locate the Active Directory Web Services service and ensure that the Status is set to Started and the Startup Type is set to Automatic.
d. If either of these values is not set as above, set the Startup Type to Automatic and restart the service to change the Status to Started.
e. Repeat steps a through c above for the AD FS 2.0 Windows Service.
f. Retry steps 1 to 3 above.
Task 7: Configure claim rules for the claim provider trust and the relying party trust to allow access only for a certain group
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claim Provider Trusts.
3. Select the Active Directory, and in the Actions pane on the right side, click Edit Claim Rules.
4. On the Acceptance Transform Rules tab, click the Add Rule button to start the Add Transform Claim Rule Wizard.
5. On the Select Rule Template page, under Claim rule template, select Send Group Membership as a Claim, and then click Next.
6. On the Configure Rule page, in Claim rule name, type Send IT Admin Group Rule, and click Browse.
7. In Enter the object name to select box, type ITAdmins_ContosoGG, and then click OK.
8. In Outgoing claim type, select Group, in Outgoing claim value, type ITADMIN, and then click Finish.
9. Click OK to close the property page and save the changes to the claim provider trust.
10. In the AD FS 2.0 console, expand Trust Relationships, and then click Relying Party Trusts.
11. Select the WIF Sample Claims App, and in the Actions pane on the right side, click Edit Claim Rules.
12. On the Edit Claim Rules for WIF Sample Claims App window, click the Issuance Authorization Rules tab.
13. On the Issuance Authorization Rules tab, select the rule named Permit Access to All Users, and click Remove Rule. Click Yes to confirm. With no rules, no users are permitted access.
14. On the Issuance Authorization Rules tab, click the Add Rule button to start the Add Issuance Authorization Claim Rule Wizard.
15. On the Select Rule Template page, under Claim rule template, select Permit or Deny Users Based on an Incoming Claim, and then click Next.
16. On the Configure Rule page, in Claim rule name type Permit IT Admin Group Rule, in the Incoming claim type drop-down list, select Group. In Incoming claim value, type ITADMIN, select the option to Permit access to users with this incoming claim, and then click Finish.
17. Click OK to close the property page and save the changes to the relying party trust.
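The wizards in Task 2 (Send LDAP Attributes as Claims) and Task 7 (Send Group Membership as a Claim, Permit or Deny Users Based on an Incoming Claim) generate text in the AD FS claim rule language, which can also be applied directly. This is an added example, not the lab's own steps; it assumes the Microsoft.Adfs.PowerShell snap-in with its Get-/Set-ADFSClaimsProviderTrust and Get-/Set-ADFSRelyingPartyTrust cmdlets, and the lab's names (CONTOSO\ITAdmins_ContosoGG, relying party WIF Sample Claims App).

```powershell
# Added example (not the lab's own steps). Applies the rules from Tasks 2 and 7 in the
# claim rule language: the LDAP attribute rule and the group rule go on the Active
# Directory claims provider trust; the permit rule replaces "Permit Access to All Users"
# on the relying party. Assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) and
# the lab's names (CONTOSO\ITAdmins_ContosoGG, relying party "WIF Sample Claims App").

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$GroupClaim  = 'http://schemas.xmlsoap.org/claims/Group'
$PermitClaim = 'http://schemas.microsoft.com/authorization/claims/permit'

# Resolve the group SID from the directory instead of typing it; the wizard does the
# same when you Browse for ITAdmins_ContosoGG in step 7.
$account  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'ITAdmins_ContosoGG')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Task 2: mail, userPrincipalName and displayName become E-Mail Address, UPN and Name.
$ldapRule = @"
@RuleName = "Outbound LDAP Attributes Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
"@

# Task 7, steps 5-8: members of the group receive a Group claim with the value ITADMIN.
$groupRule = @"
@RuleName = "Send IT Admin Group Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$GroupClaim", Value = "ITADMIN", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Task 7, steps 13-16: only a Group=ITADMIN claim yields a permit. With no rule at all
# nobody is permitted, which is why the lab removes "Permit Access to All Users" first.
$permitRule = @"
@RuleName = "Permit IT Admin Group Rule"
c:[Type == "$GroupClaim", Value =~ "^(?i)ITADMIN$"]
 => issue(Type = "$PermitClaim", Value = "PermitUsersWithClaim");
"@

# -AcceptanceTransformRules replaces the whole rule set, so append to what is already
# there rather than wiping rules created in the console.
$cpt      = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
$newRules = [string]$cpt.AcceptanceTransformRules
foreach ($rule in @($ldapRule, $groupRule)) {
    $nameLine = $rule.Split("`n")[0].Trim()
    if ($newRules -notmatch [regex]::Escape($nameLine)) {
        $newRules = ($newRules, $rule) -join "`r`n"
    }
}
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $newRules

# Issuance authorization rules on the relying party are replaced outright: the permit
# rule becomes the only one, matching steps 13 to 17.
Set-ADFSRelyingPartyTrust -TargetName 'WIF Sample Claims App' -IssuanceAuthorizationRules $permitRule

# Verify what AD FS actually stored.
(Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name 'WIF Sample Claims App').IssuanceAuthorizationRules
```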
Results: At the end of this exercise, you have configured a stand-alone AD FS 2.0 federation server and verified the Federation PowerShell Modules installed successfully and are available.
Exercise 4: Configuring AD FS 2.0 for Internal Users to Access a Partner's Claim Aware Application
Task 1: Add a claims provider trust for the NYC-DC1.Contoso.com on 6426C-MIA-DC1
1. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click AD FS 2.0 Management.
2. In the AD FS 2.0 console, expand Trust Relationships, and then click Claims Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. On the Welcome page, click Start.
5. On the Select Data Source page, select Import data about the claims provider published online or on a local network, type https://nyc-dc1.contoso.com, and then click Next.
6. On the Specify Display Name page, click Next.
7. On the Ready to Add Trust page, review the claims provider trust settings, and then click Next to save the configuration.
8. On the Finish page, click Close to close the wizard. The Edit Claim Rules for nyc-dc1.contoso.com window appears.
9. On the Acceptance Transform Rules tab, click Add Rule.
10. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and then click Next.
11. In the Claim rule name box, type Pass through Windows account name rule.
12. In the Incoming claim type drop-down list, select Windows account name.
13. Select Pass through all claim values, and then click Finish.
Note Read, understand and acknowledge the warning message that appears by clicking Yes.
14. Click OK and then close the AD FS 2.0 console.
15. On the 6426C-MIA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Windows PowerShell Modules.
16. At the prompt, type the following command, and then press ENTER.
Set-ADFSClaimsProviderTrust -TargetName nyc-dc1.contoso.com -SigningCertificateRevocationCheck None
17. Close the PowerShell window.
Note We have not made any modification to the application itself.
10. On the Issuance Transform Rules tab, click Add Rule.
11. In the Claim rule template list, select Pass Through or Filter an Incoming claim, and then click Next.
12. In the Claim rule name box, type Pass through Windows account name rule.
13. In the Incoming Claim type drop-down list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. Click OK and then close the AD FS 2.0 console.
Task 3: Verify access to the Woodgrove Bank claim aware application by Contoso users
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy using password Pa$$w0rd.
2. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.
Note The logon process has changed and you now need to select an authority which can authorize and validate the access request. The Home Realm Discovery page (the Sign In page) appears and you need to select an authority.
3. Select nyc-dc1.contoso.com on the Home Realm Discovery page and then click Continue to Sign in.
4. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.
5. Close Internet Explorer.
6. Launch Internet Explorer, and in the address bar type the following address: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.
Note You are not prompted for a home realm again. Once users have selected a home realm and been authenticated by a realm authority, they are issued an _LSRealm cookie by the relying party Federation Server. The default lifetime for the cookie is 30 days. Therefore, in order to log on multiple times, we should delete that cookie after each logon attempt to return to a clean state.
7. Click Cancel.
8. In Internet Explorer, click Tools, and then click Internet Options.
9. On the General tab, in the Browsing History section, click Delete.
10. Select all the check boxes and then click Delete.
11. Click OK and close Internet Explorer.
12. Launch Internet Explorer again and in the browser address bar type: https://mia-dc1.woodgrovebank.com/WoodgroveBankClaimApp.
13. Select nyc-dc1.contoso.com on the Home Realm Discovery page and then click Continue to Sign in.
14. When prompted for credentials, type CONTOSO\Betsy with password Pa$$w0rd, and then press ENTER. You should be able to access the application.
Module 6
Lab Answer Key: Deploying and Configuring Active Directory Rights Management Services
Contents:
Exercise 1: Installing and Configuring AD RMS
Exercise 2: Configuring AD RMS Templates
Exercise 3: Configuring AD RMS Trust Policies
Exercise 4: Testing AD RMS Functionality
Exercise 5: Generating AD RMS Reports
10. On the Specify Service Account page, click Specify, type CONTOSO\adrms-svc, type Pa$$w0rd for the password, click OK to provide a domain user account for the AD RMS service account, and then click Next.
11. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS centrally managed key storage, and then click Next.
12. On the Specify AD RMS Cluster Key Password page, type Pa$$w0rd as the AD RMS cluster key password, and then click Next.
13. On the Select AD RMS Cluster Web Site page, ensure that Default Web Site is selected, and then click Next.
14. On the Specify Cluster Address page, in the Internal Address box, type rms.contoso.com, select Use an unencrypted connection (http://), click Validate, and then click Next.
15. On the Name the Server Licensor Certificate page, in the Name box, type Contoso Pharmaceuticals RMS, and then click Next.
16. On the Register AD RMS Service Connection Point page, ensure that Register the AD RMS service connection point now is selected, and then click Next three times.
17. On the Confirm Installation Selections page, view the informational messages, and then click Install to complete the installation.
18. After the installation is complete, click Close, and then log off from the 6426C-NYC-SVR1 virtual machine.
10. Click Add, select Anyone, and then click OK.
11. Under Rights for ANYONE, select the View check box, and then click Next.
12. On the Specify Expiration Policy page, select the Expires after the following duration (days) option to specify content expiration, and type 14 as the value.
13. Click Finish, close the Active Directory Rights Management Services console, and then log off from the 6426C-NYC-SVR1 virtual machine.
Task 2: Configure AD RMS rights policy template distribution for Windows 7 client computers
1. Log on to the 6426C-NYC-CL1 virtual machine as CONTOSO\Betsy with the password Pa$$w0rd.
2. On the 6426C-NYC-CL1 virtual machine, click Start, right-click Computer, and then click Manage.
3. In the User Account Control dialog box, type Administrator as the user name, and Pa$$w0rd as the password, and then click Yes.
4. In the Computer Management console, expand Task Scheduler, expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
5. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
6. Right-click AD RMS Rights Policy Template Management (Automated), click Run, and then close Computer Management.
Note If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Betsy and password Pa$$w0rd.
7. Click Start, type regedit.exe in the Search box, and then press ENTER.
8. Browse to HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 14.0, and then click Common.
9. Right-click Common, point to New, and then click Key.
10. Name the new key DRM. This key is only available if the user has previously launched any Microsoft Office program and used rights management. If DRM was not already created, you must create it manually. This is also true for the Office > 14.0 key.
11. Right-click DRM, point to New, and then click Expandable String Value.
12. In the New Value #1 box, type AdminTemplatePath, and then press ENTER.
13. Double-click the AdminTemplatePath registry value. In the Value data box, type %LocalAppData%\Microsoft\DRM\Templates, and then click OK.
14. Close the Registry Editor, and log off from the 6426C-NYC-CL1 virtual machine.
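Steps 5 to 13 can be scripted in the user's session and checked afterwards. This is an added example, not the lab's own steps; it assumes the built-in task name shown in step 5, the Office 2010 (14.0) registry path from step 8, and schtasks.exe as the task interface available on Windows 7.

```powershell
# Added example (not the lab's own steps). Does Task 2 on a Windows 7 client from
# PowerShell: enables and runs the AD RMS template distribution task, creates the
# Office 14.0 DRM key and AdminTemplatePath value, then verifies the result.
# Assumes the lab's Office 2010 (14.0) registry path and the built-in task name;
# run in the logged-on user's own session, because the value lives under HKCU.

$TaskName     = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
$DrmKey       = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$TemplatePath = '%LocalAppData%\Microsoft\DRM\Templates'

# Steps 5-6: enable and run the scheduled task. schtasks.exe is what Windows 7 offers;
# the *-ScheduledTask cmdlets arrived in later Windows versions.
& schtasks.exe /Change /TN $TaskName /ENABLE | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not enable task '$TaskName'." }
& schtasks.exe /Run /TN $TaskName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not start task '$TaskName'." }

# Steps 7-13: the DRM key (and Office\14.0 above it) exists only once Office has used
# rights management, so create the whole path when it is missing.
if (-not (Test-Path $DrmKey)) { New-Item -Path $DrmKey -Force | Out-Null }
New-ItemProperty -Path $DrmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
                 -Value $TemplatePath -Force | Out-Null

# Verify the value kind as well as the data: a plain REG_SZ leaves %LocalAppData%
# unexpanded and Office would look for a literal folder of that name.
$key  = Get-Item $DrmKey
$kind = $key.GetValueKind('AdminTemplatePath')
$raw  = $key.GetValue('AdminTemplatePath', $null, 'DoNotExpandEnvironmentNames')
if ($kind -ne 'ExpandString' -or $raw -ne $TemplatePath) {
    throw "AdminTemplatePath is $kind '$raw'; expected ExpandString '$TemplatePath'."
}

# The task downloads templates into the expanded path; list what has arrived.
$expanded = [Environment]::ExpandEnvironmentVariables($TemplatePath)
if (Test-Path $expanded) {
    Get-ChildItem $expanded -Filter *.xml | Select-Object Name, LastWriteTime
} else {
    Write-Warning "Template folder $expanded is not present yet; re-run the task once the AD RMS cluster is reachable."
}
```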
Task 3: Use Group Policy Management console to distribute the AD RMS rights policy template to Windows XP client computers
1. On the 6426C-NYC-DC1 virtual machine, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, and then expand Contoso.com.
3. Under Contoso.com, right-click the Default Domain Policy shortcut, and then click Edit.
4. In the Group Policy Management Editor, browse to User Configuration, and then expand Policies.
5. Right-click Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, and then click Add/Remove Templates.
6. Click Add, and in the File name box, type \\NYC-DC1\templates, and then click Open.
7. In the Policy Templates dialog box, select office14.adm, click Open, and then click Close.
8. In the Group Policy Management Editor, browse to User Configuration\Policies\Administrative Templates: Policy definitions (ADMX files) retrieved from local machine\Classic Administrative templates (ADM)\Microsoft Office 2010\Manage Restricted Permissions.
9. Double-click Specify Permission Policy Path, and then select Enabled.
10. In the Enter path to policy templates for content permission box, type the complete path to the permission policy templates, \\NYC-DC1\templates, and then click OK.
11. Close the Group Policy Management Editor, and then close the Group Policy Management console.
Lab Answer Key: Deploying and Configuring Active Directory Rights Management Services
Task 3: Import the Trusted User Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted User Domains.
2. Right-click Trusted User Domains, and click Import Trusted User Domain.
3. In the Trusted user domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.bin.
4. In the Display name box, type WoodgroveBank Domain, and then click Finish. The WoodgroveBank Domain Trusted User domain information is displayed in the Details pane of the AD RMS console.
Task 4: Import the Trusted Publishing Domains policy from the WoodgroveBank domain
1. On the 6426C-NYC-SVR1 virtual machine, in the Active Directory Rights Management Services console, expand NYC-SVR1 (Local), expand Trust Policies, and then click Trusted Publishing Domains.
2. Right-click Trusted Publishing Domains, and click Import Trusted Publishing Domain.
3. In the Trusted publishing domain file box, type \\NYC-DC1\x$\Labfiles\Mod06\WoodgroveBank.xml.
4. Type Pa$$w0rd as the password.
5. In the Display name box, type WoodgroveBank RMS, and then click Finish. The WoodgroveBank RMS TPD information is displayed in the Details pane of the AD RMS console.
6. Close the Active Directory Rights Management Services console.
3. Click the File menu, and then click Open.
4. In the File name box, type \\NYC-DC1\templates\Protected.docx, and then click Open.
Note: If you are prompted for credentials, you should use the credentials that you are logged on with, which is CONTOSO\Axel and password Pa$$w0rd.
5. In the message box indicating that permission to the document is restricted, click OK. The document opens.
6. In the Confidential Projects bar, click View Permission. Notice that Axel has Editing permissions because he is a member of the IT Admins group, and then click OK.
7. Type Edited successfully by Axel in a new line.
8. Click the File menu, and then click Save.
9. Close Microsoft Office Word, and log off from the 6426C-NYC-CL1 virtual machine.
Module 7
Lab Answer Key: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Contents:
Exercise 1: Configuring CA Event Auditing
Exercise 2: Backing Up Active Directory Certificate Services
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
Exercise 4: Configuring AD RMS Logging
Lab: Maintaining Windows Server 2008 Active Directory Identity and Access Solutions
Lab Setup
In this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Apply the StartingImage snapshot for the 6426C-MIA-DC1 virtual machine.
10. Close the Group Policy Management Editor and the Group Policy Management console.
11. Click Start, click All Programs, click Accessories, and then click Command Prompt.
12. In the Command Prompt window, type gpupdate /force, and then press ENTER.
13. Close the Command Prompt window.
7. On the Action menu, point to All Tasks, and then click Start Service to start the service.
10. On the Actions tab, click New.
11. In the Program/script box, type certutil.
12. In the Add arguments (optional): box, enter -backup -p Pa$$w0rd C:\CAbackup, and then click OK.
13. In the Create Task box, click OK. When you are prompted for the credentials, enter Woodgrovebank\Backup and the password, Pa$$w0rd, and then click OK.
14. Click the Task Scheduler Library node. Wait for the task to start, and complete the backup.
15. Confirm that the backup has completed successfully by viewing the contents of the C:\CAbackup folder and checking the task status. To view the task status, you will have to refresh the Task Scheduler console view.
16. Close Task Scheduler and log off from the 6426C-MIA-DC1 virtual machine.
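Step 15 asks you to confirm the backup by looking in C:\CAbackup. The following PowerShell is an added example, not part of the lab, that runs the same certutil command the scheduled task runs (step 12) and performs that check automatically: it verifies the exit code, that the password-protected PKCS #12 file holding the CA certificate and private key was written, and that the CA database was exported. It assumes it is run elevated on the CA itself and uses the lab password from step 12 as the default.

```powershell
# Added example (not part of the lab): run the certutil backup from step 12 into a
# fresh timestamped folder and verify what it produced.
# Assumed: runs elevated on the CA; the lab password Pa$$w0rd is only a default.
param(
    [string]$BackupRoot     = 'C:\CAbackup',
    [string]$BackupPassword = 'Pa$$w0rd'
)

function Invoke-CaBackup {
    param([string]$Root, [string]$Password)

    # One folder per run so an older backup is never overwritten or mixed in.
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir | Out-Null

    # Same arguments as the Task Scheduler action: -backup -p <password> <folder>.
    $output = & certutil.exe -backup -p $Password $dir 2>&1
    $exit = $LASTEXITCODE

    # certutil -backup writes the CA certificate and private key as a .p12 file
    # protected by the password, and the database (.edb) with its logs in a subfolder.
    $p12 = Get-ChildItem -Path $dir -Recurse -Filter '*.p12'
    $edb = Get-ChildItem -Path $dir -Recurse -Filter '*.edb'

    New-Object PSObject -Property @{
        Folder       = $dir
        ExitCode     = $exit
        HasKeyBackup = [bool]$p12
        HasDatabase  = [bool]$edb
        Success      = (($exit -eq 0) -and [bool]$p12 -and [bool]$edb)
        CertutilText = ($output | Out-String).Trim()
    }
}

$result = Invoke-CaBackup -Root $BackupRoot -Password $BackupPassword
$result | Format-List Folder, ExitCode, HasKeyBackup, HasDatabase, Success
if (-not $result.Success) {
    Write-Error $result.CertutilText
    exit 1
}
```

The .p12 file is what makes this backup sensitive: whoever holds it and the password can restore the CA's signing key, so the backup folder deserves the same access control as the CA itself. A non-zero exit code with an empty folder usually means the task's account lacks rights on the CA or the folder; the captured certutil text says which.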
Exercise 3: Backing Up and Restoring an Active Directory Lightweight Directory Services Instance
Task 1: Use dsdbutil to back up the test1 AD LDS instance
1. On the 6426C-MIA-DC1 virtual machine, click Start, and then click Computer.
2. Double-click the C: drive and then create a new folder in the root of C:\ named backup.
3. Click Start, click All Programs, click Accessories, and then right-click Command Prompt and select Run as administrator.
4. At the command prompt, type dsdbutil and then press ENTER.
5. At the dsdbutil prompt, type activate instance test1 and then press ENTER.
6. At the dsdbutil prompt, type ifm and then press ENTER.
7. At the ifm prompt, type create full c:\backup\test1 and then press ENTER. The backup will proceed. When complete, it will display the message IFM media created successfully in c:\backup\test1.
8. Type quit at the ifm prompt, and then press ENTER.
9. Type quit at the dsdbutil prompt, and then press ENTER.
10. Type exit, and then press ENTER to close the command prompt.
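The interactive session in steps 4 through 9 can be run as a single command, which is how you would schedule the AD LDS backup rather than type it. The following PowerShell is an added example and not part of the lab. It relies on dsdbutil accepting its menu commands as quoted command-line arguments (the same convention ntdsutil uses), assumes the instance is named test1 as in the lab, and assumes it is run from an elevated prompt as step 3 requires.

```powershell
# Added example (not part of the lab): run the dsdbutil IFM backup from steps 4-9
# non-interactively and verify the result.
# Assumed: AD LDS instance name test1 (from the lab), elevated PowerShell session.
function New-AdLdsIfmBackup {
    param(
        [string]$Instance = 'test1',
        [string]$Target   = 'c:\backup\test1'
    )

    # ifm creates the target folder itself; refuse to reuse an existing one so a
    # previous backup is never mixed with a new one.
    if (Test-Path $Target) {
        throw "Target folder '$Target' already exists; choose an empty path."
    }
    # The parent folder must exist (step 2 creates c:\backup by hand).
    $parent = Split-Path $Target -Parent
    if (-not (Test-Path $parent)) {
        New-Item -ItemType Directory -Path $parent | Out-Null
    }

    # Equivalent to typing, in order:
    #   activate instance test1 / ifm / create full c:\backup\test1 / quit / quit
    $output = & dsdbutil.exe "activate instance $Instance" 'ifm' "create full $Target" 'quit' 'quit' 2>&1
    $text = ($output | Out-String)

    # Step 7: success is reported as "IFM media created successfully in <path>".
    $reported = ($text -match 'IFM media created successfully')

    # The IFM set must contain the AD LDS database file, adamntds.dit.
    $dit = @(Get-ChildItem -Path $Target -Recurse -Filter 'adamntds.dit' -ErrorAction SilentlyContinue)
    $ditPath = $null
    if ($dit.Count -gt 0) { $ditPath = $dit[0].FullName }

    New-Object PSObject -Property @{
        Instance     = $Instance
        Target       = $Target
        ReportedOk   = $reported
        DatabaseFile = $ditPath
        Success      = ($reported -and ($dit.Count -gt 0))
        Output       = $text.Trim()
    }
}

$r = New-AdLdsIfmBackup
$r | Format-List Instance, Target, ReportedOk, DatabaseFile, Success
if (-not $r.Success) { Write-Warning $r.Output }
```

Checking for adamntds.dit in addition to the success message guards against the case where dsdbutil exits cleanly but the instance name was wrong and nothing was activated; the captured output then shows the error from the activate instance step.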