
Deploy Claims Across Forests (Demonstration Steps)

Published: February 2012

Updated: March 2012

Applies To: Windows Server 2012

In this topic, we’ll cover a basic scenario that explains how to configure claim transformations between trusting and trusted forests. You will learn how claim transformation policy objects can be created and linked to the trust on the trusting forest and the trusted forest. You will then validate the scenario.

Adatum Corporation provides financial services to Contoso, Ltd. Each quarter, Adatum accountants copy their account spreadsheets to a folder on a file server located at Contoso, Ltd. There is a two-way trust set up from Contoso to Adatum. Contoso, Ltd. wants to protect the share so that only Adatum employees can access the remote share.

In this scenario:

  1. Set up the prerequisites and the test environment

  2. Set up claim transformation on trusted forest (Adatum)

  3. Set up claim transformation in the trusting forest (Contoso)

  4. Validate the scenario

The test configuration involves setting up two forests, Adatum Corporation and Contoso, Ltd., with a two-way trust between Contoso and Adatum. "adatum.com" is the trusted forest and "contoso.com" is the trusting forest.

The claim transformation scenario demonstrates transformation of a claim in the trusted forest to a claim in the trusting forest. To do this, you need to set up a new forest called adatum.com and populate the forest with a test user with a company value of “Adatum”. You then have to set up a two-way trust between contoso.com and adatum.com.

Important
When setting up the Contoso and Adatum forests, you must ensure that both the root domains are at the Windows Server 2012 Domain Functional Level for claims transformation to work.

You need to set up the following for the lab. These procedures are explained in detail in Appendix B: Setting Up the Test Environment.

You need to implement the following procedures to set up the lab for this scenario:

  1. Set Adatum as trusted forest to Contoso

  2. Create the “Company” claim type on Contoso

  3. Enable the “Company” resource property on Contoso

  4. Create the central access rule

  5. Create the central access policy

  6. Publish the new policy through Group Policy

  7. Create the Earnings folder on the file server

  8. Set classification and apply the central access policy on the new folder

Use the following information to complete this scenario:

Objects and details:

  Users:
    Jeff Low, Contoso

  User claims on Adatum and Contoso:
    ID: ad://Company:ContosoAdatum
    Source attribute: company
    Suggested values: Contoso, Adatum

    Important
    You must set the ID on the “Company” claim type on both Contoso and Adatum to be the same for the claims transformation to work.

  Central access rule on Contoso:
    AdatumEmployeeAccessRule

  Central access policy on Contoso:
    Adatum Only Access Policy

  Claim Transformation policies on Adatum and Contoso:
    DenyAllExcept Company

  File folder on Contoso:
    D:\EARNINGS

In this step you create a transformation policy in Adatum that denies all claims except “Company” from passing to Contoso.

The Active Directory module for Windows PowerShell provides the DenyAllExcept argument, which drops everything except the specified claims in the transformation policy.

To set up a claim transformation, you need to create a claim transformation policy and link it between the trusted and trusting forests.

  1. Sign in to the adatum.com domain controller as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt, and type the following:

    # On the trusted forest (adatum.com): keep only the Company claim and drop every other claim.
    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except Company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"adatum.com"

In this step, you apply the newly created claim transformation policy on Adatum’s trust domain object for Contoso.

  1. Sign in to the adatum.com domain controller as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt, and type the following:

    # Link the policy to adatum.com's trust object for contoso.com.
    # TrustRole Trusted: the policy applies to claims leaving this (trusted) forest.
    Set-ADClaimTransformLink `
    -Identity:"contoso.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusted

In this step you create a claim transformation policy in Contoso (the trusting forest) to deny all claims except “Company.” You need to create a claim transformation policy and link it to the forest trust.

  1. Sign in to the contoso.com domain controller as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt, and type the following:

    # On the trusting forest (contoso.com): accept only the Company claim from the trust.
    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"contoso.com"

In this step, you apply the newly created claim transformation policy on the contoso.com trust domain object for Adatum to allow “Company” to be passed through to contoso.com. The trust domain object is named adatum.com.

  1. Sign in to the contoso.com domain controller as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt, and type the following:

    # Link the policy to contoso.com's trust object for adatum.com.
    # TrustRole Trusting: the policy applies to claims entering this (trusting) forest.
    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusting

In this step you try to access the D:\EARNINGS folder that was set up on the file server FILE1 to validate that the user has access to the shared folder.

  1. Sign in to the client computer CLIENT1 as Jeff Low with the password pass@word1.

  2. Browse to the folder \\FILE1.contoso.com\Earnings.

  3. Jeff Low should be able to access the folder.
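Before testing from the client, it helps to confirm from a domain controller that the four steps above produced a consistent configuration. The following script is an added example and is not part of the original walkthrough; it assumes the lab names used on this page (adatum.com as trusted forest, contoso.com as trusting forest, a claim type displayed as “Company”, and the policy name DenyAllClaimsExceptCompanyPolicy) and checks the two preconditions flagged above (domain functional level, identical claim type ID) plus the existence and linking of the policy on both sides.

```powershell
# Added verification script, not part of the original walkthrough. Assumes the
# page's lab names: trusted forest adatum.com, trusting forest contoso.com,
# claim type display name "Company", policy "DenyAllClaimsExceptCompanyPolicy".
Import-Module ActiveDirectory

$Trusted  = 'adatum.com'
$Trusting = 'contoso.com'
$Policy   = 'DenyAllClaimsExceptCompanyPolicy'
$Problems = @()

# 1. Both root domains must be at the Windows Server 2012 domain functional level.
foreach ($domain in $Trusted, $Trusting) {
    $mode = (Get-ADDomain -Server $domain).DomainMode
    if ("$mode" -ne 'Windows2012Domain') {
        $Problems += "$domain is at $mode; claims transformation needs Windows2012Domain"
    }
}

# 2. The "Company" claim type must carry the same ID in both forests, or the
#    claim arriving at Contoso will not match the central access rule.
$ids = @{}
foreach ($domain in $Trusted, $Trusting) {
    $ct = Get-ADClaimType -Filter "DisplayName -eq 'Company'" -Server $domain
    $ids[$domain] = if ($ct) { @($ct)[0].ID } else { '<missing>' }
}
if ($ids[$Trusted] -eq '<missing>' -or $ids[$Trusted] -ne $ids[$Trusting]) {
    $Problems += "Company claim type ID mismatch: $Trusted=$($ids[$Trusted]) $Trusting=$($ids[$Trusting])"
}

# 3. The policy must exist and be linked on both sides with the right trust role:
#    Trusted on adatum.com's trust object for contoso.com (claims leaving Adatum),
#    Trusting on contoso.com's trust object for adatum.com (claims entering Contoso).
$links = @(
    @{ Server = $Trusted;  Identity = $Trusting; Role = 'Trusted'  },
    @{ Server = $Trusting; Identity = $Trusted;  Role = 'Trusting' }
)
foreach ($l in $links) {
    $p = Get-ADClaimTransformPolicy -Identity $Policy -Server $l.Server -ErrorAction SilentlyContinue
    if (-not $p) { $Problems += "$Policy does not exist on $($l.Server)"; continue }
    # Assumption: the policy object's Rule property holds the generated rule text,
    # which for a DenyAllExcept policy names the claim type that is kept.
    if ($p.Rule -notmatch 'Company') { $Problems += "$Policy on $($l.Server) does not keep Company" }
    # Assumption: with -Policy and -TrustRole, the cmdlet returns the trust only when
    # that policy is linked to it in that role, so an empty result means "not linked".
    $link = Get-ADClaimTransformLink -Identity $l.Identity -TrustRole $l.Role -Policy $Policy `
                -Server $l.Server -ErrorAction SilentlyContinue
    if (-not $link) { $Problems += "$Policy is not linked as $($l.Role) on $($l.Server) for $($l.Identity)" }
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } }
else { 'Claims transformation setup for Adatum -> Contoso looks consistent.' }
```

The script only reads directory data, so it can be rerun after each step; any warning it prints names the forest and the step to revisit.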

The following are additional common cases in claims transformation, with the policy commands for each.

Scenario: Allow all claims that come from Adatum to go through to Contoso (trusted forest: Adatum)

Policy:

    # Pass every incoming claim from the trust unchanged.
    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to allow all claims" `
    -Name:"AllowAllClaimsPolicy" `
    -AllowAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Deny all claims that come from Adatum to go through to Contoso (trusted forest: Adatum)

Policy:

    # Drop every incoming claim from the trust.
    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims" `
    -Name:"DenyAllClaimsPolicy" `
    -DenyAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Allow all claims that come from Adatum except “Company” and “Department” to go through to Contoso (trusted forest: Adatum)

Policy:

    # Pass every incoming claim except the listed claim types.
    New-ADClaimTransformPolicy `
    -Description:"Claim transformation policy to allow all claims except company and department" `
    -Name:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -AllowAllExcept:company,department `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"


© 2014 Microsoft