Step 3: Installing and Configuring AD FS

Applies To: Windows Server 2008, Windows Server 2008 R2

Now that you have configured the computers that will be used as federation servers, you are ready to install Active Directory Federation Services (AD FS) components on each of the computers. This section includes the following procedures:

  • Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT

  • Configure ADFS-ACCOUNT to work with AD RMS

  • Configure ADFS-RESOURCE to work with AD RMS

Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT

Use one of the following sections to install the Federation Service component of AD FS on the ADFS-RESOURCE computer and the ADFS-ACCOUNT computer depending on the requirements in your organization. After the Federation Service is installed on a computer, that computer becomes a federation server.

  • Install Federation Service on a Windows Server 2003 R2 Enterprise Edition–based server

  • Install Federation Service role service on a Windows Server 2008 Enterprise–based server

Install Federation Service on a Windows Server 2003 R2 Enterprise Edition–based server

If you are running Windows Server 2003 R2 Enterprise Edition on ADFS-RESOURCE and ADFS-ACCOUNT, use the following procedure to add the federation service. You must have a Secure Sockets Layer (SSL) certificate installed on the computer before adding the federation service.

To install the Federation Service on a Windows Server 2003 R2 Enterprise Edition–based computer

  1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN account.

  2. Click Start, point to Control Panel, and then click Add or Remove Programs.

  3. In Add or Remove Programs, click Add/Remove Windows Components.

  4. In the Windows Components Wizard, click Active Directory Services, and then click Details.

  5. In the Active Directory Services dialog box, click Active Directory Federation Services (ADFS), and then click Details.

  6. In the Active Directory Federation Services (ADFS) dialog box, select the Federation Service check box, and then click OK. If Microsoft ASP.NET 2.0 was not previously enabled, click Yes to enable it, and then click OK.

  7. In the Active Directory Services dialog box, click OK.

  8. In the Windows Components Wizard, click Next.

  9. On the Federation Service page, click the Select token certificate option, and select the certificate that should be used as the token signing certificate.

  10. Under Trust policy, click Create a new trust policy, and then click Next.

  11. If you are prompted for the location of the installation files, insert the Windows Server 2003 R2 Enterprise Edition product disc, and then click OK.

  12. On the Completing the Windows Components Wizard page, click Finish.

  13. Log on to ADFS-ACCOUNT as TREYRESEARCH\ADFSADMIN.

  14. Repeat steps 2–12 for the ADFS-ACCOUNT computer using the TREYRESEARCH\ADFSADMIN user account.

Install Federation Service role service on a Windows Server 2008 Enterprise–based server

If you are running Windows Server 2008 Enterprise on ADFS-RESOURCE and ADFS-ACCOUNT, use the following procedure to add the Federation Service role service by using Server Manager:

To add the Federation Service role service on a Windows Server 2008 Enterprise–based computer

  1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN account.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Click Add Roles.

  5. On the Before You Begin page, click Next.

  6. On the Select Server Roles page, click Active Directory Federation Services.

  7. Click Next.

  8. On the Introduction to AD FS page, click Next.

  9. On the Select Role Services page, select the Federation Service check box. If you are prompted to install additional role services, click Add Required Role Services, and then click Next.

  10. Select the Choose an existing certificate for SSL encryption option, click the appropriate certificate, and then click Next.

  11. On the Choose a Token-Signing Certificate page, select the Choose an existing token-signing certificate option, click the appropriate certificate, and then click Next.

  12. Select the Create a new trust policy option, and then click Next.

  13. Read the Introduction to Web Server (IIS) page, and then click Next.

  14. Keep the Web server default check box selections, and then click Next.

  15. Click Install.

  16. When the installation has completed, click Close.

  17. Log on to ADFS-ACCOUNT as TREYRESEARCH\ADFSADMIN.

  18. Repeat steps 2–16 for the ADFS-ACCOUNT computer using the TREYRESEARCH\ADFSADMIN user account.

Configure ADFS-ACCOUNT to work with AD RMS

The ADFS-ACCOUNT computer is a member of the TREYRESEARCH domain and forwards AD RMS requests to the CPANDL domain. In this section, you configure the AD FS trust policy, create a custom claim for the ProxyAddresses Active Directory attribute, add an Active Directory Account Store, and add and configure a resource partner.

First, configure the ADFS-ACCOUNT computer trust policy for the federation service in the TREYRESEARCH domain.

To configure the trust policy on the AD FS account partner (ADFS-ACCOUNT)

  1. Log on to ADFS-ACCOUNT with the TREYRESEARCH\adfsadmin account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  3. Expand Federation Service, right-click Trust Policy, and then click Properties.

  4. In the Federation Service URI box, type urn:federation:treyresearch.net.

Note

The Federation Service URI value is case sensitive.

  5. In the Federation Service endpoint URL box, confirm that https://ADFS-ACCOUNT.treyresearch.net/adfs/ls/ is shown.

  6. On the Display Name tab, in Display name for this trust policy, type Trey Research, and then click OK.

Next, create a custom claim that will be used with AD RMS.

To create a custom claim

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Claim name box, type ProxyAddresses.

Note

The claim name value is case-sensitive.

  4. Select the Custom claim option, and then click OK.

Important

Great care should be taken when allowing proxy addresses through a federated trust. If proxy addresses through federation are allowed, it is possible for a malicious user to spoof an authorized user's credentials and access the user's rights-protected content. If proxy addresses through federation is a requirement of your organization, you should implement a claims transformation module that will examine a proxy address from a federated user and make sure that it matches the forest in which the request originated. The option to allow a proxy address from a federated user is turned off by default in the Active Directory Rights Management Services console.
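The note above says a claims transformation module should confirm that a proxy address from a federated user matches the forest the request came from. The following Python is an added example, not from this guide and not AD FS code (a real AD FS 1.x transformation module is a .NET assembly); it models only the decision such a module would make, treating the e-mail suffixes accepted for the account partner as the definition of the originating forest. The suffix set, claim dictionary layout and function names are this example's own assumptions.

```python
"""Filter ProxyAddresses claims arriving over a federated trust.

Added example, not part of the Microsoft guide. It keeps only those
ProxyAddresses values that belong to the forest the account partner
represents, so a value copied from another forest never reaches AD RMS.
"""
from typing import Dict, List, Tuple

# Accepted e-mail suffixes for the Trey Research account partner, the
# value typed on ADFS-RESOURCE in this guide (constructed for the example).
TREYRESEARCH_SUFFIXES = frozenset({"treyresearch.net"})


def parse_proxy_address(value: str) -> Tuple[str, str]:
    """Split an Active Directory ProxyAddresses entry such as
    'SMTP:alice@treyresearch.net' into (address type, address).
    The type prefix is case-insensitive in AD, so it is lowered here;
    an entry with no prefix is treated as smtp."""
    kind, sep, addr = value.partition(":")
    if not sep:
        return "smtp", value.strip()
    return kind.strip().lower(), addr.strip()


def filter_proxy_addresses(values: List[str], accepted_suffixes) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped). Keep only SMTP addresses whose domain is one
    of the suffixes accepted for the account partner. Non-SMTP entries
    (X400, X500, sip, ...) and malformed values are dropped because they
    carry no forest information this check can verify."""
    kept, dropped = [], []
    for value in values:
        kind, addr = parse_proxy_address(value)
        local, at, domain = addr.rpartition("@")
        # Domain names are DNS names, so the suffix comparison is case-insensitive.
        if kind == "smtp" and local and at and domain.lower() in accepted_suffixes:
            kept.append(value)
        else:
            dropped.append(value)
    return kept, dropped


def transform_claims(claims: Dict[str, object], accepted_suffixes) -> Tuple[Dict[str, object], List[str]]:
    """Apply the filter to an incoming claim set. Returns the transformed
    claims plus the rejected entries so the caller can log them. If no
    proxy address survives, the claim is removed rather than sent empty."""
    out = dict(claims)
    kept, dropped = filter_proxy_addresses(list(claims.get("ProxyAddresses", [])), accepted_suffixes)
    if kept:
        out["ProxyAddresses"] = kept
    else:
        out.pop("ProxyAddresses", None)
    return out, dropped


if __name__ == "__main__":
    # Constructed sample: one legitimate address, one from the wrong forest,
    # one non-SMTP entry and one malformed value.
    sample = {
        "UPN": "alice@treyresearch.net",
        "E-mail": "alice@treyresearch.net",
        "ProxyAddresses": [
            "SMTP:alice@treyresearch.net",
            "smtp:alice@cpandl.com",
            "X400:c=US;a= ;p=Trey;o=Exchange;s=Alice;",
            "nobody-at-all",
        ],
    }
    transformed, rejected = transform_claims(sample, TREYRESEARCH_SUFFIXES)
    print("forwarded:", transformed)
    print("rejected: ", rejected)
```

The rejected list is the part worth logging: a steady trickle of proxy addresses from another forest is exactly the signal the note above warns about.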

Next, add an Active Directory account store to the Federation Service for the TREYRESEARCH domain.

To add an Active Directory account store to ADFS-ACCOUNT

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, click the Active Directory Domain Services option, and then click Next.

Note

On Windows Server 2003 R2 Enterprise Edition this option is called Active Directory.

  5. On the Enable this Account Store page, select the Enable this account store check box, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

  7. Double-click the E-mail organization claim, select the Enabled check box, type mail in the LDAP attribute box, and then click OK.

  8. Right-click the Active Directory account store, point to New, and then click Custom claim extraction.

  9. In the Attribute box, type ProxyAddresses, and then click OK.

Finally, add a resource partner to the Federation Service in the TREYRESEARCH domain.

To add a resource partner to the TREYRESEARCH domain

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand Partner Organizations.

  2. Right-click Resource Partners, point to New, and then click Resource Partner.

  3. On the Welcome to the Add Resource Partner Wizard page, click Next.

  4. Select the No option on the Import Policy File page, and then click Next.

  5. On the Resource Partner Details page, in the Display name box, type CP&L Enterprises.

  6. In the Federation Service URI box, type urn:federation:cpandl.com.

Note

The Federation Service URI value is case sensitive.

  7. In the Federation Service endpoint URL box, type https://adfs-resource.cpandl.com/adfs/ls/, and then click Next.

  8. On the Federation Scenario page, click the Federated Web SSO option, and then click Next.

  9. Select the UPN Claim and E-mail Claim check boxes, and then click Next.

  10. Click the Pass all UPN suffixes through unchanged option, and then click Next.

  11. Click the Pass all E-mail suffixes through unchanged option, and then click Next.

  12. Ensure that the Enable this resource partner check box is selected, and then click Next.

  13. Click Finish.

  14. Right-click the new CP&L Enterprises resource partner, point to New, and then click Outgoing Custom Claim Mapping.

  15. In the Outgoing custom claim name box, type ProxyAddresses, and then click OK.

  16. Close the Active Directory Federation Services console.

Configure ADFS-RESOURCE to work with AD RMS

The ADFS-RESOURCE computer is a member of the CPANDL domain and receives AD RMS requests from the TREYRESEARCH domain. In this section, you configure the AD FS trust policy, create a custom claim for the ProxyAddresses Active Directory attribute, add an Active Directory Account Store, add AD RMS as a Claims-aware application, and configure a resource partner.

First, configure the ADFS-RESOURCE computer trust policy for the federation service in the CPANDL domain.

To configure the trust policy on the AD FS resource partner (ADFS-RESOURCE)

  1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  3. Expand Federation Service, right-click Trust Policy, and then click Properties.

  4. In the Federation Service URI box, type urn:federation:cpandl.com.

Note

The Federation Service URI value is case sensitive.

  5. In the Federation Service endpoint URL box, confirm that https://ADFS-RESOURCE.cpandl.com/adfs/ls/ is shown.

  6. On the Display Name tab, in Display name for this trust policy, type CP&L Enterprises, and then click OK.

Next, create a custom claim that will be used with AD RMS.

To create a custom claim

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Organization Claims, point to New, and then click Organization Claim.

  3. In the Claim name box, type ProxyAddresses.

Note

The claim name value is case-sensitive.

  4. Click the Custom claim option, and then click OK.

Next, add an Active Directory account store to the Federation Service for the CPANDL domain.

To add an Active Directory account store to ADFS-RESOURCE

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, select the Active Directory Domain Services option, and then click Next.

Note

On Windows Server 2003 R2 Enterprise Edition, this option is called Active Directory.

  5. On the Enable this Account Store page, select the Enable this account store check box, and then click Next.

  6. On the Completing the Add Account Store Wizard page, click Finish.

  7. Double-click the E-mail organization claim, select the Enabled check box, type mail in the LDAP attribute box, and then click OK.

  8. Right-click the Active Directory account store, point to New, and then click Custom claim extraction.

  9. In the Attribute box, type ProxyAddresses, and then click OK.

Next, add the AD RMS certification pipeline as a claims-aware application.

To add the AD RMS certification pipeline as a claims-aware application

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Applications, point to New, and then click Application.

  3. On the Welcome to the Add Application Wizard page, click Next.

  4. On the Application Type page, select the Claims-aware application option, and then click Next.

  5. In the Application display name box, type AD RMS Certification.

  6. In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/certificationexternal/, and then click Next.

Note

The application URL is case sensitive and the name of the AD RMS extranet cluster should match the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality will not work.

  7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail check boxes, and then click Next.

  8. On the Enable this Application page, select the Enable this application check box, and then click Next.

  9. On the Completing the Add Application Wizard page, click Finish.

  10. In the task pane, double-click ProxyAddresses, select the Enabled check box, and then click OK.

Use the following procedure to add the AD RMS licensing pipeline as a claims-aware application.

To add AD RMS licensing as a claims-aware application

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand My Organization.

  2. Right-click Applications, point to New, and then click Application.

  3. On the Welcome to the Add Application Wizard page, click Next.

  4. On the Application Type page, select the Claims-aware application option, and then click Next.

  5. In the Application display name box, type AD RMS Licensing.

  6. In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/licensingexternal/, and then click Next.

Note

The application URL is case sensitive and the computer name in the URL should match the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality will not work.

  7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail check boxes, and then click Next.

  8. On the Enable this Application page, select the Enable this application check box, and then click Next.

  9. On the Completing the Add Application Wizard page, click Finish.

  10. In the task pane, double-click ProxyAddresses, select the Enabled check box, and then click OK.

Next, add an account partner to ADFS-RESOURCE. This account partner receives requests from the ADFS-ACCOUNT computer in the TREYRESEARCH domain.

To add an account partner to ADFS-RESOURCE

  1. In the Active Directory Federation Services console, expand Federation Service, expand Trust Policy, and then expand Partner Organizations.

  2. Right-click Account Partners, point to New, and then click Account Partner.

  3. On the Welcome to the Add Account Partner Wizard page, click Next.

  4. On the Import Policy File page, click the No option, and then click Next.

  5. On the Resource Partner Details page, in the Display name box, type Trey Research.

  6. In the Federation Service URI box, type urn:federation:treyresearch.net.

  7. In the Federation Service endpoint URL box, type https://adfs-account.treyresearch.net/adfs/ls/, and then click Next.

  8. On the Account Partner Verification page, type the path where the token signing certificate is stored, and then click Next.

  9. Select the Federated Web SSO option, and then click Next.

  10. Select the UPN Claim and E-mail Claim check boxes, and then click Next.

  11. On the Accepted UPN Suffixes page, type treyresearch.net, click Add, and then click Next.

  12. On the Accept E-mail Suffixes page, type treyresearch.net, click Add, and then click Next.

  13. Verify that the Enable this account partner check box is selected, and then click Next.

  14. Click Finish.

  15. Right-click the Trey Research account partner, point to New, and then click Incoming Custom Claim Mapping.

  16. In the Incoming custom claim name box, type ProxyAddresses, and then click OK.

  17. Close the Active Directory Federation Services console.
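The values typed on ADFS-ACCOUNT (trust policy, resource partner, outgoing custom claim mapping) and on ADFS-RESOURCE (trust policy, account partner, incoming custom claim mapping, claims-aware applications) have to agree with each other exactly, and the notes in both sections stress that the Federation Service URI, claim names and application URLs are case sensitive. The following Python is an added example, not part of this guide and not an AD FS tool: it records the values from both procedures and checks the pairs that must match before you test the federation. The data class, its field names, the check function and the rule that an application URL must start with the AD RMS return URL are assumptions of this example; AD FS 1.x exposes no scripting API for these settings, so the values are entered by hand.

```python
"""Cross-check the two trust policies configured in this guide.

Added example, not from the Microsoft guide. Each FederationSide holds one
server's own trust policy plus the partner entry it stores for the other
server; check_federation() reports every mismatch. Field names are this
example's own, not AD FS terms.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class FederationSide:
    uri: str                      # Federation Service URI of this server (case sensitive)
    endpoint: str                 # Federation Service endpoint URL of this server
    partner_uri: str              # URI typed into the partner wizard for the other server
    partner_endpoint: str         # endpoint URL typed into the partner wizard
    custom_claims: List[str] = field(default_factory=list)      # outgoing (account side) or incoming (resource side) custom claim mappings
    applications: Dict[str, str] = field(default_factory=dict)  # display name -> application URL (resource side only)


def same_endpoint(a: str, b: str) -> bool:
    """Scheme and host are compared case-insensitively because they are
    DNS names (the guide shows ADFS-ACCOUNT and adfs-account for the same
    server); the path is compared exactly, the conservative choice."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower(), pa.path) == (pb.scheme.lower(), pb.netloc.lower(), pb.path)


def check_federation(account: FederationSide, resource: FederationSide, adrms_return_url: str) -> List[str]:
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    # Each side's partner URI must equal the other side's own trust policy URI, byte for byte.
    if account.partner_uri != resource.uri:
        findings.append(f"ADFS-ACCOUNT resource partner URI {account.partner_uri!r} != ADFS-RESOURCE trust policy URI {resource.uri!r}")
    if resource.partner_uri != account.uri:
        findings.append(f"ADFS-RESOURCE account partner URI {resource.partner_uri!r} != ADFS-ACCOUNT trust policy URI {account.uri!r}")
    # Partner endpoint URLs must point at the other side's own endpoint.
    if not same_endpoint(account.partner_endpoint, resource.endpoint):
        findings.append(f"ADFS-ACCOUNT resource partner endpoint {account.partner_endpoint!r} != {resource.endpoint!r}")
    if not same_endpoint(resource.partner_endpoint, account.endpoint):
        findings.append(f"ADFS-RESOURCE account partner endpoint {resource.partner_endpoint!r} != {account.endpoint!r}")
    # Every outgoing custom claim needs an identically spelled incoming mapping.
    for name in sorted(set(account.custom_claims) - set(resource.custom_claims)):
        findings.append(f"outgoing custom claim {name!r} has no incoming custom claim mapping on ADFS-RESOURCE")
    # Application URLs must carry the AD RMS cluster name exactly as in its return URL (assumed rule).
    prefix = adrms_return_url.rstrip("/") + "/"
    for name, url in resource.applications.items():
        if not url.startswith(prefix):
            findings.append(f"application {name!r} URL {url!r} does not start with AD RMS return URL {prefix!r}")
    return findings


def guide_config():
    """The values this guide has you type, transcribed for the example."""
    account = FederationSide(
        uri="urn:federation:treyresearch.net",
        endpoint="https://ADFS-ACCOUNT.treyresearch.net/adfs/ls/",
        partner_uri="urn:federation:cpandl.com",
        partner_endpoint="https://adfs-resource.cpandl.com/adfs/ls/",
        custom_claims=["ProxyAddresses"],
    )
    resource = FederationSide(
        uri="urn:federation:cpandl.com",
        endpoint="https://ADFS-RESOURCE.cpandl.com/adfs/ls/",
        partner_uri="urn:federation:treyresearch.net",
        partner_endpoint="https://adfs-account.treyresearch.net/adfs/ls/",
        custom_claims=["ProxyAddresses"],
        applications={
            "AD RMS Certification": "https://adrms-srv.cpandl.com/_wmcs/certificationexternal/",
            "AD RMS Licensing": "https://adrms-srv.cpandl.com/_wmcs/licensingexternal/",
        },
    )
    return account, resource


if __name__ == "__main__":
    acct, res = guide_config()
    problems = check_federation(acct, res, "https://adrms-srv.cpandl.com")
    print("consistent" if not problems else "\n".join(problems))
```

Run it once with the values as configured and again after deliberately re-casing one URI; the second run shows how a single mis-typed character on one console produces a trust that looks complete but never matches.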