Deploy Claims Across Forests (Demonstration Steps)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In this topic, we'll cover a basic scenario that explains how to configure claims transformations between trusting and trusted forests. You will learn how claims transformation policy objects can be created and linked to the trust on the trusting forest and the trusted forest. You will then validate the scenario.

Scenario overview

Adatum Corporation provides financial services to Contoso, Ltd. Each quarter, Adatum accountants copy their account spreadsheets to a folder on a file server located at Contoso, Ltd. There is a two-way trust set up between Contoso and Adatum. Contoso, Ltd. wants to protect the share so that only Adatum employees can access the remote share.

In this scenario:

  1. Set up the prerequisites and the test environment

  2. Set up claims transformation in the trusted forest (Adatum)

  3. Set up claims transformation in the trusting forest (Contoso)

  4. Validate the scenario

Set up the prerequisites and the test environment

The test configuration involves setting up two forests: Adatum Corporation and Contoso, Ltd, and having a two-way trust between Contoso and Adatum. "adatum.com" is the trusted forest and "contoso.com" is the trusting forest.

The claims transformation scenario demonstrates transformation of a claim in the trusted forest to a claim in the trusting forest. To do this, you need to set up a new forest called adatum.com and populate the forest with a test user with a company value of 'Adatum'. You then have to set up a two-way trust between contoso.com and adatum.com.

Important

When setting up the Contoso and Adatum forests, you must ensure that both the root domains are at the Windows Server 2012 Domain Functional Level for claims transformation to work.

You need to set up the following for the lab. These procedures are explained in detail in Appendix B: Setting Up the Test Environment.

Implement the following procedures to set up the lab for this scenario:

  1. Set Adatum as trusted forest to Contoso

  2. Create the 'Company' claim type on Contoso

  3. Enable the 'Company' resource property on Contoso

  4. Create the central access rule

  5. Create the central access policy

  6. Publish the new policy through Group Policy

  7. Create the Earnings folder on the file server

  8. Set classification and apply the central access policy on the new folder

Use the following information to complete this scenario:

Objects                                               Details
Users                                                 Jeff Low, Adatum (company attribute set to 'Adatum')
User claims on Adatum and Contoso                     ID: ad://ext/Company:ContosoAdatum
                                                      Source attribute: company
                                                      Suggested values: Contoso, Adatum
                                                      Important: You must set the ID on the 'Company' claim type on both Contoso and Adatum to be the same for the claims transformation to work. Claims are matched across the trust by type ID, not by display name.
Central access rule on Contoso                        AdatumEmployeeAccessRule
Central access policy on Contoso                      Adatum Only Access Policy
Claims transformation policies on Adatum and Contoso  DenyAllExcept Company
File folder on Contoso                                D:\EARNINGS
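Before creating any transformation policy it is worth confirming the prerequisites above from one console. The following script is an added example and not part of the original walkthrough; it assumes the forest names adatum.com and contoso.com and the 'Company' claim type display name used on this page, and it must run as an account that can read both forests.

```powershell
# Added example (not from the original page): verify the prerequisites for
# cross-forest claims transformation. Assumes adatum.com (trusted) and
# contoso.com (trusting) and a claim type with display name 'Company'.
Import-Module ActiveDirectory

function Test-ClaimsTransformPrereqs {
    param(
        [string]$Trusted  = 'adatum.com',   # forest where the claims originate
        [string]$Trusting = 'contoso.com'   # forest that owns the resource
    )
    $problems = @()
    $minMode  = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain

    # 1. Both root domains must be at Windows Server 2012 DFL or higher.
    foreach ($d in $Trusted, $Trusting) {
        $mode = (Get-ADDomain -Server $d).DomainMode
        if ($mode -lt $minMode) {
            $problems += "$d is at domain functional level $mode; $minMode or higher is required."
        }
    }

    # 2. Each forest must hold a two-way forest trust object for the other.
    foreach ($side in @{ Server = $Trusted; Peer = $Trusting }, @{ Server = $Trusting; Peer = $Trusted }) {
        $t = Get-ADTrust -Filter "Name -eq '$($side.Peer)'" -Server $side.Server
        if (-not $t) {
            $problems += "$($side.Server) has no trust object for $($side.Peer)."
            continue
        }
        if ($t.Direction -ne 'BiDirectional') {
            $problems += "Trust from $($side.Server) to $($side.Peer) is $($t.Direction), not BiDirectional."
        }
        if (-not $t.ForestTransitive) {
            $problems += "Trust from $($side.Server) to $($side.Peer) is not a forest trust."
        }
    }

    # 3. The 'Company' claim type must exist in both forests with the SAME ID.
    #    Transformation policies match on the type ID, so a display-name match
    #    with different IDs silently drops the claim at the trust boundary.
    $c1 = Get-ADClaimType -Filter "DisplayName -eq 'Company'" -Server $Trusted
    $c2 = Get-ADClaimType -Filter "DisplayName -eq 'Company'" -Server $Trusting
    if (-not $c1 -or -not $c2) {
        $problems += "The 'Company' claim type is missing in one or both forests."
    }
    elseif ($c1.ID -ne $c2.ID) {
        $problems += "Claim type ID mismatch: $Trusted has '$($c1.ID)', $Trusting has '$($c2.ID)'."
    }
    elseif (-not $c2.Enabled) {
        $problems += "The 'Company' claim type is disabled in $Trusting."
    }

    if ($problems.Count -eq 0) { "All claims transformation prerequisites look good." }
    else { $problems }
}

Test-ClaimsTransformPrereqs
```

Fix anything the function reports before continuing; the policies in the next two sections depend on the claim type ID being identical on both sides.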

Set up claims transformation in the trusted forest (Adatum)

In this step you create a transformation policy in Adatum to deny all claims except 'Company' to pass to Contoso.

The Active Directory module for Windows PowerShell provides the DenyAllExcept parameter, which drops every claim except the specified claim types from the transformation policy.

To set up a claims transformation, you need to create a claims transformation policy and link it between the trusted and trusting forests.

Create a claims transformation policy in Adatum

To create a transformation policy in Adatum to deny all claims except 'Company'
  1. Sign in to the domain controller, adatum.com, as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt and type the following:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except Company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"adatum.com"


Set a claims transformation link on Adatum's trust domain object

In this step, you apply the newly created claims transformation policy on Adatum's trust domain object for Contoso.

To apply the claims transformation policy
  1. Sign in to the domain controller, adatum.com, as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt and type the following. The Identity is the name of Adatum's trust domain object for Contoso, and TrustRole:Trusted applies the policy to claims leaving Adatum:

    Set-ADClaimTransformLink `
    -Identity:"contoso.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusted `
    -Server:"adatum.com"


Set up claims transformation in the trusting forest (Contoso)

In this step you create a claims transformation policy in Contoso (the trusting forest) to deny all claims except 'Company'. You need to create a claims transformation policy and link it to the forest trust. Configuring the trusting side as well means Contoso does not have to rely on Adatum's egress policy to filter what arrives.

Create a claims transformation policy in Contoso

To create a transformation policy in Contoso to deny all claims except 'Company'
  1. Sign in to the domain controller, contoso.com, as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt and type the following:

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims except Company" `
    -Name:"DenyAllClaimsExceptCompanyPolicy" `
    -DenyAllExcept:company `
    -Server:"contoso.com"


Set a claims transformation link on Contoso's trust domain object

In this step, you apply the newly created claims transformation policy on the contoso.com trust domain object for Adatum, so that only the "Company" claim is passed through to contoso.com. The trust domain object is named adatum.com.

To set the claims transformation policy
  1. Sign in to the domain controller, contoso.com, as Administrator with the password pass@word1.

  2. Open an elevated Windows PowerShell prompt and type the following. TrustRole:Trusting applies the policy to claims entering Contoso from Adatum:

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsExceptCompanyPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

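Set-ADClaimTransformLink returns nothing on success, so it is easy to link the wrong policy or the wrong direction without noticing. The following read-back is an added example, not part of the original steps. It assumes the forest names and policy name used above, and that the link is stored on the trusted domain object (TDO) in the attributes msDS-EgressClaimsTransformationPolicy (set by TrustRole:Trusted, claims leaving the forest) and msDS-IngressClaimsTransformationPolicy (set by TrustRole:Trusting, claims entering the forest).

```powershell
# Added example (not from the original page): show which transformation
# policy is linked on a forest's TDO for its peer, and in which direction.
# Assumes adatum.com / contoso.com and the DenyAllClaimsExceptCompanyPolicy
# name used on this page.
Import-Module ActiveDirectory

function Get-ClaimsTransformLinkState {
    param(
        [Parameter(Mandatory)] [string]$Forest,      # forest whose DC we query
        [Parameter(Mandatory)] [string]$PeerForest   # the TDO is named after the peer
    )

    # The trusted domain object lives under CN=System and is named after the peer forest.
    $tdo = Get-ADObject -Server $Forest `
        -Filter "objectClass -eq 'trustedDomain' -and Name -eq '$PeerForest'" `
        -Properties 'msDS-EgressClaimsTransformationPolicy', 'msDS-IngressClaimsTransformationPolicy'
    if (-not $tdo) { throw "No trusted domain object named '$PeerForest' found in $Forest." }

    # Resolve a linked policy DN to its name and the rule text the policy stores.
    # The Rule property shows the rule that -DenyAllExcept / -AllowAll etc. generated.
    $resolve = {
        param($dn)
        if (-not $dn) { return $null }
        $p = Get-ADClaimTransformPolicy -Identity $dn -Server $Forest
        [pscustomobject]@{ Name = $p.Name; Rule = $p.Rule }
    }

    [pscustomobject]@{
        Forest  = $Forest
        Peer    = $PeerForest
        Egress  = & $resolve $tdo.'msDS-EgressClaimsTransformationPolicy'
        Ingress = & $resolve $tdo.'msDS-IngressClaimsTransformationPolicy'
    }
}

# Adatum (trusted side): expect Egress = DenyAllClaimsExceptCompanyPolicy, Ingress empty.
Get-ClaimsTransformLinkState -Forest 'adatum.com'  -PeerForest 'contoso.com' | Format-List
# Contoso (trusting side): expect Ingress = DenyAllClaimsExceptCompanyPolicy, Egress empty.
Get-ClaimsTransformLinkState -Forest 'contoso.com' -PeerForest 'adatum.com'  | Format-List
```

If a link landed in the wrong slot, Clear-ADClaimTransformLink on the same TDO with the matching TrustRole removes it, and Set-ADClaimTransformLink can then be re-run with the intended role.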

Validate the scenario

In this step you access the D:\EARNINGS folder that was set up on the file server FILE1 to validate that the Adatum user has access to the shared folder.

To ensure that the Adatum user can access the shared folder

  1. Sign in to the Client machine, CLIENT1 as Jeff Low with the password pass@word1.

  2. Browse to the folder \\FILE1.contoso.com\Earnings.

  3. Jeff Low should be able to access the folder.
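When step 3 fails, the first thing to establish is whether the Company claim is in the user's token at all, because a missing claim on the client and a claim dropped at the trust look the same from the share. The following script is an added example for CLIENT1, not part of the original procedure; it assumes the claim type ID and share path used on this page and that the signed-in user is Jeff Low.

```powershell
# Added example (not from the original page): run on CLIENT1 as Jeff Low.
# Checks the user's own token for the Company claim, then tests the share.
# Assumes the claim type ID and UNC path used on this page.
function Test-EarningsAccess {
    param(
        [string]$ClaimTypeId = 'ad://ext/Company:ContosoAdatum',
        [string]$Share       = '\\FILE1.contoso.com\Earnings'
    )

    # whoami /claims lists the user claims in the current logon token (Windows 8 /
    # Windows Server 2012 and later). If it reports "User claims unknown", the client
    # has not been enabled for Kerberos claims via Group Policy and nothing downstream
    # can work; that is a client problem, not a transformation problem.
    $claimsOutput = (whoami /claims 2>&1) | Out-String
    $clientClaimsEnabled = $claimsOutput -notmatch 'User claims unknown'
    $hasCompanyClaim     = $claimsOutput -match [regex]::Escape($ClaimTypeId)

    # Try to list the share; access denied surfaces as UnauthorizedAccessException.
    $canRead = $false
    $failure = $null
    try {
        Get-ChildItem -LiteralPath $Share -ErrorAction Stop | Out-Null
        $canRead = $true
    }
    catch [System.UnauthorizedAccessException] { $failure = 'access denied' }
    catch { $failure = $_.Exception.Message }

    [pscustomobject]@{
        User                = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ClientClaimsEnabled = $clientClaimsEnabled
        HasCompanyClaim     = $hasCompanyClaim   # claim present in the Adatum-issued token
        CanReadShare        = $canRead           # claim also survived the trust and matched the CAP
        Failure             = $failure
    }
}

Test-EarningsAccess | Format-List
```

HasCompanyClaim reflects the token issued by Adatum before any egress transformation, so HasCompanyClaim true with CanReadShare false points at the two transformation links or the central access policy on Contoso rather than at the user's attributes.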

Additional scenarios for claims transformation policies

Following is a list of additional common cases in claims transformation.

Scenario: Allow all claims that come from Adatum to go through to Contoso
Policy (run on contoso.com):

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to allow all claims" `
    -Name:"AllowAllClaimsPolicy" `
    -AllowAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Deny all claims that come from Adatum to go through to Contoso
Policy (run on contoso.com):

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to deny all claims" `
    -Name:"DenyAllClaimsPolicy" `
    -DenyAll `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"DenyAllClaimsPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"

Scenario: Allow all claims that come from Adatum except "Company" and "Department" to go through to Contoso
Policy (run on contoso.com):

    New-ADClaimTransformPolicy `
    -Description:"Claims transformation policy to allow all claims except company and department" `
    -Name:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -AllowAllExcept:company,department `
    -Server:"contoso.com"

    Set-ADClaimTransformLink `
    -Identity:"adatum.com" `
    -Policy:"AllowAllClaimsExceptCompanyAndDepartmentPolicy" `
    -TrustRole:Trusting `
    -Server:"contoso.com"
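The shorthand parameters above filter by claim type only: DenyAllExcept company lets any Company value cross the trust, and the value check is left to the central access rule. A policy can also filter on value with an explicit rule. The following is an added example, not one of the page's scenarios; the rule text is written in the AD claims transformation rules language as this editor understands it (claims are only passed when a rule issues them, so anything not matched is dropped), and the policy name PassCompanyAdatumOnlyPolicy is made up for the example. It assumes the claim type ID and forest names used on this page; check the rule against the Claims Transformation Rules Language reference before using it in production.

```powershell
# Added example (not from the original page): pass the Company claim across
# the trust only when its value is 'Adatum', using -Rule instead of the
# -DenyAllExcept shorthand. Policy name and rule text are this example's own.
Import-Module ActiveDirectory

$ClaimTypeId = 'ad://ext/Company:ContosoAdatum'   # must match in both forests

# Double-quoted here-string: the claim type ID is interpolated, the embedded
# double quotes and == are passed through to the rule engine unchanged.
# Only claims matched by a rule are issued; all other claims are dropped.
$Rule = @"
C1:[Type=="$ClaimTypeId", Value=="Adatum", ValueType=="string"] => Issue(claim=C1);
"@

# Egress side: create the policy in Adatum and link it for claims leaving Adatum.
New-ADClaimTransformPolicy `
    -Name 'PassCompanyAdatumOnlyPolicy' `
    -Description 'Pass the Company claim only when its value is Adatum' `
    -Rule $Rule `
    -Server 'adatum.com'

Set-ADClaimTransformLink `
    -Identity 'contoso.com' `
    -Policy 'PassCompanyAdatumOnlyPolicy' `
    -TrustRole Trusted `
    -Server 'adatum.com'

# Ingress side: Contoso should enforce the same restriction itself rather than
# trusting Adatum's egress policy, so create and link an identical policy there.
New-ADClaimTransformPolicy `
    -Name 'PassCompanyAdatumOnlyPolicy' `
    -Description 'Accept the Company claim only when its value is Adatum' `
    -Rule $Rule `
    -Server 'contoso.com'

Set-ADClaimTransformLink `
    -Identity 'adatum.com' `
    -Policy 'PassCompanyAdatumOnlyPolicy' `
    -TrustRole Trusting `
    -Server 'contoso.com'

# Read the stored rule back to confirm what the DC will actually evaluate.
(Get-ADClaimTransformPolicy -Identity 'PassCompanyAdatumOnlyPolicy' -Server 'contoso.com').Rule
```

Linking a new policy replaces the one currently linked on that TDO for that role, so this supersedes DenyAllClaimsExceptCompanyPolicy on both trusts; re-run the earlier Set-ADClaimTransformLink commands to restore it.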