Step 5: Install and Configure IIS, Certificates, and Group Policy

Applies To: Active Directory Federation Services (AD FS) 2.0

Use the following procedure to install the IIS (Web Server) role on FABRIKAMSRV01, CONTOSOSRV01 and CONTOSOSRV02.

To install IIS

  1. Click Start, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles.

  3. On the Add Roles Wizard, click Next.

  4. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next twice.

  5. On the Select Role Services page, select ASP.NET and then click Next.

  6. On the Add role services required for ASP.NET? dialog box, click Add Required Role Services.

  7. On the same page, select the Windows Authentication and IIS 6 Metabase Compatibility check boxes.

  8. Click Next to go to the Confirm Installation Options page.

  9. Click Install to begin installing IIS with the options that appear on the page.

  10. When the setup process is completed on all servers in the lab, proceed to the next step.

Disable Internet Explorer Enhanced Security Configuration

For SharePoint and AD FS login pages to work correctly, Internet Explorer Enhanced Security Configuration (ESC) must be disabled on all VMs. To disable ESC, complete the following steps on all four VMs (ContosoSrv01, ContosoSrv02, FabrikamSrv01, and FabrikamSrv02).

To disable ESC

  1. Log on to the computer using the domain Administrator account.

  2. Click Start, and then click Server Manager.

  3. In the console tree, select the top-level (Server Manager) node, and then in the details pane click Configure IE ESC.

  4. In the Configure IE ESC dialog box, click Off for both administrators and users, and then click OK.

Configure Group Policy

Use the following procedures to configure Group Policy to push important browser-specific settings to client computers. This section includes procedures for pushing Internet Explorer settings to the computers in the Contoso and Fabrikam domains.

Push Internet Explorer settings to servers in the Contoso domain

Use the following procedure to configure Group Policy on the contososrv01 VM computer.

To push Internet Explorer settings in the Contoso domain

  1. Log on to contososrv01 with the Domain Administrator account.

  2. Click Start, click Run, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-In, and then click Add. The Add or Remove Snap-Ins dialog box opens.

  4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK.

    The Group Policy Wizard opens.

  5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

  6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

  7. Click Finish, and then click OK.

  8. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection.

  9. Double-click Automatic Browser Configuration, clear the Automatically detect configuration settings check box, and then click OK.

  10. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security.

  11. Double-click Security Zones and Content Ratings, click Import the current security zones and privacy settings, click Continue when prompted, and then click Modify Settings.

  12. In the Internet Properties dialog box, click the Security tab, click Local intranet icon, and then click Sites.

  13. In the Local intranet dialog box, in Add this website to the zone, type *.contoso.com, click Add, select the Require server verification (https:) for all sites in this zone check box, click Close, and then click OK.

Push Internet Explorer settings to servers in the Fabrikam domain

Use the following procedure to configure Group Policy on the fabrikamsrv01 VM computer.

To push Internet Explorer settings in the Fabrikam domain

  1. Log on to fabrikamsrv01 with the Domain Administrator account.

  2. Click Start, click Run, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-In, and then click Add. The Add or Remove Snap-Ins dialog box opens.

  4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK.

    The Group Policy Wizard opens.

  5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

  6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

  7. Click Finish, and then click OK.

  8. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection.

  9. Double-click Automatic Browser Configuration, clear the Automatically detect configuration settings check box, and then click OK.

  10. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security.

  11. Double-click Security Zones and Content Ratings, click Import the current security zones and privacy settings, click Continue when prompted, and then click Modify Settings.

  12. In the Internet Properties dialog box, click the Local intranet icon, and then click Sites.

  13. In the Local intranet dialog box, in Add this website to the zone, type *.fabrikam.com, click Add, select the Require server verification (https:) for all sites in this zone check box, and then click Close.

Refresh Group Policy

To refresh Group Policy, complete the following procedure on each of the four VM computers (contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02).

To refresh Group Policy

  1. Click Start, click Run, type cmd and then press ENTER.

    A Command Prompt window opens.

  2. At the command prompt, type gpupdate /force, and then press ENTER.
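After the policy refresh, it is worth confirming on a client that the two Internet Explorer settings pushed by the Default Domain Policy actually landed in the user's profile. The following PowerShell check is an added example, not part of the original lab guide; it reads the standard per-user IE registry locations (the ZoneMap for zone assignments and the DefaultConnectionSettings blob for the auto-detect flag) for the contoso.com domain used in the procedure above, and assumes the flag-byte layout of that blob (offset 8, bit 0x08 = "Automatically detect settings").

```powershell
# Added check (not from the lab guide): did the IE settings from the Default Domain Policy apply?
# Run as the user whose policy was refreshed, after "gpupdate /force".
$domain = 'contoso.com'    # use fabrikam.com on the Fabrikam servers

# 1. Local intranet zone mapping. IE stores zone assignments under ZoneMap\Domains\<domain>\<host>,
#    with a value named after the scheme; data 1 = Local intranet zone. "*" is the wildcard host.
#    The mapping may be delivered per user (HKCU) or, with IE Maintenance, machine-wide (HKLM).
foreach ($hive in 'HKCU', 'HKLM') {
    $zoneKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\*"
    # -LiteralPath so the "*" key name is not expanded as a wildcard
    $entry = Get-ItemProperty -LiteralPath $zoneKey -Name https -ErrorAction SilentlyContinue
    if ($entry -and $entry.https -eq 1) {
        Write-Host "$hive : https://*.$domain is mapped to the Local intranet zone (zone 1)"
    } else {
        Write-Host "$hive : no Local intranet mapping for *.$domain found"
    }
}

# 2. "Automatically detect settings". Stored as a flag byte at offset 8 of the DefaultConnectionSettings
#    binary value: 0x01 = direct, 0x02 = proxy, 0x04 = autoconfig script, 0x08 = auto-detect (assumed layout).
$connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$conn = Get-ItemProperty -Path $connKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
if ($conn) {
    $flags = $conn.DefaultConnectionSettings[8]
    if ($flags -band 0x08) {
        Write-Warning 'Automatically detect settings is still ON; the policy has not applied to this user yet'
    } else {
        Write-Host 'Automatically detect settings is OFF, as the policy requires'
    }
}

# The authoritative view of what applied is the Resultant Set of Policy:
#   gpresult /r /scope user
```

If the ZoneMap entry is missing, run gpresult /r /scope user to see whether the Default Domain Policy was applied at all before editing the GPO again; a missing mapping means the AD FS and SharePoint pages will fall into the Internet zone, where integrated Windows authentication is not attempted.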

Configure certificates

Now that you have configured Group Policy to distribute certificates for the users in the contoso.com and fabrikam.com domains, use the following procedures to create the user and computer certificate templates.

This section includes the following procedures:

  • Install AD CS

  • Disable CRL extension

  • Configure certificate templates

  • Configure the Default Web Site on FabrikamSrv01

Install AD CS

Use the following procedure to install Active Directory Certificate Services (AD CS) on the contososrv01 and fabrikamsrv01 VM computers.

To install AD CS

  1. Log on to contososrv01 and fabrikamsrv01 with the domain administrator account.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary section, click Add roles.

  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.

  5. On the Select Role Services page, select the Certification Authority and the Certification Authority Web Enrollment check boxes.

  6. In the Add role services required for Certification Authority Web Enrollment dialog box, click Add Required Role Services, and then click Next.

  7. On the Specify Setup Type page, click Enterprise, and then click Next.

  8. On the Specify CA Type page, click Root CA, and then click Next.

  9. On the Set Up Private Key page, choose Create a new private key, and then click Next.

  10. On the Configure Cryptography for CA page, click Next to accept the default settings.

  11. On the Configure CA Name page, click Next to accept the default settings.

  12. On the Set Validity Period page, accept the default validity period, and then click Next.

  13. On the Configure Certificate Database page, accept the default values, and then click Next.

  14. On the Web Server (IIS) page, click Next.

  15. On the Select Role Services page, select the CGI, Client Certificate Mapping Authentication, IIS Client Certificate Mapping Authentication and URL Authorization check boxes, and then click Next.

  16. After verifying the information on the Confirmation page, click Install.

  17. Review the information on the confirmation screen to verify that the installation was successful.
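The same role services that the two wizards select ("To install IIS" above, and "To install AD CS" on contososrv01 and fabrikamsrv01) can be installed from PowerShell with the ServerManager module that ships with Windows Server 2008 R2. This is an added example, not part of the original lab guide; the feature names are the real ServerManager names for those role services, and the script assumes it is run on each server named in the procedures.

```powershell
# Added example (not from the lab guide): unattended equivalent of the two Add Roles wizards.
Import-Module ServerManager

# "Install IIS": Web Server with ASP.NET, Windows Authentication and IIS 6 Metabase Compatibility
$iisFeatures = 'Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Metabase'

# "Install AD CS" (contososrv01 and fabrikamsrv01 only): CA, Web Enrollment and the IIS role
# services the AD CS wizard adds (CGI, client certificate mapping, URL authorization)
$adcsFeatures = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment',
                'Web-CGI', 'Web-Client-Auth', 'Web-Cert-Auth', 'Web-Url-Auth'

function Install-LabFeatures {
    param([string[]]$Names)
    # Only install what is missing, so the script can be re-run safely
    $missing = Get-WindowsFeature $Names | Where-Object { -not $_.Installed } | ForEach-Object { $_.Name }
    if (-not $missing) { Write-Host 'All requested features are already installed'; return }
    $result = Add-WindowsFeature $missing        # required dependencies are pulled in automatically
    if (-not $result.Success) {
        throw "Feature installation failed:`n$($result.FeatureResult | Out-String)"
    }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing' }
    Get-WindowsFeature $Names | Format-Table Name, Installed -AutoSize
}

Install-LabFeatures $iisFeatures
if (@('CONTOSOSRV01', 'FABRIKAMSRV01') -contains $env:COMPUTERNAME) {
    Install-LabFeatures $adcsFeatures
}
```

On Windows Server 2008 R2 this installs the binaries only; the CA itself (Enterprise Root CA, new private key, default validity period) is still configured through the wizard pages in steps 7 through 13. On Windows Server 2012 and later the ADCSDeployment module's Install-AdcsCertificationAuthority -CAType EnterpriseRootCA does that part unattended.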

Disable CRL Extension

For the purpose of this lab demonstration, we will not publish the certificate revocation list (CRL) endpoint in the certificates. To disable the CRL extension in the issued certificates, complete the following procedure for both contososrv01 and fabrikamsrv01.

To disable CRL extension

  1. Log on to contososrv01 and fabrikamsrv01 with domain administrator credentials.

  2. Click Start, point to Administrative Tools, and then click Certification Authority.

  3. In the certsrv console, right-click the CA name (either contoso-CONTOSOSRV01-CA or fabrikam-FABRIKAMSRV01-CA), and then click Properties.

  4. In the dialog box that appears, click the Extensions tab.

  5. Delete all entries in the CRL Distribution Point list by selecting each item in the field and clicking Remove.

  6. After all entries are deleted, click OK to exit the dialog box.

  7. Click Yes in the next dialog box that appears.
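To confirm that the CA will really stop stamping a CRL Distribution Point into new certificates, the CA's CDP configuration can be read back from the registry. The following check is an added example, not part of the original lab guide. It relies on the documented layout of the CRLPublicationURLs value under the CertSvc configuration key: each entry is "<flags>:<location>", and flag bit 2 means "include in the CDP extension of issued certificates"; the Active value names the running CA (contoso-CONTOSOSRV01-CA or fabrikam-FABRIKAMSRV01-CA on the lab servers).

```powershell
# Added check (not from the lab guide): after the GUI step, no CRLPublicationURLs entry should still
# carry flag bit 2 ("Include in the CDP extension of issued certificates").
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

$stillInCdp = @()
foreach ($entry in $urls) {
    # Split on the first ':' only; the location itself may contain ':' (ldap:///, http://, C:\)
    $flags, $location = $entry -split ':', 2
    if ([int]$flags -band 2) { $stillInCdp += $location }
}

if ($stillInCdp) {
    Write-Warning ("$caName still writes these locations into the CDP extension:`n  " + ($stillInCdp -join "`n  "))
} else {
    Write-Host "$caName : no CDP locations configured; newly issued certificates carry no CRL Distribution Point"
}

# The change only takes effect after the CA restarts (the wizard's "Yes" prompt does this for you):
#   net stop certsvc & net start certsvc
# Certificates issued before the change keep the extension they were issued with; to inspect one:
#   certutil -dump issued.cer | findstr /i "CRL Distribution"
```

Without a CDP, relying parties cannot check whether one of these certificates has been revoked, which is acceptable only inside an isolated lab such as this one; in any other environment leave the HTTP distribution point in place and make sure the URL is reachable from every client.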

Configure certificate templates

Use the following procedure to configure the domain user certificates in AD CS on the contososrv01 and fabrikamsrv01 VM computers.

To configure certificate templates

  1. Log on to contososrv01 and fabrikamsrv01 using the domain administrator account.

  2. Click Start, type mmc, and then click OK. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In Available snap-ins, double-click Certificate Templates, and then click OK.

  4. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.

  5. In the details pane, right-click the Web Server template, and then click Properties.

    If the Security tab does not appear (you will need it in the next step), you might have to reopen this properties page by clicking the Manage link in the Actions pane on the right side of the console.

  6. On the Security tab, click Add, in the Enter the object names to select box type Domain Computers, and then click OK.

  7. In Permissions for Domain Computers, under Allow, select the Read and Enroll check boxes, and then click OK.

  8. On the Security tab, click Add, in the Enter the object names to select box type Domain Controllers, and then click OK.

  9. In Permissions for Domain Controllers, under Allow, select the Read and Enroll check boxes, and then click OK.

  10. Close the console, and open the command prompt window (click Start, click Run, type cmd, and then click OK), and type the following two commands to restart AD CS:

    net stop "Active Directory Certificate Services"
    net start "Active Directory Certificate Services"
    

Create a shared certificate for AD RMS and AD FS 2.0 on Contoso.com

To create the certificate for AD RMS and AD FS 2.0 to use

  1. Log on to contososrv01 as the CONTOSO\Administrator account with "demo!23" as the password.

  2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the console tree, click CONTOSOSRV01.

  4. In Features View pane, double-click Server Certificates.

  5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.

  6. On the Distinguished Name Properties page of the wizard, enter the settings from the following table, and then click Next.

    Field                  Value
    Common name            *.contoso.com
    Organization           Contoso Pharmaceutical
    Organizational unit    IT
    City/Locality          Redmond
    State/Province         WA
    Country/Region         US

  7. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.

Note

The Select button will be enabled only if a CA is correctly configured and exists on the domain.

  8. In Friendly name, type *.contoso.com Certificate, and then click Finish.

Note

You must provide a friendly name for the certificate.

Create a certificate for AD FS 2.0 on Fabrikam.com

To create the certificate for AD RMS and AD FS 2.0 to use

  1. Log on to fabrikamsrv01 as the FABRIKAM\Administrator account with "demo!23" as the password.

  2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the console tree, click FABRIKAMSRV01.

  4. In Features View pane, double-click Server Certificates.

  5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.

  6. On the Distinguished Name Properties page of the wizard, enter the settings from the following table, and then click Next.

    Field                  Value
    Common name            sts2.fabrikam.com
    Organization           Fabrikam Research
    Organizational unit    IT
    City/Locality          Redmond
    State/Province         WA
    Country/Region         US

  7. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.

Note

The Select button will be enabled only if a CA is correctly configured and exists on the domain.

  8. In Friendly name, type Sts2.fabrikam.com Certificate, and then click Finish.

Note

You must provide a friendly name for the certificate.

Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate

Each federation server requires a server authentication certificate (also known as a Secure Sockets Layer (SSL) certificate) to be bound to the Default Web Site before you can use AD FS 2.0. The Web server also requires this certificate.

To configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate

  1. Log on to FabrikamSrv01 with the Domain Administrator account.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the console tree, double-click FABRIKAMSRV01, double-click Sites, click Default Web Site, and then in Actions pane, click Bindings.

  4. On the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, under Type, click https, under SSL Certificate, select sts2.fabrikam.com in the list, click OK, and then click Close.

  6. In the details pane, double-click SSL Settings. Under Client certificates, verify that the Ignore option is selected, and then click Apply.
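The three procedures above (the domain certificate for *.contoso.com, the one for sts2.fabrikam.com, and the https binding on the Default Web Site) can also be done from the command line with certreq and the WebAdministration module, which is useful when the Select button in the wizard stays disabled or when the lab has to be rebuilt. The script below is an added example and not part of the original lab guide. It uses the distinguished-name values and friendly name from the Fabrikam table; the CA config string "<host>\<CA name>" assumes the CA host's FQDN is FABRIKAMSRV01.fabrikam.com (the CA name itself comes from the procedures), and the C:\Users\Public\certreq working folder is the script's own choice. For contososrv01 swap in CN=*.contoso.com, O=Contoso Pharmaceutical, the friendly name "*.contoso.com Certificate" and contoso-CONTOSOSRV01-CA.

```powershell
# Added example (not from the lab guide): request the server authentication certificate from the
# enterprise CA with certreq, then bind it to the Default Web Site on port 443.
$subject      = 'CN=sts2.fabrikam.com,OU=IT,O=Fabrikam Research,L=Redmond,S=WA,C=US'
$friendlyName = 'Sts2.fabrikam.com Certificate'
$caConfig     = 'FABRIKAMSRV01.fabrikam.com\fabrikam-FABRIKAMSRV01-CA'   # assumed host FQDN; see certutil -dump
$work         = 'C:\Users\Public\certreq'                                 # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq INF: machine key (IIS needs it in LocalMachine\My), 2048-bit RSA, exportable because the
# lab reuses one certificate for several services, issued from the CA's Web Server template
@"
[NewRequest]
Subject = "$subject"
FriendlyName = "$friendlyName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf"

certreq -new    "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig "$work\request.req" "$work\issued.cer"
certreq -accept "$work\issued.cer"    # installs the cert in LocalMachine\My and joins it to its private key

# Bind it: locate the newest certificate for this subject, add the https binding, attach the cert to 0.0.0.0:443
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=sts2.fabrikam.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in LocalMachine\My' }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Checks: the HTTP.SYS binding should show this certificate's hash, and client certificates must stay
# at "Ignore" (sslFlags without SslNegotiateCert/SslRequireCert), as step 6 requires
netsh http show sslcert ipport=0.0.0.0:443
Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath 'IIS:\Sites\Default Web Site' |
    Select-Object sslFlags
```

The certutil -dump command (run on the CA) prints the exact "Config:" string to use for $caConfig. Because the request is generated locally, the private key never leaves the server; only the CSR and the issued certificate travel to and from the CA.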

Export and import Root CA certificates

This section includes the following procedures:

  • Export both Root CA certificates

  • Import both Root CA certificates

Export both Root CA certificates

Use the following procedure to export the Root CA certificates from both the contososrv01 and the fabrikamsrv01 VM computers.

To export both Root CA certificates

  1. Log on to contososrv01 with the domain administrator account (CONTOSO\Administrator).

  2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console tree, expand Certificates (Local Computer), and then double-click Personal.

  8. Click Certificates; in the details pane, right-click Contoso-CONTOSOSRV01-CA; point to All Tasks, and then click Export.

  9. On the Welcome to the Certificate Export Wizard page, click Next.

  10. On the Export Private Key page, click No, do not export the private key, and then click Next.

  11. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.

  12. On the File to Export page, type c:\users\public\ContosoCA.cer, and then click Next.

  13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.

  14. Leave the Certificates snap-in open.

  15. Repeat steps 1 through 14 on the fabrikamsrv01 VM computer using FABRIKAM\Administrator for the login. In step 8, the certificate that you select will be named Fabrikam-FABRIKAMSRV01-CA. In step 12, type c:\users\public\FabrikamCA.cer as the File to Export value.

Import both Root CA certificates

Use the following procedure to import the Root CA certificates on both the contososrv01 and the fabrikamsrv01 VM computers and then distribute them to all the client computers using Group Policy.

To import both Root CA certificates

  1. Log on to contososrv01 with the CONTOSO\Administrator account.

  2. Click Start, click Run, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-In, and then click Add.

    The Add or Remove Snap-Ins dialog box opens.

  4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK.

    The Group Policy Wizard opens.

  5. In Select Group Policy Object, click Browse.

    The Browse for a Group Policy Object dialog box opens.

  6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

  7. Click Finish, and then click OK.

  8. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities.

  9. Right-click Trusted Root Certification Authorities, and select Import.

  10. On the Welcome to the Certificate Import Wizard page, click Next.

  11. On the File to Import page, type \\fabrikamsrv01\c$\users\public\FabrikamCA.cer, and then click Next.

  12. On the Certificate Store page, select Place all certificates in the following store and verify that it is pointed to the Trusted Root Certification Authorities store, and then click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.

  14. Repeat steps 2 through 13 on the fabrikamsrv01 VM computer using FABRIKAM\Administrator as the login. In step 11, type \\contososrv01\c$\users\public\ContosoCA.cer as the File to Import value.

Refresh Group Policy

To refresh Group Policy, complete the following procedure on each of the four VM computers (contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02).

To refresh Group Policy

  1. Click Start, click Run, type cmd, and then press ENTER.

    A Command Prompt window opens.

  2. At the command prompt, type gpupdate /force, and then press ENTER.
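The export, import and refresh steps above can be checked end to end from PowerShell: certutil can write the CA's own certificate without opening the Certificates snap-in, and after gpupdate each server should have the other forest's root in its machine Trusted Root store. This is an added example and not part of the original lab guide; the file paths, UNC path and CA names are the ones used in the procedures, and the subject patterns assume the default CA certificate subject of the form CN=<CA name>, DC=...

```powershell
# Added example (not from the lab guide): export the CA certificate, then verify the GPO-delivered trust.

# On contososrv01 (on fabrikamsrv01 use C:\Users\Public\FabrikamCA.cer). -ca.cert writes the CA's own
# certificate only; the CA private key is not touched.
certutil -ca.cert C:\Users\Public\ContosoCA.cer

# On any of the four servers, after "gpupdate /force": is each root CA present and self-signed?
function Test-RootTrust {
    param([string]$CaSubjectPattern)
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root |
               Where-Object { $_.Subject -like $CaSubjectPattern -and $_.Subject -eq $_.Issuer })
    return $roots.Count -gt 0
}

foreach ($pattern in '*CN=contoso-CONTOSOSRV01-CA*', '*CN=fabrikam-FABRIKAMSRV01-CA*') {
    Write-Host ('{0,-40} trusted on {1}: {2}' -f $pattern, $env:COMPUTERNAME, (Test-RootTrust $pattern))
}

# Cross-check that the file imported into the GPO is the same certificate now in the store
# (thumbprint comparison), so a stale or wrong .cer is caught before anything relies on it.
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            '\\fabrikamsrv01\c$\users\public\FabrikamCA.cer'
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $file.Thumbprint }
if ($installed) {
    Write-Host "FabrikamCA.cer (thumbprint $($file.Thumbprint)) is in the Trusted Root store"
} else {
    Write-Warning "FabrikamCA.cer is not trusted yet on $env:COMPUTERNAME; re-run gpupdate /force or check the GPO"
}
```

Importing a root into the Default Domain Policy makes every domain member trust whatever that CA issues, so compare the thumbprint printed here with the one shown in the certsrv console on the issuing CA before relying on the trust; in a lab the c$ share is a convenient transfer path, but the thumbprint check is what confirms the right file was imported.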

Install and configure AD RMS as a root cluster

Use the Add Roles Wizard to create a new Active Directory Rights Management Services (AD RMS) cluster on the contososrv01 VM.

To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Note

AD RMS creates new groups in AD DS. Therefore, you should install AD RMS after the AD DS role is fully installed and configured. Also, select the Add Required Role Services option during role installation.

Complete the Add AD RMS Role wizard using the information in the following table.

Wizard page: Select Role Services
    Select Active Directory Rights Management Server.
    Do not select Identity Federation Support.

Wizard page: Create or Join an AD RMS Cluster
    Select Create a new AD RMS cluster.

Wizard page: Select Configuration Database
    Select Use Windows Internal Database on this server.

Wizard page: Specify Service Account
    In Domain User Account, click Specify, and select the CONTOSO\adrmssrvc account.

    Note

    If the password does not validate when it is applied, ensure that the adrmssrvc account is a member of the CONTOSO\Domain Admins group.

Wizard page: Configure AD RMS Cluster Key Storage
    Select Use AD RMS centrally managed key storage.

Wizard page: Specify AD RMS Cluster Key Password
    Enter "p@ssw0rd" as the password.

Wizard page: Select AD RMS Cluster Web Site
    Select Default Web Site.

Wizard page: Specify Cluster Address
    Select the Use an SSL-encrypted connection option.
    In Internal Address, in Fully-Qualified Domain Name, type adrms.contoso.com; in Port, use 443; and then click Validate. When the URL validates, you can click Next.

Wizard page: Choose a Server Authentication Certificate for SSL Encryption
    Select the Choose an existing certificate for SSL encryption option.
    Select the certificate that you created previously in "Create a shared certificate for AD RMS and AD FS 2.0".

Wizard page: Name the Server Licensor Certificate
    In Name, use CONTOSOSRV01.

Wizard page: Register AD RMS Service Connection Point
    Select Register the AD RMS service connection point now.

Wizard page: Web Server (IIS)
    Accept the default options for the role, and then click Next.

Note

Once the AD RMS role is added, you need to log off and log on again before you can administer the AD RMS role.

Install SQL Server 2008 Standard SP1

We will be using Microsoft SQL Server 2008 Standard Service Pack 1 (SP1) to show how AD FS 2.0 connects to another data store and issues tokens containing values from that data store.

To install Microsoft SQL Server 2008 Standard SP1

  1. Log on to the contososrv01 computer with the Domain Administrator account.

  2. Locate the Setup.exe installer that you downloaded to the contososrv01 computer, and then double-click it.

  3. On the SQL Server Installation Center wizard page, click Installation.

  4. On the Installation page, click New SQL Server stand-alone installation or add features to an existing installation.

  5. Continue the installation. Accept the defaults for all installation options.

When you install SQL Server 2008 Standard SP1, in the SQL Server 2008 Setup Wizard use default choices, except for the following specific configuration changes to support the AD FS 2.0 virtual lab environment:

  • On the Feature Selection page, select the Database Engine Services and Management Tools - Basic check boxes as your installed feature options.

  • On the Server Configuration page, on the Service Account tab, for Account name, select NT AUTHORITY\SYSTEM as the account to be used.

  • On the Database Engine Configuration page, on the Account Provisioning tab, where it lists Specify SQL Server Administrators, click Add Current User, click Add, and then browse and add the user account (adfssrv) that you created.

Create the HOL Doctors Role database on ContosoSrv01

After you install and configure SQL Server on ContosoSrv01, you then create the hands-on lab Doctors Role database.

To create the hands-on lab (HOL) Role database on CONTOSOSRV01

  1. Log on to the contososrv01 computer with the Domain Administrator account.

  2. To start SQL Server Management Studio, click Start, point to All Programs, point to Microsoft SQL Server 2008, and then click SQL Server Management Studio.

  3. In the dialog box that appears, type ContosoSrv01 for the server name.

  4. Use the SQL script (HOL_Doctors_DB.sql) included with the support files for this lab setup.

    Open it in Microsoft SQL Server Management Studio by clicking File, pointing to Open, and then clicking File.

Note

This script is part of the support files download for this lab setup. For more information, see the table in Step 2: Download and Install Prerequisite Software.

  5. Select the file HOL_Doctors_DB.sql in the directory where it is saved.

  6. To run the script, click Execute. This should create the necessary database and associated tables.
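The same script can be run without Management Studio using sqlcmd, which is installed with the Management Tools - Basic feature selected earlier, and the result can be checked immediately. This is an added example and not part of the original lab guide. The lab text does not give the name of the database the script creates, so the check reads it back from sys.databases instead of assuming it; the C:\LabFiles path is an assumed location for the support-files download.

```powershell
# Added example (not from the lab guide): run HOL_Doctors_DB.sql with sqlcmd and list what it created.
$server = 'ContosoSrv01'
$script = 'C:\LabFiles\HOL_Doctors_DB.sql'     # assumed location of the support files

# -E: Windows authentication as the logged-on Domain Administrator; -b: non-zero exit code on any T-SQL error
sqlcmd -S $server -E -b -i $script
if ($LASTEXITCODE -ne 0) { throw "HOL_Doctors_DB.sql failed on $server (sqlcmd exit code $LASTEXITCODE)" }

# User databases (database_id > 4 skips master, tempdb, model and msdb); -h -1 drops headers, -W trailing spaces
$dbs = sqlcmd -S $server -E -h -1 -W -Q "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE database_id > 4"
foreach ($db in ($dbs | Where-Object { $_ })) {
    Write-Host "Database: $db"
    sqlcmd -S $server -E -d $db -h -1 -W -Q "SET NOCOUNT ON; SELECT '  ' + s.name + '.' + t.name FROM sys.tables t JOIN sys.schemas s ON t.schema_id = s.schema_id ORDER BY 1"
}
```

The lab makes adfssrv a SQL Server administrator for simplicity. AD FS 2.0 only reads from this attribute store when it issues claims, so outside a throwaway lab the account it runs as needs no more than db_datareader on this one database.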