Overview

Introduction

The Implementing AD Federation Services module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics. This module includes the following exercises:

  • Prepare System Requirements for ADFS Resource Partner
  • Prepare System Requirements for ADFS Accounts Partner
  • Enable Name Resolution for Resource and Account Domains
  • Prepare Requirements for AD FS Server Resource Partner
  • Install and Configure AD Federation Services
  • Create AD Federation Services Trusts

Lab time: It will take approximately 2 hours to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • SY0-501 4.1: Compare and contrast identity and access management concepts

Exercise 1 - Prepare System Requirements for ADFS Resource Partner

Access to network resources such as files, folders, printers or network applications is managed by assigning access control lists (ACLs) to users and groups in Active Directory Domain Services (AD DS). When a user logs in to the domain by presenting credentials and is successfully authenticated, access to corporate assets is granted according to that user's role in the network.

When two distinct organizations such as business affiliates need to share network resources, a federation can be established between the companies. A federation is a collection of realms or security domains with established relationships for sharing corporate assets.

Active Directory Federation Services (AD FS) is a Microsoft technology that provides identity federation using claims-based authentication. A claim is a statement about a user, such as the user's name or e-mail address among other attributes, that identifies the user to the application or resource being requested. Claims are carried in a security token signed by the issuing federation service, so the receiving side accepts the statement only because it trusts the signer.

Setting up AD FS typically involves two security domains: the Resource Partner and the Account Partner.

The Resource Partner is the domain where the network resource is located. This resource is typically a web application or another type of asset that is shared with an external organization.

The Account Partner is the domain that holds the accounts, such as users, that will access the corporate assets located in the Resource Partner.

In this lab, the domain called PRACTICELABS.COM is the resource domain where a sample claims-aware application will be created.

Exercise 2 - Prepare System Requirements for ADFS Accounts Partner

A claim is a statement about a user account that is used to authorize access to an application residing in the Resource Partner domain. The AD FS Account Partner domain contains the user accounts that will connect to the network assets found in the Resource Partner domain.

In this lab, a new domain called PRACTICEIT.CO.UK will be created. PRACTICEIT.CO.UK will be the account domain whose user accounts will access network assets found in the PRACTICELABS.COM resource domain.

Exercise 3 - Enable Name Resolution for Resource and Account Domains

Name resolution must be configured correctly between two organizations that are joined by an AD Federation Services trust. In this exercise, you will give the domain controller of each domain an alternate DNS server that points to the other organization. For example, the PRACTICELABS.COM domain controller PLABDC01 (192.168.0.1) will have an alternate DNS server of 192.168.0.4, which is PLABSA01, and vice versa.
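The following PowerShell is an added example and is not part of the lab manual. It performs the alternate-DNS-server change the exercise describes, then goes one step further than the lab and adds a conditional forwarder for the partner zone, which is the deterministic way to resolve a partner domain. The adapter alias "Ethernet" is an assumption; the host names and addresses are the ones given in the exercise.

```powershell
# Added example, not from the lab manual. Assumed: the adapter alias is "Ethernet"; the
# addresses are those stated in the exercise (PLABDC01 192.168.0.1 for PRACTICELABS.COM,
# PLABSA01 192.168.0.4 for PRACTICEIT.CO.UK). Run in an elevated session on each DC.

# --- What the exercise does: make the partner DC the alternate DNS server on each DC's NIC ---
# On PLABDC01 (PRACTICELABS.COM): preferred = itself, alternate = PLABSA01
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("192.168.0.1", "192.168.0.4")
# On PLABSA01 (PRACTICEIT.CO.UK): the mirror image
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("192.168.0.4", "192.168.0.1")

# --- The deterministic alternative: a conditional forwarder for the partner zone on each DNS server ---
# The DNS Client only consults the alternate server when the preferred one fails to respond; it does
# not retry on a negative answer. The lab setup works only because the isolated local DC cannot resolve
# the partner name at all. A conditional forwarder sends every query for the partner's zone straight
# to the partner's DNS server, regardless of client-side server order.
# On PLABDC01:
Add-DnsServerConditionalForwarderZone -Name "practiceit.co.uk" -MasterServers 192.168.0.4 -ReplicationScope "Forest"
# On PLABSA01:
Add-DnsServerConditionalForwarderZone -Name "practicelabs.com" -MasterServers 192.168.0.1 -ReplicationScope "Forest"

# --- Verify from PLABDC01: the partner zone and its DC locator SRV record must resolve ---
Get-DnsClientServerAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4
Resolve-DnsName -Name "practiceit.co.uk" -Type A
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.practiceit.co.uk" -Type SRV
```

Run the verification from both sides; the SRV lookup is the one AD FS-related tooling and the trust wizards actually depend on, so an A record alone is not proof that resolution is complete.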

Exercise 4 - Prepare Requirements for AD FS Server Resource Partner

The Resource Partner domain in an Active Directory Federation Services infrastructure is the organization that owns the corporate network resource, such as a web application, that is accessed by users from the Account Partner organization.

Exercise 5 - Install and Configure AD Federation Services

After successfully setting up the requirements on the resource partner and account partner sides, you will now install Active Directory Federation Services in each organization's domain.
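As an added example (not the lab's own steps), the PowerShell below installs the AD FS role and creates the first federation server of a farm on the resource partner side; the account partner side is the same with its own names. The federation service name adfs.practicelabs.com, the gMSA name gMSA-ADFS, the computer account PLABDC01$ and the certificate subject are all placeholders assumed for the example.

```powershell
# Added example, not from the lab manual. Assumed placeholders: federation service name
# adfs.practicelabs.com, gMSA name gMSA-ADFS, AD FS host computer account PLABDC01$, and an
# SSL certificate for adfs.practicelabs.com already imported into LocalMachine\My.
# Run in an elevated session on the server that will become the federation server.

# 1. Install the role; this does not configure a federation service yet.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Use a group Managed Service Account so the service identity has no static password.
#    Add-KdsRootKey normally needs ~10 hours to replicate before it is usable; back-dating the
#    effective time is a lab-only shortcut, not something to do in production.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount -Name "gMSA-ADFS" -DNSHostName "adfs.practicelabs.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "PLABDC01$"

# 3. Pick the SSL certificate by its thumbprint rather than typing it in.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "*adfs.practicelabs.com*" } |
          Select-Object -First 1).Thumbprint

# 4. Create the farm (Windows Internal Database holds the configuration by default).
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName "adfs.practicelabs.com" `
    -FederationServiceDisplayName "Practice Labs Federation" `
    -GroupServiceAccountIdentifier "PRACTICELABS\gMSA-ADFS$"

# 5. Checks: the service identifier, the self-signed token-signing certificate the farm generated
#    (this is what a partner will trust), and that federation metadata is published over HTTPS.
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
Invoke-WebRequest -UseBasicParsing `
    -Uri "https://adfs.practicelabs.com/FederationMetadata/2007-06/FederationMetadata.xml" |
    Select-Object StatusCode
```

The SSL certificate you supply protects the HTTPS endpoint only; the farm generates its own token-signing and token-decrypting certificates with automatic rollover enabled. The partner will pin the token-signing certificate when the trust is created, so note its thumbprint and keep the metadata URL reachable from the partner network.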

Exercise 6 - Create AD Federation Services Trusts

In Active Directory Domain Services (AD DS), a trust relationship is created between two Active Directory domains, spanning two forests or two external domains, to allow sharing of network assets or centralized administration of users and groups across domains. The trust relationship is a logical link between two domains that relies on a verifiable, permanent network connection between the domain controllers of both sides to authenticate every identity that accesses resources in the AD domains.

In Active Directory Federation Services (AD FS), a federation trust must instead be established between the account partner and resource partner federation services. The resource partner hosts the application that will be accessed by the account partner organization. Unlike an AD DS trust, a federation trust needs no network path between the two directories: each side trusts the other's token-signing certificate, and the user's browser carries the signed token from the account partner's federation service to the resource partner's. The trust is therefore only as strong as the protection of those signing keys and the rules that decide which claims each side issues and accepts.
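The PowerShell below is an added example, not the lab's own steps, showing both halves of the federation trust plus the relying party trust for the sample claims-aware application, with claim rules that restrict what each side issues and accepts. The federation service names adfs.practicelabs.com and adfs.practiceit.co.uk, the application URL https://app.practicelabs.com/ and the group Partner-App-Users are assumed placeholders.

```powershell
# Added example, not from the lab manual. Assumed placeholders: federation services
# adfs.practiceit.co.uk (account partner) and adfs.practicelabs.com (resource partner),
# sample application https://app.practicelabs.com/, and an AD group Partner-App-Users.
# Each section runs in an elevated session on the AD FS server of the side named.

# ===== Account partner (PRACTICEIT.CO.UK): the resource partner is a RELYING PARTY here =====
# Issue only the UPN and group names from AD for the authenticated Windows account.
$issuanceRules = @'
@RuleName = "Send UPN and group names from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role"), query = ";userPrincipalName,tokenGroups;{0}", param = c.Value);
'@
# Least privilege: only members of one group may obtain a token for the partner (default is "permit everyone").
$authzRules = @'
@RuleName = "Permit only Partner-App-Users"
c:[Type == "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role", Value == "Partner-App-Users"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name "PRACTICELABS.COM federation" `
    -MetadataUrl "https://adfs.practicelabs.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# ===== Resource partner (PRACTICELABS.COM): the account partner is a CLAIMS PROVIDER here =====
# Accept only claims the partner is entitled to make: UPNs in its own suffix and its role claims.
# Passing through everything would let the partner assert identities in the local namespace.
$acceptanceRules = @'
@RuleName = "Accept only practiceit.co.uk UPNs"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "@practiceit\.co\.uk$"]
 => issue(claim = c);
@RuleName = "Pass through partner role claims"
c:[Type == "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name "PRACTICEIT.CO.UK federation" `
    -MetadataUrl "https://adfs.practiceit.co.uk/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -AcceptanceTransformRules $acceptanceRules

# Also on the resource partner: the sample claims-aware application is a relying party of the local AD FS.
$appRules = @'
@RuleName = "Pass UPN and role to the application"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
c:[Type == "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/role"] => issue(claim = c);
'@
Add-AdfsRelyingPartyTrust -Name "Sample claims-aware app" `
    -Identifier "https://app.practicelabs.com/" `
    -WSFedEndpoint "https://app.practicelabs.com/" `
    -IssuanceTransformRules $appRules

# Verify the trusts exist and metadata monitoring is on (so partner certificate rollover is picked up).
Get-AdfsClaimsProviderTrust | Select-Object Name, Enabled, MonitoringEnabled
Get-AdfsRelyingPartyTrust   | Select-Object Name, Enabled, MonitoringEnabled
```

Creating each trust from the partner's federation metadata URL pins the partner's token-signing certificate and, with monitoring and auto-update enabled, follows its automatic rollover; a trust created from a manually exported metadata file will silently break when the partner rolls its signing key.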
