Overview

Introduction

Welcome to the Implementing AD Federation Services Practice Lab. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

  • Prepare System Requirements for ADFS Resource Partner
  • Prepare System Requirements for ADFS Accounts Partner
  • Enable Name Resolution for Resource and Account Domains
  • Prepare Requirements for AD FS Server Resource Partner
  • Install and Configure AD Federation Services
  • Create AD Federation Services Trusts

After completing this lab, you will be able to:

  • Add and install AD Certificate Services
  • Export root CA certificate to a file
  • Configure custom certificate template on CA server
  • Allow issuance of the new template
  • Request web certificate for ADFS server
  • Install a new AD DS forest
  • Install and configure AD Certificate Services
  • Export root CA certificate
  • Configure custom certificate template on CA server
  • Allow issuance of the new template
  • Request web certificate for ADFS server
  • Create GPO for trusted root CA in PRACTICELABS.COM and PRACTICEIT.CO.UK domains
  • Configure alternate DNS and DNS forwarding
  • Install IIS on PLABDM01
  • Request computer certificate for IIS
  • Configure SSL bindings
  • Download a sample claims application
  • Add web application
  • Install IIS on PLABDC01 and PLABSA01 that will run AD FS
  • Add ADFS feature in the resource partner
  • Configure a standalone federation server
  • Verify the availability of federation metadata on AD FS Server
  • Install AD FS in accounts partner domain
  • Configure a standalone federation server in accounts partner organization
  • Verify the availability of federation metadata on AD FS Server on accounts partner
  • Enable claims provider trust
  • Configure the Windows Identity Foundation Federation Utility
  • Configure a relying party trust for the claims web application
  • Configure claim rules for the relying party trust
  • Create a claims provider trust for the claims web application
  • Configure claim rules for the claims provider trust

Exam Objectives

The following exam objectives are covered in this lab:

  • CAS-003 4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.

Lab Duration

It will take approximately 2 hours to complete this lab.

Exercise 1 - Prepare System Requirements for ADFS Resource Partner

The administration of network resources such as files, folders, printers or network applications can be managed by setting up access control lists (ACLs) to users, groups in Active Directory Domain Services or AD DS. When a user logs in to the domain by presenting their credential or identity and is successfully signed-in, they are granted access to corporate assets based on their role in the network.

When two distinct organizations, such as business affiliates, need to share network resources, a federation can be established between the companies. A federation is a collection of realms or security domains with established relationships for sharing corporate assets.

Active Directory Federation Services or AD FS is a Microsoft technology that provides identity federation that uses claims-based authentication. A claim is a statement regarding a user such as a user’s name, e-mail address among other user attributes that identify the user to the application or resource that they had requested.

When setting up AD FS, it typically involves two security domains: The Resource Partner and the Accounts Partner.

The Resource Partner is the domain where the network resource is located. This resource is typically a web application or other type of asset that is shared with an external organization.

The Account Partner is the domain that holds the accounts, such as users, who will access the corporate assets located in the Resource Partner.

In this lab, the domain called PRACTICELABS.COM is the resource domain where a sample claims-aware application will be created.

Learning Outcomes

After completing this exercise, you will be able to:

  • Add and install AD Certificate Services
  • Export root CA certificate to a file
  • Configure custom certificate template on CA server
  • Allow issuance of the new template
  • Request web certificate for ADFS server

Exercise 2 - Prepare System Requirements for ADFS Accounts Partner

A claim is a statement about a user account that is used for authorizing access to an application residing in the Resource Partner domain. ADFS Accounts Partner domain contains the user accounts that will connect to the network assets found in the Resource Partner domain.

The Account Partner is the domain that holds the accounts, such as users, who will access the corporate assets located in the Resource Partner.

In this lab, a new domain called PRACTICEIT.CO.UK will be created. PRACTICEIT.CO.UK will be the accounts domain where users accounts will be accessing network assets found in the PRACTICELABS.COM resource domain.

Learning Outcomes

After completing this exercise, you will be able to:

  • Install a new AD DS forest
  • Install and configure AD Certificate Services
  • Export root CA certificate
  • Configure custom certificate template on CA server
  • Allow issuance of the new template
  • Request web certificate for ADFS server
  • Create GPO for trusted root CA in PRACTICELABS.COM and PRACTICEIT.CO.UK domains
  • Configure alternate DNS and DNS forwarding

Exercise 3 - Enable Name Resolution for Resource and Account Domains

Name resolution must be properly configured between two organizations that are joined together with an AD Federation Services trust. In this exercise, you will enable the domain controllers of each domain to have an alternate DNS server that points to the external organization. For example, PRACTICELABS.COM domain controller called PLABDC01 with an IP address 192.168.0.1 will have an alternate DNS server that points to 192.168.0.4 which is PLABSA01 and vice-versa.

Learning Outcomes

After completing this exercise, you will be able to:

  • Configure alternate DNS and DNS forwarding

Exercise 4 - Prepare Requirements for AD FS Server Resource Partner

The Resource Partner domain in an Active Directory Federation Services infrastructure is the organization that owns the corporate network resource such as web application that is accessed by users from the Account Partner organization.

Learning Outcomes

After completing this exercise, you will be able to:

  • Install IIS on PLABDM01
  • Request computer certificate for IIS
  • Configure SSL bindings
  • Download a sample claims application
  • Add web application

Exercise 5 - Install and Configure AD Federation Services

After successfully setting the up the requirements for the resource and account partner side of the AD FS, you will now install the Active Directory Federation Services on each organization domain

Learning Outcomes

After completing this exercise, you will be able to:

  • Install IIS on PLABDC01 and PLABSA01 that will run AD FS
  • Add ADFS feature in the resource partner
  • Configure a standalone federation server
  • Verify the availability of federation metadata on AD FS Server
  • Install AD FS in accounts partner domain
  • Configure a standalone federation server in accounts partner organization
  • Verify the availability of federation metadata on AD FS Server on accounts partner

Exercise 6 - Create AD Federation Services Trusts

In Active Directory Domain Services or AD DS, a trust relationship is created between two Active Directory Domains that span two domain forests or two external domains to allow the sharing of network assets or centralize administration of users or groups between domains. The trust relationship is a logical link between two domains relies on a verifiable and permanent network connection to authenticate all identities who access resources in the AD domains.

In Active Directory Federation Services or AD FS, a federation trust must be established between the account partner and resource partner domains. The resource partner hosts the application that will be accessed by the account partner organization.

Learning Outcomes

After completing this exercise, you will be able to:

  • Enable claims provider trust
  • Configure the Windows Identity Foundation Federation Utility
  • Configure a relying party trust for the claims web application
  • Configure claim rules for the relying party trust
  • Create a claims provider trust for the claims web application
  • Configure claim rules for the claims provider trust

Comprehensive Learning

See the full benefits of our immersive learning experience with interactive courses and guided career paths.