Posted on 26-Mar-2018
Nikhil Shankar Singh Prasad Tandel
Install and Configure ADFS 2.0 on SharePoint 2013 Cloudshare Environment
Revision history
Date: Jan 02, 2015
Description: Initial version
Owner: Nikhil Shankar Singh, Prasad Tandel
Contents
Install and configure ADFS on Windows 2012 ... 2
Pre-requisites ... 2
Add DNS A record for ADFS server domain ... 2
Install and Configure Certificate Authority – Enterprise ... 3
Installing Certificate Authority ... 3
Configure Certificate Authority ... 8
Create SSL certificate template ... 14
Enroll certificate ... 22
Validate your certificate in IIS ... 29
Install ADFS for Windows Server 2012 R2 ... 30
Configure ADFS ... 30
Verifying AD FS installation ... 36
Configure ADFS Relying Party Trust ... 36
Generate new Primary ADFS certificates (Token Signing and Token Decrypting) ... 47
Changing the Certificates Used by ADFS Server ... 56
Export ADFS Root and Token Signing certificate to SharePoint ... 60
Configure the Trusted Identity Provider in SharePoint ... 64
ADFS User Creation in Active Directory and add Email address attribute ... 66
Provide access to ADFS user on SharePoint Sites using email address ... 66
Uninstall ADFS and Certification Authority Completely ... 67
Conclusion ... 71
Definition and Acronyms ... 71
Install and configure ADFS on Windows 2012
Pre-requisites
Prepare a Windows 2012 R2 VM and join it to the domain.
Service account: domain\adfs_install; add this account to the local Administrators group on the box.
DNS A record: adfs.domain.local => ADFS server IP (e.g. in the cloud environment the domain is DC07.com).
Make sure all AD user accounts, service accounts and admin accounts have the Email property populated.
Add DNS A record for ADFS server domain
Open DNS and add New Host-A entry in Forward lookup zone.
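The pre-requisites and the DNS step above as one script. This is an added example, not part of the original document; it assumes the zone name domain.local, the host name adfs, a constructed IP address 10.0.0.10 and the service account domain\adfs_install named in the pre-requisites. The DNS cmdlets come from the DnsServer module, so run this on the domain controller (or add -ComputerName to target it).

```powershell
# Added example: scripted pre-requisite checks for the ADFS server.
# Assumptions: zone "domain.local", host "adfs", IP 10.0.0.10 (constructed),
# service account "domain\adfs_install".
Import-Module ActiveDirectory
Import-Module DnsServer

$zone       = 'domain.local'
$adfsHost   = 'adfs'
$adfsIp     = '10.0.0.10'          # constructed sample value; use the real ADFS server IP
$svcAccount = 'domain\adfs_install'

# 1. Make the service account a local administrator on this box.
net localgroup Administrators $svcAccount /add

# 2. Create the Host (A) record in the forward lookup zone (skip if it already exists).
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $adfsHost -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $adfsHost -IPv4Address $adfsIp
}
Resolve-DnsName "$adfsHost.$zone" -Type A      # should return the IP just registered

# 3. Every account that will sign in through ADFS needs the mail attribute,
#    because the e-mail address is what SharePoint receives as the identity claim.
$noMail = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail | Where-Object { -not $_.mail }
if ($noMail) {
    Write-Warning 'Enabled users without an e-mail address (these will fail SharePoint sign-in):'
    $noMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

The last check is the one most often skipped; a user without a mail attribute gets a token with no identity claim and SharePoint refuses the sign-in with no hint that AD is the cause.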
Install and Configure Certificate Authority – Enterprise
Installing Certificate Authority
Create SSL certificate template
Open the certification authority tool on your CA server
Right-click certificate templates and choose Manage
Right click on the Web server template and choose Duplicate template
On the general tab, give the template a new name for example ADFS server
On the request handling tab check Allow private key to be exported
On the Cryptography tab check “Requests can use any provider available on the subject’s computer”
As a final step, your IIS server needs the proper permission to enroll this type of certificate. In my Active Directory domain (e.g. DC07.Loc) I have configured a group of all IIS servers (Web server) that may enroll certificates from my CA. Give the server on which you will install ADFS Enroll rights. Afterwards choose Apply and OK.
In the case of a cloud server, add the server name and give it Enroll and Read permission.
Go back to your Certification Authority console and right-click Certificate Templates. Choose New > Certificate Template to Issue.
Choose ADFS server and click OK.
ADFS Server will now appear in the "Certificate Templates" section.
Enroll certificate
Open an MMC console on the server on which you are planning to install ADFS.
Click on File and choose Add/Remove Snap-In
Choose certificates and click Add
Right-click Certificates > Personal and choose All Tasks > Request New Certificate.
Click Next.
Click Next.
Check ADFS server and click the link "More information is required to enroll for this certificate."
Enter as the common name the name you will use to access your ADFS. In total, enter:
1. Common Name of the certificate (Note: the common name must contain at least one "." dot)
2. Organization, 3. OU, 4. Locality, 5. Country.
Afterwards choose OK and Apply.
Click Enroll.
Validate your certificate in IIS
To check that the server certificate is properly installed, open IIS Manager.
Double-click Server Certificates.
If your certificate is listed here, it is properly installed.
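The same enrollment, done with the PKI module instead of the MMC wizard, followed by the checks the rest of this document relies on (private key present, 2048-bit, exportable, chain valid). This is an added example, not code from the original document; it assumes the duplicated template's name (not its display name) is ADFSServer, a constructed subject for adfs.DC07.Loc, and a key created with a legacy CSP as the template's "any provider" setting allows.

```powershell
# Added example: enroll the ADFS SSL certificate from the enterprise CA and validate it.
# Assumptions: template name "ADFSServer" (constructed), service name adfs.DC07.Loc.
Import-Module PKI

$template = 'ADFSServer'                                   # template *name* of the duplicate
$subject  = 'CN=adfs.DC07.Loc, O=DC07, L=City, C=US'       # constructed; CN must contain a "."

$result = Get-Certificate -Template $template `
                          -SubjectName $subject `
                          -DnsName 'adfs.DC07.Loc' `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

# Status is Pending when the CA holds the request for manual issue, Denied when the
# template's Enroll/Read permissions are missing for this computer account.
if ($result.Status -ne 'Issued') {
    throw "Enrollment not completed: status is $($result.Status)"
}
$cert = $result.Certificate

# Equivalent of looking in IIS Manager > Server Certificates, plus the key requirements
$checks = [ordered]@{
    'Private key present' = $cert.HasPrivateKey
    'RSA 2048-bit'        = ($cert.PublicKey.Key.KeySize -ge 2048)
    'Key exportable'      = $cert.PrivateKey.CspKeyContainerInfo.Exportable   # CSP keys only
    'Chain validates'     = $cert.Verify()
}
$checks.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { throw 'Certificate does not meet the requirements listed above' }
"Thumbprint: $($cert.Thumbprint)"
```

Keep the thumbprint it prints; the ADFS configuration wizard (and Install-AdfsFarm) select the SSL certificate by thumbprint.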
Install ADFS for Windows Server 2012 R2
To configure AD FS as a stand-alone federation server for Microsoft Dynamics CRM Server claims authentication, do the following:
1. Open the Windows Server 2012 R2 Add Roles and Features Wizard and add the Active Directory Federation Services server role.
2. Proceed through the wizard. Click Configure the federation service on this server.
3. On the Welcome page of the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next.
4. Proceed through the wizard. On the Specify Service Properties page, select your SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name.
Configure ADFS
Open ADFS management
Start the AD FS Federation Server Configuration Wizard.
Choose Create a new Federation Service.
Click Next.
Verifying AD FS installation
Use the following steps to verify the AD FS installation:
1. On the AD FS server, open Internet Explorer.
2. Browse to the URL of the federation metadata. For example, https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml (in this environment: http://c4968397007/federationmetadata/2007-06/federationmetadata.xml). You may need to turn on Compatibility View in Internet Explorer.
3. Verify that no certificate-related warnings appear. If necessary, check your certificate and DNS settings.
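The role installation, the farm configuration and the metadata check above as one script, run on the future ADFS server as a domain administrator. This is an added example and not the document's own procedure; it assumes the federation service name adfs.DC07.Loc, the service account DC07\adfs_install from the pre-requisites, and that the SSL certificate is already in the machine store (its thumbprint is a placeholder you must fill in).

```powershell
# Added example: install and configure a stand-alone ADFS farm, then fetch its metadata.
# Assumptions: service name adfs.DC07.Loc, service account DC07\adfs_install,
# SSL certificate already in Cert:\LocalMachine\My (thumbprint placeholder below).
$fsName    = 'adfs.DC07.Loc'
$fsDisplay = 'DC07 Federation Service'
$sslThumb  = '<THUMBPRINT-OF-ADFS-SSL-CERT>'     # placeholder: paste the real thumbprint
$svcCred   = Get-Credential -UserName 'DC07\adfs_install' -Message 'ADFS service account'

# Step 1: the "Add Roles and Features" wizard
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Steps 2-4: "Configure the federation service on this server" as a new farm
Import-Module ADFS
Install-AdfsFarm -CertificateThumbprint $sslThumb `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName $fsDisplay `
                 -ServiceAccountCredential $svcCred `
                 -OverwriteConfiguration

# Verification: request the federation metadata the way the browser step does.
# A certificate or DNS problem shows up here as a TLS error instead of a yellow bar.
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
    [xml]$meta = $resp.Content
    "Federation metadata OK, entityID = $($meta.EntityDescriptor.entityID)"
} catch {
    Write-Warning "Metadata request failed: $($_.Exception.Message). Check the SSL certificate and the DNS A record."
}
```

The entityID printed at the end is the issuer name SharePoint will see in every token; if it differs from the federation service name you entered, the DNS record or the certificate subject is wrong.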
Configure ADFS Relying Party Trust
With the correct certificate in place, we can configure ADFS to trust SharePoint as a Relying Party. This means that SharePoint will consume claims from ADFS – in other words, rely on it.
We do this in the ADFS Management Console on MASTERCONTROL.
Above are a couple of places you can click to get started.
Step 1: Enter the RP information manually. SharePoint does not provide a FederationMetadata.xml file. However, you could choose to create and maintain such a file yourself and publish it in a document library or by some other means.
Step 2: Just a description that will help you remember what this RP is for will be fine.
Step 3: Choose the ADFS 2.0 profile.
Step 4: We're not setting up token signing and encryption at this time, but we can [and should] revisit this later.
Step 5: The URL for the passive endpoint in SharePoint takes a standard format.
Step 6: It's okay to leave the default identifier in place, but later we'll configure a custom realm identifier in SharePoint. We add it here in anticipation of doing this soon.
Step 7: In secure environments, you start by denying access to all then open it to some. I just want my demo to work; save security for another day.
Step 8: Confirm your settings.
Step 9: The last screen will take you directly into the Rules manager.
We'll need to create one rule for AD, and three rules to support other claim providers.
"Send LDAP Attributes as Claims" is used to pass through Active Directory claims.
We need 3 attributes from AD: E-mail Addresses, Token Groups, and User Principal Name. I used the qualified token groups, because I want to be able to make a distinction between different domains on my network. UPN also makes a distinction between domains, so if you want to merge sub-domains under a single identity you could do that with a rule or by using unqualified account name instead.
One down, three to go.
We need to pass through three claims. Each one must be done with a separate rule.
Passing through e-mail address is fairly straightforward.
If you want to add UPN and roles as
Now, we do the same for Role.
And finally add UPN.
Some of my providers actually pass through even more claims than this. For the sake of the demo, I'll keep this simple for now. We can always add more later on if we want to.
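Wizard steps 1 to 9 and the four claim rules (one "Send LDAP Attributes as Claims" rule for AD, three pass-through rules) written out with the ADFS cmdlets. This is an added example, not the document's own configuration; it assumes a SharePoint web application at https://sharepoint.DC07.Loc, the realm urn:sharepoint:c4968397007 that the SharePoint script later in this document uses, SharePoint's standard WS-Federation passive endpoint /_trust/ for step 5, and the "Qualified by Domain Name" variant of Token-Groups (tokenGroups(domainQualifiedName)) for the distinction between domains the text asks for.

```powershell
# Added example: create the SharePoint relying party trust and its claim rules.
# Assumptions: web application https://sharepoint.DC07.Loc, realm
# urn:sharepoint:c4968397007, passive endpoint /_trust/ (SharePoint's standard URL).
Import-Module ADFS

$rpName   = 'SharePoint 2013'
$realm    = 'urn:sharepoint:c4968397007'
$endpoint = 'https://sharepoint.DC07.Loc/_trust/'

$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$role  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Rule 1: "Send LDAP Attributes as Claims" for the three AD attributes the text needs.
# tokenGroups(domainQualifiedName) keeps groups distinguishable per domain (assumed variant).
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD: e-mail, qualified groups, UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email", "$role", "$upn"), query = ";mail,tokenGroups(domainQualifiedName),userPrincipalName;{0}", param = c.Value);
"@

# Rules 2-4: one pass-through rule per claim, so claims from other claims providers also reach SharePoint.
$passThrough = foreach ($pair in @(@('E-mail', $email), @('Role', $role), @('UPN', $upn))) {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $($pair[0])"
c:[Type == "$($pair[1])"]
 => issue(claim = c);
"@
}
$allRules = (@($ldapRule) + $passThrough) -join "`n"

# Step 7 as the text does it for the demo: permit everyone. Replace with a group-based
# rule for anything beyond a demo.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $rpName `
                          -Identifier $realm `
                          -WSFedEndpoint $endpoint `
                          -IssuanceTransformRules $allRules `
                          -IssuanceAuthorizationRules $permitAll

# Check: show the rules ADFS stored for the trust
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The identifier (realm) string must match, character for character, the $realm value passed to New-SPTrustedIdentityTokenIssuer on the SharePoint side; a mismatch produces a token that ADFS issues happily and SharePoint silently rejects.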
Generate new Primary ADFS certificates (Token Signing and Token Decrypting)
Let's get started. The ADFS server installs with its own self-signed certificate. You can view these from the ADFS Management Console.
Viewing this certificate, you can clearly see that there is something wrong with it. The problem is that it's self-signed. We could add the certificate to Trusted Root Certificates store like they suggest in the warning, but we want to try to learn to do this the right way. So, let's create a certificate that has the correct chain of authority for our domain.
On the ADFS computer (DEMO\MasterControl), click on Start > Run and type "mmc". This will bring up the management console.
In the management console, go to File > Add/Remove Snap In.
Click Certificates, then the Add button. A pop-up will appear.
Pick "Computer account" to show the machine certificate store.
Select for this Local computer, not another one.
It'll look like this, so hit OK.
This brings us into the computer's certificate store. Leave this open as we'll get a lot of use out of this as we continue. Assuming all went well, we'll request a certificate to use for ADFS encryption and signing next.
A successfully created certificate manager snap-in will look like this.
Let's do a File > Save As and store this MSC file someplace so we don't have to do all these steps again the next time we need it.
Request a certificate by expanding Personal > Certificates, then right-click and choose All Tasks > Request New Certificate.
Request templates come from Active Directory. Sometimes an external partner may give you a URL that you can use to add additional Certificate Enrollment Policy servers to this list manually.
Check the box for "Legacy STS" then click the link to provide the additional information. (Yes, the screen shot is wrong. See the section in Part 2 on setting up the certificate template to find out why.)
A Note from Captain Hindsight: When I tried this, I found first that it took a while for my certificate template to replicate into my DEMO domain - I had some health issues in both domain replication and the enterprise CA, and secondly that the rights I had given for the template weren't enough to request the certificate in this way. In this walkthrough, I've gone back in time and retroactively corrected my instructions.
Provide just the information that follows. I have seen that providing too much information may cause ADFS to reject the certificate later.
CN= mastercontrol.demo.colossusconsulting.com
O=Colossus Consulting LLC
OU=Liquid Mercury Solutions
L=Baltimore
S=Maryland
C=US
Alternative name – DNS: adfs.demo.colossusconsulting.com
The last item is optional. I wanted to try an experiment using SANs (Subject Alternative Names). (Again, the screenshots are wrong; I reversed SAN and CN and used a different DNS in my SAN.)
It should look like this when you're done. (Again, SAN and CN reversed.)
Verify that we meet the requirements for what we're trying to do: a 2048-bit key, and exportable keys.
Captain Hindsight: Now would be a good time to add permissions to the DEMO\adfs.service account too! More on this step later.
Note that each box you check here will ultimately have to be added to a list of trusted authorities we'll provide to the SharePoint STS.
Provide everything it wants and the link should disappear. (Again, we're using "Legacy STS" template not "Secure Token Server".)
Click Enroll to send the request to the CA. Assuming you have permission to enroll on the CA, this should succeed. If not, you can manually issue the certificate using the CA's MMC snap-in.
Changing the Certificates Used by ADFS Server
So, let's take the new certificate we created and set up ADFS to work with it instead.
Here's a little PowerShell script that we use to do just that.
Set-ADFSProperties -AutoCertificateRollover $false
But there are certainly more secure ways to get your scripts to work, like actually signing them. When you're done, you can run the same script with $true to restore the lock. It will throw an error, but you can safely ignore it. Here's the screenshot:
Going back to the ADFS console, when you click Add Token Signing Certificate and Add Token decryption Certificate, you'll be prompted with a menu like this one.
Choose your desired certificate and click OK.
For both new certificate entries, right-click and choose "Set as Primary".
You might be given a warning like this one. We haven't created any Relying Party trusts yet though, so don't worry about it.
You'll be greeted with this reminder.
This is a really important step: if DEMO\adfs-service can't access the private keys, you'll get error 133 in the event logs. This particular event happens for lots of reasons, so troubleshooting it is a pain. Best not to omit this step, as it's one more thing you'll have to troubleshoot later. Assuming you didn't add these rights when you created the certificate in the first place, let's take care of this now before we forget. Back to Certificate Manager!
Give Read access to both NETWORK SERVICE and DEMO\adfs-service accounts.
Test your changes by restarting the ADFS service after you've added new certificates, to make sure they are compatible before your move forward.
After you successfully restart the ADFS service without any 133 events, you can safely delete the two self-signed certificates that ADFS included when it installed.
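The certificate change in this section (rollover off, private-key Read rights, add and set primary, restart, check for event 133, then remove the self-signed pair) as one script with the ADFS cmdlets. This is an added example, not the document's own script; it assumes the new certificate is already in Cert:\LocalMachine\My (thumbprint placeholder), that it was created with a legacy CSP so its key file lives under MachineKeys, and the service account DEMO\adfs-service named in the text.

```powershell
# Added example: switch ADFS token signing and decryption to an enrolled certificate.
# Assumptions: thumbprint placeholder below, CSP key (file under MachineKeys),
# service account DEMO\adfs-service.
Import-Module ADFS
$thumb   = '<THUMBPRINT-OF-NEW-ADFS-CERT>'    # placeholder: thumbprint of the enrolled certificate
$svcAcct = 'DEMO\adfs-service'

# 1. Stop automatic rollover so ADFS keeps a manually managed certificate.
Set-AdfsProperties -AutoCertificateRollover $false

# 2. Grant Read on the private key file to the service account and NETWORK SERVICE.
#    Missing rights here are the usual cause of event ID 133 in the AD FS/Admin log.
$cert    = Get-Item "Cert:\LocalMachine\My\$thumb"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl     = Get-Acl $keyFile
foreach ($who in @($svcAcct, 'NT AUTHORITY\NETWORK SERVICE')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# 3. Add the certificate in both roles and make it primary (the "Set as Primary" step).
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Add-AdfsCertificate -CertificateType $type -Thumbprint $thumb
    Set-AdfsCertificate -CertificateType $type -Thumbprint $thumb -IsPrimary
}

# 4. Restart the service and look for event 133 before touching the self-signed pair.
$since = Get-Date
Restart-Service adfssrv
Start-Sleep -Seconds 15
$errs = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 133; StartTime = $since } -ErrorAction SilentlyContinue
if ($errs) { throw 'Event 133 after restart: the service account cannot read the private key' }

# 5. Only now remove the self-signed certificates ADFS created at install time.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type |
        Where-Object { -not $_.IsPrimary -and $_.Certificate.Thumbprint -ne $thumb } |
        ForEach-Object { Remove-AdfsCertificate -CertificateType $type -Thumbprint $_.Certificate.Thumbprint }
}
Get-AdfsCertificate | Format-Table CertificateType, IsPrimary, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
```

Step 4 is the point of the whole script: the old secondary certificates stay in place until the service has proven it can start and sign with the new one, so a permissions mistake is recoverable by setting the previous certificate primary again.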
When you've finished, it should look like this. And we got no warnings about the key strength of the certificates we chose.
You can view the certificate and see that there are no warnings or errors.
Export ADFS Root and Token Signing certificate to SharePoint
Now, we need to tell SharePoint to trust the certificate that we're using in ADFS. Additionally, SharePoint will need to trust every certificate in its chain of authority, so any subordinate CA or root CA in the chain will need to be added as well. We can easily get to the certificate chain from the ADFS console.
View the certificate to see its chain of authority.
Starting with the certificate itself, under Details, you can Copy to File in order to export the certificate.
Note that you *do not* need to put the private key on SharePoint. This is an important aspect of federated security. While your ADFS server needs access to its own private keys (they must be exportable), you should not need to give your private key to any federating partner – even one inside your own organization.
Note: for SharePoint to encrypt tokens, it will need its own certificate with a private key. To show that we don't need (or want) to share private keys, we'll issue a separate certificate for the SharePoint server, and then bring the public key back to ADFS and configure it. This will be done a little later.
Any format that can be read by SharePoint and PowerShell should be fine.
Save the file to a location we can access from SMARTYPANTS.
Once we've exported the certificate, we can use the Certification Path to view each certificate in the chain of authority. For each one, export it in the same way as was just done above.
For the certificate authority's certificate, obviously we give it a different file name.
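The export above done from the ADFS server with the ADFS and PKI cmdlets: the primary token-signing certificate first, then every CA certificate on its certification path, public part only. This is an added example, not part of the document; it assumes the output folder C:\ADFS_Certificates\new1 that the SharePoint script in the next section reads from.

```powershell
# Added example: export the token-signing certificate and its chain of authority as .cer files.
# Assumption: output folder C:\ADFS_Certificates\new1 (read by the SharePoint script later).
Import-Module ADFS
Import-Module PKI
$outDir = 'C:\ADFS_Certificates\new1'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate

# Export-Certificate writes DER (.cer) without the private key, which is all a federating partner needs.
Export-Certificate -Cert $signing -FilePath (Join-Path $outDir 'signing.cer') | Out-Null

# Walk the certification path: element 0 is the leaf, the last element is the root CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($signing)) {
    Write-Warning "Chain does not validate: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
}
$caCerts = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
$i = 0
foreach ($ca in $caCerts) {
    # root.cer for the self-signed top of the chain, intermediateN.cer for any subordinate CA
    $name = if ($ca.Subject -eq $ca.Issuer) { 'root.cer' } else { 'intermediate{0}.cer' -f (++$i) }
    Export-Certificate -Cert $ca -FilePath (Join-Path $outDir $name) | Out-Null
    "$name  <=  $($ca.Subject)"
}
Get-ChildItem $outDir
```

Every file this produces must become a separate New-SPTrustedRootAuthority entry on the SharePoint side; SharePoint's STS does not consult the Windows certificate store and builds the chain only from the authorities you register.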
Configure the Trusted Identity Provider in SharePoint
So, you can see now we have all the certificates we'll need to use in SharePoint STS.
# Register the CA (root) certificate and the ADFS token-signing certificate as trusted root authorities in SharePoint
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS_Certificates\new1\root.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS_Certificates\new1\signing.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
# Map the three incoming claims (e-mail, UPN, role) to SharePoint claim types unchanged
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Realm = the relying party identifier configured in ADFS; SignInUrl = the ADFS passive endpoint
$realm = "urn:sharepoint:c4968397007"
$signInURL = "https://adfs.SSO.local.DC07.Loc/adfs/ls"
# Create the trusted identity provider; the e-mail claim is the identifier claim.
# Replace the two placeholders with the provider name and description SharePoint should show.
$ap = New-SPTrustedIdentityTokenIssuer -Name "<ProviderName>" -Description "<ProviderDescription>" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType
Configuring the SharePoint Web Applications to Use the Trusted Provider
Now, we should be able to configure the web applications to accept claims from ADFS.
Go to Central Administration > Application Management > Manage Web Applications.
Click the web application, and then hit Authentication Providers in the Ribbon.
Click each of the three links in turn, and do the following for each zone:
Enable the "ADFS 2.0" provider by checking the boxes, then click Save.
Browse your site.
ADFS User Creation in Active Directory and add Email address attribute
Make sure that every user who accesses the site via ADFS has an email address set in AD. This is mandatory because we pass the email address as the identity claim.
Provide access to ADFS user on SharePoint Sites using email address
To give a user access to a site, the user's email address must be added under Site Settings > Site Permissions.
Note: Type full email id while adding permission.
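The three preceding steps (enable the provider on a web application zone, populate the AD email attribute, grant a user access by email) as one script run in the SharePoint Management Shell. This is an added example, not the document's own; it assumes the provider was named "ADFS 2.0" as in the Authentication Providers dialog above, a web application at https://sharepoint.DC07.Loc, and a constructed user jdoe with address jdoe@DC07.Loc.

```powershell
# Added example: bind the trusted provider to a zone and grant a user access by e-mail.
# Assumptions: provider "ADFS 2.0", web application https://sharepoint.DC07.Loc,
# constructed user jdoe / jdoe@DC07.Loc.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$webAppUrl = 'https://sharepoint.DC07.Loc'
$sam       = 'jdoe'
$userMail  = 'jdoe@DC07.Loc'

# The AD account must carry the e-mail address ADFS will emit as the identity claim.
if (-not (Get-ADUser $sam -Properties mail).mail) {
    Set-ADUser $sam -EmailAddress $userMail
}

# Enable the ADFS provider on the Default zone, keeping Windows authentication alongside it.
$ap    = Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS 2.0'
$winAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$wa    = Get-SPWebApplication $webAppUrl
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $winAp, $ap

# Grant access. SharePoint stores the *encoded* claim (provider + full e-mail address),
# which is why the text insists on typing the full address; let the API build it.
$principal = New-SPClaimsPrincipal -Identity $userMail -TrustedIdentityTokenIssuer $ap
$web       = Get-SPWeb $webAppUrl
New-SPUser -UserAlias $principal.ToEncodedString() -Web $web -Group "$($web.Title) Visitors"
$principal.ToEncodedString()     # the value you would otherwise see in People Picker
```

Because the e-mail address is the identifier claim, renaming a user's mailbox in AD creates a new SharePoint identity; permissions granted to the old address do not follow the user.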
Uninstall ADFS and Certification Authority Completely
After uninstalling the role you need to manually remove the ADFS virtual directory from IIS.
The ADFS application is created under the Default Web Site.
Explore the ADFS virtual directory.
Remove the ADFS folder from the drive.
Go to C:\Windows\System32\inetsrv\config on the ADFS server and find "applicationHost.config". Make a copy of it, then edit it: search for the ADFS site name and remove the related entries.
ADFS is completely removed from server.
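The IIS clean-up from this section as a script: remove the application from IIS, remove the folder, back up applicationHost.config, and list every remaining line that still mentions adfs so the stale entries can be edited out by hand as the text describes. This is an added example, not the document's own; it assumes the application is named adfs under Default Web Site, and the folder path is a placeholder because the document does not give it.

```powershell
# Added example: clean up the IIS remnants of ADFS after the role is uninstalled.
# Assumptions: application "adfs" under "Default Web Site"; folder path is a placeholder.
Import-Module WebAdministration

$configDir  = 'C:\Windows\System32\inetsrv\config'
$appHost    = Join-Path $configDir 'applicationHost.config'
$backup     = Join-Path $configDir ('applicationHost.config.bak-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
$adfsFolder = '<PATH-TO-ADFS-FOLDER>'        # placeholder: the ADFS folder shown by "Explore" above

# 1. Remove the ADFS application from IIS if the uninstall left it behind.
if (Get-WebApplication -Site 'Default Web Site' -Name 'adfs') {
    Remove-WebApplication -Site 'Default Web Site' -Name 'adfs'
}

# 2. Remove the ADFS folder from disk.
if (Test-Path $adfsFolder) { Remove-Item $adfsFolder -Recurse -Force }

# 3. Back up applicationHost.config, then list every line that still mentions adfs.
#    These are the stale entries to edit out by hand; keep the backup until IIS is verified.
Copy-Item $appHost $backup
Select-String -Path $appHost -Pattern 'adfs' -SimpleMatch |
    ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }

# 4. Confirm IIS no longer knows about the application.
Get-WebApplication -Site 'Default Web Site' | Select-Object Path, PhysicalPath
Get-Website | Select-Object Name, State
```

Run step 3 again after editing: a clean run prints nothing, which is the condition under which re-adding the role and re-running the configuration wizard succeeds.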
Issues:
After removing all references to ADFS, IIS was still referring to the ADFS site.
Solution:
There was a stale entry in the "applicationhost.config" file located at "C:\Windows\System32\inetsrv\config"; I removed it too.
After this we removed and re-added the server role, re-ran the configuration wizard and created the relying party trust with claim rules successfully.