
Nikhil Shankar Singh Prasad Tandel

Install and Configure ADFS 2.0 on SharePoint 2013 Cloudshare Environment

Date          Description      Owner
Jan 02, 2015  Initial version  Nikhil Shankar Singh Prasad Tandel

Contents

Install and configure ADFS on Windows 2012 (p. 2)
  Pre-requisites (p. 2)
  Add DNS A record for ADFS server domain (p. 2)
Install and Configure Certificate Authority – Enterprise (p. 3)
  Installing Certificate Authority (p. 3)
  Configure Certificate Authority (p. 8)
Create SSL certificate template (p. 14)
Enroll certificate (p. 22)
Validate your certificate in IIS (p. 29)
Install ADFS for Windows Server 2012 R2 (p. 30)
Configure ADFS (p. 30)
Verifying AD FS installation (p. 36)
Configure ADFS Relying Party Trust (p. 36)
Generate new Primary ADFS certificates (Token Signing and Token Decrypting) (p. 47)
Changing the Certificates Used by ADFS Server (p. 56)
Export ADFS Root and Token Signing certificate to SharePoint (p. 60)
Configure the Trusted Identity Provider in SharePoint (p. 64)
  ADFS User Creation in Active Directory and add Email address attribute (p. 66)
  Provide access to ADFS user on SharePoint Sites using email address (p. 66)
Uninstall ADFS and Certification Authority Completely (p. 67)
Conclusion (p. 71)
Definition and Acronyms (p. 71)


Install and configure ADFS on Windows 2012

Pre-requisites

Prepare a Windows 2012 R2 VM and join it to the domain.

Service account – domain\adfs_install; add this account as a local admin on the box.

DNS A record – adfs.domain.local => ADFS server IP (e.g. in the cloud environment the domain is DC07.com).

Make sure all AD user accounts, service accounts and admin accounts have the Email property populated.

Add DNS A record for ADFS server domain

Open DNS and add New Host-A entry in Forward lookup zone.
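The prerequisites above (DNS A record, service account as local admin, email attribute populated on every account) can be applied and checked from PowerShell instead of clicking through DNS Manager and AD Users and Computers. The script below is an added example and is not part of the original document; the zone name, IP address and account name are placeholders for your own environment, and it assumes the ActiveDirectory and DnsServer RSAT modules are installed.

```powershell
# Added example (not from the original document). Placeholders: zone, IP, account.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone     = "DC07.Loc"        # placeholder: your AD DNS zone
$adfsHost = "adfs"            # host part of adfs.<zone>
$adfsIp   = "10.0.0.50"       # placeholder: IP of the ADFS server
$svcAcct  = "adfs_install"    # service account named in the prerequisites

# 1. DNS A record for the federation service name (idempotent: only add when missing)
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $adfsHost -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $adfsHost -IPv4Address $adfsIp
}
Resolve-DnsName "$adfsHost.$zone" -Type A   # should return $adfsIp; if not, fix DNS before installing ADFS

# 2. Service account as local Administrator on the ADFS box (run this part on that box)
net localgroup Administrators "$env:USERDOMAIN\$svcAcct" /add

# 3. Every enabled user that will sign in through ADFS needs the mail attribute set,
#    because the email address is the identifier claim SharePoint will use later.
$missing = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail | Where-Object { -not $_.mail }
if ($missing) {
    "Users without an email address (ADFS sign-in to SharePoint will fail for these):"
    $missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else {
    "All enabled users have the mail attribute populated."
}
```

Run the DNS and user checks on a domain controller (or any box with RSAT), and the local group command on the future ADFS server itself. Re-run step 3 whenever new users are created, since a user without a mail attribute gets no email claim and cannot be matched to a SharePoint permission entry.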


Install and Configure Certificate Authority – Enterprise

Installing Certificate Authority


Configure Certificate Authority


Create SSL certificate template

Open the certification authority tool on your CA server

Right-click certificate templates and choose Manage


Right-click on the Web Server template and choose Duplicate Template.

On the General tab, give the template a new name, for example "ADFS server".


On the request handling tab check Allow private key to be exported


On the Cryptography tab check “Requests can use any provider available on the subject’s computer”


As a final step, your IIS server needs the proper permission to enroll this type of certificate. In my Active Directory domain (e.g. DC07.Loc) I have configured a group of all IIS servers (Web server) that may enroll certificates from my CA. Give the server on which you will install ADFS Enroll rights. Afterwards choose Apply and OK.


In the case of the cloud server, add the server name itself and grant it Read and Enroll permissions.


Go back to your certificate authority console and right-click certificate templates. Choose new certificate template to issue

Choose ADFS server and OK


ADFS Server will now appear in the "Certificate Templates" section.

Enroll certificate

Open an MMC console on the server where you are planning to install ADFS upon


Click on File and choose Add/Remove Snap-In

Choose certificates and click Add


Select Computer account, next

Local computer, Finish

Click OK


Right-click on Certificates-> Personal and choose All Tasks->Request new certificate

Next


Next

Check ADFS server and click on "More information is required to enroll for this certificate."

Enter as the common name the name you will use to access your ADFS, then fill in the subject fields:

1. Common Name of the certificate (Note: the common name should contain at least one "." dot)
2. Organization
3. OU
4. Locality
5. Country

Afterwards choose OK and Apply.

Click Enroll


Finish


Validate your certificate in IIS

To check if the server certificate is properly installed, open IIS manager

Double click server certificates

If your certificate is enlisted here, it is properly installed


Install ADFS for Windows Server 2012 R2

To configure AD FS as a stand-alone federation server for Microsoft Dynamics CRM Server claims authentication, do the following:

1. Open the Windows Server 2012 R2 Add Roles and Features Wizard and add the Active Directory Federation Services server role.

2. Proceed through the wizard. Click Configure the federation service on this server.

3. On the Welcome page in the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next.

4. Proceed through the wizard. On the Specify Service Properties page, select your SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name.

Configure ADFS

Open ADFS management


Start AD FS Federation server configuration wizard

Create a new federation service

Next


Next


Enter the service account you wish to use for ADFS here


Next

Close


Verifying AD FS installation

Use the following steps to verify the AD FS installation:

1. On the AD FS server, open Internet Explorer.

2. Browse to the URL of the federation metadata, for example https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml or http://c4968397007/federationmetadata/2007-06/federationmetadata.xml. You may need to turn on Compatibility View in Internet Explorer.

3. Verify that no certificate-related warnings appear. If necessary, check your certificate and DNS settings.
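The same verification can be done without a browser, which also lets you inspect the token-signing certificates that ADFS publishes in its metadata (the ones SharePoint will be asked to trust later). The script below is an added example, not part of the original document; the federation service name is a placeholder taken from the sign-in URL used later in this document, and TLS certificate validation is deliberately left on so a bad SSL certificate or DNS entry shows up as an error here rather than in SharePoint.

```powershell
# Added example (not from the original document). Placeholder: federation service name.
$fsName = "adfs.SSO.local.DC07.Loc"
$url    = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

# Certificate validation stays enabled: a failure here means the SSL certificate, its chain,
# or the DNS A record for the service name is wrong (the same things the document says to check).
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
[xml]$md = $resp.Content

# Signing certificates live in KeyDescriptor use="signing" elements as base64 DER.
$ns = @{
    md = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds = "http://www.w3.org/2000/09/xmldsig#"
}
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$nodes = Select-Xml -Xml $md -Namespace $ns -XPath $xpath

# Report each signing certificate; a self-signed one is the default ADFS installs with
# and is what the later sections replace with a CA-issued certificate.
$nodes | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.Node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
    }
} | Sort-Object Thumbprint -Unique | Format-Table -AutoSize
```

The metadata lists the same certificate under both the WS-Federation and SAML role descriptors, hence the `-Unique` on thumbprint. Keep the thumbprints from this output: after you swap in a CA-issued certificate, the one shown here must match the certificate you export to SharePoint.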

Configure ADFS Relying Party Trust


With the correct certificate in place, we can configure ADFS to trust SharePoint as a Relying Party. This means that SharePoint will consume claims from ADFS – in other words, rely on it. We do this in the ADFS Management Console on MASTERCONTROL.

Above are a couple of places you can click to get started.

Step 1: Enter the RP information manually. SharePoint does not provide a FederationMetadata.xml file. However, you could choose to create and maintain such a file yourself and publish it in a document library or by some other means.


Step 2: Just a description that will help you remember what this RP is for will be fine.

Step 3: Choose the ADFS 2.0 profile.

Step 4: We're not setting up token signing and encryption at this time, but we can [and should] revisit this later.


Step 5: The URL for the passive endpoint in SharePoint takes a standard format.

Step 6: It's okay to leave the default identifier in place, but later we'll configure a custom realm identifier in SharePoint. We add it here in anticipation of doing this soon.


Step 7: In secure environments, you start by denying access to all then open it to some. I just want my demo to work; save security for another day.

Step 8: Confirm your settings.


Step 9: The last screen will take you directly into the Rules manager.

We'll need to create one rule for AD, and three rules to support other claim providers.


"Send LDAP Attributes as Claims" is used to pass through Active Directory claims.


We need 3 attributes from AD: E-mail Addresses, Token Groups, and User Principal Name. I used the qualified token groups, because I want to be able to make a distinction between different domains on my network. UPN also makes a distinction between domains, so if you want to merge sub-domains under a single identity you could do that with a rule or by using unqualified account name instead.

One down, three to go.


We need to pass through three claims. Each one must be done with a separate rule.

Passing through e-mail address is fairly straightforward.

If you want to add UPN and roles as

Now, we do the same for Role.


And finally add UPN.

Some of my providers actually pass through even more claims than this. For the sake of the demo, I'll keep this simple for now. We can always add more later on if we want to.


And you now see our completed RP configuration.
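The relying party trust built through the wizard (Steps 1 to 9) and the four claim rules that follow (one "Send LDAP Attributes as Claims" rule for AD, three pass-through rules for other claim providers) can be created in one go from PowerShell, which is easier to review and to reproduce on a second ADFS server. The script below is an added example and is not the document's own configuration: the SharePoint host name is a placeholder, the realm is the one the SharePoint script later in this document registers, the /_trust/ path is SharePoint's standard WS-Federation passive endpoint, and the authorization rule is the permit-all the demo chooses in Step 7.

```powershell
# Added example (not from the original document). Run elevated on the ADFS server.
$spHost = "sharepoint.dc07.loc"           # placeholder: SharePoint web application host
$rpName = "SharePoint 2013"
$realm  = "urn:sharepoint:c4968397007"    # realm used by the SharePoint script later on

# Issuance transform rules, in ADFS claim rule language:
#  - one LDAP rule reading mail, domain-qualified token groups and UPN from AD
#  - three pass-through rules so the same claims arriving from other claims providers survive
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes: email, qualified token groups, UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,tokenGroups(domainQualifiedName),userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Issuance authorization rule: permit all users (what the document's demo does in Step 7).
# In a hardened environment replace this with a rule that permits a specific group claim.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $realm `
    -WSFedEndpoint "https://$spHost/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Confirm the trust exists and the endpoint/identifier match what SharePoint will send
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

The rule text is exactly what the wizard writes when you pick the templates by hand, so the result is identical to the screenshots; the difference is that it can be kept in source control and diffed. SharePoint 2013 expects tokens signed with SHA-1, so if sign-in fails after this step, set the trust's signature algorithm accordingly with `Set-AdfsRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"`.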


Generate new Primary ADFS certificates (Token Signing and Token Decrypting)

Let's get started. The ADFS server installs with its own self-signed certificate. You can view these from the ADFS Management Console.

Viewing this certificate, you can clearly see that there is something wrong with it. The problem is that it's self-signed. We could add the certificate to Trusted Root Certificates store like they suggest in the warning, but we want to try to learn to do this the right way. So, let's create a certificate that has the correct chain of authority for our domain.

On the ADFS computer (DEMO\MasterControl), click on Start > Run and type "mmc". This will bring up the management console.


In the management console, go to File > Add/Remove Snap In.

Click Certificates, then the Add button. A pop-up will appear.

Pick "Computer account" to show the machine certificate store.

Select for this Local computer, not another one.


It'll look like this, so hit OK.

This brings us into the computer's certificate store. Leave this open as we'll get a lot of use out of this as we continue. Assuming all went well, we'll request a certificate to use for ADFS encryption and signing next.

A successfully created certificate manager snap-in will look like this.


Let's do a File > Save As and store this MSC file someplace so we don't have to do all these steps again the next time we need it.


Request a certificate by expanding Personal > Certificates, then right-click and choose All Tasks > Request New Certificate.


Request templates come from Active Directory. Sometimes an external partner may give you a URL that you can use to add additional Certificate Enrollment Policy servers to this list manually.

Check the box for "Legacy STS" then click the link to provide the additional information. (Yes, the screen shot is wrong. See the section in Part 2 on setting up the certificate template to find out why.)

A Note from Captain Hindsight: When I tried this, I found first that it took a while for my certificate template to replicate into my DEMO domain - I had some health issues in both domain replication and the enterprise CA, and secondly that the rights I had given for the template weren't enough to request the certificate in this way. In this walkthrough, I've gone back in time and retroactively corrected my instructions.


Provide just the information that follows. I have seen that providing too much information may cause ADFS to reject the certificate later.

CN=mastercontrol.demo.colossusconsulting.com
O=Colossus Consulting LLC
OU=Liquid Mercury Solutions
L=Baltimore
S=Maryland
C=US
Alternative name (DNS): adfs.demo.colossusconsulting.com

The last item is optional. I wanted to try an experiment using SANs (Subject Alternative Names). (Again, the screenshots are wrong; I reversed SAN and CN and used a different DNS in my SAN.)


It should look like this when you're done. (Again, SAN and CN reversed.)

Verify we meet the requirements for what we're trying to do: a 2048-bit key, and exportable keys.

Captain Hindsight: Now would be a good time to add permissions to the DEMO\adfs.service account too! More on this step later.


Note that each box you check here will ultimately have to be added to a list of trusted authorities we'll provide to the SharePoint STS.

Provide everything it wants and the link should disappear. (Again, we're using "Legacy STS" template not "Secure Token Server".)


Click Enroll to send the request to the CA. Assuming you have permission to enroll on the CA, this should succeed. If not, you can manually issue the certificate using the CA's MMC snap-in.


Changing the Certificates Used by ADFS Server

So, let's take the new certificate we created and set up ADFS to work with it instead.

Here's a little PowerShell script that we use to do just that. It turns off automatic certificate rollover, which otherwise prevents you from adding and promoting certificates by hand:

# Unlock manual management of the token-signing and token-decrypting certificates
Set-ADFSProperties -AutoCertificateRollover $false

But there are certainly more secure ways to get your scripts to work, like actually signing them. When you're done, you can run the same script with $true to restore the lock. It will throw an error, but you can safely ignore it. Here's the screenshot:

Going back to the ADFS console, when you click Add Token Signing Certificate and Add Token decryption Certificate, you'll be prompted with a menu like this one.


Choose your desired certificate and click OK.

For both new certificate entries, right-click and choose "Set as Primary".

You might be given a warning like this one. We haven't created any Relying Party trusts yet though, so don't worry about it.

You'll be greeted with this reminder.

This is a really important step: if DEMO\adfs-service can't access the private keys, you'll get error 133 in the event logs. This particular event happens for lots of reasons, so troubleshooting it is a pain. Best not to omit this step, as it's one more thing you'll have to troubleshoot later. Assuming you didn't add these rights when you created the certificate in the first place, let's take care of this now before we forget. Back to Certificate Manager!


Give Read access to both NETWORK SERVICE and DEMO\adfs-service accounts.

Test your changes by restarting the ADFS service after you've added the new certificates, to make sure they are compatible before you move forward.

After you successfully restart the ADFS service without any 133 events, you can safely delete the two self-signed certificates that ADFS included when it installed.


When you've finished, it should look like this. And we got no warnings about the key strength of the certificates we chose.

You can view the certificate and see that there are no warnings or errors.
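Everything this section does by hand (unlock rollover, add the new certificate as token-signing and token-decrypting, promote it to primary, give the service account read access to the private key, restart, and check for event 133) is also scriptable, which makes it repeatable and easy to audit. The script below is an added example and not part of the original document; the thumbprint is a placeholder you take from Certificate Manager, the service account name is the one this section uses, and the private-key ACL step assumes the certificate was enrolled with a legacy CSP (CAPI) key, as the document's "Legacy STS" template implies.

```powershell
# Added example (not from the original document). Placeholder: $thumb.
$thumb   = "0000000000000000000000000000000000000000"   # placeholder: new cert thumbprint, no spaces
$svcAcct = "DEMO\adfs-service"                          # ADFS service account from this section

# 1. Unlock manual certificate management
Set-AdfsProperties -AutoCertificateRollover $false

# 2. Register the CA-issued certificate for both roles and make it primary
Add-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $thumb
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $thumb
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $thumb -IsPrimary
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $thumb -IsPrimary

# 3. Private key permissions: the service account (and NETWORK SERVICE) need Read on the key file.
#    CAPI keys are files under MachineKeys; for CNG keys $cert.PrivateKey is $null and you
#    must use "Manage Private Keys" in the console instead, as the document does.
$cert    = Get-Item "Cert:\LocalMachine\My\$thumb"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyPath /grant "${svcAcct}:R" "NETWORK SERVICE:R"

# 4. Restart and look for event 133 (private key not accessible) in the last few minutes
Restart-Service adfssrv
Get-WinEvent -FilterHashtable @{ LogName = "AD FS/Admin"; Id = 133; StartTime = (Get-Date).AddMinutes(-5) } `
    -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

# 5. Show what is now primary; only after this is clean should the self-signed ones be removed
Get-AdfsCertificate | Where-Object IsPrimary | Select-Object CertificateType, Thumbprint
```

If step 4 prints nothing, the service started with the new keys and you can remove the two self-signed certificates as the document describes; if it prints an event 133, fix the key ACL before touching anything else, since a broken signing key takes every relying party down at once. Setting rollover back to `$true` afterwards re-enables ADFS's own key management.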


Export ADFS Root and Token Signing certificate to SharePoint

Now, we need to tell SharePoint to trust the certificate that we're using in ADFS. Additionally, SharePoint will need to trust every certificate in its chain of authority, so any subordinate CA or root CA in the chain will need to be added as well. We can easily get to the certificate chain from the ADFS console.

View the certificate to see its chain of authority.

Starting with the certificate itself, under Details, you can Copy to File in order to export the certificate.


Note that you *do not* need to put the private key on SharePoint. This is an important aspect of federated security. While your ADFS server needs access to its own private keys (they must be exportable), you should not need to give your private key to any federating partner – even one inside your own organization.

Note: for SharePoint to encrypt tokens, it will need its own certificate with a private key. To show that we don't need (or want) to share private keys, we'll issue a separate certificate for the SharePoint server, and then bring the public key back to ADFS and configure it. This will be done a little later.


Any format that can be read by SharePoint and PowerShell should be fine.

Save the file to a location we can access from SMARTYPANTS.


Once we've exported the certificate, we can use the Certification Path to view each certificate in the chain of authority. For each one, export it in the same way as was just done above.

For the certificate authority's certificate, obviously we give it a different file name.
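Exporting the token-signing certificate and every certificate in its chain can be done from PowerShell on the ADFS server, which also makes the point of the note above concrete: the export method used writes the public certificate only, so the private key stays on the ADFS box. The script below is an added example and not part of the original document; the output folder is the one the SharePoint script later in this document reads from, and the file names are a convention of this example (the first element of the chain is the signing certificate, the last is the root).

```powershell
# Added example (not from the original document). Run on the ADFS server.
$outDir = "C:\ADFS_Certificates\new1"   # folder the SharePoint script later reads
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Primary token-signing certificate as ADFS currently uses it
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate

# Build the chain of authority: element 0 is the leaf, the last element is the root CA
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # offline export; revocation is checked by SharePoint at runtime
if (-not $chain.Build($signing)) {
    Write-Warning "Chain did not build cleanly; SharePoint will need every issuer below as a trusted root authority."
}

$elements = @($chain.ChainElements)
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    $name = if ($i -eq 0)                    { "signing.cer" }
            elseif ($i -eq $elements.Count-1) { "root.cer" }
            else                              { "intermediate$i.cer" }

    # Export("Cert") is DER with the public key only: no private key leaves this server
    [IO.File]::WriteAllBytes((Join-Path $outDir $name), $c.Export("Cert"))

    [pscustomobject]@{
        File          = $name
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # true in the local store, but not in the file written
    }
}
```

Every file written here is handed to `New-SPTrustedRootAuthority` on the SharePoint side; if your chain has an intermediate CA, the SharePoint script needs one extra `New-SPTrustedRootAuthority` call for it, otherwise SharePoint will reject the signed token with a trust error. Adjust the file names to whatever the SharePoint script expects.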


Configure the Trusted Identity Provider in SharePoint

So, you can see that we now have all the certificates we'll need to use in the SharePoint STS. Run the following in the SharePoint 2013 Management Shell on the SharePoint server:

# Trust the CA root and the ADFS token-signing certificate (public keys only, exported above)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS_Certificates\new1\root.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS_Certificates\new1\singing.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

# Map the three claims ADFS issues (email, UPN, role) onto SharePoint claim types unchanged
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Realm must equal the relying party identifier configured in ADFS; sign-in URL is the ADFS passive endpoint
$realm = "urn:sharepoint:c4968397007"
$signInURL = "https://adfs.SSO.local.DC07.Loc/adfs/ls"

# The provider name is what appears under Authentication Providers ("ADFS 2.0" below);
# the description is free text. Email is the identifier claim, so every user needs one in AD.
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0" -Description "<ProviderDescription>" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType

Configuring the SharePoint Web Applications to Use the Trusted Provider

Now, we should be able to configure the web applications to accept claims from ADFS.


Go to Central Administration > Application Management > Manage Web Applications.

Click the web application, and then hit Authentication Providers in the Ribbon.


Click each of the three links in turn, and do the following for each Zone.

Enable the "ADFS 2.0" provider by checking the boxes, then hit Save.

Browse your site

ADFS User Creation in Active Directory and add Email address attribute

Make sure all users who access the site via ADFS have an email address set in AD. This is mandatory because we pass the email address as a claim, and it is the identifier claim SharePoint uses to match the user.

Provide access to ADFS user on SharePoint Sites using email address

To access the site, the user's email address must be added under Site Settings > Site Permissions.


Note: Type the full email address when adding the permission.

Uninstall ADFS and Certification Authority Completely


After uninstalling the role, you need to manually remove the ADFS virtual directory from IIS.

ADFS is created under the Default Web Site.

Explore the ADFS virtual directory.


Remove the ADFS folder from the drive.

Go to the folder C:\Windows\System32\inetsrv\config on the ADFS server and find "applicationHost.config". Make a copy of it, then edit it: search for the ADFS site name and remove the related entries.


ADFS is now completely removed from the server.

Issues:

After removing all references to ADFS, IIS was still referring to the ADFS site.

Solution:

There was a stale entry in the "applicationhost.config" file located at "C:\Windows\System32\inetsrv\config"; I removed it too.

After this we removed and re-added the server role, re-ran the configuration wizard and created the relying party trust with claim rules successfully.


Conclusion

You have now integrated ADFS 2.0 with SharePoint 2013 and provided a single sign-on experience to end users.

Definition and Acronyms

Term   Definition
ADFS   Active Directory Federation Services
IIS    Internet Information Server