Section 3 - Chapter 17 Flashcards
AD FS - Federation Service
Created by servers that share a trust policy
AD FS - Federation Service Proxy
Server sits in perimeter, passes info from user’s browser to the federation service
AD FS - 3 Architectural Designs
Federated Web SSO - links apps contained within an extranet in the resource org to the account org's internal directory store
Web SSO - used when users do not have AD DS accounts
Federation with Cloud Services - access to cloud-based services
AD FS - Account Federation Server
Server that is hosted in the account org's internal network
Performs claims mapping and issues tokens
Authenticates user
Extracts federation attributes and group membership for attribute store
Creates claim
Generates and signs security token
AD FS - Configuration db
db stores config data for AD FS instance or Federation Service
SQL (all read/write), 2005 or later, fsconfig.exe to create, located centrally, no need to place on federation server, auto discard token replays when detected
or
WID (first primary read/write, all others read), AD FS Fed Server Config Wiz, stand alone or farm deployment
AD FS - Identity Metasystem Interoperability Protocol (IMIP)
Outlines how to provision Information Cards
AD FS - Information Cards
Digital Identities
Managed - issued by claims providers
Personal - issued by users themselves
AD FS - Information Card Group Policies
Two GPOs that outline how to provision and how to use Information Cards in AD DS
AD FS - Security Assertion Markup Language (SAML)
Web SSO protocol that outlines HTTP web browser redirects used to exchange assertion data that authenticates and authorizes clients across firewalls
AD FS - SAML Security Token
Special data format used to exchange claims between claims providers and relying parties
AD FS - WS-Federation
Web server specification that outlines the standards to be used when implementing federation
AD FS - Components
Attribute Store - db or directory, stores user accounts and attributes
AD FS Config db - scope of a single instance
Claims
Claim Rules
AD FS - Claim Values and Sources
AD FS supports access to apps through the generation of claims
Value is sourced through the attribute store or transformed into another value by applying a rule
Supported: UPN, email, common name, group membership, private personal identifiers, SAML name identifiers, user account or group account SIDs, Windows account names
AD FS - Claim Rules
Business logic that takes incoming claims, applies conditions and generates outgoing claims
Processed through the claims engine
Support permission or denial of access to resources within the Federation Service
Processing: passed through as is, filtered to a specific condition, or transformed into a new claim
AD FS - Claims Templates
Pass through or filter incoming claim
Transform incoming claim
Send LDAP attributes as claim
Send group membership as claim
Send claims using custom rules
Permit or deny users based on incoming claims
Permit all users
AD FS - Federation Server Certs
Server Authentication Cert - secures web traffic between federation server and Federation Service Proxy or web clients, bound to Default Web Site, aka Server Communication Cert
Token Signing Cert - ensures that security token cannot be tampered with during transit
AD FS issues a self-signed cert at install; replace it with a cert from a trusted root CA
Verification Cert - public key of token signing cert
AD FS - Federation Service Proxies Certs
Server Authentication Cert to support SSL encrypted communication with web clients
AD FS - AD CS
FS can rely on a CA for certs
Certs must be from trusted cert authorities for outward-facing roles
If not trusted, you must modify the Trusted CA store on each web client
AD FS 2.0 vs 1.1
Built on interoperability standards of OASIS
Can now be integrated with 3rd party attribute stores
AD LDS no longer supported as an attribute store
Windows NT token based web agent no longer supported
Claims aware web agent for SharePoint 2007 no longer supported, use SharePoint 2010
Federated Web SSO with Forest Trust deployment no longer supported
AD FS - Time Sync
Time cannot be off by more than 5 minutes or token timestamps will be invalid; use the PDC Emulator Operations Master for clock sync
Use Network Time Protocol (NTP) to link servers to an external clock
AD FS - Config
Import server authentication cert to default web servers
Config federation servers and federation server proxies (FSPs) in each AD DS domain
Config token-signing and token-decrypting certs on federation servers
Verify operational
AD FS - PowerShell
AD FS support module: Add-PSSnapin Microsoft.Adfs.Powershell
Federation server proxies can only be managed through Windows PowerShell
AD FS - Files Installed
Windows PowerShell, .NET Framework, Web Server (IIS), Windows Identity Foundation
AD FS - Default Web Sites Config
Admin Tools, IIS Manager, ServerName, Server Certs, Create Cert
Sites, Default Web Site, bindings
AD FS - Config Wizard
Stop AD FS server
Start WID db service
Generate signing and token encryption certs and set to auto rollover
Select SSL Cert
Assign Network Service Account - gives access to the db, cert private keys and endpoints
Enable default set of endpoints
Deploy browser sign in web site
Federation Service name Server03.contoso.com
Start AD FS server
AD FS - Client Computers
Enable IE to access and trust the account federation server
GPMC - User Config, Policies, Windows Settings, IE Maintenance, Security
Distribute federation certs to clients
GPMC - Computer Config, Policies\Windows Settings\Security Settings\Public Key Policies
Trusted Root Cert Authorities, Import