Advanced Operating Systems Administration

Lab 13: Implementing AD FS

Student: <enter the student's last name(s) and first name(s) here>

Objectives:
By the end of the lab the student will be able to:
• Install and configure AD FS
• Configure an internal application for AD FS
• Configure AD FS for a federated partner
• Configure a web application for external users

Safety:

• Place briefcases and/or backpacks in the cabinet at the back of the lab classroom or in the lockers assigned to the student.
• Do not bring liquids or food into the lab classroom.
• At the end of the lab session, shut down the computer and the monitor correctly and tidy the chairs used.

Equipment and Materials:

• One computer with:
  • Windows 7 or later
  • VMware Workstation 10+ or VMware Player 7+
  • A connection to the lab network
• The course virtual machines.
• DVD:
  • Windows Server 2012

Lab Guide Page 1

Procedure:
Scenario A

A. Datum has established a number of business relationships with other companies and customers. Some of these companies and customers need to access company applications that run on the A. Datum network. A. Datum wants to provide the maximum level of functionality and access to the other companies. The security and operations departments want to ensure that partners and customers can access only the resources that apply to them.
A. Datum is also working on migrating some parts of its network infrastructure to Microsoft Online services, including Windows Azure and Office 365.

To meet the stated requirements, A. Datum plans to implement AD FS. In the initial deployment, the company plans to use AD FS to implement SSO for internal users who access an application on a web server.

As one of the A. Datum administrators, it is your responsibility to implement the AD FS solution.

As a proof of concept, you plan to deploy a claims-aware application, and you will configure AD FS to enable internal users to access the application.

Lab Setup

1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1 and LON-CL1.

2. Start the virtual machines and sign in with the Administrator account and the password Pa$$w0rd.

3. The scenario to work with is as follows:

EXERCISE 1: Installing and configuring AD FS

Scenario

To begin the AD FS deployment, you need to install AD FS on a domain controller.

During the initial deployment, you will configure this as the first server in the farm, with the option of expanding the farm later. The certificate for AD FS is already installed on LON-DC1.

The main tasks for this exercise are as follows:

• Create a DNS record for AD FS
• Create a service account
• Install AD FS
• Configure AD FS
• Verify AD FS functionality

► Task 1: Create a DNS record for AD FS


1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click
Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.0.10, and then click Add Host.
6. In the DNS window, click OK.
7. Click Done, and then close the DNS Manager.

► Task 2: Create a service account


1. On LON-DC1, open a Windows PowerShell® prompt.
2. At the Windows PowerShell prompt, type New-ADUser -Name adfsService, and then press
Enter.
3. Type Set-ADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.

► Task 3: Install AD FS
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click Select a server from the server pool, click LON-
DC1.Adatum.com, and then click Next.

5. On the Select server roles page, select the Active Directory Federation Services check box,
and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.

► Task 4: Configure AD FS
1. On LON-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page,
click Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.

Note: The adfs.adatum.com certificate was preconfigured for this task. In your own environment, you
need to obtain this certificate.

► Task 5: Verify AD FS functionality


1. On LON-CL1, sign in as Adatum\Brad with the password Pa$$w0rd.
2. On the taskbar, click Internet Explorer.
3. In Internet Explorer®, in the address bar, type
https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml, and then
press Enter.
4. Verify that the file loads, and then close Internet Explorer.

Deliverable 1. Capture a screenshot showing the result of step 3.
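The same check as step 3, scripted: an added example (not part of the lab guide) that downloads the federation metadata from adfs.adatum.com with PowerShell and compares the token-signing certificates it publishes with those the local AD FS service holds. It assumes the lab's Federation Service name and is run on LON-DC1, where the ADFS cmdlets are available; the variable names are my own.

```powershell
# Added example, not part of the lab guide. Run on LON-DC1 after Task 4.
# Assumes the lab's Federation Service name adfs.adatum.com.
$metadataUrl = 'https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml'

# Invoke-WebRequest validates the TLS certificate, so a successful download also shows that
# the adfs.adatum.com certificate chains to a root this machine trusts (AdatumCA in the lab).
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# The entityID is the Federation Service identifier that relying parties and partners trust.
Write-Host ("Federation Service identifier: {0}" -f $metadata.EntityDescriptor.entityID)

# Token-signing certificates are published as KeyDescriptor use="signing" elements.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$published = Select-Xml -Xml $metadata -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        $cert.Thumbprint
    } | Sort-Object -Unique

# What the service itself holds, from the AD FS cmdlets on this server.
$local = Get-AdfsCertificate -CertificateType Token-Signing |
    ForEach-Object { $_.Thumbprint } | Sort-Object -Unique

Write-Host "Token-signing thumbprints published in metadata: $($published -join ', ')"
Write-Host "Token-signing thumbprints held by the service:   $($local -join ', ')"

# A mismatch means relying parties would import a signing key the service does not use,
# for example right after a certificate rollover that the metadata has not picked up yet.
$missing = @($local | Where-Object { $published -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Not published in metadata: $($missing -join ', ')"
} else {
    Write-Host 'Metadata matches the service token-signing certificates.'
}
```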

Results: In this exercise, you installed and configured AD FS. You also verified that it is functioning by
viewing the FederationMetaData.xml file contents.

EXERCISE 2: Configuring an internal application for AD FS

Scenario

The first scenario for the proof-of-concept AD FS application deployment is to ensure that internal users can use SSO to access the web application. You plan to configure the AD FS server and a web application to enable this scenario. You also want to verify that internal users can access the application.

The main tasks for this exercise are as follows:

• Configure a certificate for the application
• Configure the Active Directory claims-provider trust
• Configure the application to trust incoming claims
• Configure a relying-party trust for the claims-aware application
• Configure claim rules for the relying-party trust
• Test access to the claims-aware application
• Configure Internet Explorer to pass local credentials to the application automatically

► Task 1: Configure a certificate for the application


1. On LON-SVR1, in Server Manager, click Tools and click Internet Information Services (IIS)
Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do
not show this message check box, and then click No.
3. In IIS Manager, click LON-SVR1 (ADATUM\Administrator), and then double-click Server
Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the
following information, and then click Next:
• Common name: lon-svr1.adatum.com
• Organization: A. DatumXYZ
• Organizational unit: IT
• City/locality: London
• State/Province: England
• Country/region: GB
6. On the Online Certification Authority page, click Select.
7. In the Select Certification Authority window, click AdatumCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type AdatumTestApp
CertificateXYZ, and then click Finish.
9. In IIS Manager, expand LON-SVR1 (ADATUM\Administrator), expand Sites, click Default Web
Site, and then in the Actions Pane, click Bindings.
10. In the Site Bindings window, click Add.
11. In the Add Site Binding window, in the Type box, select https.
12. In the SSL certificate box, select AdatumTestApp CertificateXYZ, and then click OK.
13. In the Site Bindings window, click Close.

14. Close IIS Manager.

► Task 2: Configure the Active Directory claims-provider trust


1. On LON-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims
Provider Trusts.
3. In the middle pane, right-click Active Directory, and then click Edit Claim Rules.
4. In the Edit Claims Rules for Active Directory window, on the Acceptance Transform Rules tab,
click Add Rule.
5. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send LDAP Attributes as Claims, and then click Next.
6. On the Configure Rule page, in the Claim rule name box, type Outbound LDAP Attributes
RuleXYZ.
7. In the Attribute Store drop-down list, select Active Directory.
8. In the Mapping of LDAP attributes to outgoing claim types section, select the following values
for the LDAP Attribute and the Outgoing Claim Type, and then click Finish:
• E-Mail-Addresses: E-Mail Address
• User-Principal-Name: UPN
• Display-Name: Name
9. In the Edit Claim Rules for Active Directory window, click OK.

► Task 3: Configure the application to trust incoming claims


1. On LON-SVR1, in the Server Manager, click Tools, and then click Windows Identity
Foundation Federation Utility.
2. On the Welcome to the Federation Utility Wizard page, in the Application configuration
location box, type C:\inetpub\wwwroot\AdatumTestApp\web.config for the location of the
sample web.config file.
3. In the Application URI box, type https://lon-svr1.adatum.com/AdatumTestApp/ to indicate the
path to the sample application that will trust the incoming claims from the federation server, and
then click Next to continue.
4. On the Security Token Service page, click Use an existing STS, in the STS WS-Federation
metadata document location box, type
“https://adfs.adatum.com/federationmetadata/2007-06/federationmetadata.xml”, and then
click Next to continue.
5. On the STS signing certificate chain validation error page, click Disable certificate chain
validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that the federation server will offer, and then click
Next.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and
then click Finish.
9. In the Success window, click OK.

► Task 4: Configure a relying-party trust for the claims-aware application


1. On LON-DC1, in the AD FS console, click Relying Party Trusts.
2. In the Actions pane, click Add Relying Party Trust.
3. In the Relying Party Trust Wizard, on the Welcome page, click Start.
4. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
5. In the Federation Metadata address (host name or URL) box, type https://lon-
svr1.adatum.com/AdatumTestApp/, and then click Next. This downloads the metadata
configured in the previous task.
6. On the Specify Display Name page, in the Display name box, type A. Datum Test AppXYZ,
and then click Next.
7. On the Configure Multi-factor Authentication Now page, click I do not want to configure
multifactor authentication settings for this relying party trust at this time, and then click
Next.
8. On the Choose Issuance Authorization Rules page, click Permit all users to access this
relying party, and then click Next.
9. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next.
10. On the Finish page, click Close.
11. Leave the Edit Claims Rules for A. Datum Test App window open for the next task.

► Task 5: Configure claim rules for the relying-party trust


1. On LON-DC1, in the AD FS management console, in the Edit Claim Rules for A. Datum Test
App window, on the Issuance Transform Rules tab, click Add Rule.
2. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
3. In the Claim rule name box, type Pass through Windows account nameXYZ.
4. In the Incoming claim type drop-down list, click Windows account name, and then click
Finish.
5. On the Issuance Transform Rules tab, click Add Rule.
6. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
7. In the Claim rule name box, type Pass through E-Mail AddressXYZ.

8. In the Incoming claim type drop-down list, click E-Mail Address, and then click Finish.
9. On the Issuance Transform Rules tab, click Add Rule.
10. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
11. In the Claim rule name box, type Pass through UPNXYZ.
12. In the Incoming claim type drop-down list, click UPN, and then click Finish.
13. On the Issuance Transform Rules tab, click Add Rule.
14. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
15. In the Claim rule name box, type Pass through NameXYZ.
16. In the Incoming claim type drop-down list, click Name, and then click Finish.
17. On the Issuance Transform Rules tab, click OK.
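The rules created through the wizards in Tasks 2, 4 and 5, written out in the AD FS claim rule language and applied with the AD FS cmdlets on LON-DC1: an added example, not part of the lab guide, included because this rule text is what Get-AdfsClaimsProviderTrust and Get-AdfsRelyingPartyTrust return when a trust is later reviewed or audited. The names and URLs are the lab's; the metadata path under the application is what the Federation Utility publishes and is assumed here.

```powershell
# Added example, not part of the lab guide. Run on LON-DC1 after Exercise 2, Task 3.
# Claim type URIs behind the friendly names shown in the wizards.
$wan   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$email = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Task 2: "Send LDAP Attributes as Claims" on the Active Directory claims-provider trust.
# mail -> E-Mail Address, userPrincipalName -> UPN, displayName -> Name.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Outbound LDAP Attributes RuleXYZ"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$email", "$upn", "$name"), query = ";mail,userPrincipalName,displayName;{0}", param = c.Value);
"@

# Append to the existing acceptance rules rather than replacing them: the Active Directory
# trust ships with default rules, and the wizard adds to them instead of overwriting them.
$adTrust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`r`n" + $ldapRule)

# Task 5: one "Pass Through or Filter an Incoming Claim" rule per claim type.
$passThrough = @(
    @{ Name = 'Pass through Windows account nameXYZ'; Type = $wan },
    @{ Name = 'Pass through E-Mail AddressXYZ';       Type = $email },
    @{ Name = 'Pass through UPNXYZ';                  Type = $upn },
    @{ Name = 'Pass through NameXYZ';                 Type = $name }
) | ForEach-Object {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "$($_.Name)"
c:[Type == "$($_.Type)"]
 => issue(claim = c);
"@
}
$issuanceRules = $passThrough -join "`r`n"

# Task 4, step 8: "Permit all users to access this relying party".
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Task 4: import the relying party from the metadata the Federation Utility published in Task 3.
# Assumption: the metadata document lives at this path under the application.
$metadataUrl = 'https://lon-svr1.adatum.com/AdatumTestApp/FederationMetadata/2007-06/FederationMetadata.xml'
Add-AdfsRelyingPartyTrust -Name 'A. Datum Test AppXYZ' -MetadataUrl $metadataUrl
Set-AdfsRelyingPartyTrust -TargetName 'A. Datum Test AppXYZ' `
    -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $issuanceRules

# Review what was stored; this is the text a reviewer sees for the trust.
$rp = Get-AdfsRelyingPartyTrust -Name 'A. Datum Test AppXYZ'
Write-Host "Identifiers: $($rp.Identifier -join ', ')"
Write-Host $rp.IssuanceTransformRules
Write-Host $rp.IssuanceAuthorizationRules
```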

► Task 6: Test access to the claims-aware application


1. On LON-CL1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/,
and then press Enter.

Note: It is critical to use the trailing slash in the URL for step 2.

3. In the Windows Security window, sign in as Adatum\Brad with the password Pa$$w0rd.
4. Review the claim information that the application displays.
5. Close Internet Explorer.

Deliverable 2. Capture a screenshot showing the result of step 4.

► Task 7: Configure Internet Explorer to pass local credentials to the application automatically
1. On LON-CL1, on the Start screen, type Internet Options, and then click Internet Options.
2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.
3. In the Local intranet window, click Advanced.
4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.
5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and
then click Close.
6. In the Local intranet window, click OK.
7. In the Internet Properties window, click OK.
8. On LON-CL1, open Internet Explorer.
9. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/,
and then press Enter.

Note: It is critical to use the trailing slash in the URL for step 9.

10. Notice that you were not prompted for credentials.


11. Review the claim information that the application displays.

Deliverable 3. Capture a screenshot showing the result of step 11.

12. Close Internet Explorer.

Results: After completing this exercise, you will have configured AD FS to support authentication for
an application.

Scenario B

A. Datum has established a number of business relationships with other companies and customers. Some of these companies and customers need to access company applications that run on the A. Datum network. A. Datum wants to provide the maximum level of functionality and access to the other companies. The security and operations departments want to ensure that partners and customers can access only the resources that apply to them.
A. Datum is also working on migrating some parts of its network infrastructure to Microsoft Online services, including Windows Azure and Office 365.

Now that you have implemented AD FS for internal users, the next step is to enable access to the same application for partner companies and for external users. A. Datum has entered into a relationship with Trey Research, so you need to ensure that Trey Research users can access the internal application. You also need to ensure that A. Datum users who work outside the office can access the application.

As one of the A. Datum administrators, you are responsible for implementing the AD FS solution.

As a proof of concept, you are developing a sample claims-aware application, and you are configuring AD FS so that Trey Research users and external A. Datum users can access the same application.

Lab Setup

1. Keep the virtual machines from the previous scenario open.

2. Open and create a snapshot of the virtual machines LON-SVR2 and TREY-DC1.

3. Start the virtual machines and sign in with the Administrator account and the password Pa$$w0rd.

4. Check the TCP/IPv4 configuration of TREY-DC1; the DNS address must be 172.16.10.10.

EXERCISE 1: Configuring AD FS for a federated partner

Scenario

The second deployment scenario is to enable Trey Research users to access the web application. You plan to configure the integration of AD FS at Trey Research with AD FS at A. Datum, and then verify that Trey Research users can access the application. You must also confirm that you can configure access based on user groups. You must ensure that all A. Datum users, and only the users who are in the Production group at Trey Research, can access the application.

The main tasks for this exercise are as follows:

• Configure DNS forwarding between the companies
• Configure certificates between the companies
• Install and configure AD FS for Trey Research
• Configure and test the application
• Configure and test the authorization rules

► Task 1: Configure DNS forwarding between TreyResearch.net and Adatum.com


1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, expand LON-DC1, and then click Conditional Forwarders.
3. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
4. In the New Conditional Forwarder window, in the DNS Domain box, type TreyResearch.net.
5. In the IP addresses of the master servers box, type 172.16.10.10, and then press Enter.
6. Select the Store this conditional forwarder in Active Directory, and replicate it as follows
check box, select All DNS servers in this forest, and then click OK.
7. Close the DNS Manager.
8. On TREY-DC1, in the Server Manager, click Tools, and then click DNS.
9. In the DNS Manager, expand TREY-DC1, and then click Conditional Forwarders.
10. Right-click Conditional Forwarders, and then click New Conditional Forwarder.
11. In the New Conditional Forwarder window, in the DNS Domain box, type Adatum.com.
12. In the IP addresses of the master servers box, type 172.16.0.10, and then press Enter.
13. Select the Store this conditional forwarder in Active Directory, and replicate it as follows
check box, select All DNS servers in this forest, and then click OK.
14. Close the DNS Manager.

Note: In a production environment, it is likely that you would use Internet DNS instead of conditional
forwarders.

► Task 2: Configure certificate trusts between TreyResearch.net and Adatum.com


1. On LON-DC1, open File Explorer, browse to \\TREY-DC1\CertEnroll, and then copy TREY-
DC1.TreyResearch.net_TreyResearchCA.crt to C:\.
2. Close File Explorer.
3. In the Server Manager, click Tools, and then click Group Policy Management.

4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, right-click Default Domain Policy, and then click Edit.
5. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Public Key Policies, and then click
Trusted Root Certification Authorities.
6. Right-click Trusted Root Certification Authorities, and then click Import.
7. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Next.
8. On the File to Import page, type C:\TREY-DC1.TreyResearch.net_TreyResearchCA.crt, and
then click Next.
9. On the Certificate Store page, click Place all certificates in the following store, select
Trusted Root Certification Authorities, and then click Next.
10. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close
the success message.
11. Close the Group Policy Management Editor.
12. Close Group Policy Management.
13. On TREY-DC1, open File Explorer, and then browse to \\LON-DC1\CertEnroll.
14. Right-click LON-DC1.Adatum.com_AdatumCA.crt, and then click Install Certificate.
15. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click
Local Machine, and then click Next.
16. On the Certificate Store page, click Place all certificates in the following store, and then click
Browse.
17. In the Select Certificate Store window, click Trusted Root Certification Authorities, and then
click OK.
18. On the Certificate Store page, click Next.
19. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to close
the success message.
20. Close File Explorer.
21. On LON-SVR1, on the taskbar, click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
23. Close Windows PowerShell.
24. On LON-SVR2, on the taskbar, click Windows PowerShell.
25. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
26. Close Windows PowerShell.

Note: If you obtain certificates from a trusted certification authority, you do not need to configure a
certificate trust between the organizations.

► Task 3: Create a DNS record for AD FS in TreyResearch.net


1. On TREY-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand TREY-DC1, expand Forward Lookup Zones, and then click
TreyResearch.net.
3. Right-click TreyResearch.net, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adfs.
5. In the IP address box, type 172.16.10.10, and then click Add Host.
6. In the DNS window, click OK, and then click Done.
7. Close the DNS Manager.

► Task 4: Create a certificate for AD FS


1. On TREY-DC1, in Server Manager, click Tools and click Internet Information Services (IIS)
Manager.
2. If necessary, in the prompt for connecting to Microsoft Web Platform components, select the Do
not show this message check box, and then click No.
3. In IIS Manager, click TREY-DC1 (TREYRESEARCH\Administrator), and then double-click
Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. In the Create Certificate window on the Distinguished Name Properties page, enter the following,
and then click Next:
• Common name: adfs.TreyResearch.net
• Organization: Trey ResearchXYZ
• Organizational unit: IT
• City/locality: London
• State/Province: England
• Country/region: GB
6. On the Online Certification Authority page, click Select.
7. In the Select Certification Authority window, click TreyResearchCA, and then click OK.
8. On the Online Certification Authority page, in the Friendly name box, type
adfs.TreyResearch.net, and then click Finish.
9. Close IIS Manager.

► Task 5: Create a service account


1. On TREY-DC1, open a Windows PowerShell prompt.
2. At the Windows PowerShell prompt, type New-ADUser -Name adfsService, and then press
Enter.
3. Type Set-ADAccountPassword adfsService, and then press Enter.
4. At the Password prompt, press Enter.

5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.

► Task 6: Install AD FS for TreyResearch.net


1. On TREY-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select Installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click Select a server from the server pool, click TREY-
DC1.TreyResearch.net, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box,
and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.

► Task 7: Configure AD FS for TreyResearch.net


1. On TREY-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page, click
Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
TREYRESEARCH\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select
adfs.TreyResearch.net.
5. In the Federation Service Display Name box, type Trey ResearchXYZ, and then click Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.
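Before Task 8 imports the Trey Research metadata, this added check (not part of the lab guide) confirms from LON-DC1 that Tasks 1, 2 and 7 produced what the claims-provider trust depends on: adfs.treyresearch.net resolves through the conditional forwarder, the service answers on port 443, and its certificate chains to the TreyResearchCA root imported through Group Policy. Host names and addresses are the lab's; the function name is mine.

```powershell
# Added example, not part of the lab guide. Run on LON-DC1 after Scenario B, Task 7.
function Test-PartnerFederationPrereqs {
    param(
        [string]$FederationHost  = 'adfs.treyresearch.net',   # partner AD FS name (Task 3)
        [string]$ExpectedAddress = '172.16.10.10'             # TREY-DC1, reached via the Task 1 forwarder
    )
    $ok = $true

    # 1. Name resolution: the conditional forwarder for TreyResearch.net must answer.
    $records   = @(Resolve-DnsName -Name $FederationHost -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' })
    $addresses = @($records | ForEach-Object { $_.IPAddress })
    if ($addresses -contains $ExpectedAddress) {
        Write-Host "DNS: $FederationHost -> $ExpectedAddress"
    } else {
        Write-Warning "DNS: $FederationHost resolved to '$($addresses -join ', ')', expected $ExpectedAddress"
        $ok = $false
    }

    # 2. TLS: connect, take the server certificate, and validate its chain locally.
    #    The callback accepts any certificate so it can be inspected; the verdict is made below.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($FederationHost, 443)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($FederationHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        Write-Host ("TLS: subject '{0}' issued by '{1}', valid until {2:d}" -f $remote.Subject, $remote.Issuer, $remote.NotAfter)

        # Name match: the certificate created in Task 4 is for adfs.TreyResearch.net.
        if ($remote.Subject -notmatch ('CN=' + [regex]::Escape($FederationHost))) {
            Write-Warning "TLS: certificate subject does not name $FederationHost"
            $ok = $false
        }

        # Root trust is what Task 2 established. Revocation checking is left out here so that an
        # unreachable lab CRL does not mask the result; keep it on outside the lab.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($remote)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            Write-Host "Chain: trusted, root '$($root.Subject)'"
        } else {
            foreach ($status in $chain.ChainStatus) {
                Write-Warning "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
            }
            $ok = $false
        }
    } catch {
        Write-Warning "TLS: could not connect to ${FederationHost}:443 - $($_.Exception.Message)"
        $ok = $false
    } finally {
        $client.Close()
    }
    return $ok
}

Test-PartnerFederationPrereqs
```

A chain failure here means Task 8 would also fail to import the metadata, or would import it with the "Disable certificate chain validation" style shortcut; fix the root trust instead.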

► Task 8: Add a claims-provider trust for the TreyResearch.net AD FS server


1. On LON-DC1, in Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Claims
Provider Trusts.
3. In the Actions pane, click Add Claims Provider Trust.
4. In the Add Claims Provider Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the claims provider published
online or on a local network.
6. In the Federation metadata address (host name or URL) box, type
https://adfs.treyresearch.net, and then click Next.
7. On the Specify Display Name page, in the Display name box, type Trey ResearchXYZ, and
then click Next.
8. On the Ready to Add Trust page, review the claims-provider trust settings, and then click Next
to save the configuration.
9. On the Finish page, select the Open the Edit Claim Rules dialog for this claims provider
trust when the wizard closes check box, and then click Close.
10. In the Edit Claim Rules for Trey Research window, on the Acceptance Transform Rules tab,
click Add Rule.
11. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
12. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account nameXYZ.
13. In the Incoming claim type drop-down list, select Windows account name.
14. Select Pass through all claim values, and then click Finish.
15. In the pop-up window, click Yes to acknowledge the warning.
16. In the Edit Claim Rules for Trey Research window, click OK, and then close the AD FS
management console.

► Task 9: Configure a relying party trust in TreyResearch.net for the Adatum.com application
1. On TREY-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and then click
Next.

7. On the Specify Display Name page, in the Display name text box, type A. Datum
CorporationXYZ, and then click Next.
8. On the Configure Multi-Factor Authentication Now page, click I do not want to configure
multi-factor authentication settings for this relying party trust at this time, and then click
Next.
9. On the Choose Issuance Authorization Rules page, select Permit all users to access this
relying party, and then click Next.
10. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next to
save the configuration.
11. On the Finish page, select the Open the Edit Claim Rules dialog box for the relying party
trust when the wizard closes check box, and then click Close.
12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform Rules
tab, click Add Rule.
13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account nameXYZ.
15. In the Incoming claim type drop-down list, select Windows account name.
16. Click Pass through all claim values, click Finish, and then click OK.
17. Close the AD FS management console.

► Task 10: Test access to the application


1. On TREY-DC1, open Internet Explorer.
2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
3. On the A. Datum Corporation page, click Trey Research.
4. In the Windows Security dialog box, sign in as TreyResearch\April with the password
Pa$$w0rd.
5. After the application loads, close Internet Explorer.
6. Open Internet Explorer.
7. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
8. In the Windows Security dialog box, sign in as TreyResearch\April with the password
Pa$$w0rd.
9. Close Internet Explorer.

Deliverable 4. Capture a screenshot showing the result of step 8.


Note: You are not prompted for a home realm on the second access. Once users have selected a
home realm and have been authenticated by a realm authority, they are issued a _LSRealm cookie by
the relying-party's federation server. The default lifetime for the cookie is 30 days. Therefore, to sign in
multiple times, you should delete that cookie after each logon attempt to return to a clean state.

► Task 11: Configure issuance authorization rules


1. On TREY-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. Right-click A. Datum CorporationXYZ, and then click Edit Claim Rules.
4. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Authorization Rules
tab, click Permit Access to All Users, and then click Remove Rule.
5. Click Yes to confirm deleting the claim rule.
6. Click Add Rule.
7. In the Add Issuance Authorization Claim Rules Wizard, on the Select Rule Template page, in the
Claim rule template box, select Permit or Deny Users Based on an Incoming Claim, and
then click Next.
8. On the Configure Rule page, in the Claim rule name box, type Allow Production
MembersXYZ.
9. In the Incoming claim type box, select Group.
10. In the Incoming claim value box, type TreyResearch-ProductionXYZ.
11. Click Permit access to users with the incoming claim, and then click Finish.
12. In the Edit Claim Rules for A. Datum Corporation window, click OK.
13. In the AD FS management console, click Claims Provider Trusts, right-click Active Directory,
and then click Edit Claim Rules.
14. In the Edit Claim Rules for Active Directory window, click Add Rule.
15. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Send Group Membership as a Claim, and then click Next.
16. On the Configure Rule page, in the Claim rule name box, type Production Group ClaimXYZ.
17. To set the User's group, click Browse, type Production, and then click OK.
18. In the Outgoing claim type box, select Group.
19. In the Outgoing claim value box, type TreyResearch-ProductionXYZ, and then click Finish.
20. In the Edit Claim Rules for Active Directory window, click OK.
21. Close the AD FS management console.
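The relying party trust from Task 9 and the authorization and group-claim rules from Task 11, written as one PowerShell script for TREY-DC1 (an added example, not part of the lab guide). It assumes the ADFS and ActiveDirectory modules are available on TREY-DC1 and that adfs.adatum.com publishes its metadata at the standard AD FS path; the trust is created directly with the group-restricted rule instead of the permit-all rule that Task 11 later removes.

```powershell
# Added example (not part of the lab guide): Tasks 9 and 11 with the ADFS module.
# Run in an elevated PowerShell session on TREY-DC1 (the partner's AD FS server).
Import-Module ADFS

$rpName = 'A. Datum CorporationXYZ'
# Task 9, steps 5-6: import partner metadata published by adfs.adatum.com.
# Assumption: the standard AD FS metadata path (the wizard only asked for the host).
$metadataUrl = 'https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Task 9, steps 12-16: pass the Windows account name claim through unchanged.
$passThroughRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account nameXYZ"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Task 11, steps 4-11: instead of "Permit Access to All Users", permit only users
# whose token carries the Group claim value TreyResearch-ProductionXYZ.
$permitProductionRule = @'
@RuleTemplate = "Authorization"
@RuleName = "Allow Production MembersXYZ"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)TreyResearch-ProductionXYZ$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $passThroughRule `
    -IssuanceAuthorizationRules $permitProductionRule

# Task 11, steps 13-20: on the Active Directory claims provider trust, turn membership
# of the Production group (matched by SID, as the "Send Group Membership as a Claim"
# template does) into the Group claim value the authorization rule above expects.
$productionSid = (Get-ADGroup -Identity 'Production').SID.Value
$groupClaimRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Production Group ClaimXYZ"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$productionSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "TreyResearch-ProductionXYZ", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Append the new rule to the existing acceptance rules rather than replacing them.
$adTrust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`n" + $groupClaimRule)

# Check: the relying party should now carry only the group-based authorization rule.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Task 12 can then be run unchanged: April (not in Production) is denied and Ben (in Production) is permitted, because the permit claim is issued only when the Group claim is present.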

► Task 12: Test the application of issuance authorization rules


1. On TREY-DC1, open Internet Explorer.


2. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
3. In the Windows Security dialog box, sign in as TreyResearch\April with the password Pa$$w0rd.
4. Verify that you cannot access the application because April is not a member of the production
group.

Deliverable 5. Capture a screenshot showing the result of step 4.

5. Close Internet Explorer.


6. Open Internet Explorer.
7. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
8. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password Pa$$w0rd.
9. Verify that you can access the application because Ben is a member of the production group.

Deliverable 6. Capture a screenshot showing the result of step 9.

10. Close Internet Explorer.

Results: After completing this exercise, you will have configured access for a claims-aware
application in a partner organization.


EXERCISE 2: Configuring the Web application

Scenario

The third scenario in the implementation of the AD FS application proof of concept is increasing
the security of AD FS authentication. To do this, you will implement an AD FS proxy for AD FS
and a reverse proxy for the application.
You will implement the proxy for the Web application.

The main tasks for this exercise are as follows:


 Install and configure Web Application Proxy
 Add the certificates
 Test Web Application Proxy

► Task 1: Install Web Application Proxy


1. On LON-SVR2, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click LON-SVR2.Adatum.com, and then click Next.
5. On the Select server roles page, expand Remote Access, select the Web Application Proxy
check box, and then click Next.
6. On the Select features page, click Next.
7. On the Confirm installation selections page, click Install.
8. On the Installation progress page, click Close.

► Task 2: Add the adfs.adatum.com certificate to LON-SVR2


1. On LON-DC1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.
5. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand
Personal, and then click Certificates.
8. Right-click adfs.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.


14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close
the success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click
Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear
the success message.

Deliverable 7. Capture a screenshot showing the Personal -> Certificates branch with the list of
certificates.

32. Close the Microsoft Management Console and do not save the changes.

► Task 3: Add the LON-SVR1.adatum.com certificate to LON-SVR2


1. On LON-SVR1, on the Start screen, type mmc, and then press Enter.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
4. In the Certificates snap-in window, click Computer account, and then click Next.


5. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand
Personal, and then click Certificates.
8. Right-click lon-svr1.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\lon-svr1.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close
the success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-SVR1\c$\lon-svr1.pfx, and then
click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear
the success message.

Deliverable 8. Capture a screenshot showing the Personal -> Certificates branch with the list of
certificates.


32. Close the Microsoft Management Console and do not save the changes.
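Tasks 2 and 3 are the same export/import procedure for two certificates; the script below does both from LON-SVR2 with the PKI cmdlets (an added example, not part of the lab guide). It assumes PowerShell remoting (WinRM) is enabled on LON-DC1 and LON-SVR1 and that the admin shares \\LON-DC1\c$ and \\LON-SVR1\c$ are reachable, as the wizard steps already require; the Copy-ServerCertificate function name and the clean-up of the .pfx file are additions.

```powershell
# Added example (not part of the lab guide): Tasks 2 and 3 as one reusable function.
# Run in an elevated PowerShell session on LON-SVR2.
function Copy-ServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $SourceComputer,   # e.g. LON-DC1
        [Parameter(Mandatory)] [string] $DnsName,          # e.g. adfs.adatum.com
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $pfxName = "$DnsName.pfx"

    # Steps 1-15: on the source server, find the certificate in LocalMachine\Personal
    # (Cert:\LocalMachine\My) and export it together with its private key.
    Invoke-Command -ComputerName $SourceComputer -ScriptBlock {
        param($DnsName, $PfxName, $PfxPassword)
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$DnsName*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for $DnsName" }
        Export-PfxCertificate -Cert $cert -FilePath "C:\$PfxName" -Password $PfxPassword | Out-Null
    } -ArgumentList $DnsName, $pfxName, $PfxPassword

    # Steps 17-31: import into LON-SVR2's Personal store over the admin share.
    # -Exportable mirrors the "Mark this key as exportable" check box in the lab.
    $imported = Import-PfxCertificate -FilePath "\\$SourceComputer\c$\$pfxName" `
        -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword -Exportable

    # Not in the lab: remove the PFX (it contains the private key) once it is in the store.
    Remove-Item "\\$SourceComputer\c$\$pfxName"
    return $imported
}

$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Copy-ServerCertificate -SourceComputer 'LON-DC1'  -DnsName 'adfs.adatum.com'     -PfxPassword $pfxPwd
Copy-ServerCertificate -SourceComputer 'LON-SVR1' -DnsName 'lon-svr1.adatum.com' -PfxPassword $pfxPwd

# Deliverables 7 and 8: list the Personal store and confirm both certificates are present
# with their private keys.
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```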

► Task 4: Configure Web Application Proxy


1. On LON-SVR2, in the Server Manager, click the Notifications icon, and then click Open the
Web Application Proxy Wizard.
2. In the Web Application Proxy Wizard, on the Welcome page, click Next.
3. On the Federation Server page, enter the following, and then click Next:
 Federation service name: adfs.adatum.com
 User name: Adatum\Administrator
 Password: Pa$$w0rd
4. On the AD FS Proxy Certificate page, in the Select a certificate to be used by the AD FS
proxy box, select adfs.adatum.com, and then click Next.
5. On the Confirmation page, click Configure.
6. On the Results page, click Close.
7. The Remote Access Management Console opens automatically. Leave it open for the next task.

► Task 5: Configure the test application in Web Application Proxy


1. On LON-SVR2, in the Remote Access Management Console, click Web Application Proxy.
2. In the Tasks pane, click Publish.
3. In the Publish New Application Wizard, on the Welcome page, click Next.
4. On the Preauthentication page, click Active Directory Federation Services (AD FS), and then
click Next.
5. On the Relying Party page, click A. Datum Test AppXYZ, and then click Next.
6. On the Publishing Settings page, in the Name box, type A. Datum Test AppXYZ.
7. In the External URL box, type https://lon-svr1.adatum.com/adatumtestapp/.
8. In the External certificate box, select lon-svr1.adatum.com.
9. In the Backend server URL box, type https://lon-svr1.adatum.com/adatumtestapp/, and then
click Next.
10. On the Confirmation page, click Publish.
11. On the Results page, click Close.
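Tasks 1, 4 and 5 with the WebApplicationProxy cmdlets on LON-SVR2 (an added example, not part of the lab guide). It assumes the adfs.adatum.com and lon-svr1.adatum.com certificates from Tasks 2 and 3 are already in the LocalMachine\Personal store; the Get-ServerCertThumbprint helper is an addition that selects the certificate the wizard's drop-down boxes would show.

```powershell
# Added example (not part of the lab guide): Tasks 1, 4 and 5 on LON-SVR2.
# Run in an elevated PowerShell session.

# Task 1: install the Web Application Proxy role service (under Remote Access).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Helper (added): thumbprint of the newest certificate with a private key for a DNS name.
function Get-ServerCertThumbprint([string] $DnsName) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$DnsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "Certificate for $DnsName not found in LocalMachine\My" }
    return $cert.Thumbprint
}

# Task 4: establish the proxy trust with the federation service. The credential is
# used once to create the trust and is not stored on the proxy.
$fsCred = Get-Credential -UserName 'Adatum\Administrator' -Message 'Federation service trust credential'
Install-WebApplicationProxy -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential $fsCred `
    -CertificateThumbprint (Get-ServerCertThumbprint 'adfs.adatum.com')

# Task 5: publish the test application with AD FS pre-authentication. The relying
# party name must match the trust configured earlier on the AD FS server, so the
# proxy only forwards requests that carry a token issued for that relying party.
Add-WebApplicationProxyApplication -Name 'A. Datum Test AppXYZ' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test AppXYZ' `
    -ExternalUrl 'https://lon-svr1.adatum.com/adatumtestapp/' `
    -ExternalCertificateThumbprint (Get-ServerCertThumbprint 'lon-svr1.adatum.com') `
    -BackendServerUrl 'https://lon-svr1.adatum.com/adatumtestapp/'

# Check: the published application should show ADFS pre-authentication and the
# external and backend URLs used in the lab.
Get-WebApplicationProxyApplication |
    Format-List Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```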

► Task 6: Test Web Application Proxy


1. On TREY-DC1, on the Start screen, type Notepad.
2. Right-click Notepad, and then click Run as administrator.
3. In Notepad, click File, and then click Open.
4. In the File name box, type C:\Windows\System32\Drivers\etc\hosts, and then click Open.
5. At the bottom of the file, add the following two lines, click File, and then click Save:


 172.16.0.22 adfs.adatum.com
 172.16.0.22 lon-svr1.adatum.com
6. Close Notepad.
7. Open Internet Explorer.
8. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
9. In the Windows Security dialog box, sign in as TreyResearch\Ben with the password Pa$$w0rd.
10. After the application loads, close Internet Explorer.

Deliverable 9. Capture a screenshot showing the result of step 9.

Note: You edit the hosts file to force TREY-DC1 to access the application through Web Application Proxy.
In a production environment, you would do this by using split DNS.

Results: After completing this exercise, you will have configured Web Application Proxy to secure
access to AdatumTestApp from the Internet.


CHALLENGE

Space designated for the evidence of the proposed challenge.


► Task 7: To Prepare for the Next Module

1. Return the virtual machines to the "snapshot" created before starting the lab.


Conclusions:
State the conclusions you reached after the topics covered in practice in this lab.


Networks and Data Communications

Rubric

Outcome: 1. "Students implement and maintain computer networks and data telecommunications
systems, providing security for the media involved, applying modern techniques and tools."

Performance criterion: 1.3. Develops IT security solutions in information processing and
transfer environments.

Course: Advanced Operating Systems Administration     Period: 2018-1
Activity: AD FS Implementation                        Semester: 4
Student name: <Fill in>                               Week: 13
Instructor: C. Arce Z.     Date: <Fill in>            Section: <A or B>

Criteria to evaluate                                | Excellent | Good  | Needs improvement | Not acceptable | Score achieved
AD FS installation and configuration                | 5         | 4     | 3                 | 2-0            |
Configuration of an internal application for AD FS  | 5         | 4     | 3                 | 2-0            |
Configuration of AD FS for a federated partner      | 5         | 4     | 3                 | 2-0            |
Configuration of a proxy for a Web application      | 5         | 4     | 3                 | 2-0            |
Total                                               | 20-17     | 16-13 | 12-9              | 8-0            |

Additional
 Bonus +

 Penalty -

Final score

Comment to the student or students

Description
Excellent: Demonstrates a complete understanding of the problem or carries out the activity
meeting all of the specified requirements.
Good: Demonstrates a considerable understanding of the problem or carries out the activity
meeting most of the specified requirements.
Needs improvement: Demonstrates a low understanding of the problem or carries out the activity
meeting few of the specified requirements.
Not acceptable: Does not demonstrate understanding of the problem or of the activity.
