Objectives:
On completing the lab the student will be able to:
Install and configure AD FS
Configure an internal application for AD FS
Configure AD FS for a federated partner
Configure a web application for external users
Safety:
Leave briefcases and/or backpacks in the cabinet at the back of the lab room or in the lockers
assigned to the student.
Do not bring liquids or food into the lab room.
At the end of the lab session shut down the computer and the monitor correctly and tidy the chairs
that were used.
Equipment and materials:
DVD:
Windows Server 2012 (the AD FS configuration wizard, the group Managed Service Account option and
Web Application Proxy used in the procedure below ship with Windows Server 2012 R2)
Procedure:
Scenario A
A. Datum has established a number of business relationships with other companies and customers. Some
of these companies and customers need to access company applications that run on the A. Datum
network. A. Datum wants to provide the maximum level of functionality and access to the other
companies. The security and operations departments want to ensure that partners and customers can
access only the resources they are entitled to.
A. Datum is also working on migrating parts of its network infrastructure to Microsoft Online
services, including Windows Azure and Office 365.
To meet these requirements, A. Datum plans to deploy AD FS. In the initial deployment the company
plans to use AD FS to implement SSO for internal users who access an application on a web server.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1 and
LON-CL1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.
Scenario
► Task 3: Install AD FS
1. On LON-DC1, in the Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installation, and then
click Next.
4. On the Select destination server page, click Select a server from the server pool, click
LON-DC1.Adatum.com, and then click Next.
5. On the Select server roles page, select the Active Directory Federation Services check box,
and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Federation Services (AD FS) page, click Next.
8. On the Confirm installation selections page, click Install.
9. When the installation is complete, click Close.
► Task 4: Configure AD FS
1. On LON-DC1, in the Server Manager, click the Notifications icon, and then click Configure the
federation service on this server.
2. In the Active Directory Federation Services Configuration Wizard, on the Welcome page,
click Create the first federation server in a federation server farm, and then click Next.
3. On the Connect to Active Directory Domain Services page, click Next to use
Adatum\Administrator to perform the configuration.
4. On the Specify Service Properties page, in the SSL Certificate box, select adfs.adatum.com.
5. In the Federation Service Display Name box, type A. Datum Corporation, and then click Next.
6. On the Specify Service Account page, click Use an existing domain user account or group
Managed Service Account.
7. Click Select, type adfsService, and then click OK.
8. In the Account Password box, type Pa$$w0rd, and then click Next.
9. On the Specify Configuration Database page, click Create a database on this server using
Windows Internal Database, and then click Next.
10. On the Review Options page, click Next.
11. On the Pre-requisite Checks page, click Configure.
12. On the Results page, click Close.
Note: The adfs.adatum.com certificate was preconfigured for this task. In your own environment, you
need to obtain a certificate whose subject or subject alternative name matches the Federation Service
name, issued by a certification authority that every client and partner trusts.
Results: In this exercise, you installed and configured AD FS. You also verified that it is functioning by
viewing the contents of the FederationMetadata.xml file, which AD FS publishes at
https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml.
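The same installation and configuration (Tasks 3 and 4) from PowerShell, followed by the metadata check that the Results paragraph refers to. This is an added example, not part of the original lab. It assumes what the lab provides: the adfs.adatum.com certificate is already in the computer's Personal store on LON-DC1 and the Adatum\adfsService account exists. The subject-name lookup and the parsing of the metadata are ours.

```powershell
# Added example, not from the original lab. Run in an elevated PowerShell session on LON-DC1
# as Adatum\Administrator (Windows Server 2012 R2 ADFS module).

# Task 3: install the AD FS role. ADFS-Federation is the feature name behind the wizard's
# "Active Directory Federation Services" check box.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Task 4, step 4: pick the SSL certificate by subject name instead of hard-coding a thumbprint.
# The certificate must carry a private key and its name must match the Federation Service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=adfs.adatum.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for adfs.adatum.com with a private key in LocalMachine\My' }

# Task 4, steps 6-8: the service account. Prompting keeps Pa$$w0rd out of the console history.
# With a group Managed Service Account you would pass -GroupServiceAccountIdentifier instead
# and no password at all.
$svcCred = Get-Credential -UserName 'Adatum\adfsService' -Message 'AD FS service account password'

# Task 4, steps 2-12: first federation server of a new farm, configuration stored in Windows
# Internal Database (the default when no -SQLConnectionString is given).
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceDisplayName 'A. Datum Corporation' `
    -ServiceAccountCredential $svcCred

# Verification: the federation metadata must be reachable over HTTPS with the certificate
# chosen above and must advertise the token-signing certificate that relying parties will trust.
$metadataUrl = 'https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml'
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

"entityID            : $($md.EntityDescriptor.entityID)"
$sts = @($md.EntityDescriptor.RoleDescriptor) |
    Where-Object { $_.GetAttribute('xsi:type') -like '*SecurityTokenServiceType' }
$signingKeys = @($sts.KeyDescriptor | Where-Object { $_.use -eq 'signing' })
"token-signing certs : $($signingKeys.Count)"
foreach ($k in $signingKeys) {
    # The metadata carries the certificate as base64 DER; decode it to read subject and expiry.
    $raw  = [Convert]::FromBase64String($k.KeyInfo.X509Data.X509Certificate)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    "  $($x509.Subject)  thumbprint $($x509.Thumbprint)  expires $($x509.NotAfter)"
}
```

If Invoke-WebRequest fails with a TLS error here, the wizard accepted a certificate that clients do not chain to a trusted root; fix that before adding any relying party, because every partner that imports this metadata will inherit the problem. The thumbprint printed for the token-signing certificate is the value a partner administrator should compare against what their own import shows.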
Scenario
Next.
8. On the Summary page, review the changes that will be made to the sample application by the
Federation Utility Wizard, scroll through the items to understand what each item is doing, and
then click Finish.
9. In the Success window, click OK.
8. In the Incoming claim type drop-down list, click E-Mail Address, and then click Finish.
9. On the Issuance Transform Rules tab, click Add Rule.
10. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
11. In the Claim rule name box, type Pass through UPNXYZ.
12. In the Incoming claim type drop-down list, click UPN, and then click Finish.
13. On the Issuance Transform Rules tab, click Add Rule.
14. In the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then
click Next.
15. In the Claim rule name box, type Pass through NameXYZ.
16. In the Incoming claim type drop-down list, click Name, and then click Finish.
17. On the Issuance Transform Rules tab, click OK.
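Steps 8 to 17 written in the AD FS claim rule language and applied with the ADFS module on LON-DC1, plus an issuance authorization rule that is tighter than the wizard's "Permit all users". This is an added example, not code from the original lab. Two things on it are assumptions because this page does not show them: the relying party trust for the application is taken to be named 'A. Datum Test App', and the AD group 'AdatumTestApp Users' is hypothetical.

```powershell
# Added example, not from the original lab. Run on LON-DC1 in an elevated session.
# Assumptions: trust name 'A. Datum Test App' and group 'AdatumTestApp Users' are not on this page.
Import-Module ADFS
$rpName = 'A. Datum Test App'

# Standard claim type URIs behind the wizard's "E-Mail Address", "UPN" and "Name" entries.
$claimTypes = [ordered]@{
    'E-Mail Address' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'UPN'            = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'Name'           = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}

# "Pass Through or Filter an Incoming Claim": c matches the incoming claim and issue(claim = c)
# copies it unchanged into the token. One rule per step 8, 12 and 16.
$transformRules = foreach ($entry in $claimTypes.GetEnumerator()) {
@"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through $($entry.Key)XYZ"
c:[Type == "$($entry.Value)"]
 => issue(claim = c);

"@
}
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($transformRules -join '')

# Authorization. "Permit all users to access this relying party" in the wizard is this one rule,
# which issues the permit claim to anyone who authenticated and leaves all authorization to the app:
#   @RuleTemplate = "AllowAllAuthzRule"
#    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
# Tighter alternative: permit only members of one group, matched on the group SID claim (a group
# can be renamed, its SID cannot). Users without a permit claim are refused by AD FS itself.
$groupSid = (Get-ADGroup -Identity 'AdatumTestApp Users').SID.Value
$permitGroup = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit AdatumTestApp Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitGroup

# Review what is now on the trust: identifier, transform rules, authorization rules.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
$trust | Select-Object Name, Identifier
$trust.IssuanceTransformRules
$trust.IssuanceAuthorizationRules
```

The group-based authorization rule is the kind of control the scenario's security department asks for: the federation service, not the application, decides who may obtain a token for it, and the decision is logged in the AD FS event log.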
Note: It is critical to use the trailing slash in the URL for step 2. AD FS matches the identifier that the
application sends against the relying party trust's identifier as an exact string, so the URL without
the slash does not match the trust created with it and the request fails.
3. In the Windows Security window, sign in as Adatum\Brad with the password Pa$$w0rd.
4. Review the claim information that the application displays.
5. Close Internet Explorer.
► Task 7: Configure Internet Explorer to pass local credentials to the application automatically
1. On LON-CL1, on the Start screen, type Internet Options, and then click Internet Options.
2. In the Internet Properties window, on the Security tab, click Local intranet, and then click Sites.
3. In the Local intranet window, click Advanced.
4. In the Local intranet window, in the Add this website to the zone box, type
https://adfs.adatum.com, and then click Add.
5. In the Add this website to the zone box, type https://lon-svr1.adatum.com, click Add, and
then click Close.
6. In the Local intranet window, click OK.
7. In the Internet Properties window, click OK.
8. On LON-CL1, open Internet Explorer.
9. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/AdatumTestApp/, and
then press Enter. The application should load without prompting for credentials.
Note: It is critical to use the trailing slash in the URL for step 9.
Results: After completing this exercise, you will have configured AD FS to support authentication for
an application.
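Task 7 as a script for LON-CL1. This is an added example, not part of the original lab. Internet Options stores zone assignments under the ZoneMap\Domains registry key; the value name is the URL scheme and the data 1 means Local intranet. The Local intranet zone is the only zone in which Internet Explorer sends the signed-in user's Windows credentials without prompting, which is why the list should contain only hosts you operate and only over https. In production the same list is pushed with the "Site to Zone Assignment List" Group Policy rather than edited per user; when that policy is in force these per-user entries are ignored.

```powershell
# Added example, not from the original lab. Run on LON-CL1 as the user who will browse.
$intranetSites = @{
    'adatum.com' = @('adfs', 'lon-svr1')   # parent domain -> host labels from Task 7 steps 4 and 5
}
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

foreach ($domain in $intranetSites.Keys) {
    foreach ($label in $intranetSites[$domain]) {
        $key = Join-Path $zoneMap "$domain\$label"
        New-Item -Path $key -Force | Out-Null
        # Only 'https' is mapped: plain http to the same hosts stays in the Internet zone and
        # therefore never receives credentials automatically.
        New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Check what the client will now treat as intranet (the same data the Local intranet > Sites
# dialog shows). Zone 1 = Local intranet.
Get-ChildItem $zoneMap -Recurse | Where-Object { $_.Property -contains 'https' } | ForEach-Object {
    $relative = ($_.Name -replace '.*\\Domains\\', '') -replace '\\', '.'
    [pscustomobject]@{
        Site = $relative -replace '^(.*)\.([^.]+)$', '$2.$1'   # adatum.com.adfs -> adfs.adatum.com
        Zone = (Get-ItemProperty -Path $_.PSPath).https
    }
}
```

After running it, steps 8 and 9 should load https://lon-svr1.adatum.com/AdatumTestApp/ with no Windows Security prompt; a prompt means either the host is not in zone 1 or the AD FS endpoint is not offering Windows authentication.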
Scenario B
A. Datum has established a number of business relationships with other companies and customers. Some
of these companies and customers need to access company applications that run on the A. Datum
network. A. Datum wants to provide the maximum level of functionality and access to the other
companies. The security and operations departments want to ensure that partners and customers can
access only the resources they are entitled to.
A. Datum is also working on migrating parts of its network infrastructure to Microsoft Online
services, including Windows Azure and Office 365.
Now that AD FS has been deployed for internal users, the next step is to enable access to the same
application for partner companies and for external users. A. Datum has entered into a relationship
with Trey Research and therefore needs to ensure that Trey Research users can access the internal
application. It also needs to ensure that A. Datum users who work outside the office can access the
application.
Lab Setup
3. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.
Scenario
Note: In a production environment, it is likely that you would use Internet DNS instead of conditional
forwarders.
Note: If you obtain certificates from a trusted certification authority, you do not need to configure a
certificate trust between the organizations.
5. At the second Password prompt, type Pa$$w0rd, and then press Enter.
6. At the Repeat Password prompt, type Pa$$w0rd, and then press Enter.
7. Type Enable-ADAccount adfsService, and then press Enter.
8. Close the Windows PowerShell prompt.
► Task 9: Configure a relying party trust in TreyResearch.net for the Adatum.com application
1. On TREY-DC1, in the Server Manager, click Tools, and then click AD FS Management.
2. In the AD FS management console, expand Trust Relationships, and then click Relying Party
Trusts.
3. In the Actions pane, click Add Relying Party Trust.
4. In the Add Relying Party Trust Wizard, on the Welcome page, click Start.
5. On the Select Data Source page, click Import data about the relying party published online
or on a local network.
6. In the Federation metadata address (host or URL) box, type adfs.adatum.com, and then click
Next.
7. On the Specify Display Name page, in the Display name text box, type A. Datum
CorporationXYZ, and then click Next.
8. On the Configure Multi-Factor Authentication Now page, click I do not want to configure
multi-factor authentication settings for this relying party trust at this time, and then click
Next.
9. On the Choose Issuance Authorization Rules page, select Permit all users to access this
relying party, and then click Next.
10. On the Ready to Add Trust page, review the relying-party trust settings, and then click Next to
save the configuration.
11. On the Finish page, select the Open the Edit Claim Rules dialog box for the relying party
trust when the wizard closes check box, and then click Close.
12. In the Edit Claim Rules for A. Datum Corporation window, on the Issuance Transform Rules
tab, click Add Rule.
13. In the Add Transform Claim Rule Wizard, on the Select Rule Template page, in the Claim rule
template box, select Pass Through or Filter an Incoming Claim, and then click Next.
14. On the Configure Rule page, in the Claim rule name box, type Pass through Windows
account nameXYZ.
15. In the Incoming claim type drop-down list, select Windows account name.
16. Click Pass through all claim values, click Finish, and then click OK.
17. Close the AD FS management console.
Note: You are not prompted for a home realm on the second access. Once users have selected a
home realm and have been authenticated by a realm authority, they are issued a _LSRealm cookie by
the relying-party's federation server. The default lifetime for the cookie is 30 days. Therefore, to sign in
multiple times, you should delete that cookie after each logon attempt to return to a clean state.
Results: After completing this exercise, you will have configured access for a claims-aware
application in a partner organization.
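Task 9 on TREY-DC1 with the ADFS module, as an added example that is not part of the original lab: the relying party trust for A. Datum's federation service is created from the published metadata (steps 5 and 6), the Windows account name pass-through rule is added (steps 12 to 16), and the trust is inspected before users are sent to it. The matching claims provider trust for TreyResearch.net on LON-DC1 belongs to the other half of this exercise and is not shown here; the metadata URL path is the standard AD FS one.

```powershell
# Added example, not from the original lab. Run on TREY-DC1 in an elevated session.
Import-Module ADFS

$metadataUrl = 'https://adfs.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Steps 12-16: forward the Windows account name claim unchanged.
$passThroughWindowsAccount = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account nameXYZ"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Step 9, "Permit all users to access this relying party", exactly as the wizard writes it.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 5-11. -MonitoringEnabled/-AutoUpdateEnabled keep the trust in sync with the partner's
# metadata (certificate rollover, endpoint changes) instead of a one-time import.
Add-AdfsRelyingPartyTrust `
    -Name 'A. Datum CorporationXYZ' `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $passThroughWindowsAccount `
    -IssuanceAuthorizationRules $permitAll `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# The import trusts whatever the metadata said. The fetch was over TLS, so that trust is only as
# good as the DNS answer for adfs.adatum.com (the conditional forwarder) and the certificate
# chain (the root certificate configured earlier). Confirm identifier, endpoint and certificates
# against what the A. Datum administrator reports before sending users there.
$trust = Get-AdfsRelyingPartyTrust -Name 'A. Datum CorporationXYZ'
[pscustomobject]@{
    Identifier            = ($trust.Identifier -join ', ')
    WSFedEndpoint         = $trust.WSFedEndpoint
    EncryptionCertificate = $trust.EncryptionCertificate.Thumbprint
    SigningCertificates   = (@($trust.RequestSigningCertificate) | ForEach-Object Thumbprint) -join ', '
    LastMonitoredTime     = $trust.LastMonitoredTime
}
```

Step 6 in the wizard accepts the bare host name adfs.adatum.com and builds the same metadata URL; the cmdlet wants the full URL. To repeat the sign-in test from the note above, delete the _LSRealm cookie in the browser between attempts, otherwise the home realm prompt does not reappear.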
Scenario
14. On the File to Export page, in the File name box, type C:\adfs.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close
the success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-DC1\c$\adfs.pfx, and then click
Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear
the success message.
Deliverable 7. Capture a screenshot of the Personal -> Certificates branch showing the list of
certificates.
32. Close the Microsoft Management Console and do not save the changes.
5. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
6. In the Add or remove Snap-ins window, click OK.
7. In the Microsoft Management Console, expand Certificates (Local Computer), expand
Personal, and then click Certificates.
8. Right-click lon-svr1.adatum.com, point to All Tasks, and then click Export.
9. In the Certificate Export Wizard, click Next.
10. On the Export Private Key page, click Yes, export the private key, and then click Next.
11. On the Export File Format page, click Next.
12. On the Security page, select the Password check box.
13. In the Password and Confirm password boxes, type Pa$$w0rd, and then click Next.
14. On the File to Export page, in the File name box, type C:\lon-svr1.pfx, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish, and then click OK to close
the success message.
16. Close the Microsoft Management Console and do not save the changes.
17. On LON-SVR2, on the Start screen, type mmc, and then press Enter.
18. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
19. In the Add or Remove Snap-ins window, in the Available snap-ins column, double-click
Certificates.
20. In the Certificates snap-in window, click Computer account, and then click Next.
21. In the Select Computer window, click Local Computer (the computer this console is running
on), and then click Finish.
22. In the Add or remove Snap-ins window, click OK.
23. In the Microsoft Management Console, expand Certificates (Local Computer), and then click
Personal.
24. Right-click Personal, point to All Tasks, and then click Import.
25. In the Certificate Import Wizard, click Next.
26. On the File to Import page, in the File name box, type \\LON-SVR1\c$\lon-svr1.pfx, and then
click Next.
27. On the Private key protection page, in the Password box, type Pa$$w0rd.
28. Select the Mark this key as exportable check box, and then click Next.
29. On the Certificate Store page, click Place all certificates in the following store.
30. In the Certificate store box, select Personal, and then click Next.
31. On the Completing the Certificate Import Wizard page, click Finish, and then click OK to clear
the success message.
Deliverable 8. Capture a screenshot of the Personal -> Certificates branch showing the list of
certificates.
32. Close the Microsoft Management Console and do not save the changes.
172.16.0.22 adfs.adatum.com
172.16.0.22 lon-svr1.adatum.com
6. Close Notepad.
7. Open Internet Explorer.
8. In Internet Explorer, in the address bar, type https://lon-svr1.adatum.com/adatumtestapp/, and
then press Enter.
9. In the Windows Security dialog box, sign in as TreyResearch\Ben with password Pa$$w0rd.
10. After the application loads, close Internet Explorer.
Note: You edit the hosts file so that TREY-DC1 resolves lon-svr1.adatum.com to the Web Application
Proxy and reaches the application through it rather than directly. In a production environment, you
would do this by using split DNS.
Results: After completing this exercise, you will have configured Web Application Proxy to secure
access to AdatumTestApp from the Internet.
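The certificate export on LON-DC1 (steps 8 to 16, and the same on LON-SVR1 for lon-svr1.adatum.com), the import on LON-SVR2 (steps 17 to 32) and the Web Application Proxy publishing that the Results paragraph refers to, as one PowerShell script. This is an added example, not code from the original lab. Two assumptions are not on this page: the Web Application Proxy role is already installed on LON-SVR2, and the relying party trust for the application on LON-DC1 is named 'A. Datum Test App'.

```powershell
# Added example, not from the original lab. Assumptions: WAP role installed on LON-SVR2;
# relying party trust name 'A. Datum Test App' (not shown on this page).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# ----- On LON-DC1 (repeat on LON-SVR1 with 'lon-svr1.adatum.com' and C:\lon-svr1.pfx) -----
function Export-ServerCertificate {
    param([string]$SubjectName, [string]$Path, [securestring]$Password)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $SubjectName" }
    # Fails if the private key was generated non-exportable, which is the right outcome for a
    # production key: copy the certificate, never the key, and enrol the proxy for its own.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password | Out-Null
    $cert.Thumbprint
}
Export-ServerCertificate -SubjectName 'adfs.adatum.com' -Path 'C:\adfs.pfx' -Password $pfxPassword

# ----- On LON-SVR2 -----
# Step 28 ticks "Mark this key as exportable". Leaving -Exportable off keeps the imported key
# non-exportable on the proxy, so a compromised proxy cannot hand the key on to an attacker.
$adfsCert = Import-PfxCertificate -FilePath '\\LON-DC1\c$\adfs.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
$appCert  = Import-PfxCertificate -FilePath '\\LON-SVR1\c$\lon-svr1.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Deliverables 7 and 8: what Personal -> Certificates now contains.
Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint

# Register the proxy with the federation service (this step is not shown in the excerpt above).
# The adfs.adatum.com certificate is the one the proxy presents to external clients for AD FS.
Install-WebApplicationProxy `
    -FederationServiceName 'adfs.adatum.com' `
    -FederationServiceTrustCredential (Get-Credential -UserName 'Adatum\Administrator' -Message 'AD FS admin') `
    -CertificateThumbprint $adfsCert.Thumbprint

# Publish the application with AD FS pre-authentication: the proxy forwards only requests that
# carry a token from adfs.adatum.com for the named relying party, so unauthenticated traffic
# never reaches LON-SVR1. External and backend URLs are the same name because the lab resolves
# lon-svr1.adatum.com to the proxy from outside (hosts file) and to the web server inside.
Add-WebApplicationProxyApplication `
    -Name 'AdatumTestApp' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'A. Datum Test App' `
    -ExternalUrl 'https://lon-svr1.adatum.com/AdatumTestApp/' `
    -BackendServerUrl 'https://lon-svr1.adatum.com/AdatumTestApp/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, ExternalPreauthentication
```

The .pfx files hold private keys protected only by Pa$$w0rd on an administrative share; delete them from C:\ on LON-DC1 and LON-SVR1 once the import has succeeded, and in a real deployment transfer them over a channel you control rather than c$.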
CHALLENGE
1. Revert the virtual machines to the snapshot created before starting the lab.
Conclusions:
State the conclusions you reached after working through the topics covered hands-on in this
lab.
Rubric
Outcome 1. "Students implement and maintain computer networks and data telecommunication systems,
providing security for the media involved, applying modern techniques and tools."

Criteria to evaluate        Excellent   Good   Needs improvement   Not acceptable   Score achieved
Additional
    Bonus +
    Penalty -
Final score
Comment to the student(s)

Description
Excellent           Demonstrates a complete understanding of the problem or performs the activity
                    meeting all the specified requirements.
Good                Demonstrates considerable understanding of the problem or performs the activity
                    meeting most of the specified requirements.
Needs improvement   Demonstrates a low understanding of the problem or performs the activity meeting
                    few of the specified requirements.
Not acceptable      Does not demonstrate understanding of the problem or of the activity.