AD FS Configuring a Relying Party Trust


Welcome to the ITFreeTraining video on configuring a relying party trust in Active Directory Federation Services in Windows Server 2012 R2. Before I get started, let’s have a quick look at the network that has been built in the previous videos and at what I will be doing in this video.

In this video, I will be configuring a relying party trust on the ITFreeTraining Active Directory Federation Server, which is located in the ITFreeTraining domain. The relying party trust is essentially the configuration, on the federation server in the ITFreeTraining domain, that is used to issue the claims that will be sent to the HighCostTraining domain. There is also configuration that needs to be performed on the High Cost Training Active Directory Federation Server; however, that will be covered in a later video when I look at claims provider trusts.

In this case, notice that the server running Active Directory Federation Services is also running a standalone certificate authority.
This was done to reduce the number of servers required; however, it would more than likely not be done this way in a production environment. In the ITFreeTraining domain, notice that an Enterprise CA was used to issue certificates. Both networks have a domain controller. That is the basics of each network. Active Directory Federation Services was installed in previous videos, so this video assumes that it is already installed and running.

I will now change to my server in ITFreeTraining running Active Directory Federation Services and look at how to configure a relying party trust. From my Windows Server 2012 R2 server, first I will open Server Manager. To configure Active Directory Federation Services, I will select the Tools menu and then select the menu option AD FS Management.

From AD FS Management, select the container “Relying Party Trusts”. To create a new relying party trust, right click the container and select the option “Add Relying Party Trust” to start the wizard. Once I am past the welcome screen, the next screen asks for some information about the relying party trust. The easiest way to obtain this information is to access the other Active Directory Federation Server directly.

If I cancel out of here, I will next open the Endpoints container. Endpoints are what provide access to the functionality of Active Directory Federation Services. If I scroll down, the section that I am interested in is Metadata. The metadata that I am particularly interested in is this XML file, the federation metadata. This file contains the configuration information about this server: its identifier, its endpoints and its signing and encryption certificates. Another federation server can read this information and use it, in this case to configure a relying party trust.

I will now go back and run the relying party trust wizard again, skip the welcome screen and return to the data source screen. For the federation metadata address, I will put in the computer name of the federation server in the High Cost Training domain. In order for this to be resolvable, I have configured DNS forwarding between ITFreeTraining and HighCostTraining.

In some cases you may not have a direct connection between the two servers. If that is the case, you can use the second option, “Import data about the relying party from a file”. If you use this option, you will need to export the metadata from your server and exchange it with the other company, for example by sending them a USB key in the mail. They will also need to send you their metadata. Whichever way the metadata arrives, confirm the thumbprint of the token-signing certificate it contains with the other party out of band, because the trust will accept tokens signed by that certificate. As a last resort, you have the option “Enter data about the relying party manually”. This option means that you will need to enter in all the data for the trust relationship, which is a time-consuming process, so I would recommend using the metadata if you can. Since I have a direct resolvable connection
between the two servers, I will press next and let Windows attempt to contact the other server, which will result in an error message. Notice at the end of the error message: “Could not establish a trust relationship for the SSL/TLS secure channel”.

The problem is that a secure connection could not be made between the two servers. The HTTPS certificate presented by the High Cost Training federation server was issued by that network’s standalone CA, which this server does not trust, and the reverse is also true, so each server needs the other network’s root CA certificate in its Trusted Root Certification Authorities store. To correct this problem, I will right click
the start menu and enter in MMC to open Microsoft Management Console. Once open, I will select
the file menu and then select the option “Add/Remove Snap-in”. Once Add or Remove Snap-ins has
appeared, it is just a matter of adding the Certificates snap-in from the list. When I attempt to add the snap-in, Windows will prompt me for the scope of certificates that I want to manage. In this case, I will select the option “Computer Account”, as the certificates that I want to manage are the local certificates for the computer. Once I press next, I will be asked if I want to manage the certificates on this computer or another computer. In this case, I will leave it on the default option of the local computer and press Finish and then OK to
go back to the console. If I expand down to ‘certificates’ under Personal,
notice that the Active Directory Federation Services certificate is listed here. If I
double click the certificate and open it, I can view the details of the certificate. The last tab, “Certification Path”, shows the certificate chain this certificate is part of. The certificate at the bottom is the certificate for this Active Directory Federation Services server. At the top, you can see the certificate for the Enterprise CA. This is the root CA certificate for the enterprise CA on this network.

In order for the other federation server to trust this federation server, I will need to export this root CA certificate (not the AD FS server certificate itself). To do this, I will press the button at the bottom (“View Certificate”) to view this certificate. Once the certificate is open, I next need to press the Details tab and then press the button at the bottom (“Copy to File”) to start the Certificate Export Wizard. Once I am past the welcome screen, on the
next screen, I need to decide which format to export the certificate in. In this case,
I do not need to export the private key, so the first option DER will work fine, so I
will press next and move on. On the next screen, I need to press browse
and, in this case, I will save the certificate to a USB Flash Drive as ‘ITFreeTraining Root
Certificate’. Once the filename has been entered, all I need to do is complete the wizard and
the certificate will be exported to the USB Flash Drive. Now that the certificate has been exported,
I will remove the USB Flash Drive and change to the Active Directory Federation Server
running in the High Cost Training domain. The certificate that I exported from ITFreeTraining
needs to be added to the local certificate store on this server. To do this, I will open
Windows Explorer and browse to the USB thumb drive, and then double click on the ITFreeTraining
Root Certificate. Once the certificate is open, I next need to press the button “Install
Certificate” to start the import wizard. Once the import wizard has opened, on the welcome screen I need to decide which store location I want to import the certificate into, Current User or Local Machine. In this case, the certificate will be used by the server, so I need to select the option at the bottom, “Local Machine”, and move on. On the next screen I need to decide where to store the certificate. In this case, I will leave it on the default option of “Automatically select the certificate store based on the type of certificate” just to prove a point.
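The same root-certificate exchange done from PowerShell instead of the MMC wizards, as an added example that is not part of the ITFreeTraining video. It names the destination store explicitly and finishes with the TLS check a practitioner would run before retrying the wizard’s data source step, since the chain errors it reports are what produce the “Could not establish a trust relationship for the SSL/TLS secure channel” message seen earlier. The host names adfs.itfreetraining.local and adfs.highcosttraining.local, the drive letter E: and the file names are assumptions; the cmdlets are the ones shipped with Windows Server 2012 R2.

```powershell
# Added example, not code from the ITFreeTraining video. Assumed names: the AD FS
# service certificate subject contains adfs.itfreetraining.local, the remote
# federation server is adfs.highcosttraining.local, and E:\ is the USB drive.
# Run in an elevated PowerShell on Windows Server 2012 R2.

# --- Step 1, on the ITFreeTraining server: export the root of the AD FS chain ---
$adfsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*adfs.itfreetraining.local*' } |
    Select-Object -First 1

# Build the chain the "Certification Path" tab displays; its last element is the root.
$localChain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $localChain.Build($adfsCert)
$rootCert = $localChain.ChainElements[$localChain.ChainElements.Count - 1].Certificate

# Export-Certificate writes the public certificate only (DER, like the wizard's
# first option). Export-PfxCertificate is the cmdlet that would include the
# private key, which is exactly what must never be handed to another organisation.
Export-Certificate -Cert $rootCert -Type CERT `
    -FilePath 'E:\ITFreeTraining Root Certificate.cer'

# --- Step 2, on the HighCostTraining server: import into the named store ---
# Naming Cert:\LocalMachine\Root avoids the wizard's automatic selection, which can
# place a root certificate under Intermediate Certification Authorities.
$imported = Import-Certificate -FilePath 'E:\ITFreeTraining Root Certificate.cer' `
    -CertStoreLocation Cert:\LocalMachine\Root

if (-not (Test-Path "Cert:\LocalMachine\Root\$($imported.Thumbprint)")) {
    throw 'Root certificate is not in Trusted Root Certification Authorities'
}

# --- Step 3, from the server that runs the wizard: check the TLS chain it will see ---
function Test-FederationServerTls {
    param([string]$FederationHost)

    $script:chainErrors = @()
    # Accept any certificate so the handshake completes and the chain can be read;
    # the wizard itself rejects the connection when these errors are present.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $remoteCert, $remoteChain, $sslErrors)
        $script:chainErrors = @($remoteChain.ChainStatus | ForEach-Object { $_.Status })
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($FederationHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($FederationHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $FederationHost
            Subject     = $remote.Subject
            Issuer      = $remote.Issuer
            ChainErrors = $script:chainErrors
            Trusted     = ($script:chainErrors.Count -eq 0)
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Before the other network's root is imported, ChainErrors contains UntrustedRoot
# and Trusted is False; that is the condition behind the wizard's
# "Could not establish a trust relationship for the SSL/TLS secure channel".
Test-FederationServerTls -FederationHost 'adfs.highcosttraining.local'

# Once Trusted is True, the metadata the wizard reads is fetchable from the
# standard endpoint listed under Endpoints > Metadata in AD FS Management.
Invoke-WebRequest -UseBasicParsing `
    -Uri 'https://adfs.highcosttraining.local/FederationMetadata/2007-06/FederationMetadata.xml' |
    Select-Object -ExpandProperty StatusCode
```

Run step 1 on the ITFreeTraining server, step 2 on the High Cost Training server, then the mirror image with the High Cost Training root, and step 3 on whichever server runs the wizard. The validation callback deliberately returns true so the chain status can be inspected; it is a diagnostic and must not be copied into anything that makes trust decisions.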
In most cases, Windows will decide the correct location but in this case Windows will choose
the wrong location to store this certificate. Once I press next I can press finish to complete
the wizard and the certificate will be imported and stored in the local certificate store. To have a look at where Windows put the certificate,
I will right click on the start menu, select run and run MMC. From MMC, I will add the
certificates snap-in. Once the certificates snap-in has been added, it will ask me which
certificates I want to manage. In this case I need to make sure that computer account
is selected, and then complete the wizard and go back to MMC. If I now expand down to Certificates under
“Intermediate Certification Authorities”, notice that the certificate has been imported
into this location. If I open the certificate, notice that under certificate information,
there is a statement saying the root certificate is not trusted and it needs to be moved to
the root certificate store. In order to do this, I will right click the
certificate and select the cut option. I then need to navigate to “Trusted Root Certification
Authorities” and paste the certificate in there. Notice now that the certificate has been added, and if I open the certificate there are no longer any messages saying that it is not trusted or in the wrong certificate store.

The certificate from High Cost Training will also need to be exported for use on the ITFreeTraining network, so while I am in the Certificates snap-in I will navigate to Certificates under Personal. There are two certificates listed in here. The first certificate is the certificate from the federation install and the second certificate is the root certificate for High Cost Training, so I will double click the second certificate to open it. Once open, I will select the Details tab and press the button “Copy to File” to launch the Certificate Export Wizard.

Once I am past the welcome screen, on the next screen I will be asked if I want to export the private key. Since the standalone CA is also installed on this server, the private key is available to be exported. Whenever you export certificates to third parties, make sure that you do not export the private key: anyone holding the root CA’s private key could issue certificates that every server trusting this root would accept, including certificates for the federation service itself. Just like when I exported the certificate
in ITFreeTraining, I will choose the default option of DER and save the certificate file
to the USB Flash Drive. Now that the certificate has been exported
to the USB Flash Drive, I can remove the flash drive and change back to the ITFreeTraining
Federation Server. Just like on the High Cost Training server,
I need to open the USB Thumb Drive and double click on the High Cost Training Certificate
in order to import it to the local certificate data store. Once the certificate is opened, I will press
the button “Install Certificate” to launch the import certificate wizard. From the import
wizard I will select “local machine” and move on. On the next screen, rather than allowing Windows
to decide where to put the certificate, I will instead press the “Browse” button and
select the certificate store “Trusted Root Certification Authorities” to ensure that
the certificate is stored in the right location. Once this is done, I can complete the wizard. Now that the certificate has been imported,
if I go to certificates under “Trusted Root Certification Authorities”, you can see the
certificate that I just imported. If the certificate does not appear, press F5 to refresh the view. Now that the certificate has been imported,
I can close down MMC, go back to Server manager, and run AD FS Management under the tools menu. Once AD FS Management has opened, I will expand
down to “Relying Party Trusts”, right click it, and select “Add Relying Party Trust”,
to launch the wizard. Once I am past the welcome screen, I will enter in the name of the HighCostTraining
Federation Server. Once this is done and I press next, notice that, this time, the wizard
is able to contact the other server and move on to the next screen without issue. On this screen I will change the default display
name to something a bit more descriptive. You also have the option to add notes in here,
if you wish. Once entered, I will move on to the next screen. This screen asks if you want to configure multi-factor authentication, for example if you wanted to require extra authentication such as smart cards. In this case, I will not configure any additional authentication methods, so I will accept the default option and move on to the next screen of the wizard. The next screen determines the default permissions
for the trust. By default, all users will be granted access. In some cases this may
be what you want, in this case I will select the second option “Deny all users access to
this relying party”. When this is selected only users that I configure will be allowed
to use this trust. The next screen will show you all the information
about the trust that is about to be created. As you can see as I go through the tabs, there
is a lot of information that is configured in the trust. Once I press next, the trust
will be created. The last screen of the wizard has a tickbox
that will open the rules dialog of the trust and allow you to edit those rules. In this
case, I will clear this tick box and edit the rules a different way. Once I press close, I will be taken back to
AD FS Management. If I right click on the trust that I just created, I can select the
option “Edit Claim Rules”. The rules have three tabs. The first tab is “Issuance Transform Rules”. This tab allows claims to be transformed before they are sent to the other party. For example, you could create a custom rule that modifies the data retrieved from Active Directory and sends it to the other party in a different format. The tab “Delegation Authorization Rules” allows rules to be created that determine if a requester is allowed to impersonate another user. In this case, I will create a new rule on the tab “Issuance Authorization Rules”. To do this, I need to press the button “Add Rule” to start the rule creation wizard.

To create the rule, I first need to select a template. Notice that in the list there are a lot of different templates to choose from. The rules created in here determine who can use the trust. If there is no matching rule in here, then the user will be denied access. In this case, I will select the option “Send Group Membership as a Claim”. This template issues a claim based on group membership. Once selected and I move on to the next screen,
I need to configure some information about the rules. First I will enter in a meaningful
name for the claim. Once entered, I will next configure a group for the claim by pressing
the browse button. In this case I will use the Domain Users group. If you want to restrict
the access to particular users you will need to create your own group and put the users
that you want to have access to the trust in that group. In this case there are two domains in the
forest, so two domain users groups have been found. In this case, I will select the domain
users group in the domain ITFreeTraining. The next option that I will configure is under
“Outgoing Claim Type”, you will notice that there are a lot of options here. The option
you choose here will determine what the other side will see. In this particular case, I
will select group; however, a different option could be chosen if you wanted to change what
the other party was seeing. At the bottom, notice that you can enter in
a value for the claim. In this case, I will enter in “Web Application”. Essentially this takes the group name “Domain Users” and changes it to the group name “Web Application”, so as far as the other party is aware, the group name is “Web Application”. One caveat: claims issued by a rule on the “Issuance Authorization Rules” tab are only examined for the access decision, and access is granted only when a rule here issues a permit claim (type http://schemas.microsoft.com/authorization/claims/permit). A Group claim issued on this tab is not what the relying party receives. To send the renamed group, the same template is used on the “Issuance Transform Rules” tab, and to grant access based on the group, the template “Permit or Deny Users Based on an Incoming Claim”, with the group SID as the incoming claim, is the one to pick here. Once I press finish the rule will be created.
If I exit out of “edit claim rules” notice that the new “Relying Party Trust” has been
configured. Since the rule has been created, it is ready to go. However, before this will
work, the claims provider trust must be created on the other side, but I will leave that to an upcoming video.

I hope that you have enjoyed this video from ITFreeTraining and found it informative. I hope to see you in future videos from this course and others. Till then, goodbye and thanks for watching.
