Microsoft Active Directory Federation Service


www.thalesesecurity.com
Thales eSecurity
Microsoft Active Directory Federation Service Integration Guide

Version: 0.2
Date: Tuesday, September 11, 2018

Copyright 2018 Thales UK Limited. All rights reserved. Copyright in this document is the property of Thales UK Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales UK Limited, neither shall it be used otherwise than for the purpose for which it is supplied. Words and logos marked with or are trademarks of Thales UK Limited or its affiliates in the EU and other countries. Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Information in this document is subject to change without notice. Thales UK Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales UK Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material. Where translations have been made in this document English is the canonical language.

Page 2 of 37 Microsoft Active Directory Federation Service - Integration Guide

Contents

1 Introduction
1.1 Configuring AD FS using nShield Hardware Security Modules (HSMs)
1.2 Requirements
1.3 Pre-requisites
1.4 Domain Controller: Create the Group Managed Service Account
1.5 Security Worlds and key protection
1.6 Application Key Tokens
1.7 AD FS Server: Install Security World Software
1.8 Install and register the CNG provider
1.9 Certificate Authority: Create a TLS certificate template for use by AD FS
1.10 AD FS Server: Request a SSL/TLS certificate for use on the AD FS server
1.11 Install the AD FS server role
1.12 Configure the AD FS server
1.13 Check and enable the AD FS install and sign-on page
2 Add Thales HSM certs to AD FS
2.1 Add HSM protected token signing and encryption certificates to the AD FS server
3 Uninstalling AD FS HSM protected service
Internet addresses

1 Introduction

Active Directory Federation Services (AD FS) is an installable component of the Microsoft Windows operating system. Once configured, it provides single sign-on for credential sharing and access control between trusted business partners (known as a federation) and across multiple business boundaries, via a claims-based authorization process using standards-based protocols such as HTTPS. The user's organization is responsible for authenticating its users and providing the identity information required by a trusted partner within an extranet, so that those users can transparently connect to a web application hosted by one of the trusted members within a given federation. Active Directory Federation Services effectively provides and secures a mutually trusted zone encompassing multiple security domains.

Integrating AD FS with Thales Hardware Security Modules provides increased robustness and control between these boundaries by securely managing the high value Transport Layer Security (TLS) and token keys required by AD FS within a fully FIPS approved (FIPS level 3) hardware environment.

1.1 Configuring AD FS using nShield Hardware Security Modules (HSMs)

This document covers the integration using module protection for the AD FS token keys. Module protection uses an AES 256 bit symmetric key with 128 bit security, secured by the Security World module key, which is stored in the HSM hardware at FIPS level 3. The module key derived from the cipher suite DLf3072s256mRijndael conforms to NIST SP A. For further information on Security World module keys, refer to the supplied documentation.

1.2 Requirements

This integration guide provides a step by step account of configuring Microsoft AD FS for use with Thales Hardware Security Modules.
The integration was performed and tested in the lab using the following configuration:
- Microsoft Windows 2016 Domain Controller hosting the AD Certification Authority (CA)
- Microsoft Windows 2016 for the AD FS server
- Thales nShield HSM with Security World software using the CNG Key Storage Provider
- Thales nShield Hardware Security Module (nShield Connect / nShield XC)

1.3 Pre-requisites

- Windows Server 2016 minimum will be used for the Domain Controller, the AD CA and the AD FS servers.
- A working Issuing CA.
- A Group Managed Service Account for the AD FS service.
- A server is built and added to the domain that can be used as the first AD FS server, or the AD FS server role has already been installed and configured.
- The AD FS server has the Security World software installed on it with the CNG wizard available.
- A Security World has already been created, and AD FS keys will be module protected. (For details on installing and registering the Thales CNG KSP via the installed CNG wizard, see Install and register the CNG provider, section 1.8.)

For details on installing and configuring the Active Directory Certificate Authority using Thales HSMs, refer to the Microsoft AD CS and OCSP Integration Guide for Microsoft Windows Server 2016, available at

You must create a DNS record for the AD FS service, as the AD FS service will have a different name from the AD FS host server. If you are deploying AD FS across the internet using Web Application Proxy, you will need a certificate issued by a third party whose root certificate is installed on all computers and devices that will access the service.

1.4 Domain Controller: Create the Group Managed Service Account

1. Create a Key Distribution Services (KDS) Root Key. Typically this will take the form of:

    PS C:\> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

Once this has been created it will take several hours to propagate to all Domain Controllers on the network. Backdating EffectiveTime, as above, makes the key usable immediately and is intended for a lab; in production, omit it and allow the propagation time before creating the gMSA.

2. Next create the gMSA:

    New-ADServiceAccount <Name of AD FS gMSA> -DNSHostName <FQDN of AD FS service> -ServicePrincipalNames http/<name of AD FS service>

Example:

    PS C:\> New-ADServiceAccount FedServgMSA -DNSHostName adfs1.example.com -ServicePrincipalNames http/adfs1.example.com

3. Then set the Service Principal Name (SPN):

    setspn -s host/<name of the AD FS service> <name of gMSA the AD FS service is running under>

Example:

    PS C:\> setspn -s host/adfs1.example.com example.com\fedservgmsa$

4. Create a DNS forward lookup on your Domain Controller to point the AD FS service name to the AD FS host server IP address:
a. Using Server Manager, click on Tools > DNS.
b. Select the Domain Controller and then click to expand Forward Lookup Zones.
c. Click to select <your domain>.

d. Right click either <your domain> in the left hand pane, or in the right hand pane, to bring up a list of options and select New Host (A or AAAA) (Figure 1. Create New Host (A or AAAA)).
e. In the New Host dialogue box enter:
Name: <AD FS service name> (the FQDN will auto-complete)
IP address: <IP address of the AD FS host server>
f. Click the Add Host button at the bottom of the dialogue box.

Figure 1. Create New Host (A or AAAA)

1.5 Security Worlds and key protection

This section covers the available Security World options when configuring AD FS. AD FS uses the nCipher CNG Key Storage Provider; there are certain restrictions on the use of this provider concerning the methods of protection and the operations that are available. Table 1 shows the restrictions on the HSM key protection methods available when using the Thales nCipher CNG KSP.

Table 1. Supported key protection methods for AD FS and Thales CNG provider

    Security World Type   Protection type          Supported   Works in Pool mode
    FIPS level 2          Module                   Yes         Yes
                          Softcard                 No          No
                          Operator Card Set 1/n    No          No
                          Operator Card Set k/n    No          No
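The Domain Controller steps of section 1.4 (KDS root key, gMSA, host SPN and DNS record) as one PowerShell session. This is an added example, not part of the Thales guide; the gMSA and service names are the guide's own example values, while the AD FS host name, its IP address and the zone name are assumptions.

```powershell
# Added example (not from the Thales guide): section 1.4 scripted end to end.
Import-Module ActiveDirectory
Import-Module DnsServer

$gmsaName    = 'FedServgMSA'            # gMSA the AD FS service will run under (guide's example)
$serviceFqdn = 'adfs1.example.com'      # name clients use for the federation service (guide's example)
$hostName    = 'adfssrv01'              # assumed: the server that hosts AD FS
$hostIp      = '10.0.0.25'              # assumed: that server's address
$zone        = 'example.com'            # assumed: the forward lookup zone

# Step 1: KDS root key. Backdating EffectiveTime lets the key be used at once
# in a lab; in production omit it and wait for replication to all DCs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Step 2: create the gMSA. PrincipalsAllowedToRetrieveManagedPassword limits
# which computers may fetch the account's password: only the AD FS host.
$adfsHost = Get-ADComputer -Filter "Name -eq '$hostName'"
if (-not $adfsHost) { throw "Computer account $hostName not found in AD" }
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $serviceFqdn `
    -ServicePrincipalNames "http/$serviceFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $adfsHost

# Step 3: register the host SPN on the gMSA (equivalent to 'setspn -s host/...').
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{Add = "host/$serviceFqdn"}

# Step 4: forward lookup record so the service name resolves to the host server.
$recordName = $serviceFqdn.Substring(0, $serviceFqdn.Length - $zone.Length - 1)   # 'adfs1'
Add-DnsServerResourceRecordA -ZoneName $zone -Name $recordName -IPv4Address $hostIp

# Check: the gMSA exists with both SPNs, and the service name resolves.
Get-ADServiceAccount -Identity $gmsaName -Properties ServicePrincipalNames |
    Select-Object Name, DNSHostName, ServicePrincipalNames
Resolve-DnsName -Name $serviceFqdn -Type A
```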

1.6 Application Key Tokens

Application Key Tokens are an encrypted form of a Security World generated cryptographic key. These Key Tokens must not be mistaken for, or regarded as, a key in themselves. The key is at all times obfuscated in this encrypted form and is only available for use as a cryptographic key when copied into the FIPS level 3 security boundary of a correctly configured Thales Hardware Security Module. If you intend to use a Web Application Proxy server, consider carefully whether to deploy under strict FIPS level 3 compatibility mode: private keys can only be exported in a wrapped state, and ACS authorization is required to generate application keys.

1.7 AD FS Server: Install Security World Software

Install the latest version of the Security World Software on the designated AD FS server. For details on installing the software, refer to the documentation on the removable media supplied with the HSM.

1. Make sure that %NFAST_HOME%\bin is on the %PATH%. Open a CLI and run echo %PATH%; make sure that C:\Program Files (x86)\ncipher\nfast\bin is reported.
2. If C:\Program Files (x86)\ncipher\nfast\bin is not visible, add it to the environment variables as follows:
a. Select Control Panel > System > Advanced System Properties and, in the lower right hand corner of the System Properties dialogue, click on Environment Variables.
b. In the System Variables window scroll down and select Path.
c. When it is highlighted, click on Edit. In the Edit Environment Variable window, click New and enter the full path to the bin folder.
d. Click OK twice to exit the Environment Variables window.
e. Click OK to exit System Properties.
f. Open a new CLI and run echo %PATH%. The %NFAST_HOME%\bin folder should now be visible:

    >echo %PATH%
    C:\Windows\system32;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\ncipher\nfast\bin;

If you are using PowerShell you will need to run echo $Env:PATH instead.

If you are using the Thales Java cards, you must make sure that the cardlist file, C:\ProgramData\nCipher\Key Management Data\config\cardlist, either contains the relevant card unique numbers in full or has the wildcard * flag set.

1.8 Install and register the CNG provider

It is possible to use the CNG wizard either to load (reuse) an existing Security World instance or to create a new one. If you are creating a new Security World, refer to the installation guide in the document folder on the removable media provided with the HSM for the information required when defining Security World parameters. The HSM must be properly configured before running the CNG installation wizard.

To confirm the HSM is available:

1. Open a CLI as Administrator. You must run cmd with elevated privileges; to do this, right click the cmd icon and select Run as administrator.
2. Run the command:

    >enquiry

Server: and Module #1: should be reported, showing the serial number of the module (in the form eeee-ssss-nnnn) and a hardware status of OK (this can be found at the bottom of the section detailing the module). If you are using an existing Security World you can check that it is available by running the command nfkminfo. The Security World should be reported as initialised and usable (i.e. there should be no ! prefix on those state flags).
3. Once the Security World software is operational you must run the CNG install wizard to install and register the Thales Key Storage Provider (KSP). This can be done via the CNG install wizard, which can be found in the Apps by name screen of the desktop.

4. Click the Start button and look for the recently added nCipher utilities; double click the CNG configuration wizard (Figure 2. Install and register nShield CNG provider). If the User Access Control prompt pops up, click Yes to continue.

Figure 2. Install and register nShield CNG provider

Figure 3. CNG install Welcome screen

5. The Enable HSM Pool Mode screen (Figure 4. Select to enable / disable Pool Mode) prompts you to Enable HSM Pool Mode for CNG Providers. Leave the default value with the check box unticked and click Next.

Figure 4. Select to enable / disable Pool Mode

6. If you already have a Security World that you intend to use for Always Encrypted, the next screen allows you to select Use the existing security world. If you do not currently have a Security World, or would like to create a new one, check the Create a new Security World radio button and click Next (for the purposes of this integration guide we have chosen to use an existing Security World).

7. If you are creating a new Security World, refer to the Thales nShield documentation for details on creating and configuring a new Security World. Make sure that the Set Module States screen shows the available modules as (Figure 5. Set Module States):
Mode = initialisation
State = (pre)-initialisation

Figure 5. Set Module States

If the state is reported as Operational, it can be changed using the nopclearfail utility. For example (where x is the module to be used):

    nopclearfail -I -Mx

8. Click Next.

9. Leave Enable this module as a remote target unchecked (Figure 6. Optional setting to enable module for remote shares); this is not to be confused with the nShield Remote Administration utility.

Figure 6. Optional setting to enable module for remote shares

10. For details on Remote Administration setup and configuration, refer to the nShield documentation on the removable media that came with your Thales HSM.
11. Click Next. If you are using an existing Security World you must have the world file in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator cards (Figure 7. Present ACS card when prompted).

Figure 7. Present ACS card when prompted

12. When the ACS quorum has been presented and the Security World loaded/created, return the HSM to Operational mode.
13. Click Next (Figure 8. Register CNG Providers).

Figure 8. Register CNG Providers

14. The Thales nCipher CNG providers will now be installed and the KSP registered. To confirm that the KSP has been successfully registered, open either a CLI or PowerShell (right click and Run as Administrator) and run the following command:

    >cnglist.exe --list-providers

    PS C:\WINDOWS\system32> cnglist.exe --list-providers
    Microsoft Key Protection Provider
    Microsoft Passport Key Storage Provider
    Microsoft Platform Crypto Provider
    Microsoft Primitive Provider
    Microsoft Smart Card Key Storage Provider
    Microsoft Software Key Storage Provider
    Microsoft SSL Protocol Provider
    Windows Client Key Protection Provider
    ncipher Primitive Provider
    ncipher Security World Key Storage Provider
    PS C:\WINDOWS\system32>

You should see the nCipher Security World Key Storage Provider listed (the last entry in the example output above). You will find the provider in the registry at this location:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageprovider

15. Verify that the Thales CNG KSP is installed correctly by running the command:

    >cnglist.exe --list-providers
    Microsoft Key Protection Provider
    Microsoft Passport Key Storage Provider
    Microsoft Platform Crypto Provider
    ....
    ncipher Primitive Provider
    ncipher Security World Key Storage Provider

1.9 Certificate Authority: Create a TLS certificate template for use by AD FS

Create a TLS certificate template for use by AD FS as follows:

1. On an Issuing CA, open the Certification Authority management console (Figure 9. Open Certificate Authority Console).

Figure 9. Open Certificate Authority Console

2. Expand the Certification Authority node in the left hand pane, right click on Certificate Templates and select Manage (Figure 10. Manage Certificate Templates).

Figure 10. Manage Certificate Templates

3. In the Certificate Templates Console, locate the Web Server certificate template (Figure 11. Select Duplicate Web Server Template), right click it and from the context menu select Duplicate Template.

Figure 11. Select Duplicate Web Server Template

4. Click the General tab (Figure 12. General tab - Name template). In the Template display name field, name the template, for example ADFS TLS1. Change the Validity Period to whatever value is desired.

Figure 12. General tab - Name template

5. Select the Compatibility tab and change the Certification Authority to Windows Server 2016 and the Certificate Recipient to Windows 10/Windows Server 2016 (Figure 13. Compatibility tab - Select OS).

Figure 13. Compatibility tab - Select OS

6. Select the Subject Name tab and make sure that Supply in the request is selected. As the AD FS service name will be different from the AD FS server name, the subject will need to be specified in the request.

7. Select the Request Handling tab and under Purpose select Signature and encryption (Figure 14. Request Handling - Select Key permissions).

Figure 14. Request Handling - Select Key permissions

a. Check the box for Authorize additional service accounts to access the private key.
b. Click the Key Permissions button.
c. In the Permissions for... dialog box, click Add.
d. Click Object Types and then check the boxes for Service Accounts and Computers from the listed objects (Figure 15. Select to add Object Types).
e. Click OK.

Figure 15. Select to add Object Types

8. Select the Advanced tab, click Find Now and select the Group Managed Service Account you created on your Domain Controller.
a. Click OK to add it to the Enter the object names field.
b. Click OK.
c. Check the box to Allow Full Control.
d. Repeat to add the AD FS server computer account; make sure that the AD FS server computer account has Full Control (Figure 16. Add gMSA and AD FS server).
e. Click OK.

Figure 16. Add gMSA and AD FS server

If you are going to use a Web Application Proxy server you will additionally need to check Allow private key to be exported (see Figure 14. Request Handling - Select Key permissions in step 7). If you are using a strict FIPS level 3 Security World, exporting private keys is forbidden unless they are exported using a wrapping key. Allowing a private key to be exported is not considered best practice but is sometimes necessary. Exercise extreme caution when exporting private keys: doing so could compromise the integrity of your environment.

9. Click on the Cryptography tab:
a. Make sure Key Storage Provider is selected from the drop down list for Provider Category.
b. For Algorithm Name, select appropriately from the drop down list. Note that if you do not have the ECC feature activated on your HSM you should choose RSA.
c. Set the Minimum Key Size to not less than
d. Make sure that Requests can use any provider available on the subject's computer is selected and set Request Hash to at least SHA
10. Select the Security tab:
a. Add the following accounts (make sure both Read and Enrol permissions are allowed): Domain Computers; the Group Managed Service Account created earlier; the AD FS server computer account.
b. Click Add. On the pop-up screen select Object Types and tick the boxes for Service Accounts and Computers.
c. Click OK.
d. Click Advanced. On the next screen click Find Now, locate the Managed Service Account previously created and double click it to enter it into Enter the object names to select.
e. Click OK and make sure the Enrol box in the permissions for the account is ticked.
f. Repeat the above steps for the AD FS server and Domain Computers.
11. Make sure that Authenticated Users are set with Read and Enrol permissions. Domain Admins/Enterprise Admins already have these rights and must continue to do so. Note that because this template takes its subject from the request, Enrol for Authenticated Users lets any domain user obtain a server certificate for a name of their choosing; the tighter option is to leave Enrol on the gMSA and the AD FS computer account only (granted in step 10) and give Authenticated Users Read alone.
12. Once all template configuration has been completed, click Apply and OK, then close the Certificate Templates console.
13. Make sure that you are logged into the AD CA as Domain Administrator.
14. Open the Certificate Authority console.
15. On the Server Manager Dashboard go to Tools > Certificate Authority.
16. Under Certification Authority (Local), expand the domain (this is presented as a computer with a green tick next to it). You may need to restart Active Directory Certificate Services to make sure the new template is available.
17. Right click on Certificate Templates (last item in the list in the left hand section).
18. Select New and click on Certificate Template to Issue.
19. Select the certificate template just created, and then click OK. The new template will now appear in the Certificate Templates list.

1.10 AD FS Server: Request a SSL/TLS certificate for use on the AD FS server

The instructions below assume that the certificate for AD FS will be issued from an internal CA. If an external (publicly trusted) CA is required, modify the steps below to create a CSR that can be submitted to a commercial CA. See for more details.

1. On the AD FS server, open certlm.msc using the Run command or an administrator level command prompt.
2. From the left hand panel beneath Certificates - Local Computer, right click on the Personal folder and select All Tasks > Request New Certificate (Figure 17. Request New Certificate).

Figure 17. Request New Certificate

3. The Certificate Enrolment wizard will start; click Next.
4. On the Select Certificate Enrolment Policy screen, click Next. The Request Certificates window should display the recently created certificate template; click on the link More information is required to enrol for this certificate. Click here to configure settings to continue (Figure 18. Select More information is required).

Figure 18. Select More information is required

5. If the new certificate template is not visible, try running gpupdate to refresh Group Policy. Open a CLI (cmd) and type gpupdate /force:

    C:\>gpupdate /force
    Updating Policy...
    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

6. On the Certificate Properties window, set the following:
a. In the Subject name Type box choose Common Name (Figure 19. Set certificate Properties).

Figure 19. Set certificate Properties

b. In the Value box add the FQDN for the AD FS service (e.g. adfs.domain.com).
c. Click Add.
d. In the Alternative name Type box, choose DNS.
e. In the Value box add the FQDN for the AD FS service (e.g. adfs.domain.com).
f. Click Add.
g. If you intend to use Device Registration in the same manner as with Windows Server 2012 R2, you will need to include enterpriseregistration.<your_domain> as a further alternative name: in the Alternative name Type box choose DNS, enter the value and then click Add. This method of device authentication is deprecated in Windows Server
h. If you intend to use User Certificate Authentication on port 443, you need to supply a further alternative name: in the Type box choose DNS and add the value certauth.<full AD FS service name>.
i. Under the General tab, specify a sensible and recognisable name for the certificate.
j. Select the Private Key tab.
k. Click on Cryptographic Service Provider. Make sure that only RSA, nCipher Security World Key Storage Provider is checked. Only if you intend to install the certificate on a Web Application Proxy server must you make sure that Make private key exportable is ticked. This can be found under the Key options drop down in the Private Key tab.

l. Click OK to close the Certificate Properties window.
m. On the Certificate Enrolment, Request Certificates window, check the box for the certificate just requested, and then click Enrol.
n. Once enrolment has successfully completed, click Finish.
7. Open a cmd as Administrator and run nfkminfo.exe -k. This lists the CNG key created via the certificate template; the key will have been generated using the nCipher Key Storage Provider. You can use the key's AppName and Ident to show further details, and the protection line confirms that the key is module protected, as intended in section 1.1. Example:

    Key list - 1 keys
    AppName caping  Ident machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1

    C:\Program Files (x86)\ncipher\nfast\bin>nfkminfo.exe -k caping machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1
    Key AppName caping Ident machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1
     BlobKA length 1052
     name "te-adfstls-3ec97a8c-791a-4139-a0e6-ecbf1e185bd8"
     hash 42b4875c0a2fc7af57fa8a904939c4a361c30ff9
     recovery Enabled
     protection Module

1.11 Install the AD FS server role

1. Open Server Manager, click on Manage > Add Roles and Features.
a. On the Before you begin page, click Next.
b. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
c. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.
d. On the Select server roles page, click Active Directory Federation Services, and then click Next.
e. On the Select features page, click Next.
f. On the Active Directory Federation Service (AD FS) page, click Next.
g. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
h. On the Installation progress page, verify that everything installed correctly, and then click Close.
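The enrolment of section 1.10 done with certreq instead of the certlm.msc wizard, preceded by the KSP registration check of section 1.8 and followed by the checks of step 7. This is an added example, not from the Thales guide; the template's internal name, the CA configuration string and the service name are assumptions, and the SAN list follows steps 6.e to 6.h.

```powershell
# Added example (not from the Thales guide): request the AD FS TLS certificate
# with the key generated in the nCipher KSP, then confirm where the key lives.
$serviceFqdn = 'adfs1.example.com'                     # guide's example service name
$template    = 'ADFSTLS1'                              # assumed internal (not display) template name
$caConfig    = 'dc01.example.com\Example Issuing CA'   # assumed '<CA host>\<CA name>'
$workDir     = "$env:TEMP\adfs-tls"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Section 1.8, step 14: refuse to continue if the nCipher KSP is not registered.
$providers = & cnglist.exe --list-providers
if (-not ($providers -match 'Security World Key Storage Provider')) {
    throw 'nCipher Security World KSP is not registered; run the CNG configuration wizard first'
}

# Exportable stays FALSE unless the certificate must also go on a Web Application
# Proxy (section 1.9); a strict FIPS level 3 world only allows wrapped export anyway.
# enterpriseregistration.* is only needed for the deprecated 2012 R2 style device
# registration, certauth.* only for user certificate authentication on port 443.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$serviceFqdn"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "nCipher Security World Key Storage Provider"
RequestType = PKCS10
HashAlgorithm = SHA256
FriendlyName = "AD FS service TLS (HSM protected)"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$serviceFqdn&"
_continue_ = "dns=certauth.$serviceFqdn&"
_continue_ = "dns=enterpriseregistration.example.com"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# Generate the key in the HSM and build the CSR, submit it to the issuing CA,
# then bind the issued certificate to the key in the machine store.
certreq.exe -new    "$workDir\request.inf" "$workDir\request.csr"
certreq.exe -submit -config $caConfig "$workDir\request.csr" "$workDir\issued.cer"
certreq.exe -accept "$workDir\issued.cer"

# Check 1: the installed certificate's private key is held by the nCipher KSP.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serviceFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
"Thumbprint:   $($cert.Thumbprint)"
"Key provider: $($rsa.Key.Provider.Provider)"   # expect the nCipher Security World KSP

# Check 2 (guide step 7): the Security World lists the same key under the 'caping'
# application; its Ident is 'machine--<hash>' for a machine key set key.
& "$env:NFAST_HOME\bin\nfkminfo.exe" -k caping
```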

1.12 Configure the AD FS server

Click on the link to configure the AD FS server.

1. Select the option Create the first federation server in a federation server farm and click Next.
2. Connect to Active Directory Domain Services. Select the account you want to use to perform the configuration and click Next.
3. On the Specify Service Properties window:
a. Select the appropriate SSL Certificate from the drop down list (if the certificate is not available in this list, select Import and browse to the location of your SSL certificate).
b. For the name of your federation service, enter the same value that you provided when you enrolled the SSL certificate in Active Directory Certificate Services (AD CS).
c. Enter a meaningful display name for your federation service, e.g. Company name AD FS.
4. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the gMSA account (AD FSgMSA1 in this example) that you created on the domain controller.
5. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
6. On the Review Options page, verify your configuration selections, and then click Next.
7. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
8. On the Results page you should see a green tick against This server was successfully configured. You should be informed that a machine restart is required.
9. Click Close to exit the configuration and restart the server.

1.13 Check and enable the AD FS install and sign-on page

The AD FS sign-on page is not enabled by default in Windows. To enable it, and so allow verification of a successful installation, open a PowerShell CLI as Administrator and run the following command:

    PS C:\Users\Administrator.INTEROP> Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

On a test machine, open a web browser and type (where <adfspri> is the FQDN of the AD FS service):

You should see the AD FS sign-in screen; enter your credentials to sign in to AD FS (Figure 20. Verify AD FS is working).

Figure 20. Verify AD FS is working
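Sections 1.11 to 1.13 (role install, first farm server, sign-on page) done with the AD FS cmdlets instead of the wizard, with a check that the farm is built on the HSM-protected certificate. This is an added example, not from the Thales guide; it assumes the certificate from section 1.10 is already in the machine store, uses the gMSA name from section 1.4, and the display name is a placeholder.

```powershell
# Added example (not from the Thales guide): scripted equivalent of the AD FS
# role install, first-server farm configuration and sign-on page check.
$serviceFqdn = 'adfs1.example.com'          # guide's example service name
$gmsaAccount = 'EXAMPLE\FedServgMSA$'       # gMSA from section 1.4; gMSA names end with '$'
$displayName = 'Example Corp AD FS'         # assumed display name
$kspName     = 'nCipher Security World Key Storage Provider'

# 1.11: install the role binaries and management tools.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# Pick the TLS certificate by subject and refuse to continue unless its private
# key is held by the nCipher KSP, so the farm cannot be built on a software key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serviceFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$serviceFqdn in the machine store" }
$provider = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)).Key.Provider.Provider
if ($provider -ne $kspName) {
    throw "TLS certificate $($cert.Thumbprint) is not HSM protected (provider: $provider)"
}

# 1.12: first server of a new farm, Windows Internal Database, gMSA as the
# service identity (the running user must be a domain administrator).
Import-Module ADFS
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $serviceFqdn `
    -FederationServiceDisplayName $displayName `
    -GroupServiceAccountIdentifier $gmsaAccount

# The guide requires a restart here; run the remainder after the reboot.

# 1.13: the IdP-initiated sign-on page is off by default; enable it for the check.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# Check: AD FS serves the HSM-protected certificate for service communications,
# and the standard IdP-initiated sign-on page answers (from a machine that trusts the CA).
Get-AdfsCertificate -CertificateType Service-Communications |
    Select-Object CertificateType, IsPrimary, @{n = 'Thumbprint'; e = { $_.Certificate.Thumbprint }}
(Invoke-WebRequest -Uri "https://$serviceFqdn/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing).StatusCode
```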

2 Add Thales HSM certs to AD FS

The Token-decrypting and Token-signing certificates are self-signed by default. This section adds two new certificates for token signing and encryption, signed by an Enterprise Issuing CA, which improves the security of the solution. When importing the new certificates, make sure that you set the newly imported certificates as the Primary certificate, but DO NOT delete the old self-signed certificates if AD FS has already been used within the organisation, as this will break any existing trusts.

2.1 Add HSM protected token signing and encryption certificates to the AD FS server

The Subject names of these two certificates can be anything desired. They do not need to reflect the FQDN of the AD FS server.

1. On the AD FS server, open a PowerShell command prompt with admin privileges.
2. Run the following command:

    > Set-AdfsProperties -AutoCertificateRollover $false

3. Open certlm.msc using the Run command or an administrator level command prompt.
4. In the Certificates window for the local computer, right click on Personal, point to All Tasks and choose Request New Certificate, then click Next.
5. On the Before you Begin screen, click Next.
6. Click Next on the Select Certificate Enrolment Policy screen.
7. On the Request Certificates screen, find the AD FS SSL (or TLS if applicable) certificate template (the example below is named FedServer SSL).

8. Click on the link which says More information is required to enrol for this certificate. Click here to configure settings (Figure 21. Create new AD FS token signing certificate).

Figure 21. Create new AD FS token signing certificate

9. On the Certificate Properties window set the following:
a. Select the Subject tab. In Subject name, select Type: Common Name from the drop down list. Enter a meaningful name in the Value field, for example HSM sign cert, then click Add.
b. Select the General tab; enter a friendly name for the certificate.
c. Select the Private Key tab. Expand Cryptographic Service Provider. Make sure that only RSA, nCipher Security World Key Storage Provider is checked.
d. Optional: if using a Web Application Proxy server, make sure that you tick the box Make private key exportable.
e. Click OK to close the Certificate Properties window.
10. On the Request Certificates window, check the box for the AD FS TLS certificate, then click Enrol.
11. On the Create new key prompt, click Next. If you have multiple OCS, select the required one for protecting the signing certificate and click Next.
12. Enter the passphrase when prompted, and click Next. When Card reading complete is displayed, click Finish to close the Create Key wizard.

13. Certificate Installation Results should show STATUS: Succeeded (Figure 22. Token certificate enrolment success).
Figure 22. Token certificate enrolment success
14. Open the AD FS Management console from Server Manager; it is listed under the Tools menu (Figure 23. Open AD FS management Console).
Figure 23. Open AD FS management Console
15. Under the AD FS folder, expand the Service node, then click the Certificates folder.

16. In the right-hand Actions pane, click Add Token-Signing Certificate (Figure 24. Add HSM protected Token-Signing Certificate).
Figure 24. Add HSM protected Token-Signing Certificate
17. In the Select a token-signing certificate dialog box, click More choices and select the newly created signing certificate (Figure 25. Select Certificate).
Figure 25. Select Certificate
18. A warning pops up advising you to make sure the private key is accessible on each server. In a farm, every AD FS server must have the Security World software installed, load the same Security World, and hold a copy of the Application key token; copy the key token to each server before continuing.
19. The new certificate is now visible in the centre pane. Right-click the new HSM-protected certificate and, in the right-hand pane, click Set as Primary. Do not delete the original certificate; it should now be marked Secondary.
20. Click Yes on the information dialog warning that this will break the trust relationship with relying parties. Every relying party must be updated to trust the newly created certificate, either by refreshing the federation metadata or by importing the new certificate manually.

21. Repeat the process above for the Token-decrypting certificate: enrol a second HSM-protected certificate as in steps 3 to 13 (with a subject such as HSM decrypt cert), then in the Certificates folder click Add Token-Decrypting Certificate and select the decryption certificate just created (Figure 26. Add Token-Decrypting Certificate).
Figure 26. Add Token-Decrypting Certificate

22. Click More choices and select the decrypting certificate just created (Figure 27. Select Token-Decrypting Certificate).
Figure 27. Select Token-Decrypting Certificate
The two new HSM-protected certificates should now be visible in the AD FS Management console (Figure 28. Set HSM certificates as Primary).
Figure 28. Set HSM certificates as Primary
23. Right-click each new certificate and select Set as Primary. Do not delete the existing token certificates; leave them as Secondary.
24. Close the AD FS Management console.
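The same procedure scripted in PowerShell on the AD FS server, as an added example that is not part of the Thales guide. certreq.exe with an INF file that names the nCipher KSP stands in for the certlm.msc wizard (steps 3 to 13); Add-AdfsCertificate and Set-AdfsCertificate stand in for the console steps 16 to 23. The CA config string, the template name FedServerSSL and the two subject names are placeholders, not values from the guide. The last function performs the check the step 18 warning asks for: it confirms that the Primary certificate's private key can be opened on this server and reports which key storage provider holds it, so a certificate that was accidentally enrolled against the Microsoft software KSP shows up immediately.

```powershell
# Added example, not part of the Thales guide: the section 2 procedure scripted on the
# AD FS server in an elevated PowerShell session. certreq with an INF that names the
# nCipher KSP stands in for the certlm.msc wizard. Assumptions (placeholders, not from
# the guide): the CA config string, the template name and the two subject names.
#Requires -RunAsAdministrator

$KspName  = 'nCipher Security World Key Storage Provider'   # shown in certlm as "RSA,nCipher Security World Key Storage Provider"
$CaConfig = 'issuingca.corp.example.com\Corp Issuing CA'    # assumption: "<CA host>\<CA common name>"
$Template = 'FedServerSSL'                                   # template name (not display name); the guide's example is FedServer SSL

function New-HsmCertificate {
    # Enrol a machine certificate whose private key is generated inside the HSM.
    param([string]$Subject, [string]$FriendlyName)
    $inf = @"
[NewRequest]
Subject = "CN=$Subject"
FriendlyName = "$FriendlyName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "$KspName"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
    $base = Join-Path $env:TEMP ($Subject -replace '\s', '_')
    Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
    # -new prompts for the Operator Card Set and passphrase, as the wizard does in steps 11-12.
    certreq.exe -new "$base.inf" "$base.req" | Out-Null
    certreq.exe -submit -config $CaConfig "$base.req" "$base.cer" | Out-Null
    certreq.exe -accept -machine "$base.cer" | Out-Null
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Subject -eq "CN=$Subject" |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

function Install-HsmTokenCertificate {
    # Register the certificate with AD FS and promote it, keeping the old one as Secondary.
    param(
        [ValidateSet('Token-Signing', 'Token-Decrypting')][string]$CertificateType,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Step 2 of the guide: AD FS manages these certificates itself while rollover is on.
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Set-AdfsProperties -AutoCertificateRollover $false
    }
    Add-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Certificate.Thumbprint
    # The previous Primary becomes Secondary and is deliberately not removed: relying
    # parties still trust it and tokens already issued under it must keep validating.
    Set-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Certificate.Thumbprint -IsPrimary
}

function Test-HsmTokenCertificate {
    # Confirm the Primary certificate's private key is reachable and lives in the nCipher KSP,
    # which is the check the step 18 warning asks for on every server in the farm.
    param([ValidateSet('Token-Signing', 'Token-Decrypting')][string]$CertificateType)
    $cert = (Get-AdfsCertificate -CertificateType $CertificateType | Where-Object IsPrimary).Certificate
    $provider = 'none'
    try {
        # May prompt for the OCS; fails if this server cannot load the key (wrong Security
        # World or missing Application key token).
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) { $provider = $key.Key.Provider.Provider }
        elseif ($key) { $provider = 'legacy CSP' }
    } catch { $provider = "unavailable: $($_.Exception.Message)" }
    [pscustomobject]@{
        CertificateType = $CertificateType
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        KeyProvider     = $provider
        ProtectedByHsm  = ($provider -eq $KspName)
    }
}

$signing = New-HsmCertificate -Subject 'HSM sign cert'    -FriendlyName 'AD FS token signing (HSM)'
$decrypt = New-HsmCertificate -Subject 'HSM decrypt cert' -FriendlyName 'AD FS token decrypting (HSM)'
Install-HsmTokenCertificate -CertificateType Token-Signing    -Certificate $signing
Install-HsmTokenCertificate -CertificateType Token-Decrypting -Certificate $decrypt
Test-HsmTokenCertificate -CertificateType Token-Signing
Test-HsmTokenCertificate -CertificateType Token-Decrypting
```

Run Test-HsmTokenCertificate on every node of a farm, not only the one that enrolled the certificate: ProtectedByHsm is only true where the Security World and the Application key token are present, which is exactly the condition the step 18 warning is about.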

3 Uninstalling AD FS HSM protected service

To remove HSM protection from an AD FS service and return it to its software-held certificates:
1. Open the AD FS Management console from Server Manager; it is listed under the Tools menu.
2. Under the AD FS folder, expand the Service node, then click the Certificates folder.
3. Right-click the original (non-HSM) Token-signing certificate, which was left as Secondary in section 2, and select Set as Primary. Do the same with the original Token-decrypting certificate (Figure 29. Remove HSM protection on Token certificates). Do this before the Security World software is removed: once it is gone AD FS can no longer use an HSM-backed key, so an HSM-protected certificate must not be left as Primary.
Figure 29. Remove HSM protection on Token certificates
4. Erase any OCS cards using the createocs.exe utility (the -e option erases the card in the reader):
C:\Program Files (x86)\ncipher\nfast\bin>createocs.exe -e
5. Uninstall the Security World Software from Control Panel (Figure 30. Uninstall Security World Software).

Figure 30. Uninstall Security World Software
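Step 3 above from PowerShell, as an added example that is not part of the Thales guide. It relies on the arrangement section 2 leaves behind (the HSM-protected certificate is Primary, the original software certificate is Secondary) and refuses to continue if there is no Secondary certificate to fall back to or if its private key is not present on this server, which are the two conditions under which following the uninstall steps would leave AD FS unable to sign or decrypt tokens. The -RemoveHsmCertificates switch goes beyond the guide, which only re-promotes the original certificates; it drops the now-unusable HSM entries from AD FS so that no certificate whose key is about to disappear remains registered.

```powershell
# Added example, not part of the Thales guide: return AD FS to its software-held token
# certificates before the Security World software is uninstalled. Assumes the state
# section 2 produces: HSM certificate Primary, original software certificate Secondary.
#Requires -RunAsAdministrator

function Restore-SoftwareTokenCertificate {
    param(
        [ValidateSet('Token-Signing', 'Token-Decrypting')][string]$CertificateType,
        [switch]$RemoveHsmCertificates   # beyond the guide's step 3: drop the HSM entries from AD FS
    )
    $all        = Get-AdfsCertificate -CertificateType $CertificateType
    $hsmPrimary = $all | Where-Object IsPrimary
    $originals  = $all | Where-Object { -not $_.IsPrimary }
    if (-not $originals) {
        throw "$CertificateType has no Secondary certificate to fall back to. Do not uninstall the Security World software yet."
    }
    # Prefer the Secondary certificate that expires last if more than one is present.
    $fallback = $originals | Sort-Object { $_.Certificate.NotAfter } -Descending | Select-Object -First 1
    if ($fallback.Certificate.NotAfter -lt (Get-Date)) {
        throw "Fallback $CertificateType certificate $($fallback.Thumbprint) expired on $($fallback.Certificate.NotAfter)."
    }
    if (-not $fallback.Certificate.HasPrivateKey) {
        throw "Fallback $CertificateType certificate $($fallback.Thumbprint) has no private key on this server."
    }
    # Guide step 3: promote the original certificate back to Primary. The HSM certificate
    # becomes Secondary, so relying parties that still hold it keep validating old tokens.
    Set-AdfsCertificate -CertificateType $CertificateType -Thumbprint $fallback.Thumbprint -IsPrimary
    if ($RemoveHsmCertificates) {
        # Safe only now: AD FS will not remove a Primary certificate.
        Remove-AdfsCertificate -CertificateType $CertificateType -Thumbprint $hsmPrimary.Thumbprint
    }
    Get-AdfsCertificate -CertificateType $CertificateType |
        Select-Object CertificateType, IsPrimary, Thumbprint,
                      @{ n = 'Expires'; e = { $_.Certificate.NotAfter } }
}

Restore-SoftwareTokenCertificate -CertificateType Token-Signing    -RemoveHsmCertificates
Restore-SoftwareTokenCertificate -CertificateType Token-Decrypting -RemoveHsmCertificates
```

Relying parties that picked up the HSM certificate in section 2 now need the original certificate again, so the same metadata refresh or manual import applies in reverse. If the originals are the self-signed certificates AD FS generated at install time, automatic rollover (turned off in section 2, step 2) can be re-enabled with Set-AdfsProperties -AutoCertificateRollover $true so that AD FS resumes renewing them; the guide itself does not include that step.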

Internet addresses

Web site:
Support:
Online documentation:
International sales offices: Addresses and contact information for the main Thales e-security sales offices are provided at the bottom of the following page.

About Thales esecurity

Thales esecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government is both secure and trusted in any environment - on premise, in the cloud, in data centers or big data environments - without sacrificing business agility. Security doesn't just reduce risk, it's an enabler of the digital initiatives that now permeate our daily lives - digital money, e-identities, healthcare, connected cars and, with the Internet of Things (IoT), even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance - through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization's digital transformation. Thales esecurity is part of Thales Group.


More information

Qualys SAML & Microsoft Active Directory Federation Services Integration

Qualys SAML & Microsoft Active Directory Federation Services Integration Qualys SAML & Microsoft Active Directory Federation Services Integration Microsoft Active Directory Federation Services (ADFS) is currently supported for authentication. The Qualys ADFS integration must

More information

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011 S/MIME on Good for Enterprise MS Online Certificate Status Protocol Installation and Configuration Notes Updated: November 10, 2011 Installing the Online Responder service... 1 Preparing the environment...

More information

XenApp 5 Security Standards and Deployment Scenarios

XenApp 5 Security Standards and Deployment Scenarios XenApp 5 Security Standards and Deployment Scenarios 2015-03-04 20:22:07 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents XenApp 5 Security Standards

More information

Symantec pcanywhere 12.5 SP4 Release Notes

Symantec pcanywhere 12.5 SP4 Release Notes Symantec pcanywhere 12.5 SP4 Release Notes Symantec pcanywhere 12.5 SP4 Release Notes The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

HYCU SCOM Management Pack for F5 BIG-IP

HYCU SCOM Management Pack for F5 BIG-IP USER GUIDE HYCU SCOM Management Pack for F5 BIG-IP Product version: 5.5 Product release date: August 2018 Document edition: First Legal notices Copyright notice 2015-2018 HYCU. All rights reserved. This

More information

NetApp Cloud Volumes Service for AWS

NetApp Cloud Volumes Service for AWS NetApp Cloud Volumes Service for AWS AWS Account Setup Cloud Volumes Team, NetApp, Inc. March 29, 2019 Abstract This document provides instructions to set up the initial AWS environment for using the NetApp

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007 DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007 With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

Contents Overview... 5 Upgrading Primavera Gateway... 7 Using Gateway Configuration Utilities... 9

Contents Overview... 5 Upgrading Primavera Gateway... 7 Using Gateway Configuration Utilities... 9 Gateway Upgrade Guide for On-Premises Version 17 August 2017 Contents Overview... 5 Downloading Primavera Gateway... 5 Upgrading Primavera Gateway... 7 Prerequisites... 7 Upgrading Existing Gateway Database...

More information

Certificates for Live Data

Certificates for Live Data You must set up security certificates for Finesse and Cisco Unified Intelligence Center with HTTPS. You can: Use the self-signed certificates provided with Finesse and Cisco Unified Intelligence Center.

More information

BIG-IP System and Thales HSM: Implementation. Version 12.1

BIG-IP System and Thales HSM: Implementation. Version 12.1 BIG-IP System and Thales HSM: Implementation Version 12.1 Table of Contents Table of Contents Setting Up the Thales HSM...5 Overview: Setting up the Thales HSM...5 Prerequisites for setting up Thales

More information

Setup Guide for AD FS 3.0 on the Apprenda Platform

Setup Guide for AD FS 3.0 on the Apprenda Platform Setup Guide for AD FS 3.0 on the Apprenda Platform Last Updated for Apprenda 6.5.2 The Apprenda Platform leverages Active Directory Federation Services (AD FS) to support identity federation. AD FS and

More information

YubiHSM 2 for ADCS Guide. Securing Microsoft Active Directory Certificate Services with YubiHSM 2

YubiHSM 2 for ADCS Guide. Securing Microsoft Active Directory Certificate Services with YubiHSM 2 YubiHSM 2 for ADCS Guide Securing Microsoft Active Directory Certificate Services with YubiHSM 2 Copyright 2017 Yubico Inc. All rights reserved. Trademarks Yubico and YubiKey are registered trademarks

More information

Security and Certificates

Security and Certificates Encryption, page 1 Voice and Video Encryption, page 6 Federal Information Processing Standards, page 6 Certificate Validation, page 6 Required Certificates for On-Premises Servers, page 7 Certificate Requirements

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

VMware AirWatch Product Provisioning and Staging for QNX Guide Using Product Provisioning for managing QNX devices.

VMware AirWatch Product Provisioning and Staging for QNX Guide Using Product Provisioning for managing QNX devices. VMware AirWatch Product Provisioning and Staging for QNX Guide Using Product Provisioning for managing QNX devices. Have documentation feedback? Submit a Documentation Feedback support ticket using the

More information

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide One Identity Active Roles 7.2 Azure AD and Office 365 Management Administrator Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Table of Contents Lab Overview - HOL-1857-03-UEM - Workspace ONE UEM with App & Access Management... 2 Lab Guidance... 3 Module 1 - Workspace

More information

SafeNet Authentication Client

SafeNet Authentication Client SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep

More information

Version 9 Release 0. IBM i2 Analyst's Notebook Configuration IBM

Version 9 Release 0. IBM i2 Analyst's Notebook Configuration IBM Version 9 Release 0 IBM i2 Analyst's Notebook Configuration IBM Note Before using this information and the product it supports, read the information in Notices on page 11. This edition applies to version

More information

VMware AirWatch Integration with SecureAuth PKI Guide

VMware AirWatch Integration with SecureAuth PKI Guide VMware AirWatch Integration with SecureAuth PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information