This video will look at creating a relying party trust in Active Directory Federation Services. A relying party trust is required in order to create the claims that will be used by the resource partner.
In this video, a relying party trust will be created in the ITFreeTraining domain. In the previous videos, Active Directory Federation Services and Active Directory Certificate Services were installed: in the ITFreeTraining domain an Enterprise CA was created, which issued a certificate to the Active Directory Federation Server in that domain. In the HighCostTraining domain, a standalone certificate service was installed on the same server as Active Directory Federation Services. Both servers therefore already have Active Directory Federation Services installed and configured, and both networks also have a Domain Controller. The relying party trust that will be created in the ITFreeTraining domain is essentially the configuration created on the ITFreeTraining Active Directory Federation Server. This configuration determines how a claim is created on that server for use in the HighCostTraining domain. For this reason, the relying party trust requires information from the HighCostTraining server in order to determine what that server expects.
Demonstration of creating a relying party trust
1) Open Server Manager, select the Tools menu and then select the option AD FS Management.
2) In AD FS Management, expand Trust Relationships. Right click Relying Party Trusts and select the option Add Relying Party Trust to start the wizard.
3) Once past the welcome screen, the next screen asks for information about the other server. The simplest way to obtain this information is to have this server contact the other server directly. The information can also be exported to a file and imported. As a last resort, the administrator can enter the information manually.
4) The information obtained from the other server comes from an XML file. If you expand Service and then look in the container Endpoints, under Metadata you will find the information about the server. If you want to export this data, open it in Internet Explorer and save it to a file. This file can then be imported on the other server.
5) If you use the option to contact the other server directly, the other server's name must be resolvable. If it is in another company, you can configure DNS forwarding, as was done in this video. You could also use the IP address to connect to the other server.
6) If you get an error stating that a secure channel could not be created between the two servers, you will need to export and import the certificate as explained below. In this case the relying party trust is being created and thus HighCostTraining needs the certificate imported. In this case both certificates are imported, as in a later video the claims provider trust is created and HighCostTraining needs access to ITFreeTraining in order to do this.
7) On the Specify Display Name screen, enter a meaningful display name so other administrators know what the trust was created for. You also have the option to enter additional notes about the trust.
8) The wizard gives you the option to configure multi-factor authentication. In this case, this option was not selected.
9) The Choose Issuance Authorization Rules screen determines the default permissions for the trust. The trust can either allow access by default or deny it by default. For better security it is best to deny access, however that means the administrator has to specify explicitly who can use the trust, otherwise the trust cannot be used at all.
10) The Ready to Add Trust screen shows all the information about the trust. Once Next is pressed, the trust is created.
11) The last screen of the wizard gives you the option to edit the trust straight after it is created. If you clear this option, the administrator can still edit the trust later on.
Demonstration of editing the trust and configuring rules
1) To edit a relying party trust, select it in the Relying Party Trusts container, right click and select the option Edit Claim Rules.
2) The trust has 3 sets of rules. The Issuance Transform Rules allow changes to be made to data before it is packaged into a claim and sent to the other party. The Issuance Authorization Rules determine which users are permitted to use the trust (the allow or deny default chosen in the wizard is set here). The Delegation Authorization Rules allow a user to impersonate another user.
3) To add an Issuance authorization rule, select the tab and then press the button Add Rule; this starts the rule creation wizard. First a template needs to be selected from the list. In this case the template Send Group Membership as a Claim was selected.
4) On the next screen of the wizard, a name for the rule needs to be entered.
5) Next, a group for the claim needs to be entered; this can be done by pressing the Browse button and entering the group name. The option Outgoing claim type allows the administrator to select how the data will be presented in the token. In this case the option chosen was Group, however you are free to choose whichever option you want. For example, you could change data from one format to another. You can also use Outgoing claim value to assign a name to the claim that is different from the original data. For example, you could change the group name to something different from the original.
Demonstration of Import/Export Certificates
1) To export a certificate, right click the Start menu and enter MMC in the Run menu.
2) Once MMC has opened, select the File menu and then select the option Add/Remove Snap-in. From the list of snap-ins displayed, add the snap-in Certificates. When the snap-in is added, Windows asks which scope of certificates you want to manage. In this case select the option Computer account so that the certificates used by the local machine are displayed. Also, when prompted, accept the default option Local computer so that the certificates managed are the ones on the local computer.
3) To see the certificate used by Active Directory Federation Services, expand down to Certificates under Personal.
4) To export the certificate, double click the certificate to open its properties. Next select the tab Certification Path. This shows the root certificate of the Enterprise CA. You could export the certificate for the Active Directory Federation Server and use that one instead. The advantage of exporting the Enterprise CA certificate is that any other certificate it issues in the future will also be trusted, because the root CA certificate is trusted.
5) To export the Enterprise CA certificate, on the Certification Path tab select the root certificate and press the button View Certificate. Once the certificate is open, select the Details tab and then press the button Copy to File at the bottom.
6) In the export wizard, select the option for DER. It is then just a matter of completing the wizard and saving the file to an appropriate place. In this example the certificate was saved to a USB flash drive, which will be taken to the other server and imported.
7) To import the certificate on the HighCostTraining server, open the USB flash drive in Windows Explorer and double click the file to open the certificate. Once the certificate is open, press the button Install Certificate to start the certificate import wizard.
8) In the certificate import wizard, select the option Local Machine. When asked which certificate store to put the certificate in, select the option Trusted Root Certification Authorities.
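The three procedures above (trusting the partner's root CA certificate, creating the relying party trust from the partner's federation metadata with access denied by default, and adding a Send Group Membership as a Claim rule) can also be scripted. This is an added example, not code from the video: the host names, certificate paths, subject filter, the Sales group and its SID are assumed placeholders, and the Windows Server 2012 ADFS and PKI PowerShell modules are assumed to be present.

```powershell
# Added example (not from the video). Run in an elevated PowerShell on the
# ITFreeTraining AD FS server. Placeholders: host names, paths, group name, group SID.
Import-Module ADFS

# 1) Trust the partner's root CA so the secure channel to HighCostTraining can be built
#    (equivalent of importing the exported DER file into Trusted Root Certification Authorities).
$partnerRootCer = 'E:\HighCostTraining-RootCA.cer'   # assumed path to the exported DER file
Import-Certificate -FilePath $partnerRootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Our own Enterprise CA root can be exported for the other side the same way
# (equivalent of Copy to File -> DER in the Certificates MMC snap-in).
$ownRoot = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -like '*ITFreeTraining*' } | Select-Object -First 1   # assumed subject
if ($ownRoot) { Export-Certificate -Cert $ownRoot -FilePath 'E:\ITFreeTraining-RootCA.cer' -Type CERT | Out-Null }

# 2) Issuance authorization rule. A trust with NO authorization rules denies everyone
#    (the wizard's "deny access" default), so a permit rule is added explicitly for one group.
$permitSales = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of Sales"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-PLACEHOLDER-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# 3) Issuance transform rule: Send Group Membership as a Claim, outgoing claim type Group,
#    outgoing claim value renamed from the AD group to "Sales" before it leaves this server.
$sendGroup = @'
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Send Sales group membership as Group claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Sales", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Create the trust from the partner's federation metadata endpoint (the same XML the
# wizard downloads). The partner host name must resolve, e.g. via DNS forwarding.
$metadataUrl = 'https://adfs.highcosttraining.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumed host
Add-AdfsRelyingPartyTrust -Name 'HighCostTraining' `
    -MetadataUrl $metadataUrl `
    -Notes 'Sends group claims to the HighCostTraining resource partner' `
    -IssuanceAuthorizationRules $permitSales `
    -IssuanceTransformRules $sendGroup

# Verify: the trust exists, is enabled, and carries exactly the rules set above.
Get-AdfsRelyingPartyTrust -Name 'HighCostTraining' |
    Select-Object Name, Enabled, MetadataUrl, IssuanceAuthorizationRules, IssuanceTransformRules
```

If the metadata download fails with a secure channel error, check the Trusted Root import in step 1 before anything else; the rule text can be pasted unchanged into the wizard's custom rule editor if you prefer the GUI.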
See http://youtube.com/itfreetraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.