Creating AD FS lab - Windows Server 2016

Posted: January 8, 2017 in Windows Server

In a previous post I installed the Federation Service; in this one we'll configure the web server and test a claims-aware web app.

Configuring the web server

Install IIS with the required role, and the Windows Identity Foundation 3.5 feature.

Download the test web application, unzip it, and save it in a location of your choice (I put it on the C: drive).

Right-click Default Web Site and choose Add Application.

Set the alias and browse to the path where the application folder is saved.

Open an MMC console and add the Certificates snap-in for the local computer.

Right-click the Personal folder and choose All Tasks - Request New Certificate.

Select the template and click More information is required to enroll…:

Type the web server FQDN as the Common Name and as an Alternative DNS name.

In IIS Manager, right-click Default Web Site, choose Edit Bindings, add an https binding and select the SSL certificate we just enrolled.

Test whether the site is working (browse to it over HTTPS).

If compilation fails, edit web.config and set the appropriate .NET Framework version.

Download and install the Windows Identity Foundation SDK (choose the version matching the .NET Framework version installed on your system).

From C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0 or C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5 (depending on the .NET Framework version) run FedUtil.exe.

Click Browse and locate web.config (in the web application folder).

In Application URI, set the web page defined during web app site creation.

On the next page click Use existing STS and enter:

https://fs.test.com/federationmetadata/2007-06/federationmetadata.xml

fs.test.com is the AD FS server name.

Disable certificate verification

No encryption

Check Schedule a task to perform daily WS-Federation metadata updates.

From a client computer, test web access:

In the address bar type the web address of the web server (https://web.test.com/claimapp, the site we added at the beginning); it will redirect to the AD FS server (fs.test.com/adfs/ls).

Because this application is not yet secured by AD FS, any attempt to sign in will fail.

Creating a Relying Party Trust

A relying party trust tells AD FS where it can expect claims to come from; AD FS trusts the relying party so that, when a user is authenticated, they can be redirected back to that application.

The relying party is the organization that receives and processes claims (the test application, in this case).

Claims are statements (for example name, identity, group) made about users that are used primarily for authorizing access to claims-based applications.

On the AD FS server open the AD FS console, select Relying Party Trusts and click Add Relying Party Trust:

Select Claims aware.

Select Import data about the relying party published online or on a local network, enter the metadata URL for claimapp, and then click Next. The FedUtil.exe run earlier created the metadata .xml file on the web server.

Select Permit everyone.

Leave Configure claims issuance policy for this application checked.

After clicking Close, a new window will open.

A claim rule represents an instance of business logic that will take one or more incoming claims, apply conditions to them (if x then y) and produce one or more outgoing claims based on the condition parameters.

Click Add Rule, select Send Claims Using a Custom Rule, and then click Next.

Type a rule name and, in Custom rule, type the rule.

There are two parts to each rule.

  • Condition statement
  • Issuance statement

If the condition statement is true, the issuance statement will be executed.

A claim is represented by the variable c, and the claim type for the condition is specified inside the []. I used a simple example in this case: because no claim type is specified, there is no condition, so every claim is issued as it is.

What this says is "if the condition is true, issue this claim". The special operator "=>" separates the condition from the issuance statement, and a semicolon ends the statement.

c:[ ] => issue(claim = c);

Condition statement => issuance statement;

The available claim types can be seen by clicking Service - Claim Description.
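As an added illustration (not code from the post), here is a small Python model of the rule syntax above: it parses rules of the form c:[...] => issue(claim = c); and applies them to a constructed set of claims, so you can compare what the post's condition-less rule sends to the relying party with a rule whose condition restricts the claim type. It covers only that subset (Type/Value equality conditions), not the real AD FS rule engine, and the sample claim values are made up.

```python
import re

# Constructed model of the subset of AD FS claim rule syntax shown in the post:
#   c:[<conditions>] => issue(claim = c);
# NOT the AD FS rule engine: only Type == "..." / Value == "..." conditions,
# separated by commas, are understood.
RULE_RE = re.compile(r'^\s*c:\[(.*?)\]\s*=>\s*issue\(\s*claim\s*=\s*c\s*\)\s*;\s*$')
COND_RE = re.compile(r'(Type|Value)\s*==\s*"([^"]*)"')

def parse_rule(rule):
    """Return {field: required value} for the condition; {} means no condition."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    conditions = {}
    for part in m.group(1).split(","):
        part = part.strip()
        if not part:                      # c:[ ] has an empty condition list
            continue
        c = COND_RE.fullmatch(part)
        if not c:
            raise ValueError(f"unsupported condition: {part!r}")
        conditions[c.group(1)] = c.group(2)
    return conditions

def apply_rule(rule, incoming):
    """Issue every incoming claim for which the rule's condition holds."""
    conditions = parse_rule(rule)
    return [claim for claim in incoming
            if all(claim[field] == want for field, want in conditions.items())]

# Constructed sample: claims AD FS might hold for a user after the AD lookup
# (standard claim type URIs, made-up values).
SAMPLE_CLAIMS = [
    {"Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
     "Value": "alice"},
    {"Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
     "Value": "alice@test.com"},
    {"Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
     "Value": "S-1-5-21-1-2-3-513"},
]

PASS_THROUGH = 'c:[ ] => issue(claim = c);'   # the rule used in the post
NAME_ONLY = ('c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]'
             ' => issue(claim = c);')

if __name__ == "__main__":
    for label, rule in (("pass-through", PASS_THROUGH), ("name only", NAME_ONLY)):
        issued = apply_rule(rule, SAMPLE_CLAIMS)
        print(f"{label}: {len(issued)} claim(s) issued to the relying party")
```

The pass-through rule forwards all three sample claims (including the group SID) to claimapp, while the name-only rule forwards just the name claim.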

And now when we try to log in we'll see this page:

Comments
  1. Martin Master says:

    Hi,
    I got this error when I try to check if the website is working:

    Server Error in ‘/claimapp’ Application.
    ——————————————————————————–

    Compilation Error
    Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

    Compiler Error Message: CS0104: ‘IssuerNameRegistry’ is an ambiguous reference between ‘System.IdentityModel.Tokens.IssuerNameRegistry’ and ‘Microsoft.IdentityModel.Tokens.IssuerNameRegistry’

    Source Error:

    Line 20: /// This class verifies that the issuer is trusted, and provides the issuer name.
    Line 21: ///
    Line 22: public class TrustedIssuerNameRegistry : IssuerNameRegistry
    Line 23: {
    Line 24: ///

  2. JM says:

    Hi the claimsapp.zip is no longer available, possible to repost? Thanks!

  3. HV says:

    If you write a blog, please write a blog that is accurate and can be followed step by step.
