For successful demos, you’ll need a couple of things.
For all your demos to work, you’ll need to install the certificate for the Certification Authority on DC1 to the list of trusted root certification authorities on each device you’re aiming to use in your demos.
To export the root certificate from the Certification Authority, use this command on server DC1:
Certutil.exe -ca.cert C:\rootcertificate.cer
Using the clipboard functionality of the Remote Desktop Client, you can then easily copy the certificate to a local hard drive and to USB media.
Although your environment already has a domain admin account and local administrator accounts, you’ll need some normal user accounts to demo certain things.
You can easily create user accounts in Active Directory Users and Computers (dsa.msc) or the Active Directory Administrative Center (dsac.exe) on server DC1. When you do, take care of these things:
- If you want users to be able to use Work Folders, make sure they are members of the group that is in scope for Work Folders. You’ve defined this group in Part 8 of this series. When you set it up like I did, membership of the Domain Users group will suffice.
- If you want users to be able to use Multi-Factor Authentication, you will need to define at least one telephone number. In the Active Directory Administrative Center (dsac.exe), you can define this information in the Organization section:
Create a user
Doing the demo ^
You can demo claims-based access on any device using the ClaimApp. When you direct a browser on the device to https://www.demo.4sysops.com/claimapp , the browser will automatically redirect the authentication request to the Active Directory Federation Services (AD FS) server. After successful authentication with the UPN, the ClaimApp will show all supported claims.
You can explain the concept of federation by directing your audience to the address bar of the browser while authenticating. This will be the external name of server ADFS.
Pointing out claims like insidecorporatenetwork and x-ms-forwarded-client-ip will make it easy for you to make the case for rich authorization scenarios, based on WIF logic involving multiple claims.
The best way to demo Workplace Join is by Workplace Joining a Windows 8.1 (or later) or Windows RT 8.1 (or later) to the workplace.
If you want to live dangerously, you can use Windows 7 with the installer contained in Workplace Join for Windows 7.zip. on Microsoft’s Connect website. Because Workplace Join is built into Windows 8.1 and Windows RT 8.1, I think demonstrating Workplace Join on these operating systems might be more appealing to your audience.
To join a Windows 8.1 or Windows RT 8.1 device to a workplace, perform these steps:
- Log on to Windows.
- Press Win + C to access the charms bar. Select Settings. Then, select PC Settings in the bottom of the pane.
- In the Modern Control Panel, in the left pane, select Network.
- In the left pane, click Workplace.
- Enter the UPN of the user account with which to demo Workplace Join. When you’re done, click Join.
- A pane will show up. This pane comes from the server ADFS. Enter the UPN again, together with the password for the user account.When you’re successful, a part of the controls will disappear, and the Join button will be replaced with a Leave button.Tip!
Workplace Join on Windows 8.1 and Windows RT 8.1 does not require administrative privileges. You can show this using whoami.exe after you log on.
- Visit the ClaimApp again. Now, the list with claims is longer. Focus on the isregistered claim. Also, note that you now have more information on the device than you did previously. A trust relation is evident.
Exit Internet Explorer altogether, and then revisit the ClaimApp. This time the Single Sign-on feature of Workplace Join kicks in.
After you’ve Workplace joined the device, an object is created for this device in Active Directory Domain Services. To show it, open the Active Directory Administrative Center (dsac.exe) on DC1. You will find objects in the RegisteredDevices container.
RegisteredDevices container in the Active Directory Administrative Center
Note that the object type is msDS-device, compared to “normal” Computer objects. When you look at the properties of the object, you’ll see a load of information.
When you have multiple user accounts defined in your test lab, and each of these accounts has a profile on the Windows (RT) box, after Workplace Joining a device as one user account, you can switch users and show that the other user account still has the ability to join a workplace. This reinforces the point that Workplace Join is based on both the device and the user.
The easiest way I have found to demo Multi-Factor Authentication (MFA) is to MFA-enable Workplace Join.
To enable MFA for Workplace Join for devices (outside of the network because in our test lab they typically are enabled), follow these steps:
- Log on to server ADFS using domain admin credentials.
- In Server Manager, on the grey ribbon, click Tools and then select AD FS Management from the context menu.
- In the left pane, expand Authentication Policies. Then, select Per Relying Party Trust.
- In the main pane, select Device Registration Service. Then, from the right Actions pane, select Edit custom Multi-Factor Authentication….
- In the Edit Authentication Policy for Device Registration Service window, on the Multi-Factor Authentication tab, select the Extranet radio button.
- Click OK.
- Close AD FS Management.
- Log off.
After you’ve made this change, you can enable user accounts for MFA. Follow these steps:
- Log on to server ADFS using domain admin credentials.
- Start the Multi-Factor Authentication Server Management console.
- In the left pane, click Users.
- At the bottom, select Import from Active Directory….
- In the Import: field, select Selected Users.
- Browse the Active Directory structure to locate the user account you want to enable for MFA. Select it in the table.
- For the Import phone: and backup: fields, select the correct phone fields you’ve provisioned in Active Directory.
- Change any other settings you’d like. Click Import when done.
- Click OK to close the Import from Active Directory report.
- Click Close to close the Import from Active Directory screen.
- In the Users view of the Multi-Factor Authentication Server Management console, select the new user from the list. Then, click the Edit… button.
- Set the Enabled option on the General tab to enable MFA.
- Click Close.
Now, Workplace Join a (different) device as the MFA-enabled user (or after you’ve left the workplace to show that). You’ll see that the authentication pane is expanded with the Multi-Factor Authentication portion.
Make sure the telephone number you’ve provisioned for each user is reachable.
I recommend showing off Work Folders on Windows 8.1 or Windows RT 8.1, although it might feel counterintuitive because of the availability of Work Folders for Windows 7 as a separate download. The product team has worked hard to make the procedure to enable Work Folders equal on both platforms. However, this means you’ll be enabling Work Folders on Windows (RT) 8.1 from the classic Control Panel:
- Log on to Windows.
- Press Win + X and select Control Panel from the Power User Menu.
- Search for Work Folders or locate it in the System and Security category.
- Click Set up Work Folders.
- Enter the credentials for a Work Folders–enabled user. Click OK.
- Specify the Work Folders location, if you want it to be different than C:\Users\%username%\WorkFolders. Click Next.
- On the Security Policies screen, select the I accept these policies on my PC option and click Set up Work Folders.
After the setup, a new library is added to the profile.
Further tips ^
When you’re not using the demo environment much, I recommend sizing the virtual machines in Azure as little as possible.
Furthermore, I would also advise disabling the password expiration for the administrator accounts you’d frequently use for configuring demos. A password manager will also help prevent you from getting locked out of your environment and will be a lot safer.
Enjoy your BYOD test lab!