After seven articles full of steps to configure the test environment, you now have a fully functioning test lab for your claims-based authentication demos. However, Bring Your Own Device (BYOD) does not only entail making authentication and authorization available over the universal bypass firewall protocols (HTTP and HTTPS). In an ideal BYOD world, colleagues would also be able to access their files in that way.

Microsoft long ago made available the ability to synchronize files over the Internet. Both SharePoint Server and Groove (or SharePoint Workspace, SkyDrive Pro, and OneDrive for Business, as groove.exe is known more recently) unlock this capability. However, SharePoint and Groove have not seen the widespread adoption of many other Microsoft products across end users. The reasons for this have been plenty, but one feature built into Windows might have everything in its favor: Work Folders.

The Work Folders feature is a great feature for these reasons:

  • It’s built into Windows, so you don’t have to license it beyond Windows.
  • Its backend technology is a Windows Server 2012 R2-based File Server, not a SQL Server.
  • Because its back end is a File Server, it supports file classification, quota, etc.
  • It supports claims-based authentication.
  • It supports MDM-triggered device wipes.
  • It uses TCP port 443 for its block-based file synchronization.
  • File synchronization is automatic; it doesn’t require user interaction, as long as colleagues place their data in the Work Folders library on their Windows 7, Windows 8.1, and/or Windows RT 8.1-based devices.

The only downside is that Work Folders merely applies to user data—the data your colleagues make for their own use. Colleagues cannot share data from their Work Folders with other colleagues. Work Folders are private, like Home Folders.

Let’s configure the FileServer as our Work Folders server so that we can demo this fabulous feature.

Step 21: Configure the File Server

We’ll start with performing the basic configuration of server FileServer. Let’s make it part of our domain:

  1. Log on to server FileServer.
  2. Press Win + X or right-click the Start button. In the context menu, select System.
  3. In the main pane, select Change settings in the Computer name, domain and workgroup settings section.
  4. In the system Properties window, click Change…
  5. In the Computer Name/Domain Changes window, select the Domain: radio option. Type the domain name, and then press OK.
  6. Restart server FileServer.

Next, let’s get a certificate from the Certification Authority (CA):

  1. Log on to server FileServer with domain credentials.
  2. Press the Start button.
  3. Type mmc.exe and press Enter.
  4. This will start an empty Microsoft Management Console window.
    On the Console1window, from the File menu, select Add/Remove Snap-in…
    Add or Remove Snap-ins
  5. On the Add or Remove Snap-ins window, select Certificates from the list of available snap-ins and click Add >.
  6. Select Computer account and click Next >.
  7. Select Local Computer and click Finish.
  8. On the Add or Remove Snap-ins window, click OK.
  9. In the left pane, expand Certificates (Local Computer), then Personal, and then Certificates.
  10. In the Action pane (to the right), click More Actions, click All Tasks, and click Request New Certificate….
  11. On the Certificate Enrollment window, click Next twice.
  12. Select Web Server.
  13. Click the link More information is required to enroll for this certificate. Click here to configure settings..
  14. On the Certificate Properties window, perform these actions:
    1. In the Subject name: area, change the Type: to Common Name and then type Click Add >.
    2. In the Alternative name: area, change the Type: to DNS and then type Click Add >.
    3. In the Alternative name: area, change the Type: to DNS and then type Click Add >.
  15. Click OK when done.
  16. Click Enroll.
  17. Click Finish.
  18. Close the Microsoft Management Console window. You don’t need to save it.

Step 22: Configure the File Server Role

Now, let’s install the File Server Role:

  1. While still logged on as a Domain Administrator, go to Server Manager.
  2. In the grey top pane, click Manage and then select Add Roles and Features from the context menu.
  3. Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
  4. Click Next > on the Select Installation Typepage to accept the Role-based or feature-based installation option.
  5. Click Next > on the Select Destination Server page.
  6. On the Select Server Rolespage, expand the File and Storage Services. Then, expand the File and iSCSI Services category and select Work Folders.
  7. On the pop-up window, click the Add Features button to also install the IIS Hostable Web Core feature to make Work Folders work.
    Select server roles for file and iSCSI services
  8. Click Next >.
  9. Click Next > on the Select Features page.
  10. Verify the information on the Confirm Installation Selections page. Then, click Install.
  11. After installation, click Close on the Installation Progress page.

Step 23: Configure Work Folders

Configuring Work Folders is not a big deal. However, publishing Work Folders through the Web Application Proxy is a bit tricky, but we’ve got you covered. Let’s walk through it and begin with some simple file server operations. Let’s create a folder where we’re going to store the Work Folders for our colleagues:

  1. Click the File Explorer icon on the taskbar of server FileServer.
  2. Navigate to the C:\ disk on the server.Note:
    Storing Work Folders on C:\ is by no means a best practice, but, then again, this is a lab environment.
  3. In the Ribbon of File Explorer, go to the Home tab and click New folder.
  4. Name the folder appropriately. I chose WorkFolders.
  5. Close File Explorer.

Now, let’s configure Work Folders:

  1. Log on to FileServer with a user account that has domain admin privileges.
  2. In the right pane of Server Manager, click File and Storage Services.
  3. From the new second pane, click Work Folders.
  4. Click the Tasks button in the top right corner (not the one in the grey ribbon). Select New Sync Share… from the context menu.
  5. Click Next > to skip the Before You Begin window.
  6. On the Select the Server and Path window, type the path to the folder you just created as the local path.
    New Sync Share Wizard, Part 1
  7. Click Next >.
  8. Click Next > to accept the User Alias as the folder-naming format.
  9. Click Next > to accept the Sync Share name, based on the folder name.
    New Sync Share Wizard, Part 2
  10. On the Grant Sync Access to Groupswindow, click the Add… button. For demo purposes, we’ll add the Domain Users group.Note:
    In a production environment, you would only allow sync access to certain groups. You might even distribute sync shares over multiple Work Folders servers, depending on group membership.
  11. Click Next >.
    New Sync Share Wizard, Part 3
  12. Select the Encrypt Work Folders setting, so client devices of colleagues configuring Work Folders on these devices will have the Work Folders library encrypted.Note:
    When you encrypt the contents of the Work Folders library on devices, you can make the contents of these folders wipeable through your Mobile Device Management (MDM) solution.Also, apply the device policies around the default lock screen settings and default password settings on the devices your colleagues use. This option is selected by default.Click Next > when done.
  13. Click the Create button on the Confirm Selections window to create the Sync Share.
  14. Click Close to close the wizard after it has completed.

Next, let’s enable SSL for Work Folders:

  1. Open an elevated PowerShell window.
  2. Type the following command:Get-ChildItem -path cert:\LocalMachine\My
  3. From the list of certificates, we’ll copy the thumbprint for the certificate.
  4. With the mouse, select the whole thumbprint string. Then, press Enter.
  5. Now start typing the command below. When you arrive at the point where you need to enter the thumbprint, click the PowerShell logo in the app bar, select Edit from the context menu, and then click Paste.Netsh add sslcert import= certhash=thumbprinthere appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorname=My
  6. Close the PowerShell window.

Next, we’ll enable claims-based authentication to the Sync Share:

  1. In the right pane of Server Manager, click File and Storage Services.
  2. In the new second pane, click Servers.
  3. In the main pane, select server FileServer. Right-click it and select Work Folders Settings from the context menu.
    Work Folders Authentication Settings
  4. Select Active Directory Federation Services as the authentication method and specify as the Federation Services URL:.
  5. Click OK when done.

Now, as the pièce de résistance, let’s configure the Active Directory Federation Services (AD FS) side of things.

For this, all you need to do is issue this PowerShell command on server ADFS:

$ECSIdentifier = "https://Windows-Server-Work-Folders/V1"; 
$ECSDisplayName = "EnterpriseClientSync"; 
$TransformRuleString = '@RuleTemplate = "LdapClaims" @RuleName = "Ldap" c:[Type == "", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("", "", "", ""), query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);' ; 
$AuthorizationRuleString = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "",Value = "true");' ;

Add-ADFSRelyingPartyTrust -Identifier $ECSIdentifier -Name $ECSDisplayName -IssuanceTransformRules $TransformRuleString -IssuanceAuthorizationRules $AuthorizationRuleString -EncryptClaims:$false -EnableJWT:$true -AllowedClientTypes Public;

And, because our test lab features a Web Application Proxy, we need to publish both the Sync Share and the Work Folders AutoDiscover.

To publish the Sync Share through the Web Application Proxy, run the following command on server Edge in the PowerShell Integrated Scripting Environment (ISE):

$WAPAppName = "EnterpriseClientSync"
$ExternalURL = ""
$BackEndServerURL = ""
Add-WebApplicationProxyApplication -Name $WAPAppName -ExternalURL $ExternalURL -ExternalCertificateThumbprint 5313D63D210F806D0337AFF0A819089D121AAD42 -BackendServerUrl $BackEndServerURL -ExternalPreauthentication ADFS -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -ADFSRelyingPartyName EnterpriseClientSync –UseOAuthAuthentication

Then, to publish the AutoDiscover, run the following command on server Edge in the PowerShell ISE:

$WAPAppName = "WorkFoldersDiscovery"
$ExternalURL = ""
$BackEndServerURL = ""
Add-WebApplicationProxyApplication -Name $WAPAppName -ExternalURL $ExternalURL -ExternalCertificateThumbprint 5313D63D210F806D0337AFF0A819089D121AAD42 -BackendServerUrl $BackEndServerURL -ExternalPreauthentication ADFS -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -ADFSRelyingPartyName EnterpriseClientSync -UseOAuthAuthentication

And you’re done.

Subscribe to 4sysops newsletter!


Setting up Work Folders is straightforward when you know PowerShell. In the next post of this series, we will configure multi-factor authentication in your BYOD lab.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account