By Sander Berkouwer
To show off claims-based authentication and the ability to make authorization decisions based on these claims, we’ll need a claims-enabled web application on a claims-aware webserver.
Let’s go right ahead and configure that very webserver!
Step 12: Configure the webserver
Just like the AD FS server, the webserver has to be joined to the Active Directory domain that serves as our identity platform:
- Log on to server WebServer.
- Press Win + X or right-click the Start button. In the context menu, select System.
- In the main pane, select Change settings in the Computer name, domain and workgroup settings section.
- On the System Properties window, click Change…
- On the Computer Name/Domain Changes window, select the Domain: option. Type the domain name, and then click OK.
- Restart server WebServer.
Also, for secure communication with the Internet, we want a certificate so that HTTP traffic is protected with TLS (still commonly labelled SSL). The certificate must carry every host name clients will use, because browsers validate the Subject Alternative Name (SAN) entries.
Next, let's get a certificate from the Certification Authority (CA):
- Log on to server WebServer with domain credentials.
- Click the Start button.
- Type mmc.exe and press Enter.
- This will start an empty Microsoft Management Console window.
- On the Console1 window, from the File menu, select Add/Remove Snap-in…
- On the Add or Remove Snap-ins window, select Certificates from the list of available snap-ins and click Add >.
- Select Computer account and click Next >.
- Select Local Computer and click Finish.
- On the Add or Remove Snap-ins window, click OK.
- In the left pane, expand Certificates (Local Computer), then Personal, and then Certificates.
- In the Action pane (to the right), click More Actions, click All Tasks, and then click Request New Certificate….
- On the Certificate Enrollment window, click Next twice.
- Select the Web Server template. (If it is not listed, the WebServer computer account has no Enroll permission on that template; grant it on the CA first, because enrolling in the Computer account context uses the computer's identity, not yours.)
- Click the link More information is required to enroll for this certificate. Click here to configure settings.
- On the Certificate Properties window, perform these actions:
- In the Subject name: area, change the Type: to Common Name and then type webserver.demo.4sysops.com. Click Add >.
- In the Alternative name: area, change the Type: to DNS and then type webserver.demo.4sysops.com. Click Add >.
- Also in the Alternative name: area, change the Type: to DNS and then type www.demo.4sysops.com. Click Add >.
- Click OK when done.
- Click Enroll.
- Click Finish.
- Close the Microsoft Management Console window. You don’t need to save it.
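The same two tasks, domain join and machine certificate enrollment, as an added PowerShell example (not code from the original post). It assumes the article's names (demo.4sysops.com, webserver.demo.4sysops.com, www.demo.4sysops.com) and that the CA's Web Server template has its default short name, WebServer, and grants Enroll to the computer account. It also adds the checks a practitioner wants before binding the certificate in IIS: private key present, both SAN entries present, chain valid, Server Authentication EKU present.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell on WebServer.

function Join-DemoDomain {
    param([string]$DomainName = 'demo.4sysops.com')   # assumption: the article's domain name
    # Get-Credential prompts, so no join password ends up in a script or history.
    $cred = Get-Credential -Message "Account that may join computers to $DomainName"
    # Equivalent of System Properties > Change... > Domain; reboots when done.
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}

function Request-WebServerCertificate {
    param(
        [string]$CommonName = 'webserver.demo.4sysops.com',
        [string[]]$DnsNames = @('webserver.demo.4sysops.com', 'www.demo.4sysops.com'),
        [string]$Template   = 'WebServer'   # assumption: default short name of the Web Server template
    )
    # Get-Certificate (PKI module, Server 2012 and later) performs the same autoenrollment
    # the Certificates MMC wizard does, in the Local Computer (machine) store.
    $result = Get-Certificate -Template $Template `
                              -SubjectName "CN=$CommonName" `
                              -DnsName $DnsNames `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') {
        throw "Enrollment did not complete; status is $($result.Status) (pending requests need CA approval)"
    }
    $cert = $result.Certificate

    # Checks before this certificate is bound to an HTTPS site:
    if (-not $cert.HasPrivateKey) { throw 'No private key in the machine store for this certificate' }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if (-not $sanExt) { throw 'Certificate has no SAN extension; browsers will reject it' }
    $san = $sanExt.Format($false)          # e.g. "DNS Name=webserver.demo.4sysops.com, DNS Name=www..."
    foreach ($name in $DnsNames) {
        if ($san -notmatch [regex]::Escape($name)) { throw "SAN is missing $name" }
    }
    if (-not $cert.Verify()) { throw 'Chain does not validate; is the CA certificate trusted on this host?' }
    $serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $serverAuth) { throw 'Certificate lacks the Server Authentication EKU' }

    return $cert   # the thumbprint of this object is what the IIS HTTPS binding will reference later
}

# Usage, in two sessions because the join reboots the server:
#   Join-DemoDomain
#   ... log on again with domain credentials ...
#   $cert = Request-WebServerCertificate
#   $cert | Format-List Subject, Thumbprint, NotAfter, DnsNameList
```

The join and the enrollment are separate functions on purpose: Add-Computer -Restart ends the session, and enrollment has to run after the reboot, when the machine can authenticate to the CA with its new domain computer account.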
Step 13: Install a custom webserver role with the WIF SDK
To build the demo websites, we'll need to download some bits to the WebServer server. We'll need the following bits:
- The Windows Identity Foundation (WIF) 3.5 Software Development Kit (SDK), the version that targets the .NET Framework 3.5
- The SXS folder from the Windows Server 2012 R2 DVD
Although you could download the WIF SDK on the host itself, for the SXS folder this isn't necessarily the ideal way. We only need a small portion of the contents of the Windows Server 2012 R2 DVD, and a dynamically expanding virtual hard disk does not shrink again after we delete the rest.
Instead, I opt to use drive redirection (the Local Resources tab in Remote Desktop Connection, mstsc.exe) to connect a local hard drive from the device I use to connect to the WebServer server. This way, I'll be able to use the setup files without adding them to the contents of the virtual hard disk of the WebServer server.
You might not have the Windows Server 2012 R2 DVD lying around. To get access to it, register for the Windows Server 2012 R2 trial and download the virtual DVD file (*.iso). Mount it and then copy the sources\sxs folder from it to the disk you redirected into the Remote Desktop session with the WebServer server.
We’ll use the two data sources above to install a custom webserver. Perform these tasks:
- While logged on as a member of the local Administrators group (Domain Administrator rights are not needed for this), go to Server Manager.
- In the top grey pane, click Manage and then select Add Roles and Features from the context menu.
- Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
- Click Next > on the Select Installation Type page to accept the Role-based or feature-based installation option.
- Click Next > on the Select Destination Server page.
- On the Select Server Roles page, select Web Server. Click Next >.
- On the Select Features page, select Windows Identity Foundation 3.5. Click Next >.
- Scroll down. Expand Application Development and select ASP.NET 3.5. Click Next >. (This pulls in the .NET Framework 3.5 feature, which is the part that needs the alternate source.)
- On the Confirm Installation Selections page, before you click Install, follow the Specify an alternate source path link. Specify the path to the sources\sxs folder of the Windows Server 2012 R2 DVD.
After installation, click Close on the Installation Progress page.
Next, we’ll install the WIF SDK.
This is a straightforward installation. Simply run WindowsIdentityFoundation-SDK-3.5.msi and click Next four times. Then, click Install. Upon installation completion, click Finish.
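The role, feature and SDK installation from Step 13 as one unattended PowerShell example, added here and not taken from the original article. It assumes the redirected drive or mounted ISO is E: (so the .NET 3.5 payload sits under E:\sources\sxs) and that the SDK MSI was copied to the same drive; the feature names are the Server 2012 R2 names for IIS, ASP.NET 3.5 and Windows Identity Foundation 3.5.

```powershell
# Added example, not part of the original article. Run elevated on WebServer.

function Install-ClaimsWebServer {
    param(
        [string]$SxsPath = 'E:\sources\sxs',                             # assumption: redirected drive / mounted ISO
        [string]$SdkMsi  = 'E:\WindowsIdentityFoundation-SDK-3.5.msi'     # assumption: SDK copied next to it
    )
    if (-not (Test-Path -Path $SxsPath)) { throw "SXS folder not found at $SxsPath" }
    if (-not (Test-Path -Path $SdkMsi))  { throw "WIF SDK installer not found at $SdkMsi" }

    $features = @(
        'Web-Server',                  # Web Server (IIS) role
        'Web-Asp-Net',                 # ASP.NET 3.5; drags in NET-Framework-Core, which needs -Source
        'Windows-Identity-Foundation'  # Windows Identity Foundation 3.5 runtime
    )
    # -Source is the CLI form of the "Specify an alternate source path" link in the wizard.
    $op = Install-WindowsFeature -Name $features -IncludeManagementTools -Source $SxsPath
    if (-not $op.Success) { throw "Feature installation failed with exit code $($op.ExitCode)" }
    if ($op.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before the SDK samples will run' }

    # The SDK is a plain Windows Installer package, so it installs unattended.
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$SdkMsi`" /qn /norestart" -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "WIF SDK installation failed with exit code $($proc.ExitCode)" }

    # Report what actually ended up installed; anything other than Installed means go back to the wizard.
    Get-WindowsFeature -Name $features | Select-Object Name, DisplayName, InstallState
}

# Usage:
#   Install-ClaimsWebServer -SxsPath 'E:\sources\sxs' -SdkMsi 'E:\WindowsIdentityFoundation-SDK-3.5.msi'
```

Exit code 3010 from msiexec means success with a pending reboot, which is why it is accepted alongside 0.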
Step 14: Create the ClaimsApp
To demo the power of claims, we'll create a website that displays every claim in the token Active Directory Federation Services (AD FS) issues by default. Luckily, we won't have to create this website from scratch, since the WIF SDK contains a pretty decent template for this. Perform these steps:
- Copy the contents of the PassiveRedirectBasedClaimsAwareWebApp folder from C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application to C:\Inetpub\ClaimApp.
- In this newly created folder, open default.aspx.cs with the built-in Windows text editor (notepad.exe).
- Use Ctrl + F to search for instances of ExpectedClaims. Comment out the second instance, including the opening brace on the line under it and the three lines under that. (This removes the sample's check that specific claims are present, so the page accepts whatever claims AD FS sends.)
- Use Ctrl + S to save these changes.
- Use Ctrl + O to open another file in the same folder: Web.Config.
- Use Ctrl + F, but this time use it to search for Microsoft.IdentityModel. Notepad's search is not case sensitive, so the first hit may be the registration line in the <configSections> element near the top; keep that one and move on to the <microsoft.identityModel> element near the end of the file.
- Delete that whole section, from the opening <microsoft.identityModel> tag through the closing </microsoft.identityModel> tag. It holds the sample's own federation settings; the settings for our AD FS server replace it in Part 6.
- Use Ctrl + S to save these changes.
- Use Alt + F4 to close Notepad.
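The copy and the Web.config edit from Step 14, done with PowerShell as an added example rather than with Notepad (this is not code from the article). It assumes the SDK sample path and target folder named above, and it removes the <microsoft.identityModel> element as an XML node instead of by hand, so a stray character cannot break the file; the registration under <configSections> is deliberately kept. The default.aspx.cs edit is left to the manual steps, since the exact lines to comment out depend on the sample's source.

```powershell
# Added example, not part of the original article. Run elevated on WebServer after the SDK is installed.

function New-ClaimAppFromSample {
    param(
        [string]$SamplePath = 'C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp',
        [string]$TargetPath = 'C:\Inetpub\ClaimApp'
    )
    if (-not (Test-Path -Path $SamplePath)) { throw "SDK sample not found at $SamplePath" }
    Copy-Item -Path $SamplePath -Destination $TargetPath -Recurse -Force

    $configPath = Join-Path -Path $TargetPath -ChildPath 'Web.config'
    Copy-Item -Path $configPath -Destination "$configPath.bak" -Force   # keep the original to diff later
    [xml]$cfg = Get-Content -Path $configPath -Raw

    # The element to drop: the sample's own federation settings (element names are case sensitive in XML).
    $wifSection = $cfg.configuration.SelectSingleNode('microsoft.identityModel')
    if ($wifSection) {
        [void]$cfg.configuration.RemoveChild($wifSection)
        $cfg.Save($configPath)
    } else {
        Write-Warning 'No <microsoft.identityModel> element found; Web.config left unchanged'
    }

    # The <configSections> registration must survive: the section Part 6 adds is parsed through it.
    $registration = @($cfg.configuration.configSections.section) |
        Where-Object { $_.name -eq 'microsoft.identityModel' }
    if (-not $registration) { Write-Warning 'configSections has no microsoft.identityModel registration' }

    return $configPath
}

# Usage:
#   New-ClaimAppFromSample
#   Compare-Object (Get-Content 'C:\Inetpub\ClaimApp\Web.config.bak') (Get-Content 'C:\Inetpub\ClaimApp\Web.config')
```

Saving through XmlDocument normalizes whitespace, so the Compare-Object diff will show the removed element plus some reindented lines; the backup is there so that is easy to confirm before moving on to Part 6.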
We’ve created a claims-aware application from the WIF SDK examples and tailored it to our needs. Now, all that is left is to create the trusts and supply the right settings in Internet Information Services (IIS) Manager and between the webserver and the AD FS server. We’ll cover that in Part 6.