John Craddock Infrastructure and Security Architect XTSeminars Ltd

Presentation Transcript


  1. Federation and Federated Identity: Part 2. Building Federated Identity Solutions with Forefront Unified Access Gateway (UAG) and ADFS v2. John Craddock, Infrastructure and Security Architect, XTSeminars Ltd

  2. Agenda
  • Federation overview
  • What is Forefront Unified Access Gateway (UAG)
  • UAG trunks
  • Configuring a trunk for ADFS v2.0
  • Adding a claims-enabled application to the trunk
  • Using claims authentication with a Kerberos application through Kerberos Constrained Delegation (KCD)

  3. Working with Partners
  Components: Active Directory, your ADFS STS, the partner's ADFS STS & IP, your claims-aware app and the partner user. The app trusts your STS; your STS trusts your partner's STS.
  • The partner user browses to the app; the user is not authenticated, so the app redirects to your STS
  • Your STS performs home realm discovery and redirects the user to the partner STS, requesting a security token (ST) for the partner user
  • The partner user authenticates to the partner STS, which returns an ST for consumption by your STS
  • The user is redirected back to your STS, which processes the partner token and returns a new ST
  • The user sends the new token to the app, which returns cookies and the page

  4. Establishing Trust

  5. ADFS Availability
  • The ADFS server (the STS) is a key component and requires high availability
  • Must scale to the authentication demands of your organisation and your partner organisation(s)
  • Functionality is required from the Internet for remote workers

  6. Deployment Options
  • Intranet: AD FS 2.0 farm, Active Directory, configuration SQL cluster
  • Perimeter network: ADFS proxy farm
  • Firewall & load balancer between the Internet and the perimeter network, and again between the perimeter network and the intranet

  7. Adding Forefront Unified Access Gateway
  • UAG publishes the ADFS v2.0 server
  • UAG publishes the applications: the claims-aware application and the Kerberos application
  • UAG and ADFS are both backed by Active Directory

  8. Forefront Unified Access Gateway
  • Application publishing: a single entry-point for all remote access
  • Service Pack 1 adds support for ADFS v2.0
  • Optimizer modules for Exchange, SharePoint and CRM
  • Layer 3 VPN
  • HTTP/HTTPS reverse proxy for Web farms
  • Third-party support
  • DirectAccess
  • RemoteApps via the integrated Remote Desktop Services Gateway
  • Multiple authentication options

  9. UAG Architecture (layers, bottom up)
  • Windows Server 2008 R2: IIS, RRAS, Windows Network Load Balancing, native IPv6, Teredo, 6to4, IP-HTTPS, ISATAP, DNS64, NAT64, SSTP
  • Forefront components: Threat Management Gateway (TMG), UAG filter
  • UAG services: DirectAccess, IP VPN (Layer 3 and SSL tunnel with dynamic tunnel endpoints), Web application publishing, portal, internal site, RDS Gateway (RDSG), denial-of-service prevention
  • Management: management console, SCOM management pack, tracing and logging, session manager, configuration and array manager, user manager

  10. UAG Trunks
  • A trunk has an external IP and URL (HTTP or HTTPS) and a trunk portal
  • The trunk authenticates the user against its configured authentication servers
  • Endpoint detection and clean-up components are downloaded to the client, and the endpoint access settings are evaluated
  • Applications are added to the trunk

  11. Creating a Trunk for ADFS v2.0
  • Requires UAG SP1
  • Define the ADFS STS/IP as a UAG authentication server; this requires the federation metadata from the ADFS IP
  • Define the claim that will be used as the lead value
  • Create an HTTPS trunk and select the ADFS authentication server defined previously
  • Don't forget to run Activate Configuration
  • If things don't work as expected, an iisreset on the UAG server may solve it

  12. Configuring the ADFS Server
  • On the ADFS server define UAG as a relying party; this requires the UAG federation metadata
  • The UAG metadata is only available via an external URL or as XML stored in Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\fed\FederationMetadata\2007-06
  • On the ADFS server define the appropriate claims to pass in the token (issuance transform rules)
  • On your client computer connect to the ADFS trunk; you should be logged on via ADFS and see an empty portal
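The ADFS side of slides 11 and 12 can be scripted instead of clicked through. The block below is an added example, not the speaker's code or anything shipped with UAG or ADFS: it registers the UAG trunk as a relying party from the UAG metadata file and sets the issuance rules. The metadata path, the relying party name, the choice of UPN as the lead-value claim and the file name FederationMetadata.xml under the folder named on the slide are all assumptions for illustration; it is meant to run in the AD FS 2.0 Management Shell on the ADFS server.

```powershell
# Added example (not from the slides): register the UAG trunk as an ADFS 2.0 relying
# party and set its issuance rules. Path, names and claim types are assumptions.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# UAG federation metadata, copied from the UAG server folder named on the slide
# (the file name FederationMetadata.xml is an assumption).
$MetadataFile = 'C:\UAG\FederationMetadata.xml'
$RpName       = 'UAG ADFS Trunk'      # display name in the ADFS console (assumed)

# Create the relying party trust from metadata: identifier, endpoints and the
# UAG certificates are all read from the file.
Add-ADFSRelyingPartyTrust -Name $RpName -MetadataFile $MetadataFile

# Issuance transform rules: pull UPN and mail from AD for the authenticated user.
# Whichever claim the UAG trunk was configured to use as its lead value must be
# among those issued (here UPN, an assumption).
$TransformRules = @'
@RuleName = "Pass UPN and mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Without an issuance authorization rule ADFS 2.0 issues no token to this RP at all,
# which shows up as a sign-in that loops or fails rather than an empty portal.
$AuthzRules = @'
@RuleName = "Permit all authenticated users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $RpName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check what was imported and applied before testing from the client.
Get-ADFSRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Tighten the authorization rule once the trunk works; permit-all is the minimum needed to get the empty portal the slide describes, not a recommendation for production.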

  13. Setting up the portal

  14. Man in the Middle
  • UAG terminates HTTPS from the client and then opens its own connection to the ADFS server, so UAG is acting as the man in the middle between the client and the ADFS server
  • Depending on the client and server versions, the Channel Binding Token (CBT) will be enforced: the ADFS server refuses credentials that arrive over a different SSL channel from the one the client bound them to, and authentication fails
  • Disable CBT on the ADFS server, through the Configuration Editor for Default Web Site\adfs\ls or via a script
  • This removes the protection CBT gives the adfs/ls endpoint against any other man in the middle, so restrict access to the ADFS servers to the UAG array
  • See TechNet "Forefront UAG and AD FS 2.0 supported scenarios and prerequisites"
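The "via a script" option on the slide, as an added example that is not the speaker's or Microsoft's script: it reads the Extended Protection setting on the ADFS sign-in endpoint, sets it to None and reads it back, using the IIS WebAdministration module on the ADFS server. The site path is the one named on the slide; the function names and the assumption that the WebAdministration module can address the child element by filter are this example's own.

```powershell
# Added example (not from the slides): inspect, change and re-check the Extended
# Protection (channel binding token) setting on the ADFS 2.0 sign-in endpoint.
# Run on the ADFS server; site path from the slide, function names assumed.
Import-Module WebAdministration

$AdfsLs  = 'IIS:\Sites\Default Web Site\adfs\ls'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AdfsTokenChecking {
    # tokenChecking lives on the <extendedProtection> child element of
    # <windowsAuthentication>. Possible values: None (no CBT check),
    # Allow (check when the client supplies one), Require.
    $wa = Get-WebConfiguration -Filter $WinAuth -PSPath $AdfsLs
    [string]$wa.extendedProtection.tokenChecking
}

function Disable-AdfsTokenChecking {
    # UAG terminates the client's TLS session and opens its own to ADFS, so the
    # CBT the browser binds its credentials to never matches the UAG-to-ADFS
    # channel. 'None' stops ADFS from comparing them.
    Set-WebConfigurationProperty -Filter "$WinAuth/extendedProtection" `
        -Name tokenChecking -Value 'None' -PSPath $AdfsLs
    Get-AdfsTokenChecking
}

"Before: tokenChecking = $(Get-AdfsTokenChecking)"
"After:  tokenChecking = $(Disable-AdfsTokenChecking)"

# Equivalent without the module (same setting, committed to applicationHost.config):
#   appcmd.exe set config "Default Web Site/adfs/ls" `
#     -section:system.webServer/security/authentication/windowsAuthentication `
#     /extendedProtection.tokenChecking:"None" /commit:apphost
```

The second line printed should read None; if it still shows Allow or Require the change landed at a different configuration level than the one the adfs/ls application actually reads, and the Configuration Editor on that path is the quickest place to see why.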

  15. Adding Claims-Aware Applications
  • Select the application
  • Define name and type
  • Define endpoint policies
  • Specify the application's internal address
  • Specify how SSO credentials are passed to the published app
  • Define how the application is shown in the trunk portal
  • Activate the configuration

  16. Adding a claims application

  17. Non-Claims-Aware Applications
  • Non-claims-aware applications can be supported via Kerberos Constrained Delegation
  • Authentication to the internal application is via Kerberos
  • Shadow accounts are required for external users
  Flow: the user authenticates to UAG with the SAML security token issued by ADFS; UAG asks the domain controller running the KDC for a Kerberos ticket to APP1 on behalf of the user; UAG authenticates to APP1 using that Kerberos ticket; APP1 performs authentication and authorization from the Kerberos ticket.

  18. Kerberos Constrained Delegation (KCD)
  Tom authenticates to the UAG server with claims. The UAG server, holding its own TGT, asks the KDC for a Kerberos service ticket (K-ST) carrying the user's identity: it uses the Kerberos extension Service-for-User-to-Self (S4U2Self) to obtain a ticket to itself in the user's name, then a service ticket for the data server (the constrained-delegation step, S4U2Proxy), and uses that K-ST to impersonate the user to the data server.

  19. AD UAG Server Object
  • Automatically configured via UAG
  • You must supply the Service Principal Name (SPN)
  • The backend application must use Kerberos authentication

  20. Adding a Kerberos Application
  • As before: select the application, define name and type, define endpoint policies, specify the application's internal address
  • DON'T specify how SSO credentials are passed to the published app
  • Define how the application is shown in the trunk portal
  • Select the application and change the authentication to KCD
  • Specify the SPN and the shadow account identifier
  • Activate the configuration
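Slides 17 to 20 say UAG writes the delegation settings to its own computer object once you supply the SPN. The block below is an added example, not the speaker's code or part of UAG: it checks from a domain-joined machine with the ActiveDirectory module whether those settings are in place before the published application is tested. The computer name UAG01, the SPN HTTP/app1.corp.example.com, the use of UPN as the shadow-account identifier and the partner UPN are all assumptions.

```powershell
# Added example (not from the slides): verify the KCD with protocol transition
# that UAG configured on its computer object. Names and SPN are assumptions.
Import-Module ActiveDirectory

$UagComputer = 'UAG01'                          # assumed UAG server name
$AppSpn      = 'HTTP/app1.corp.example.com'     # SPN typed into the UAG application (assumed)

$uag = Get-ADComputer $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

# 1. Protocol transition: UAG never sees a Kerberos credential for the external user,
#    only the SAML token, so it must be allowed to use S4U2Self ("any protocol").
if (-not $uag.TrustedToAuthForDelegation) {
    Write-Warning "$UagComputer is not trusted to authenticate for delegation (protocol transition off)"
}

# 2. Constrained: the delegation target must be listed explicitly on the UAG object.
if ($uag.'msDS-AllowedToDelegateTo' -notcontains $AppSpn) {
    Write-Warning "$AppSpn is not in msDS-AllowedToDelegateTo on $UagComputer"
}

# 3. The SPN must exist exactly once, on the account the backend application runs as.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)")
switch ($owners.Count) {
    0       { Write-Warning "$AppSpn is registered on no account; Kerberos to the app cannot work" }
    1       { "OK: $AppSpn is owned by $($owners[0].DistinguishedName)" }
    default { Write-Warning "$AppSpn is registered on $($owners.Count) accounts (duplicate SPN)" }
}

# 4. A shadow account must carry the value UAG maps from the lead claim
#    (here the partner user's UPN, an assumption) or S4U2Self has nobody to impersonate.
$shadowUpn = 'tom@partner.example.com'
$shadow = Get-ADUser -Filter "userPrincipalName -eq '$shadowUpn'"
if (-not $shadow)            { Write-Warning "no shadow account with UPN $shadowUpn" }
elseif (-not $shadow.Enabled) { Write-Warning "shadow account $($shadow.SamAccountName) is disabled" }
else                         { "OK: shadow account $($shadow.SamAccountName) found for $shadowUpn" }
```

Checks 1 and 2 are what UAG is supposed to set for you; if either warns after Activate Configuration, the UAG server's computer object may lack write access to itself or the SPN was entered differently from how it is registered in AD.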

  21. Adding a Kerberos Application

  22. Get Your Certificates Right
  • The UAG server will require an HTTPS certificate for the UAG portal and for the ADFS server, for example adfsportal.example.com and adfs.example.com; a wildcard certificate *.example.com can be used
  • Make sure that the UAG server has the root certificate for the ADFS token-signing certificate
  • Make sure that the client has the root certificate for the UAG server certificates
  • Make sure all CRL distribution points can be resolved: the client will check the certificates and CRLs for the UAG client components
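The client-side bullets of the slide above, as an added example (not the speaker's code): from a client, it completes a TLS handshake with the UAG portal and the published ADFS host, builds each server certificate's chain with online revocation checking, and reports whether the name matches, whether the root is trusted and which CRL distribution points the client would have to reach. The host names are the slide's examples; the function and its simple name matcher are this example's own.

```powershell
# Added example (not from the slides): check the published hosts' certificates,
# chains and CRL reachability from the client side. Host names from the slide.
function Test-PublishedHostCertificate {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the handshake regardless; the verdict is produced explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Build the chain the way the UAG client components will: fetch CRLs online
    # for every certificate in the chain, not just the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($cert)

    # Name check: the exact host or the *.example.com wildcard must appear in the
    # subject CN or in the subjectAltName extension (OID 2.5.29.17).
    $wild = '*.' + ($HostName -replace '^[^.]+\.', '')
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $nameOk = ($cert.Subject -match "CN=$([regex]::Escape($HostName))") -or
              ($cert.Subject -match "CN=$([regex]::Escape($wild))") -or
              ("$san" -match [regex]::Escape($HostName)) -or
              ("$san" -match [regex]::Escape($wild))

    # CRL distribution points (OID 2.5.29.31): each must resolve and be reachable.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

    New-Object PSObject -Property @{
        Host        = $HostName
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        NameMatches = $nameOk
        ChainValid  = $valid
        # UntrustedRoot: client lacks the root certificate;
        # RevocationStatusUnknown / OfflineRevocation: a CRL could not be fetched.
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        CrlDistPts  = $(if ($cdp) { $cdp.Format($true) } else { '(none in certificate)' })
    }
}

'adfsportal.example.com', 'adfs.example.com' |
    ForEach-Object { Test-PublishedHostCertificate $_ } | Format-List
```

Run it from the same client and network position as the users, since a CRL that the UAG server can fetch from the intranet may not be reachable from the Internet side, which is exactly the case the virtual ISP on the next slide is there to exercise.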

  23. Virtual Test Environment
  • A virtual ISP provides the services for the virtual Internet: DNS, DHCP and a CRL distribution point
  • The ISP routes Internet requests to and from the corporate NAT
  • This allows the client to check CRLs for the UAG client components
  • Virtual CorpNet: corporate DNS with a DNS forwarder to the ISP, NAT, and UAG between the virtual Internet and the virtual CorpNet

  24. What Next?
  • Build a test lab
  • Get ADFS working first with a claims-aware application: try the Microsoft ADFS step-by-step guides and read the ADFS design and deployment guides
  • Read the UAG guides for ADFS v2.0
  • Deploy UAG into your test environment, then publish ADFS v2.0 and your application
  • Make sure all certificates and CRLs are available

  25. More on ADFS and Federation
  • XTSeminars one-day event: Federation and Federated Identity (available June 2011)
  • info@xtseminars.co.uk for more information
  • Get your local Microsoft subsidiary to run the event!

  26. Consulting Services on Request: Johncra@xtseminars.co.uk. John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. A key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

  27. Stay up to date with TechNet Belux
  Register for our newsletters and stay up to date: http://www.technet-newsletters.be
  • Technical updates
  • Event announcements and registration
  • Top downloads
  Join us on Facebook: http://www.facebook.com/technetbe and http://www.facebook.com/technetbelux
  LinkedIn: http://linkd.in/technetbelux/
  Twitter: @technetbelux
  Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget

  28. TechDays 2011 On-Demand
  • Watch this session on-demand via TechNet Edge: http://technet.microsoft.com/fr-be/edge/ or http://technet.microsoft.com/nl-be/edge/
  • Download to your favorite MP3 or video player
  • Get access to slides and recommended resources by the speakers

  29. THANK YOU
