While recently learning some of the features of Windows Server R2, I came across something very interesting that can be used together with our Exchange deployment, so I am sharing it here as the Exchange and ADFS single sign-on series, which I hope will be useful to all of you :)
What I want to share today is ADFS in Windows Server R2. Honestly, I had not worked with or learned much about ADFS before R2, but after getting to know it I found that ADFS makes a great deal of sense from the R2 release onward.
ADFS stands for Active Directory Federation Services. ADFS lets you extend Web service authentication across forests and enable single sign-on (SSO) for Web applications such as our Exchange, so that users authenticate at a single point.
In R2 it becomes easier to offer multiple authentication methods through ADFS on a unified Web logon page and then access and use multiple resources on the intranet, and many of Microsoft's own products, such as Exchange, Lync and SharePoint, are already more tightly integrated with ADFS.
This article covers the basics of ADFS. First we set up a virtual machine, which can be called ADFS or STS; since my virtual machine is named ADFS (I originally wanted to build an ADFS cluster), I created a separate STS host record in DNS to make it easier to identify.
We then prepare the certificate the ADFS server needs in advance:
Request a new certificate from the Certificates snap-in for the local computer, under Personal.
During the request we select the Active Directory Enrollment Policy to request a certificate directly from our internal CA (the CA deployment is not repeated here; refer to the previous article). Where the wizard says "More information is required to enroll for this certificate. Click here to configure settings.", click that link.
Configure the details in the certificate properties: set the subject name to sts.contoso.com (it does not have to match the server name, but using the STS name is recommended), and add sts.contoso.com and enterpriseregistration.contoso.com as subject alternative names.
Then set the friendly name of the certificate on the General tab.
When the settings are complete, click OK, make sure the check box in front of our certificate is selected, and click Enroll.
After a moment, when the certificate status shows Succeeded, click Finish.
Next we create an ADFS administrator account. This is not required: in a test environment the default Administrator account can also be used, but a dedicated ADFS administrator account is recommended in a production environment.
First we open PowerShell as an administrator and execute:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Then we can create the ADFS group managed service account (gMSA) by executing the following command:
New-ADServiceAccount gmsa -DNSHostName sts.reindemo.com -ServicePrincipalNames http/sts.reindemo.com
Then we set the SPN for the ADFS group managed service account on the ADFS server with the following command:
The prerequisites for ADFS are now ready. The content is simple, but it is something we have to do before deploying ADFS.
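The steps above (DNS host record, certificate with subject alternative names, KDS root key, gMSA, SPN) can be carried out and checked from one script. The following is an added example written for this page, not code from the original post or from Microsoft; it targets the Windows Server 2012 R2 release the post refers to. Every name in it is an assumption for a lab: the post's certificate uses contoso.com and its gMSA uses reindemo.com, so the script uses a single domain variable (reindemo.com), a federation service name sts.reindemo.com, a gMSA called gmsa and an ADFS server whose computer account is ADFS. It also adds the two checks a practitioner wants before running the ADFS wizard: that the HTTP/ SPN is registered exactly once, and that only the ADFS server may retrieve the gMSA password.

```powershell
# Added example, not code from the original post. Creates and verifies the ADFS
# prerequisites on Windows Server 2012 R2. All names are lab assumptions:
# domain reindemo.com, federation service sts.reindemo.com, gMSA "gmsa",
# ADFS server computer account "ADFS". Run in an elevated PowerShell on the
# ADFS server with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$Domain                = 'reindemo.com'                    # assumption
$FederationServiceName = "sts.$Domain"                     # assumption
$DeviceRegName         = "enterpriseregistration.$Domain"  # Workplace Join name
$GmsaName              = 'gmsa'                            # assumption
$AdfsServer            = 'ADFS'                            # assumption

# 1. DNS: the STS name must resolve before the ADFS configuration wizard runs.
$a = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue
if (-not $a) { throw "No A record for $FederationServiceName" }
Write-Output "DNS OK: $FederationServiceName -> $($a.IPAddress -join ', ')"

# 2. Certificate: subject = federation service name, private key present, and a
#    SAN (OID 2.5.29.17) that carries both the STS name and the device
#    registration name, as configured in the enrollment wizard above.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$FederationServiceName and a private key" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in @($FederationServiceName, $DeviceRegName)) {
    if ($san -notmatch [regex]::Escape($name)) { throw "SAN is missing $name" }
}
Write-Output "Certificate OK: thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 3. KDS root key: required before any gMSA password can be generated. The
#    -10 hour EffectiveTime used in the post skips the replication wait and is
#    only appropriate on a single-DC lab; in production use -EffectiveImmediately
#    and wait 10 hours so every DC has the key before the gMSA is created.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    Write-Output 'KDS root key created (lab setting)'
}

# 4. gMSA: restrict password retrieval to the ADFS server's computer account so
#    that no other host can obtain the federation service's credential.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $FederationServiceName `
        -ServicePrincipalNames "HTTP/$FederationServiceName" `
        -PrincipalsAllowedToRetrieveManagedPassword "$AdfsServer$"
    Write-Output "gMSA $GmsaName created"
}

# 5. SPN: Kerberos to the farm fails if HTTP/<sts> is missing and also if it is
#    duplicated on a second account. setspn -Q queries; -S adds only after
#    checking that no duplicate exists.
$spn   = "HTTP/$FederationServiceName"
$query = setspn.exe -Q $spn
if ($query -match 'No such SPN found') {
    setspn.exe -S $spn "$GmsaName$"
} else {
    Write-Output "SPN $spn already registered on:"
    Write-Output ($query | Where-Object { $_ -match '^CN=' })
}

# 6. On the ADFS server itself, confirm the host is allowed to use the gMSA.
Install-ADServiceAccount -Identity $GmsaName
if (Test-ADServiceAccount -Identity $GmsaName) {
    Write-Output "gMSA $GmsaName usable on $env:COMPUTERNAME"
} else {
    throw "$env:COMPUTERNAME cannot retrieve the password of $GmsaName"
}
```

Because New-ADServiceAccount is given -ServicePrincipalNames, step 5 normally only reports the existing registration; it catches the case where the SPN was registered earlier on a different account, which would otherwise surface later as Kerberos failures or silent NTLM fallback. Test-ADServiceAccount returning False on the ADFS server almost always means the computer account is not in PrincipalsAllowedToRetrieveManagedPassword or the KDS root key is not yet effective on the DC the server talked to.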
This article is from the "Reinember" blog; please keep this source when reproducing it: http://reinember.blog.51cto.com/2919431/1618946
Exchange and ADFS Single Sign-on Part 1: Prerequisite Preparation