tokens the Web applications need to make authorization decisions. The forest trust enables the
Web agent to authenticate users from the internal network. External users are authenticated
because the Web agent server is a member of the perimeter network forest. The federated Web
SSO with forest trust design is most often used in business-to-employee relationships and allows
both internal and external employees to access ADFS-enabled Web applications.
Preparing to Deploy AD FS
As discussed, four AD FS role services can be installed with the Add Roles feature in Server
Manager. After you have decided on a federation design and know which role services will be
installed on which servers, there are a few other requirements to consider:
• AD FS is supported by Windows Server 2003 R2 Enterprise and Datacenter editions and
Windows Server 2008 Enterprise and Datacenter editions.
• Federation servers, federation server proxies, and Web servers hosting AD FS Web agents
must be configured for Transport Layer Security/Secure Sockets Layer (TLS/SSL), the
protocol HTTPS runs over. Every firewall between clients, proxies, and federation servers
must permit HTTPS (TCP port 443); the security tokens AD FS issues travel in that channel,
so plain HTTP is not an option.
• Web browsers on client computers must have JScript and cookies enabled.
• One or more account stores, such as AD DS or AD LDS, must be running on the network.
Running AD DS on the same server as any AD FS role service isn't recommended, because it
places a copy of the domain database on a host that Web clients, and possibly the Internet,
can reach.
• Certificates are required by federation servers, federation server proxies, and ADFS-enabled
Web servers. They can be requested from a public certification authority (CA) or internally
from an AD CS CA. Self-signed certificates work for testing, but only there: clients and
partner federation servers have no trust anchor for them, so in production they would reject
the connection unless the certificate were distributed to every client by hand.
As you have seen in the figures of AD FS designs, installing and testing AD FS requires a
complex network environment and several computers. Setting up and testing AD FS with the
simplest design, Web SSO, requires at least four computers. Other designs could require up to
eight computers, if proxies are used.
Following is an overview of the steps for implementing a Web SSO design:
1. Install the Federation Service role service on a server in the internal network.
2. Install the Federation Service Proxy role service on a server in the perimeter network (optional).
3. Install the Web Server role service and the AD FS Web Agent role service on your ADFS-
enabled Web server.
4. Install AD DS or AD LDS to maintain the account store (the database containing user
accounts). With Web SSO designs, AD LDS or a similar LDAP-compatible account store is
usually used.
5. Install the claims-aware or Windows NT token-based application on the Web server.
Most of these steps involve several substeps, such as issuing certificates, configuring DNS,
and so forth. The Microsoft TechNet Web site provides a thorough step-by-step procedure for
deploying each AD FS design at http://technet.microsoft.com/en-us/library/cc771833.aspx.
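The requirements listed above (TLS on every AD FS host, firewalls passing HTTPS, and certificates that clients can actually validate) can be checked from a client machine before, and again after, the five deployment steps. The following PowerShell script is an added example written for this page; it is not code from the textbook or from the TechNet procedure. The host names are hypothetical placeholders for a federation server, a federation server proxy, and an AD FS-enabled Web server, and the self-signed test (certificate subject equal to issuer) is a heuristic assumed here rather than an AD FS rule.

```powershell
# Added example (not from the textbook or Microsoft): TLS preflight for AD FS hosts.
# The host names are hypothetical placeholders; replace them with your federation
# server, federation server proxy and AD FS-enabled Web server.
$AdfsHosts = @('fs.corp.example', 'fsproxy.perimeter.example', 'webapp.perimeter.example')

function Test-AdfsTlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $r = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Reachable = $false; Protocol = $null
        Subject = $null; Issuer = $null; NotAfter = $null
        SelfSigned = $null; ChainValid = $null; PolicyErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A firewall that drops HTTPS shows up here as a connect timeout, not as a TLS error.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "TCP connect to ${HostName}:$Port timed out; check DNS and the firewall rule for HTTPS"
        }
        $client.EndConnect($async)
        $r.Reachable = $true

        # Record the platform's verdict on the server certificate (chain, name match,
        # availability) but do not abort the handshake, so the certificate can still be inspected.
        $script:LastPolicyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:LastPolicyErrors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Protocol     = $ssl.SslProtocol
        $r.Subject      = $cert.Subject
        $r.Issuer       = $cert.Issuer
        $r.NotAfter     = $cert.NotAfter
        # Heuristic (assumption): subject equal to issuer marks a self-signed, test-only certificate.
        $r.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        $r.PolicyErrors = $script:LastPolicyErrors
        $r.ChainValid   = ($script:LastPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $ssl.Close()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $r
}

$AdfsHosts | ForEach-Object { Test-AdfsTlsEndpoint -HostName $_ } |
    Format-Table Host, Reachable, Protocol, SelfSigned, ChainValid, NotAfter, Error -AutoSize
```

Read the table column by column: Reachable false with a timeout points at DNS or a firewall that is not passing HTTPS between that network segment and the host; SelfSigned true is acceptable only in a test environment; ChainValid false (with PolicyErrors naming the cause, such as RemoteCertificateChainErrors or RemoteCertificateNameMismatch) means browsers and partner federation servers will refuse the connection, so the certificate must be reissued by a CA the clients trust or with the correct host name; a Protocol value of Ssl3 on an old server is worth fixing before going live.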
Active Directory Rights Management Service
You have learned methods for allowing some users to access information while denying it to
others. Access to digital information stored on computers can be allowed and denied by
controlling who can authenticate to the servers storing the information, by assigning permissions
to files and folders in the form of DACLs, and by using encryption methods, such as EFS. However,
what users can do with data after being granted access to it hasn't been discussed.
Active Directory Rights Management Service (AD RMS) helps administrators get a handle on
this critical step in securing data. Whether protecting trade secrets, customer account
information, or intellectual property, many organizations struggle with this facet of network
security. With AD RMS, an administrator can create usage policies that define how a document
can be used after a user accesses it. Actions such as copying, saving, forwarding, and