Leverage the Mobile Device Extension for AD RMS



Configuring the root Enterprise CA


To configure the root Enterprise CA, proceed with the following steps:

  1. Opening a remote desktop connection on the target computer.

  2. Configuring an appropriate certificate template for SSL certificate (optional).

Opening a remote desktop connection on the target computer


To open a remote desktop connection on the ADFS1 computer, proceed as illustrated before for the DC1 computer, but targeting the ADFS1 computer instead. As previously illustrated, log on as LITWARE369\AzureAdmin with “pass@word1” as the password, since ADFS1 is a domain-joined computer.


Configuring an appropriate certificate template for SSL certificate (optional)


Services on the ADFS1, ADRMS1, and EDGE1 computers will require Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protection and corresponding server certificates.

The Web Server certificate template is the one usually used to request such an SSL certificate for a domain-joined computer. Its default settings are appropriate when the certificate is installed only on the server that requests it, because they mark the private key as non-exportable: the key cannot leave that machine, which is what you want in production. For a test lab environment, however, it is convenient to be able to export both the certificate and its private key, and the default settings do not allow the private key to be exported.

Consequently, we will configure a new certificate template by duplicating the Web Server template, so that it keeps the characteristics of the original but allows the private key to be exported. Keep in mind that an exportable TLS private key can be copied by anyone who obtains administrative access to the server, so this setting is for the lab only.

To configure a certificate template for SSL certificates, proceed with the following steps:

  1. Open a remote desktop session as per the previous section.

  2. From Server Manager, click Tools and then Certification Authority. The Certification Authority console appears.

  3. Expand the certification authority litware369-ADFS1-CA so that you can see Certificate Templates. The name of the certification authority may differ if you have chosen another NetBIOS domain name or another name for the ADFS1 computer.

  4. Right-click Certificate Templates and then click Manage. The Certificate Templates console appears.

  5. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. A Properties of New Template dialog appears.

  6. Select the Request Handling tab.

  7. Select Allow private key to be exported. This is the one setting that differs from the original Web Server template and the reason for duplicating it; leave it cleared on any template you intend to use outside the lab.

  8. Select the Security tab.

  9. We must ensure that the domain computer accounts have the ability to enroll for the template. To do so, click Add. A Select Users, Computers, Service Accounts, or Groups dialog appears.

    1. In Select Users, Computers, Service Accounts, or Groups, type “Domain Computers”. Click Check Names, and then click OK.

    2. Ensure that the group is selected and then select the Allow checkbox that corresponds to the Enroll permission.

  10. Select the General tab.

  11. Under Template display name, type a name that you want to use for the template, for example “SSL Certificates” in our configuration. The Template name is derived from it by removing the spaces (SSLCertificates); this is the name you will pass to Get-Certificate -Template later.

  12. Click OK.

  13. Close the Certificate Templates console and return to the Certification Authority console.

  14. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. An Enable Certificate Templates dialog appears.

  15. In the Enable Certificate Templates dialog, select the new certificate template that you just configured (SSL Certificates) and then click OK.
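Once the template is issued, it is worth reading it back from Active Directory rather than trusting the console. The following PowerShell is an added verification check and is not part of the original guide: it confirms that the duplicated template allows key export, does not require CA manager approval (which would leave Get-Certificate stuck in Pending), grants Enroll to Domain Computers, and is published on the CA. It assumes the lab values used above (template name SSLCertificates, group Domain Computers) and that it runs on the CA itself (ADFS1), so certutil needs no -config argument.

```powershell
# Added verification script, not from the original guide. Reads the duplicated
# template back from the Configuration partition and checks the settings the
# lab depends on. Assumed lab names: template SSLCertificates, group Domain Computers.
$templateName = 'SSLCertificates'   # template (common) name, not the display name

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn       = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tmpl     = [ADSI]"LDAP://$dn"
try { $tmpl.RefreshCache() } catch { throw "Template '$templateName' not found at $dn : $($_.Exception.Message)" }

# msPKI-Private-Key-Flag bit 0x10 = CT_FLAG_EXPORTABLE_KEY ("Allow private key to be exported")
$privateKeyFlags = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value
$exportable      = ($privateKeyFlags -band 0x10) -ne 0

# msPKI-Enrollment-Flag bit 0x2 = CT_FLAG_PEND_ALL_REQUESTS ("CA certificate manager approval").
# If set, Get-Certificate returns Pending instead of Issued.
$enrollmentFlags = [int]$tmpl.Properties['msPKI-Enrollment-Flag'].Value
$needsApproval   = ($enrollmentFlags -band 0x2) -ne 0

# Enroll is the extended right 0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object.
$enrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$domainComputersEnroll = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like '*\Domain Computers' -and
    (([int]$_.ActiveDirectoryRights) -band $extendedRight) -ne 0 -and
    ($_.ObjectType -eq $enrollRightGuid -or $_.ObjectType -eq [guid]::Empty)   # Empty GUID = all extended rights
}).Count -gt 0

# "Certificate Template to Issue" adds the template to the CA's list;
# certutil -CATemplates prints one "Name: Display Name -- ..." line per issued template.
$publishedOnCa = @((certutil -CATemplates 2>$null) -match ('^' + [regex]::Escape($templateName) + ':')).Count -gt 0

$result = [pscustomobject]@{
    Template                 = $templateName
    PrivateKeyExportable     = $exportable        # expected True for this lab-only template
    RequiresManagerApproval  = $needsApproval     # expected False
    DomainComputersCanEnroll = $domainComputersEnroll
    PublishedOnCA            = $publishedOnCa
}
$result

if (-not ($result.PrivateKeyExportable -and -not $result.RequiresManagerApproval -and
          $result.DomainComputersCanEnroll -and $result.PublishedOnCA)) {
    Write-Warning "Template '$templateName' is not ready for the Get-Certificate step below."
}
```

The flag bits and the Enroll right GUID are the ones defined for certificate templates in Active Directory; the access-rule filter accepts an ACE whose ObjectType is the empty GUID because such an ACE grants every extended right, including Enroll.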


Deploying the federation server


This section walks you through the deployment of the federation server on the ADFS1 computer with the following steps:

  1. Issuing an SSL/TLS certificate.

  2. Installing and configuring the AD FS role service.

Note For more information, see the Microsoft TechNet article Windows Server 2012 R2 AD FS Deployment Guide [67].
Important note You must have domain administrator permissions to deploy the AD FS role.

Issuing an SSL/TLS certificate


The AD FS role service requires an SSL/TLS server certificate. The certificate should have the following attributes:

  • Subject Name (CN): adfs.litware369.com

  • Subject Alternative Name (DNS): adfs.litware369.com

Both names must match the federation service name that you will pass to Install-AdfsFarm later in this section (adfs.litware369.com), because clients validate the certificate against the host name they connect to.

Note For more information about setting up SSL/TLS certificates, see the Microsoft TechNet Wiki article Configure SSL/TLS on a Web site in the domain with an Enterprise CA [68].

To issue the SSL certificate, proceed with the following steps:

  1. Open a remote desktop session if needed as LITWARE369\AzureAdmin.

  2. Open an elevated Windows PowerShell command prompt, and run the following command:

PS C:\users\AzureAdmin.LITWARE369> Get-Certificate -Template SSLCertificates -SubjectName CN=adfs.litware369.com -DnsName adfs.litware369.com -CertStoreLocation cert:\LocalMachine\My

Status Certificate Request
------ ----------- -------
Issued [Subject]…
PS C:\users\AzureAdmin.LITWARE369>

Note The -Template parameter takes the template name (SSLCertificates), not the display name (SSL Certificates) you typed in the Certificate Templates console. If you have not configured a new certificate template, you can use the WebServer certificate template in lieu of it in the above command.
Note For more information, see the Microsoft TechNet article AD CS Administration Cmdlets in Windows PowerShell [69].


  3. The SSL certificate should now be imported into the Local Computer\My store on the ADFS1 computer. Verify that it has been imported by running the following command:

PS C:\users\AzureAdmin.LITWARE369> dir Cert:\LocalMachine\My

Thumbprint                                Subject
----------                                -------
F1DF749C3D84DFF8BE9DED211145C53F2F06D83D  CN=mfalabsvc.cloudapp.net
DD6F97EAF0CE4FDB039036199136752F62C8E027  CN=litware369-ADFS1-CA, DC=litware369, DC=com
59D4CFDD539CB616B5608A555E115824BAF14E77  CN=WMSvc-ADFS1
044F380EE49583536012D77D940ACEBBCAC05B86  CN=adfs.litware369.com

PS C:\users\AzureAdmin.LITWARE369>


The certificates are listed by their thumbprint in the Local Computer\My store. We will later need the thumbprint of the newly issued certificate, i.e. the one whose CN equals adfs.litware369.com, for example in our configuration: 044F380EE49583536012D77D940ACEBBCAC05B86.
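Listing the store shows the thumbprint, but not whether the certificate will actually work once AD FS binds to it. The following PowerShell is an added check and is not part of the original guide: it selects the certificate by its exact DNS name (so that, unlike a wildcard such as "*adfs*", it cannot also match the CA certificate CN=litware369-ADFS1-CA visible in the listing above), then verifies the subject, the subjectAltName, the Server Authentication EKU, the presence of the private key, the chain to a trusted root and the remaining validity before handing back the thumbprint. It assumes the lab name adfs.litware369.com and an English-language Windows, whose SAN text reads "DNS Name=...".

```powershell
# Added check, not from the original guide: pick the AD FS SSL certificate by its
# exact DNS name and verify it is fit for Install-AdfsFarm. Assumed lab values:
# host name adfs.litware369.com, store LocalMachine\My, English SAN formatting.
$fqdn          = 'adfs.litware369.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# -DnsName matches the SAN DNS names (or the CN when there is no SAN). The exact
# name avoids catching the CA's own certificate, which "*adfs*" would also match.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My -DnsName $fqdn)
if ($candidates.Count -eq 0) { throw "No certificate for $fqdn in LocalMachine\My" }

function Test-AdfsSslCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)

    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($san) { $san.Format($false) } else { '' }                    # e.g. "DNS Name=adfs.litware369.com"

    $eku           = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    # Chain to the machine's trusted roots. Revocation is skipped because a freshly
    # built lab CA rarely has a reachable CRL yet; leave it enabled in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint      = $Cert.Thumbprint
        Subject         = $Cert.Subject
        Issuer          = $Cert.Issuer
        SubjectMatches  = $Cert.Subject -eq "CN=$HostName"
        SanMatches      = $sanText -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)')
        ServerAuthEku   = $hasServerAuth
        HasPrivateKey   = $Cert.HasPrivateKey
        ChainBuilds     = $chainOk
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        DaysUntilExpiry = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    }
}

$report = $candidates | ForEach-Object { Test-AdfsSslCertificate -Cert $_ -HostName $fqdn }
$report | Format-List

$usable = @($report | Where-Object {
    $_.SubjectMatches -and $_.SanMatches -and $_.ServerAuthEku -and
    $_.HasPrivateKey -and $_.ChainBuilds -and $_.DaysUntilExpiry -gt 30
})
if ($usable.Count -ne 1) { throw "Expected exactly one usable certificate for $fqdn, found $($usable.Count)" }

# This is the value to pass to Install-AdfsFarm -CertificateThumbprint.
$certificateThumbprint = $usable[0].Thumbprint
"Use thumbprint: $certificateThumbprint"
```

If ChainBuilds is False, ChainStatus tells you why (for example UntrustedRoot when the enterprise CA certificate has not yet reached the server's Trusted Root store); fix that before installing AD FS, because every client will hit the same error.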


Installing and configuring the AD FS role service


To install and configure the AD FS role service, proceed with the following steps:

  1. Open an elevated Windows PowerShell command prompt if none is open, and run the following command:

PS C:\users\AzureAdmin.litware369> Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Active Directory Federation Services}
WARNING: To finish configuring this server for the federation server role using Windows PowerShell, see
http://go.microsoft.com/fwlink/?LinkId=224868.
PS C:\Users\AzureAdmin.LITWARE369>


  2. Run the following commands to create the first federation server of a new farm, using the Windows Internal Database (WID) as the configuration database and the required gMSA account as the service account:

PS C:\users\AzureAdmin.litware369> Import-Module ADFS

PS C:\users\AzureAdmin.litware369> $certificateThumbprint = (Get-ChildItem cert:\LocalMachine\My -DnsName "adfs.litware369.com" | Select-Object -First 1).Thumbprint

PS C:\users\AzureAdmin.litware369> Install-AdfsFarm -CertificateThumbprint $certificateThumbprint -FederationServiceDisplayName "Litware369" -FederationServiceName "adfs.litware369.com" -GroupServiceAccountIdentifier "LITWARE369\FsGmsa$"

Message                                  Context              Status
-------                                  -------              ------
The configuration completed successf...  DeploymentSucceeded  Success
PS C:\Users\AzureAdmin.LITWARE369>


Important note The ‘$’ at the end of the gMSA account name is required.

Important note Select the certificate by its exact DNS name, as above. A wildcard such as -DnsName "*adfs*" would also match the CA certificate CN=litware369-ADFS1-CA listed in the previous section, and Select-Object -First 1 would then silently return whichever certificate the store lists first. Alternatively, paste the thumbprint you noted earlier. The -FederationServiceName value must match the certificate's subject and DNS name.

Note If this is NOT the first time you run this command, add the -OverwriteConfiguration switch.
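DeploymentSucceeded only tells you that the configuration was written. The following PowerShell is an added post-deployment check and is not part of the original guide: run on ADFS1 after Install-AdfsFarm, it confirms that the service is running under the gMSA, that the service-communications certificate and the HTTP.SYS binding both point at the certificate issued above, lists the token-signing and token-decrypting certificates with their expiry, checks DNS, and finally fetches the federation metadata over TLS with certificate validation left on. It assumes the lab names adfs.litware369.com and LITWARE369\FsGmsa$.

```powershell
# Added post-deployment check, not from the original guide. Run on ADFS1 after
# Install-AdfsFarm. Assumed lab values: adfs.litware369.com and LITWARE369\FsGmsa$.
Import-Module ADFS
$fqdn        = 'adfs.litware369.com'
$gmsaAccount = 'LITWARE369\FsGmsa$'

# 1. Service state and identity: the service should run under the gMSA, not a user account.
$svc = Get-Service -Name adfssrv
if ($svc.Status -ne 'Running') { throw "adfssrv is $($svc.Status)" }
$startName = (Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'").StartName
if ($startName -ne $gmsaAccount) { Write-Warning "adfssrv runs as '$startName', expected '$gmsaAccount'" }

# 2. The certificate AD FS uses for service communications must be the one issued above.
$expectedThumbprint = (Get-ChildItem Cert:\LocalMachine\My -DnsName $fqdn | Select-Object -First 1).Thumbprint
$svcComm = Get-AdfsCertificate -CertificateType Service-Communications
if ($svcComm.Thumbprint -ne $expectedThumbprint) {
    throw "Service-communications certificate is $($svcComm.Thumbprint), expected $expectedThumbprint"
}

# 3. AD FS on Windows Server 2012 R2 does not use IIS; the SSL binding lives in HTTP.SYS.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fqdn -and $_.PortNumber -eq 443 }
if (-not $binding -or $binding.CertificateHash -ne $expectedThumbprint) {
    throw "No HTTP.SYS binding for ${fqdn}:443 with thumbprint $expectedThumbprint"
}

# 4. Token-signing and token-decrypting certificates are self-signed by default and roll
#    over automatically; record their expiry so relying parties can be updated in time.
Get-AdfsCertificate | Where-Object { $_.CertificateType -ne 'Service-Communications' } |
    Select-Object CertificateType, IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 5. Name resolution must point clients at this server before anything else is tested.
Resolve-DnsName -Name $fqdn -ErrorAction Stop | Select-Object Name, IPAddress | Format-Table -AutoSize

# 6. Fetch the federation metadata over TLS with certificate validation left ON, so a
#    chain or host-name problem shows up here rather than at the first client.
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$response    = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
$metadata    = [xml]$response.Content
$entityId    = $metadata.EntityDescriptor.entityID
$identifier  = "$((Get-AdfsProperties).Identifier)"
"Federation service entityID: $entityId"
"Configured identifier:       $identifier"
if ($entityId -ne $identifier) { Write-Warning 'Metadata entityID differs from the configured Identifier' }
```

Step 6 is the same request a relying party or the Web Application Proxy will make when it is configured against this federation service, so a failure here (for example an untrusted root or a host-name mismatch) reproduces the error they would see.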
