Leverage the Mobile Device Extension for ad rms



Preparing the Internet-facing computer


To prepare the Internet facing computer, proceed with the following steps in order:

  1. Opening a remote desktop connection on the target computer.

  2. Allowing the domain users to open a remote session.

  3. Testing the federation server configuration.

  4. Issuing a SSL/TLS certificate.

  5. Configuring HTTPS on the default web site.

  6. Deploying the Web Application Proxy (WAP).

The following subsections describe each of these steps in the context of our test lab environment.

Opening a remote desktop connection on the target computer


To open a remote desktop connection to the EDGE1 computer, proceed as illustrated earlier for the DC1 computer, substituting EDGE1 as the target. As previously illustrated, log on as LITWARE369\AzureAdmin with “pass@word1” as password, since EDGE1 is a domain-joined computer.


Allowing the domain users to open a remote session


We have previously modified group policy settings so that our test user accounts can log on locally on member servers. We now need to apply the modified group policies.

To update the group policies, proceed with the following steps:



  1. Open a remote desktop session as per previous section.

  2. Open an elevated Windows PowerShell command prompt.

  3. Run the following command:

PS C:\users\AzureAdmin.LITWARE369> gpupdate /force

Updating policy...
Computer Policy update has completed successfully.

User Policy update has completed successfully.


PS C:\Users\AzureAdmin.LITWARE369>

In addition, we need to add our test user accounts to the local group Remote Desktop Users so that they can open a remote desktop session on the virtual machine in Azure.

To add the test user accounts to the local group Remote Desktop Users, proceed with the following steps:


  1. Open an elevated Windows PowerShell command prompt, and run the following command to add Janet Schorr to the local group:

PS C:\users\AzureAdmin.LITWARE369> net localgroup "Remote Desktop Users" /add "LITWARE369\janets"

The command completed successfully.
PS C:\users\AzureAdmin.LITWARE369>


  2. Run the following command to add Robert Hatley to the local group:

PS C:\users\AzureAdmin.LITWARE369> net localgroup "Remote Desktop Users" /add "LITWARE369\Roberth"

The command completed successfully.
PS C:\users\AzureAdmin.LITWARE369>
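The two net localgroup commands above are not idempotent and give no view of the resulting membership. The following script is an added example, not part of the guide: it adds the same two test accounts to Remote Desktop Users only if they are not already members and then lists the group so the change can be checked. It uses the ADSI WinNT provider (available on Windows Server 2012 R2, which has no Microsoft.PowerShell.LocalAccounts module); the account names are the test lab values and are assumptions to replace with your own.

```powershell
# Added example (not from the guide): idempotently add test accounts to the
# local "Remote Desktop Users" group on EDGE1 and report the final membership.
# Run from an elevated Windows PowerShell prompt.

$groupName = 'Remote Desktop Users'
# Constructed list of DOMAIN\user accounts; replace with your own values.
$accounts = @('LITWARE369\janets', 'LITWARE369\roberth')

$group = [ADSI]"WinNT://./$groupName,group"

function Get-LocalGroupMemberNames {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    # Invoke IADsGroup::Members() over COM and turn each ADsPath
    # (WinNT://LITWARE369/janets) into the familiar LITWARE369\janets form.
    @($Group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$existing = Get-LocalGroupMemberNames -Group $group
foreach ($account in $accounts) {
    # -contains compares strings case-insensitively, matching Windows semantics
    if ($existing -contains $account) {
        Write-Host "Already a member: $account"
        continue
    }
    $domain, $user = $account -split '\\', 2
    # Add by ADsPath; this throws if the account does not exist in the domain
    $group.Add("WinNT://$domain/$user,user")
    Write-Host "Added: $account"
}

# Print the final membership so the change is visible in the session transcript
Write-Host "Members of '$groupName':"
Get-LocalGroupMemberNames -Group $group | Sort-Object | ForEach-Object { Write-Host "  $_" }
```

Because membership of Remote Desktop Users is what grants the logon right on the Internet-facing server, rerunning this script after the deployment is a cheap way to confirm nobody else has been added.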

Testing the federation server configuration


Before testing the configuration, you need to configure your browser settings to trust the federation server role by adding your federation service name (for example, in our configuration, https://adfs.litware369.com) to the browser’s local intranet zone.

To configure the browser settings accordingly on the EDGE1 computer, proceed with the following steps:



  1. Close the current remote desktop connection and open a new one on the EDGE1 computer as LITWARE369\JanetS with “pass@word1” as password.

  2. Start Internet Explorer and select Internet Options on the Tools menu. An Internet Options dialog pops up.

  3. Click the Security tab, select the Local intranet zone, and then click Sites. A Local intranet dialog appears.

  4. Click Advanced. A Trusted sites dialog appears.

  5. In Add this website to the zone, type “https://adfs.litware369.com”, and then click Add. Replace litware369.com with your own domain, as already mentioned.

  6. Click Close, and then click OK.

  7. Verify that the security level for the zone is set to the default setting of Medium-low, which enables Windows integrated authentication for the Intranet zone.

  8. Click OK to close the Internet Options dialog.

To verify that a federation server on ADFS1 is operational, proceed with the following steps:

  1. Open a browsing session on ADFS1 and navigate to the federation service metadata endpoint, for example, in our configuration:

https://adfs.litware369.com/federationmetadata/2007-06/federationmetadata.xml

If your browser displays the federation server metadata without any SSL errors or warnings, your federation server is operational.

  2. You can alternatively navigate to the metadata exchange endpoint, which offers an XML service description:

https://adfs.litware369.com/adfs/services/trust/mex

  3. You can alternatively navigate to the AD FS sign-in page, for example, in our configuration:

https://adfs.litware369.com/adfs/ls/idpinitiatedsignon.htm

This displays the AD FS sign-in page where you can sign in with the domain credentials.



Click Sign in to verify that the user is successfully and seamlessly authenticated thanks to the Windows Integrated Authentication. You shouldn’t see any Windows Security dialog if AD FS has been properly configured.
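The browser checks above confirm that the metadata loads over a clean TLS connection, but they do not tell you what the service is actually advertising. The following script is an added example, not part of the guide: it fetches the same federation metadata document, fails if the TLS certificate is untrusted or mismatched (Invoke-WebRequest rejects such connections by default, which is the "no SSL errors" condition the guide asks you to confirm), then prints the entityID, the token-signing certificates with their expiry, and the passive sign-in endpoints. The federation service name is the test lab value and is an assumption.

```powershell
# Added example (not from the guide): inspect the AD FS federation metadata
# from any machine that can reach the federation service over HTTPS.

$federationServiceName = 'adfs.litware369.com'   # assumption: test lab name
$metadataUrl = "https://$federationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"

# A certificate that the client does not trust, or that does not match the
# host name, makes this call throw, which is the failure we want surfaced.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

$entityId = $metadata.DocumentElement.GetAttribute('entityID')
Write-Host "entityID: $entityId"

# Select with local-name() so the namespace prefixes in the document do not matter
$signingCertNodes = $metadata.SelectNodes(
    "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")

$seen = @{}
foreach ($node in $signingCertNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$raw)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # the same cert is listed per role
    $seen[$cert.Thumbprint] = $true

    # An expired token-signing certificate breaks every relying party at once,
    # so report the remaining lifetime rather than just the thumbprint.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("Signing certificate {0}`n  subject: {1}`n  expires: {2:yyyy-MM-dd} ({3} days left)" -f `
        $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning "Token-signing certificate $($cert.Thumbprint) expires within 30 days"
    }
}

# Confirm that the passive (browser) sign-in endpoint used later in the guide is published
$endpoints = $metadata.SelectNodes(
    "//*[local-name()='PassiveRequestorEndpoint']//*[local-name()='Address']") |
    ForEach-Object { $_.InnerText.Trim() } | Sort-Object -Unique
Write-Host 'Passive requestor endpoints:'
$endpoints | ForEach-Object { Write-Host "  $_" }
```

Running this from the EDGE1 computer before and after the Web Application Proxy is installed is a quick way to compare what the internal federation server and the published proxy expose.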




Issuing a SSL/TLS certificate


The default web site requires an SSL server certificate. The certificate MUST have the following attributes:

  • Subject Name (CN): www.litware369.com

  • Subject Alternative Name (DNS): adfs.litware369.com

  • Subject Alternative Name (DNS): adrms.litware369.com

  • Subject Alternative Name (DNS): www.litware369.com

For demonstration purposes, you can issue such an SSL certificate with the test lab certification authority litware369-ADFS1-CA, as illustrated hereafter.

You can instead use an SSL certificate issued by a public certification authority if required. The exact method depends on the chosen public certification authority; refer to its instructions.

With the exception of the SSL certificate import into the Local Computer\My Store on the EDGE1 computer, the rest of the suggested configuration doesn’t differ from the one illustrated in this document.

To issue the SSL certificate with the test lab certification authority, proceed with the following steps:


  1. Close the current remote desktop connection and open a new one on the EDGE1 computer as LITWARE369\AzureAdmin with “pass@word1” as password.

  2. Open an elevated Windows PowerShell command prompt, and run the following command:

PS C:\users\AzureAdmin.LITWARE369> Get-Certificate -Template SSLCertificates -SubjectName CN=www.litware369.com -DnsName adfs.litware369.com, adrms.litware369.com, www.litware369.com -CertStoreLocation cert:\LocalMachine\My


Status Certificate Request

------ ----------- -------

Issued [Subject]…
PS C:\users\AzureAdmin.LITWARE369>
Note If you haven’t previously configured a new certificate template (e.g. the SSLCertificates template in our configuration), you can use the WebServer certificate template in lieu of it in the above command.

Configuring HTTPS on the default web site


To configure HTTPS on the default web site, proceed with the following steps:

  1. Open an elevated Windows PowerShell command prompt if one is not already open, and run the following command to add an SSL binding to the default web site:

PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

PS C:\users\AzureAdmin.LITWARE369>


  2. Run the following commands to associate the imported SSL certificate with the newly created SSL binding:

PS C:\users\AzureAdmin.LITWARE369> Get-ChildItem cert:\LocalMachine\MY | where { $_.Subject -match "CN\=www.litware369.com" } | select -First 1 | New-Item IIS:\SslBindings\0.0.0.0!443


IP Address Port Host Name Store Sites

---------- ---- --------- ----- -----

0.0.0.0 443 MY Default Web Site

PS C:\Users\AzureAdmin.LITWARE369>




  3. Open a browsing session and navigate to the default web site at https://www.litware369.com:
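Browsing to the site shows that HTTPS answers, but it does not prove that the certificate bound to port 443 is the one with the subject and SAN entries the certificate section requires, or that it will still be trusted next month. The following script is an added example, not part of the guide: it reads the SSL binding created above, loads the bound certificate from the LocalMachine\My store and checks the subject, the required DNS SANs, the private key, the Server Authentication EKU, the remaining validity and chain trust. Hostnames and the binding path are the test lab values and are assumptions.

```powershell
# Added example (not from the guide): validate the certificate behind the
# default web site's HTTPS binding on EDGE1. Run in an elevated prompt.

Import-Module WebAdministration

# Assumptions: test lab names from the certificate section of the guide
$requiredDnsNames = @('adfs.litware369.com', 'adrms.litware369.com', 'www.litware369.com')
$requiredSubject  = 'CN=www.litware369.com'
$serverAuthEku    = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-SslBindingCertificate {
    param([string]$BindingPath = 'IIS:\SslBindings\0.0.0.0!443')

    $binding = Get-Item $BindingPath -ErrorAction Stop
    $cert = Get-Item "cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)" -ErrorAction Stop
    $problems = @()

    if ($cert.Subject -ne $requiredSubject) { $problems += "subject is '$($cert.Subject)', expected '$requiredSubject'" }
    if (-not $cert.HasPrivateKey)          { $problems += 'no private key is associated with the certificate' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }

    # The SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b, ..."
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = ($sanExt.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    foreach ($name in $requiredDnsNames) {
        if ($sanNames -notcontains $name) { $problems += "SAN is missing DNS name $name" }
    }

    # Extended Key Usage (OID 2.5.29.37) must allow server authentication
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthEku })
    if (-not $hasServerAuth) { $problems += 'EKU does not include Server Authentication' }

    # Chain validation against this machine's trust store. With the test lab
    # CA this only passes once its root certificate has been imported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain validation failed: $status"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DnsNames   = $sanNames
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

$result = Test-SslBindingCertificate
$result | Format-List
if (-not $result.Ok) { Write-Warning "HTTPS binding needs attention: $($result.Problems -join '; ')" }
```

The same function can be pointed at another binding path (for example the one the Web Application Proxy creates) to check that every listener on the Internet-facing computer presents the intended certificate.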


Deploying the Web Application Proxy (WAP)


The Web Application Proxy (WAP) is the new proxy for AD FS in Windows Server 2012 R2.

Note For more information, see the Microsoft TechNet article Web Application Proxy Overview [70] as well as the section Deploying Federation Server Proxies [71] of the Windows Server 2012 R2 AD FS Deployment Guide, also available on Microsoft TechNet.

To install and configure the Web Application Proxy role service, proceed with the following steps:



  1. Open an elevated Windows PowerShell command prompt if one is not already open, and run the following command:

PS C:\Users\AzureAdmin.LITWARE369> Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools


Success Restart Needed Exit Code Feature Result

------- -------------- --------- --------------

True No Success {RAS Connection Manager Administration Kit...

WARNING: To finish configuring this server for the Web Application Proxy role service using Windows PowerShell, see

http://go.microsoft.com/fwlink/?LinkId=294322.

PS C:\Users\AzureAdmin.LITWARE369>




  2. Run the following command to collect the credential of the LITWARE369\AzureAdmin user:

PS C:\Users\AzureAdmin.LITWARE369> $credentials = Get-Credential


cmdlet Get-Credential at command pipeline position 1

Supply values for the following parameters:

Credential

PS C:\Users\AzureAdmin.LITWARE369>


When prompted, enter the following credential in the dialog below and click OK:

Username: LITWARE369\AzureAdmin

Password: pass@word1



  3. Run the following commands to install and configure the Web Application Proxy (WAP):

PS C:\users\AzureAdmin.litware369> $certificateThumbprint = (Get-ChildItem cert:\LocalMachine\MY -DnsName "*adfs*" | Select-Object -First 1).Thumbprint

PS C:\users\AzureAdmin.litware369> Install-WebApplicationProxy -FederationServiceTrustCredential $credentials -CertificateThumbprint $certificateThumbprint -FederationServiceName "adfs.litware369.com"

Message Context Status

------- ------- ------

The configuration completed successf... DeploymentSucceeded Success

PS C:\Users\AzureAdmin.LITWARE369>
Note For more information, see the Microsoft TechNet article Web Application Proxy Cmdlets in Windows PowerShell [72].
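The thumbprint lookup above matches any certificate whose name contains "adfs" and takes the first one returned, so on a server that also holds an old, expired or key-less copy the proxy can end up bound to the wrong certificate. The following script is an added example, not part of the guide: it selects the certificate by the exact federation service name, discards candidates without a private key or with less than 30 days of validity, prefers the one expiring last, prompts for the trust credential instead of embedding it, and after installation queries the proxy's own health and SSL-certificate state with the Get-WebApplicationProxyHealth and Get-WebApplicationProxySslCertificate cmdlets from the WebApplicationProxy module. The federation service name is the test lab value and is an assumption.

```powershell
# Added example (not from the guide): choose the WAP certificate deliberately,
# install the proxy, and verify the result. Run in an elevated prompt on EDGE1.

$federationServiceName = 'adfs.litware369.com'   # assumption: test lab name

function Select-WapCertificate {
    param([string]$DnsName)
    # -DnsName on the certificate provider matches both subject CN and SAN entries
    $candidates = Get-ChildItem cert:\LocalMachine\My -DnsName $DnsName |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date).AddDays(30) } |
        Sort-Object NotAfter -Descending
    if (-not $candidates) {
        throw "No certificate for $DnsName with a private key and 30+ days of validity in LocalMachine\My"
    }
    if (@($candidates).Count -gt 1) {
        Write-Warning "Several usable certificates match $DnsName; using the one that expires last"
    }
    $candidates | Select-Object -First 1
}

$cert = Select-WapCertificate -DnsName $federationServiceName
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# Prompt for the account allowed to establish the trust with the federation
# service (LITWARE369\AzureAdmin in the test lab); nothing is stored on disk.
$credentials = Get-Credential -Message "Federation service trust credential for $federationServiceName"

Install-WebApplicationProxy -FederationServiceTrustCredential $credentials `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $federationServiceName

# Post-install checks: the proxy should report healthy components and every
# published HTTPS listener should carry the certificate selected above.
Write-Host 'Web Application Proxy health:'
Get-WebApplicationProxyHealth | Format-Table -AutoSize

Get-WebApplicationProxySslCertificate |
    Where-Object { $_.CertificateHash -ne $cert.Thumbprint } |
    ForEach-Object {
        Write-Warning "Unexpected certificate $($_.CertificateHash) bound to $($_.HostName):$($_.PortNumber)"
    }
```

If the warning fires for a listener, Set-WebApplicationProxySslCertificate from the same module rebinds it to the intended thumbprint.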

To verify that you can successfully authenticate against the federation server on the Internet, proceed with the following steps:



  1. Open a browsing session on your local computer and navigate to the AD FS sign-in page, for example in our configuration:

https://adfs.litware369.com/adfs/ls/idpinitiatedsignon.htm

Note If the SSL certificate used in the configuration has not been issued by a public certification authority, you will need to add the test lab certification authority Litware369-ADFS1-CA root certificate to the trusted root certification authorities of your user’s store.

As before, this displays the AD FS sign-in page where you can sign in with the domain credentials.





  2. Click Sign in to verify that you can successfully be authenticated.



  3. Enter the following credential and then click Sign in:

Username: LITWARE369\JanetS

Password: pass@word1




