HOW TO SET UP THE AD FS 2.0 VM LAB ENVIRONMENT FOR FEDERATED COLLABORATION

Microsoft Corporation
Published: May 2010
Version: 1.0
Authors: Brad Mahugh, Tariq Sharif
Editor: Jim Becker

Abstract

This guide walks you through the setup of a small test lab environment that you can use to evaluate the next generation of Microsoft® federated identity technologies, Active Directory® Federation Services (AD FS) version 2.0. This document is intended for information technology (IT) professionals and application developers who want to create a lab environment specifically for use with the Federated Document Collaboration Using Microsoft Office SharePoint® Server 2007 and AD FS 2.0 guide, which demonstrates the implementation and evaluation of an end-to-end, claims-based, identity federation solution. The instructions in this guide should take approximately four hours to complete.



Contents

HOW TO SET UP THE AD FS 2.0 VM LAB ENVIRONMENT FOR FEDERATED COLLABORATION ..................... 1

About this guide ........................................................................................................................... 6

What this guide does not provide ............................................................................................ 7

Requirements ........................................................................................................................... 7

About the lab environment ...................................................................................................... 8

Step 1: Create and configure VMs using Hyper-V Manager .......................................................... 10

Make or obtain base hard drive image files .............................................................................. 10

Create a differencing disk for each VM ...................................................................................... 10

Create the VMs .......................................................................................................................... 11

Step 2: Download and install prerequisite software ..................................................................... 13

Step 3: Reconfigure the IP and DNS settings for all VMs .............................................................. 15

Create a new virtual network .................................................................................................... 15

Configure static IP and DNS settings for each VM ..................................................................... 16

Change the names of the computers ..................................................................................... 17

Step 4: Install and configure AD DS ............................................................................................... 18

Install and configure AD DS ........................................................................................................ 18

Install AD DS ............................................................................................................................ 18

Join the client computer to the Contoso domain ................................................................... 19

Create accounts ...................................................................................................................... 19

Create accounts in the Contoso domain ............................................................................. 20

Create accounts in the Fabrikam domain ........................................................................... 21

Configure DNS zones for services .............................................................................................. 21

Configure DNS service records for Contoso ........................................................................... 22

Configure zones for the Contoso.com domain ................................................................... 22

Create host (A) resource records for the Contoso.com domain ......................................... 22

Configure zones for Fabrikam.com domain ........................................................................ 23

Create host (A) resource records for the Fabrikam.com domain ....................................... 23

Step 5: Install and Configure IIS, Certificates, and Group Policy ................................................... 23

Disable Internet Explorer Enhanced Security Configuration ..................................................... 24

Configure Group Policy .............................................................................................................. 25

Push Internet Explorer settings to computers in the Contoso domain .................................. 25


Push Internet Explorer settings to computers in the Fabrikam domain ................................ 26

Refresh Group Policy .............................................................................................................. 27

Configure certificates ................................................................................................................. 27

Install AD CS ............................................................................................................................ 27

Disable CRL Extension ............................................................................................................. 28

Configure certificate templates .............................................................................................. 29

Create a shared certificate for AD RMS and AD FS 2.0 on ContosoSrv01 .............................. 30

Create a certificate for AD FS 2.0 on Fabrikam.com ............................................................... 31

Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate ............ 32

Export and import Root CA certificates ..................................................................................... 33

Export both Root CA certificates ............................................................................................ 33

Import both Root CA certificates ............................................................................................ 34

Refresh Group Policy .............................................................................................................. 35

Install and configure AD RMS as a root cluster ...................................................................... 35

Install SQL Server 2008 Standard SP1 ..................................................................................... 37

Create the HOL Doctors Role database on ContosoSrv01 ...................................................... 38

Step 6: Install and configure the SharePoint site on ContosoSrv02 .............................................. 38

Create an SSL certificate for the SharePoint site .................................................................... 39

Install .NET Framework 3.5 on ContosoSrv02 ........................................................................ 40

Install Microsoft Office SharePoint Server 2007 .................................................................... 40

Configure Microsoft Office SharePoint Server 2007 .............................................................. 41

Extend the default SharePoint application to docs.contoso.com .......................................... 41

Set the SSL certificate for docs.contoso.com ......................................................................... 42

Upload Sample Documents to docs.contoso.com .................................................................. 42

Step 7: Install and configure Windows claims-aware identity software ....................................... 43

Install and configure AD FS 2.0 on ContosoSrv01 .................................................................. 43

Install and configure AD FS 2.0 on FabrikamSrv01 ................................................................. 44

Customize the AD FS 2.0 sign-in pages ................................................................................... 46

Install and configure the WIF and SharePoint support software on ContosoSrv02 ............... 46

Install and configure the Desktop Experience feature on FabrikamSrv02 ............................. 46

Install and configure Microsoft Office 2007 on FabrikamSrv02 ............................................. 47

Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario ... 47


This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


This document is intended for developers and system architects who are interested in completing the walkthrough demonstration of the features, functionality, and interoperability capabilities of Active Directory® Federation Services (AD FS) version 2.0 and Windows® Identity Foundation (WIF).

About this guide

This guide provides instructions for setting up federated identity technologies in a small test lab with servers running the Windows Server® 2008 operating system. It explains how to install and configure all settings and prerequisite software necessary to create the four virtual machine (VM) images that you need to have available so that you can complete all the steps in the following guide:

Federated Document Collaboration with Microsoft Office SharePoint Server 2007 and AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=148503).

While you can download VM images that are preconfigured for trial use, this guide assists you if you choose to make the images yourself. The overall goal of this guide is to give you a good understanding of the base configuration requirements necessary to deploy and enable federated identity technologies in your environment.

To maximize your chances of completing the objectives of this guide successfully, it is important that you do all of the following:

- Complete the steps in this guide in the order in which they are presented.
- Use the exact IP addresses that this guide specifies.
- Use the exact computer, user, group, company, claim, and domain names that this guide specifies.

Important: Any modifications that you make to the configuration details in this guide may affect or limit your chances of setting up this lab successfully on the first try.

Note: Microsoft has tested this guide successfully with the Windows Server 2008 Hyper-V™ virtualization technology product.

The instructions in this guide take approximately four hours to complete.


What this guide does not provide

This guide does not provide the following information:

- Guidance for setting up and configuring AD FS 2.0 for federation in a production environment
- Instructions for setting up and configuring a federation server proxy
- Instructions for setting up the test lab computer (Hardware and software requirements are listed in the following section, however.)
- Instructions for making your own base virtual hard drive (.vhd) images.

Requirements

To complete all the steps in this guide, you must have a virtual test lab computer where you can configure four virtual machines (VMs) running the following operating systems:

- Windows Server 2008 R2 Enterprise for the four virtual servers.

Your virtual test lab computer must be able to meet the minimum requirements in the following table.

Processor: 64-bit quad core with 2.0 gigahertz (GHz) or higher CPU speed
Operating system: Windows Server 2008 Enterprise R2
Memory: 8 gigabytes (GB) of RAM or higher
Disk drive: 100 GB or more of free available space
Additional software: The following server role must be added: Microsoft® Hyper-V
Other devices: CD-ROM or ROM drive; high resolution monitor (1024x768); keyboard and Microsoft mouse or compatible pointing device

Administrative credentials

To perform all the tasks in this guide, use the local Administrator account for each computer, unless instructed otherwise. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain. For example, when you create user accounts for Contoso Pharmaceuticals, use the CONTOSO\Administrator account.

About the lab environment

For the virtual test lab environment, create four VMs. You can use each of the VMs that you create and configure later to accomplish scenario tasks in which you implement and evaluate a claims-based, federated identity solution, as described in the Federated Document Collaboration with Microsoft Office SharePoint Server 2007 and AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=148503) guide. To set up the test lab to accomplish the goals in that guide, follow the steps in order as described in the following table to establish a working test lab environment.

Step 1: Create and configure VMs using Hyper-V Manager
This step demonstrates the information technology (IT) pro experience for creating a virtual test lab environment for the purpose of evaluating federated identity technologies.

Step 2: Download prerequisite software
This step provides details about the software dependencies and applications that are required for updating each of the virtual servers and the virtual client so that you can use them to support the AD FS 2.0 test lab environment that you will need to emulate a business-to-business (B2B) federated identity configuration.

Step 3: Reconfigure the IP and DNS settings for all VMs
This step demonstrates the network changes involved in reconfiguring network settings for the VMs to move from VM setup to the settings that are required for the private network that you will need for the virtual test lab.

Step 4: Install and configure Active Directory Domain Services (AD DS)
This step demonstrates the underlying configuration requirements for installing and configuring AD DS to be used by two separate companies that are involved in a B2B scenario.

Step 5: Install and configure IIS, certificates, and Group Policy
This step demonstrates the underlying configuration requirements for installing and configuring Internet Information Services (IIS), Active Directory Certificate Services (AD CS), and Group Policy for both of the companies involved in a B2B scenario.

Step 6: Install and configure the SharePoint site on ContosoSrv02
This step demonstrates the underlying configuration requirements for installing and configuring Microsoft Office SharePoint Server® 2007 for document collaboration needs in a B2B scenario.

Step 7: Install and configure Windows claims-based identity software
This step demonstrates the underlying configuration requirements for installing and configuring AD FS 2.0 and related technologies for federation service in both of the companies involved in a B2B scenario.

Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario
This step demonstrates the underlying configuration requirements for configuring step-up authentication.


Step 1: Create and configure VMs using Hyper-V Manager

Before you install AD FS 2.0 and other claims-aware technologies, you must first set up the four VM computers that you will use to implement and evaluate a federated identity solution.

Make or obtain base hard drive image files

We recommend that you start by making or obtaining two virtual hard disk (.vhd) base image files. These files are a clean-installed drive VHD image snapshot of the two Windows operating systems listed earlier in the Requirements section for the three virtual servers and the virtual client.

Before you proceed to the next step, make a folder (for example, D:\LabVhdFiles) that you will use for the remainder of this step, and copy your base .vhd files to it. Ensure that the Read-only attribute is set for each file.

Tip If you do not already have clean-installed Windows Server 2008 R2 virtual hard drive images, you can download and use the base evaluation .vhd files to build the base VMs for this lab. The files are available on the Microsoft Web site at Windows Server 2008 R2 Virtual Hard Drive Images (http://go.microsoft.com/fwlink/?LinkId=179734).

Create a differencing disk for each VM

In Hyper-V, a differencing disk drive is a .vhd file that functions as the "child" drive in a parent-child relationship with the "parent" (or base) virtual hard drive. The advantage of this configuration is that you can make changes to the data or operating system that are stored as differences and that only modify the "child" differencing drive. Your "parent" drive is left intact and unmodified. If, later, you choose to revert to the original state and start over with a new differencing drive, you can do so easily.

To create a differencing disk for each VM

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. On the Action menu, point to New, and then click Hard Disk.
3. When the New Virtual Hard Disk Wizard appears, click Next.
4. On the Choose Disk Type page, click Differencing, and then click Next.
5. On the Specify Name and Location page, do the following, and then click Next:
   a. In Name, type machine_name.vhd, where machine_name is the name of the VM that you are creating a differencing disk for. For example, start with "CONTOSOSRV01.vhd".
   b. In Location, browse to the location where you copied the base .vhd images for the virtual server or client differencing disk drive in the previous section. For example, if the path you used there was D:\LabVhdFiles, select that path here.
6. On the Configure Disk page, in Location, click Browse to locate the appropriate base .vhd image in the path that was used in the previous step, and then click Next. For example, if you are creating a virtual hard drive for CONTOSOSRV01 and also using the downloaded base .vhd image, follow the instructions provided on the download page: Windows Server 2008 R2 Evaluation Virtual Hard Drive Images for Hyper-V (180 Days) (http://go.microsoft.com/fwlink/?LinkId=179736).
7. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
8. Repeat this procedure three more times to make differencing drives for all four VMs before moving on to the next part of the process. For example, after you run this procedure the first time to make a drive for CONTOSOSRV01, repeat the process and create drives for the other three VMs that you will use in the lab environment. Be sure to select the corresponding base .vhd file for each of the other two server VMs and the client VM.
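The following PowerShell check is an added example, not part of the Microsoft guide: it reads the VHD footer of each child disk created above to confirm it really is a differencing disk, and confirms that every base image in the lab folder still has the Read-only attribute that the previous section requires. It assumes the D:\LabVhdFiles folder and the CONTOSOSRV01/02 and FABRIKAMSRV01/02 file names from this guide; the function names are the example's own.

```powershell
# Added check (not part of the Microsoft guide): verify the differencing disks built in
# the procedure above and the Read-only attribute on the base images they depend on.
# A writable parent silently invalidates every child built on it, so this is worth
# confirming before the VMs are created. Assumptions: D:\LabVhdFiles and the four
# child disk names used in this guide.

$LabFolder  = 'D:\LabVhdFiles'
$ChildNames = 'CONTOSOSRV01', 'CONTOSOSRV02', 'FABRIKAMSRV01', 'FABRIKAMSRV02'

# The VHD footer is the last 512 bytes of the file. It starts with the ASCII cookie
# "conectix"; the disk type is a big-endian UInt32 at offset 60
# (2 = fixed, 3 = dynamic, 4 = differencing).
function Get-VhdDiskType {
    param([string]$Path)

    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $footer = New-Object byte[] 512
        [void]$stream.Seek(-512, [System.IO.SeekOrigin]::End)
        $read = $stream.Read($footer, 0, 512)
    } finally {
        $stream.Close()
    }
    if ($read -ne 512) { throw "$Path is too small to contain a VHD footer" }

    $cookie = [System.Text.Encoding]::ASCII.GetString($footer, 0, 8)
    if ($cookie -ne 'conectix') { throw "$Path does not carry a valid VHD footer" }

    [byte[]]$typeBytes = $footer[60..63]
    [System.Array]::Reverse($typeBytes)      # big-endian on disk, little-endian for BitConverter
    $type = [System.BitConverter]::ToUInt32($typeBytes, 0)

    switch ($type) {
        2       { 'Fixed' }
        3       { 'Dynamic' }
        4       { 'Differencing' }
        default { "Unknown($type)" }
    }
}

function Test-LabVhdFiles {
    param([string]$Folder, [string[]]$Children)

    $ok = $true
    foreach ($name in $Children) {
        $child = Join-Path $Folder "$name.vhd"
        if (-not (Test-Path $child)) {
            Write-Warning "$child is missing"
            $ok = $false
            continue
        }
        $kind = Get-VhdDiskType -Path $child
        if ($kind -ne 'Differencing') {
            Write-Warning "$child is a $kind disk; recreate it as a differencing disk"
            $ok = $false
        } else {
            Write-Host "$name.vhd : differencing disk"
        }
    }

    # Anything in the folder that is not one of the four child disks is a base image.
    $bases = Get-ChildItem -Path $Folder -Filter *.vhd |
             Where-Object { $Children -notcontains $_.BaseName }
    foreach ($base in $bases) {
        if ($base.IsReadOnly) {
            Write-Host "$($base.Name) : base image is read-only"
        } else {
            Write-Warning "$($base.FullName) is writable; set the Read-only attribute"
            $ok = $false
        }
    }
    return $ok
}

Test-LabVhdFiles -Folder $LabFolder -Children $ChildNames
```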

Create the VMs

After you create the four differencing drives—one for each of the four VMs that you will set up—you are ready to create the four VMs. The following table contains the settings to use in Hyper-V when you create each of these VMs.

VM Name         RAM (in MB)
CONTOSOSRV01    1536
FABRIKAMSRV01   1536
CONTOSOSRV02    1536
FABRIKAMSRV02   1536

To create the VMs

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. On the Action menu, point to New, and then click Virtual Machine.
3. When the New Virtual Machine Wizard appears, click Next.
4. On the Specify Name and Location page, do the following, and then click Next:
   a. In Name, type the name of the VM that you are creating. For example, start with "CONTOSOSRV01".
   b. In Location, use the default location.
5. On the Assign Memory page, in Memory, enter the corresponding number from the RAM column (in MB) as provided in the previous table for the VM that you are creating, and then click Next. For example, if you are creating CONTOSOSRV01, enter 1536 here.
6. On the Configure Networking page, in Connection, select the network connection that maps to a physical network adapter that has access to the Internet, and then click Next.
7. On the Connect Virtual Hard Disk page, click Use an existing hard disk, click Browse to locate the differencing disk image file (CONTOSOSRV01.vhd) that you created in the previous procedure, and then click Next.
8. On the Completing the New Virtual Machine Wizard page, select the Start the virtual machine after it is created check box, and then click Finish.
9. Repeat this procedure three more times to make all four VMs before moving on to the next part of the process.

After you complete these steps, you should be able to verify that you can log on to each VM with the local Administrator account and then verify that you have Internet access before moving on to the following steps. Before you create and start each subsequent VM, be sure that the previously created VM is up and running.

Important: Before you reconfigure your VMs in subsequent steps of this guide, we recommend that you first do the following for each VM while it has Internet connectivity:

- Complete Windows activation.
- For consistency with later hands-on lab instructions, set the Administrator password to "demo!23" on all the VMs.
- Make sure that you have downloaded all corresponding prerequisite software that is mentioned in the following section (Step 2) to the appropriate VM computers.
- Make sure to turn on Network discovery and File sharing in the Network and Sharing Center Control Panel on each of the Windows Server 2008 VMs.
- Make sure that all the clocks on each of the VM computers are set to the same time or within five minutes of each other. This ensures that token time stamps are always valid.

Step 2: Download and install prerequisite software

Before you begin installing and configuring the lab settings for each of the four VMs, download and install additional software that is specific to each of the VMs. The following table provides details about the required software for each VM, which actions to take, the reasons that the software is needed, and links to locations for downloading the software. Downloads that are for evaluation versions of software (such as Office SharePoint Server 2007) are noted where applicable.


Note For now, you can download all the software, but install the software only where advised to do so in this step. Later steps will indicate the appropriate time to install and configure the remainder of the software that you download at this point.

Required software / Action / Description / Link to download the software

Microsoft SQL Server 2008 Standard with Management Studio
  Action: Download only to contososrv01.
  Description: This software is required. It acts as the policy store for each federation server. Note: Accept all the default settings in the installation wizard.
  Link: Microsoft SQL Server 2008 Evaluation (180 day trial) (http://go.microsoft.com/fwlink/?LinkId=179740)

Windows Identity Framework (WIF), WIF SDK and SharePoint Configure Package
  Action: Download only to contososrv02.
  Description: This software is required to configure SharePoint for federation and enable it to provide claims-aware access.
  Link: Windows Identity Framework (http://go.microsoft.com/fwlink/?LinkID=179831)

AD FS 2.0
  Action: Download only to the contososrv01 and fabrikamsrv01 VM computers.
  Description: This software is required to create the security token services (STSs) for both Contoso Pharmaceuticals and Fabrikam Suppliers.
  Link: AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=179837)

Microsoft Office 2007 Professional
  Action: Download and install on fabrikamsrv01.
  Description: This software is required to access documents on the SharePoint site by the Fabrikam client in later hands-on lab exercises.
  Link: Microsoft Office 2007 Professional (http://go.microsoft.com/fwlink/?LinkId=150947)

Office SharePoint Server 2007 SP1
  Action: Download only to the contososrv02 computer.
  Description: This software creates the SharePoint site server that will be used to implement collaboration between Contoso and Fabrikam.
  Link: Microsoft Office SharePoint Server 2007 (trial version) (http://go.microsoft.com/fwlink/?LinkId=150948). For product IDs to use in trial activation of this product, see Microsoft Office SharePoint Server 2007 Trial Version (x64) (http://go.microsoft.com/fwlink/?LinkID=150950).

Support files for the Federated Document Collaboration Lab Setup
  Action: Download and install on all VM computers.
  Description: This software contains files that are used to assist in completing various hands-on lab tasks throughout the feature walkthrough.
  Link: Support Files for Federated Document Collaboration (http://go.microsoft.com/fwlink/?LinkId=179894)

Step 3: Reconfigure the IP and DNS settings for all VMs

After you have completed the previous steps, it is no longer necessary to keep your VMs configured for Internet access through the physical adapter for your virtual test lab computer. In this step, we work through the process of reconfiguring the IP and DNS settings for each of the four VMs so that they can be connected in their own virtual network.

Create a new virtual network

All of the VM images (servers as well as clients) must be reconfigured to use a virtual private network interface. The following procedures describe how to create this network and reconfigure VMs to use it.


To create the virtual network

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, on the Start menu, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, on the Action menu, click Virtual Network Manager.
3. In Virtual Network Manager, click Internal for the type of virtual network that you want to create, and then click Add.
4. In New Virtual Network, in Name, type Internal-Network, verify that for Type the Internal network option is selected, and then click OK.

Note that the network name is case sensitive and should be entered exactly as indicated above. All four VMs will have to use this network, which will be a "local only" interface. All four VM images should already be IP configured as described in the following procedure.

To reconfigure the network settings for each VM

1. In Hyper-V Manager, select a VM in the Virtual Machines list.
2. On the Action menu, click Settings.
3. In the Settings dialog box, under the Hardware settings, click Network Adapter.
4. In the Network Adapter settings, click the Network drop-down list, and then click Internal-Network.
5. Click OK.
6. Repeat steps 1 through 5 for the other three VMs.

Configure static IP and DNS settings for each VM

All the VM images (servers as well as clients) must be reconfigured to use static IP version 4 (IPv4) address and Domain Name System (DNS) client settings. For more information about how to do this, see Configure a DNS Client for Static IP Address (http://go.microsoft.com/fwlink/?LinkId=150952).


Note: You can also disable IP version 6 (IPv6) as you complete this process to avoid warnings about setting dynamic IPv6 when you install the AD DS and DNS server roles in the next step.

The following table provides the details of how these settings must be configured for each VM.

VM name         IP configuration                     DNS client settings
CONTOSOSRV01    10.0.0.1/8 (AD DS, DNS, AD CS)       Preferred: 10.0.0.1
                10.0.0.20/8 (AD FS 2.0)              Alternate: 10.0.0.101
                10.0.0.30/8 (AD RMS)
FABRIKAMSRV01   10.0.0.101/8 (AD DS, DNS, AD CS)     Preferred: 10.0.0.101
                10.0.0.120/8 (AD FS 2.0)             Alternate: 10.0.0.1
CONTOSOSRV02    10.0.0.2/8                           Preferred: 10.0.0.1
FABRIKAMSRV02   10.0.0.110/8                         Preferred: 10.0.0.101

Change the names of the computers

Change the name of the computers for each VM to the following. For more information about renaming computers, see Rename the Computer (http://go.microsoft.com/fwlink/?LinkId=179745).

VM Name         Computer Name
CONTOSOSRV01    CONTOSOSRV01
CONTOSOSRV02    CONTOSOSRV02
FABRIKAMSRV01   FABRIKAMSRV01
FABRIKAMSRV02   FABRIKAMSRV02


Step 4: Install and configure AD DS

In this step, we install AD DS and configure a single-domain forest for each of the two companies (Contoso Pharmaceuticals and Fabrikam).

Install and configure AD DS

This section includes the following procedures:

Install AD DS

Create accounts

Join the client computer to the Contoso domain

Install AD DS

You can use the Add Roles Wizard to create two new Active Directory forests on the two federation server VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard pages, use the company names and AD DS domain names in the following table.

Note: AD FS 2.0 has no dependency on forest functional level. When you install AD DS, you can select any forest functional level that is appropriate for your environment.

To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important: Configure the IP addresses as specified in the table in the Configure static IP and DNS settings for each VM section of this guide before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.

Computer name | Company name | AD DS domain name (new forest) | DNS configuration
Contososrv01 | Contoso Pharmaceuticals | contoso.com | Install DNS when you are prompted.
Fabrikamsrv01 | Fabrikam | fabrikam.com | Install DNS when you are prompted.

If you need assistance in creating a new Windows Server 2008-based AD DS forest, see Installing a New Forest (http://go.microsoft.com/fwlink/?LinkId=101704).

Join the client computer to the Contoso domain

Use the values in the following table to identify which domain each client computer joins (CONTOSOSRV02 joins contoso.com; FABRIKAMSRV02 joins fabrikam.com).

Computer name | Join to:
CONTOSOSRV02 | contoso.com
FABRIKAMSRV02 | fabrikam.com

For more information about how to do this, see Join a Computer to a Domain (http://go.microsoft.com/fwlink/?LinkID=150213).

Create accounts

After you set up two forests, log on as the Administrator for each domain and start the Active Directory Users and Computers snap-in on both domain controllers (both contososrv01 and fabrikamsrv01) to create several accounts that you will use to test and verify federated access across both forests.

For more information about how to create accounts in AD DS, see Create a New User Account (http://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group (http://go.microsoft.com/fwlink/?LinkID=133523).

For more information about how to add a user to a group in AD DS, see Add a Member to a Group (http://go.microsoft.com/fwlink/?LinkID=133522).


Create accounts in the Contoso domain

Create and configure the accounts with the values in the following table at CONTOSOSRV01 for the contoso.com domain. When you create the accounts, clear the User must change password at next logon check box.

Note: In addition to creating new accounts, set the e-mail address for the Administrator account to "[email protected]".

Create: | Account name | User name | Action
User account | AD RMS service account | adrmssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. Add as a member of the Domain Admins group.
User account | AD FS 2.0 Service Account | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account.
User account | Daniel Weisman | danielw | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "[email protected]".
Security group - Global | DrugTrial1Admins | N/A | Add danielw as a member of this group.


Create accounts in the Fabrikam domain

Create and configure the accounts with the values in the following table at FABRIKAMSRV01 for the Fabrikam domain. In addition to creating new accounts, set the e-mail address for the Administrator account to "[email protected]".

Create: | Account name | User name | Action
User account | Frank Miller | frankm | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "[email protected]".
User account | AD FS Service | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account.
Security group - Global | DrugTrial1Auditors | N/A | Add frankm as a member of this group.
User account | Alice Scott | alices | Set password to never expire and the password value to "p@ssw0rd" for this account. Set the e-mail address for this account to "[email protected]".

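Both account tables (Contoso and Fabrikam) can also be created with the ds* command-line tools that ship with AD DS on Windows Server 2008. The following PowerShell is an added example, not part of the guide; it creates the users and global groups from the two tables on whichever domain controller it runs on, applies the "password never expires" and "no change at next logon" settings, and finishes by listing the resulting accounts so the flags can be checked. Two assumptions: the accounts are created in the default Users container, and, because the e-mail addresses are redacted in this copy of the guide, the script uses the pattern <user name>@<domain>, which the page does not state.

```powershell
# Added example (not from the guide): create the lab accounts with dsadd/dsmod/dsquery/dsget.
# Run on CONTOSOSRV01 as CONTOSO\Administrator and on FABRIKAMSRV01 as FABRIKAM\Administrator.
$Domain  = $env:USERDNSDOMAIN.ToLower()                 # contoso.com or fabrikam.com
$BaseDn  = 'DC=' + ($Domain -replace '\.', ',DC=')      # DC=contoso,DC=com
$UsersDn = "CN=Users,$BaseDn"                           # ASSUMPTION: default Users container

function New-LabUser {
    # Creates one enabled user whose password never expires and need not be changed at logon.
    param([string]$Sam, [string]$Display, [string]$Password, [switch]$Mail)
    $Dn = "CN=$Display,$UsersDn"
    $DsArgs = @($Dn, '-samid', $Sam, '-upn', "$Sam@$Domain", '-display', $Display,
                '-pwd', $Password, '-pwdneverexpires', 'yes', '-mustchpwd', 'no', '-disabled', 'no')
    if ($Mail) { $DsArgs += @('-email', "$Sam@$Domain") }   # ASSUMPTION: address pattern
    & dsadd user $DsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd user failed for $Sam" }
    return $Dn
}

function New-LabGlobalGroup {
    # Creates a global security group with one initial member.
    param([string]$Name, [string]$MemberDn)
    dsadd group "CN=$Name,$UsersDn" -secgrp yes -scope g -members $MemberDn | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd group failed for $Name" }
}

switch ($Domain) {
    'contoso.com' {
        $AdrmsDn = New-LabUser -Sam adrmssrvc -Display 'adrmssrvc' -Password 'p@ssw0rd'
        # The Contoso table adds the AD RMS service account to Domain Admins.
        dsmod group "CN=Domain Admins,$UsersDn" -addmbr $AdrmsDn | Out-Null
        New-LabUser -Sam adfssrvc -Display 'adfssrvc' -Password 'p@ssw0rd' | Out-Null
        $DanielDn = New-LabUser -Sam danielw -Display 'Daniel Weisman' -Password 'demo!23' -Mail
        New-LabGlobalGroup -Name DrugTrial1Admins -MemberDn $DanielDn
    }
    'fabrikam.com' {
        $FrankDn = New-LabUser -Sam frankm -Display 'Frank Miller' -Password 'demo!23' -Mail
        New-LabUser -Sam adfssrvc -Display 'adfssrvc' -Password 'p@ssw0rd' | Out-Null
        New-LabGlobalGroup -Name DrugTrial1Auditors -MemberDn $FrankDn
        New-LabUser -Sam alices -Display 'Alice Scott' -Password 'p@ssw0rd' -Mail | Out-Null
    }
    default { throw 'Run this on the contoso.com or fabrikam.com domain controller.' }
}

# Both tables also set the Administrator account's e-mail address (same assumed pattern).
dsmod user "CN=Administrator,$UsersDn" -email "administrator@$Domain" | Out-Null

# Check: list every user in the container with the flags the tables require, so a disabled
# account or an expiring password is caught before AD FS 2.0 or AD RMS tries to use it.
dsquery user $UsersDn -limit 0 | dsget user -samid -disabled -pwdneverexpires
```

The passwords are the lab values from the tables; because they are passed on the command line they will appear in the PowerShell history of the administrator session, so clear that history (or use the snap-in) when the same pattern is reused outside this throwaway lab.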
Configure DNS zones for services

When AD DS is installed and configured as a server role on CONTOSOSRV01 and FABRIKAMSRV01, the DNS Server role is installed on these VMs as well. The Contoso zones are managed by the DNS server on CONTOSOSRV01, and the Fabrikam zones by the DNS server on FABRIKAMSRV01.

To assist in locating services that are used in later virtual lab exercises, additional resource records must be configured on each of these two DNS servers.

Configure DNS service records for Contoso

Configuring DNS service records for the Contoso domain is a two-step process. In the first step, we open the zones for the contoso.com domain. Next, we add host (A) resource records to the zone.

Configure zones for the Contoso.com domain

To configure zones for the Contoso.com domain

1. Log on to CONTOSOSRV01 as CONTOSO\Administrator, and then open the DNS

Manager snap-in.

To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. Add new host (A) resource records as described in the following section to the Forward

Lookup Zone for contoso.com.

Create host (A) resource records for the Contoso.com domain

The following are host (A) resource records that you can add using DNS Manager on

CONTOSOSRV01. For more information about how to add these records, see "Add a Resource

Record to a Zone" in the DNS Server Help.

Name | Type | Data
adrms | Host (A) | 10.0.0.30
docs | Host (A) | 10.0.0.2
pki | Host (A) | 10.0.0.1
sts1 | Host (A) | 10.0.0.20


Configure zones for Fabrikam.com domain

To configure zones for the Fabrikam.com domain

1. Log on to FABRIKAMSRV01 as FABRIKAM\Administrator, and open the DNS Manager

snap-in.

To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. Add new host (A) resource records as described in the following section to the Forward

Lookup Zone for fabrikam.com.

Create host (A) resource records for the Fabrikam.com domain

The following are host (A) resource records that you can add using DNS Manager on

FABRIKAMSRV01.

Name | Type | Data
pki | Host (A) | 10.0.0.101
sts2 | Host (A) | 10.0.0.120
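The host (A) records in the Contoso and Fabrikam tables above can be added with dnscmd.exe instead of DNS Manager. The following PowerShell is an added example, not part of the guide; it selects the zone owned by the server it runs on, adds each record, and then resolves every name through the local resolver rather than trusting the dnscmd exit code, because the AD FS 2.0, AD RMS and SharePoint setup in later steps depends on these names. It assumes the forward lookup zones already exist (they are created when AD DS and DNS are installed in Step 4).

```powershell
# Added example (not from the guide): add the lab host (A) records with dnscmd and verify them.
# Run on CONTOSOSRV01 (contoso.com) and on FABRIKAMSRV01 (fabrikam.com) as the domain administrator.
$Records = @{
    'CONTOSOSRV01'  = @{ Zone = 'contoso.com';  HostMap = @{ adrms = '10.0.0.30'; docs = '10.0.0.2'; pki = '10.0.0.1'; sts1 = '10.0.0.20' } }
    'FABRIKAMSRV01' = @{ Zone = 'fabrikam.com'; HostMap = @{ pki = '10.0.0.101'; sts2 = '10.0.0.120' } }
}

$Me = $env:COMPUTERNAME.ToUpper()
if (-not $Records.ContainsKey($Me)) { throw "$Me does not host a zone from the tables above." }
$Zone    = $Records[$Me].Zone
$HostMap = $Records[$Me].HostMap

foreach ($Name in $HostMap.Keys) {
    $Ip = $HostMap[$Name]
    # dnscmd /RecordAdd <zone> <node> A <ipv4>  (no server name = the local DNS server)
    dnscmd /RecordAdd $Zone $Name A $Ip | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "dnscmd could not add $Name.$Zone -> $Ip" }
}

# Check: ask the server itself for each name and compare the answer with the table.
$Failed = @()
foreach ($Name in $HostMap.Keys) {
    $Fqdn   = "$Name.$Zone"
    $Answer = (nslookup $Fqdn 127.0.0.1 2>$null) -join ' '
    if ($Answer -notmatch [regex]::Escape($HostMap[$Name])) { $Failed += $Fqdn }
}
if ($Failed.Count -gt 0) { Write-Warning ('Not resolving as expected: ' + ($Failed -join ', ')) }
else { Write-Host "All $($HostMap.Count) host (A) records in $Zone resolve to the addresses in the table." }
```

If a name fails the check, open DNS Manager and confirm the record landed in the forward lookup zone rather than in a reverse zone or a different node.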

Step 5: Install and Configure IIS, Certificates, and Group Policy

Use the following procedure to install the IIS (Web Server) role on FABRIKAMSRV01,

CONTOSOSRV01, and CONTOSOSRV02.

To install IIS

1. Click Start, and then click Server Manager.

2. Right-click Roles menu, click Add Roles.

3. On the Add Roles Wizard, click Next.

4. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next twice.

5. On the Select Role Services page, select ASP.NET.

6. In the Add role services required for ASP.NET? dialog box, click Add Required Role

Services.

7. On the same page, select the Windows Authentication and IIS 6 Metabase

Compatibility check boxes.

8. Click Next to go to the Confirm Installation Options page.

9. Click Install to begin installing IIS with the options that appear on the page.

When the setup process is complete on all servers in the lab, proceed to the next step.
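The same role services the wizard steps above select can be installed from PowerShell, which makes it easier to apply the identical configuration to all three servers and to confirm the result. The following is an added example, not part of the guide; it uses the ServerManager module that ships with Windows Server 2008 R2 (on Windows Server 2008 RTM, ServerManagerCmd.exe -install accepts the same feature IDs) and assumes it is run in an elevated prompt on FABRIKAMSRV01, CONTOSOSRV01 and CONTOSOSRV02.

```powershell
# Added example (not from the guide): install Web Server (IIS) with ASP.NET, Windows
# Authentication and IIS 6 Metabase Compatibility, then confirm every feature is present.
Import-Module ServerManager

# Feature IDs matching the wizard selections. Web-Asp-Net pulls in its required role
# services, the equivalent of clicking "Add Required Role Services" in step 6.
$Features = 'Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Metabase'

$Result = Add-WindowsFeature -Name $Features
if (-not $Result.Success) { throw "Role installation failed (exit code $($Result.ExitCode))." }
if ($Result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required before IIS is usable.' }

# Check: nothing should remain uninstalled before moving to the next step.
$Missing = Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed }
if ($Missing) { Write-Warning ('Still missing: ' + (($Missing | ForEach-Object { $_.Name }) -join ', ')) }
else { Write-Host "IIS role services installed on $env:COMPUTERNAME." }
```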

Disable Internet Explorer Enhanced Security Configuration

For SharePoint and AD FS login pages to work correctly, Internet Explorer Enhanced Security Configuration (ESC) must be disabled on all VMs. To disable ESC, complete the following steps on all four VMs (ContosoSrv01, ContosoSrv02, FabrikamSrv01, and FabrikamSrv02).

To disable ESC

1. Log on to the computer using the domain Administrator account.

2. Click Start, and then click Server Manager.

3. In the console tree, select the top-level (Server Manager) node, and then in the details

pane click Configure IE ESC.

4. In the Configure IE ESC dialog box, click Off for both administrators and users, and then

click OK.


Configure Group Policy

Use the following procedures to configure Group Policy to push important browser-specific settings to client computers. This section includes procedures for pushing Internet Explorer settings to the computers in both the Contoso and Fabrikam domains.

Push Internet Explorer settings to computers in the Contoso domain

Use the following procedure to configure Group Policy on the contososrv01 VM computer.

To push Internet Explorer settings in the Contoso domain

1. Log on to contososrv01 with the Domain Administrator account.

2. Click Start, click Run, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove

Snap-ins dialog box opens.

4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor,

and then click OK. The Group Policy Wizard opens.

5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object

dialog box opens.

6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and

then click OK.

7. Click Finish, and then click OK.

8. In the Default Domain Policy console tree, expand the following: User Configuration,

Policies, Windows Settings, Internet Explorer Maintenance, Connection.

9. Double-click Automatic Browser Configuration, clear the Automatically detect

configuration settings check box, and then click OK.

10. In the Default Domain Policy console tree, expand the following: User Configuration,

Policies, Windows Settings, Internet Explorer Maintenance, Security.

11. Double-click Security Zones and Content Ratings, click Import the current security

zones and privacy settings, click Continue when you see the prompt, and then click

Modify Settings.

12. In the Internet Properties dialog box, click the Security tab, click the Local intranet icon,

and then click Sites.

13. In the Local Intranet dialog box, in Add this website to the zone, type *.contoso.com, click Add, select the Require server verification (https:) for all sites in this zone check box, click Close, and then click OK.

Push Internet Explorer settings to computers in the Fabrikam domain

Use the following procedure to configure Group Policy on the fabrikamsrv01 VM computer.

To push Internet Explorer settings in the Fabrikam domain

1. Log on to Fabrikamsrv01 with the Domain Administrator account.

2. Click Start, click Run, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove

Snap-ins dialog box opens.

4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor,

and then click OK. The Group Policy Wizard opens.

5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog

box opens.

6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then

click OK.

7. Click Finish, and then click OK.

8. In the Default Domain Policy console tree, expand the following path: User

Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection.

9. Double-click Automatic Browser Configuration, clear the Automatically detect

configuration settings check box, and then click OK.

10. In the Default Domain Policy console tree, expand the following path: User

Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security.

11. Double-click Security Zones and Content Ratings, click Import the current security zones

and privacy settings, click Continue when you see the prompt, and then click Modify

Settings.

12. In the Internet Properties dialog box, click the Security tab, click the Local intranet icon,

and then click Sites.

13. In the Local Intranet dialog box, in Add this website to the zone, type *.fabrikam.com, click Add, select the Require server verification (https:) for all sites in this zone check box, and then click Close.

Refresh Group Policy

To refresh Group Policy, complete the following procedure on each of the four VM computers (contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02).

To refresh Group Policy

1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt

window opens.

2. At the command prompt, type gpupdate /force, and then press ENTER.

Configure certificates

Now that Group Policy is configured (it is also used later in this section to distribute the root CA certificates to the computers in the contoso.com and fabrikam.com domains), use the following procedures to install AD CS and create the user and computer certificate templates.

This section includes the following procedures:

Install AD CS

Disable CRL extension

Configure certificate templates

Configure the Default Web Site on FabrikamSrv01

Install AD CS

Use the following procedure to install Active Directory Certificate Services (AD CS) on the contososrv01 and fabrikamsrv01 VM computers.

To install AD CS

1. Log on to contososrv01 and fabrikamsrv01 with the domain administrator account.

2. Click Start, point to Administrative Tools, and then click Server Manager.


3. In the Roles Summary section, click Add roles.

4. On the Select Server Roles page, select the Active Directory Certificate Services check

box. Click Next two times.

5. On the Select Role Services page, select the Certification Authority and Certification

Authority Web Enrollment check boxes.

6. In the Add role services required for Certification Authority Web Enrollment dialog

box, click Add Required Role Services, and then click Next.

7. On the Specify Setup Type page, click Enterprise, and then click Next.

8. On the Specify CA Type page, click Root CA, and then click Next.

9. On the Set Up Private Key page, click Create a new private key, and then click Next.

10. On the Configure Cryptography for CA page, click Next to accept the default settings.

11. On the Configure CA Name page, click Next to accept the default settings.

12. On the Set Validity Period page, accept the default validity period, and then click Next.

13. On the Configure Certificate Database page, accept the default values, and then click

Next.

14. On the Web Server (IIS) page, click Next.

15. On the Select Role Services page, select the CGI, Client Certificate Mapping

Authentication, IIS Client Certificate Mapping Authentication, and URL Authorization

check boxes, and then click Next.

16. Verify the information on the Confirmation page, and then click Install.

17. Review the information on the confirmation screen to verify that the installation was

successful.

Disable CRL extension

For the purpose of this demonstration, we will not publish the certificate revocation list (CRL) distribution point in the issued certificates. Certificates issued without a CRL distribution point cannot be checked for revocation by the relying parties, which is acceptable only in an isolated lab such as this one. To disable the CRL extension in the issued certificates, complete the following steps on contososrv01 and fabrikamsrv01:

1. Log on to contososrv01 and fabrikamsrv01 with domain administrator credentials.

2. Click Start, point to Administrative Tools, and then click Certificate Authority.

3. In the certsrv window, right-click the CA name (either contoso-CONTOSOSRV01-CA or fabrikam-FABRIKAMSRV01-CA), and then click Properties.

4. In the dialog box that appears, click the Extensions tab.

5. Delete all entries in the CRL Distribution Point list by selecting each item in the field

and clicking Remove.

6. After all entries are deleted, click OK to exit the dialog box.

7. Click Yes in the next dialog box that appears.

Configure certificate templates

Use the following procedure to configure the domain user certificates in AD CS on the contososrv01 and fabrikamsrv01 VM computers.

To configure certificate templates

1. Log on to contososrv01 and fabrikamsrv01 with the domain administrator account.

2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and

then click Add/Remove Snap-in.

3. In Available snap-ins, double-click Certificate Templates, and then click OK.

4. In the console tree, click Certificate Templates. All the certificate templates appear in

the details pane.

5. In the details pane, right-click the Web Server template, and then click Properties.

If the Security tab does not appear (you will need it in the next step), you might have to

reopen this properties page by clicking the Manage link in the Actions pane.

6. On the Security tab, click Add. In Enter the object names to select, type Domain

Computers, and then click OK.

7. In Permissions for Domain Computers, under Allow, select the Read and Enroll check

boxes, and then click OK.

8. On the Security tab, click Add. In the Enter object names to select, type Domain

Controllers, and then click OK.


9. In Permissions for Domain Controllers, under Allow, select the Read and Enroll check

boxes, and then click OK.

10. Close the console, and open the command prompt window (click Start, click Run, type

cmd, and then click OK), and type the following two commands to restart AD CS:

net stop "Active Directory Certificate Services"

net start "Active Directory Certificate Services"

Create a shared certificate for AD RMS and AD FS 2.0 on ContosoSrv01

To create the certificate for AD RMS and AD FS 2.0 to use

1. Log on to contososrv01 as the CONTOSO\Administrator account with "demo!23" as the password.

2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative

Tools, and then click Internet Information Services (IIS) Manager.

3. In the console tree, click CONTOSOSRV01.

4. In Features View pane, double-click Server Certificates.

5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard

opens.

6. On the Distinguished Name Properties page of the wizard, enter the settings from the

following table, and then click Next.

Field | Value
Common name | *.contoso.com
Organization | Contoso Pharmaceutical
Organizational unit | IT
City/Locality | Redmond
State/Province | WA
Country/Region | US

7. On the Online Certification Authority page, in Specify Online Certification Authority,

click Select to search for a certification authority (CA) server in the domain.

Note The Select button will be enabled only if a CA is correctly configured and exists on

the domain.

8. Select the certification authority (CA) that appears in the list, and then click OK.

9. In Friendly name, type *.contoso.com Certificate, and then click Finish.

Note You must provide a friendly name for the certificate.

Create a certificate for AD FS 2.0 on Fabrikam.com

To create the certificate for AD FS 2.0 Server to use

1. Log on to fabrikamsrv01 as the FABRIKAM\Administrator account with "demo!23" as

the password.

2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative

Tools, and then click Internet Information Services (IIS) Manager.

3. In the console tree, click FABRIKAMSRV01.

4. In Features View pane, double-click Server Certificates.

5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard

opens.

6. On the Distinguished Name Properties page of the wizard, enter the settings from the

following table, and then click Next.

Field | Value
Common name | sts2.fabrikam.com
Organization | Fabrikam Research
Organizational unit | IT
City/Locality | Redmond
State/Province | WA
Country/Region | US

7. On the Online Certification Authority page, in Specify Online Certification Authority,

click Select to search for a CA server in the domain.

Note The Select button will be enabled only if a CA is correctly configured and exists on

the domain.

8. Select the CA that appears in the list, and then click OK.

9. In Friendly name, type sts2.fabrikam.com Certificate, and then click Finish.

Note You must provide a friendly name for the certificate.

Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate

Each security token service (STS) requires a server authentication certificate (also known as a Secure Sockets Layer (SSL) certificate) to be bound to the Default Web Site before you can use AD FS 2.0. The Web server also requires this certificate.

To configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate

1. Log on to fabrikamsrv01 with the Domain Administrator account.

2. Click Start, point to Administrative Tools, and then click Internet Information Services

(IIS) Manager.

3. In the console tree, double-click FABRIKAMSRV01, double-click Sites, click Default Web

Site, and then in the Actions pane, click Bindings.


4. On the Site Bindings dialog box, click Add.

5. In the Add Site Binding dialog box, under Type click https, under SSL certificate, select

sts2.fabrikam.com Certificate in the list, click OK, and then click Close.

6. In the details pane, double-click SSL Settings. Under Client certificates, verify that the

Ignore option is selected, and then click Apply.
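The binding created in steps 3 through 6 can also be made, and more importantly verified, from the command line: IIS Manager shows the binding, but it is HTTP.SYS that actually serves the certificate, so the check at the end asks HTTP.SYS which thumbprint it holds for port 443. The following PowerShell is an added example, not part of the guide; it uses the Cert: drive, appcmd.exe and netsh, all present on Windows Server 2008 with IIS 7, and assumes the sts2.fabrikam.com certificate from the previous procedure is the only certificate with that subject in the machine's Personal store. Run it on FABRIKAMSRV01 as FABRIKAM\Administrator.

```powershell
# Added example (not from the guide): bind sts2.fabrikam.com to the Default Web Site on 443,
# keep client certificates at "Ignore", and verify the binding that HTTP.SYS reports.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=sts2.fabrikam.com*' } |
        Select-Object -First 1
if (-not $Cert) { throw 'sts2.fabrikam.com certificate not found in LocalMachine\My.' }
if (-not $Cert.HasPrivateKey) { throw 'Certificate has no private key; repeat the domain certificate request.' }
$Thumb = $Cert.Thumbprint

$AppCmd = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Site binding: https on all addresses, port 443 (steps 4 and 5).
& $AppCmd set site /site.name:"Default Web Site" "/+bindings.[protocol='https',bindingInformation='*:443:']"

# 2. Tell HTTP.SYS which certificate to present on 0.0.0.0:443. certhash is the SHA-1 thumbprint;
#    the appid is the well-known IIS application GUID.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumb "appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"

# 3. SSL Settings: sslFlags None means SSL is not forced and client certificates are ignored (step 6).
& $AppCmd set config "Default Web Site" /section:system.webServer/security/access /sslFlags:None /commit:apphost

# Check: the thumbprint HTTP.SYS holds for port 443 must be the certificate selected above.
$Shown = (netsh http show sslcert ipport=0.0.0.0:443) -join ' '
if ($Shown -match $Thumb) { Write-Host 'HTTPS on 0.0.0.0:443 is served with the sts2.fabrikam.com certificate.' }
else { Write-Warning 'No HTTPS binding on 0.0.0.0:443, or it uses a different certificate.' }
```

If the check fails after the GUI procedure, the usual cause is a second certificate with the same subject in the Personal store; the Cert: drive listing in the first lines shows which one is selected.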

Export and import Root CA certificates

This section includes the following procedures:

Export both Root CA certificates

Import both Root CA certificates

Export both Root CA certificates

Use the following procedure to export the Root CA certificates from both the contososrv01 and the fabrikamsrv01 VM computers.

To export both Root CA certificates

1. Log on to contososrv01 with the domain administrator account

(CONTOSO\Administrator).

2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and

then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available

snap-ins, and then click Add.

4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

5. In the Select Computer dialog box, ensure that Local computer: (the computer this

console is running on) is selected, and then click Finish.

6. In the Add or Remove Snap-ins dialog box, click OK.

7. In the console tree, expand Certificates (Local Computer), and then double-click

Personal.

8. Click Certificates; in the details pane, right-click Contoso-CONTOSOSRV01-CA; point to All Tasks, and then click Export.

9. On the Welcome to the Certificate Export Wizard page, click Next.

10. On the Export Private Key page, click No, do not export the private key, and then click

Next.

11. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click

Next.

12. On the File to Export page, type c:\users\public\ContosoCA.cer, and then click Next.

13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.

14. Repeat steps 1 through 13 on the fabrikamsrv01 VM computer using FABRIKAM\Administrator for the login. In step 8, the certificate that you select will be named Fabrikam-FABRIKAMSRV01-CA. In step 12, type c:\users\public\FabrikamCA.cer as the File to Export value.

Import both Root CA certificates

Use the following procedure to import each forest's Root CA certificate on the other forest's domain controller (contososrv01 and fabrikamsrv01) and then distribute it to all the domain computers using Group Policy.

To import both Root CA certificates

1. Log on to contososrv01 with the CONTOSO\Administrator account.

2. Click Start, click Run, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove

Snap-ins dialog box opens.

4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor,

and then click OK. The Group Policy Wizard opens.

5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object

dialog box opens.

6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and

then click OK.


7. Click Finish, and then click OK.

8. Double-click Default Domain Policy. In the console tree, expand the following path:

Computer Configuration, Policies, Windows Settings, Security Settings, Public Key

Policies, Trusted Root Certification Authorities.

9. Right-click Trusted Root Certification Authorities, and select Import.

10. On the Welcome to the Certificate Import Wizard page, click Next.

11. On the File to Import page, type \\fabrikamsrv01\c$\users\public\FabrikamCA.cer,

and then click Next.

12. On the Certificate Store page, select Place all certificates in the following store and

verify that it is pointed to the Trusted Root Certification Authorities store, and then

click Next.

13. On the Completing the Certificate Import Wizard page, click Finish, and then click

Finish.

14. Repeat steps 2 through 13 on the fabrikamsrv01 VM computer using

FABRIKAM\Administrator as the login. In step 11, type

\\contososrv01\c$\users\public\ContosoCA.cer as the File to Import value.
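The export above can be scripted with certutil.exe, and, more usefully, the result of the Group Policy import can be verified on each VM after "gpupdate /force": federation between the two forests only works if each forest's root CA certificate ends up in the other forest's machine Trusted Root store. The following PowerShell is an added example, not part of the guide; it exports the local CA certificate to the same path the procedure uses when run on a CA server, and on any of the four VMs reports whether the other forest's root CA is trusted. It assumes the CA names the procedures show (contoso-CONTOSOSRV01-CA and fabrikam-FABRIKAMSRV01-CA) and that it runs as a domain account so that USERDNSDOMAIN is set.

```powershell
# Added example (not from the guide): export the local root CA certificate with certutil and
# check that the other forest's root CA is present in LocalMachine\Root after the GPO import.
$Forests = @{
    'contoso.com'  = @{ CaName = 'contoso-CONTOSOSRV01-CA';   File = 'C:\users\public\ContosoCA.cer' }
    'fabrikam.com' = @{ CaName = 'fabrikam-FABRIKAMSRV01-CA'; File = 'C:\users\public\FabrikamCA.cer' }
}
$MyDomain = $env:USERDNSDOMAIN.ToLower()
if (-not $Forests.ContainsKey($MyDomain)) { throw "Unexpected domain $MyDomain; expected contoso.com or fabrikam.com." }
$OtherDomain = $Forests.Keys | Where-Object { $_ -ne $MyDomain }

function Export-LabRootCa {
    # certutil -ca.cert writes the CA's own certificate in DER form without the private key,
    # matching the wizard choices "do not export the private key" and "DER encoded binary X.509".
    param([string]$Path)
    certutil -ca.cert $Path | Out-Null
    if (-not (Test-Path $Path)) { throw "Export to $Path failed; is this the CA server?" }
    Write-Host "Exported the local root CA certificate to $Path"
}

function Test-LabRootTrusted {
    # True when a certificate whose subject starts with CN=<CaName> sits in the machine Root store.
    param([string]$CaName)
    $Hit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
    return [bool]$Hit
}

# Export only where AD CS is installed (the two *SRV01 domain controllers run the CertSvc service).
if (Get-Service CertSvc -ErrorAction SilentlyContinue) {
    Export-LabRootCa -Path $Forests[$MyDomain].File
}

# Check the cross-forest trust anchor. If it is missing, the GPO import has not reached this VM
# and certificates issued by the other forest's CA will not validate here.
$OtherCa = $Forests[$OtherDomain].CaName
if (Test-LabRootTrusted -CaName $OtherCa) {
    Write-Host "$OtherCa is in Trusted Root Certification Authorities on $env:COMPUTERNAME."
} else {
    Write-Warning "$OtherCa is NOT trusted on $env:COMPUTERNAME; run gpupdate /force again or repeat the import procedure."
}
```

Run the check on all four VMs, not only the domain controllers: CONTOSOSRV02 and FABRIKAMSRV02 receive the certificate only through the Default Domain Policy, so they are the ones most likely to be missing it.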

Refresh Group Policy

To refresh Group Policy

1. Log on to the contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02 VM

computers, click Start, click Run, type cmd, and then press ENTER.

The Command Prompt window opens.

2. At the command prompt, type gpupdate /force, and then press ENTER.

Install and configure AD RMS as a root cluster

Use the Add Roles Wizard to create a new Active Directory Rights Management Services (AD RMS) cluster on the contososrv01 VM.

To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then in the right pane click Add Roles.


Note: AD RMS creates new groups in AD DS. Therefore, you should install AD RMS after the AD DS role is fully installed and configured. Also, select the Add Required Role Services option during role installation.

Complete the Add AD RMS Role Wizard using the information in the following table.

Wizard page | Settings to use
Select Role Services | Select Active Directory Rights Management Server. Do not select Identity Federation Support.
Create or Join an AD RMS Cluster | Select Create a new AD RMS cluster.
Select Configuration Database | Select Use Windows Internal Database on this server.
Specify Service Account | In Domain User Account, click Specify, and then select the CONTOSO\adrmssrvc account. Note: If the password does not validate when it is applied, ensure that the adrmssrvc account is a member of the CONTOSO\Domain Admins group.
Configure AD RMS Cluster Key Storage | Select Use AD RMS centrally managed key storage.
Specify AD RMS Cluster Key Password | Enter "p@ssw0rd" as the password.
Select AD RMS Cluster Web Site | Select Default Web Site.
Specify Cluster Address | Select the Use an SSL-encrypted connection option. In Internal Address, in Fully-Qualified Domain Name, type adrms.contoso.com. In Port, use 443, and then click Validate. When the URL validates, you can click Next.
Choose a Server Authentication Certificate for SSL Encryption | Select the Choose an existing certificate for SSL encryption option. Select the certificate issued to *.contoso.com.
Name the Server Licensor Certificate | In Name, use CONTOSOSRV01.
Register AD RMS Service Connection Point | Select Register the AD RMS service connection point now.
Web Server (IIS) | Accept the default options for the role, and then click Next.

Note: After the AD RMS role is added, you must log off and log on again before you can administer the AD RMS role.

Install SQL Server 2008 Standard SP1

We will be using Microsoft SQL Server® 2008 Standard Service Pack 1 (SP1) to show how AD FS 2.0 connects to another data store and issues tokens containing values from that data store.

To install Microsoft SQL Server 2008 Standard SP1

1. Log on to the contososrv01 computer with the Domain Administrator account.

2. Locate the Setup.exe installer that you downloaded to the contososrv01 computer,

and then double-click it.

3. On the SQL Server Installation Center wizard page, click Installation.

4. On the Installation page, click New SQL Server stand-alone installation or add

features to an existing installation.

5. Continue the installation. Accept the defaults for all installation options.

When you install SQL Server 2008 Standard SP1, in the SQL Server 2008 Setup Wizard use the default choices, except for the following specific configuration changes to support the AD FS 2.0 virtual lab environment:

On the Feature Selection page, select the Database Engine Services and Management Tools - Basic check boxes as your installed feature options.

On the Server Configuration page, on the Service Account tab, for Account name, select NT AUTHORITY\SYSTEM as the account to be used.

On the Database Engine Configuration page, on the Account Provisioning tab, where it lists Specify SQL Server Administrators, click Add Current User, click Add, and then browse and add the user account (adfssrvc) that you created.

Create the HOL Doctors Role database on ContosoSrv01

After you install and configure SQL Server on ContosoSrv01, you then create the hands-on lab Doctors Role database.

To create the hands-on lab (HOL) Role database on CONTOSOSRV01

1. Log on to the contososrv01 computer with the Domain Administrator account.

2. Start SQL Server Management Studio by clicking Start, All Programs, Microsoft SQL Server 2008, and SQL Server Management Studio.

3. In the dialog box that appears, type ContosoSrv01 for the server name.

4. Use the SQL script (HOL_Doctors_DB.sql) included with the support files for this lab setup.

Open it using the Microsoft SQL Server Management Studio by clicking File, Open, and then

selecting File.

Note: This script is part of the support files download for this lab setup. For more information, see the table in Step 2: Download and install prerequisite software.

5. Select the file HOL_Doctors_DB.sql in the directory where it is saved.

6. To run the script, click Execute. This should create the necessary database and associated

tables.

Step 6: Install and configure the SharePoint site on ContosoSrv02

To enable SharePoint document collaboration across a federated trust, you install and configure a SharePoint portal site on the appropriate VM computer in the test lab environment. For this configuration, use the CONTOSOSRV02 VM. In addition to installing Office SharePoint Server 2007, you apply additional configuration changes to enable SharePoint collaboration before you begin walking through the scenarios.

This section includes the following procedures:

Create an SSL certificate for the SharePoint site

Install .NET Framework 3.5 on ContosoSrv02

Install Microsoft Office SharePoint Server 2007

Create an SSL certificate for the SharePoint site

To create an SSL certificate for the extranet site

1. Log on to the contososrv02 computer with the Domain Administrator account.

2. On the Start menu, click Administrative Tools, and then click Internet Information

Services (IIS) Manager.

3. Click the name of the server in the Connections column, and then double-click

Server Certificates.

4. In the Actions pane, click Create Domain Certificate.

5. Enter all the following information about your company and the domain that you

are securing, and then click Next.

Field name           Value
Common name          docs.contoso.com
Organization         Contoso Pharmaceutical
Organizational Unit  IT
City/Locality        Redmond
State/Province       WA
Country/Region       US

Page 40: Adfs2 How to Setup Lab Environment for Federated Collaboration

6. Under Specify Online Certificate Authority, click Select, and then click

Contoso-CONTOSOSRV01-CA.

Note The Select button is enabled only if a CA is correctly configured and exists on the

domain.

7. Under Friendly name, type docs.contoso.com Certificate, and then click Finish.

Install .NET Framework 3.5 on ContosoSrv02

Before you install Microsoft Office SharePoint Server 2007, you must install .NET Framework 3.5

on ContosoSrv02.

To install .NET Framework 3.5 on ContosoSrv02

1. Log on to ContosoSrv02 with domain Administrator credentials.

2. Click Start, click Administrative Tools, click Server Manager, and then in the console tree

click Features.

3. In the details pane, click Add Features.

4. In the Select Features page, select .NET Framework 3.5.1 Features.

5. Click Add Required Features in the message box that appears.

6. Click Next, and then click Install.

7. When the installation finishes, click Close to exit the wizard.

Install Microsoft Office SharePoint Server 2007

Note Before you can proceed with installation of Office SharePoint Server 2007 SP1, complete the

steps to create an installation package for Windows Server 2008 R2, on the Microsoft SharePoint

Team Blog (http://go.microsoft.com/fwlink/?LinkId=179787).

To install Microsoft Office SharePoint Server 2007 SP1

1. Run setup.exe for Office SharePoint Server 2007. After you start the installation process,

you have to enter a valid product identification key code.

2. After you enter the product identification key code, click Continue. The next screen is the

licensing agreement screen.

For product IDs to use in trial activation of this product, see Microsoft Office

SharePoint Server 2007 Trial Version (x64)

(http://go.microsoft.com/fwlink/?LinkID=150950).

3. Select the I accept the terms of this agreement check box, and then click Continue. On

the next screen, you can select the type of installation.

4. Click Advanced.

5. For Server Type, keep the default selection of Stand-alone.

6. Click Install Now, and continue until you complete the installation process.

7. If you see the prompt “Program Compatibility Assistant”, click Run program.

Configure Microsoft Office SharePoint Server 2007

After the SharePoint installation process is complete, you can run through the SharePoint

Products and Technologies (SPPT) Configuration Wizard. Use this wizard to commit the initial

configuration options for your new SharePoint farm.

To configure the SharePoint farm using the SPPT wizard

Start the SPPT wizard, and on the Welcome page, click Next.

You should see a message informing you that certain services (IIS, SharePoint

Administration, SharePoint Timer) are going to be stopped. Click Yes. After the

installation is complete, click Finish.

Extend the default SharePoint application to docs.contoso.com

To extend the default SharePoint application to support docs.contoso.com

1. Start the SharePoint Central administration site: click Start, and then click SharePoint 3.0

Central Administration.

2. In the Central Administration site, click Application Management.

3. In the SharePoint Web Application Management section of the page, click Create or

extend Web application.

4. On the next page, click Extend an existing Web application.

5. In the Web Application drop-down list, select Change Web Application, and then click

SharePoint-80.

6. Keep the selection for Create a new IIS web site, for the description type

docs.contoso.com, and then select the following options:

For port type: 443

For Host Headers type: docs.contoso.com

For Use Secure Socket Layer (SSL): Yes

For Zone: Extranet

7. Click OK.

Set the SSL certificate for docs.contoso.com

To set the SSL certificate for docs.contoso.com

1. Open IIS Manager

To open IIS manager, click Start, point to Administrative Tools, and then click IIS

Manager.

2. In the console tree, expand CONTOSOSRV02 and Sites, and then click

SharePoint - docs.contoso.com443.

3. In the Action pane, click Bindings.

4. In the Site Bindings dialog box, select the top row, and then click Edit.

5. In the Edit Site Binding dialog box, select the docs.contoso.com certificate in the SSL

certificate drop-down list.

6. Click OK, and then click Close.

Upload Sample Documents to docs.contoso.com

To upload sample documents to docs.contoso.com

1. Log on to CONTOSOSRV01 as CONTOSO\Administrator using the password "demo!23".

2. Open Internet Explorer, and then navigate to the site https://docs.contoso.com.

3. At the site, click Document Center.

4. In the left pane, click Documents.

5. In the middle pane, click Upload.

6. In the next page, click Browse. Navigate to and select the

Contoso-Statement of General Terms.docx document.

Note

This document is part of the support files download for this lab setup. For more

information see the table in Step 2: Download and install prerequisite software.

7. Click OK.

8. When the next page appears, click Check In.


Step 7: Install and configure Windows claims-aware identity software

Before you can evaluate the federated document collaboration scenarios that this guide

enables setup for, you must first install all Windows software programs that are necessary for

creating a claims-based identity solution on the appropriate VM computers in the test lab

environment. You must also perform several steps to configure both Federation Services

before you begin walking through the scenarios.

This section includes the following procedures:

Install and configure AD FS 2.0 on ContosoSrv01

Install and configure AD FS 2.0 on FabrikamSrv01

Customize the AD FS 2.0 Sign-in pages

Install and configure WIF and SharePoint support software on ContosoSrv02

Install and configure the Desktop Experience feature on FabrikamSrv02

Install and configure Microsoft Office 2007 on FabrikamSrv02

Install and configure AD FS 2.0 on ContosoSrv01

To install and configure AD FS 2.0 on ContosoSrv01

1. Log on to ContosoSrv01 as CONTOSO\Administrator using the assigned password

("demo!23").

2. Locate the AdfsSetup.exe installable package that you downloaded, and then

double-click it.

3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.

4. On the End-User License Agreement page, read the license terms. If you agree to

them, select the I accept the terms in the License Agreement check box, and then

click Next.


5. On the Server Role page, select Federation server, and then click Next.

6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.

Note: The wizard may ask you to restart the computer. If so, click Finish to restart the

computer. After the computer is restarted, log on as CONTOSO\Administrator. On

the Start menu, click All Programs, point to Administrative Tools, and then click

AD FS 2.0 Management.

7. Completing the wizard should open the AD FS 2.0 Management console.

If you do not see the AD FS 2.0 Management console, on the Start menu, click All

Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

8. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0

Federation Server Configuration Wizard.

9. On the Welcome page, select Create a new Federation Service, and then click Next.

10. On the Select Stand-Alone or Farm Deployment page, select New federation server

farm, and then click Next.

11. On the Specify the Federation Service Name page, type sts1.contoso.com as the

federation service name, and then click Next.

12. On the Specify a Service Account page, click Browse, type CONTOSO\adfssrvc, and

then click OK.

13. In Password, type p@ssw0rd, and then click Next.

14. On the Ready to Apply Settings page, review the settings, and then click Next.

15. On the Results page, click Close.

Install and configure AD FS 2.0 on FabrikamSrv01

To install and configure AD FS 2.0 on FabrikamSrv01

1. Log on to FABRIKAMSRV01 as FABRIKAM\Administrator using the assigned password

("demo!23").

2. Locate the AdfsSetup.exe installable package that you downloaded, and then

double-click it.

3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.

4. On the End-User License Agreement page, read the license terms. If you agree to

them, select the I accept the terms in the License Agreement check box, and then

click Next.

5. On the Server Role page, click Federation server, and then click Next.

6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.

Note: The wizard may ask you to restart the computer. If so, click Finish to restart the

computer. After the computer is restarted, log on as FABRIKAM\Administrator.

On the Start menu, click All Programs, point to Administrative Tools, and then click

AD FS 2.0 Management.

7. Completing the wizard should open the AD FS 2.0 Management console.

If you do not see the AD FS 2.0 Management console, on the Start menu, click All

Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

8. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0

Federation Server Configuration Wizard.

9. On the Welcome page, select Create a new Federation Service, and then click Next.

10. On the Select Stand-Alone or Farm Deployment page, select New federation server

farm, and then click Next.

11. On the Specify the Federation Service Name page, the federation service name

should appear as sts2.fabrikam.com. Click Next.

12. On the Specify a Service Account page, click Browse, type FABRIKAM\adfssrvc, and

then click OK.

13. In Password, type p@ssw0rd, and then click Next.

14. On the Ready to Apply Settings page, review the settings, and then click Next.

15. On the Results page, click Close.


Customize the AD FS 2.0 sign-in pages

Next, you customize the AD FS 2.0 sign-in pages with a custom logo and set the

authentication type to support username/password authentication.

To customize the AD FS 2.0 sign-in pages

1. Log in to Contososrv01 as CONTOSO\Administrator using the assigned password

("demo!23").

2. Navigate to the folder c:\inetpub\adfs\ls.

3. Copy the Contoso_logo.png file to this folder.

Note

This file is part of the support files download for this lab setup. For more

information, see the table in Step 2: Download and install prerequisite software.

4. Open the file web.config.

5. In the <appSettings> section, replace logo.png with contoso_logo.png, and

uncomment that line.

6. In the <authenticationTypes> section, move the line <add name="Forms" ... /> to

the top of the list. Save the changes, and close the file.

To make the same changes on FabrikamSrv01, follow the steps above on that computer, but

replace contoso_logo.png with fabrikam_logo.png.
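As an added illustration (not part of the lab guide or the AD FS 2.0 product files), the following Python script performs the same two web.config edits: it restores the commented-out logo setting under <appSettings> with a new file name and moves the Forms entry to the top of <authenticationTypes>. Only the two section names come from the steps above; the element layout in the sample config is a constructed stand-in, so compare it with your actual file (and keep a backup) before running this against c:\inetpub\adfs\ls\web.config.

```python
"""Apply the lab guide's two sign-in page edits to an AD FS-style web.config.
The XML layout below is a constructed stand-in; only the section names come from the guide."""
import xml.etree.ElementTree as ET

# Constructed sample config (not the real AD FS 2.0 file).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <!-- <add key="logo" value="logo.png" /> -->
  </appSettings>
  <authenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Basic" page="auth/basic/" />
    <add name="Forms" page="FormsSignIn.aspx" />
  </authenticationTypes>
</configuration>"""


def parse_with_comments(xml_text):
    """Parse XML while keeping comments, so a commented-out setting can be restored."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def set_logo(root, logo_file):
    """Uncomment the logo <add> entry under <appSettings> and point it at logo_file (step 5).
    Returns True when a commented-out logo entry was found and restored."""
    app = root.find("appSettings")
    if app is None:
        return False
    for idx, child in enumerate(list(app)):
        if child.tag is ET.Comment and 'key="logo"' in (child.text or ""):
            restored = ET.fromstring(child.text.strip())  # the comment body is the element
            restored.set("value", logo_file)
            restored.tail = child.tail  # keep the line break that followed the comment
            app.remove(child)
            app.insert(idx, restored)
            return True
    return False


def move_auth_type_first(root, name):
    """Move <add name="..."/> to the top of <authenticationTypes> (step 6)."""
    types = root.find("authenticationTypes")
    if types is None:
        return False
    for child in list(types):
        if child.get("name") == name:
            types.remove(child)
            types.insert(0, child)
            return True
    return False


def customize(xml_text, logo_file, first_auth="Forms"):
    """Apply both edits and return the serialized configuration text."""
    root = parse_with_comments(xml_text)
    set_logo(root, logo_file)
    move_auth_type_first(root, first_auth)
    return ET.tostring(root, encoding="unicode")


def auth_order(xml_text):
    """Return the authentication type names in configured order, for verification."""
    root = parse_with_comments(xml_text)
    return [e.get("name") for e in root.find("authenticationTypes")]
```

Running auth_order on the edited text before restarting anything confirms that Forms is first, which is the check a reviewer would want after a hand edit.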

Install and configure the WIF and SharePoint support software on ContosoSrv02

To install WIF and SharePoint support software on ContosoSrv02

1. Log on to ContosoSrv02 as CONTOSO\Administrator using the assigned password

("demo!23").

2. Install the following programs, and accept their default settings in the installation:

Windows Identity Foundation (Windows6.1-KB974405-x64.msu)

Microsoft-Federation-Extension-For-Sharepoint3.0 (Microsoft-Federation-Extensions-For-SharePoint3.0.msi)

Windows Identity Foundation SDK (WindowsIdentityFoundation-SDK.msi)

Install and configure the Desktop Experience feature on FabrikamSrv02

Before you install the Office component on FabrikamSrv02, the Desktop Experience feature

must be installed to provide for a typical Windows desktop environment when you are

working with the Windows Server 2008 R2 operating system in the VMs.

To install and configure Desktop Experience on FabrikamSrv02

1. Log on to FabrikamSrv02 as FABRIKAM\Administrator using the assigned password

("demo!23").

2. Click Start, click Administrative Tools, click Server Manager, and then, in the left

pane, click Features.

3. On the right pane, click Add Features.

4. On the Select Features page, click Desktop Experience.

5. Click Add Required Features in the message box that appears.

6. Click Next, and then click Install.

7. After the installation finishes, click Close to exit the wizard.

Restart the computer if you are prompted.

Install and configure Microsoft Office 2007 on FabrikamSrv02

To install Microsoft Office 2007 on FabrikamSrv02

1. Log on to FabrikamSrv02 with FABRIKAM\Administrator credentials.

2. Install the following programs, and accept their default settings in the installation:

Microsoft Office 2007

2007 Microsoft Office Suite Service Pack 2 (SP2)

2007 Office system hotfix package kb969413

Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario


In the step-up authentication scenario, users are authenticated with a smart card. To

simulate authentication with a smart card, we use a software-based, X.509 client certificate

and protect it using a PIN. This certificate is available for enrollment by default in

Active Directory Certificate Services (AD CS), which acts as the CA for the domain.

To request a certificate from the CA and set the private key PIN

1. Log on to a client computer (FabrikamSrv02 or ContosoSrv02) as one of the users

(FABRIKAM\frankm or CONTOSO\danielw) with “demo!23” as the user’s password.

2. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then

click OK.

3. At the command prompt, type mmc, and then press ENTER. This command opens

the Microsoft Management Console (MMC).

4. In the MMC, click File, and then click Add/Remove Snap-in.

5. In the Available snap-ins list, click Certificates, and then click Add.

6. In the prompt, leave My user account selected, and then click Finish.

7. Click OK. This action adds the snap-in for certificate enrollment.

8. In the console tree, right-click Personal, click All Tasks, and then click Request New

Certificate. The Certificate Enrollment window opens.

9. In the Certificate Enrollment window, click Next twice.

10. In the list, select the User check box, expand Details, and then click Properties. The

Certificate Properties dialog box opens.

11. Click the Private Key tab.

12. Expand Key options, and select the Strong private key protection check box.

Selecting this setting prompts you to select a PIN for the certificate during enrollment.

13. Click OK. The Certificate Properties dialog box closes.

14. Click Enroll. A dialog box opens prompting you to select the security level for using

the certificate.

15. Click Set Security Level. In the dialog box, click High, and then click Next.

16. Type 1@234abcd as a PIN for the certificate in the Password field and in the

Confirm field. Click Finish.

17. Click OK.

18. Click Finish in the Certificate Enrollment window.

19. Close the console. (You can click No when you are prompted to save console

settings.)

On ContosoSrv02, you must register the .dll that the step-up authentication scenario

requires. Use Gacutil.exe to register that .dll. To obtain Gacutil.exe, download and install

the .NET Framework 2.0 Software Development Kit (SDK) (x64)

(http://go.microsoft.com/fwlink/?LinkId=179799) with default settings.