Adfs2 Share Point Federated Collaboration Step by Step Guide

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0


Microsoft Corporation

Published: May 2010

Author: Tariq Sharif, Brad Mahugh

Editor: Jim Becker

Technical reviewers: Stuart Kwan, James Wong

Abstract

This guide provides instructions for using Active Directory Federation Services (AD FS) 2.0 in a small test lab environment. The purpose is to demonstrate how two fictitious companies can collaborate on documents using a federated trust that provides claims-based access using AD FS 2.0. The instructions in this guide should take approximately 90 minutes to complete.


This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

© 2010 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.


Contents

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
    About this guide
Scenario Overview
Preinstallation Tasks
    Download and extract VMs
Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server
Step 2: Add the Domain Admins group as Administrator for the SharePoint site
Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
Step 4: Add new roles to the SharePoint site
Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server
Step 6: Configure Fabrikam to federate and issue tokens to Contoso
Step 7: Access the SharePoint site
Step 8: Configure the Contoso federation server to get values from a SQL data store
Step 9: Configure AD RMS for digitally protecting documents
Step 10: Configure a SharePoint document library for stronger authentication
Step 11: Configure AD FS 2.0 on ContosoSrv01 to deny tokens to users


Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0

This guide walks you through setup of a small test lab environment that you can use to evaluate the next generation of Microsoft® federated identity technologies. This guide is intended for information technology (IT) professionals and system architects who want to implement secure collaboration between organizations using Microsoft Office SharePoint® Server 2007 and Active Directory® Federation Services (AD FS) 2.0. This guide provides a quick demonstration of the features, functionality, and interoperability capabilities of AD FS 2.0 and Windows® Identity Foundation (WIF). The instructions in this guide should take approximately 90 minutes or less to complete.

About this guide

This guide provides instructions for setting up federated identity technologies in a small test lab with virtual servers and a Hyper-V™-enabled host server computer running the Windows Server® 2008 R2 operating system. The purpose of this guide is to describe a solution that uses the federated identity capabilities of Windows-based federated identity technologies to meet the demands of a fictional business-to-business (B2B) scenario with the following requirements:

Two companies have a business partner relationship. One of the companies, Contoso Pharmaceuticals, wants to give access to a SharePoint site that it hosts to some of the employees of the other company, Fabrikam. Traditionally, this might have required administrators at Contoso to create new Active Directory user accounts to provide the required access for the Fabrikam partner employees. Another potential consequence of the SharePoint-based collaboration is that the SharePoint site itself requires configuration so that participating users of both companies can have the appropriate level of site access.

To maximize your chances of completing the objectives of this guide successfully, it is important that you do all of the following:

• Complete the steps in this guide in the order in which they are presented.

• Use the exact computer, user, group, company, claim, and domain names that this guide specifies. Any modifications that you make to the configuration details in this guide may affect or limit your chances of setting up this lab successfully the first time.

Microsoft has tested this guide successfully using Windows Server 2008 Hyper-V virtualization technology.

Important: The instructions in this guide should take approximately 90 minutes or less to complete. Your time to complete the steps in this guide may vary, depending on whether you have to set up a computer that is suitable for hosting the virtual lab environment.

Scenario Overview

This section includes background information about the fictional companies in this document. It also identifies their business goals and briefly describes the technologies that are used to achieve these goals.

About the fictional companies

The following fictional companies and their business needs are used in this guide:

• Contoso Pharmaceuticals: An international pharmaceutical supply company that specializes in manufacturing prescription drugs for its health management organization (HMO) customers inside and outside the United States. In a strategic effort to meet the drug-ordering demands of its customers, the IT department at Contoso has been given the task of developing and deploying a secure, Internet-accessible SharePoint application that must also provide multiple levels of access for various internal users (Contoso employees) and external partner users at Fabrikam. To minimize the costs that are associated with maintaining the SharePoint application, the IT department must also make sure that the application does not have to use and maintain an additional account store so that internal and external users can access the application.

• Fabrikam: A manufacturer of cost-efficient, wholesale pharmaceutical and chemical manufacturing supplies that is known worldwide for providing low-price supplies to drug manufacturers. Although sales have been accelerating consistently year after year for this company, there is a noticeable increase in errors in the inventory that has caused returns, reshipments, or adjustments to their key business partners such as Contoso. So that Fabrikam can maintain its strong partnership and achieve its goals for a high level of service with Contoso, Fabrikam decides to partner closely with Contoso for the purpose of completing an upcoming drug trial audit process for a new medication that Contoso currently has under development. To accomplish this goal, some Fabrikam employees need varying levels of access to the SharePoint site at Contoso.

About the lab configuration

To facilitate the partnership between the two companies and to enable managed, claims-based access (CBA) to the SharePoint site, the following federation configuration is used.


About the fictional employees

The fictional employees in the following table are used throughout the scenario in this document. You will log on to the test lab virtual machines to simulate the various federated identity and claims-based access scenarios in this guide and test different levels of access to the SharePoint application.


Employee          Role                          Company
Daniel Weisman    Drug Trial Administrator      Contoso Pharmaceuticals
Frank Miller      Drug Trial Process Auditor    Fabrikam Suppliers

About the scenario

For this scenario, Microsoft Office SharePoint Server 2007 is the application of choice to facilitate the business partnership between the two companies, Contoso Pharmaceuticals and Fabrikam Suppliers. For SharePoint site access, Microsoft Office SharePoint Server 2007 requires roles and/or user names so that it can grant access to its resources. In many enterprise SharePoint deployments today, customers such as Contoso and Fabrikam use Active Directory or Active Directory Domain Services (AD DS) to obtain the role and user information that is necessary to manage and authorize access to the SharePoint Web site. In this scenario, we are going to configure Microsoft Office SharePoint Server 2007 to obtain the role and user information from AD FS 2.0 instead of from Active Directory data for authorization purposes.

Next, we will use AD FS 2.0 in the Contoso domain to control which roles are sent to Microsoft Office SharePoint Server. We will also configure a second AD FS 2.0 instance in the Fabrikam domain to establish a federated trust relationship between the Fabrikam and Contoso domains. After this trust is established across the domains, we will also configure AD FS 2.0 in the Contoso domain to use an alternative external database as the source of the role information that it uses for SharePoint authorization. For this part of the scenario demonstration, the database that we use will be a Microsoft SQL Server® database.

The following tables briefly describe each step in this scenario, identify the user experience at that step in the scenario, and provide a link to the location in this guide for the instructions for completing that step. The entire guide includes eight steps.

Using AD FS 2.0 to provide role and user access to the SharePoint site

In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to use AD FS 2.0 instead of Active Directory or AD DS for obtaining role and user information. In addition, we configure AD FS 2.0 in the Contoso domain to issue role and user information to the SharePoint site.

Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server
  For Contoso Pharmaceuticals, this step demonstrates:
  • The IT pro experience for configuring Microsoft Office SharePoint Server 2007 to use AD FS 2.0 as a centralized authentication provider.

Step 2: Add the Domain Admins group as Administrator for the SharePoint site
  For Contoso Pharmaceuticals, this step demonstrates:
  • The IT pro experience of giving access to the SharePoint site based on the role information that AD FS 2.0 provides.

Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
  For Contoso Pharmaceuticals, this step demonstrates:
  • The IT pro experience that is necessary to add a new relying party (the SharePoint site) to an existing AD FS 2.0 deployment and to issue tokens with specific claims in it.

Step 4: Add new roles to the SharePoint site
  For Contoso Pharmaceuticals, this step demonstrates:
  • The IT pro experience of giving access to a SharePoint site by using claims that AD FS 2.0 issues.

Establishing a federated trust between two companies by using AD FS 2.0

In steps 5 through 7, we configure AD FS 2.0 to establish a federated trust relationship between the two companies. We also configure AD FS 2.0 to determine which roles are sent to the SharePoint server. After configuring these updates, we will then verify the authorization changes for both administrators and visitors to the site.

Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server
  For Contoso Pharmaceuticals, this step demonstrates:
  • The IT pro experience of configuring a federation server at Contoso to establish one side of the federated trust by enabling it to accept tokens from a partner federation server at Fabrikam.

Step 6: Configure Fabrikam to federate and issue tokens to Contoso
  For Fabrikam Suppliers, this step demonstrates:
  • The IT pro experience of configuring a federation server at Fabrikam to establish the other side of the federated trust by enabling it to issue tokens to a partner server at Contoso.

Step 7: Access the SharePoint site
  This step demonstrates:
  • The client-side experience when a user tries to access a federated resource from a Web browser or a rich client application, such as Microsoft Office Word.

Using a SQL Server database as an alternative to using Active Directory or AD DS as a data store

In the next step, step 8, we reconfigure AD FS 2.0 to use a Microsoft SQL Server database as an alternate data store to the Active Directory data store that we used in the previous configurations.

Step 8: Configure the Contoso federation server to get role values from a Structured Query Language (SQL) data store
  For Contoso Pharmaceuticals, this scenario demonstrates:
  • The IT pro experience for providing claims-based identity to users in which the values of the claims come from a SQL Server data store instead of an Active Directory database.


Protecting documents and libraries using Active Directory Rights Management Services

In the next step, step 9, we reconfigure AD FS 2.0 and the SharePoint site to use Active Directory Rights Management Services (AD RMS) for digital rights management of documents. In step 10, we configure a second document library that requires a stronger authentication type to access.

Step 9: Configure AD RMS for digitally protecting documents
  For Contoso Pharmaceuticals, this scenario demonstrates:
  • The IT pro experience for configuring AD RMS to use the ADFS Web agent and AD FS 2.0 for federated identity support.
  For Fabrikam, this scenario demonstrates:
  • The client computer modifications to enable the federated support for AD RMS and the end user experience of opening and browsing protected documents.

Step 10: Configure a SharePoint document library that requires stronger authentication
  For Contoso Pharmaceuticals, this scenario demonstrates:
  • Creation of a new document library.
  • Modification of the web.config file of the site so that it requires a stronger set of credentials to access the library.

Step 11: Configure AD FS 2.0 to permit only specific users
  For Contoso Pharmaceuticals, this scenario demonstrates:
  • Creation of rules in AD FS 2.0 so that only users in a specific rule get a token for the SharePoint server and others are denied.


Preinstallation Tasks

Before you install AD FS 2.0 to attempt this scenario, you must first set up four virtual machine (VM) computers that you will use to evaluate AD FS 2.0 in your lab environment.

Note: The following sections assume that you are working with the hands-on lab VM images that are provided for download on the Microsoft Web site. We recommend downloading the images if your intent is to evaluate the scenario and AD FS 2.0 technology in the shortest possible time frame. If you have more time and prefer to do so, you can build your own VM lab images for each of the four computers. This requires considerably more time to install and configure all the necessary software. For more information, see How to Set Up the AD FS 2.0 VM Lab Environment (http://go.microsoft.com/fwlink/?LinkId=179632).

Preinstallation tasks include the following:

• Download and extract VMs
• Create a new virtual network
• Import and start virtual machines

Administrative credentials

To perform all the tasks in this guide, log on to the virtual server computer—and to each of the four VMs that you create on it—with the local Administrator account for each computer. Where applicable, user passwords for accounts that are preconfigured as part of the VM images are provided.

Download and extract VMs

To utilize the downloadable VM images that are referenced in this guide, you should import and then run them using a host server computer running Microsoft Hyper-V™ under Windows Server® 2008 R2.

For the purposes of this step-by-step guide, if you did not create your own set of VMs, download the following files from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=148506):

• ContosoSrv01.zip
• ContosoSrv02.zip
• FabrikamSrv01.zip
• FabrikamSrv02.zip
• WS2008R2Fullx64Ent.zip

When the download is complete, extract the contents of the .zip files to a folder where the VMs will reside; for example, extract the folder ContosoSrv01, which is located in the ContosoSrv01.zip file, to c:\VM\. Repeat the step for ContosoSrv02, FabrikamSrv01, and FabrikamSrv02.

Note: For configuring the VMs using the images from the Microsoft Download Center, you will need 100 GB of available disk space on the computer that you use to host the four VMs that are referenced in this guide.

The WS2008R2Fullx64Ent.zip file contains the base VHD that must be copied to the Virtual Hard Disks folder of each one of the VMs. For example, for ContosoSrv01, copy the extracted WS2008R2Fullx64Ent.vhd from WS2008R2Fullx64Ent.zip to the c:\VM\ContosoSrv01\Virtual Hard Disks\ folder. Repeat the same step for ContosoSrv02, FabrikamSrv01, and FabrikamSrv02.

Create a new virtual network

All the VM images (for server computers as well as client computers) are preconfigured to use a virtual private network (VPN) interface. The following procedure explains how to re-create this network in Hyper-V to support the use of the VM images in your own test lab environment.

To create the virtual network for the AD FS 2.0 VM lab environment

1. On the host computer, open Hyper-V Manager. To open Hyper-V Manager, on the Start menu, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, on the Action menu, click Virtual Network Manager.

3. In Virtual Network Manager, click Internal for the type of virtual network that you want to create, and then click Add.

4. In New Virtual Network, for Name type Internal-Network, verify that for Type the Internal only option is selected, and then click OK.

Note: The network name is case sensitive and should be entered exactly as provided above. All four VMs will need to use this network, which will be a "local only" interface. All four VM images should already be IP configured as described in the following section.

Import and start virtual machines

Note: The downloadable virtual machine (VM) images that are referred to in this guide and that are made available on the Microsoft Download Center can only be imported and run on a host server computer that is running Microsoft Hyper-V on Windows Server 2008 R2.

The following table describes what is installed, along with the appropriate names and RAM settings to use for best results when you import the four VMs with Hyper-V.

CONTOSOSRV01
  RAM: 1.5 GB
  Software installed: Operating system: Windows Server 2008 R2 Enterprise. Roles: AD DS, AD CS, DNS, AD RMS
  IP configuration: 10.0.0.1/8 (AD DS, DNS, AD CS); 10.0.0.20/8 (AD FS 2.0); 10.0.0.30/8 (AD RMS)

FABRIKAMSRV01
  RAM: 1.5 GB
  Software installed: Operating system: Windows Server 2008 R2 Enterprise. Roles: AD DS, AD CS, DNS
  IP configuration: 10.0.0.101/8 (AD DS, DNS, AD CS); 10.0.0.120/8 (AD FS 2.0)

CONTOSOSRV02
  RAM: 1.5 GB
  Software installed: Operating system: Windows Server 2008 R2 Enterprise. Applications: Microsoft Office SharePoint Server 2007 SP1
  IP configuration: 10.0.0.2/8 (internal); 10.0.0.40/8 (external)

FABRIKAMSRV02
  RAM: 1.5 GB
  Software installed: Operating system: Windows Server 2008 R2 Enterprise. Applications: Microsoft Office Professional 2007
  IP configuration: 10.0.0.110/8

To import the AD FS 2.0 lab VMs

1. In Hyper-V Manager, on the Action menu, click Import Virtual Machine.

2. In the Import Virtual Machine dialog box, click Browse.

3. In the Select Folder dialog box, browse and locate the named folder for the VM that you want to import. For example, to import the CONTOSOSRV01 VM, navigate to c:\VM, select the ContosoSrv01 folder, and click Select Folder.

4. For the Settings, keep Move or restore the virtual machine selected.

5. Click Import to begin importing the VM.


Repeat steps 1 through 4 for all named VMs in the previous table. We recommend that you not start all four VMs at the same time. Instead, it is preferable for performance reasons to start each VM by itself. When the VM is turned on and running, start another VM. Also, the order in which you start VMs by using Hyper-V Manager is important. For best results, start the four VMs one at a time in the following order: CONTOSOSRV01, FABRIKAMSRV01, CONTOSOSRV02, FABRIKAMSRV02.

If, after turning the VM on and logging in, you are prompted to restart the VM, choose to restart.

Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server

In this step, we reconfigure the SharePoint site that is installed on CONTOSOSRV02 so that it can accept tokens from AD FS 2.0:

• Configure the SharePoint site with a custom Role and Membership provider. The SharePoint site application code calls this Role and Membership provider to validate a user and role information and also to get user information at invite and access time, such as the user name and what roles the user belongs to.

• Configure the SharePoint site to trust the Contoso Federation Service and accept security tokens from it.

To configure the SharePoint site to trust and use the Contoso federation server

1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23" as the user password.

2. Click Start, All Programs, click Microsoft Federation Extensions for SharePoint, and then click Federation Utility for SharePoint 3.0.

3. For the Administrator Configuration file location, browse to c:\inetpub\wwwroot\wss\VirtualDirectories\37101 and select web.config, and then click Next.

   Note: SharePoint creates the administrator configuration folder with a random number. In this case, it was created in folder 37101. It might be different for you.

4. For the Application configuration location, browse to c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then select web.config.

5. For the application URI, type https://docs.contoso.com.

6. For SharePoint Security Zone for the Application, select Extranet, and then click Next.

7. For STS WS-Federation metadata document location, type https://sts1.contoso.com, and then click Next.

8. On the next screen, keep Disable certificate chain validation, and then click Next.

9. On the next screen, keep the No encryption option selected, and then click Next.

10. Click Next again, and then click Finish. After you click Finish, it will take a few minutes to configure.

11. Click OK when the SharePoint site is fully configured.

Step 2: Add the Domain Admins group as Administrator for the SharePoint site

In this step, we grant full access to the SharePoint site to users who belong to the Domain Admins group.

To add the Domain Admins group to the Administrators group for the SharePoint site

1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23" as the user password.

2. Click Start, Administrative Tools, and then SharePoint 3.0 Central Administration.

3. On the Central Administration (http://contososrv02:37101) page, click the Application Management tab.

4. On the Application Management page, click Policy for Web application.

On the next page, we change to the SharePoint site that we are actually configuring.

5. Click the Web Application drop-down list, and then click Change Web Application.

6. In the Select Web Application window that pops up, click Sharepoint:80 for the site to be configured.

7. On the Policy for Web Application page, click Add Users.

8. In the Zones drop-down list, select the Extranet zone to which we will add users, and then click Next.

9. On the next page, we add the Domain Admins role. In the Users text box, type Role#Domain Admins. To give Domain Admins Full Control permissions, select the check box for Full Control, and then click Finish.

   Note: The Role# prefix tells the custom Role provider that Domain Admins is a role. If you add Domain Admins without this prefix, Domain Admins is treated as a user.

10. On the next page, you see the Domain Admins role added with full control of the site.
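The following Python is an added example (not part of the Microsoft guide) that models the Role# convention from the note above: a policy entry prefixed with Role# is matched against the role claims in the AD FS 2.0 token, while any other entry is matched against the user name claim, so an entry typed without the prefix silently grants nothing to group members. The Token and PolicyEntry structures, the function names, and the sample tokens are assumptions constructed for illustration.

```python
"""Added example, not from the Microsoft guide: how a Role#-prefixed policy
entry is matched against token claims.  All names and sample data here are
constructed assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass

ROLE_PREFIX = "Role#"


@dataclass(frozen=True)
class Token:
    """Claims of interest from a token issued by the Contoso federation server."""
    name: str                                   # user name claim
    roles: frozenset[str] = frozenset()         # role claims, e.g. "Domain Admins"


@dataclass(frozen=True)
class PolicyEntry:
    """One row of the SharePoint 'Policy for Web Application' page."""
    zone: str          # SharePoint zone the entry applies to, e.g. "Extranet"
    principal: str     # text typed in the Users box, e.g. "Role#Domain Admins"
    permission: str    # e.g. "Full Control"


def parse_principal(principal: str) -> tuple[str, str]:
    """Split a policy principal into ("role", name) or ("user", name).

    The Role# prefix is what tells the custom Role provider the entry is a role;
    without it the very same text is treated as a user name.
    """
    if principal.startswith(ROLE_PREFIX):
        return "role", principal[len(ROLE_PREFIX):]
    return "user", principal


def entry_applies(entry: PolicyEntry, token: Token, zone: str) -> bool:
    """True if the entry is in the requested zone and matches the token's claims."""
    if entry.zone != zone:
        return False
    kind, name = parse_principal(entry.principal)
    if kind == "role":
        return name in token.roles          # compare against role claims
    return name == token.name               # compare against the user name claim


def effective_permissions(policy: list[PolicyEntry], token: Token, zone: str) -> set[str]:
    """Permissions the token holder receives in the given zone under this policy."""
    return {e.permission for e in policy if entry_applies(e, token, zone)}


# Constructed sample policies: the entry as the guide configures it (with the
# Role# prefix) and a mistaken variant typed without the prefix.
POLICY_OK = [PolicyEntry("Extranet", "Role#Domain Admins", "Full Control")]
POLICY_NO_PREFIX = [PolicyEntry("Extranet", "Domain Admins", "Full Control")]

# Constructed sample tokens: a Contoso domain administrator and an ordinary user.
ADMIN_TOKEN = Token(name="CONTOSO\\Administrator",
                    roles=frozenset({"Domain Admins", "Domain Users"}))
USER_TOKEN = Token(name="CONTOSO\\dweisman", roles=frozenset({"Domain Users"}))


if __name__ == "__main__":
    for label, policy in (("with Role#", POLICY_OK), ("without Role#", POLICY_NO_PREFIX)):
        print(label, "admin ->", effective_permissions(policy, ADMIN_TOKEN, "Extranet"))
        print(label, "user  ->", effective_permissions(policy, USER_TOKEN, "Extranet"))
```

Running it shows that the unprefixed entry grants Full Control to nobody in the Extranet zone, because no token carries a user name claim of "Domain Admins".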

Page 87: Adfs2 Share Point Federated Collaboration Step by Step Guide

Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site

In this step, we configure the federation server in the Contoso domain to issue tokens to the SharePoint site. That is, we add the SharePoint site as the relying party. We also configure the Contoso federation server to use Active Directory as the source of role and user information.

To add the SharePoint site as a relying party for the Contoso federation server

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, click Required: Add a trusted relying party.
4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to begin adding the SharePoint site as a relying party.
5. On the Select Data Source page, keep the default option selected, and then type the following URL:

https://docs.contoso.com/_LAYOUTS/images/443/federationmetadata/2007-06/federationmetadata.xml

This is the location of the SharePoint federation metadata file, which was produced when we ran the tool on the ContosoSrv02 server.

6. Click Next to go to the Specify Display Name page, where you can enter a display name for the SharePoint site. Type SharePoint Docs Site on Contoso, and then click Next.
7. On the Choose Issuance Authorization Rules page, keep the default option selected, and then click Next.
8. Click Next, and then click Close to finish adding the SharePoint site as a relying party and start the Rules Editor to configure which claims will be sent to the SharePoint site.

Now that we have added the SharePoint site as a relying party, we configure the claims to send to it.

To configure the claims to be sent to the SharePoint site

1. In the Rules Editor, click Add Rule.
2. On the Select Rule Template page, keep the default option Send LDAP Attributes as Claims selected, and then click Next.
3. On the Configuration Rule page, type Outgoing Name and Role Claim for SharePoint in the Claim rule Name field. For the Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing Name claim, Token-Groups – Unqualified Names for the Role claim, and E-Mail-Addresses for the outgoing E-mail Address claim, and then click Finish.
4. Click OK to close the Rules Editor.

Step 4: Add new roles to the SharePoint site

Now we add a few new roles to the SharePoint site that will have restricted access. We add a role called DrugTrial1Admins that will have administrator access to the site. We then add another role called DrugTrial1Auditors that will have visitor access to the SharePoint site. We do this by accessing the SharePoint site as an Administrator. The Administrator account belongs to the Domain Admins Role/Group, and it has full access to the SharePoint site.

To add the DrugTrial1Admins role with administrator access to the SharePoint site

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Navigate to the SharePoint site by going to https://docs.contoso.com/. The site redirects you to the STS login page (as shown below) and asks you to authenticate to the STS.
3. Sign in to the SharePoint site using the administrator credentials by typing Contoso\administrator for the user name and demo!23 for the password.
4. Back on the SharePoint site, on the Site Actions menu, click Site Settings, and then click People And Groups.
5. To add a group to the Home Owners group, click the Home Owners link in the Groups pane.
6. On the next page, click New, and then click Add Users.
7. In Users/Groups, type Role#DrugTrial1Admins, and then click OK.

On the next page, you see Role#DrugTrial1Admins as a member of the Home Owners group.

To add the DrugTrial1Auditors role with visitor access to the SharePoint site

1. In the browser window that you opened to the SharePoint administration site previously, under Groups, click Home Visitors.
2. On the next page, click New, and then click Add Users.
3. In the input box, type Role#DrugTrial1Auditors, and then click OK.
4. Role#DrugTrial1Auditors appears in the Home Visitors group.

To verify that the new roles are working when you access the SharePoint site

1. Close the browser window, reopen Internet Explorer, and navigate to https://docs.contoso.com.
2. On the STS sign-in page, sign in using DanielW's credentials (Username: contoso\danielw, Password: demo!23). DanielW is a member of the DrugTrial1Admins group.
3. The STS logs you in and redirects you back to Docs.contoso.com with a token that contains the role of DrugTrial1Admins. The user name that you logged on with ([email protected]) appears in the SharePoint site, and you have full access to the SharePoint site because the user belongs to a group (DrugTrial1Admins) that has full access to the site.

Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server

In this step, we configure the federation server at Contoso to trust the federation server at Fabrikam and accept security authorizations from it. To do this, we add a claims provider trust for the Fabrikam federation server at the Contoso federation server. We also configure the federation server at Contoso to accept claims only if the values presented meet certain restrictions.

To add the Fabrikam federation server as a claims provider at the Contoso federation server

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.
3. After the AD FS 2.0 console is loaded, expand Trust Relationships. Click Claims Provider Trust, and then, in the Actions pane, click Add Claims Provider Trust.
4. The Add Identity Provider Wizard opens. Click Start to begin the wizard.
5. On the Choose Data Source page, click Import identity provider configuration from federation metadata on the network. For Federation metadata URL or host name, type sts2.fabrikam.com, and then click Next.
6. On the next page, type a name for the identity provider (Fabrikam Identity Provider), and then click Next.
7. Click Next on the screen that appears, and then click Close when the wizard finishes saving the policy.

When the wizard exits, the Rules Editor opens and we can specify which claims (and the values for those claims) to accept from the Fabrikam federation server. In the Rules Editor, we are going to add two new rules. In the first rule, we only pass through the e-mail claim if it ends with "@fabrikam.com". In the second rule, we only pass through the Role claim if it has a value of "DrugTrial1Auditors".

To configure the claims acceptance policy for the Fabrikam identity provider

1. In the Rules Editor, click Add Rule.
2. In the Select Rule Template window, click Pass Through or Filter an Incoming Claim for the Claim rule template, and then click Next.
3. For the Claim rule name, type Email Filter. For the Incoming Claim Type, select E-Mail Address, and then click Pass through only claims values that match a specific email suffix value. For Email suffix value, type fabrikam.com, as shown in the following illustration, and then click Finish.
4. For the second rule, click Add Rule.
5. In the Select Rule Template window, select Pass Through or Filter an Incoming Claim for the Claim rule template, and then click Next.
6. For the Claim rule name, type Role Filter. For the Incoming Claim Type, select Role, and then click Pass through only a specific claims value. For Incoming claim value, type DrugTrial1Auditors, as shown in the following illustration, and then click Finish.
7. Click OK to exit the claims editor.

We now go back and update the relying party policy of Contoso that specifies how to transform the incoming claims into the outgoing claims.

To update the claims issuance policy for the SharePoint site on the Contoso federation server

1. In the AD FS 2.0 Management console, in the console tree, expand Trust Relationships, and then click Relying Party Trusts.
2. In the details pane, click SharePoint Docs Site on Contoso.
3. On the Action menu, click Edit Claim Rules.
4. In the Rules Editor, we add two new rules. In the first rule, we just pass through the Role claim. Click Add Rule.
5. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim for Claim rule template, and then click Next.
6. For the Claim rule name, type Role pass through, select Role for Incoming claim type, and then click Finish. Click Yes in the dialog box that appears.

We now add the second rule to transform the incoming e-mail claim from Fabrikam into the Name claim that the SharePoint site expects.

7. Click Add Rule.
8. On the Select Rule Template page, click Transform an Incoming Claim for Claim rule template, and then click Next.
9. For the Claim rule name, type Email to Name transform, for Incoming claim type, select E-Mail Address, and for Outgoing claim type, select Name. Keep the default options selected, and click Finish. Click Yes in the dialog box that appears.
10. Click OK to exit the Rules Editor.
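The two acceptance rules on the claims provider trust and the two issuance rules on the relying party trust form a small pipeline. The following Python, added here as an illustration and not part of this guide or of AD FS, models that pipeline so you can see which claims from a Fabrikam token actually reach the SharePoint site; the Name claim type URI, the anchored suffix match, and the sample token contents are assumptions.

```python
import re
from dataclasses import dataclass

# Claim type URIs for E-Mail Address and Role as they appear in the custom
# rules later in this guide. The Name URI is an assumption (not on the page).
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# "Pass through only claim values that match a specific email suffix value"
# is modelled as an anchored match on the part after the "@", so a domain
# that merely contains "fabrikam.com" somewhere does not pass.
FABRIKAM_EMAIL = re.compile(r"^.+@fabrikam\.com$", re.IGNORECASE)


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


def acceptance_rules(incoming):
    """Claims provider trust rules for 'Fabrikam Identity Provider'.

    'Email Filter': pass E-Mail Address claims only for the fabrikam.com suffix.
    'Role Filter':  pass Role claims only when the value is DrugTrial1Auditors.
    Every other claim the partner asserts is dropped before issuance runs.
    """
    accepted = []
    for c in incoming:
        if c.type == EMAIL and FABRIKAM_EMAIL.match(c.value):
            accepted.append(c)
        elif c.type == ROLE and c.value == "DrugTrial1Auditors":
            accepted.append(c)
    return accepted


def issuance_rules(accepted):
    """Relying party trust rules for 'SharePoint Docs Site on Contoso'.

    'Role pass through':       Role -> Role, value unchanged.
    'Email to Name transform': E-Mail Address -> Name, value unchanged.
    """
    issued = []
    for c in accepted:
        if c.type == ROLE:
            issued.append(c)
        elif c.type == EMAIL:
            issued.append(Claim(NAME, c.value))
    return issued


def token_for_sharepoint(incoming):
    """Claims the Contoso STS issues to the SharePoint site for a Fabrikam token."""
    return issuance_rules(acceptance_rules(incoming))


# Constructed sample tokens (addresses and the extra role claim are made up).
FRANK_TOKEN = [
    Claim(EMAIL, "frankm@fabrikam.com"),
    Claim(ROLE, "DrugTrial1Auditors"),
    Claim(ROLE, "DrugTrial1Admins"),     # dropped: not the accepted role value
]
OTHER_DOMAIN_TOKEN = [
    Claim(EMAIL, "someone@contoso.com"),  # dropped: wrong e-mail suffix
    Claim(ROLE, "DrugTrial1Auditors"),
]

if __name__ == "__main__":
    for label, token in (("frankm", FRANK_TOKEN), ("other", OTHER_DOMAIN_TOKEN)):
        short = [(c.type.rsplit("/", 1)[1], c.value) for c in token_for_sharepoint(token)]
        print(label, short)
```

Frank ends up with exactly one Name claim and one Role claim (DrugTrial1Auditors); a token that asserts an address outside fabrikam.com yields no Name claim at all, so the SharePoint site never sees an identity the Fabrikam trust was not configured to vouch for.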

Step 6: Configure Fabrikam to federate and issue tokens to Contoso

In this step, we configure the federation server at Fabrikam to issue tokens to the federation server at Contoso to enable federation; that is, we add the Contoso federation server as a relying party on the Fabrikam federation server. We also configure the claims that the federation server at Fabrikam should send to the federation server at Contoso.

To add the Contoso federation server as a relying party on the Fabrikam federation server

1. Log on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, click the link Required: Add a trusted relying party.
4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to begin adding the Contoso federation server as a relying party.
5. On the Select Data Source page, keep the default option selected, click Import data about the relying party published online or on a local network, type sts1.contoso.com, and then click Next.
6. On the Specify Display Name page, type Contoso STS for a display name, and click Next.
7. Complete the rest of the wizard with the default options selected. Click Close at the end to start the Rules Editor.

To configure claims for the Contoso federation server relying party

1. In the Rules Editor, click Add Rule.
2. On the Select Rule Template page, keep the default option Send LDAP Attributes as Claims selected, and then click Next.
3. On the Configuration Rule page, type Outgoing Email address claim in the Claim rule Name field. For the Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing E-Mail Address claim, and then click Finish.

Add another rule so that the Role claim is sent only if the user belongs to the DrugTrial1Auditors group; the value for that claim will be DrugTrial1Auditors. To add this rule:

4. Click Add Rule.
5. In the drop-down menu, select Send Group Membership as a Claim, and then click Next.
6. For the Claim rule name, type Send Role Claim.
7. Then, click Browse, type DrugTrial1Auditors, click Check Names, and then click OK.
8. For the outgoing claim type, select Role and for outgoing claim value, type DrugTrial1Auditors, and then click Finish.
9. Click OK to close the Rules Editor.

To verify that the Fabrikam identity provider is working properly

1. Remain logged on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator.
2. Open Internet Explorer (make sure no other instances of Internet Explorer were already open), and navigate to the docs site at https://docs.contoso.com, which redirects you to the STS login page.
3. At the Contoso STS sign-in page, select Fabrikam Identity Provider from the drop-down list, and then click Continue to Sign In.
4. On the Fabrikam sign-in page, sign in using the credentials of Frank Miller with the username fabrikam\frankm and password demo!23.

After you are signed in, you are redirected to the SharePoint site with read-only access to the site. This is because the group that FrankM belongs to, DrugTrial1Auditors, has visitor-only access to the site.

Step 7: Access the SharePoint site

In this step, we access the SharePoint site that is hosted in the Contoso domain from a client computer in the Fabrikam domain. We attempt to:

1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\frankm with "demo!23" as the user password.
2. Open Internet Explorer, and then browse to https://docs.contoso.com.
3. The first thing you will see is the Contoso Server Sign-in page with the drop-down list of Identity Providers. This step is called Home Realm Discovery. From the drop-down list, choose Fabrikam Identity Provider, and then click Continue to Sign In.
4. After you select the button, you navigate to the Fabrikam federation server sign-in pages, where Frank is authenticated using Windows Integrated Authentication. Frank is not prompted for credentials.
5. After Frank is authenticated, he is redirected back to the Contoso STS sign-in pages. When the Contoso STS verifies that Frank is indeed from Fabrikam, he is further redirected to the SharePoint server and has visitor access to the site.

To open a document directly from the SharePoint site using Microsoft Office Word

Note

Accessing a document that is present at the SharePoint site directly from Microsoft Office Word requires Microsoft Office Service Pack 2 (SP2) and Windows Vista® SP2. Also, for the Group Policy changes that we made in the previous step to take effect, restart the FABRIKAMCLT01 VM before you continue with this step.

Note

Accessing a document that is present at a federated SharePoint site directly from Microsoft Office Word requires Microsoft Office Service Pack 2 (SP2) and KB969413.

1. Log on to the FABRIKAMSRV02 computer as user "frankm" with "demo!23" as the user password.
2. Open Microsoft Office Word.
3. Click the Word Office button, and then click Open.
4. Type the URL of the document that is located on the SharePoint site as follows:

https://docs.contoso.com/Docs/Documents/Contoso%20-%20Statement%20of%20General%20Terms.docx

5. You should see the same browser experience that you saw when accessing the SharePoint site using Internet Explorer. After you select your identity provider, you are authenticated and the document is downloaded directly from the federated SharePoint site.

Step 8: Configure the Contoso federation server to get values from a SQL data store

In this step, we configure the Contoso federation server to pull role information from a SQL database (HOL Doctors Role) based on the e-mail address for each user. In this database, we have three tables for sourcing the roles that we want to use here. We take the e-mail address of the user who is trying to access the SharePoint site and use it to look up in the database what role the user should have.

Table 1 (dbo.URT) contains a list of e-mail addresses of doctors, the role that they have, and the drug trial that they belong to.

Table 2 (dbo.TS) contains information about which SharePoint site belongs to which drug trial.

Table 3 (dbo.RS) maps the roles in the database to the roles in the Contoso SharePoint site.

To begin using these roles, we must first add these roles to the SharePoint site and give them the correct access permissions.

To provide access for the SQL-based roles to the SharePoint site

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Navigate to the SharePoint site by going to https://docs.contoso.com/.
3. The site redirects you to the STS login page and asks you to authenticate to the STS. On the STS login page, click Sign in using your account at this identity provider, and then click Sign In. On the next page, sign in using the administrator credentials: username contoso\administrator and password demo!23.
4. On the SharePoint site, click Site Actions, click Site Settings, and then click People and Groups.
5. To add the sp_admin group, in the left pane, click Home Owners, click New, and then click Add Users.
6. On the new screen, type Role#sp_admin in the text box, and then click OK.
7. Delete the previously added administrator role. Select the Role#DrugTrial1Admins check box. On the Actions menu, click Remove Users from Group, and then click OK in the confirmation dialog box.
8. To add the sp_visitor group, under Groups, click Home Visitors, click New, and then click Add Users.
9. On the next screen, type Role#sp_visitor in the text box, and then click OK.
10. Delete the previously added role. Select Role#DrugTrial1Auditors. In the Actions pane, click Remove Users from Group, and then click OK in the confirmation dialog box.

Now, we update the Contoso federation server to also pull role claim values from the SQL database on this computer.

To add a local SQL database as an attribute store for the Contoso federation server

1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console (if it is not still open). On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
3. In the console tree, expand Trust Relationships, and then click Attribute Stores.
4. In the Actions pane, click Add Attribute Store.
5. Clicking the link opens the Add an Attribute Store dialog box. Type HOL Doctors Role as the display name. For Attribute Store Type, select SQL, type the following connection string, and then click OK to finish. For your convenience, this connection string is in a text file on the desktop, called DataBase Connect:

Data Source=CONTOSOSRV01;Initial Catalog=HOL Doctors Role;Integrated Security=True

Now that we have connected to the database, we must update the SharePoint rules in the Contoso federation server regarding where to get role claim values.

To update policy to pull role claim values from the SQL attribute store

1. In the console tree of the AD FS 2.0 Management console, under AD FS 2.0 and Trust Relationships, click Relying Party Trusts. In the Relying Party Trusts list, click SharePoint Docs Site on Contoso, and then in the Actions pane, click Edit Claim Rules.
2. The Rules Editor opens. To create a new custom rule, click Add Rule.
3. In the new window that appears, click Send Claims Using a Custom Rule, and then click Next.
4. In the first rule, we look up which trial the https://docs.contoso.com/ site belongs to. The custom rule is presented here. For the Claim rule name, type Trial Lookup and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule1 on the desktop. You can copy and paste it from there.)

=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param = "https://docs.contoso.com/");

5. Add a second custom rule. In this rule, we use the previously queried trial information together with the user's e-mail address to discover which role the user belongs to. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type User Role and for Custom rule, type the following. (For convenience, this rule is saved in a file called Custom Rule2 on the desktop. You can copy and paste it from there.)

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"] => add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"), query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);

6. Now we create a third custom rule. In the third rule, we use the previously queried role claim to look up the SharePoint role and assign the value to the outgoing role claim. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type SharePoint Role and for Custom rule, type the following. (For convenience, this rule is saved in a file called Custom Rule3 on the desktop. You can copy and paste it from there.)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"] => issue(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);

7. Click OK to save these new rules and exit the Rules Editor.
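The three custom rules form a lookup chain: site to trial, (e-mail, trial) to database role, database role to SharePoint group. The following Python, added here as an illustration and not part of this guide or of AD FS, models that chain against an in-memory SQLite stand-in for the HOL Doctors Role database; the table rows, Daniel's and Frank's e-mail addresses, the dropped dbo. prefix, and the treatment of {0}/{1} as bound SQL parameters are assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Claim type URIs exactly as used by the three custom rules above.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
TRIAL = "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"
TRIAL_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SITE = "https://docs.contoso.com/"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


def build_store():
    """In-memory stand-in for the 'HOL Doctors Role' database.

    Table and column names follow the guide (dbo.TS, dbo.URT, dbo.RS); the
    dbo. schema prefix is dropped for SQLite. All rows are constructed samples.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE TS  (SharePointSite TEXT, Trial TEXT);
        CREATE TABLE URT (UserName TEXT, Role TEXT, Trial TEXT);
        CREATE TABLE RS  (Role TEXT, SharePointGroup TEXT);
    """)
    db.execute("INSERT INTO TS VALUES (?, ?)", (SITE, "DrugTrial1"))
    db.executemany("INSERT INTO URT VALUES (?, ?, ?)", [
        ("danielw@contoso.com", "Admin", "DrugTrial1"),
        ("frankm@fabrikam.com", "Auditors", "DrugTrial1"),
        ("frankm@fabrikam.com", "Admin", "DrugTrial2"),  # admin of another trial only
    ])
    db.executemany("INSERT INTO RS VALUES (?, ?)", [
        ("Admin", "sp_admin"),
        ("Auditors", "sp_visitor"),
    ])
    return db


def query_store(db, claim_type, query, params):
    """Model of add()/issue(store=..., types=(...), query=..., param=...).

    The {0}/{1} placeholders of the rule become numbered SQL parameters (?1, ?2)
    so claim values are bound, never spliced into the query text. One claim of
    claim_type is produced per returned row.
    """
    return [Claim(claim_type, row[0]) for row in db.execute(query, params)]


def sharepoint_role_claims(db, incoming):
    """Run the three custom rules in order and return the issued Role claims.

    add() places a claim in the rule pipeline for later rules to read but does
    not issue it; only rule 3 uses issue(), so only the mapped role leaves.
    """
    pipeline = list(incoming)

    # Rule 1 "Trial Lookup": which trial does this SharePoint site belong to?
    pipeline += query_store(db, TRIAL,
                            "SELECT Trial FROM TS WHERE SharePointSite = ?1", (SITE,))

    # Rule 2 "User Role": for each e-mail (c1) and trial (c2) pair, look up the
    # user's role in that trial. {0} is the e-mail, {1} the trial, as on the page.
    emails = [c.value for c in pipeline if c.type == EMAIL]
    trials = [c.value for c in pipeline if c.type == TRIAL]
    for email in emails:
        for trial in trials:
            pipeline += query_store(
                db, TRIAL_ROLE,
                "SELECT Role FROM URT WHERE Trial = ?2 AND UserName = ?1",
                (email, trial))

    # Rule 3 "SharePoint Role": map the database role to the SharePoint group
    # and issue it as the outgoing Role claim.
    issued = []
    for c in pipeline:
        if c.type == TRIAL_ROLE:
            issued += query_store(db, ROLE,
                                  "SELECT SharePointGroup FROM RS WHERE Role = ?1",
                                  (c.value,))
    return issued


def roles_for(email):
    """Outgoing Role claim values for a user whose token carries this e-mail."""
    db = build_store()
    try:
        return [c.value for c in sharepoint_role_claims(db, [Claim(EMAIL, email)])]
    finally:
        db.close()


if __name__ == "__main__":
    for who in ("danielw@contoso.com", "frankm@fabrikam.com", "nobody@fabrikam.com"):
        print(who, roles_for(who))
```

Frank's Admin row for DrugTrial2 never reaches the site because rule 1 pins the lookup to the trial that docs.contoso.com belongs to, and an e-mail with no row in dbo.URT yields no Role claim at all.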

Now that the issuance rules are in place to pull claims from the SQL-based attribute store, we can test the new policy by accessing the SharePoint site. First, we access the site from within Contoso.

To verify revisions in access policy to the SharePoint site from within Contoso

1. Log on to the CONTOSOSRV01 computer as CONTOSO\administrator with "demo!23" as the user password.
2. Navigate to https://docs.contoso.com. (Make sure that you opened a new browser window and that there were no browser windows already open.)
3. When you are redirected to the STS login page, you will see sts1.contoso.com in the drop-down menu. Click Continue to Sign In.
4. On the Username and password logon page, type the following information, and then click Sign In. If you are prompted to save credentials, click No.

Username: contoso\danielw
Password: demo!23

5. When you are logged in to the site, you see that Daniel has full access to the SharePoint site because he belongs to the Admin group in the SQL database. The Admin group maps to the sp_admin group on the SharePoint site with full site access.

Now that you have verified that Daniel from the Contoso domain has write access, try logging in to the SharePoint site from a computer in the Fabrikam domain with Frank's account.

To verify revisions in access policy to the SharePoint site from within Fabrikam

1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\frankm with "demo!23" as the user password.
2. When you are logged in, open Internet Explorer, and navigate to https://docs.contoso.com.

Because of the Auto Card policy changes that we implemented earlier, your Fabrikam Information Card is automatically selected and used to sign you in to the Contoso SharePoint site. You are logged into the site with read-only access. This is because the user FrankM belongs to the Auditors group, that group maps to the sp_visitor group on the SharePoint site, and that group has read-only access to the site.

Step 9: Configure AD RMS for digitally protecting documents

In this step, we configure Active Directory Rights Management Services (AD RMS) for use in protecting selected documents that are stored in the documents library on the SharePoint site. As part of the setup for this lab, the AD RMS role is already installed on the CONTOSOSRV01 VM. In this step, you add role services and the Active Directory Federation Services (AD FS) Web Agent to enable AD RMS to support this scenario configuration.

Install the AD FS Web Agent

You can use the Add Roles Wizard to add the AD FS Web agent on the CONTOSOSRV01 VM.

To install the AD FS Web agent on ContosoSrv01

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.
3. On the next page, click Active Directory Federation Services, and then click Next.
4. On the next page that appears, click Next.
5. On the next page that appears, click AD FS Web Agent. Select only the Claims-aware Agent check box, and then click Next.
6. On the next page, click Install, and then click Close after the installation is complete.

Now we need to add a Role Service for AD RMS.

Install AD RMS Role Services

To install AD RMS Role Services on ContosoSrv01

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open Server Manager and start the Add Roles Wizard. To start the Add Roles Wizard, click Start, click Administrative Tools, and then click Server Manager.
3. In the Roles section, scroll down to Active Directory Rights Management Services, and then click Add Role Services.
4. When the wizard opens, select Identity Federation Support, and then click Next.
5. Type the federation server name. In this case, type sts1.contoso.com, and then click Validate.
6. After the name is validated, click Next.
7. On the next page, click Install.
8. After the installation is complete, click Close.

Now that we have added all the roles and services, we have to turn on federation support in AD RMS.

To enable federation support for the AD RMS role

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open the Active Directory Rights Management Services console.
3. To open the Active Directory Rights Management Services console, click Start, click Administrative Tools, and then click Active Directory Rights Management Services. The Active Directory Rights Management Services snap-in should appear in Microsoft Management Console (Mmc.exe).
4. Click Yes in the dialog box that appears.
5. In the console tree, expand the server name (contososrv01), expand Trust Policies, right-click Federated Identity Support, and then click Enable Federated Identity Support.

Because AD RMS is running under a service account (adrmssrvc), we must ensure that this account has privileges to write to security audit logs.

To allow the AD RMS service account to write to security audit logs

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.
2. Open the Group Policy Management snap-in. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In the console tree, expand Forest: Contoso.com, expand Domains, expand Contoso.com, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit. The Group Policy Management Editor opens.
4. In the console tree, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
5. In the details pane, double-click Generate security audits. The Generate security audits Properties dialog box appears.
6. Click Add user or groups, and then click Browse.
7. In the Select Objects dialog box, type adrmssrvc, click Check Names, click OK, and then click OK again. The Generate security audits Properties dialog box should appear as shown in the following screen shot.
8. Click OK to exit the dialog box.

So that the changes can take effect, do the following: Click Start, right-click Command Prompt, and then click Run as Administrator. At the command prompt, type iisreset, and then press ENTER. After the command runs, type exit, and then press ENTER to close the command prompt window.

We are now ready to integrate AD RMS with AD FS 2.0. In AD FS 2.0 we are going to add two relying parties. One relying party is for the AD RMS certificate service, and the other is for the AD RMS licensing service.

To add a relying party for the AD RMS certificate service

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.

2. Open the AD FS 2.0 Management console. On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add Relying Party Trust. When the Add Relying Party Wizard opens, click Start.

4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

5. On the Specify Display Name page, in Display name, type AD RMS Certification Service, and then click Next.

6. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click Next.

7. On the Configure URL page, for WS-Federation Passive URL, type https://adrms.contoso.com/_wmcs/certificationexternal/, and then click Next.

8. On the Configure Identifiers page, click Next.

9. On the Choose Issuance Authorization Rules page, keep the default option, Permit all users to access this relying party, selected, and then click Next.

10. On the next page, click Next.

11. On the Finish page, click Close.

This opens the Rules Editor. The AD RMS Licensing Service is expecting the e-mail address of the user.

Now, we create two rules. In the first rule, we take the e-mail address for the user from the Lightweight Directory Access Protocol (LDAP) attribute store and send it as an AD FS e-mail address claim. In the second rule, we take the incoming e-mail claim from Fabrikam and convert that also into an AD FS e-mail claim.

To update policy to process e-mail claims for the AD RMS Licensing Service

1. In the Rules Editor, click Add Rule. In the new window that appears, select Send LDAP Attributes as Claims, and then click Next.

2. For the Claim rule name, type Email as AD FS 1.x Email. For Attribute store, select Active Directory. In LDAP attribute, select E-Mail-Addresses, and in Outgoing Claim Type, select AD FS 1.x E-Mail Address. Click Finish.

3. For the second rule, click Add Rule. In the new window that appears, select Transform an Incoming Claim, and then click Next.

4. For the Claim rule name, type Transform incoming Email to AD FS 1.x Email. For Incoming claim type, select E-Mail Address, and in Outgoing claim type, select AD FS 1.x E-Mail Address, and then click Finish. Click Yes in the dialog box that appears.

5. For the third rule, click Add Rule. In the new window that appears, select Transform an Incoming Claim, and then click Next.

6. For the Claim rule name, type Transform AD FS 1.x Email to Name Identifier. For Incoming claim type, select AD FS 1.x E-Mail Address; in Outgoing claim type, select Name ID; and in Outgoing name ID format, select Email. Click Finish, and then click Yes in the dialog box that appears.

7. Click OK to exit the Rules Editor.

To add the AD RMS Licensing Service, repeat the same steps that you completed to add the certification service, except give it a friendly name of AD RMS Licensing Service and enter the URL as https://adrms.contoso.com/_wmcs/licensingexternal/.

To add a relying party for the AD RMS Licensing Service

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.

2. Open the AD FS 2.0 Management console. On the Start menu, point to Administrative Tools, and then click AD FS 2.0 Management.

3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add Relying Party Trust.

4. When the Add Relying Party Wizard opens, click Start.

5. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

6. On the Specify Display Name page, in Display name, type AD RMS Licensing Service, and then click Next.

7. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click Next.

8. On the Configure URL page, in WS-Federation Passive URL, type https://adrms.contoso.com/_wmcs/licensingexternal/, and then click Next.

9. On the Configure Identifiers page, click Next.

10. On the Choose Issuance Authorization Rules page, keep the default option, Permit all users to access this relying party, selected, and then click Next.

11. Click Next, and then click Close.

Clicking Close starts the Rules Editor.

As in the previous step, add three rules:

1. In the first rule, send out the E-Mail Address as an AD FS 1.x e-mail claim, and create it from the LDAP attribute store.

2. In the second rule, transform the incoming E-Mail Address claim to an outgoing AD FS 1.x E-Mail Address claim, as shown above.

3. In the third rule, transform the AD FS 1.x E-Mail Address claim to a Name ID claim in Email format, as shown above.

Now that we have configured the AD RMS server with the AD FS 2.0 server, we have to configure AD RMS to work with SharePoint.

To configure AD RMS service for the SharePoint site

1. Log on to ContosoSrv01 with Administrator credentials.

2. Open Windows Explorer and navigate to the folder where Internet Information Services was installed. By default, the folder path is c:\Inetpub\wwwroot\_wmcs\Certification.

3. Right-click the ServerCertification.asmx file, and then click Properties.

4. On the Security tab, click Edit. In the dialog box that appears, click Add.

5. In the Enter the object names to select field, type AD RMS Service Group, and then click OK.

6. In the Permissions list for AD RMS Service Group, select the Allow check box for both the Read and the Read & Execute permissions.

7. To add the ContosoSrv02 server to the permissions list, click Add.

8. Click Object Types, select the Computers check box, and then click OK.

9. Type ContosoSrv02, and then click OK.

10. Click Start, and then click Command Prompt.

11. Type iisreset, and then press ENTER.

12. Click OK, and then click OK again to close the Properties dialog box.

Before we try out the scenario, we must do one more thing. We must make changes to the SharePoint site so that any document leaving a document library is automatically rights-protected for the user who is downloading it. Also, we must make sure that the SharePoint server is aware of where the AD RMS server is located.

First, to tell the SharePoint server where the AD RMS server is located, we log in to the SharePoint Central Administration Web site.

To configure the SharePoint server to use AD RMS to automatically rights-protect the document in the library

1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with the password "demo!23".

2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration. In the Central Administration site, click Operations under Central Administration.

3. On the Operations page, under Security Configuration, click Information Rights Management.

4. On the Information Rights Management page, verify that the Use the default RMS server specified in Active Directory option is selected and that there are no warnings around it.

5. Click OK to save your changes.

Now that we have configured AD RMS to work with the SharePoint server on CONTOSOSRV02, we will configure one of the document libraries on the SharePoint site at https://docs.contoso.com to be rights-protected. The level of protection will be configured in such a way that any document that is downloaded from the protected document library will be restricted based on the e-mail address of the user who is downloading it.

To configure AD RMS-based protection on a document library on the SharePoint site

1. Remain logged on to the CONTOSOSRV02 computer as CONTOSO\Administrator, and close any previously opened browser windows.

2. Open a new Internet Explorer window, browse to http://docs.contoso.com, and then sign in using administrator credentials.

3. After you are authenticated with the Contoso STS, you are back at the SharePoint site. Click the Document Center link in the top right side of the site, as shown in the following screen shot.

4. On the Document Center page, click the Documents link in the left column. This is the document library that we are going to protect with AD RMS.

5. On the Documents page, click Settings, and then click Document Library Settings.

6. On the Customize Documents page, click Information Rights Management.

7. On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box. In Permission policy title, type Contoso Confidential Document, and in Permission policy description, type Federated Document, as shown in the following screen shot. Click OK when you are finished making these changes.

At this point, we have successfully configured the SharePoint site with AD RMS. We have also configured one of the document libraries to automatically use Information Rights Management when a user downloads a document from the site.

In the RMS scenario, the token between the AD FS server in the Fabrikam domain and the AD FS server in the Contoso domain is chunked and transferred using HTTP headers. There is a limitation in the WinINet stack: it times out after a certain number of redirects, and the encrypted token between the two servers takes more than five redirects. To demonstrate this scenario, we will have to disable token encryption between the servers. This is safe to do because the channel over which the token is transferred is protected by SSL encryption.

To disable the token encryption between Fabrikam and Contoso AD FS 2.0 servers

1. Log on to the FabrikamSrv01 server with administrator credentials.

2. Open the AD FS 2.0 Management console: click Start, click Administrative Tools, and then click AD FS 2.0 Management.

3. In the left-hand column, under AD FS 2.0, double-click Trust Relationships, and then click Relying Party Trusts.

4. In Relying Party Trusts, right-click Contoso STS, and then click Properties.

5. In the Properties dialog box, on the Monitoring tab, clear Monitor this relying party's federation metadata for changes, and then click Apply.

6. On the Encryption tab, click Remove. In the dialog box that appears, click Yes, and then click OK.

We now need to make some changes to keys in the Windows registry on the Fabrikam client computer (FABRIKAMSRV02) so that the AD RMS client knows how to find the identity provider that it will use to authenticate with the AD RMS server at Contoso Pharmaceuticals (CONTOSOSRV01), based on the e-mail address of the user who is downloading the document.

To configure the Fabrikam client computer to be able to find and use the Contoso AD RMS server

1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\Administrator with "demo!23" for the password.

2. Open the Registry Editor. Click Start, click Run, type regedit, and then click OK. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft key, and then select it.

Note

For a 32-bit operating system, you can skip the Wow6432Node part of the registry key path.

3. On the Edit menu, point to New, and then click Key to create a new registry key. Name the new key MSDRM.

4. Under the MSDRM key, create a new key. With MSDRM selected, on the Edit menu, point to New, and then click Key to create a new registry key. Name the new key federation.

5. Under the federation key, create a new value of String (REG_SZ) type. For the Name, use FederationHomeRealm, and for Value use http://sts2.fabrikam.com/adfs/services/trust. The result should look like the following screen shot.

To have a Fabrikam user test AD RMS protection for the protected document library on the Contoso SharePoint site

1. Log off the FABRIKAMSRV02 computer as FABRIKAM\Administrator.

2. Log back on as FABRIKAM\frankm with "demo!23" as the password.

3. Open a new Internet Explorer window, browse to http://docs.contoso.com, and sign in to the site.

4. After you are signed in at the SharePoint site, navigate to the Documents library that we protected in the previous procedure.

5. In the Documents library page, click the link to the Contoso – Statement of General Terms document.

6. Observe the document as it opens in Microsoft Office Word. In Word, click View Permissions to show that the document is rights protected and cannot be edited, copied, printed, saved, accessed programmatically, or otherwise fully controlled by the user (FrankM). This is because in the SharePoint library settings we did not give anyone permissions to perform these actions on the document when we modified the security settings previously in this step.

Step 10: Configure a SharePoint document library for stronger authentication

In this step, we create a new SharePoint site that contains confidential information. We will set up this site so that users who access it must authenticate with their smart cards. To simulate authentication with smart cards, we will use a software-based X.509 certificate protected by a PIN (1@234abcd). To achieve this scenario, we will integrate a sample library, built with Windows Identity Foundation, that handles requests for strong credentials. The library is built from the sample at http://go.microsoft.com/fwlink/?LinkId=179918.

To create a new SharePoint site

1. Log on to CONTOSOSRV02 with domain administrator credentials.

2. Browse to https://docs.contoso.com and authenticate as CONTOSO\Administrator with password "demo!23".

3. Click the Site Actions tab.

4. Click the Create Site link.

5. For the site settings, enter the following values and leave the rest of the settings at their defaults:

Title: Confidential

Description: Contains confidential documents

URL Name: confidential

Select a template: Document Workspace

6. Click the Create button.

7. After creating the new site, close the browser.

Now we will integrate the sample claims authorization library located in C:\StepUpAuthentication with SharePoint.

Note

If you are using the VMs that were pre-created, a sample DLL has already been built and placed in that folder.

1. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then click OK.

2. At the command prompt, type cd "c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin", and then press ENTER.

3. Type gacutil.exe /i c:\StepUpAuthentication\ClaimsAuthorization.dll /f, and then press ENTER. This adds the assembly to the global assembly cache (GAC).

4. Now we need to edit the web.config of the docs.contoso.com SharePoint site. Type cd c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then press ENTER.

5. Type notepad.exe web.config, and then press ENTER.

6. Locate the <assemblies> element (it is located under <configuration>/<system.web>/<compilation>). Add the following line:

<add assembly="ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>

7. Locate the <httpModules> element (it is located under <configuration>/<system.web>). Add the following two lines immediately after all other <add> elements (just before the line with the end tag </httpModules>):

<add name="ClaimsAuthorizationModule" type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add name="StepUpAuthenticationModule" type="ClaimsAuthorization.StepUpAuthenticationModule, ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>

Now, we will author the policy that grants access to the Confidential site only to users who have authenticated with the X.509 certificate.

8. In Notepad, locate the <service> element under <configuration>/<microsoft.identityModel>. Add the following lines immediately after the line with the <service> tag:

<claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
  <strongAuthenticationTypes>
    <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
  </strongAuthenticationTypes>
  <authorization>
    <policy path="/confidential">
      <allow claimType="*" strongAuthentication="true"/>
    </policy>
    <policy path="/">
      <allow claimType="*"/>
    </policy>
  </authorization>
</claimsAuthorizationManager>

9. Save the changes to web.config. On the Notepad File menu, click Save. Close Notepad.
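The policy fragment above is the whole of the authorization logic for the Confidential site, so it is worth seeing how it evaluates. The following is an added Python example, not code from the guide or from the sample ClaimsAuthorization library: it parses the fragment as written and applies the reading of it that the text implies (the most specific <policy path> that prefixes the request path wins, and an <allow> with strongAuthentication="true" is satisfied only when the caller's authentication method claim is one of the <strongAuthenticationTypes>). The claim type used for the authentication method (AUTHN_METHOD_CLAIM, the WIF authentication method claim) and the sample claim sets are assumptions, not taken from the sample code.

```python
"""Evaluate the step-up authorization policy from the web.config fragment.

Added example: models how a request path plus the user's claims map to an
allow/deny decision under the <claimsAuthorizationManager> policy. The rule
semantics are the reading of the configuration described in the lead-in and
are an assumption about the sample library, not its actual source.
"""
import xml.etree.ElementTree as ET

# The fragment from step 8, embedded so that this runs offline.
CONFIG_XML = """
<claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
  <strongAuthenticationTypes>
    <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
  </strongAuthenticationTypes>
  <authorization>
    <policy path="/confidential">
      <allow claimType="*" strongAuthentication="true"/>
    </policy>
    <policy path="/">
      <allow claimType="*"/>
    </policy>
  </authorization>
</claimsAuthorizationManager>
"""

# Claim type carrying the method the user authenticated with (assumption:
# the WIF/AD FS authentication method claim).
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def load_policy(xml_text):
    """Parse the fragment into (strong_types, policies).

    policies is a list of (path, [(claimType, needs_strong)]) sorted so that
    the longest path (the most specific policy) is tried first."""
    root = ET.fromstring(xml_text)
    strong_types = {e.get("type") for e in root.iter("authenticationType")}
    policies = []
    for pol in root.find("authorization").findall("policy"):
        allows = [(a.get("claimType"),
                   a.get("strongAuthentication", "false").lower() == "true")
                  for a in pol.findall("allow")]
        policies.append((pol.get("path"), allows))
    policies.sort(key=lambda p: len(p[0]), reverse=True)
    return strong_types, policies


def path_matches(policy_path, request_path):
    """A policy covers its own path and everything below it; "/" covers all."""
    prefix = policy_path.rstrip("/")
    return request_path == prefix or request_path.startswith(prefix + "/")


def authorize(policy, request_path, claims):
    """Return (allowed, reason) for a request. claims is a list of (type, value)."""
    strong_types, policies = policy
    methods = {v for t, v in claims if t == AUTHN_METHOD_CLAIM}
    is_strong = bool(methods & strong_types)
    for path, allows in policies:
        if not path_matches(path, request_path.lower()):  # IIS paths are case-insensitive
            continue
        for claim_type, needs_strong in allows:
            has_claim = claim_type == "*" or any(t == claim_type for t, _ in claims)
            if has_claim and (not needs_strong or is_strong):
                return True, f"allowed by policy {path}"
        # Most specific policy matched but no <allow> was satisfied. For
        # /confidential this is the point where the step-up prompt is needed.
        return False, f"denied by policy {path}"
    return False, "no policy matched"


POLICY = load_policy(CONFIG_XML)

# Constructed sample: frankm after the federated password sign-in (step 4).
PASSWORD_CLAIMS = [(EMAIL, "frankm@fabrikam.com"),
                   (AUTHN_METHOD_CLAIM, "urn:oasis:names:tc:SAML:1.0:am:password")]
# Constructed sample: the same user after answering the certificate PIN prompt (step 6).
CERT_CLAIMS = PASSWORD_CLAIMS + [(AUTHN_METHOD_CLAIM, "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient")]

if __name__ == "__main__":
    for path, claims in [("/default.aspx", PASSWORD_CLAIMS),
                         ("/confidential/default.aspx", PASSWORD_CLAIMS),
                         ("/confidential/default.aspx", CERT_CLAIMS)]:
        print(path, authorize(POLICY, path, claims))
```

The ordering step in load_policy is what keeps the catch-all "/" policy from granting access to /confidential with a password-only session; without it the decision would depend on element order in web.config.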

To use the stronger authentication type to access the SharePoint site

1. Log on to the FabrikamSrv02 computer as FABRIKAM\frankm with "demo!23" as the user's password.

2. Browse to https://docs.contoso.com.

3. Select Fabrikam from the drop-down list at the Contoso sign-in page, and then click the Continue to Sign In button.

4. At the Fabrikam sign-in page, type the user name as fabrikam\frankm and the password as demo!23, and then click Sign In.

5. Once logged in to the site, click the Confidential tab to access the confidential site.

6. Because you need to authenticate with a smart card, you will see the PIN prompt dialog box. Select the Grant Permission radio button, and type 1@234abcd as the certificate's PIN.

7. You are now authenticated with a smart card and can log in to the Confidential site.

Step 11: Configure AD FS 2.0 on ContosoSrv01 to deny tokens to users

In this step, we will configure AD FS 2.0 on contososrv01 so that it does not issue tokens for the SharePoint server to users who do not belong to the Domain Admins, sp_visitor, or sp_admin groups.

To configure AD FS 2.0 to authorize users only in certain roles

1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

2. Open the AD FS 2.0 Management console (if it is not still open).

3. On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

4. In the console tree, double-click Trust Relationships, and then click Claims Provider Trusts.

5. In the Claims Provider Trusts list, click Active Directory, and then click Edit Claim Rules in the right-hand column.

6. In the Rules Editor, click Add Rule, and in the wizard, click Next.

7. For the Claim rule name, type Email and Role claim lookup, and for Attribute store, select Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the outgoing E-Mail Address claim and Token-Groups – Unqualified Names for the Role claim, and then click Finish. Click OK to exit the Rules Editor.

8. In the console tree, double-click Trust Relationships, and then click Relying Party Trusts. In the Relying Party Trusts list, click SharePoint Docs Site on Contoso, and then, in the Actions pane, click Edit Claim Rules.

9. In the Rules Editor, select the top-most rule in the list, and then click Remove Rule. Click Yes in the dialog box that appears.

10. Click the Issuance Authorization Rules tab, select the single item in the list, and then delete it by clicking Remove Rule.

11. Now we are going to add three rules that query the role information from the SQL database, based on the e-mail address. The rules are custom rules, and they are the same rules that we added in the previous section. The first rule looks up which trial the https://docs.contoso.com/ site belongs to. Click Add Rule. In the wizard that appears, select Send Claims Using a Custom Rule, and then click Next. For the Claim rule name, type Trial Lookup, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule1 on the desktop. You can copy and paste it from there.)

=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param = "https://docs.contoso.com/");

12. Add a second custom rule. In this rule, we use the previously queried trial information together with the user's e-mail address to discover which role the user belongs to. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type User Role, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule2 on the desktop. You can copy and paste it from there.)

c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
=> add(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"), query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName = {0}", param = c1.Value, param = c2.Value);

13. Now we create a third custom rule. In the third rule, we use the previously queried role claim to look up the SharePoint role and assign the value to the outgoing role claim. To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule, type the following, and then click Finish. (For convenience, this rule is saved in a file called Custom Rule3 on the desktop. You can copy and paste it from there.)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
=> issue(store = "HOL Doctors Role", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);

14. Now that we have gathered all the role information, we will add three new rules. In each rule, we check whether the role value is one of domain_admins, sp_visitor, or sp_admin. For the first rule, click Add Rule. In the wizard page that appears, keep the default option, Permit or Deny Users Based on an Incoming Claim, and then click Next. On the next page, for Claim rule name, type Permit Domain Admins; for Incoming claim type, select Role in the drop-down menu; and for Incoming claim value, type Domain Admins, and then click Finish.

15. For the other two rules, repeat the instructions in step 14, with Claim rule name set to Permit sp_visitor and Permit sp_admin and Incoming claim value set to sp_visitor and sp_admin, respectively.

To try out this scenario, log on to ContosoSrv01 and navigate to https://docs.contoso.com. Sign in as either contoso\administrator or contoso\danielw at the Contoso sign-in page. You will have access to the SharePoint site. This is because contoso\administrator belongs to the Domain Admins group in AD DS, and danielw maps to the sp_admin group based on the information in the SQL database.

Try accessing https://docs.contoso.com from the FabrikamSrv01 computer as fabrikam\frankm. You will see that frankm has access to the SharePoint site because frankm's e-mail address maps to the sp_visitor role in the SQL database. Now try accessing the https://docs.contoso.com site as fabrikam\alices. You will see access denied for Alice at the Contoso AD FS Web site because Alice's account does not map to any of the role values for which we just added rules.
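The four outcomes described above follow mechanically from the issuance authorization rule set of steps 11 through 15, and the following added Python example replays that rule set to show why. It is not part of the guide: an in-memory SQLite database attached under the schema name dbo stands in for the "HOL Doctors Role" attribute store, so the three queries run exactly as typed in the rules apart from the placeholder syntax ({0} becomes ?1, {1} becomes ?2, which is the positional binding the rule language performs). The guide names the tables and columns but not their rows, so the table contents, trial name and role names are constructed sample data, and the incoming claim sets model what the Active Directory and Fabrikam claims providers would present after step 7.

```python
"""Replay the SharePoint relying party's authorization rules (steps 11-15).

Added example, not the guide's code. Shows the difference between add()
(extends only the working claim set) and issue() (also produces output),
and how removing the default "Permit all users" rule turns "no permit rule
matched" into a denied token, which is what alices sees.
"""
import re
import sqlite3

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
TRIAL = "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"
TRIAL_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
SITE = "https://docs.contoso.com/"

# Queries exactly as typed into the three custom rules.
Q_TRIAL = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}"
Q_USER_ROLE = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName = {0}"
Q_SP_GROUP = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}"

# Incoming claim values accepted by the three permit rules of steps 14-15.
PERMITTED_ROLES = {"Domain Admins", "sp_visitor", "sp_admin"}


def build_store():
    """Constructed stand-in for the HOL Doctors Role database (rows are sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS dbo")  # lets the dbo.* names resolve
    db.executescript("""
        CREATE TABLE dbo.TS (SharePointSite TEXT, trial TEXT);
        CREATE TABLE dbo.URT (Trial TEXT, UserName TEXT, role TEXT);
        CREATE TABLE dbo.RS (Role TEXT, SharePointGroup TEXT);
        INSERT INTO dbo.TS VALUES ('https://docs.contoso.com/', 'TRIAL-01');
        INSERT INTO dbo.URT VALUES ('TRIAL-01', 'danielw@contoso.com', 'Investigator');
        INSERT INTO dbo.URT VALUES ('TRIAL-01', 'frankm@fabrikam.com', 'Monitor');
        INSERT INTO dbo.RS VALUES ('Investigator', 'sp_admin');
        INSERT INTO dbo.RS VALUES ('Monitor', 'sp_visitor');
    """)
    return db


def query_store(db, query, params):
    """Run an attribute-store query with rule-language binding: {n} is the n-th param."""
    sql = re.sub(r"\{(\d+)\}", lambda m: f"?{int(m.group(1)) + 1}", query)
    return [row[0] for row in db.execute(sql, params)]


def evaluate_authorization_rules(db, claims):
    """Apply the rule set to the claims received from the claims provider.

    Returns (permitted, issued_claims). add() extends only the working set;
    issue() extends both the working set and the output."""
    working = list(claims)
    issued = []

    # Rule 1, Trial Lookup: => add(... query = Q_TRIAL, param = SITE)
    for trial in query_store(db, Q_TRIAL, (SITE,)):
        working.append((TRIAL, trial))

    # Rule 2, User Role: c1:[email] && c2:[trial] => add(..., param = c1.Value, param = c2.Value)
    for _, email in [c for c in working if c[0] == EMAIL]:
        for _, trial in [c for c in working if c[0] == TRIAL]:
            for role in query_store(db, Q_USER_ROLE, (email, trial)):
                working.append((TRIAL_ROLE, role))

    # Rule 3, SharePoint Role: c:[incomingtrialrole] => issue(..., param = c.Value)
    for _, trial_role in [c for c in working if c[0] == TRIAL_ROLE]:
        for group in query_store(db, Q_SP_GROUP, (trial_role,)):
            issued.append((ROLE, group))
            working.append((ROLE, group))

    # Rules 4-6, Permit Domain Admins / sp_visitor / sp_admin. The default
    # permit-all rule was removed in step 10, so no match means deny.
    roles = {v for t, v in working if t == ROLE}
    return bool(roles & PERMITTED_ROLES), issued


# Constructed incoming claim sets: Contoso users carry Token-Groups role claims
# from the Active Directory claims provider (step 7); Fabrikam users carry only e-mail.
ADMIN = [(EMAIL, "administrator@contoso.com"), (ROLE, "Domain Admins"), (ROLE, "Domain Users")]
DANIELW = [(EMAIL, "danielw@contoso.com"), (ROLE, "Domain Users")]
FRANKM = [(EMAIL, "frankm@fabrikam.com")]
ALICES = [(EMAIL, "alices@fabrikam.com")]


def decide(claims):
    db = build_store()
    try:
        return evaluate_authorization_rules(db, claims)
    finally:
        db.close()


if __name__ == "__main__":
    for name, claims in [("administrator", ADMIN), ("danielw", DANIELW),
                         ("frankm", FRANKM), ("alices", ALICES)]:
        permitted, issued = decide(claims)
        print(f"{name:14} permitted={permitted} issued={issued}")
```

Note that the administrator is permitted without any database row: the Domain Admins role claim arrives from the claims provider trust, so only the permit rule fires for that user, while danielw and frankm need all three custom rules before a permit rule can match.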

Congratulations! This concludes our walkthrough of federated document collaboration using Microsoft Office SharePoint Server 2007 with AD FS 2.0.