Adfs2 Share Point Federated Collaboration Step by Step Guide

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0

Microsoft Corporation Published: May 2010 Author: Tariq Sharif, Brad Mahugh Editor: Jim Becker Technical reviewers: Stuart Kwan, James Wong

Abstract

This guide provides instructions for using Active Directory Federation Services (AD FS) 2.0 in a small test lab environment. The purpose is to demonstrate how two fictitious companies can collaborate on documents using a federated trust that provides claims-based access using AD FS 2.0. The instructions in this guide should take approximately 90 minutes to complete.

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2010 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
    About this guide
Scenario Overview
Preinstallation Tasks
    Download and extract VMs
Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server
Step 2: Add the Domain Admins group as Administrator for the SharePoint site
Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
Step 4: Add new roles to the SharePoint site
Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server
Step 6: Configure Fabrikam to federate and issue tokens to Contoso
Step 7: Access the SharePoint site
Step 8: Configure the Contoso federation server to get values from a SQL data store
Step 9: Configure AD RMS for digitally protecting documents
Step 10: Configure a SharePoint document library for stronger authentication
Step 11: Configure AD FS 2.0 on ContosoSrv01 to deny tokens to users

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0

This guide walks you through setup of a small test lab environment that you can use to evaluate the next generation of Microsoft federated identity technologies. This guide is intended for information technology (IT) professionals and system architects who want to implement secure collaboration between organizations using Microsoft Office SharePoint Server 2007 and Active Directory Federation Services (AD FS) 2.0. This guide provides a quick demonstration of the features, functionality, and interoperability capabilities of AD FS 2.0 and Windows Identity Foundation (WIF). The instructions in this guide should take approximately 90 minutes or less to complete.

About this guide

This guide provides instructions for setting up federated identity technologies in a small test lab with virtual servers and a Hyper-V-enabled host server computer running the Windows Server 2008 R2 operating system. The purpose of this guide is to describe a solution that uses Windows-based federated identity technologies to meet the demands of a fictional business-to-business (B2B) scenario with the following requirements:

- Two companies have a business partner relationship.
- One of the companies, Contoso Pharmaceuticals, wants to give some of the employees of the other company, Fabrikam, access to a SharePoint site that Contoso hosts. Traditionally, this might have required administrators at Contoso to create new Active Directory user accounts to provide the required access for the Fabrikam partner employees.
- Another consequence of the SharePoint-based collaboration is that the SharePoint site itself requires configuration so that participating users of both companies have the appropriate level of site access.

To maximize your chances of completing the objectives of this guide successfully, it is important that you do all of the following:

- Complete the steps in this guide in the order in which they are presented.
- Use the exact computer, user, group, company, claim, and domain names that this guide specifies.

Important: Any modifications that you make to the configuration details in this guide may affect or limit your chances of setting up this lab successfully the first time. Microsoft has tested this guide successfully using Windows Server 2008 Hyper-V virtualization technology.

The instructions in this guide should take approximately 90 minutes or less to complete. Your time to complete the steps in this guide may vary, depending on whether you have to set up a computer that is suitable for hosting the virtual lab environment.

Scenario Overview

This section includes background information about the fictional companies in this document. It also identifies their business goals and briefly describes the technologies that are used to achieve these goals.

About the fictional companies

The following fictional companies and their business needs are used in this guide:

Contoso Pharmaceuticals: An international pharmaceutical supply company that specializes in manufacturing prescription drugs for its health maintenance organization (HMO) customers inside and outside the United States. In a strategic effort to meet the drug-ordering demands of its customers, the IT department at Contoso has been given the task of developing and deploying a secure, Internet-accessible SharePoint application that must also provide multiple levels of access for various internal users (Contoso employees) and external partner users at Fabrikam. To minimize the costs that are associated with maintaining the SharePoint application, the IT department must also make sure that the application does not have to use and maintain an additional account store so that internal and external users can access the application.

Fabrikam: A manufacturer of cost-efficient, wholesale pharmaceutical and chemical manufacturing supplies that is known worldwide for providing low-price supplies to drug manufacturers. Although sales have been accelerating consistently year after year for this company, there is a noticeable increase in inventory errors that has caused returns, reshipments, or adjustments for its key business partners such as Contoso. So that Fabrikam can maintain its strong partnership and achieve its goals for a high level of service with Contoso, Fabrikam decides to partner closely with Contoso for the purpose of completing an upcoming drug trial audit process for a new medication that Contoso currently has under development. To accomplish this goal, some Fabrikam employees need varying levels of access to the SharePoint site at Contoso.

About the lab configuration

To facilitate the partnership between the two companies and to enable managed, claims-based access (CBA) to the SharePoint site, the following federation configuration is used.

About the fictional employees

The fictional employees in the following table are used throughout the scenario in this document. You will log on to the test lab virtual machines to simulate the various federated identity and claims-based access scenarios in this guide and test different levels of access to the SharePoint application.

Employee        Role                          Company
Frank Miller    Drug Trial Process Auditor    Fabrikam Suppliers

About the scenario

For this scenario, Microsoft Office SharePoint Server 2007 is the application of choice to facilitate the business partnership between the two companies, Contoso Pharmaceuticals and Fabrikam Suppliers. For SharePoint site access, Microsoft Office SharePoint Server 2007