Three weeks ago I performed a session about ADFS on polish conference – Microsoft Technology Summit 2005. In this session I used my ADFS lab to show working example of federated Windows SharePoint Services and ASP .NET claim aware application (application is really big word for my application :), this was only few pages with text). I get back to this lab because yesterday I was helping my friend who was also building ADFS. In my case it took me about an 1,5 hour to get working ADFS lab (most of this time I was looking at progress bars), in my friend case it took us few hours to get the environment to the point in which it was working, mainly because we had to find few glitches in a setup he made following the ADFS step-by-step document published for Windows 2003 R2 RC0. That pushed me to make few notes about creating such lab which You can read below:
- Certificates: certs are really important because all ADFS trusts between organisations are based on PKI, and transport layer security for claims in ADFS v1 is based on SSL. Step by Step document is showing how to generate certs using SelfSSL.exe utility but my recommendation is to setup quickly (it will take you only few minutes) standalone CA on one of Your machine and use it as certificate source. Why? Thera are some minor issues with SelfSSL produced certs (there is a workaround for it) used with IIS server in this version of R2, that's one reason, and the second is that this is more "real world" scenario. If you are using SelfSSL or CA You have to remember few things:
- For each ADFS server You need Server Authentication Certificate.
- For each ADFS Proxy (if You are using it) You need Client Authentication Certificate
- For each IIS server which is involved in ADFS communication You need standard SSL certificate for web server. Remember that CN in the certificate must match FQDN of the IIS web site for which it is generated.
- If You are using CA as a certificate source You have to install root CA cert and current CRL on each machine.
- Server Authentication Certificates and Client Authentication Certificate (If You are using Federation Server Proxy on separated host) has to be installed in Local Machine certificate store. If You are using CA web page to get certificate there is an option which tell that it has to be installed in Local Machine store. You can also select this during an import or just open MMC.EXE with Certificates snap-in for Local Machine and import the certificate.
- Step by step documentation tells you to install WSS and .NET application on the same IP address and use different SSL port – my suggestion is to assign secondary address to the web server and bind each application web site to separated address. Why? once again, this is more real world scenario and If You will show it to somebody it will look more natural.
- I don't know why but auditing part is missing from the lab documentation in this version. I think that auditing of ADFS is very useful to understand how it is working and for troubleshooting purposes. My recommendation is to turn on ADFS auditing by enabling "Audit object access" in Audit policy for ADFS server (depending on Your configuration this has to be done in GPO on OU level in which ADFS server resides or If You have ADFS on DC it has to be enabled in "Domain controllers security policy". Select auditing for success and failures and ADFS related event will show up in Security log on Your ADFS Server.
- Case sensitivity: few values which are used in configuration are case sensitive so You have to be very careful when using them. This is the case with Federation Services URL which is specified in each partner configuration and also with the names of Outgoing and Incoming claims. If you have a problem with getting ADFS working – double check it.
- If You are testing ADFS suing IE from the Windows 2003 or Windows XP which is a domain member and You are logged on as a domain user, but You are still getting dialog box asking You to provide credentials just go to Tools -> Internet Options -> Security in IE, and for Internet zone and Trusted Sites zone use "Custom level" button, go to "User authentication" and check if you have automatic logon with current credential option set. Of course, this should not be used for Internet zone in real world scenario in any case. If You want to avoid setting this in internet zone just add Your ADFS account server URL to Your trusted sites list.
Setting up ADFS trust is not very complicated task but You have to be very careful about few things because when something is failing there are many things to check. Stay calm and just check every component of your lab. OK, that's all. I hope it makes sense. Have a fun in ADFS world.