Step-by-Step Guide for Active Directory

Federation Services
Microsoft Corporation

Published: November 2005

Author: Nick Pierson

Editor: Jim Becker

Abstract
This guide provides instructions for setting up Active Directory Federation Services
(ADFS) in a small test lab environment. The instructions in this guide should take
approximately three hours to complete. This guide walks you through setup of a claims-
aware application and a Windows NT token–based application on an ADFS-enabled Web
server. It also explains how to configure two federation servers that authenticate and
authorize federated access to both types of applications. No additional downloads are
required; you can simply use the code in this guide to create the claims-aware application
and the Windows NT token–based application.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Step-by-Step Guide for Active Directory Federation Services................................. ...........1
Abstract.................................................................................................... ...................1

Contents........................................................................................................................ .....4

ADFS Step-by-Step Guide ................................................................ ....................6

About This Guide........................................................................................... .................6
What This Guide Does Not Provide..................................................................... ........6
Requirements............................................................................................... ...............7

Step 1: Preinstallation Tasks ........................................................... ......................7

Set Up the Computers.............................................................................. ......................8
Configure Computer Operating Systems and Network Settings..................................8
Install IIS................................................................................................................. ...10
Install the IIS 6.0 Resource Kit............................................................. .....................10
Install and Configure Active Directory.......................................................... .................10
Install Active Directory............................................................................ ...................10
Create User Accounts and Resource Accounts........................................ .................11
Add Users to the Appropriate Security Groups................................................ ..........12
Join Test Computers to the Appropriate Domains..................................................... .12
Create, Export, and Import Server Authentication Certificates.............................. ........12
Create a Server Authentication Certificate for Each of the Servers...........................13
Export the adfsresource Server Authentication Certificate to a File...........................13
Import the Server Authentication Certificate for adfsresource to adfsweb.................14

Step 2: Installing ADFS and Configuring Local System ................................ .......15

Install the ADFS Web Agents.............................................................................. ..........16
Install the Federation Service.............................................................. .........................17
Assign the Local System Account to the ADFSAppPool Identity................................ ...18
Export the Token-signing Certificate from adfsaccount to a File...................................18

Step 3: Configuring the Web Server ............................................................ ........19

Configure the Web Server for a Windows NT Token-based Application........................ 19
Configure IIS and the ADFS Web Agent.......................................................... ..........20
Configure the Windows NT Token–based Application for Read/Write Access...........21
Configure the Web Server for a Claims-aware Application...........................................22
Create a New Web site in IIS.................................................................................... .22
Configure the stepbystep Web Site........................................................ ...................23
 Assign the adfsweb Server Authentication Certificate to the stepbystep Web Site....24

Step 4: Configuring the Federation Servers .................................... ....................25

Configuring the Federation Service for Trey Research................................ .................26
Configure the Trust Policy............................................................... ..........................27
Create and Map a Group Claim for the Windows NT Token–based Application........27
Create a Group Claim for the Claims-aware Application...........................................28
Add an Active Directory Account Store......................................................... .............29
Add a Windows NT Token–based Application to the Federation Service..................29
Add a Claims-aware Application to the Federation Service.......................................30
Add and Configure an Account Partner.................................................. ...................32
Configuring the Federation Service for A. Datum Corporation......................................34
Configure the Trust Policy............................................................... ..........................35
Create a Group Claim for the Windows NT Token-based Application........................35
Create a Group Claim for the Claims-aware Application...........................................36
Add and Configure an Active Directory Account Store.............................................. .36
Add and Configure a Resource Partner................................................................... ..38

Step 5: Accessing Federated Applications from the Client Computer .................. 41

Configure Browser Settings to Trust the adfsaccount Federation Server......................41
Access the Claims-aware Application........................................................... ................42
Access the Windows NT Token–based Application..................................................... ..42

Appendix A: Creating the Windows NT Token-based Sample Application ...........43

Create the Default.htm File.............................................................................. .............44
Create the Blog.aspx File............................................................................................. .45
Create the Blog.aspx.cs File........................................................................... ..............46
Create the Message.aspx File.................................................................. ....................49
Create the Message.aspx.cs File.............................................................................. ....49
Create the Web.config File................................................................. ..........................51
Create the Blog.txt File.......................................................................... .......................55

Appendix B: Creating the Claims-aware Sample Application ..............................55

Create the Default.aspx File................................................................ .........................56
Create the Web.config File................................................................. ..........................60
Create the Default.aspx.cs File............................................................................ .........63

Appendix C: Using Group Policy to Prevent Certificate Prompts ........................73

Export adfsweb and adfsaccount Certificates to a File.................................................74
Enable Group Policy to Push adfsweb, adfsresource, and adfsaccount Certificates to
the Client Computer.................................................................................................. .74
Run Gpupdate on the Client and Test for Certificate Prompts......................................75
 6

ADFS Step-by-Step Guide

About This Guide

This guide walks you through the process of setting up a working Active Directory
Federation Services (ADFS) environment in a test lab. It explains how to install and test
both a claims-aware application and a Windows NT token–based application. You can
use the test lab environment to evaluate the ADFS technology and assess how it might
be deployed in your organization. As you complete the steps in this guide, you will be
able to:

• Set up four computers (one client, one Web server, and two federation
servers) to participate in ADFS federation between two fictitious companies
(A. Datum Corporation and Trey Research).

• Create two forests to be used as designated account stores for federated

users. Each forest will represent one fictional company.

• Use ADFS to set up a federated trust relationship between both companies.

• Use ADFS to create, populate, and map claims.

• Provide federated access for users in one company to access a claims-

aware application and a Windows NT token–based application that are located at
the other company.

Note
It is important to follow the steps in this guide in order.

What This Guide Does Not Provide

This guide does not provide the following:

• Guidance for setting up and configuring ADFS in a production environment

For information about how to deploy or manage ADFS, look for ADFS planning,
deployment, and operations content on the Windows Server 2003 R2 Roadmap page
on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45560).

• Instructions for setting up and configuring Microsoft Certificate Services for

use with ADFS.
 7
For information about setting up and configuring Microsoft Certificate Services, see
the Public Key Infrastructure for Windows Server 2003 page on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=19936).

• Instructions for setting up and configuring a federation server proxy

Note
The federation server includes the functionality of the federation server proxy
role. For example, the federation server can perform client authentication,
home realm discovery, and sign-out.

Requirements
To complete the steps in this guide, you must have the following:

• Four test computers

• Microsoft® Windows Server™ 2003 R2 Release Candidate 1 (RC1) (or

later), Enterprise Edition or Datacenter Edition, for federation servers

• Windows Server 2003 R2 RC1 (or later), Standard Edition,

Enterprise Edition, or Datacenter Edition, for ADFS-enabled Web servers

• Internet Information Services (IIS) 6.0 Resource Kit Tools

Step 1: Preinstallation Tasks

Before you install Active Directory Federation Services (ADFS), you set up the four
primary computers that will be used for evaluating the ADFS technology. In this step, you:
• Configure network settings.

• Create two Active Directory™ directory service forests.

• Create necessary user and group accounts.

• Join computers to the appropriate forests.

• Install and configure Internet Information Services (IIS) to work with self-
signed certificates.

• Import and export certificates as shown in the following illustration.

 8

Preinstallation tasks include the following:

• Set Up the Computers

• Install and Configure Active Directory

• Create, Export, and Import Server Authentication Certificates

Administrative Credentials

To perform all of the tasks in this step, log on to each of the four computers with the local
Administrator account. To create accounts in Active Directory, log on with the
Administrator account for the domain.

Set Up the Computers

This section includes the following procedures:

• Configure Computer Operating Systems and Network Settings

• Install IIS

• Install the IIS 6.0 Resource Kit

Configure Computer Operating Systems and Network

Settings
Use the following table to set up the appropriate computer names, operating systems,
and network settings that are required to complete the steps in this guide.

Important
Before you configure your computers with static Internet Protocol (IP) addresses,
it is recommended that you first complete product activation for Microsoft
 9
Windows® XP and Windows Server 2003 R2 while each of your computers still
has Internet connectivity. You may also want to download the IIS 6.0 Resource
Kit application to each computer (excluding the client computer) while it is
connected to the Internet.

Note
Make sure to set both the preferred and alternate Domain Name System (DNS)
server settings on the client. If both types of values are not configured as
specified, the ADFS scenario will not function.

Computer name ADFS Operating IP settings DNS settings

client/server system
role requirement

adfsclient Client Windows XP IP address: Preferred:

with Service
192.168.1.1 192.168.1.3
Pack 2 (SP2)
Subnet mask: Alternate:

255.255.255.0 192.168.1.4

adfsweb Web server Windows IP address: Preferred:

Server 2003
192.168.1.2 192.168.1.4
R2, Standard
Edition or Subnet mask:
Enterprise 255.255.255.0
Edition

adfsaccount Federation Windows IP address: Preferred:

server and Server 2003
192.168.1.3 192.168.1.3
domain R2, Enterprise
controller Edition Subnet mask:

255.255.255.0

adfsresource Federation Windows IP address Preferred:

server and Server 2003
192.168.1.4 192.168.1.4
domain R2, Enterprise
controller Edition Subnet mask:

255.255.255.0
 10

Install IIS
Use the following procedure to install IIS on the adfsweb computer, the adfsresource
computer, and the adfsaccount computer.

To install IIS
1. Click Start, point to Control Panel, and then click Add or Remove
Programs.

2. In Add or Remove Programs, click Add/Remove Windows

Components.

3. In the Windows Components Wizard, select the Application Server

check box, and then click Next.

4. On the Completing the Windows Components Wizard page, click

Finish.

Install the IIS 6.0 Resource Kit

To complete the procedures in this step, you download and install the IIS 6.0 Resource
Kit onto the adfsweb computer, the adfsaccount computer, and the adfsresource
computer. The Resource Kit contains the SelfSSL.exe command-line tool that you use to
create self-signed certificates for testing ADFS. To obtain the IIS 6.0 Resource Kit, see
the Internet Information Services (IIS) 6.0 Resource Kit Tools page on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=36285).

Install and Configure Active Directory

This section includes the following procedures:

• Install Active Directory

• Create User Accounts and Resource Accounts

• Add Users to the Appropriate Security Groups

• Join Test Computers to the Appropriate Domains

Install Active Directory

You can use the Dcpromo tool to create two new Active Directory forests on both of the
federation servers. When you run Dcpromo, use the Active Directory domain names in
the following table.
 11

Note
As a security best practice, domain controllers should not run as both federation
servers and domain controllers in a production environment.

To create a new forest using Dcpromo, use the procedure Create a new forest on the
Windows Server 2003 TechCenter Web site
(http://go.microsoft.com/fwlink/?LinkId=56119).

Note
It is important that you first configure the IP addresses as specified in the
previous table before you attempt to install Active Directory. This helps ensure
that DNS records are configured appropriately.

Computer name Company name Active Directory DNS configuration

domain name

(new forest)

adfsaccount A. Datum adatum.com Install DNS when

Corporation prompted

adfsresource Trey Research treyresearch.net Install DNS when

prompted

Create User Accounts and Resource Accounts

After you set up two forests, you start the Active Directory Users and Computers snap-in
to create some accounts that you can use to test and verify federated access across both
forests. Use the values in the following tables to create test accounts in both forests.
Configure the values in the following table on the adfsaccount computer.

Create: Name User name

Security global group TreyTokenAppUsers N/A

Security global group TreyClaimAppUsers N/A

User Adam Carter adamcar

User Alan Shen alansh

Configure the values in the following table on the adfsresource computer.

 12

Create: Name Other action

Organizational unit (OU) Federated Users N/A

Security Global Group AdatumTokenAppUsers Create this group in the

Federated Users OU

Add Users to the Appropriate Security Groups

While you have the Active Directory Users and Computers snap-in open, add both users
to their respective security groups as specified in the following table. Perform this
operation on the adfsaccount computer.

User Add as a member of

Adam Carter TreyTokenAppUsers

Alan Shen TreyClaimAppUsers

Join Test Computers to the Appropriate Domains

You can use the values in the following table to specify which computers are joined to
which domain. Perform this operation on the adfsclient and adfsweb computers.

Computer name Join to

adfsclient adatum.com

adfsweb treyresearch.net

Create, Export, and Import Server

Authentication Certificates
The most important factor in setting up the Web server and the federation servers is
creating and exporting the required self-signed certificates appropriately. This section
includes the following procedures:

• Create a Server Authentication Certificate for Each of the Servers

• Export the adfsresource Server Authentication Certificate to a File

 13
• Import the Server Authentication Certificate from adfsresource to adfsweb

Note
In a production environment, certificates will be obtained from a certification
authority (CA). For the purposes of the test lab deployment that is covered in this
document, self-signed certificates are used.

Create a Server Authentication Certificate for Each of the

Servers
Run the SelfSSL command from the \Program Files\IIS Resources\SelfSSL directory on
the Web server and on both of the federation server computers. You must perform this
procedure on the federation servers before you install ADFS because the Federation
Service component of ADFS requires a Secure Sockets Layer (SSL) certificate to be
installed on the default Web site in IIS before the Federation Service can be installed.

Note
Although the ADFS Web Agent does not require that a SSL certificate be installed
in IIS when the ADFS Web Agent is installed, an SSL certificate is required when
a Windows NT token–based ADFS Web Agent is enabled.

Computer name Type the following command at the

appropriate computer:

Adfsaccount selfssl /t /n:cn=adfsaccount.adatum.com

/v:365

Adfsresource selfssl /t
/n:cn=adfsresource.treyresearch.net /v:365

Adfsweb selfssl /t /n:cn=adfsweb.treyresearch.net

/v:365

Note
When you see the prompt, select “Y” to replace the SSL settings for site 1.

Export the adfsresource Server Authentication Certificate

to a File
So that successful communication can occur between both the resource partner
federation server and Web server, the Web server must first trust the root of the
 14
federation server. Because self-signed certificates are used, the server authentication
certificate is the root. Therefore, this trust must be established by exporting the resource
partner adfsresource server authentication certificate and then importing the file onto the
adfsweb server. To export the adfsresource server authentication certificate to a file,
perform the following procedure on the adfsresource computer.

To export the adfsresource server authentication certificate to a file

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. In the console tree, double-click ADFSRESOURCE, double-click Web

Sites, right-click Default Web Site, and then click Properties.

3. On the Directory Security tab, click View Certificate, click the Details
tab, and then click Copy to File.

4. On the Welcome to the Certificate Export Wizard page, click Next.

5. On the Export Private Key page, click No, do not export the private
key, and then click Next.

6. On the Export File Format page, click DER encoded binary X.509
(.Cer), and then click Next.

7. On the File to Export page, type C:\adfsresource.cer, and then click

Next.

Note
This certificate must be imported to the adfsweb computer in the next
procedure. Therefore, you should make this file accessible over the
network to that computer.
8. On the Completing the Certificate Export Wizard, click Finish.

9. In the Certificate Export Wizard dialog box, click OK.

Import the Server Authentication Certificate for

adfsresource to adfsweb
Perform the following procedure on the adfsweb computer.

To import the server authentication certificate

1. Click Start, click Run, type mmc, and then click OK.
 15

2. Click File, and then click Add/Remove Snap-in.

3. Click Add, click Certificates, and then click Add.

4. Click Computer account, and then click Next.

5. Click Local computer: (the computer this console is running on),

click Finish, click Close, and then click OK.

6. Double-click the Certificates (Local Computer) folder, double-click the

Trusted Root Certification Authorities folder, right-click Certificates, point
to All Tasks, and then click Import.

7. On the Welcome to the Certificate Import Wizard page, click Next.

8. On the File to Import page, type \\adfsresource\c$\adfsresource.cer,
and then click Next.

Note
You may need to map the network drive to obtain the adfsresource.cer
file. You can also copy the adfsresource.cer file directly from the
adfsresource computer to adfsweb, and then point the wizard to that
location.

9. On the Certificate Store page, click Place all certificates in the

following store, and then click Next.

10. On the Completing the Certificate Import Wizard page, verify that the
information that you provided is accurate, and then click Finish.

Step 2: Installing ADFS and Configuring

Local System
Now that you have configured the computers with Internet Information Services (IIS) and
prerequisite certificates, you are ready to install Active Directory Federation Services
(ADFS) components on each of the servers. This section includes the following
procedures:

• Install the ADFS Web Agents

• Install the Federation Service

• Assign the Local System Account to the ADFSAppPool Identity

 16
• Export the Token-signing Certificate from adfsaccount to a File

Administrative Credentials

To perform all of the procedures in this step, log on to the adfsaccount computer and the
adfsresource computer with the Administrator account for the domain. Log on to the
adfsweb computer with the local Administrator account.

Install the ADFS Web Agents

You can use the following procedure to install both the claims-aware ADFS Web Agent
and the Windows NT token-based ADFS Web Agent on the adfsweb computer.

To install the ADFS Web Agents

1. Click Start, point to Control Panel, and then click Add or Remove
Programs.

2. In Add or Remove Programs, click Add/Remove Windows

Components.

3. In the Windows Components Wizard, click Active Directory Services,

and then click Details.

4. In the Active Directory Services dialog box, click Active Directory

Federation Services (ADFS), and then click Details.

5. In the Active Directory Federation Services (ADFS) dialog box, click

ADFS Web Agents, and then click Details.

6. In the ADFS Web Agents dialog box, select both the Claims-aware
applications check box and the Windows NT token–based applications
check box, and then click OK.

7. In the Active Directory Federation Services (ADFS) dialog box, click

OK.

8. In the Active Directory Services dialog box, click OK.

9. In the Windows Components Wizard, click Next.

10. If you are prompted for the location of installation files, navigate to
R2 installation files\cmpnents\r2, and then click OK.

11. On the Completing the Windows Components Wizard page, click

Finish.
 17

Install the Federation Service

Use the following procedure to install the Federation Service component of ADFS on the
adfsaccount computer and the adfsresource computer. After the Federation Service is
installed on a computer, that computer becomes a federation server.

To install the Federation Service

1. Click Start, point to Control Panel, and then click Add or Remove
Programs.

2. In Add or Remove Programs, click Add/Remove Windows

Components.

3. In the Windows Components Wizard, click Active Directory Services,

and then click Details.

4. In the Active Directory Services dialog box, click Active Directory

Federation Services (ADFS), and then click Details.

5. In the Active Directory Federation Services (ADFS) dialog box, select

the Federation Service check box, and then click OK. If Microsoft
ASP.NET 2.0 was not previously enabled, click Yes to enable it, and then
click OK.

6. In the Active Directory Services dialog box, click OK.

7. In the Windows Components Wizard, click Next.

8. On the Federation Service page, click Create a self-signed token

signing certificate.

9. Under Trust policy, click Create a new trust policy, and then click
Next.

10. If you are prompted for the location of the installation files, navigate to
R2 Installation Folder\cmpnents\r2, and then click OK.

11. On the Completing the Windows Components Wizard page, click

Finish.
 18

Assign the Local System Account to the

ADFSAppPool Identity
Use the following procedure on both the adfsresource computer and the adfsaccount
computer. This step is necessary only in the context of this guide because these
federation servers are also configured as domain controllers.

Note
As a security best practice, domain controllers should not run as both federation
servers and domain controllers, and IIS should not run under the Local System
account in a production environment.

To assign the Local System account to the ADFSAppPool identity

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. In the console tree, double-click adfsresource or adfsaccount, double-

click Application Pools, right-click ADFSAppPool, and then click
Properties.

3. On the Identity tab, click Local System in the menu, and when you see
the prompt Do you wish to run this application pool as Local system?,
click Yes, and then click OK.

Export the Token-signing Certificate from

adfsaccount to a File
Use the following procedure on the adfsaccount computer to export the token-signing
certificate from the adfsaccount computer to a file.

To export the token-signing certificate from adfsaccount to a file

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Right-click Federation Service, and then click Properties.

3. On the General tab, click View.

4. On the Details tab, click Copy to File.

5. On the Welcome to the Certificate Export Wizard page, click Next.

 19

6. On the Export Private Key page, click No, do not export the private
key, and then click Next.

7. On the Export File Format page, click DER encoded binary X.509
(.Cer), and then click Next.

8. On the File to Export page, type C:\adfsaccount_ts.cer, and then click

Next.

Note
The adfsaccount token-signing certificate will be imported to the
adfsresource computer later (see Step 4: Configuring the Federation
Servers) when the Account Partner Wizard prompts you for the Account
Partner Verification Certificate. At that time you access this computer
over the network to obtain this file.

9. On the Completing the Certificate Export Wizard, click Finish.

Step 3: Configuring the Web Server

This step includes instructions for setting up both a Windows NT token–based application
and a claims-aware application on the same Web server (adfsweb). You can follow the
instructions for setting up both applications or for setting up just one application:

• Configure the Web Server for a Windows NT Token–based Application

• Configure the Web Server for a Claims-aware Application

Administrative Credentials

To perform all the tasks in this step, log on to adfsweb with the local Administrator
account.

Configure the Web Server for a Windows NT

Token-based Application
Use the following procedures to configure Internet Information Services (IIS)settings and
to configure access to the Windows NT token–based sample application on the adfsweb
computer.

• Configure IIS and the ADFS Web Agent

 20
• Configure the Windows NT Token-based Application for Read/Write Access

Configure IIS and the ADFS Web Agent

Use the following procedure to configure IIS and the ADFS Web Agent.

To configure IIS and the ADFS Web Agent

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. In the console tree, double-click ADFSWEB, right-click Web Sites, and

then click Properties.

3. On the ADFS Web Agent tab, in Federation Service URL, type

https://adfsresource.treyresearch.net/adfs/fs/FederationServerService.a
smx, and then click OK.

4. In the console tree, right-click Default Web Site, point to New, and then
click Virtual Directory.

5. On the Welcome to the Virtual Directory Creation Wizard page, click

Next.

6. On the Virtual Directory Alias page, in Alias, type tokenapp, and then
click Next.

7. On the Web Site Content Directory page, click Browse, highlight the
c:\inetpub\wwwroot folder, click the Make New Folder button, name the
folder tokenapp, click OK, and then click Next.

Note
Do not use capital letters in the tokenapp folder name. If this folder name
contains capital letters, users must also use capital letters when they
type the address of the Web site.

8. On the Virtual Directory Access Permissions page, select the Read

and Run scripts check boxes, and then click Next.

9. On the You have successfully completed the Virtual Directory

Creation Wizard page, click Finish.

10. Right-click tokenapp, and then click Properties.

11. On the ASP.NET tab, in the ASP.NET version menu, make sure that
2.0.50727 is selected.
 21

12. On the ADFS Web Agent tab, select the Enable the ADFS Web Agent
for Windows NT token-based applications check box, and then click OK
to accept the default values. When you see the prompt that explains that this
will enable anonymous access, click OK.

Note
The value in Return URL on this property page must match precisely
with the Application URL value that you specify when you set up the
application on the Federation Service for Trey Research.

13. Create the seven files that make up the Windows NT token–based
sample application by using the procedures in Appendix A: Creating the
Windows NT Token-based Sample Application. After you create them, copy
the files into the c:\inetpub\wwwroot\tokenapp folder.

Configure the Windows NT Token–based Application for

Read/Write Access
Use the following procedure to configure the Windows NT token–based application for
Read/Write access.

To configure the Windows NT token–based application for Read/Write access

1. Start Windows Explorer.

2. Click the C: folder.

3. Right-click the file named blog.txt, and then click Properties.

4. Click the Security tab, and then click Add.

Note
To perform this step, you should be logged on as a domain administrator
and not as a local administrator.

5. Type adatumtokenappusers, and then click OK.

6. Under Group or user names, highlight adatumtokenappusers, select

the Write check box, and then click OK.
 22

Configure the Web Server for a Claims-aware

Application
Because this guide requires that the Windows NT token–based application use the
default Web site, you must create and configure an additional Web site in IIS for the
sample claims-aware application. To configure the Web server to host a sample claims-
aware application, complete the following tasks on the adfsweb computer:

• Create a New Web Site in IIS

• Configure the stepbystep Web Site

• Assign the adfsweb Server Authentication Certificate to the stepbystep Web

Site

Create a New Web site in IIS

Use the following procedure to create a new Web site in IIS.

To create a new Web site in IIS

1. Click Start, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.

2. In the console tree, double-click ADFSWEB, right-click Web Sites, point

to New, and then click Web Site.

3. On the Welcome to the Web Site Creation Wizard page, click Next.

4. On the Web Site Description page, in Description, type stepbystep,

and then click Next.
5. On the IP Address and Port Settings page, in TCP port this Web site
should use (Default: 80) field, replace 80 with 8080, and then click Next.

6. On the Web Site Home Directory page, click Browse, highlight the
c:\inetpub folder, click Make New Folder, name the folder stepbystep, click
OK, and then click Next.

7. On the Web Site Access Permissions page, make sure that Read is
selected, and then click Next.

8. On the You have successfully completed the Web Site Creation

Wizard page, click Finish.
 23

Configure the stepbystep Web Site

Use the following procedure to configure the stepbystep Web site.

To configure the stepbystep Web site

1. In the Internet Information Services (IIS) Manager snap-in, double-
click ADFSWEB, double-click Web Sites, right-click stepbystep, and then
click Properties.

2. On the Web Site tab, in SSL Port, type 8081.

3. On the ASP.NET tab, in the ASP.NET version menu, make sure that
2.0.50727 is selected.

4. On the Directory Security tab, in the Authentication and access

control section, click Edit.

5. In the Authentication Methods dialog box, clear the Integrated

Windows Authentication check box, click OK, and then click OK again.

6. In the console tree, right-click stepbystep, point to New, and then click
Virtual Directory.

7. On the Welcome to the Virtual Directory Creation Wizard page, click

Next.

8. On the Virtual Directory Alias page, in Alias, type claimapp, and then
click Next.

9. On the Web Site Content Directory page, click Browse, highlight the
c:\inetpub\stepbystep folder, click the Make New Folder button, name the
folder claimapp, click OK, and then click Next.

Note
Do not use capital letters in the claimapp folder name. If this folder name
contains capital letters, users must also use capital letters when they
type the address of the Web site.

10. On the Virtual Directory Access Permissions page, select the Read
and Run scripts check boxes, and then click Next.

11. On the You have successfully completed the Virtual Directory

Creation Wizard page, click Finish.

12. In the console tree, double-click stepbystep, right-click the claimapp

folder, and then click Properties.
 24

Note
To view the new claimapp folder, you may need to refresh IIS.

13. On the Documents tab, verify that default.aspx is in the list. If it is not,
click Add, type default.aspx, click OK, and then click OK again.

Assign the adfsweb Server Authentication Certificate to the

stepbystep Web Site
Use the following procedure to assign the adfsweb server authentication certificate to the
stepbystep Web site.

To assign the adfsweb server authentication certificate to the stepbystep Web

site
1. In Internet Information Services (IIS) Manager, right-click the
stepbystep Web site, and then click Properties.

2. On the Directory Security tab, click Server Certificate.

3. On the Welcome to the Web Server Certificate Wizard page, click

Next.

4. On the Server Certificate page, click Assign an existing certificate,

and then click Next.

5. On the Available Certificates page, click the adfsweb.treyresearch.net

certificate, and then click Next.

6. On the SSL Port page, accept the default (SSL port 8081), and then
click Next.

7. On the Certificate Summary page, verify the details, and then click
Next.

8. On the Completing the Web Server Certificate Wizard page, click

Finish.

9. Create the three files that make up the claims-aware sample application
by using the procedures in Appendix B: Creating the Claims-aware Sample
Application. After you create them, copy the files into the
c:\inetpub\stepbystep\claimapp folder.
 25

Step 4: Configuring the Federation

Servers
Now that you have installed Active Directory Federation Services (ADFS) and you have
configured the Web server for the sample claims-aware and Windows NT token–based
application, you configure the Federation Service on the federation servers for both Trey
Research and A. Datum Corporation. In this step, you:

• Make the Federation Service for Trey Research aware of both the claims-
aware application and the Windows NT token–based application.

• Add account stores and group claims to each Federation Service.

• Configure each of the group claims so that they map to an Active Directory
group in the appropriate forest.

Group claims must be configured differently for each Federation Service, depending on
the type of application that they map to. The following illustration shows how claims are
configured in this step for each Federation Service and application type.
 26

This step consists of the following tasks:

• Configure the Federation Service for Trey Research

• Configure the Federation Service for A. Datum Corporation

Administrative Credentials

To perform all of the tasks in this step, log on to the adfsaccount computer and the
adfsresource computer with the Administrator account for the domain.

Configuring the Federation Service for Trey

Research
• Configure the Trust Policy

• Create and Map a Group Claim for the Windows NT Token-based Application
 27
• Create a Group Claim for the Claims-aware Application

• Add an Active Directory Account Store

• Add and Configure a Windows NT Token-based Application

• Add and Configure a Claims-aware Application

• Add and Configure an Account Partner

Configure the Trust Policy

Use the following procedure on the adfsresource computer to configure the trust policy
for the Federation Service in Trey Research.

To configure the Trey Research trust policy

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. In the console tree, double-click Federation Service, right-click Trust

Policy, and then click Properties.

3. On the General tab, in Federation Service URI, replace

urn:federation:myOrganization with urn:federation:treyresearch

Note
This value is case sensitive.

4. In Federation Service endpoint URL, replace

https://ComputerName/adfs/ls/clientlogon.aspx with
https://adfsresource.treyresearch.net/adfs/ls/.

5. On the Display Name tab, in the Display name for this trust policy
field, type Trey Research (replace any value that may already exist in this
field with Trey Research), and then click OK.

Create and Map a Group Claim for the Windows NT Token–

based Application
Use the following procedures to create and map a group claim that will be used to make
authorization decisions for the Windows NT token–based application on behalf of users in
the adatum.com forest:

• Create a Group Claim for the Windows NT Token–based Application

• Map the Adatum TokenApp Claim to a Global Group

 28
Create a Group Claim for the Windows NT Token–based Application
Use the following procedure to create a group claim for the Windows NT token–based
application.

To create a group claim for the Windows NT token–based application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Organization Claims, point to New, and then
click Organization Claim.

3. In the Create a New Organization Claim dialog box, in Claim name,

type Adatum TokenApp Claim.

4. Ensure that Group claim is selected, and then click OK.

Map Adatum TokenApp Claim to a Global Group

Now that you have created a group claim, use the following procedure to map the claim
to the adatumtokenappusers global group in the local treyresearch.net forest.

To map the Adatum TokenApp Claim to a global group

1. In the Organization Claims folder, right-click the new Adatum
TokenApp Claim, and then click Properties.

2. On the Group Claim Properties page, on the Resource Group tab,

click Map this claim to the following local resource group, click the …
button, type adatumtokenappusers, click OK, and then click OK again.

Create a Group Claim for the Claims-aware Application

Use the following procedure to create a group claim that will be used to make
authorization decisions for the sample claims-aware application on behalf of users in the
adatum.com forest.

To create a group claim for the claims-aware application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

 29

My Organization, right-click Organization Claims, point to New, and then

click Organization Claim.

3. In the Create a New Organization Claim dialog box, in Claim name,

type Adatum ClaimApp Claim.

4. Ensure that Group claim is selected, and then click OK.

Add an Active Directory Account Store

Use the following procedure to add an Active Directory account store to the Federation
Service for Trey Research.

To add an Active Directory account store

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Account Stores, point to New, and then click
Account Store.

3. On the Welcome to the Add Account Store Wizard page, click Next.

4. On the Account Store Type page, ensure that Active Directory is

selected, and then click Next.

5. On the Enable this Account Store page, ensure that the Enable this
account store check box is selected, and then click Next.

6. On the Completing the Add Account Store Wizard page, click Finish.

Add a Windows NT Token–based Application to the

Federation Service
• Add a Windows NT Token–based Application

• Enable the Adatum TokenApp Claim

Add a Windows NT Token–based Application

Use the following procedure on the adfsresource computer to add a Windows NT token–
based application to the Federation Service for Trey Research.
 30

To add a Windows NT token–based application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Applications, point to New, and then click
Application.

3. On the Welcome to the Add Application Wizard page, click Next.

4. On the Application Type page, click Windows NT token–based

application, and then click Next.

5. On the Application Details page, in Application display name, type

Token-based Application.

6. In Application URL, type https://adfsweb.treyresearch.net/tokenapp/,

and then click Next.

7. On the Accepted Identity Claim page, click User principal name

(UPN), and then click Next.

8. On the Enable this Application page, ensure that the Enable this
application check box is selected, and then click Next.

9. On the Completing the Add Application Wizard page, click Finish.

Enable the Adatum TokenApp Claim

Now that the Federation Service recognizes the application, use the following procedure
to enable the Adatum TokenApp Claim group claim for that application.

To enable the Adatum TokenApp Claim

1. In the Applications folder, click Token-based Application.

2. Right-click the Adatum TokenApp Claim group claim, and then click
Enable.

Add a Claims-aware Application to the Federation Service

Use the following procedures on the adfsresource computer to add a claims-aware
application to the Federation Service for Trey Research.

• Add a Claims-aware Application

• Enable the Adatum ClaimApp Claim

 31
Add a Claims-aware Application
Use the following procedure to add a claims-aware application.

To add a claims-aware application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Applications, point to New, and then click
Application.

3. On the Welcome to the Add Application Wizard page, click Next.

4. On the Application Type page, click Claims-aware application, and

then click Next.

5. On the Application Details page, in Application display name, type

Claims-aware Application.

6. In Application URL, type

https://adfsweb.treyresearch.net:8081/claimapp/, and then click Next.

Note
The reference to 8081 in the Application URL is necessary to route SSL
traffic to port 8081 because the default Web site is using the default SSL
port (443).

7. On the Accepted Identity Claims page, click User principal name

(UPN), and then click Next.

8. On the Enable this Application page, ensure that the Enable this
application check box is selected, and then click Next.
9. On the Completing the Add Application Wizard page, click Finish.

Enable the Adatum ClaimApp Claim

Now that the Federation Service recognizes the application, use the following procedure
to enable the Adatum ClaimApp Claim group claim for that application.

To enable the Adatum ClaimApp group claim

1. In the Applications folder, click Adatum ClaimApp.

2. Right-click the Adatum ClaimApp Claim group claim, and then click
 32

Enable.

Add and Configure an Account Partner

Use the following procedures on the adfsresource computer to add the account partner
for A. Datum Corporation to the Federation Service for Trey Research.

• Add an Account Partner

• Create an Incoming Group Claim Mapping for the Windows NT Token–based

Application

• Create an Incoming Group Claim Mapping for the Claims-aware Application

Add an Account Partner

Adding an account partner represents the configuration of the relationship between
A. Datum Corporation and Trey Research. This relationship is established by an out-of-
band exchange of a public key. This key is the establishment of trust between the two
companies so that Trey Research can validate the tokens that A. Datum Corporation
sends. Use the following procedure to add an account partner.

To add an account partner

1. Click Start, point to All Programs, point to Administrative Tools, and
then Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, right-click Account Partners, point to New, and
then click Account Partner.

3. On the Welcome to the Add Account Partner Wizard page, click Next.

4. On the Import Policy File page, ensure that No is selected, and then
click Next.

5. On the Account Partner Details page, in Display name, type A. Datum

Corporation.

6. In Federation Service URI, type urn:federation:adatum.

Note
This value is case sensitive.

7. In Federation Service endpoint URL, type

https://adfsaccount.adatum.com/adfs/ls/, and then click Next.
 33

8. On the Account Partner Verification Certificate page, click Browse,

type \\adfsaccount\c$, click Open, click adfsaccount_ts.cer, and then click
Next.

Note
You may need to map the network drive to obtain the adfsaccount_ts.cer
file. The account partner verification certificate is the token-signing
certificate that was exported from the adfsaccount computer in Step 2:
Installing ADFS and Configuring Local System.

9. On the Federation Scenario page, click Federated Web SSO, and then
click Next.
10. On the Account Partner Identity Claims page, select the UPN Claim
check box, and then click Next.

11. On the Accepted UPN Suffixes page, type adatum.com, click Add,
and then click Next.

12. On the Enable this Account Partner page, ensure that the Enable this
account partner check box is selected, and then click Next.

13. On the Completing the Add Account Partner Wizard page, click
Finish.

Create an Incoming Group Claim Mapping for the Windows NT

Token–based Application
Incoming group claim mappings are used to transform group claims that are sent by an
account partner into claims that can be used by the resource partner to make
authorization decisions. Use the following procedure to create an incoming group claim
mapping for the Windows NT token–based application.

To create an incoming group claim mapping for the Windows NT token–based

application
1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, double-click Account Partners, right-click A.
Datum Corporation, point to New, and then click Incoming Group Claim
Mapping.

3. In the Create a New Incoming Group Claim Mapping dialog box, in

 34

Incoming group claim name, type TokenAppMapping.

Note
This value is case sensitive. It must match exactly with the value that is
specified in the outgoing group claim mapping in the account partner
organization.

4. In Organization group claim, select the Adatum TokenApp Claim

group claim, and then click OK.

Create an Incoming Group Claim Mapping for the Claims-aware

Application
Use the following procedure to create an incoming group claim mapping for the sample
claims-aware application.

To create an incoming group claim mapping for the claims-aware application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, double-click Account Partners, right-click
A. Datum Corporation, point to New, and then click Incoming Group
Claim Mapping.

3. In the Create a New Incoming Group Claim Mapping dialog box, in

Incoming group claim name, type ClaimAppMapping.

Note
This value is case sensitive. It must match exactly with the value that is
specified in the outgoing group claim mapping in the account partner
organization.

4. In Organization group claim, select the Adatum ClaimApp Claim

group claim, and then click OK.

Configuring the Federation Service for A.

Datum Corporation
• Configure the Trust Policy

• Create a Group Claim for the Windows NT Token-based Application

 35
• Create a Group Claim for the Claims-aware Application

• Add and Configure an Active Directory Account Store

• Add a Resource Partner

Configure the Trust Policy

Use the following procedure on the adfsaccount computer to configure the trust policy for
the Federation Service for A. Datum Corporation.

To configure the trust policy

1. Click Start, select Programs, point to Administrative Tools, and then
click Active Directory Federation Services.

2. In the console tree, double-click Federation Service, right-click Trust

Policy, and then click Properties.

3. On the General tab, in Federation Service URI, replace

urn:federation:myOrganization with urn:federation:adatum.

Note
This value is case sensitive.

4. In Federation Service endpoint URL, replace

https://ComputerName/adfs/ls/clientlogon.aspx with
https://adfsaccount.adatum.com/adfs/ls/.

5. On the Display Name tab, in the Display name for this trust policy
field, type A. Datum (replace any value that may already exist in this field
with A. Datum), and then click OK.

Create a Group Claim for the Windows NT Token-based

Application
Use the following procedure to create a group claim that will be used to authenticate to
the treyresearch.net forest.

To create a group claim for the Windows NT token-based application

1. Click Start, select Programs, point to Administrative Tools, and then
click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

 36

My Organization, right-click Organization Claims, point to New, and then

click Organization Claim.

3. In the Create a New Organization Claim dialog box, in Claim name,

type Trey TokenApp Claim.

4. Ensure that Group claim is selected, and then click OK.

Create a Group Claim for the Claims-aware Application

Use the following procedure to create a group claim that will be used to authenticate to
the treyresearch.net forest.

To create a group claim for the claims-aware application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Organization Claims, point to New, and then
click Organization Claim.

3. In the Create a New Organization Claim dialog box, in Claim name,

type Trey ClaimApp Claim.

4. Ensure that Group claim is selected, and then click OK.

Add and Configure an Active Directory Account Store

Use the following procedures to add an Active Directory account store to the Federation
Service for A. Datum Corporation.

• Add an Active Directory Account Store

• Map a Global Group to the Group Claim for the Windows NT Token-based
Application

• Map a Global Group to the Group Claim for the Claims-aware Application

Add an Active Directory Account Store

Use the following procedure to add an Active Directory account store.

To add an Active Directory account store

1. Click Start, select Programs, point to Administrative Tools, and then
 37

click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, right-click Account Stores, point to New, and then click
Account Store.

3. On the Welcome to the Add Account Store Wizard page, click Next.

4. On the Account Store Type page, ensure that Active Directory is

selected, and then click Next.

Note
You can have only one Active Directory store that is associated with a
Federation Service. If the Active Directory option is not available, it is
because an Active Directory store has already been created for this
Federation Service.

5. On the Enable this Account Store page, ensure that the Enable this
account store check box is selected, and then click Next.

6. On the Completing the Add Account Store Wizard page, click Finish.

Map a Global Group to the Group Claim for the Windows NT Token–
based Application
Use the following procedure to map an Active Directory global group to the
Trey TokenApp Claim group claim.

To map a global group to the group claim for the Windows NT token–based
application
1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, double-click Account Stores, right-click Active
Directory, point to New, and then click Group Claim Extraction.

3. In the Create a New Group Claim Extraction dialog box, click Add,
type treytokenappusers, and then click OK.

4. Ensure that the Map to this Organization Claim menu displays

Trey TokenApp Claim, and then click OK.
 38
Map a Global Group to the Group Claim for the Claims-aware
Application
Use the following procedure to map an Active Directory global group to the
Trey ClaimApp Claim group claim.

To map a global group to the group claim for the claims-aware application
1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

My Organization, double-click Account Stores, right-click Active
Directory, point to New, and then click Group Claim Extraction.

3. In the Create a New Group Claim Extraction dialog box, click Add,
type treyclaimappusers, and then click OK.

4. Ensure that the Map to this Organization Claim menu displays

Trey ClaimApp Claim, and then click OK.

Add and Configure a Resource Partner

Use the following procedures to add a resource partner to the Federation Service in
A. Datum Corporation.

• Add a Resource Partner

• Create an Outgoing Group Claim Mapping for the Windows NT Token–based

Application

• Create an Outgoing Group Claim Mapping for the Claims-aware Application

Add a resource partner

Use the following procedure to add a resource partner.

Add a resource partner

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, right-click Resource Partners, point to New, and
then click Resource Partner.

3. On the Welcome to the Add Resource Partner Wizard page, click

 39

Next.

4. On the Import Policy File page, ensure that No is selected, and then
click Next.

5. On the Resource Partner Details page, in Display name, type Trey

Research.

6. In Federation Service URI, type urn:federation:treyresearch.

Note
This value is case sensitive.

7. In Federation Service endpoint URL, type

https://adfsresource.treyresearch.net/adfs/ls/, and then click Next.

8. On the Federation Scenario page, click Federated Web SSO, and then
click Next.

9. On the Resource Partner Identity Claims page, select the UPN Claim
check box, and then click Next.

10. On the Select UPN Suffix page, click Replace all UPN domain
suffixes with the following, and then type adatum.com.

11. On the Enable this Resource Partner page, ensure that the Enable
this resource partner check box is selected, and then click Next.

12. On the Completing the Add Resource Partner Wizard page, click
Finish.

Create an Outgoing Group Claim Mapping for the Windows NT

Token-based Application
Outgoing group claim mappings are used to transform group claims before they are sent
to resource partners. Use the following procedure to create an outgoing group claim
mapping for the Windows NT token–based application.

To create an outgoing group claim mapping for the Windows NT token–based

application
1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, double-click Resource Partners, right-click Trey
Research, point to New, and then click Outgoing Group Claim Mapping.
 40

3. In the Create a New Outgoing Group Claim Mapping dialog box, in

Organization group claims, click Trey TokenApp Claim.

4. In Outgoing group claim name, type TokenAppMapping, and then

click OK.

Note
This value is case sensitive. It must match exactly with the value that is
specified in the incoming group claim mapping in the resource partner
organization.

Create an Outgoing Group Claim Mapping for the Claims-aware

Application
Use the following procedure to create an outgoing group claim mapping for the sample
claims-aware application.

To create an outgoing group claim mapping for the claims-aware application

1. Click Start, point to All Programs, point to Administrative Tools, and
then click Active Directory Federation Services.

2. Double-click Federation Service, double-click Trust Policy, double-click

Partner Organizations, double-click Resource Partners, right-click Trey
Research, point to New, and then click Outgoing Group Claim Mapping.

3. In the Create a New Outgoing Group Claim Mapping dialog box, in

Organization group claims, click Trey ClaimApp Claim.

4. In Outgoing group claim name, type ClaimAppMapping, and then

click OK.

Note
This value is case sensitive. It must match exactly with the value that is
specified in the incoming group claim mapping in the resource partner
organization.
 41

Step 5: Accessing Federated

Applications from the Client Computer
This step includes the following tasks:

• Configure Browser Settings to Trust the adfsaccount Federation Server

• Access the Claims-aware Application

• Access the Windows NT Token–based Application

Administrative Credentials
To perform the tasks in this step, it is not necessary to log on with administrative
credentials to the client computer. In other words, if users Alansh or Adamcar are logged
on to the client, they can access both Web-based applications, without being added to
any of the local administrator groups (for example, Power Users, Administrators) for the
adfsclient computer.

Configure Browser Settings to Trust the

adfsaccount Federation Server
Use the following procedure to manually configure each user's Internet Explorer settings
so that the browser settings will trust the adfsaccount federation server. You complete this
procedure twice, once while logged on as Alansh and a second time while logged on as
Adamcar.

To configure browser settings to trust the adfsaccount federation server

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. On the Security tab, click the Local intranet icon, and then click Sites.

4. Click Advanced, and in Add this Web site to the zone, type
https://adfsaccount.adatum.com, and then click Add.

5. Click OK three times.

 42

Access the Claims-aware Application

Use the following procedure to access the sample claims-aware application from a client
that is authorized for that application.

To access the claims-aware application

1. Log on to the adfsclient computer as Alansh.

2. Open a browser window, and then navigate to

https://adfsweb.treyresearch.net:8081/claimapp/.

Note
You will be prompted twice (in the Security Alert dialog box) for
certificate information. You can install each certificate by clicking View
Certificate and then clicking Install, or you can click Yes each time that
you are prompted. Each of these Security Alert prompts displays the
message "The security certificate was issued by a company you have
not chosen to trust." This is expected behavior because self-signed
certificates are used for the purposes of this guide.

3. When you are prompted for your home realm, click A. Datum, and then
click Submit.

Note
You will be prompted one more time for a certificate.

4. At this point the Claims-aware Sample Application appears in the

browser. You can see which claims were sent to the Web server in the
SingleSignOnIdentity.SecurityPropertyCollection section of the sample
application.

5. Log off as Alansh, and then log on as Adamcar. Repeat steps 2 through 4
of this procedure. Compare the difference between Adam's passed claims
and Alan's passed claims.

Access the Windows NT Token–based

Application
Use the following procedure to access the Windows NT token–based application from a
client that is authorized for that application.
 43

To access the Windows NT token–based application

1. Log on to the adfsclient computer as Adamcar.

2. Open a browser window, and then navigate to

https://adfsweb.treyresearch.net/tokenapp/.

Note
If you did not install the certificates from the previous procedures, you will
be prompted twice (in the Security Alert dialog box) for certificate
information. You can install each certificate by clicking View Certificate
and clicking Install, or you can click Yes each time that you are
prompted.

3. When you are prompted for your home realm, click A. Datum, and then
click Submit.

Note
If you did not install the certificate from the previous procedure, you will
be prompted one more time for a certificate.

4. At this point you should see the Windows NT token–based sample

application. You should have both Read and Write access to the blog.

5. Log off as Adamcar, and then log on as Alansh. Repeat steps 2 through 4
of this procedure. Notice that Alan can read blog messages, but he does not
have access rights to submit a blog message.

Appendix A: Creating the Windows NT

Token-based Sample Application
To test token-based authorization using Active Directory Federation Services (ADFS) you
need a Windows NT token-based application. This section includes instructions for
setting up a sample Windows NT token-based application on your Web server. By using
this sample Windows NT token-based application and the supporting instructions in Step
3: Configuring the Web Server together, you can complete the Web server setup process
and prepare the application for testing from the client computer.

This application is made up of the following seven files:

• Default.htm
 44
• Blog.aspx

• Blog.aspx.cs

• Message.aspx

• Message.aspx.cs

• Web.config

• Blog.txt

For this application to function correctly, you must use the following procedures to create
each of the required files in order. After you create them, move the files to the
C:\inetpub\wwwroot\tokenapp directory on the adfsweb computer.
• Create the Default.htm File

• Create the Blog.aspx File

• Create the Blog.aspx.cs File

• Create the Message.aspx File

• Create the Message.aspx.cs File

• Create the Web.config File

• Create the Blog.txt File

Create the Default.htm File

Use the following procedure to create the default.htm file.

To create the default.htm file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head>

<title>Windows NT token-based Sample Application</title>

</head>

<body>
 45

<b><font size="4">Windows NT token-based Sample Application</font></b>

<p><a href="message.aspx">Read blog</a>

<br />

<a href="blog.aspx">Write blog</a>

</p>

</body>

</html>

3. Save the Notepad file as default.htm in the c:\inetpub\wwwroot\tokenapp

directory.

Create the Blog.aspx File

Use the following procedure to create the blog.aspx file.

To create the blog.aspx file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<%@ Page language="c#" Inherits="CHWWebApp.WebForm1"

CodeFile="blog.aspx.cs" %>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<HTML>

<HEAD>

<title>Write Blog Message</title>

<meta name="GENERATOR" Content="Microsoft FrontPage 6.0">

<meta name="CODE_LANGUAGE" Content="C#">

<meta name="vs_defaultClientScript" content="JavaScript">

<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">

</HEAD>

<body>

<form id="Form1" method="post" runat="server">

 46

<asp:TextBox ID="TextBox1" runat="server" Height="146px"

Width="451px"></asp:TextBox>

<br />

<asp:Button ID="Button2" runat="server"

OnClick="Button2_Click" Text="Submit Message" />

<asp:Label ID="Label1" runat="server"></asp:Label>

</form>

</body>

</HTML>

3. Save the Notepad file as blog.aspx in the c:\inetpub\wwwroot\tokenapp

directory.

Create the Blog.aspx.cs File

Use the following procedure to create the blog.aspx.cs file.

To create the blog.aspx.cs file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

using System;

using System.IO;

using System.Collections;

using System.ComponentModel;

using System.Data;

using System.Drawing;

using System.Web;

using System.Web.SessionState;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.HtmlControls;

using System.Web.Security.SingleSignOn;
 47

using System.Threading;

using System.Security.Principal;

namespace CHWWebApp

/// <summary>

/// Summary description for WebForm1.

/// </summary>

public partial class WebForm1 : System.Web.UI.Page

#region Web Form Designer generated code

override protected void OnInit(EventArgs e)

//

// CODEGEN: This call is required by the ASP.NET Web Form Designer.

//

InitializeComponent();

base.OnInit(e);

/// <summary>

/// Required method for Designer support - do not modify

/// the contents of this method with the code editor.

/// </summary>

private void InitializeComponent()

{
 48

#endregion

protected void Button2_Click(object sender, EventArgs e)

try

using (StreamWriter sw = new StreamWriter("c:\\blog.txt"))

sw.Write(this.TextBox1.Text.ToString());

this.Label1.Text = "Note successfully saved by " +

WindowsIdentity.GetCurrent().Name + " @ " + System.DateTime.Now.ToString();

catch (System.Exception exception)

this.Label1.Text = "Note could not be written to file " +

exception.Message.ToString();

this.Label1.Text = this.Label1.Text + " " +

WindowsIdentity.GetCurrent().Name;

3. Save the Notepad file as blog.aspx.cs in the

c:\inetpub\wwwroot\tokenapp directory.
 49

Create the Message.aspx File

Use the following procedure to create the message.aspx file.

To create the message.aspx file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="message.aspx.cs"

Inherits="message" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Read Blog Message</title>

</head>

<body>

<form id="form1" runat="server">

<div>

</div>

</form>

</body>

</html>

3. Save the Notepad file as message.aspx in the

c:\inetpub\wwwroot\tokenapp directory.

Create the Message.aspx.cs File

Use the following procedure to create the message.aspx.cs file.
 50

To create the message.aspx.cs file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

using System;

using System.Data;

using System.Configuration;

using System.Collections;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using System.IO;

public partial class message : System.Web.UI.Page

protected void Page_Load(object sender, EventArgs e)

try

using (StreamReader sr = new StreamReader("c:\\blog.txt"))

string oneLine;

Response.Write("Message in blog contains the following

text: <HR>");

while((oneLine = sr.ReadLine()) != null)

Response.Write(oneLine);
 51

Response.Write("<BR>");

catch (Exception myException)

Response.Write("The file containing the blog message could not

be read. Check to make sure the blog.txt file is created in the root of C:
on the Web server. Error message:");

Response.Write("<BR>");

Response.Write(myException.Message);

3. Save the Notepad file as message.aspx.cs in the

c:\inetpub\wwwroot\tokenapp directory.

Create the Web.config File

Use the following procedure to create the web.config file.

To create the web.config file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<?xml version="1.0"?>

<configuration>

<system.web>

<!-- DYNAMIC DEBUG COMPILATION

Set compilation debug="true" to enable ASPX debugging.

Otherwise, setting this value to
 52

false will improve runtime performance of this application.

Set compilation debug="true" to insert debugging symbols (.pdb

information)

into the compiled page. Because this creates a larger file that
executes

more slowly, you should set this value to true only when
debugging and to

false at all other times. For more information, refer to the

documentation about

debugging ASP.NET files.

-->

<compilation defaultLanguage="c#" debug="true">

<compilers>

<compiler language="c#" type="Microsoft.CSharp.CSharpCodeProvider, System,

Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"
extension=".cs" compilerOptions="/d:DEBUG;TRACE"/></compilers>

<assemblies>

<add assembly="System.Web.Security.SingleSignOn, Version=1.0.0.0,

Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/></assemblies></compilation>

<!-- CUSTOM ERROR MESSAGES

Set customErrors mode="On" or "RemoteOnly" to enable custom

error messages, "Off" to disable.

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.

"Off" Always display detailed ASP.NET error information.

"RemoteOnly" Display custom (friendly) messages only to users

not running

on the local Web server. This setting is recommended for

security purposes, so

that you do not display application detail information to

 53

remote clients.

-->

<customErrors mode="RemoteOnly"/>

<!-- AUTHENTICATION

This section sets the authentication policies of the

application. Possible modes are "Windows",

"Forms", "Passport" and "None"

"None" No authentication is performed.

"Windows" IIS performs authentication (Basic, Digest, or

Integrated Windows) according to

its settings for the application. Anonymous access must be

disabled in IIS.

"Forms" You provide a custom form (Web page) for users to enter
their credentials, and then

you authenticate them in your application. A user credential

token is stored in a cookie.

"Passport" Authentication is performed via a centralized

authentication service provided

by Microsoft that offers a single logon and core profile

services for member sites.

-->

<identity impersonate="true"/>

<authentication mode="Windows"/>

<!-- AUTHORIZATION

This section sets the authorization policies of the application.

You can allow or deny access

to application resources by user or role. Wildcards: "*" mean

everyone, "?" means anonymous

(unauthenticated) users.

-->
 54

<authorization>

<allow users="*"/>

<!-- Allow all users -->

<!-- <allow users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

<deny users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

-->

</authorization>

<!-- APPLICATION-LEVEL TRACE LOGGING

Application-level tracing enables trace log output for every

page within an application.

Set trace enabled="true" to enable application trace logging.

If pageOutput="true", the

trace information will be displayed at the bottom of each page.

Otherwise, you can view the

application trace log by browsing the "trace.axd" page from your

web application

root.

-->

<trace enabled="false" requestLimit="10" pageOutput="false"

traceMode="SortByTime" localOnly="true"/>

<!-- SESSION STATE SETTINGS

By default ASP.NET uses cookies to identify which requests

belong to a particular session.

If cookies are not available, a session can be tracked by adding

a session identifier to the URL.

To disable cookies, set sessionState cookieless="true".

-->

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"

sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
 55

cookieless="false" timeout="20"/>

<!-- GLOBALIZATION

This section sets the globalization settings of the application.

-->

<globalization requestEncoding="utf-8" responseEncoding="utf-8"/>

</system.web>

</configuration>

3. Save the Notepad file as web.config in the c:\inetpub\wwwroot\tokenapp

directory.

Create the Blog.txt File

The blog.txt file contains the text for the Windows NT token–based sample application.
For the application to function correctly, this empty file must be created in the root of C:
on the Web server. The blog.txt file is used to assign Read/Write access. Use the
following procedure to create the blog.txt file.

To create the blog.txt file

1. On the adfsweb computer, start Windows Explorer.

2. Click the C: folder.

3. On the File menu, point to New, and then click Text Document.

4. Name the file blog.txt

Appendix B: Creating the Claims-aware

Sample Application
You can use the claims-aware application that is provided in this appendix to test which
claims a Federation Service sends in Active Directory Federation Services (ADFS)
security tokens. This section includes instructions for setting up a sample claims-aware
application on your Web server. By using this sample claims-aware application and the
supporting instructions in Step 3: Configuring the Web Server together, you can prepare
 56
the application for testing on the client computer and complete the Web server setup
process.

The sample claims-aware application is made up of the following three files:

• Default.aspx

• Web.config

• Default.aspx.cs

For this application to function correctly, you must use the following procedures to create
each of the required files in order. After you create them, move the files to the
C:\inetpub\stepbystep\claimapp directory on the adfsweb computer.
• Create the Default.aspx File

• Create the Web.config File

• Create the Default.aspx.cs File

Create the Default.aspx File

Use the following procedure to create the default.aspx file.

To create the default.aspx file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"

Inherits="_Default" %>

<%@ OutputCache Location="None" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<title>Claims-aware Sample Application</title>

 57

<style>

<!--

.pagetitle { font-family: Verdana; font-size: 18pt; font-weight: bold;}

.propertyTable td { border: 1px solid; padding: 0px 4px 0px 4px}

.propertyTable th { border: 1px solid; padding: 0px 4px 0px 4px; font-
weight: bold; background-color: #cccccc ; text-align: left }

.propertyTable { border-collapse: collapse;}

td.l{ width: 200px }

tr.s{ background-color: #eeeeee }

.banner { margin-bottom: 18px }

.propertyHead { margin-top: 18px; font-size: 12pt; font-family: Arial;

font-weight: bold; margin-top: 18}

.abbrev { color: #0066FF; font-style: italic }

-->

</style>

</head>

<body>

<form ID="Form1" runat=server>

<div class=banner>

<div class=pagetitle>SSO Sample</div>

[ <asp:HyperLink ID=SignOutUrl runat=server>Sign Out</asp:HyperLink> | <a

href="<%=Context.Request.Url.GetLeftPart(UriPartial.Path)%>">Refresh
without viewstate data</a>]

</div>

<div class=propertyHead>Page Information</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table runat=server ID=PageTable CssClass=propertyTable>

 58

<asp:TableHeaderRow>

<asp:TableHeaderCell>Name</asp:TableHeaderCell>

<asp:TableHeaderCell>Value</asp:TableHeaderCell>

<asp:TableHeaderCell>Type</asp:TableHeaderCell>

</asp:TableHeaderRow>

</asp:Table>

</div>

<div class=propertyHead>User.Identity</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table CssClass="propertyTable" ID=IdentityTable runat=server>

<asp:TableHeaderRow>

<asp:TableHeaderCell>Name</asp:TableHeaderCell>

<asp:TableHeaderCell>Value</asp:TableHeaderCell>

<asp:TableHeaderCell>Type</asp:TableHeaderCell>

</asp:TableHeaderRow>

</asp:Table>

</div>

<div class=propertyHead>(IIdentity)User.Identity</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table CssClass="propertyTable" ID=BaseIdentityTable runat=server>

<asp:TableHeaderRow>

<asp:TableHeaderCell>Name</asp:TableHeaderCell>

<asp:TableHeaderCell>Value</asp:TableHeaderCell>

<asp:TableHeaderCell>Type</asp:TableHeaderCell>

</asp:TableHeaderRow>

</asp:Table>
 59

</div>

<div class=propertyHead>(SingleSignOnIdentity)User.Identity</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table CssClass="propertyTable" ID=SSOIdentityTable runat=server>

<asp:TableHeaderRow>

<asp:TableHeaderCell>Name</asp:TableHeaderCell>

<asp:TableHeaderCell>Value</asp:TableHeaderCell>

<asp:TableHeaderCell>Type</asp:TableHeaderCell>

</asp:TableHeaderRow>

</asp:Table>

</div>

<div
class=propertyHead>SingleSignOnIdentity.SecurityPropertyCollection</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table CssClass="propertyTable" ID=SecurityPropertyTable runat=server>

<asp:TableHeaderRow>

<asp:TableHeaderCell>Uri</asp:TableHeaderCell>

<asp:TableHeaderCell>Claim Type</asp:TableHeaderCell>

<asp:TableHeaderCell>Claim Value</asp:TableHeaderCell>

</asp:TableHeaderRow>

</asp:Table>

</div>

<div class=propertyHead>(IPrincipal)User.IsInRole(...)</div>

<div style="padding-left: 10px; padding-top: 10px">

<asp:Table CssClass="propertyTable" ID=RolesTable runat=server>

</asp:Table>
 60

<div style="padding-top: 10px">

<table>

<tr><td>Roles to check (semicolon separated):</td></tr>

<tr><td><asp:TextBox ID=Roles Columns=55 runat=server/></td><td

align=right><asp:Button UseSubmitBehavior=true ID=GetRoles runat=server
Text="Check Roles" OnClick="GoGetRoles"/></td></tr>

</table>

</div>

</div>

</form>

</body>

</html>

3. Save the Notepad file as default.aspx in the

c:\inetpub\stepbystep\claimapp directory.

Create the Web.config File

Use the following procedure to create the web.config file.

To create the web.config file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

<?xml version="1.0" encoding="utf-8" ?>

<configuration>

<configSections>

<sectionGroup name="system.web">

<section name="websso"

type="System.Web.Security.SingleSignOn.WebSsoConfigurati
 61

onHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=31bf3856ad364e35, Custom=null" />

</sectionGroup>

</configSections>

<system.web>

<sessionState mode="Off" />

<compilation defaultLanguage="c#" debug="true">

<assemblies>

<add assembly="System.Web.Security.SingleSignOn, Version=1.0.0.0,

Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null"/>

<add assembly="System.Web.Security.SingleSignOn.ClaimTransforms,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35,
Custom=null"/>

</assemblies>

</compilation>

<customErrors mode="Off"/>

<authentication mode="None" />

<httpModules>

<add

name="Identity Federation Services Application Authentication

Module"

type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
 62

</httpModules>

<websso>

<authenticationrequired />

<eventloglevel>55</eventloglevel>

<auditsuccess>2</auditsuccess>

<urls>

<returnurl>https://adfsweb.treyresearch.net:8081/claimapp/</returnurl
>

</urls>

<cookies writecookies="true">

<path>/claimapp</path>

<lifetime>240</lifetime>

</cookies>

<fs>https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.a
smx</fs>

</websso>

</system.web>

<system.diagnostics>

<switches>

<add name="WebSsoDebugLevel" value="0" /> <!-- Change to 255 to enable full

debug logging -->

</switches>

<trace autoflush="true" indentsize="3">

<listeners>

<add name="LSLogListener"
type="System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener,
 63

System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=31bf3856ad364e35, Custom=null"

initializeData="c:\logdir\claimapp.log" />

</listeners>

</trace>

</system.diagnostics>

</configuration>

3. Save the Notepad file as web.config in the c:\inetpub\stepbystep\claimapp

directory.

Create the Default.aspx.cs File

Use the following procedure to create the default.aspx.cs file.

To create the default.aspx.cs file

1. Start Notepad.

2. Copy and paste the following code into a new Notepad file:

using System;

using System.Data;

using System.Collections.Generic;

using System.Configuration;

using System.Reflection;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Web.UI.HtmlControls;

using System.Security;
 64

using System.Security.Principal;

using System.Web.Security.SingleSignOn;

using System.Web.Security.SingleSignOn.Authorization;

public partial class _Default : System.Web.UI.Page

const string NullValue = "<span class=\"abbrev\" title=\"Null

Reference, or not applicable\"><b>null</b></span>";

static Dictionary<string, string> s_abbreviationMap;

static _Default()

s_abbreviationMap = new Dictionary<string, string>();

//

// Add any abbreviations here. Make sure that prefixes of

// replacements occur *after* the longer replacement key.

//

s_abbreviationMap.Add("System.Web.Security.SingleSignOn.Authorizat
ion", "SSO.Auth");

s_abbreviationMap.Add("System.Web.Security.SingleSignOn", "SSO");

s_abbreviationMap.Add("System", "S");

protected void Page_Load(object sender, EventArgs e)

SingleSignOnIdentity ssoId = User.Identity as SingleSignOnIdentity;

 65

//

// Get some property tables initialized.

//

PagePropertyLoad();

IdentityLoad();

BaseIdentityLoad();

SSOIdentityLoad(ssoId);

SecurityPropertyTableLoad(ssoId);

//

// Filling in the roles table

// requires a peek at the viewstate

// since we have a text box driving this.

//

if (!IsPostBack)

UpdateRolesTable(new string[] { });

else

GoGetRoles(null, null);

//

// Get the right links for SSO

//

if (ssoId == null)

{
 66

SignOutUrl.Text = "Single Sign On isn't installed...";

SignOutUrl.Enabled = false;

else

if (ssoId.IsAuthenticated == false)

SignOutUrl.Text = "Sign In (you aren't authenticated)";

SignOutUrl.NavigateUrl = ssoId.SignInUrl;

else

SignOutUrl.NavigateUrl = ssoId.SignOutUrl;

void SecurityPropertyTableLoad(SingleSignOnIdentity ssoId)

Table t = SecurityPropertyTable;

if (ssoId == null)

AddNullValueRow(t);

return;

//

// Go through each of the security properties provided.

//
 67

bool alternating = false;

foreach (SecurityProperty securityProperty in

ssoId.SecurityPropertyCollection)

t.Rows.Add(CreateRow(securityProperty.Uri,
securityProperty.Name, securityProperty.Value, alternating));

alternating = !alternating;

void UpdateRolesTable(string[] roles)

Table t = RolesTable;

t.Rows.Clear();

bool alternating = false;

foreach (string s in roles)

string role = s.Trim();

t.Rows.Add(CreatePropertyRow(role, User.IsInRole(role),
alternating));

alternating = !alternating;

void IdentityLoad()

{
 68

Table propertyTable = IdentityTable;

if (User.Identity == null)

AddNullValueRow(propertyTable);

else

propertyTable.Rows.Add(CreatePropertyRow("Type name",
User.Identity.GetType().FullName));

void SSOIdentityLoad(SingleSignOnIdentity ssoId)

Table propertyTable = SSOIdentityTable;

if (ssoId != null)

PropertyInfo[] props =
ssoId.GetType().GetProperties(BindingFlags.Instance | BindingFlags.Public
| BindingFlags.DeclaredOnly);

AddPropertyRows(propertyTable, ssoId, props);

else

AddNullValueRow(propertyTable);

}
 69

void PagePropertyLoad()

Table propertyTable = PageTable;

string leftSidePath = Request.Url.GetLeftPart(UriPartial.Path);

propertyTable.Rows.Add(CreatePropertyRow("Simplified Path",
leftSidePath));

void BaseIdentityLoad()

Table propertyTable = BaseIdentityTable;

IIdentity identity = User.Identity;

if (identity != null)

PropertyInfo[] props =
typeof(IIdentity).GetProperties(BindingFlags.Instance |
BindingFlags.Public | BindingFlags.DeclaredOnly);

AddPropertyRows(propertyTable, identity, props);

else

AddNullValueRow(propertyTable);

}
 70

void AddNullValueRow(Table table)

TableCell cell = new TableCell();

cell.Text = NullValue;

TableRow row = new TableRow();

row.CssClass = "s";

row.Cells.Add(cell);

table.Rows.Clear();

table.Rows.Add(row);

void AddPropertyRows(Table propertyTable, object obj, PropertyInfo[]

props)

bool alternating = false;

foreach (PropertyInfo p in props)

string name = p.Name;

object val = p.GetValue(obj, null);

propertyTable.Rows.Add(CreatePropertyRow(name, val,
alternating));

alternating = !alternating;

}
 71

TableRow CreatePropertyRow(string propertyName, object propertyValue)

return CreatePropertyRow(propertyName, propertyValue, false);

TableRow CreatePropertyRow(string propertyName, object value, bool

alternating)

if (value == null)

return CreateRow(propertyName, null, null, alternating);

else

return CreateRow(propertyName, value.ToString(),

value.GetType().FullName , alternating);

TableRow CreateRow(string s1, string s2, string s3, bool alternating)

TableCell first = new TableCell();

first.CssClass = "l";

first.Text = Abbreviate(s1);

TableCell second = new TableCell();

second.Text = Abbreviate(s2);

TableCell third = new TableCell();

third.Text = Abbreviate(s3);

TableRow row = new TableRow();

if (alternating)
 72

row.CssClass = "s";

row.Cells.Add(first);

row.Cells.Add(second);

row.Cells.Add(third);

return row;

private string Abbreviate(string s)

if (s == null)

return NullValue;

string retVal = s;

foreach (KeyValuePair<string, string> pair in s_abbreviationMap)

//

// We only get one replacement per abbreviation call.

// First one wins.

//

if (retVal.IndexOf(pair.Key) != -1)

string replacedValue = string.Format("<span

class=\"abbrev\" title=\"{0}\">{1}</span>", pair.Key, pair.Value);

retVal = retVal.Replace(pair.Key, replacedValue);

break;

return retVal;
 73

//

// ASP.NET server side callback

//

protected void GoGetRoles(object sender, EventArgs ea)

string[] roles = Roles.Text.Split(';');

UpdateRolesTable(roles);

3. Save the file as default.aspx.cs in the c:\inetpub\stepbystep\claimapp

directory.

Appendix C: Using Group Policy to

Prevent Certificate Prompts
Now that you have verified that users in the adatum.com forest can access the federated
applications successfully, you can use the following procedures to try to optimize the user
experience by preventing certificate prompts that users see when they access the
federated applications:

• Export adfsweb and adfsaccount Certificates to a File

• Enable Group Policy to Push adfsweb, adfsresource, and adfsaccount

Certificates to the Client Computer

• Run Gpupdate on the Client and Test for Certificate Prompts

Note
The procedures in this appendix are optional.
 74

Export adfsweb and adfsaccount Certificates

to a File
Use the following procedure to export the server authentication certificates for adfsweb
and adfsaccount to .cer files. The adfsresource server authentication certificate was
exported to a .cer file in Step 1. It is not necessary to export it again. In the next
procedure, you import these certificates into domain-wide Group Policy for the
adatum.com forest.

To export adfsweb and adfsaccount certificates to a file

1. On the adfsweb computer, click Start, point to Administrative Tools,
and then click Internet Information Services (IIS) Manager.

2. In the console tree, double-click adfsweb, double-click Web Sites, right-

click Default Web Site, and then click Properties.

3. On the Directory Security tab, click View Certificate, click the Details
tab, and then click Copy to File.

4. On the Welcome to the Certificate Export Wizard page, click Next.

5. On the Export Private Key page, click No, do not export the private
key, and then click Next.

6. On the Export File Format page, click DER encoded binary X.509
(.Cer), and then click Next.

7. On the File to Export page, type C:\adfsweb.cer, and then click Next.

8. On the Completing the Certificate Export Wizard, click Finish.

9. Repeat steps 1 through 8 on the adfsaccount computer. In step 7, save

the file as C:\adfsaccount.cer.

Enable Group Policy to Push adfsweb,

adfsresource, and adfsaccount Certificates to
the Client Computer
After the certificates have been exported, enable Group Policy to push the adfsweb,
adfsresource, and adfsaccount certificates to the adfsclient computer in the adatum.com
domain. Use the following procedure to import the certificates into the domain
Group Policy of adatum.com.
 75

To enable Group Policy to push adfsweb, adfsresource, and adfsaccount

certificates to client computers
1. On the adfsaccount computer, click Start, point to Administrative Tools,
and then click Domain Security Policy.

2. In the console tree, double-click Public Key Policies, right-click Trusted

Root Certification Authorities, and then click Import.

3. On the Welcome to the Certificate Import Wizard page, click Next.

4. On the File to Import page, type \\adfsresource\c$\adfsresource.cer,

and then click Next.

Note
You can also copy the adfsresource.cer file directly from the
adfsresource computer to adfsweb and then point the wizard to that
location.

5. On the Certificate Store page, click Place all certificates in the

following store, and then click Next.

6. On the Completing the Certificate Import Wizard page, verify that the
information that you provided is accurate, and then click Finish.

7. Repeat steps 2 through 6 for the certificates on

\\adfsweb\c$\adfsweb.cer and \\adfsaccount\c$\adfsaccount.cer.

Run Gpupdate on the Client and Test for

Certificate Prompts
On the adfsclient computer, open a command prompt, type gpupdate, and then press
ENTER. This action pulls the adfsweb, adfsresource, and adfsaccount certificates down
from adatum.com Group Policy to the client computer.

To view or remove these certificates from the client, open a browser window. On the
Tools menu, click Internet Options. On the Content tab, click Certificates, and then
click the Trusted Root Certification Authorities tab.