Every effort has been made to make this seminar as complete and as accurate as possible, but no warranty or fitness is implied. The presenter, authors, publisher and distributor will not be liable for errors or omissions, or for damages resulting from the use of the information presented and contained herein.

Claims-based identity: the players
• Issuer: the Identity Provider (IP) Security Token Service (STS), the IP-STS, with Active Directory as the identity store behind it.
• User / Subject / Principal: requests a token for AppX.
• Security Token (ST): contains claims about the user and is signed by the issuer. For example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• The STS issues a Security Token crafted for AppX; the Security Token "authenticates" the user to the application.
• AppX is the Relying Party (RP) / Resource Provider and trusts Security Tokens from the issuer STS.
• The user trusts the website and the STS via SSL certificates: certificate path validated and CRL checked.
• CNG certificates are not supported.

What each side holds
IP-STS:
• Name of STS
• Endpoint of STS for logon
• STS claims offered
• STS certificate to sign tokens (private key)
RP:
• Name of STS
• Endpoint of STS for logon
• STS claims offered
• STS certificate to validate tokens (public key)

WAP to AD FS trust
• WAP uses a self-signed certificate and certificate authentication towards AD FS.
• The certificate is copied into the AD FS configuration store during WAP configuration, using the supplied credentials.
• It is used to create the Certificate Trust List (CTL) and copied to the certificate store.

SSL termination
SSL termination between   | Possible | Impact
Client and WAP            | Yes/No   | Breaks Workplace Join and client SSL authentication
WAP and AD FS             | No       | Breaks proxy trust with AD FS
WAP and published server  | Yes      | No impact on WAP/AD FS functionality

Demo environment
• partner.xtseminars.com: adfs-p, proxy-p
• ISP DNS, Internet, Client
• example.com: adfs1, client2, proxy, srv1, dc1

Single-organisation flow: our user and a claims-aware app (the app trusts the AD FS STS, which authenticates against Active Directory)
• Browse app
• Not authenticated: redirected to STS
• Authenticate; query Active Directory for user attributes
• Return security token
• Send token to the app
• Return cookies and page

Decoded redirect URL (%2f decodes to /):
https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
• wa=wsignin1.0
• wtrealm=https://site1.example.com/Federation/
• wctx=rm=0&id=passive&ru=%2fFederation%2f
• wct=2011-04-15T15:12:28Z

Federated flow: a partner user and your claims-aware app (the app trusts your AD FS STS; your STS trusts your partner's STS, the partner AD FS STS & IP backed by the partner's Active Directory)
• Browse app
• Not authenticated: redirect to your STS
• Home realm discovery
• Redirected to partner STS, requesting an ST for the partner user; the partner STS authenticates the user
• Return ST for consumption by your STS
• Redirected to your STS; process token; return new ST
• Send token to the app
• Return cookies and page

Claims pipeline (STS)
• Token authentication against AD yields the username and the user & group SIDs, or the logon is denied.
• The username and user & group SIDs enter the STS claims pipeline as claims.
• The pipeline produces the issued claims.

Web Application Proxy (WAP)
• Publishes applications and services to the Internet from behind the firewall: AD FS and web applications.
• Users are authenticated and authorized before gaining access to the corporate network (AD FS preauthentication).
• Publishing modes: pass-through; claims-aware web application; web application with Windows Authentication via Kerberos constrained delegation (KCD).
• Token formats: Simple Web Token (Microsoft, Google, Yahoo); JSON Web Tokens (JWT).

Publishing a web application using Windows Authentication (Kerberos) with KCD
• AD FS preauthentication is required.
• The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application.
• The SPN for the application must be registered on the service account running the application.

About the speaker
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. A key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems.
Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.

Resources
www.xtseminars.co.uk
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://developer.microsoft.com
http://aka.ms/enterprisemobilitysuite
http://aka.ms/microsoftintune
http://aka.ms/configmgr
http://aka.ms/hi
http://aka.ms/aip
http://aka.ms/virtualdesktop
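Returning to the decoded redirect URL in the slides: the following is an added example, not code from the presentation or from AD FS, showing how an STS-side check can parse the WS-Federation sign-in parameters (wa, wtrealm, wctx, wct), decode the %2f in the return URL, and refuse to craft a token for a realm it has no relying-party trust for. The on-the-wire URL (with the wctx value percent-encoded as a browser sends it), the REGISTERED_REALMS registry and the five-minute freshness window are constructed assumptions.

```python
"""Parse and sanity-check a WS-Federation passive sign-in request.

Added example (not from the presentation or AD FS). The relying-party registry,
the freshness window and the encoded form of the URL are assumptions.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed: the on-the-wire form of the slide's redirect URL, with the wctx value
# percent-encoded as a browser would send it (the slide shows it already decoded).
SIGNIN_URL = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15%3a12%3a28Z"
)

# Hypothetical relying-party registry: the realms this STS has a trust configured for.
REGISTERED_REALMS = {"https://site1.example.com/Federation/"}

WCT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_utc(stamp):
    """Parse a wct-style UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, WCT_FORMAT).replace(tzinfo=timezone.utc)


def parse_signin_request(url):
    """Return the top-level WS-Federation parameters and the decoded wctx fields."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    # wctx is opaque to the STS, but this RP packs its own query string into it
    # (rm, id, ru); a second parse_qs pass turns %2fFederation%2f into /Federation/.
    ctx = {k: v[0] for k, v in parse_qs(params.get("wctx", ""), keep_blank_values=True).items()}
    return params, ctx


def validate_signin_request(url, registered_realms, now, max_age=timedelta(minutes=5)):
    """Decide whether the STS should act on the request.

    `now` is a UTC timestamp string in the same format as wct.
    Returns (ok, reasons, details); reasons is empty when ok is True.
    """
    params, ctx = parse_signin_request(url)
    reasons = []
    if params.get("wa") != "wsignin1.0":
        reasons.append("wa is not wsignin1.0")
    realm = params.get("wtrealm")
    if realm not in registered_realms:
        # The STS only crafts tokens for relying parties it trusts.
        reasons.append("wtrealm is not a registered relying party")
    ru = ctx.get("ru", "")
    if "://" in ru or ru.startswith("//"):
        # The return URL should be a path on the RP, not an absolute address elsewhere.
        reasons.append("ru is not a relative path")
    wct = params.get("wct")
    try:
        issued = _parse_utc(wct)
        if not (-max_age <= _parse_utc(now) - issued <= max_age):
            reasons.append("wct outside freshness window")
    except (TypeError, ValueError):
        reasons.append("wct missing or malformed")
    details = {"realm": realm, "return_url": ru, "mode": ctx.get("rm"), "wct": wct}
    return (not reasons), reasons, details


if __name__ == "__main__":
    ok, reasons, details = validate_signin_request(
        SIGNIN_URL, REGISTERED_REALMS, now="2011-04-15T15:13:00Z")
    print(ok, reasons, details)
```

The realm comparison is an exact string match on purpose: a relying-party trust is keyed by its identifier, and a prefix or substring match would let a similar-looking realm obtain a token signed for it. The wct check only makes sense with a clock reference close to the request; the 2011 value from the slide is paired with a `now` a few seconds later.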