Appendix A - Reviewing AD FS Requirements

Applies To: Windows Server 2.

So that the organizational partners in your Active Directory Federation Services (AD FS) deployment can collaborate successfully, you must first make sure that your corporate network infrastructure is configured to support the AD FS requirements for accounts, name resolution, and certificates. AD FS has the following types of requirements:

Tip: You can find additional AD FS resource links on the AD FS Content Map page on the Microsoft TechNet Wiki. That page is managed by members of the AD FS community and is monitored on a regular basis by the AD FS product team.

Hardware requirements

The following minimum and recommended hardware requirements apply to the federation server and federation server proxy computers.

Hardware requirement | Minimum requirement | Recommended requirement
CPU speed | Single-core, 1 gigahertz (GHz) | Quad-core, 2 GHz
RAM | 1 GB | 4 GB
Disk space | (minimum value missing) | 100 MB

Software requirements

AD FS relies on server functionality that is built into Windows Server.

Note: The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.

Certificate requirements

Certificates play the most critical role in securing communications between federation servers, federation server proxies, claims-aware applications, and Web clients.
The requirements for certificates vary, depending on whether you are setting up a federation server or a federation server proxy computer, as described in this section.

Federation server certificates

Federation servers require the following certificates.

Secure Sockets Layer (SSL) certificate. A standard SSL server authentication certificate that secures communications between federation servers and clients. It must be bound to the Default Web Site in Internet Information Services (IIS) on a federation server or a federation server proxy. For a federation server proxy, the binding must be configured in IIS before the Federation Server Proxy Configuration Wizard can complete successfully. Recommendation: because clients of AD FS must trust this certificate, use a server authentication certificate issued by a public (third-party) certification authority (CA), for example VeriSign. Tip: the Subject name of this certificate represents the Federation Service name for each instance of AD FS that you deploy, so when you request a new CA-issued certificate, choose a Subject name that best represents your company or organization to partners.

Service communication certificate. Enables WCF message security for communications between federation servers. By default the SSL certificate is also used as the service communication certificate; this can be changed in the AD FS Management console.

Token-signing certificate. A standard X.509 certificate that signs the tokens the federation server issues. It must contain a private key and should chain to a root that is trusted by the Federation Service. By default AD FS creates a self-signed certificate; you can later replace it with a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.
Token-decryption certificate. A standard SSL certificate that decrypts incoming tokens that a partner federation server has encrypted. It is also published in the federation metadata. By default AD FS creates a self-signed certificate; you can later replace it with a CA-issued certificate by using the AD FS Management snap-in, depending on the needs of your organization.

Caution: The certificates used for token signing and token decrypting are critical to the stability of the Federation Service. Loss or unplanned removal of any certificate configured for these purposes can disrupt the service, so back up every certificate that is configured for them.

For more information about the certificates that federation servers use, see Certificate Requirements for Federation Servers.

Federation server proxy certificates

Federation server proxies require the following certificate.

Server authentication certificate. A standard Secure Sockets Layer (SSL) certificate that secures communications between a federation server proxy and Internet client computers. It must be bound to the Default Web Site in Internet Information Services (IIS) before the AD FS Federation Server Proxy Configuration Wizard can complete successfully. Recommendation: because clients of AD FS must trust this certificate, use a server authentication certificate issued by a public (third-party) certification authority (CA), for example VeriSign. Tip: the Subject name of this certificate represents the Federation Service name for each instance of AD FS that you deploy, so choose a Subject name that best represents your company or organization to partners.
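The following script is an added example and is not part of the original guide. It checks, on a federation server, the certificate properties this section calls for: each AD FS certificate has a private key and chains to a trusted root, none is close to expiry, the token-signing and token-decrypting certificates are backed up as password-protected PFX files (the caution above), and the Default Web Site carries an HTTPS binding whose certificate Subject contains the Federation Service name. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) and the IIS WebAdministration module are available, that it runs elevated on the federation server, and that the backup directory is an arbitrary choice for this example.

```powershell
# Added example, not from the original AD FS guide. Assumptions: AD FS 2.0 PowerShell
# snap-in and the IIS WebAdministration module are installed; elevated session on the
# federation server; $backupDir is a placeholder path (restrict its ACL in practice).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

$backupDir   = 'C:\adfs-cert-backup'   # assumed location for the PFX backups
$warnDays    = 60                      # warn when a certificate expires sooner than this
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX backups'

foreach ($entry in Get-ADFSCertificate) {
    $cert = $entry.Certificate        # X509Certificate2 from the LocalMachine store
    $type = $entry.CertificateType    # Service-Communications, Token-Signing or Token-Decrypting
    $problems = @()

    # Token-signing (and decrypting) certificates must carry a private key.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # The certificate should chain to a root the Federation Service trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $warnDays) { $problems += "expires in $daysLeft days" }

    $status = if ($problems.Count) { 'WARN: ' + ($problems -join '; ') } else { 'ok' }
    '{0,-22} primary={1,-5} {2} {3} [{4}]' -f $type, $entry.IsPrimary, $cert.Thumbprint, $cert.Subject, $status

    # Back up token-signing and token-decrypting certificates with their private keys,
    # since losing them disrupts the Federation Service.
    if ($type -like 'Token-*') {
        $file = Join-Path $backupDir ("$type-$($cert.Thumbprint).pfx")
        try {
            $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
            [IO.File]::WriteAllBytes($file, $bytes)
            "  backed up to $file"
        } catch {
            "  WARN: could not export $type $($cert.Thumbprint): $($_.Exception.Message) (private key may be non-exportable)"
        }
    }
}

# The SSL certificate must be bound to the Default Web Site, and its Subject name
# is what clients and partners see as the Federation Service name.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) {
    'WARN: no HTTPS binding on the Default Web Site'
} else {
    $boundThumb = $binding.certificateHash
    $fsName     = (Get-ADFSProperties).HostName
    $bound      = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundThumb }
    "HTTPS binding uses $boundThumb ($($bound.Subject)); Federation Service name is $fsName"
    if ($bound.Subject -notmatch [regex]::Escape($fsName)) {
        'WARN: the bound certificate Subject does not contain the Federation Service host name'
    }
}
```

A self-signed token-signing certificate created by AD FS may have a non-exportable private key; in that case the export step reports a warning rather than silently producing an empty backup, and you should plan a replacement with a CA-issued certificate whose key you can escrow.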
For more information about the certificates that federation server proxies use, see Certificate Requirements for Federation Server Proxies.

Browser requirements

Although any current Web browser with JavaScript capability can be made to work as an AD FS client, the Web pages that are provided by default have been tested only against Internet Explorer versions 7, 8 and 9, Mozilla Firefox 3.0, and Safari 3.1 on Windows. JavaScript must be enabled, and cookies must be enabled, for browser-based sign-in and sign-out to work correctly. The AD FS product team at Microsoft successfully tested the browser and operating system configurations in the following table.

Browser | Windows 7 | Windows Vista
Internet Explorer 7 | X | X
Internet Explorer 8 | X | X
Internet Explorer 9 | X | Not tested
Firefox 3.0 | X | X
Safari 3.1 | X | X

Note: AD FS supports both the 3.

Cookies

AD FS creates session-based and persistent cookies that must be stored on client computers to provide sign-in, sign-out, single sign-on (SSO), and other functionality. Therefore, the client browser must be configured to accept cookies. Cookies that are used for authentication are always HTTPS session cookies written for the originating server; if the client browser is not configured to allow these cookies, AD FS cannot function correctly. Persistent cookies are used to preserve the user's selection of a claims provider. You can disable them by using a configuration setting in the configuration file for the AD FS sign-in pages. Support for TLS/SSL is required for security reasons.

Network requirements

Configuring the following network services appropriately is critical for a successful deployment of AD FS in your organization.

TCP/IP network connectivity

For AD FS to function, TCP/IP network connectivity must exist between the client, a domain controller, and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the AD FS Web Agent.
DNS

Other than Active Directory Domain Services (AD DS), the primary network service that is critical to the operation of AD FS is Domain Name System (DNS). When DNS is deployed, users can use friendly, easy-to-remember computer names to connect to computers and other resources on IP networks. Windows Server uses DNS for name resolution instead of the Windows Internet Name Service (WINS) NetBIOS name resolution that was used in Windows NT 4. It is still possible to use WINS for applications that require it, but AD DS and AD FS require DNS name resolution. The process of configuring DNS to support AD FS varies, depending on whether:

Your organization already has an existing DNS infrastructure. In most scenarios, DNS is already configured throughout your network so that Web browser clients in your corporate network have access to the Internet. Because Internet access and name resolution are requirements of AD FS, this infrastructure is assumed to be in place for your AD FS deployment.

You intend to add a federation server to your corporate network. For the purpose of authenticating users in the corporate network, the internal DNS servers in the corporate network forest must be configured to return the CNAME of the internal server that is running the Federation Service.
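The following pre-flight check is an added example, not part of the original guide. Run from a client (or from a federation server proxy) it exercises the three requirements above in order: the Federation Service name resolves in DNS, TCP connectivity exists to the federation server on 443 and to a domain controller on 389, and a TLS handshake succeeds with a server certificate that chains to a trusted root and whose Subject matches the Federation Service name (the browser-facing consequence of the certificate tips earlier on this page). The host names are placeholders, and the script assumes the client trusts the CA that issued the federation server's SSL certificate.

```powershell
# Added example, not from the original AD FS guide. The two host names below are
# placeholders; replace them with your Federation Service name and a domain controller.
$fsName = 'fs.contoso.example'    # assumed Federation Service name (CNAME of the federation server)
$dcName = 'dc1.contoso.example'   # assumed domain controller

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Connect with a timeout instead of blocking for the full TCP connect timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. DNS: the internal DNS servers must return the federation server for this name.
try {
    $entry = [System.Net.Dns]::GetHostEntry($fsName)
    "DNS: $fsName -> $($entry.HostName) [$($entry.AddressList -join ', ')]"
} catch {
    "FAIL: DNS cannot resolve $fsName : $($_.Exception.Message)"; return
}

# 2. TCP/IP connectivity to the Federation Service (HTTPS) and to a domain controller (LDAP).
if (-not (Test-TcpPort $fsName 443)) { "FAIL: no TCP connectivity to ${fsName}:443"; return }
if (-not (Test-TcpPort $dcName 389)) { "WARN: no TCP connectivity to ${dcName}:389 (LDAP)" }

# 3. TLS handshake and server certificate check. The validation callback records the
# certificate and the policy errors so they can be reported, rather than hiding them.
$script:serverCert   = $null
$script:policyErrors = 'None'
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:serverCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $script:policyErrors = $errors
    return $true   # let the handshake complete; the verdict is printed below
}
$tcp = New-Object System.Net.Sockets.TcpClient($fsName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($fsName)
    "TLS: $($ssl.SslProtocol) / $($ssl.CipherAlgorithm); server certificate Subject=$($script:serverCert.Subject)"
    if ($script:policyErrors -ne 'None') {
        "FAIL: certificate policy errors: $script:policyErrors (untrusted chain or name mismatch)"
    }
    if ($script:serverCert.Subject -notmatch [regex]::Escape($fsName)) {
        "WARN: Subject does not contain $fsName; browsers will warn unless a subject alternative name matches"
    }
    "Certificate expires: $($script:serverCert.NotAfter)"
} finally { $ssl.Close(); $tcp.Close() }
```

Run it from inside the corporate network to confirm the internal DNS answer points at the federation server, and again from an Internet-connected client to confirm the external name reaches the federation server proxy; the certificate reported in each case should be the one bound to the Default Web Site on the respective server.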