HOW TO SET UP THE AD FS 2.0 VM LAB ENVIRONMENT FOR FEDERATED COLLABORATION

Microsoft Corporation
Published: May 2010
Version: 1.0
Authors: Brad Mahugh, Tariq Sharif
Editor: Jim Becker

Abstract

This guide walks you through the setup of a small test lab environment that you can use to evaluate the next generation of Microsoft® federated identity technologies, Active Directory® Federation Services (AD FS) version 2.0. This document is intended for information technology (IT) professionals and application developers who want to create a lab environment specifically for use with the Federated Document Collaboration Using Microsoft Office SharePoint® Server 2007 and AD FS 2.0 guide, which demonstrates the implementation and evaluation of an end-to-end, claims-based, identity federation solution. The instructions in this guide should take approximately four hours to complete.

Contents

About this guide
    What this guide does not provide
    Requirements
    About the lab environment
Step 1: Create and configure VMs using Hyper-V Manager
    Make or obtain base hard drive image files
    Create a differencing disk for each VM
    Create the VMs
Step 2: Download and install prerequisite software
Step 3: Reconfigure the IP and DNS settings for all VMs
    Create a new virtual network
    Configure static IP and DNS settings for each VM
        Change the names of the computers
Step 4: Install and configure AD DS
    Install and configure AD DS
        Install AD DS
        Join the client computer to the Contoso domain
        Create accounts
            Create accounts in the Contoso domain
            Create accounts in the Fabrikam domain
    Configure DNS zones for services
        Configure DNS service records for Contoso
            Configure zones for the Contoso.com domain
            Create host (A) resource records for the Contoso.com domain
            Configure zones for Fabrikam.com domain
            Create host (A) resource records for the Fabrikam.com domain
Step 5: Install and Configure IIS, Certificates, and Group Policy
    Disable Internet Explorer Enhanced Security Configuration
    Configure Group Policy
        Push Internet Explorer settings to computers in the Contoso domain
        Push Internet Explorer settings to computers in the Fabrikam domain
        Refresh Group Policy
    Configure certificates
        Install AD CS
        Disable CRL Extension
        Configure certificate templates
        Create a shared certificate for AD RMS and AD FS 2.0 on ContosoSrv01
        Create a certificate for AD FS 2.0 on Fabrikam.com
            Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate
    Export and import Root CA certificates
        Export both Root CA certificates
        Import both Root CA certificates
        Refresh Group Policy
        Install and configure AD RMS as a root cluster
        Install SQL Server 2008 Standard SP1
        Create the HOL Doctors Role database on ContosoSrv01
Step 6: Install and configure the SharePoint site on ContosoSrv02
        Create an SSL certificate for the SharePoint site
        Install .NET Framework 3.5 on ContosoSrv02
        Install Microsoft Office SharePoint Server 2007
        Configure Microsoft Office SharePoint Server 2007
        Extend the default SharePoint application to docs.contoso.com
        Set the SSL certificate for docs.contoso.com
        Upload Sample Documents to docs.contoso.com
Step 7: Install and configure Windows claims-aware identity software
        Install and configure AD FS 2.0 on ContosoSrv01
        Install and configure AD FS 2.0 on FabrikamSrv01
        Customize the AD FS 2.0 sign-in pages
        Install and configure the WIF and SharePoint support software on ContosoSrv02
        Install and configure the Desktop Experience feature on FabrikamSrv02
        Install and configure Microsoft Office 2007 on FabrikamSrv02
Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

This document is intended for developers and system architects who are interested in completing the walkthrough demonstration of the features, functionality, and interoperability capabilities of Active Directory® Federation Services (AD FS) version 2.0 and Windows® Identity Foundation (WIF).

About this guide

This guide provides instructions for setting up federated identity technologies in a small test lab with servers running the Windows Server® 2008 operating system. It explains how to install and configure all settings and prerequisite software necessary to create the four virtual machine (VM) images that you need to have available so that you can complete all the steps in the following guide: Federated Document Collaboration with Microsoft Office SharePoint Server 2007 and AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=148503).
While you can download VM images that are preconfigured for trial use, this guide assists you if you choose to make the images yourself. The overall goal of this guide is to give you a good understanding of the base configuration requirements necessary to deploy and enable federated identity technologies in your environment.

To maximize your chances of completing the objectives of this guide successfully, it is important that you do all of the following:

    Complete the steps in this guide in the order in which they are presented.
    Use the exact IP addresses that this guide specifies.
    Use the exact computer, user, group, company, claim, and domain names that this guide specifies.

Important
Any modifications that you make to the configuration details in this guide may affect or limit your chances of setting up this lab successfully on the first try.

Note
Microsoft has tested this guide successfully with the Windows Server 2008 Hyper-V™ virtualization technology product.

The instructions in this guide take approximately four hours to complete.

What this guide does not provide

This guide does not provide the following information:

    Guidance for setting up and configuring AD FS 2.0 for federation in a production environment
    Instructions for setting up and configuring a federation server proxy
    Instructions for setting up the test lab computer (Hardware and software requirements are listed in the following section, however.)
    Instructions for making your own base virtual hard drive (.vhd) images

Requirements

To complete all the steps in this guide, you must have a virtual test lab computer where you can configure four virtual machines (VMs) running the following operating system:

    Windows Server 2008 R2 Enterprise for the four virtual servers.

Your virtual test lab computer must be able to meet the minimum requirements in the following table.

Component             Minimum requirement
Processor             64-bit quad core with 2.0 gigahertz (GHz) or higher CPU speed
Operating system      Windows Server 2008 R2 Enterprise
Memory                8 gigabytes (GB) of RAM or higher
Disk drive            100 GB or more of free available space
Additional software   The following server role must be added: Microsoft® Hyper-V
Other devices         CD-ROM or ROM drive
                      High resolution monitor (1024x768)
                      Keyboard and Microsoft mouse or compatible pointing device

Administrative credentials

To perform all the tasks in this guide, use the local Administrator account for each computer, unless instructed otherwise. To create accounts in Active Directory Domain Services (AD DS), log on with the Administrator account for the domain. For example, when you create user accounts for Contoso Pharmaceuticals, use the CONTOSO\Administrator account.

About the lab environment

For the virtual test lab environment, create four VMs. You can use each of the VMs that you create and configure later to accomplish scenario tasks in which you implement and evaluate a claims-based, federated identity solution, as described in the Federated Document Collaboration with Microsoft Office SharePoint Server 2007 and AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkId=148503) guide. To set up the test lab to accomplish the goals in that guide, follow the steps in order as described in the following table to establish a working test lab environment.

Step    Step title                                                        Description
Step 1  Create and configure VMs using Hyper-V Manager                    This step demonstrates the information technology (IT) pro experience for creating a virtual test lab environment for the purpose of evaluating federated identity technologies.
Step 2  Download prerequisite software                                    This step provides details about the software dependencies and applications that are required for updating each of the virtual servers and the virtual client so that you can use them to support the AD FS 2.0 test lab environment that you will need to emulate a business-to-business (B2B) federated identity configuration.
Step 3  Reconfigure the IP and DNS settings for all VMs                   This step demonstrates the network changes involved in reconfiguring network settings for the VMs to move from VM setup to the settings that are required for the private network that you will need for the virtual test lab.
Step 4  Install and configure Active Directory Domain Services (AD DS)    This step demonstrates the underlying configuration requirements for installing and configuring AD DS to be used by two separate companies that are involved in a B2B scenario.
Step 5  Install and configure IIS, certificates, and Group Policy         This step demonstrates the underlying configuration requirements for installing and configuring Internet Information Services (IIS), Active Directory Certificate Services (AD CS), and Group Policy for both of the companies involved in a B2B scenario.
Step 6  Install and configure the SharePoint site on ContosoSrv02         This step demonstrates the underlying configuration requirements for installing and configuring Microsoft Office SharePoint Server® 2007 for document collaboration needs in a B2B scenario.
Step 7  Install and configure Windows claims-based identity software      This step demonstrates the underlying configuration requirements for installing and configuring AD FS 2.0 and related technologies for federation service in both of the companies involved in a B2B scenario.
Step 8  Configure ContosoSrv02 and FabrikamSrv02 for step-up authentication scenario    This step demonstrates the underlying configuration requirements for configuring step-up authentication.
Step 1: Create and configure VMs using Hyper-V Manager

Before you install AD FS 2.0 and other claims-aware technologies, you must first set up the four VM computers that you will use to implement and evaluate a federated identity solution.

Make or obtain base hard drive image files

We recommend that you start by making or obtaining two virtual hard disk (.vhd) base image files. These files are a clean-installed drive VHD image snapshot of the two Windows operating systems listed earlier in the Requirements section for the three virtual servers and the virtual client. Before you proceed to the next step, make a folder (for example, D:\LabVhdFiles) that you will use for the remainder of this step, and copy your base .vhd files to it. Ensure that the Read-only attribute is set for each file.

Tip
If you do not already have clean-installed Windows Server 2008 R2 virtual hard drive images, you can download and use the base evaluation .vhd files to build the base VMs for this lab. The files are available on the Microsoft Web site at Windows Server 2008 R2 Virtual Hard Drive Images (http://go.microsoft.com/fwlink/?LinkId=179734).

Create a differencing disk for each VM

In Hyper-V, a differencing disk drive is a .vhd file that functions as the "child" drive in a parent-child relationship with the "parent" (or base) virtual hard drive. The advantage of this configuration is that the changes you make to the data or operating system are stored as differences that modify only the "child" differencing drive. Your "parent" drive is left intact and unmodified. If, later, you choose to revert to the original state and start over with a new differencing drive, you can do so easily.

To create a differencing disk for each VM

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. On the Action menu, point to New, and then click Hard Disk.
3. When the New Virtual Hard Disk Wizard appears, click Next.
4. On the Choose Disk Type page, click Differencing, and then click Next.
5. On the Specify Name and Location page, do the following, and then click Next:
   a. In Name, type machine_name.vhd, where machine_name is the name of the VM that you are creating a differencing disk for. For example, start with "CONTOSOSRV01.vhd".
   b. In Location, browse to the location where you copied the base .vhd images for the virtual server or client differencing disk drive in the previous section. For example, if the path you used there was D:\LabVhdFiles, select that path here.
6. On the Configure Disk page, in Location, click Browse to locate the appropriate base .vhd image in the path that was used in the previous step, and then click Next. For example, if you are creating a virtual hard drive for CONTOSOSRV01 and also using the downloaded base .vhd image, follow the instructions provided in the download page here: Windows Server 2008 R2 Evaluation Virtual Hard Drive Images for Hyper-V (180 Days) (http://go.microsoft.com/fwlink/?LinkId=179736).
7. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
8. Repeat this procedure three more times to make differencing drives for all four VMs before moving on to the next part of the process. For example, after you run this procedure the first time to make a drive for CONTOSOSRV01, repeat the process and create drives for the other three VMs that you will use in the lab environment. Be sure to select the corresponding base .vhd file for each of the other two server VMs and the client VM.

Create the VMs

After you create the four differencing drives, one for each of the four VMs that you will set up, you are ready to create the four VMs. The following table contains the settings to use in Hyper-V when you create each of these VMs.

VM Name         RAM (in MB)
CONTOSOSRV01    1536
FABRIKAMSRV01   1536
CONTOSOSRV02    1536
FABRIKAMSRV02   1536

To create the VMs

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. On the Action menu, point to New, and then click Virtual Machine.
3. When the New Virtual Machine Wizard appears, click Next.
4. On the Specify Name and Location page, do the following, and then click Next:
   a. In Name, type the name of the VM that you are creating. For example, start with "CONTOSOSRV01".
   b. In Location, use the default location.
5. On the Assign Memory page, in Memory, enter the corresponding number from the RAM column (in MB) as provided in the previous table for the VM that you are creating, and then click Next. For example, if you are creating CONTOSOSRV01, enter 1536 here.
6. On the Configure Networking page, in Connection, select the network connection that maps to a physical network adapter that has access to the Internet, and then click Next.
7. On the Connect Virtual Hard Disk page, click Use an existing hard disk, click Browse to locate the differencing disk image file (CONTOSOSRV01.vhd) that you created in the previous procedure, and then click Next.
8. On the Completing the New Virtual Machine Wizard page, select the Start the virtual machine after it is created check box, and then click Finish.
9. Repeat this procedure three more times to make all four VMs before moving on to the next part of the process.

After you complete these steps, verify that you can log on to each VM with the local Administrator account and that you have Internet access before moving on to the following steps. Before you create and start each subsequent VM, be sure that the previously created VM is up and running.

Important
Before you reconfigure your VMs in subsequent steps of this guide, we recommend that you first do the following for each VM while it has Internet connectivity:

    Complete Windows activation.
    For consistency with later hands-on lab instructions, set the Administrator password to "demo!23" on all the VMs.
    Make sure that you have downloaded all corresponding prerequisite software that is mentioned in the following section (Step 2) to the appropriate VM computers.
    Make sure to turn on Network discovery and File sharing in the Network and Sharing Center Control Panel on each of the Windows Server 2008 VMs.
    Make sure that all the clocks on each of the VM computers are set to the same time or within five minutes of each other. This ensures that token time stamps are always valid.

Step 2: Download and install prerequisite software

Before you begin installing and configuring the lab settings for each of the four VMs, download and install additional software that is specific to each of the VMs. The following table provides details about the required software for each VM, which actions to take, the reasons that the software is needed, and links to locations for downloading the software. Downloads that are for evaluation versions of software (such as Office SharePoint Server 2007) are noted where applicable.

Note
For now, you can download all the software, but install the software only where advised to do so in this step. Later steps will indicate the appropriate time to install and configure the remainder of the software that you download at this point.

Required software: Microsoft SQL Server 2008 Standard with Management Studio
Action: Download only to contososrv01.
Description: This software is required. It acts as the policy store for each federation server. Note: Accept all the default settings in the installation wizard.
Link to download the software: Microsoft SQL Server 2008 Evaluation (180 day trial) (http://go.microsoft.com/fwlink/?LinkId=179740)

Required software: Windows Identity Framework (WIF), WIF SDK and SharePoint Configure Package
Action: Download only to contososrv02.
Description: This software is required to configure SharePoint for federation and enable it to provide claims-aware access.
Link to download the software: (http://go.microsoft.com/fwlink/?LinkId=179837), (http://go.microsoft.com/fwlink/?LinkId=150947)

Required software: AD FS 2.0
Action: Download only to the contososrv01 and fabrikamsrv01 VM computers.
Description: This software is required to create the security token services (STSs) for both Contoso Pharmaceuticals and Fabrikam Suppliers.
Link to download the software: AD FS 2.0 (http://go.microsoft.com/fwlink/?LinkID=179831)

Required software: Microsoft Office 2007 Professional
Action: Download and install on fabrikamsrv01.
Description: This software is required to access documents on the SharePoint site by the Fabrikam client in later hands-on lab exercises.
Link to download the software: Microsoft Office 2007 Professional

Required software: Office SharePoint Server 2007 SP1
Action: Download only to the contososrv02 computer.
Description: This software creates the SharePoint site server that will be used to implement collaboration between Contoso and Fabrikam.
Link to download the software: Microsoft Office SharePoint Server 2007 (trial version) (http://go.microsoft.com/fwlink/?LinkId=150948). For product IDs to use in trial activation of this product, see Microsoft Office SharePoint Server 2007 Trial Version (x64) (http://go.microsoft.com/fwlink/?LinkID=150950).

Required software: Support files for the Federated Document Collaboration Lab Setup
Action: Download and install on all VM computers.
Description: This software contains files that are used to assist in completing various hands-on lab tasks throughout the feature walkthrough.
Link to download the software: Support Files for Federated Document Collaboration (http://go.microsoft.com/fwlink/?LinkId=179894)

Step 3: Reconfigure the IP and DNS settings for all VMs

After you have completed the previous steps, it is no longer necessary to keep your VMs configured for Internet access through the physical adapter of your virtual test lab computer. In this step, we work through the process of reconfiguring the IP and DNS settings for each of the four VMs so that they can be connected in their own virtual network.
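The Hyper-V Manager wizard steps from Step 1 and the internal network switch that this step creates can also be scripted. The following PowerShell script is an added example, not part of this guide or Microsoft's lab files. It assumes the Hyper-V PowerShell module that ships with Windows Server 2012 and later (the Windows Server 2008 R2 host that this guide targets exposes these operations only through Hyper-V Manager), a base image file named WS2008R2-Base.vhd in D:\LabVhdFiles (an assumed name), and an elevated prompt on the virtualization host. It marks the parent image read-only, creates the four differencing disks and VMs from the Step 1 table, and attaches the VMs directly to an Internal-Network switch, which is the end state after this step; if you still need Internet access for the Step 2 downloads, attach the VMs to an external switch first, as the Step 1 wizard does.

```powershell
# Added example (not from the guide): build the four lab VMs from differencing
# disks and attach them to the "Internal-Network" switch.
# ASSUMPTION: the Hyper-V PowerShell module (Windows Server 2012 or later).
Import-Module Hyper-V

$vhdRoot    = 'D:\LabVhdFiles'                        # folder chosen in Step 1
$baseServer = Join-Path $vhdRoot 'WS2008R2-Base.vhd'  # ASSUMED base image file name
$switchName = 'Internal-Network'                       # case sensitive, per Step 3

# VM names and memory from the "Create the VMs" table.
$labVms = @(
    @{ Name = 'CONTOSOSRV01';  RamMB = 1536 }
    @{ Name = 'FABRIKAMSRV01'; RamMB = 1536 }
    @{ Name = 'CONTOSOSRV02';  RamMB = 1536 }
    @{ Name = 'FABRIKAMSRV02'; RamMB = 1536 }
)

# A parent image must never change once children depend on it: set Read-only,
# as the guide instructs for every base .vhd.
Set-ItemProperty -Path $baseServer -Name IsReadOnly -Value $true

# Internal switches have no binding to a physical adapter, so the lab is cut off
# from the Internet once the VMs are moved onto this switch.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null
}

foreach ($vm in $labVms) {
    $childVhd = Join-Path $vhdRoot ("{0}.vhd" -f $vm.Name)

    # Differencing disk: writes land in the child; the parent stays intact.
    # Skipping an existing child matters: recreating it would discard every
    # change made inside that VM.
    if (-not (Test-Path $childVhd)) {
        New-VHD -Path $childVhd -ParentPath $baseServer -Differencing | Out-Null
    }

    # Create the VM only once, with the table's RAM, on the internal switch.
    if (-not (Get-VM -Name $vm.Name -ErrorAction SilentlyContinue)) {
        New-VM -Name $vm.Name `
               -MemoryStartupBytes ($vm.RamMB * 1MB) `
               -VHDPath $childVhd `
               -SwitchName $switchName | Out-Null
    }
}

# Verify the end state of Step 3: each VM's adapter sits on Internal-Network.
$names = $labVms | ForEach-Object { $_.Name }
Get-VM -Name $names | Get-VMNetworkAdapter | Select-Object VMName, SwitchName
```

The Test-Path and Get-VM checks make the script safe to rerun after a partial failure: existing disks and VMs are left alone rather than recreated.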
Create a new virtual network

All of the VM images (servers as well as clients) must be reconfigured to use a virtual private network interface. The following procedures describe how to create this network and reconfigure the VMs to use it.

To create the virtual network

1. On the virtual test lab computer, open Hyper-V Manager. To open Hyper-V Manager, on the Start menu, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, on the Action menu, click Virtual Network Manager.
3. In Virtual Network Manager, click Internal for the type of virtual network that you want to create, and then click Add.
4. In New Virtual Network, in Name, type Internal-Network, verify that for Type the Internal network option is selected, and then click OK. Note that the network name is case sensitive and must be entered exactly as indicated above.

All four VMs will have to use this network, which will be a "local only" interface. Reconfigure all four VM images to use it as described in the following procedure.

To reconfigure the network settings for each VM

1. In Hyper-V Manager, select a VM in the Virtual Machines list.
2. On the Action menu, click Settings.
3. In the Settings dialog box, under the Hardware settings, click Network Adapter.
4. In the Network Adapter settings, click the Network drop-down list, and then click Internal-Network.
5. Click OK.
6. Repeat steps 1 through 5 for the other three VMs.

Configure static IP and DNS settings for each VM

All the VM images (servers as well as clients) must be reconfigured to use static IP version 4 (IPv4) address and Domain Name System (DNS) client settings. For more information about how to do this, see Configure a DNS Client for Static IP Address (http://go.microsoft.com/fwlink/?LinkId=150952).

Note
You can also disable IP version 6 (IPv6) as you complete this process to avoid warnings about setting dynamic IPv6 when you install the AD DS and DNS server roles in the next step.

The following table provides the details of how these settings must be configured for each VM.

VM name         IP configuration                      DNS client settings
CONTOSOSRV01    10.0.0.1/8    (AD DS, DNS, AD CS)      Preferred: 10.0.0.1
                10.0.0.20/8   (AD FS 2.0)              Alternate: 10.0.0.101
                10.0.0.30/8   (AD RMS)
FABRIKAMSRV01   10.0.0.101/8  (AD DS, DNS, AD CS)      Preferred: 10.0.0.101
                10.0.0.120/8  (AD FS 2.0)              Alternate: 10.0.0.1
CONTOSOSRV02    10.0.0.2/8                             Preferred: 10.0.0.1
FABRIKAMSRV02   10.0.0.110/8                           Preferred: 10.0.0.101

Change the names of the computers

Change the computer name of each VM to the following. For more information about renaming computers, see Rename the Computer (http://go.microsoft.com/fwlink/?LinkId=179745).

VM Name         Computer Name
CONTOSOSRV01    CONTOSOSRV01
CONTOSOSRV02    CONTOSOSRV02
FABRIKAMSRV01   FABRIKAMSRV01
FABRIKAMSRV02   FABRIKAMSRV02

Step 4: Install and configure AD DS

In this step, we install AD DS and configure a single-domain forest for each of the two companies (Contoso Pharmaceuticals and Fabrikam).

Install and configure AD DS

This section includes the following procedures:

    Install AD DS
    Create accounts
    Join the client computer to the Contoso domain

Install AD DS

You can use the Add Roles Wizard to create two new Active Directory forests on both the federation server VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard pages, use the company names and AD DS domain names in the following table.

Note
AD FS 2.0 has no dependency on forest functional level. When you install AD DS, you can select any forest functional level that is appropriate for your environment.

To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important
Configure the IP addresses as specified in the table in the Configure static IP and DNS settings for each VM section of this guide before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.
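The Important note above depends on the Step 3 addressing being in place before promotion, and the Step 1 notes require the VM clocks to agree within five minutes so that token time stamps validate. The following PowerShell script is an added example, not part of this guide or Microsoft's lab files. It applies the addresses from the "Configure static IP and DNS settings for each VM" table with netsh, renames the VM to its Step 3 computer name, measures clock skew against the Contoso domain controller with w32tm, and promotes a server to a new forest with a dcpromo answer file that uses the values from the Install AD DS table. It assumes an elevated PowerShell prompt inside the VM, that the adapter is named "Local Area Connection" (the default on a clean install), and that netsh, w32tm and dcpromo are present, as they are on Windows Server 2008 R2; the function names and the hashtable layout are this example's own.

```powershell
# Added example (not from the guide): Step 3 static addressing and rename, the
# five-minute clock-skew check, and an unattended AD DS promotion.
# ASSUMPTION: adapter name "Local Area Connection"; run elevated inside the VM.
$nic = 'Local Area Connection'

# Values from the static IP and DNS table. Every address is /8 (mask 255.0.0.0);
# the internal-only network has no default gateway.
$labNet = @{
    'CONTOSOSRV01'  = @{ IPs = @('10.0.0.1','10.0.0.20','10.0.0.30'); DNS = @('10.0.0.1','10.0.0.101') }
    'FABRIKAMSRV01' = @{ IPs = @('10.0.0.101','10.0.0.120');          DNS = @('10.0.0.101','10.0.0.1') }
    'CONTOSOSRV02'  = @{ IPs = @('10.0.0.2');                         DNS = @('10.0.0.1') }
    'FABRIKAMSRV02' = @{ IPs = @('10.0.0.110');                       DNS = @('10.0.0.101') }
}

function Set-LabNetwork {
    param([Parameter(Mandatory=$true)]
          [ValidateSet('CONTOSOSRV01','FABRIKAMSRV01','CONTOSOSRV02','FABRIKAMSRV02')]
          [string]$VmName)
    $cfg = $labNet[$VmName]

    # The first address replaces the DHCP lease; the AD FS 2.0 and AD RMS
    # addresses on the two domain controllers are added alongside it.
    netsh interface ipv4 set address "name=$nic" source=static "address=$($cfg.IPs[0])" mask=255.0.0.0
    foreach ($extra in ($cfg.IPs | Select-Object -Skip 1)) {
        netsh interface ipv4 add address "name=$nic" "address=$extra" mask=255.0.0.0
    }

    # Preferred DNS server first, then the alternate (index 2) where the table lists one.
    # validate=no: the DNS role is not installed yet, so the server would fail a probe.
    netsh interface ipv4 set dnsservers "name=$nic" source=static "address=$($cfg.DNS[0])" validate=no
    if ($cfg.DNS.Count -gt 1) {
        netsh interface ipv4 add dnsservers "name=$nic" "address=$($cfg.DNS[1])" index=2 validate=no
    }

    # Rename to the Step 3 computer name (WMI works on PowerShell 2.0); takes effect on reboot.
    if ($env:COMPUTERNAME -ne $VmName) {
        $result = (Get-WmiObject Win32_ComputerSystem).Rename($VmName)
        if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }
    }
}

# Kerberos tickets and the SAML tokens AD FS 2.0 issues carry time stamps, so the
# guide requires every VM clock to be within five minutes of the others. w32tm
# reports this machine's offset from a reference server; returns $true if all
# samples are inside the limit.
function Test-LabClockSkew {
    param([string]$Reference = '10.0.0.1', [int]$MaxSeconds = 300)
    $out = w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }   # e.g. "+00.0012345s"
    }
    if (-not $offsets) { throw "No time samples from $Reference; check reachability and UDP 123." }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    return ($worst -le $MaxSeconds)
}

# Unattended promotion with the Install AD DS table values (new forest, DNS installed).
# The DSRM password is read interactively so it never sits in this script; the answer
# file still holds it in clear text, so delete the file once promotion completes.
function Install-LabForest {
    param([Parameter(Mandatory=$true)][ValidateSet('contoso.com','fabrikam.com')][string]$DnsName)
    $netbios = $DnsName.Split('.')[0].ToUpper()            # CONTOSO or FABRIKAM
    $secure  = Read-Host 'Directory Services Restore Mode password' -AsSecureString
    $bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # ForestLevel/DomainLevel 3 = Windows Server 2008; the guide notes that AD FS 2.0
    # does not depend on the level, so any supported value works.
    $answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DnsName
DomainNetbiosName=$netbios
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@
    $path = Join-Path $env:TEMP 'dcpromo-unattend.txt'
    Set-Content -Path $path -Value $answer -Encoding ASCII
    dcpromo /unattend:$path          # reboots on completion; remove $path afterwards
}

# Typical order on CONTOSOSRV01:
#   Set-LabNetwork -VmName CONTOSOSRV01 ; Restart-Computer
#   Install-LabForest -DnsName contoso.com
# On the other VMs, run Set-LabNetwork, reboot, then Test-LabClockSkew before joining.
```

Run Set-LabNetwork on every VM and reboot before anything else, because the computer name and the static addresses are what the AD DS and DNS roles register. Test-LabClockSkew is worth running on the three non-Contoso VMs once CONTOSOSRV01 is promoted; a false result here shows up later as token validation failures that are easy to misread as a federation trust problem.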
Computer name Company name AD DS domain name DNS configuration (new forest) Contososrv01 Contoso Pharmaceuticals contoso.com Install DNS when you are prompted. Fabrikamsrv01 Fabrikam fabrikam.com Install DNS when you Computer name Company name AD DS domain name DNS configuration (new forest) are prompted. If you need assistance in creating a new Windows Server 2008-based AD DS forest, see Installing a New Forest (http://go.microsoft.com/fwlink/?LinkId=101704). Join the client computer to the Contoso domain Use the value in the following table to identify which computer to join to the contoso.com domain. Computer name Join to: CONTOSOSRV02 contoso.com FABRIKAMSRV02 fabrikam.com For more information about how to do this, see Join a Computer to a Domain (http://go.microsoft.com/fwlink/?LinkID=150213). Create accounts After you set up two forests, log on as the Administrator for each domain and start the Active Directory Users and Computers snap-in on both domain controllers (both contososrv01 and fabrikamsrv01) to create several accounts that you will use to test and verify federated access across both forests. For more information about how to create accounts in AD DS, see Create a New User Account (http://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group (http://go.microsoft.com/fwlink/?LinkID=133523). For more information about how to add a user to a group in AD DS, see Add a Member to a Group (http://go.microsoft.com/fwlink/?LinkID=133522). Create accounts in the Contoso domain Create and configure the accounts with the values in the following table at CONTOSOSRV01 for the Contoso.local domain. When you create the accounts, clear the User must change password upon login check box. Note: In addition to creating new accounts, set the email address for the Administrator account to "administrator@contoso.com". 
Create: User account
Account name: AD RMS service account
User name: adrmssrvc
Action: Set the password to never expire and the password value to "p@ssw0rd" for this account. Add this account as a member of the Domain Admins group.

Create: User account
Account name: AD FS 2.0 Service Account
User name: adfssrvc
Action: Set the password to never expire and the password value to "p@ssw0rd" for this account.

Create: User account
Account name: Daniel Weisman
User name: danielw
Action: Set the password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "danielw@contoso.com".

Create: Security group (Global)
Account name: DrugTrial1Admins
User name: N/A
Action: Add danielw as a member of this group.

Create accounts in the Fabrikam domain

Create and configure the accounts with the values in the following table at FABRIKAMSRV01 for the Fabrikam domain. In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@fabrikam.com".

Create: User account
Account name: Frank Miller
User name: frankm
Action: Set the password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "frankm@fabrikam.com".

Create: User account
Account name: AD FS Service
User name: adfssrvc
Action: Set the password to never expire and the password value to "p@ssw0rd" for this account.

Create: Security group (Global)
Account name: DrugTrial1Auditors
User name: N/A
Action: Add frankm as a member of this group.

Create: User account
Account name: Alice Scott
User name: alices
Action: Set the password to never expire and the password value to "p@ssw0rd" for this account. Set the e-mail address for this account to "alices@fabrikam.com".

Configure DNS zones for services

When AD DS is installed and configured as a server role on CONTOSOSRV01 and FABRIKAMSRV01, the DNS Server role is installed on these VMs as well. The Contoso zones are managed using the DNS Server that you added for CONTOSOSRV01. The Fabrikam zones are managed using the DNS Server that you added for FABRIKAMSRV01.
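The two account tables above can be applied with the Active Directory module instead of the snap-in, which also gives a repeatable check that each account ended up with the password option, e-mail address and group membership the tables call for. This is an added example, not part of the Microsoft guide: it assumes the Active Directory module for Windows PowerShell that ships with Windows Server 2008 R2 (backed by Active Directory Web Services on the 2008 R2 domain controller), is run on the domain controller of the domain being populated as that domain's Administrator, and uses its own function names. The `$LabAccounts` entries are transcribed from the tables, including the lab passwords the guide specifies.

```powershell
# Added example, not from the Microsoft guide: create the lab accounts listed in the
# guide's tables with the Active Directory module (Windows Server 2008 R2; requires the
# Active Directory Web Services that a 2008 R2 domain controller provides).
# Run on the domain controller of the domain being populated, as its Administrator.
Import-Module ActiveDirectory

# Transcribed from the guide's two account tables. The passwords are the lab values the
# guide specifies; a $null Mail entry means the table sets no e-mail address.
$LabAccounts = @{
  "contoso.com" = @{
    AdminMail = "administrator@contoso.com"
    Groups    = @("DrugTrial1Admins")
    Users     = @(
      @{ Name = "AD RMS service account";    Sam = "adrmssrvc"; Password = "p@ssw0rd"; Mail = $null;                 Groups = @("Domain Admins") },
      @{ Name = "AD FS 2.0 Service Account"; Sam = "adfssrvc";  Password = "p@ssw0rd"; Mail = $null;                 Groups = @() },
      @{ Name = "Daniel Weisman";            Sam = "danielw";   Password = "demo!23";  Mail = "danielw@contoso.com"; Groups = @("DrugTrial1Admins") }
    )
  }
  "fabrikam.com" = @{
    AdminMail = "administrator@fabrikam.com"
    Groups    = @("DrugTrial1Auditors")
    Users     = @(
      @{ Name = "Frank Miller";  Sam = "frankm";   Password = "demo!23";  Mail = "frankm@fabrikam.com"; Groups = @("DrugTrial1Auditors") },
      @{ Name = "AD FS Service"; Sam = "adfssrvc"; Password = "p@ssw0rd"; Mail = $null;                 Groups = @() },
      @{ Name = "Alice Scott";   Sam = "alices";   Password = "p@ssw0rd"; Mail = "alices@fabrikam.com"; Groups = @() }
    )
  }
}

function New-LabAccounts {
  param([string]$Domain)
  $spec = $LabAccounts[$Domain]
  if (-not $spec) { throw "No account table for $Domain" }

  # Global security groups first, so the memberships below can be added.
  foreach ($g in $spec.Groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
      New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security
    }
  }

  foreach ($u in $spec.Users) {
    $params = @{
      Name                  = $u.Name
      SamAccountName        = $u.Sam
      UserPrincipalName     = "$($u.Sam)@$Domain"
      AccountPassword       = (ConvertTo-SecureString $u.Password -AsPlainText -Force)
      Enabled               = $true
      PasswordNeverExpires  = $true    # "Set password to never expire"
      ChangePasswordAtLogon = $false   # the cleared "User must change password" check box
    }
    if ($u.Mail) { $params.EmailAddress = $u.Mail }
    New-ADUser @params
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $u.Sam }
  }

  # The built-in Administrator also gets the e-mail address the guide specifies.
  Set-ADUser -Identity "Administrator" -EmailAddress $spec.AdminMail
}

function Test-LabAccounts {
  # Re-read every account and report anything that differs from the table.
  param([string]$Domain)
  $ok = $true
  foreach ($u in $LabAccounts[$Domain].Users) {
    try { $ad = Get-ADUser -Identity $u.Sam -Properties PasswordNeverExpires, EmailAddress }
    catch { Write-Warning "$($u.Sam) was not found"; $ok = $false; continue }
    if (-not $ad.PasswordNeverExpires) { Write-Warning "$($u.Sam): password is set to expire"; $ok = $false }
    if ($u.Mail -and $ad.EmailAddress -ne $u.Mail) { Write-Warning "$($u.Sam): e-mail is '$($ad.EmailAddress)'"; $ok = $false }
    foreach ($g in $u.Groups) {
      $members = @(Get-ADGroupMember -Identity $g | ForEach-Object { $_.SamAccountName })
      if ($members -notcontains $u.Sam) { Write-Warning "$($u.Sam) is not a member of $g"; $ok = $false }
    }
  }
  return $ok
}

# Usage on CONTOSOSRV01:   New-LabAccounts -Domain "contoso.com";  Test-LabAccounts -Domain "contoso.com"
# Usage on FABRIKAMSRV01:  New-LabAccounts -Domain "fabrikam.com"; Test-LabAccounts -Domain "fabrikam.com"
```

The service accounts are created with a user principal name in the domain they belong to, which is the form the AD FS 2.0 configuration wizard and the AD RMS role wizard accept when they ask for a service account later in this guide.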
To assist in locating the services used in later virtual lab exercises, additional resource records must be configured on each of these two DNS servers.

Configure DNS service records for Contoso

Configuring DNS service records for the Contoso domain is a two-step process. In the first step, we open the zone for the contoso.com domain in DNS Manager. Next, we add host (A) resource records to the zone.

Configure zones for the Contoso.com domain

To configure zones for the Contoso.com domain
1. Log on to CONTOSOSRV01 as CONTOSO\Administrator, and then open the DNS Manager snap-in. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Add new host (A) resource records, as described in the following section, to the Forward Lookup Zone for contoso.com.

Create host (A) resource records for the Contoso.com domain

The following are the host (A) resource records that you add using DNS Manager on CONTOSOSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.

Name    Type       Data
adrms   Host (A)   10.0.0.30
docs    Host (A)   10.0.0.2
pki     Host (A)   10.0.0.1
sts1    Host (A)   10.0.0.20

Configure zones for the Fabrikam.com domain

To configure zones for the Fabrikam.com domain
1. Log on to FABRIKAMSRV01 as FABRIKAM\Administrator, and then open the DNS Manager snap-in. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Add new host (A) resource records, as described in the following section, to the Forward Lookup Zone for fabrikam.com.

Create host (A) resource records for the Fabrikam.com domain

The following are the host (A) resource records that you add using DNS Manager on FABRIKAMSRV01.

Name    Type       Data
pki     Host (A)   10.0.0.101
sts2    Host (A)   10.0.0.120

Step 5: Install and configure IIS, certificates, and Group Policy

Use the following procedure to install the IIS (Web Server) role on FABRIKAMSRV01, CONTOSOSRV01, and CONTOSOSRV02.

To install IIS
1. Click Start, and then click Server Manager.
2. Right-click Roles, and then click Add Roles.
3. In the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next twice.
5. On the Select Role Services page, select ASP.NET.
6. In the Add role services required for ASP.NET? dialog box, click Add Required Role Services.
7. On the same page, select the Windows Authentication and IIS 6 Metabase Compatibility check boxes.
8. Click Next to go to the Confirm Installation Options page.
9. Click Install to begin installing IIS with the options that appear on the page.

When the setup process is complete on all servers in the lab, proceed to the next step.

Disable Internet Explorer Enhanced Security Configuration

For the SharePoint and AD FS login pages to work correctly, Internet Explorer Enhanced Security Configuration (ESC) must be disabled on all VMs. To disable ESC, complete the following steps on all four VMs (ContosoSrv01, ContosoSrv02, FabrikamSrv01, and FabrikamSrv02).

To disable ESC
1. Log on to the computer using the domain Administrator account.
2. Click Start, and then click Server Manager.
3. In the console tree, select the top-level (Server Manager) node, and then, in the details pane, click Configure IE ESC.
4. In the Configure IE ESC dialog box, click Off for both Administrators and Users, and then click OK.

Configure Group Policy

Use the following procedures to configure Group Policy to push important browser-specific settings to client computers. This section includes procedures for pushing Internet Explorer settings to the computers in both the Contoso and Fabrikam domains.

Push Internet Explorer settings to computers in the Contoso domain

Use the following procedure to configure Group Policy on the contososrv01 VM computer.

To push Internet Explorer settings in the Contoso domain
1. Log on to contososrv01 with the Domain Administrator account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
7. Click Finish, and then click OK.
8. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection.
9. Double-click Automatic Browser Configuration, clear the Automatically detect configuration settings check box, and then click OK.
10. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security.
11. Double-click Security Zones and Content Ratings, click Import the current security zones and privacy settings, click Continue when you see the prompt, and then click Modify Settings.
12. In the Internet Properties dialog box, click the Security tab, click the Local intranet icon, and then click Sites.
13. In the Local intranet dialog box, in Add this website to the zone, type *.contoso.com, click Add, select the Require server verification (https:) for all sites in this zone check box, click Close, and then click OK.

Push Internet Explorer settings to computers in the Fabrikam domain

Use the following procedure to configure Group Policy on the fabrikamsrv01 VM computer.

To push Internet Explorer settings in the Fabrikam domain
1. Log on to fabrikamsrv01 with the Domain Administrator account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
7. Click Finish, and then click OK.
8. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection.
9. Double-click Automatic Browser Configuration, clear the Automatically detect configuration settings check box, and then click OK.
10. In the Default Domain Policy console tree, expand the following path: User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security.
11. Double-click Security Zones and Content Ratings, click Import the current security zones and privacy settings, click Continue when you see the prompt, and then click Modify Settings.
12. In the Internet Properties dialog box, click the Security tab, click the Local intranet icon, and then click Sites.
13. In the Local intranet dialog box, in Add this website to the zone, type *.fabrikam.com, click Add, select the Require server verification (https:) for all sites in this zone check box, and then click Close.

Refresh Group Policy

To refresh Group Policy, complete the following procedure on each of the four VM computers (contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02).

To refresh Group Policy
1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window opens.
2. At the command prompt, type gpupdate /force, and then press ENTER.

Configure certificates

Now that Group Policy is in place for the users in the contoso.com and fabrikam.com domains, use the following procedures to install AD CS and create the user and computer certificate templates.
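Both the host (A) records from Step 4 and the Local intranet zone mapping pushed by the Group Policy procedures above are things later steps silently depend on (the AD FS 2.0 sign-in pages use Integrated Windows authentication only for sites Internet Explorer treats as intranet). The following pre-flight check is an added example, not part of the Microsoft guide. It assumes Windows PowerShell 2.0 on Windows Server 2008 R2, that `gpupdate /force` has already run for the logged-on user, and that Internet Explorer keeps its zone map at the standard `Internet Settings\ZoneMap\Domains` registry location; `$ExpectedHosts` is transcribed from the two host (A) tables, and the function names are this example's own.

```powershell
# Added example, not from the Microsoft guide: a pre-flight check to run on a lab VM
# after "gpupdate /force". It verifies (1) that the host (A) records from Step 4 resolve
# to the addresses in the guide's tables and (2) that the *.contoso.com / *.fabrikam.com
# entry from the Group Policy procedure reached Internet Explorer's Local intranet zone
# for the logged-on user. Assumes Windows PowerShell 2.0 on Windows Server 2008 R2.

# Expected records, transcribed from the two host (A) tables in Step 4.
$ExpectedHosts = @{
  "adrms.contoso.com" = "10.0.0.30"
  "docs.contoso.com"  = "10.0.0.2"
  "pki.contoso.com"   = "10.0.0.1"
  "sts1.contoso.com"  = "10.0.0.20"
  "pki.fabrikam.com"  = "10.0.0.101"
  "sts2.fabrikam.com" = "10.0.0.120"
}

function Test-LabDnsRecords {
  $ok = $true
  foreach ($name in $ExpectedHosts.Keys) {
    try {
      # Resolution goes through the VM's own DNS client settings, so the other
      # company's names only resolve when the alternate DNS server from Step 3 is set.
      $addrs = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
    } catch {
      Write-Warning "${name}: does not resolve ($($_.Exception.Message))"
      $ok = $false
      continue
    }
    if ($addrs -notcontains $ExpectedHosts[$name]) {
      Write-Warning "${name}: resolves to [$addrs], expected $($ExpectedHosts[$name])"
      $ok = $false
    }
  }
  return $ok
}

function Test-IntranetZone {
  param([string]$Domain)   # "contoso.com" or "fabrikam.com"
  # Internet Explorer stores "*.<domain>" as a key named <domain> under ZoneMap\Domains;
  # the "https" value holds the zone number (1 = Local intranet) because "Require server
  # verification" was selected. Internet Explorer Maintenance writes the user hive; the
  # Policies hive is checked too in case the mapping is later delivered as a policy.
  $candidates = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
  )
  foreach ($key in $candidates) {
    if (Test-Path $key) {
      $zone = (Get-ItemProperty -Path $key).https
      if ($zone -eq 1) { return $true }
    }
  }
  Write-Warning "*.$Domain is not mapped to the Local intranet zone (https = 1) for this user"
  return $false
}

# Usage after the policy has refreshed:
#   Test-LabDnsRecords
#   Test-IntranetZone -Domain "contoso.com"     # on the Contoso-joined VMs
#   Test-IntranetZone -Domain "fabrikam.com"    # on the Fabrikam-joined VMs
```

Run the DNS check from a VM in each domain: a name from the other company that fails to resolve points at the alternate DNS server setting from Step 3 rather than at the records themselves.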
This section includes the following procedures:
- Install AD CS
- Disable CRL extension
- Configure certificate templates
- Configure the Default Web Site on FabrikamSrv01

Install AD CS

Use the following procedure to install Active Directory Certificate Services (AD CS) on the contososrv01 and fabrikamsrv01 VM computers.

To install AD CS
1. Log on to contososrv01 and fabrikamsrv01 with the domain administrator account.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add Roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority and Certification Authority Web Enrollment check boxes.
6. In the Add role services required for Certification Authority Web Enrollment dialog box, click Add Required Role Services, and then click Next.
7. On the Specify Setup Type page, click Enterprise, and then click Next.
8. On the Specify CA Type page, click Root CA, and then click Next.
9. On the Set Up Private Key page, click Create a new private key, and then click Next.
10. On the Configure Cryptography for CA page, click Next to accept the default settings.
11. On the Configure CA Name page, click Next to accept the default settings.
12. On the Set Validity Period page, accept the default validity period, and then click Next.
13. On the Configure Certificate Database page, accept the default values, and then click Next.
14. On the Web Server (IIS) page, click Next.
15. On the Select Role Services page, select the CGI, Client Certificate Mapping Authentication, IIS Client Certificate Mapping Authentication, and URL Authorization check boxes, and then click Next.
16. Verify the information on the Confirmation page, and then click Install.
17. Review the information on the confirmation screen to verify that the installation was successful.
Disable CRL extension

For the purpose of this demonstration, we do not publish the certificate revocation list (CRL) endpoint in the certificates. To disable the CRL extension in the issued certificates, complete the following steps on contososrv01 and fabrikamsrv01:
1. Log on to contososrv01 and fabrikamsrv01 with domain administrator credentials.
2. Click Start, point to Administrative Tools, and then click Certification Authority.
3. In the certsrv window, right-click the CA name (either contoso-CONTOSOSRV01-CA or fabrikam-FABRIKAMSRV01-CA), and then click Properties.
4. In the dialog box that appears, click the Extensions tab.
5. Delete all entries in the CRL Distribution Point (CDP) list by selecting each item in the field and clicking Remove.
6. After all entries are deleted, click OK to exit the dialog box.
7. Click Yes in the next dialog box that appears, which asks to restart Active Directory Certificate Services so that the change takes effect.

Configure certificate templates

Use the following procedure to configure the certificate templates in AD CS on the contososrv01 and fabrikamsrv01 VM computers.

To configure certificate templates
1. Log on to contososrv01 and fabrikamsrv01 with the domain administrator account.
2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and then click Add/Remove Snap-in.
3. In Available snap-ins, double-click Certificate Templates, and then click OK.
4. In the console tree, click Certificate Templates. All the certificate templates appear in the details pane.
5. In the details pane, right-click the Web Server template, and then click Properties. If the Security tab does not appear (you will need it in the next step), you might have to reopen this properties page by clicking the Manage link in the Actions pane.
6. On the Security tab, click Add. In Enter the object names to select, type Domain Computers, and then click OK.
7. In Permissions for Domain Computers, under Allow, select the Read and Enroll check boxes, and then click OK.
8. On the Security tab, click Add. In Enter the object names to select, type Domain Controllers, and then click OK.
9. In Permissions for Domain Controllers, under Allow, select the Read and Enroll check boxes, and then click OK.
10. Close the console, open a Command Prompt window (click Start, click Run, type cmd, and then click OK), and then type the following two commands to restart AD CS:

    net stop "Active Directory Certificate Services"
    net start "Active Directory Certificate Services"

Create a shared certificate for AD RMS and AD FS 2.0 on ContosoSrv01

To create the certificate for AD RMS and AD FS 2.0 to use
1. Log on to contososrv01 as the CONTOSO\Administrator account with "demo!23" as the password.
2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the console tree, click CONTOSOSRV01.
4. In the Features View pane, double-click Server Certificates.
5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.
6. On the Distinguished Name Properties page of the wizard, enter the settings from the following table, and then click Next.

   Field                 Value
   Common name           *.contoso.com
   Organization          Contoso Pharmaceutical
   Organizational unit   IT
   City/Locality         Redmond
   State/Province        WA
   Country/Region        US

7. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a certification authority (CA) server in the domain.
   Note: The Select button is enabled only if a CA is correctly configured and exists on the domain.
8. Select the certification authority (CA) that appears in the list, and then click OK.
9. In Friendly name, type *.contoso.com Certificate, and then click Finish.
   Note: You must provide a friendly name for the certificate.

Create a certificate for AD FS 2.0 on Fabrikam.com

To create the certificate for the AD FS 2.0 server to use
1. Log on to fabrikamsrv01 as the FABRIKAM\Administrator account with "demo!23" as the password.
2. Open the IIS Manager snap-in. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the console tree, click FABRIKAMSRV01.
4. In the Features View pane, double-click Server Certificates.
5. In the Actions pane, click Create Domain Certificate. The Create Certificate Wizard opens.
6. On the Distinguished Name Properties page of the wizard, enter the settings from the following table, and then click Next.

   Field                 Value
   Common name           sts2.fabrikam.com
   Organization          Fabrikam Research
   Organizational unit   IT
   City/Locality         Redmond
   State/Province        WA
   Country/Region        US

7. On the Online Certification Authority page, in Specify Online Certification Authority, click Select to search for a CA server in the domain.
   Note: The Select button is enabled only if a CA is correctly configured and exists on the domain.
8. Select the CA that appears in the list, and then click OK.
9. In Friendly name, type sts2.fabrikam.com Certificate, and then click Finish.
   Note: You must provide a friendly name for the certificate.

Configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate

Each security token service (STS) requires a server authentication certificate (also known as a Secure Sockets Layer (SSL) certificate) to be bound to the Default Web Site before you can use AD FS 2.0. The Web server also requires this certificate.

To configure the Default Web Site on FabrikamSrv01 with the new server authentication certificate
1. Log on to fabrikamsrv01 with the Domain Administrator account.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. In the console tree, double-click FABRIKAMSRV01, double-click Sites, click Default Web Site, and then, in the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, under Type, click https; under SSL certificate, select sts2.fabrikam.com Certificate in the list; click OK; and then click Close.
6. In the details pane, double-click SSL Settings. Under Client certificates, verify that the Ignore option is selected, and then click Apply.

Export and import Root CA certificates

This section includes the following procedures:
- Export both Root CA certificates
- Import both Root CA certificates

Export both Root CA certificates

Use the following procedure to export the Root CA certificates from both the contososrv01 and fabrikamsrv01 VM computers.

To export both Root CA certificates
1. Log on to contososrv01 with the domain administrator account (CONTOSO\Administrator).
2. Click Start, click Run, type mmc, and then click OK. In the empty console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Certificates in the list of Available snap-ins, and then click Add.
4. In the Certificates snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the console tree, expand Certificates (Local Computer), and then double-click Personal.
8. Click Certificates; in the details pane, right-click Contoso-CONTOSOSRV01-CA, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. On the Export Private Key page, click No, do not export the private key, and then click Next.
11. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.
12. On the File to Export page, type c:\users\public\ContosoCA.cer, and then click Next.
13. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.
14. Repeat steps 1 through 13 on the fabrikamsrv01 VM computer, using FABRIKAM\Administrator for the logon. In step 8, the certificate that you select is named Fabrikam-FABRIKAMSRV01-CA. In step 12, type c:\users\public\FabrikamCA.cer as the File to Export value.

Import both Root CA certificates

Use the following procedure to import the Root CA certificates on both the contososrv01 and fabrikamsrv01 VM computers, and then distribute them to all the client computers using Group Policy.

To import both Root CA certificates
1. Log on to contososrv01 with the CONTOSO\Administrator account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
7. Click Finish, and then click OK.
8. Double-click Default Domain Policy. In the console tree, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities.
9. Right-click Trusted Root Certification Authorities, and then click Import.
10. On the Welcome to the Certificate Import Wizard page, click Next.
11. On the File to Import page, type \\fabrikamsrv01\c$\users\public\FabrikamCA.cer, and then click Next.
12. On the Certificate Store page, select Place all certificates in the following store, verify that it points to the Trusted Root Certification Authorities store, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish, and then click Finish.
14. Repeat steps 2 through 13 on the fabrikamsrv01 VM computer, using FABRIKAM\Administrator as the logon. In step 11, type \\contososrv01\c$\users\public\ContosoCA.cer as the File to Import value.

Refresh Group Policy

To refresh Group Policy
1. Log on to the contososrv01, contososrv02, fabrikamsrv01, and fabrikamsrv02 VM computers, click Start, click Run, type cmd, and then press ENTER. The Command Prompt window opens.
2. At the command prompt, type gpupdate /force, and then press ENTER.

Install and configure AD RMS as a root cluster

Use the Add Roles Wizard to create a new Active Directory Rights Management Services (AD RMS) cluster on the contososrv01 VM. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Note: AD RMS creates new groups in AD DS. Therefore, you should install AD RMS after the AD DS role is fully installed and configured. Also, select the Add Required Role Services option during role installation.

Complete the Add AD RMS Role Wizard using the information in the following table.

Wizard page: Select Role Services
Settings to use: Select Active Directory Rights Management Server. Do not select Identity Federation Support.

Wizard page: Create or Join an AD RMS Cluster
Settings to use: Select Create a new AD RMS cluster.

Wizard page: Select Configuration Database
Settings to use: Select Use Windows Internal Database on this server.

Wizard page: Specify Service Account
Settings to use: In Domain User Account, click Specify, and then select the CONTOSO\adrmssrvc account. Note: If the password does not validate when it is applied, ensure that the adrmssrvc account is a member of the CONTOSO\Domain Admins group.

Wizard page: Configure AD RMS Cluster Key Storage
Settings to use: Select Use AD RMS centrally managed key storage.

Wizard page: Specify AD RMS Cluster Key Password
Settings to use: Enter "p@ssw0rd" as the password.

Wizard page: Select AD RMS Cluster Web Site
Settings to use: Select Default Web Site.

Wizard page: Specify Cluster Address
Settings to use: Select the Use an SSL-encrypted connection option. In Internal Address, in Fully-Qualified Domain Name, type adrms.contoso.com. In Port, use 443, and then click Validate. When the URL validates, you can click Next.

Wizard page: Choose a Server Authentication Certificate for SSL Encryption
Settings to use: Select the Choose an existing certificate for SSL encryption option, and then select the certificate issued to *.contoso.com.

Wizard page: Name the Server Licensor Certificate
Settings to use: In Name, use CONTOSOSRV01.

Wizard page: Register AD RMS Service Connection Point
Settings to use: Select Register the AD RMS service connection point now.

Wizard page: Web Server (IIS)
Settings to use: Accept the default options for the role, and then click Next.

Note: After the AD RMS role is added, you must log off and log on again before you can administer the AD RMS role.

Install SQL Server 2008 Standard SP1

We use Microsoft SQL Server 2008 Standard Service Pack 1 (SP1) to show how AD FS 2.0 connects to another data store and issues tokens containing values from that data store.

To install Microsoft SQL Server 2008 Standard SP1
1. Log on to the contososrv01 computer with the Domain Administrator account.
2. Locate the Setup.exe installer that you downloaded to the contososrv01 computer, and then double-click it.
3. On the SQL Server Installation Center wizard page, click Installation.
4. On the Installation page, click New SQL Server stand-alone installation or add features to an existing installation.
5. Continue the installation. In the SQL Server 2008 Setup Wizard, accept the defaults for all installation options, except for the following specific configuration changes that support the AD FS 2.0 virtual lab environment:
   - On the Feature Selection page, select the Database Engine Services and Management Tools - Basic check boxes as your installed feature options.
   - On the Server Configuration page, on the Service Account tab, for Account name, select NT AUTHORITY\SYSTEM as the account to be used.
   - On the Database Engine Configuration page, on the Account Provisioning tab, under Specify SQL Server Administrators, click Add Current User, click Add, and then browse to and add the user account (adfssrvc) that you created.

Create the HOL Doctors Role database on ContosoSrv01

After you install and configure SQL Server on ContosoSrv01, create the hands-on lab (HOL) Doctors Role database.

To create the HOL Doctors Role database on CONTOSOSRV01
1. Log on to the contososrv01 computer with the Domain Administrator account.
2. Start SQL Server Management Studio by clicking Start, All Programs, Microsoft SQL Server 2008, and then SQL Server Management Studio.
3. In the dialog box that appears, type ContosoSrv01 for the server name.
4. Use the SQL script (HOL_Doctors_DB.sql) included with the support files for this lab setup. Open it in Microsoft SQL Server Management Studio by clicking File, Open, and then File.
   Note: This script is part of the support files download for this lab setup. For more information, see the table in Step 2: Download and install prerequisite software.
5. Select the file HOL_Doctors_DB.sql in the directory where it is saved.
6. To run the script, click Execute. This creates the necessary database and associated tables.

Step 6: Install and configure the SharePoint site on ContosoSrv02

To enable SharePoint document collaboration across a federated trust, you install and configure a SharePoint portal site on the appropriate VM computer in the test lab environment. For this configuration, use the CONTOSOSRV02 VM. In addition to installing Office SharePoint Server 2007, you apply additional configuration changes to enable SharePoint collaboration before you begin walking through the scenarios.
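Three outcomes of the Step 5 certificate procedures are worth confirming on each lab server before AD FS 2.0 is installed in Step 7: that certificates issued after the "Disable CRL extension" change really carry no CRL Distribution Point extension (a leftover one makes revocation checks fail later, because no CRL is ever published), that both lab root CAs reached the machine's Trusted Root store through the Default Domain Policy, and that the https binding on port 443 points at the intended certificate. The following is an added example, not part of the Microsoft guide. It assumes Windows PowerShell 2.0 on Windows Server 2008 R2, an elevated session, and English-language `netsh http show sslcert` output; `$ExpectedRootCAs` uses the two CA names the guide lists, and the function names are this example's own.

```powershell
# Added example, not from the Microsoft guide: checks to run on a lab server once the
# AD CS, certificate and Group Policy procedures in Step 5 are done. Assumes Windows
# PowerShell 2.0 on Windows Server 2008 R2 in an elevated session, and English
# "netsh http show sslcert" output. The CA names are the ones the guide uses.

$ExpectedRootCAs = @("contoso-CONTOSOSRV01-CA", "fabrikam-FABRIKAMSRV01-CA")

function Test-NoCdpExtension {
  # $SubjectPattern is a regular expression matched against the certificate Subject,
  # e.g. [regex]::Escape("*.contoso.com") or 'sts2\.fabrikam\.com'.
  param([string]$SubjectPattern)
  $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $SubjectPattern })
  if ($certs.Count -eq 0) { Write-Warning "No certificate matching $SubjectPattern in LocalMachine\My"; return $false }
  $ok = $true
  foreach ($c in $certs) {
    # OID 2.5.29.31 is the CRL Distribution Points extension. A certificate issued before
    # the CA's CDP list was emptied still carries it, and a relying party would then try
    # (and, with no published CRL, fail) to check revocation against it.
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if ($cdp) {
      Write-Warning "$($c.Subject) (thumbprint $($c.Thumbprint)) still carries a CDP extension; request it again"
      $ok = $false
    }
  }
  return $ok
}

function Test-LabRootCAs {
  # Both lab root CAs must be in the machine's Trusted Root store, which is where the
  # Default Domain Policy import in "Import both Root CA certificates" places them.
  $roots = Get-ChildItem Cert:\LocalMachine\Root
  $missing = @($ExpectedRootCAs | Where-Object {
    $ca = $_
    -not ($roots | Where-Object { $_.Subject -match [regex]::Escape($ca) })
  })
  if ($missing.Count -gt 0) {
    Write-Warning "Trusted Root store is missing: $missing (run gpupdate /force and retry)"
    return $false
  }
  return $true
}

function Test-Port443Binding {
  # HTTP.SYS holds the certificate hash for each https binding; the IIS Site Bindings
  # dialog writes it there. Confirm that port 443 points at the intended certificate.
  param([string]$SubjectPattern)
  $current = $null
  $hash = $null
  foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'IP:port\s*:\s*(\S+)') { $current = $Matches[1] }
    elseif ($current -like '*:443' -and $line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $hash = $Matches[1]; break }
  }
  if (-not $hash) { Write-Warning "No https binding on port 443"; return $false }
  $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash.ToUpper() }
  if (-not $cert -or $cert.Subject -notmatch $SubjectPattern) {
    Write-Warning "Port 443 is bound to thumbprint $hash, not to a certificate matching $SubjectPattern"
    return $false
  }
  return $true
}

# Usage on FABRIKAMSRV01 after "Configure the Default Web Site on FabrikamSrv01":
#   Test-NoCdpExtension -SubjectPattern 'sts2\.fabrikam\.com'
#   Test-LabRootCAs
#   Test-Port443Binding -SubjectPattern 'sts2\.fabrikam\.com'
# On CONTOSOSRV01 use [regex]::Escape("*.contoso.com") as the pattern.
```

If `Test-NoCdpExtension` reports a leftover extension, the certificate was requested before the CA's CDP list was emptied; requesting a new one through the same Create Domain Certificate wizard and rebinding it is simpler than trying to edit the existing one.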
This section includes the following procedures:
- Create an SSL certificate for the SharePoint site
- Install .NET Framework 3.5 on ContosoSrv02
- Install Microsoft Office SharePoint Server 2007

Create an SSL certificate for the SharePoint site

To create an SSL certificate for the extranet site
1. Log on to the contososrv02 computer with the Domain Administrator account.
2. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. Click the name of the server in the Connections column, and then double-click Server Certificates.
4. In the Actions pane, click Create Domain Certificate.
5. Enter the following information about your company and the domain that you are securing, and then click Next.

   Field name            Value
   Common name           docs.contoso.com
   Organization          Contoso Pharmaceutical
   Organizational unit   IT
   City/Locality         Redmond
   State/Province        WA
   Country/Region        US

6. Under Specify Online Certification Authority, click Select, and then click Contoso-CONTOSOSRV01-CA.
   Note: The Select button is enabled only if a CA is correctly configured and exists on the domain.
7. Under Friendly name, type docs.contoso.com Certificate, and then click Finish.

Install .NET Framework 3.5 on ContosoSrv02

Before you install Microsoft Office SharePoint Server 2007, you must install .NET Framework 3.5 on ContosoSrv02.

To install .NET Framework 3.5 on ContosoSrv02
1. Log on to ContosoSrv02 with domain Administrator credentials.
2. Click Start, click Administrative Tools, click Server Manager, and then, in the console tree, click Features.
3. In the details pane, click Add Features.
4. On the Select Features page, select .NET Framework 3.5.1 Features.
5. Click Add Required Features in the message box that appears.
6. Click Next, and then click Install.
7. When the installation finishes, click Close to exit the wizard.
Install Microsoft Office SharePoint Server 2007

Note: Before you can proceed with the installation of Office SharePoint Server 2007 SP1, complete the steps to create an installation package for Windows Server 2008 R2 on the Microsoft SharePoint Team Blog (http://go.microsoft.com/fwlink/?LinkId=179787).

To install Microsoft Office SharePoint Server 2007 SP1
1. Run setup.exe for Office SharePoint Server 2007. After you start the installation process, you have to enter a valid product identification key code.
2. After you enter the product identification key code, click Continue. The next screen is the licensing agreement screen. For product IDs to use in trial activation of this product, see Microsoft Office SharePoint Server 2007 Trial Version (x64) (http://go.microsoft.com/fwlink/?LinkID=150950).
3. Select the I accept the terms of this agreement check box, and then click Continue. On the next screen, you can select the type of installation.
4. Click Advanced.
5. For Server Type, keep the default selection of Stand-alone.
6. Click Install Now, and continue until you complete the installation process.
7. If you see the prompt "Program Compatibility Assistant", click Run program.

Configure Microsoft Office SharePoint Server 2007

After the SharePoint installation process is complete, run the SharePoint Products and Technologies (SPPT) Configuration Wizard. Use this wizard to commit the initial configuration options for your new SharePoint farm.

To configure the SharePoint farm using the SPPT wizard
1. Start the SPPT wizard, and on the Welcome page, click Next.
2. You should see a message informing you that certain services (IIS, SharePoint Administration, SharePoint Timer) are going to be stopped. Click Yes.
3. After the installation is complete, click Finish.

Extend the default SharePoint application to docs.contoso.com

To extend the default SharePoint application to support docs.contoso.com
1. Start the SharePoint Central Administration site: click Start, and then click SharePoint 3.0 Central Administration.
2. In the Central Administration site, click Application Management.
3. In the SharePoint Web Application Management section of the page, click Create or extend Web application.
4. On the next page, click Extend an existing Web application.
5. In the Web Application drop-down list, select Change Web Application, and then click SharePoint-80.
6. Keep the selection for Create a new IIS web site, for the description type docs.contoso.com, and then select the following options:
   - For Port, type 443.
   - For Host Header, type docs.contoso.com.
   - For Use Secure Sockets Layer (SSL), select Yes.
   - For Zone, select Extranet.
7. Click OK.

Set the SSL certificate for docs.contoso.com

To set the SSL certificate for docs.contoso.com
1. Open IIS Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand CONTOSOSRV02 and Sites, and then click SharePoint docs.contoso.com443.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, select the top row, and then click Edit.
5. In the Edit Site Binding dialog box, select the docs.contoso.com Certificate in the SSL certificate drop-down list.
6. Click OK, and then click Close.

Upload sample documents to docs.contoso.com

To upload sample documents to docs.contoso.com
1. Log on to CONTOSOSRV01 as CONTOSO\Administrator using the password "demo!23".
2. Open Internet Explorer, and then navigate to https://docs.contoso.com.
3. At the site, click Document Center.
4. In the left pane, click Documents.
5. In the middle pane, click Upload.
6. On the next page, click Browse. Navigate to and select the Contoso-Statement of General Terms.docx document.
   Note: This document is part of the support files download for this lab setup. For more information, see the table in Step 2: Download and install prerequisite software.
7. Click OK.
8. When the next page appears, click Check In.

Step 7: Install and configure Windows claims-aware identity software

Before you can evaluate the federated document collaboration scenarios that this guide sets up, you must first install all the Windows software programs that are necessary for creating a claims-based identity solution on the appropriate VM computers in the test lab environment. You must also perform several steps to configure both Federation Services before you begin walking through the scenarios.

This section includes the following procedures:
- Install and configure AD FS 2.0 on ContosoSrv01
- Install and configure AD FS 2.0 on FabrikamSrv01
- Customize the AD FS 2.0 sign-in pages
- Install and configure WIF and SharePoint support software on ContosoSrv02
- Install and configure the Desktop Experience feature on FabrikamSrv02
- Install and configure Microsoft Office 2007 on FabrikamSrv02

Install and configure AD FS 2.0 on ContosoSrv01

To install and configure AD FS 2.0 on ContosoSrv01
1. Log on to ContosoSrv01 as CONTOSO\Administrator using the assigned password ("demo!23").
2. Locate the AdfsSetup.exe installation package that you downloaded, and then double-click it.
3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. On the End-User License Agreement page, read the license terms. If you agree to them, select the I accept the terms in the License Agreement check box, and then click Next.
5. On the Server Role page, select Federation server, and then click Next.
6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.
   Note: The wizard may ask you to restart the computer. If so, click Finish to restart the computer. After the computer restarts, log on as CONTOSO\Administrator. On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
7. Completing the wizard should open the AD FS 2.0 Management console. If you do not see the AD FS 2.0 Management console, on the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
8. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0 Federation Server Configuration Wizard.
9. On the Welcome page, select Create a new Federation Service, and then click Next.
10. On the Select Stand-Alone or Farm Deployment page, select New federation server farm, and then click Next.
11. On the Specify the Federation Service Name page, type sts1.contoso.com as the federation service name, and then click Next.
12. On the Specify a Service Account page, click Browse, type CONTOSO\adfssrvc, and then click OK.
13. In Password, type p@ssw0rd, and then click Next.
14. On the Ready to Apply Settings page, review the settings, and then click Next.
15. On the Results page, click Close.

Install and configure AD FS 2.0 on FabrikamSrv01

To install and configure AD FS 2.0 on FabrikamSrv01
1. Log on to FABRIKAMSRV01 as FABRIKAM\Administrator using the assigned password ("demo!23").
2. Locate the AdfsSetup.exe installation package that you downloaded, and then double-click it.
3. On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
4. On the End-User License Agreement page, read the license terms. If you agree to them, select the I accept the terms in the License Agreement check box, and then click Next.
5. On the Server Role page, click Federation server, and then click Next.
6. On the Completed the Microsoft AD FS 2.0 Setup Wizard page, click Close.
7. Note: The wizard may ask you to restart the computer. If so, click Finish to restart the computer. After the computer restarts, log on as FABRIKAM\Administrator. On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
8. Completing the wizard should open the AD FS 2.0 Management console.
If you do not see the AD FS 2.0 Management console, on the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
9. In the console tree, click AD FS 2.0, and then, in the right pane, click AD FS 2.0 Federation Server Configuration Wizard.
10. On the Welcome page, select Create a new Federation Service, and then click Next.
11. On the Select Stand-Alone or Farm Deployment page, select New federation server farm, and then click Next.
12. On the Specify the Federation Service Name page, the federation service name should appear as sts2.fabrikam.com. Click Next.
13. On the Specify a Service Account page, click Browse, type FABRIKAM\adfssrvc, and then click OK.
14. In Password, type p@ssw0rd, and then click Next.
15. On the Ready to Apply Settings page, review the settings, and then click Next.
16. On the Results page, click Close.

Customize the AD FS 2.0 sign-in pages

Next, you customize the AD FS 2.0 sign-in pages with a custom logo and set the authentication type to support username/password authentication.

To customize the AD FS 2.0 sign-in pages

1. Log on to ContosoSrv01 as CONTOSO\Administrator using the assigned password ("demo!23").
2. Navigate to the folder c:\inetpub\adfs\ls.
3. Copy the Contoso_logo.png file to this folder.
   Note: This file is part of the support files download for this lab setup. For more information, see the table in Step 2: Download and install prerequisite software.
4. Open the file web.config.
5. In the <appSettings> section, replace logo.png with contoso_logo.png, and uncomment that line.
6. In the <authenticationTypes> section, move the line <add name="Forms" … /> to the top of the list. Save the changes, and close the file.

For the changes on FabrikamSrv01, follow the steps above, except replace contoso_logo.png with fabrikam_logo.png.

Install and configure the WIF and SharePoint support software on ContosoSrv02

To install WIF and SharePoint support software on ContosoSrv02

1. Log on to ContosoSrv02 as CONTOSO\Administrator using the assigned password ("demo!23").
2. Install the following programs, and accept their default settings in the installation:
   Windows Identity Foundation (Windows6.1-KB974405-x64.msu)
   Microsoft Federation Extensions for SharePoint 3.0 (Microsoft-FederationExtensions-For-SharePoint3.0.msi)
   Windows Identity Foundation SDK (WindowsIdentityFoundation-SDK.msi)

Install and configure the Desktop Experience feature on FabrikamSrv02

Before you install the Office component on FabrikamSrv02, the Desktop Experience feature must be installed to provide a typical Windows desktop environment when you are working with the Windows Server 2008 R2 operating system in the VMs.

To install and configure Desktop Experience on FabrikamSrv02

1. Log on to FabrikamSrv02 as FABRIKAM\Administrator using the assigned password ("demo!23").
2. Click Start, click Administrative Tools, click Server Manager, and then, in the left pane, click Features.
3. In the right pane, click Add Features.
4. On the Select Features page, click Desktop Experience.
5. Click Add Required Features in the message box that appears.
6. Click Next, and then click Install.
7. After the installation finishes, click Close to exit the wizard. Restart the computer if you are prompted.

Install and configure Microsoft Office 2007 on FabrikamSrv02

To install Microsoft Office 2007 on FabrikamSrv02

1. Log on to FabrikamSrv02 with FABRIKAM\Administrator credentials.
2. Install the following programs, and accept their default settings in the installation:
   Microsoft Office 2007
   2007 Microsoft Office Suite Service Pack 2 (SP2)
   2007 Office system hotfix package kb969413

Step 8: Configure ContosoSrv02 and FabrikamSrv02 for the step-up authentication scenario

In the step-up authentication scenario, users are authenticated with a smart card. To simulate authentication with a smart card, we use a software-based X.509 client certificate and protect it with a PIN. This certificate is available for enrollment by default in Active Directory Certificate Services (AD CS), which acts as the CA for the domain.

To request a certificate from the CA and set the private key PIN

1. Log on to a client computer (FabrikamSrv02 or ContosoSrv02) as one of the users (FABRIKAM\frankm or CONTOSO\danielw) with "demo!23" as the user's password.
2. Open a Command Prompt window: on the Start menu, click Run, type cmd, and then click OK.
3. At the command prompt, type mmc, and then press ENTER. This command opens the Microsoft Management Console (MMC).
4. In the MMC, click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, click Certificates, and then click Add.
6. In the prompt, leave My user account selected, and then click Finish.
7. Click OK. This action adds the snap-in for certificate enrollment.
8. In the console tree, right-click Personal, click All Tasks, and then click Request New Certificate. The Certificate Enrollment window opens.
9. In the Certificate Enrollment window, click Next twice.
10. In the list, select the User check box, expand Details, and then click Properties. The Certificate Properties dialog box opens.
11. Click the Private Key tab.
12. Expand Key options, and select the Strong private key protection check box. Selecting this setting prompts you to select a PIN for the certificate during enrollment.
13. Click OK. The Certificate Properties dialog box closes.
14. Click Enroll. A dialog box opens prompting you to select the security level for using the certificate.
15. Click Set Security Level. In the dialog box, click High, and then click Next.
16. Type 1@234abcd as the PIN for the certificate in the Password field and in the Confirm field. Click Finish.
17. Click OK.
18. Click Finish in the Certificate Enrollment window.
19. Close the console. (You can click No when you are prompted to save console settings.)
On ContosoSrv02 we have to register the .dll that will be needed to perform the step-up authentication scenario. We will use Gacutil.exe to register that dll. To obtain GacUtil.exe, download and install the .NET Framework 2.0 Software Development Kit (SDK) (x64) (http://go.microsoft.com/fwlink/?LinkId=179799) with default settings.
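For the sign-in page customization in Step 7, the following is an added before/after fragment of c:\inetpub\adfs\ls\web.config; it is not taken from the guide or its support files. It assumes the logo setting is an appSettings key named logo, that the list the guide calls the <authenticationTypes> section is the localAuthenticationTypes element inside microsoft.identityServer.web, and that the page attribute values match the default AD FS 2.0 file; check all three against the file on your own server. The order of the list is the point of the edit: AD FS 2.0 offers browser clients the first listed handler, so placing Forms first yields the username/password page instead of integrated Windows authentication.

```xml
<!-- Before: default ordering, Integrated (Kerberos/NTLM) is offered first.
     Element and attribute values are assumed to match the default AD FS 2.0 web.config. -->
<configuration>
  <appSettings>
    <!-- <add key="logo" value="logo.png" /> -->   <!-- key name "logo" is an assumption -->
  </appSettings>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>

<!-- After (ContosoSrv01): logo line uncommented and pointed at contoso_logo.png,
     Forms moved to the top so username/password sign-in is the default.
     On FabrikamSrv01 the only difference is value="fabrikam_logo.png". -->
<configuration>
  <appSettings>
    <add key="logo" value="contoso_logo.png" />
  </appSettings>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>
```

Only the order changes, not the set of handlers: keep the TlsClient entry, because client certificate sign-in of the kind exercised by the Step 8 step-up scenario is served through that handler.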