LAB: Enterprise Single Sign-On Services. Last Saved: 7/17/2006 10:48:00 PM



LAB: Enterprise Single Sign-On Services

TABLE OF CONTENTS

HOL: Enterprise Single Sign-On Services
  Objectives
  Lab Setup
  Preparation
  Exercise 1: Understanding Enterprise SSO basic concepts
    SSO SYSTEM
    MASTER SECRET SERVER
    AFFILIATE APPLICATIONS
    MAPPINGS
    MAPPINGS using MAPPING WIZARD
    BIZTALK HTTP ADAPTER CONFIGURATION AND SCENARIO
    SERVER MANAGEMENT
  Exercise 2: Enterprise SSO Management Agent
    CREATE ENTSSO MANAGEMENT AGENT
    RUN MANAGEMENT AGENTS and CREATE SSO MAPPINGS
  Exercise 3: Password Management
    PREPARE FOR PASSWORD SYNC
    RUN PASSWORD SYNC FOR ENTERPRISE SSO
    UNDERSTAND PASSWORD SYNC CONFIG FOR ENTSSO MA
    CONFIGURE PASSWORD FILTER
  Exit Lab

HOL: Enterprise Single Sign-On Services

Objectives

After completing this lab, you will be able to:
- Understand Enterprise SSO (EntSSO) key concepts
- Use the Enterprise SSO tools efficiently
- Integrate Microsoft Identity Integration Server (MIIS) with Enterprise SSO services
- Configure BizTalk adapters to use EntSSO
- Understand password management

Lab Setup

To complete this lab, you need:
- Domain Controller and Active Directory
- Visual Studio .NET 2005
- MMC 3.0
- BizTalk Server 2006
- Host Integration Server 2006
- Enterprise Single Sign-On v4 (available with HIS 2006)
- Microsoft Identity Integration Server 2003 SP1
- IIS 6.0

Some of the tools you are going to use in this lab are:
- Enterprise SSO Administration MMC snap-in (Start, All Programs, Microsoft Enterprise Single Sign-On, SSO Administration)
- Identity Manager (Start, All Programs, Microsoft Identity Integration Server, Identity Manager)
- BizTalk Server Administration Console (Start, All Programs, Microsoft BizTalk Server 2006, BizTalk Server Administration)
- Enterprise SSO Client Utility (Start, All Programs, Microsoft Enterprise Single Sign-On, SSO Client Utility)
- Active Directory Users and Computers (Start, All Programs, Administrative Tools, Active Directory Users and Computers)

Preparation

Start VPC and Logon

Start the VPC (BTSHIS_ESSO_VPC). This may take 5 minutes. Log in using the following credentials:
  User name: donhall
  Password: donhall
  Domain name: fabrikam

The VPC is a Domain Controller and contains all of the prerequisites mentioned above that you need to complete this lab.

Basic Validation

1. Right-click My Computer on the desktop and select Manage to open Computer Management.
2. Look under System Tools > Event Viewer at the Application and System event logs to verify whether there are any service start-up failures.
3. Right-click the Application event log and clear all entries.
4. Launch Identity Manager (Start -> All Programs -> Microsoft Identity Integration Server -> Identity Manager) to verify that it opens without errors. If it doesn't, verify that the Microsoft Identity Integration Server service (miiserver.exe) is running: in Computer Management, look under Services and Applications -> Services. If the service is stopped, right-click it and select Start. Check the Application event log to ensure that the service started successfully.
5. Launch the SSO Administration MMC snap-in (Start -> All Programs -> Microsoft Enterprise Single Sign-On -> SSO Administration) to verify that it opens without errors. If it doesn't, verify that the Enterprise Single Sign-On service (entsso.exe) is running: in Computer Management, look under Services and Applications -> Services. If the service is stopped, right-click it and select Start. Check the Application event log to ensure that the service started successfully.

Exercise 1: Understanding Enterprise SSO basic concepts

Estimated Time: 45 mins

SSO SYSTEM

1. In the SSO Administration snap-in, right-click System in the left pane and click Disable to disable the SSO System.
2. Select Yes when prompted to confirm disabling the system.
Note: This operation can be done only by an SSO Administrator. Disabling the system turns off all SSO operations.

3. Right-click System in the left pane and select Properties.
4. Go to the Accounts tab and click Add to add another SSO Administrators account.
5. In the Users and Groups dialog, type fabrikam\sso Administrators and click Check Names to resolve the name.
6. Click OK.
Note: Changing or adding an SSO Administrators account can be done only while the SSO System is disabled.
7. Right-click System in the left pane and click Enable to re-enable the SSO System.
Note: This operation can be done only by an SSO Administrator.

MASTER SECRET SERVER

1. In the SSO Administration snap-in, right-click System in the left pane and click Backup Secret to back up the master secret to a secure location.
2. In the Backup Secret dialog, specify the following:
   a. Backup File Name with location. Example: C:\Program Files\Common Files\Enterprise Single Sign-On\EntSSOkey.bak
   b. File Password: password
   c. Confirm Password: password
   d. Password Reminder: password
3. Click OK to back up the secret.
4. Click OK in the next message box.
Note: Secret management can be performed only by an SSO Administrator on the Master Secret Server.
Note: The master secret is the key that protects every credential stored in the SSO Credential Database. If the Master Secret Server is lost and no backup exists, those credentials cannot be recovered, and the backup file itself is protected only by the file password chosen here. The values above are lab values only: in a real deployment use a strong file password, store the backup file somewhere other than the SSO server, and do not use a reminder that reveals the password.

AFFILIATE APPLICATIONS

1. In the SSO Administration snap-in, click the Affiliate Applications node in the left pane.
2. All existing Affiliate Applications are displayed in the right pane.
3. In the left pane, right-click the Affiliate Applications node and click Create Application to create a new Affiliate Application. This launches the Enterprise Single Sign-On Application Wizard.
Note: Only an SSO Administrator or an SSO Affiliate Administrator can perform this operation.

4. Specify the following for the Affiliate Application in the General page of the wizard:
   Application Type: Individual
   Application Name: LABAPP1
   Description: Individual App for Lab
   Contact Information: myname@mycompany.com
5. Select Allow local accounts for access accounts. Do not select Use SSO Affiliate Admin Accounts for Application Admin accounts.
6. Click Next to go to the next step in the wizard.

7. In the Accounts page, specify the following:
   For the Application Administrators account, click Add and specify fabrikam\biztalk Application Users. Then click Check Names to resolve the group account.
   For the Application Users account, click Add and specify fabrikam\racfusersgrp. Then click Check Names to resolve the group account.
8. Click OK.
9. Select Next to go to the next step in the wizard.

10. In the Options page, in addition to the defaults, select the following:
   Disable Credential cache
   Tickets Allowed
   Everything else keeps its default selection:
   Enabled: checked
   Allow Windows initiated SSO: checked
   Allow host initiated SSO: unchecked
   Direct Password Sync from Windows: unchecked
   Application Users cannot create mappings: checked
11. Select Next, then Finish to create the Affiliate Application.
12. Click OK.

MAPPINGS

1. In the SSO Administration snap-in, under the Affiliate Applications node in the left pane, right-click LABAPP1 to view the available options.
2. Select New Mapping to create a new mapping.
Note: The Application Administrator for the Affiliate Application, an SSO Affiliate Administrator or an SSO Administrator can perform this operation. They can create a mapping for any user that belongs to the Application Users account for this Affiliate Application.

3. Specify the following in the Create New Mapping dialog:
   Windows user: fabrikam\user1
   External user: usera
   Select Set credentials for new mapping.
4. Click OK.
5. In the Set Credentials dialog, specify the following:
   Password: usera
   Confirm: usera
6. Click OK.

7. Launch the SSO Client Utility from Start -> All Programs -> Microsoft Enterprise Single Sign-On -> SSO Client Utility.
8. Under Affiliate applications, select LABAPP1 and then click Set Credentials.
9. Specify the following in the Set Credentials dialog:
   User Id: user9
   Password: user9
   Confirm: user9
10. Click OK to set the credentials.
11. Click Close to close the SSO Client Utility.
Note: This utility is for end users to optionally manage their own mappings. They can view, create, disable, enable and delete their own mappings for the Affiliate Applications in which they are a member of the Application Users access account. Because you are logged in as fabrikam\donhall, the mapping you just set (fabrikam\donhall -> user9) belongs to donhall.
12. In the SSO Administration snap-in, in the left pane, expand the Affiliate Applications node, right-click LABAPP1 and click Refresh to view the new mapping in the right pane.

MAPPINGS using MAPPING WIZARD

1. In the SSO Administration snap-in, in the left pane under the Affiliate Applications node, right-click LABAPP1 and click Refresh. This displays in the right pane the new mapping that you just created for fabrikam\donhall using the SSO Client Utility.
2. Right-click LABAPP1 and click Create Mappings to launch the Enterprise Single Sign-On Mappings Wizard. This walks you through creating rule-based mappings for the users in the Application Users account.
Note: The rule defined by the administrator is based on the Windows domain name and user name. This is useful only when the external user ID can be constructed from the Windows domain name and user name.

3. In the Mappings Wizard, click Next on the Welcome screen.
4. In the Mappings File Option page, click Next with the default option, Generate New Mappings File, selected.
Note: Use an existing mappings file can be used when a mappings file already exists and you want to create mappings from that file.
5. In the Files Location page, click Validate to verify that these files can be created successfully. Then click Next to go to the next step.
6. In the Accounts page, click Validate to verify the account selected. Validation also provides an estimate of the number of accounts in the group in the Status window. Then click Next.

7. In the External User Name page, specify the following:
   Windows domain name using: Lower case
   Windows user name using: Upper Case
   Append characters: 0 (zero)
   Limit the number of characters: 15
   Example - Windows user name: user2
   Note: The lab gives the Example External user name displayed as fabrikamuser2. With Windows user name set to Upper Case, the rule as stated produces fabrikamUSER2, so go by the value the wizard itself displays in the Example field.
8. Click Next.
9. Click Start in the Generate page to create the mappings file.
10. When the Status indicates Completed, the following values should be shown:
   Number of mappings generated: 5
   Number of errors: 0
11. Note: At this stage, only the mappings file has been generated. The mappings themselves have not been created.
12. Click Next.

13. In the Options page, click View/Edit Mappings File to view the mappings file that will be used to create the mappings. This opens the mappings file in Notepad.
Note: This intermediate stage is available in case the administrator wants to modify mappings in the file.
14. In this case, since mappings already exist for the fabrikam\donhall and fabrikam\user1 accounts, delete the two mapping entries for these accounts from the XML mappings file (each mapping is a separate element; remove the whole element for each).
15. Save the file: click the File menu in Notepad and click Save.
16. Close the file: click the File menu in Notepad and click Exit.
17. Select Set Password (Password) and leave the default, Same as external user name.
Note: Same as external user name makes every generated password equal to the external user ID. That is convenient in a lab but trivially guessable; never use it for real credentials.
18. Select Next.

19. In the Create page of the wizard, click Start to create the new mappings from the mappings file.
20. When the Status indicates Completed, the following values should be shown:
   Number of mappings created: 3
   Number of errors: 0
21. Click Next to go to the Finish screen and then click Finish to exit the wizard.
22. In the SSO Administration snap-in, in the left pane under the Affiliate Applications node, click LABAPP1 to view the newly created mappings in the right pane.
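The Mappings Wizard steps above (External User Name rule, generate file, edit out the users that already have mappings, create) can be modelled end to end. The block below is an added example written for this page; it is not the lab's code or Microsoft's tooling. It assumes: the rule is domain-casing + user-name-casing + appended characters, with "Append characters: 0" read as appending nothing and "Limit the number of characters" read as truncation; the five members of racfusersgrp are a constructed sample chosen to reproduce the lab's counts (5 generated, 3 created after donhall and user1 are removed); and the element names in the generated XML (sso/mapping/windowsDomain/windowsUserId/externalApplication/externalUserId) follow the ssomanage mapping-file layout as I recall it, so verify them against the file the wizard writes. Note that with the lab's settings the rule yields fabrikamUSER2 for user2, which is what the code returns; the lab text shows fabrikamuser2.

```python
"""Rule-based SSO mapping generation, modelled on the Mappings Wizard.

Added example for this page, not from the lab or from Microsoft's tools.
Element names are assumed from the ssomanage mapping-file layout as I recall it.
"""
import xml.etree.ElementTree as ET

# Casing options offered by the wizard's External User Name page.
CASE_RULES = {
    "as is": lambda s: s,
    "lower case": str.lower,
    "upper case": str.upper,
}

# Constructed sample: members of fabrikam\racfusersgrp in the lab VPC,
# sized so the counts match the lab (5 generated, 3 created).
GROUP_MEMBERS = ["donhall", "user1", "user2", "user3", "user4"]
# Users that already have a LABAPP1 mapping before the wizard runs.
EXISTING_MAPPINGS = {"donhall", "user1"}


def external_user_name(domain, user, domain_case="lower case",
                       user_case="upper case", append="", max_len=15):
    """Build the external user ID from a Windows domain and user name.

    Assumption: the length limit truncates rather than rejecting the name.
    """
    name = CASE_RULES[domain_case](domain) + CASE_RULES[user_case](user) + append
    return name[:max_len]


def generate_mappings(domain, users, app, **rule):
    """Step 9 of the wizard: one mapping record per Application User."""
    return [
        {
            "windowsDomain": domain,
            "windowsUserId": user,
            "externalApplication": app,
            "externalUserId": external_user_name(domain, user, **rule),
        }
        for user in users
    ]


def drop_existing(mappings, existing_users):
    """Step 14: remove records for users that already have a mapping.

    Windows user names are case-insensitive, so compare them folded.
    """
    skip = {u.lower() for u in existing_users}
    return [m for m in mappings if m["windowsUserId"].lower() not in skip]


def to_mapping_file(mappings):
    """Serialise records to the XML mappings file (element names assumed)."""
    root = ET.Element("sso")
    for record in mappings:
        node = ET.SubElement(root, "mapping")
        for tag, value in record.items():
            ET.SubElement(node, tag).text = value
    return ET.tostring(root, encoding="unicode")


def parse_mapping_file(text):
    """Read the XML mappings file back into records (what step 19 consumes)."""
    root = ET.fromstring(text)
    return [{child.tag: child.text for child in m} for m in root.findall("mapping")]


if __name__ == "__main__":
    generated = generate_mappings("fabrikam", GROUP_MEMBERS, "LABAPP1")
    print("Number of mappings generated:", len(generated))
    kept = drop_existing(generated, EXISTING_MAPPINGS)
    print("Number of mappings to create:", len(kept))
    print(to_mapping_file(kept))
```

Running the block reproduces the lab's 5-then-3 counts and prints the trimmed mappings file; the round trip through parse_mapping_file is what a script would use to check the edited file before handing it to the create step.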

BIZTALK HTTP ADAPTER CONFIGURATION AND SCENARIO

1. Launch Internet Explorer: click the IE icon next to the Start button.
2. In the browser, under Favorites -> Links -> HTTPSSOSAMPLE, click ValidateUserforSSOSample, or go to http://localhost/ssosampleserverapplication/validateuser.aspx
3. Note: This web site uses Basic Authentication, which means that you need to provide a valid user name and password to connect. Basic Authentication sends the credentials base64-encoded, not encrypted, on every request; that is acceptable against localhost in this lab, but outside a lab it must only be used over HTTPS.
4. When prompted with the logon credentials dialog, specify the following:
   User name: hostuser1
   Password: hostuser1
5. Click OK. You should see the following text displayed:
   Enterprise Single Sign-On validation with BizTalk Server 2006 HTTP Adapter. Welcome 'FABRIKAM\hostuser1'
6. Close the browser: click the File menu and Close.

7. Launch a new instance of Internet Explorer: click the IE icon next to the Start button.
8. In the browser, under Favorites -> Links -> HTTPSSOSAMPLE, click http--localhost-SSOSample, or go to http://localhost/ssosamplebiztalkhttpreceive/btshttpreceive.dll?<message/>
Note: In this case, the same web site is being accessed through BizTalk Server and the HTTP adapters, which are integrated with Enterprise Single Sign-On. You should see the following text displayed:
   Enterprise Single Sign-On validation with BizTalk Server 2006 HTTP Adapter. Welcome 'FABRIKAM\hostuser1'
Note: This time, you were not prompted for any credentials to access the same web site: the HTTP send port looks up the external credentials mapped to your Windows account in its configured Affiliate Application and presents them to the site for you.
9. Launch the BizTalk Server Administration snap-in from Start -> All Programs -> Microsoft BizTalk Server 2006.
10. In the snap-in, in the left pane, go to BizTalk Server 2006 Administration -> BizTalk Group -> Applications -> BizTalk Application 1 and click Send Ports to view the send ports in the right pane.
11. In the right pane, double-click SsoSampleSendPort to view its properties.
12. In the General page, click the Configure button to configure the send port.
13. Go to the Authentication tab and, in the Affiliate Application drop-down, select LABAPP1 to change the affiliate application configured for this send port.
14. Click OK.
15. Click OK.
16. In the BizTalk Server Administration snap-in, in the left pane, go to BizTalk Server 2006 Administration -> BizTalk Group -> Platform Settings and click Host Instances. All the host instances are displayed in the right pane.
17. In the right pane, right-click the BizTalkServerApplication host instance and click Restart. This is so the configuration change is picked up immediately.
18. Launch a new instance of Internet Explorer: click the IE icon next to the Start button.
19. In the browser, under Favorites -> Links -> HTTPSSOSAMPLE, click http--localhost-SSOSample, or go to http://localhost/ssosamplebiztalkhttpreceive/btshttpreceive.dll?<message/>
Note: In this case, the same web site is being accessed through BizTalk Server and the HTTP adapters, which are integrated with Enterprise Single Sign-On. You should see the following text displayed:
   Enterprise Single Sign-On validation with BizTalk Server 2006 HTTP Adapter. Welcome 'FABRIKAM\user9'
Note: This time, the external credentials used to access the web site are the ones mapped for your Windows account (fabrikam\donhall) in Affiliate Application LABAPP1, that is, user9.

SERVER MANAGEMENT

1. In the SSO Administration snap-in, click the Servers node in the left pane. This displays the SSO Servers in the right pane.
2. Right-click the SSO Server (INTSVR1.fabrikam.com) and click Delete. This removes the server from the display.
3. In the left pane, right-click the Servers node and select Discover. This discovers the SSO Servers in the system and adds them to the list of SSO Servers shown in the right pane.
4. In the right pane, right-click the server INTSVR1.fabrikam.com and click Properties to view the properties of this server.
5. Go to the Password Sync tab and select Allow password sync from PCNS and Allow password sync from MIIS.
6. Click OK.
7. In the left pane, under the Servers node, click INTSVR1.fabrikam.com to view the server and system level settings associated with this server in the right pane.


Exercise 2: Enterprise SSO Management Agent

Estimated Time: 30 mins

CREATE ENTSSO MANAGEMENT AGENT

1. Open Identity Manager from Start -> All Programs -> Microsoft Identity Integration Server -> Identity Manager.
2. Click the Management Agents icon. You will notice that three Management Agents already exist.
3. In the Actions pane, click Create to create a new Management Agent.
4. From the Management agent for: drop-down, select Enterprise Single Sign-On (Microsoft).
5. For MA Name, specify ENTSSOMA2.
6. Under Description, specify To manage SSO mappings.
7. Click Next.
8. For Connection Information, specify the following:
   Connect To: INTSVR1
   User: fabrikam\donhall
   Password: donhall
Note: This account must be a member of the SSO Affiliate Administrators or SSO Administrators account.
9. Click Next and continue to click Next through the rest of the steps. On the Finish page, click Finish to create the ENTSSOMA2 Management Agent.
10. In Identity Manager, select the Tools menu and click Options. Verify that Metaverse Rules Extension is enabled and that Rules Extension Name refers to Microsoft.EnterpriseSingleSignOn.ManagementAgent.dll.

RUN MANAGEMENT AGENTS and CREATE SSO MAPPINGS

1. Select ENTSSOMA2 in the Management Agents view. In the Actions pane, select Configure Run Profiles.
2. Verify that a Run Profile called Export exists, and then click OK.

3. In the SSO Administration snap-in, select Affiliate Application app1 in the left pane.
4. In the right pane, select all mappings. Then right-click and click Delete to delete all mappings. Select Yes when prompted to confirm the deletion.
Note: This deletes all mappings for app1 from the SSO Credential Database.
5. Open Windows Explorer from the Start menu and go to C:\Program Files\Microsoft Identity Integration Server\Extensions.
6. Right-click ENTSSO.xml and click Edit to modify this file. It should open in Notepad.
7. Replace the content of the file with the content specified here ->
8. Click the File menu and click Save to save this configuration change.
9. Close the file: click the File menu and click Exit.
Note: The ENTSSO MA reads its configuration from this file.

10. In Identity Manager, in the Management Agents view, select ADMA and then click Delete in the Actions pane.
11. Make sure that Delete Connector Space only is selected. Then click OK to delete the connector space for ADMA.
Important: Do not delete the Management Agent. Only delete the connector space.
Note: Please wait until the clean-up is complete.
12. Repeat the same step for ExternalMA: select ExternalMA, then click Delete to delete the connector space for ExternalMA.
13. Repeat the same step for ENTSSOMA: select ENTSSOMA, then click Delete to delete the connector space for ENTSSOMA.
14. In Identity Manager, in the Management Agents view, select ADMA and then click Run in the Actions pane.
15. Highlight the FullImportandSync run profile and click OK.
Note: This imports data from Active Directory for the fabrikam domain.
Note: The State will indicate Running. Wait until it indicates Idle.
16. Repeat the same steps for ExternalMA: select ExternalMA, select Run, highlight FullImportandSync and click OK.

Note: This imports data from the file located at C:\Program Files\Microsoft Identity Integration Server\MaData\ExternalMA.
17. In Identity Manager, select ENTSSOMA2 in the Management Agents view and click Run in the Actions pane.
18. Highlight the Export run profile and click OK. This creates mappings in the SSO Credential Database for the app1 Affiliate Application.
Note: The State will indicate Running. Wait until it indicates Idle.
19. In SSO Administration, in the left pane, select app1 under the Affiliate Applications node to view the mappings in the right pane.
Note: If you don't see any mappings displayed, right-click app1 in the left pane and click Refresh.

Exercise 3: Password Management

Estimated Time: 30 mins

PREPARE FOR PASSWORD SYNC

1. Open the Active Directory Users and Computers snap-in from Start -> All Programs -> Administrative Tools.
2. Reset the password for the domain account fabrikam\kimakers: select the Users node in the left pane under Active Directory Users and Computers -> fabrikam.com -> Users.
3. In the right pane, select the name Kim Akers, right-click and select Reset Password, and type the following:
   New Password: kimakers
   Confirm Password: kimakers
4. Click OK, and again click OK.
5. Open a Command Prompt from Start -> Command Prompt.
6. Type runas /u:fabrikam\kimakers cmd and press Enter. Specify the password kimakers and press Enter. This launches a command prompt window running under the fabrikam\kimakers account.
7. In this new command prompt window, go to the c:\entsso_tools folder: type cd c:\entsso_tools and press Enter.

8. Clear the Application event log: Start -> Run, type eventvwr and press Enter. Right-click Application in the left pane, click Clear all Events and select No (so the log is cleared without being saved first).
9. Open services.msc: Start -> Run, type services.msc and press Enter.
10. In the right pane, select Password Change Notification Service, right-click and select Start to start the service (if it is not already running).
11. Look under the Application event log to ensure that there are no errors or warnings.
12. Similarly, in services.msc, in the right pane, select ENTSSO Loopback Adapter, right-click and select Start to start the service (if it is not already running).

RUN PASSWORD SYNC FOR ENTERPRISE SSO

1. In the SSO Administration snap-in, in the left pane, expand Password Management and then click ENTSSOLoopbackAdapter. The associated Affiliate Application (affapp2) is listed in the right pane.
2. Under the Affiliate Applications node, select affapp2 and then set credentials for the fabrikam\kimakers mapping. To do this, in the right pane, select FABRIKAM\kimakers, right-click and select Set Credentials.
3. In the Set Credentials dialog, specify the following:
   Password: pwd
   Confirm: pwd
4. Click OK.
5. In the command prompt window running under the fabrikam\kimakers account, type ssocheck getcreds affapp2 to view the external credentials for fabrikam\kimakers associated with affapp2.

6. In the SSO Administration snap-in, under the Affiliate Applications node, select Affiliate Application LABAPP1 in the left pane, right-click and click Properties.
7. Go to the Options tab and select Direct Password Sync from Windows.
8. Click OK.
9. In the command prompt window running under the fabrikam\kimakers account, type ssocheck getcreds labapp1 to view the external credentials for fabrikam\kimakers associated with labapp1.
10. Open the Active Directory Users and Computers snap-in from Start -> All Programs -> Administrative Tools.
11. Select the Users node in the left pane under Active Directory Users and Computers -> fabrikam.com -> Users.
12. In the right pane, select the name Kim Akers, right-click and select Reset Password, and type the following:
   New Password: newpwd
   Confirm Password: newpwd
13. Click OK, and again click OK.
14. In the command prompt window running under the fabrikam\kimakers account, type ssocheck getcreds affapp2 and then ssocheck getcreds labapp1 to view the external credentials for fabrikam\kimakers associated with affapp2 and with labapp1 respectively. Compare the two outputs with what you saw in steps 5 and 9.
15. View the Application event log to see the chain of events that occurred.

UNDERSTAND PASSWORD SYNC CONFIG FOR ENTSSO MA

Note: MIIS and ENTSSO cannot both receive password changes from PCNS on the same computer. Since ENTSSO is already configured to receive changes from PCNS, MIIS cannot receive the password change.

1. Open Identity Manager from Start -> All Programs -> Microsoft Identity Integration Server -> Identity Manager.
2. Select Options under the Tools menu.
3. Select Enable Password Synchronization to enable password sync for MIIS.
4. Select ADMA in the Management Agents view and select Properties in the Actions pane.
5. In the Properties page, select Configure Directory Partitions and select Enable this partition as a password synchronization source.
6. Click Targets and select ENTSSOMA2 to enable it to receive password changes from MIIS. Uncheck ENTSSOMA. Click OK. Click OK on the Properties page.
7. Click ENTSSOMA2 in the Management Agents view, select Properties in the right pane, and click Configure Extensions in the left pane of the Properties page.
8. Make sure Enable password management is selected and then click Settings to specify the connection information for the password extension.
9. In the Connection Settings dialog, specify the following:
   Connect To: INTSVR1.fabrikam.com
   User: fabrikam\ssosvcact
   Password: ssosvcact
Note: This account should match the ENTSSO service account configured on INTSVR1.fabrikam.com.
10. Click OK and again click OK on the Properties page.
11. To disable password sync for MIIS, in Identity Manager, go to the Tools menu, click Options, and deselect Enable Password Synchronization.

HOL: Enterprise Single Sign-On Services 38 12. In SSO Administration, expand Servers node on the left pane, right click INTSVR1.fabrikam.com, and select Properties. 13. Go to Password Sync tab and select Allow password sync from MIIS. 14. In SSO Administration snap-in, on the left pane, click on System, right click and select Properties. Go to Options tab and check that Password Sync is enabled for From Windows to adapters to receive password change from PCNS or MIIS. 15. Click OK.

CONFIGURE PASSWORD FILTER

1. In the SSO Administration snap-in, in the left pane, click Password Management. Then right-click the Password Management node and select Create Filter to launch the Filter Wizard.
2. Click Next in the wizard and specify the Filter Name as LabFilter1 in the General page.
3. Click Next to go to the Basic Filter Options page.
4. In the Basic Filter Options page, specify test$@password as the Original password. Note: this is a sample password, specified so you can see what the output would look like once the filter is defined.
5. In the same page, define the basic filter options as follows:
    a. Set Format to Upper Case.
    b. Specify $#% in the Remove these characters field.
    c. Set Maximum Length to 8.
    Note: The Filtered output field should reflect what the output would look like.
6. Click Next.
7. In the Advanced Filter Options page, specify the characters that need to be substituted:
    a. Specify @ in the Replace these characters field.
    b. Specify 1 in the With these characters field.
    Note: The Filtered result output should reflect this change.
8. Click Create to create the filter.
9. Click Finish in the last page to exit the wizard.
10. In the SSO Administration snap-in, in the left pane, expand Password Management.
11. In the left pane, right-click LabFilter1 and click Assign.
12. Select LABAPP1 from the list of Affiliate Applications in the drop-down.
13. Click OK to make the assignment.
14. Open a Command Prompt from Start -> Command Prompt.
15. Type runas /u:fabrikam\kimakers cmd and press Enter. Specify the password as newpwd and press Enter. This launches a command prompt window that is running under the fabrikam\kimakers account.

16. In this new command prompt window, change to the c:\entsso_tools folder: type cd c:\entsso_tools and press Enter.
17. Open the Active Directory Users and Computers snap-in from Start -> All Programs -> Administrative Tools.
18. Select the Users node in the left pane under Active Directory Users and Computers -> fabrikam.com -> Users.
19. In the right pane, select the name Kim Akers, right-click, select Reset Password and type the following:
    a. New Password: pass$@%word
    b. Confirm Password: pass$@%word
20. Click OK, and again click OK.
21. In the command prompt window that is running under the account fabrikam\kimakers, type ssocheck getcreds labapp1 to view the external credentials for fabrikam\kimakers that are associated with labapp1. Note: The filtered password is returned by SSO for this Affiliate Application.
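As an added example (not code from the lab or from ENTSSO), the following Python models the LabFilter1 transform built in the wizard above and applies it to the two passwords used in this section, so you can predict what ssocheck getcreds labapp1 should return in step 21. The order of operations (format, remove characters, truncate to maximum length, then the advanced substitution) is assumed from the order of the wizard pages.

```python
"""Model of the ENTSSO password filter configured as LabFilter1.

Added example: not the lab's own code. The ordering of the filter
steps below is an assumption based on the wizard's page order.
"""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PasswordFilter:
    """One password filter as configured in the Filter Wizard."""
    name: str
    fmt: str = "none"                      # Format: "upper", "lower" or "none"
    remove_chars: str = ""                 # Basic: Remove these characters
    max_length: Optional[int] = None       # Basic: Maximum Length
    substitutions: Dict[str, str] = field(default_factory=dict)  # Advanced: Replace/With

    def apply(self, password: str) -> str:
        out = password
        if self.fmt == "upper":
            out = out.upper()
        elif self.fmt == "lower":
            out = out.lower()
        # Basic options: strip the listed characters, then cut to the maximum length
        out = "".join(ch for ch in out if ch not in self.remove_chars)
        if self.max_length is not None:
            out = out[: self.max_length]
        # Advanced options: per-character substitution on the remaining text
        return "".join(self.substitutions.get(ch, ch) for ch in out)


# LabFilter1 exactly as the lab defines it
LAB_FILTER1 = PasswordFilter(
    name="LabFilter1",
    fmt="upper",
    remove_chars="$#%",
    max_length=8,
    substitutions={"@": "1"},
)


def filtered_credential(password: str, flt: PasswordFilter = LAB_FILTER1) -> str:
    """Password the affiliate application receives after the filter runs
    on the synced Windows password (assumes the filter is assigned to it)."""
    return flt.apply(password)


if __name__ == "__main__":
    # Wizard sample password and the password set for Kim Akers in step 19
    for pw in ("test$@password", "pass$@%word"):
        print(f"{pw!r} -> {filtered_credential(pw)!r}")
```

Note that the filtered value is upper-cased and cut to 8 characters, so it carries far less entropy than the Windows password it is derived from; keep that in mind when a filter feeds credentials to a back-end system.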

Exit Lab

Once you have completed the lab, close the VPC. When prompted with Close options, select Turn off and delete changes. Click OK.