Setup Guide for AD FS 3.0 on the Apprenda Platform

Last Updated for Apprenda 6.0.3

The Apprenda Platform leverages Active Directory Federation Services (AD FS) to support identity federation. AD FS and the Apprenda Platform can then be configured to authenticate against an external user store (e.g., Active Directory). In Apprenda terminology, AD FS instances that are leveraged and managed by the Apprenda Platform are called AD FS nodes.

For those who may not be familiar with AD FS setup, this guide provides information on configuring AD FS nodes for use with the Apprenda Platform. Setup information is based on scenarios that have been configured and tested by the Apprenda Client Services team.

Notable characteristics of AD FS 3.0:

- AD FS 3.0 is available as a role on Windows Server 2012 R2.
- Although earlier versions of AD FS offered a stand-alone federation server option, AD FS 3.0 can be installed only as a federation server farm. Note that you can set up a farm with only one server (and add servers later as needed).
- AD FS 3.0 configuration requires a domain administrator account. The account is required for setup only and is no longer needed once AD FS setup is complete, but it will be required again if configuration changes must be made in the future (e.g., adding a node to the farm).
- Unlike earlier versions of AD FS, AD FS 3.0 does not require an underlying installation of IIS; the service listens on HTTP.sys directly.

IT professionals who are familiar with AD FS setup and configuration should feel free to forego this guide and configure AD FS nodes to meet the basic Apprenda requirements outlined in the Pre-Installation Checklist, while keeping in accordance with the procedures outlined by their own enterprise IT policy.

Contents

Apprenda AD FS Configuration Pre-requisites
Configuration for an AD FS Federation Server Farm
Install Apprenda with an AD FS Federation Server Farm
Appendix 1: Understanding AD FS Trust Relationships

APPRENDA AD FS CONFIGURATION PRE-REQUISITES

The following should be performed prior to configuring AD FS and installing the Apprenda Platform.

Apprenda Windows App Server Pre-requisites

AD FS nodes will also act as Apprenda Windows Application Servers, as they host the Apprenda Windows Host in order to support the Apprenda Federation WCF service. As such, they must meet all the requirements for Windows Application Servers (including all hardware and software requirements for Apprenda Platform Windows Servers in general) listed in the Pre-Installation Checklist.

Federation Service and Site Name

Each AD FS node runs AD FS under a federation service name, which is also the host name of the site the node serves. For an AD FS Federation Service farm, the service name must be the same across all AD FS nodes. The following form is suggested (where cloudurl is the root URL that will be used in one of the clouds on your Apprenda environment):

identity.cloudurl

If, for instance, the cloudurl planned for one of the clouds on your Apprenda environment is apprenda.fedtest, the suggested identity service and site name would be identity.apprenda.fedtest.

DNS Setup

A DNS A record must be set up that points the identity site name (e.g., identity.cloudurl) to the AD FS node(s). If you will use more than one AD FS node, a load balancer may be used to distribute traffic; alternately, a round-robin DNS setup (one A record per node under the same name) will suffice.

Accounts

Install account

The account under which AD FS is configured must have domain administrator privileges and local administrator privileges on each AD FS node. A check made by the AD FS 3.0 Configuration Wizard (and the related Powershell cmdlets) requires domain administrator privileges and prevents the workarounds to this requirement that were available in earlier versions of AD FS.

AD FS Service account

You will need a dedicated Service Account under which the AD FS service will run on all AD FS nodes. You may use a domain user account or, if supported on your domain, a group Managed Service Account (gMSA; this requires a Windows Server 2012 or later domain controller and a KDS root key in the forest). The account will be granted Log on as a Service rights on the AD FS nodes during the AD FS configuration process, as the AD FS service will log on as this account. It is important that you (or your IT department) ensure that Group Policy settings will not remove the Log on as a Service right from this account: a User Rights Assignment policy that defines this right replaces the local list rather than adding to it, so the account must appear in the policy's list.

Certificates

AD FS requires a certificate for three different purposes:

- SSL certificate (you must provide this)
- Token Signing certificate (can be provided or generated through AD FS)
- Token Decrypting certificate (can be provided or generated through AD FS)

SSL and Root Certificates

You will need an SSL certificate in .pfx format where the CN matches the federation service/site name (e.g., identity.cloudurl) or the CN is a wildcard for the cloudurl of the environment (e.g., *.cloudurl). Unless it is already installed on the AD FS nodes (as is common practice in some enterprise IT environments or when using certificates from a commercial provider), you will also need the root certificate used to issue the SSL certificate. Once you have obtained the certificate(s), the following must be performed on each AD FS node.

Open the MMC Certificate Snap-in:

1. Open MMC (which should be included on all Windows OS).
2. Under File choose Add/Remove Snap-in.
3. Select the Certificates snap-in and click Add.
4. Select Computer account, then click Next.
5. Select Local computer, then click Finish.
6. Click OK to open the snap-in.

Import the SSL certificate:

1. Under Certificates (Local Computer), right-click on the Personal folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next.
2. Use the browse functionality to select the SSL certificate, then click Next.
3. Type the password for the certificate. Select Mark this key as exportable only if you will need to export the certificate with its private key from this node later; an exportable key can be extracted from the store by any local administrator. Click Next.
4. Choose the option to place all certificates in the Personal certificate store and click Next.
5. Click Finish to complete the process. The certificate will now appear in the Personal > Certificates folder.

Grant the AD FS Service Account permission to use the private key for the SSL certificate:

1. Right-click on the SSL certificate and select All Tasks > Manage Private Keys.
2. Add the AD FS Service Account to the list of Group or user names.
3. Grant the account Read permission. Read is all the AD FS service needs in order to use the key; Full control is not required.

Import the root certificate (issuer of the SSL certificate) as a Trusted Certificate Authority:

1. Under Certificates (Local Computer), right-click on the Trusted Root Certification Authorities folder and select All Tasks > Import to open the Certificate Import Wizard. Click Next.
2. Use the browse functionality to select the root certificate, then click Next.
3. Choose the option to place all certificates in the Trusted Root Certification Authorities certificate store and click Next.
4. Click Finish to complete the process. The certificate will now appear in the Trusted Root Certification Authorities > Certificates folder.

Token Signing Certificate and Token Decrypting Certificate

For the Token Signing and Token Decrypting certificates, you may provide certificates (recommended) or you may enable the Automatic Certificate Rollover feature in AD FS, which creates and manages self-signed certificates. When this feature is enabled, AD FS generates new self-signed certificates as the managed certificates approach their expiration date and replaces the old ones. You may specify certificates when configuring the AD FS service.

Depending on your organizational needs, you may choose to use a separate certificate for each certificate type, or you may choose to simply use the AD FS SSL certificate for the Token Signing and Token Decrypting certificates. We recommend using the certificate that will be used as the Apprenda Platform Signing certificate as the AD FS Token Signing certificate. This certificate may also be used for the Token Decrypting certificate. In all cases, be mindful of the expiration dates on the certificates: expired certificates that are not managed by AD FS must be replaced manually, and an expired Token Signing certificate stops every relying party from validating the tokens AD FS issues.

Please Note: The AD FS configuration process will set up a Token Signing certificate as per your specification (either one that you specify or one that is managed by AD FS). After the Apprenda installation completes, however, this certificate will be marked as the Secondary Token Signing certificate, and the Apprenda installer will configure AD FS to use the Apprenda Platform Signing certificate as the Primary Token Signing certificate in AD FS. This is necessary in order for the Apprenda Platform to locate (and therefore control) the certificate that will be used for AD FS Token Signing, so that Apprenda workloads can properly validate the source of the claims they receive.

Importing Additional Certificates

If Automatic Certificate Rollover is disabled and certificates other than the AD FS SSL certificate will be used, they should be imported into the Personal certificate store as per the procedures outlined in the Import the SSL certificate step above. You should also follow the steps outlined in the Grant the AD FS Service Account permission to use the private key section above for each additional certificate.
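The Accounts section above leaves two things to do by hand: create the service account and make sure Group Policy has not taken away its Log on as a Service right. The following Powershell is an added example, not part of the Apprenda guide. It creates a group Managed Service Account for the farm and then checks, on a node, that the account actually holds SeServiceLogonRight in the effective local policy. The account name, node group name and domain are assumptions.

```powershell
# Added example (not part of the Apprenda guide). Run the gMSA part on a machine with the
# ActiveDirectory module as a domain admin; run Test-ServiceLogonRight on each AD FS node.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$gmsaName    = 'svc-adfs'                  # assumed gMSA name; AD FS references it as DOMAIN\svc-adfs$
$nodeGroup   = 'ADFS-Nodes'                # assumed AD group containing the AD FS node computer accounts
$serviceFqdn = 'identity.apprenda.fedtest' # federation service name from the DNS Setup section

# A gMSA needs a KDS root key in the forest. Even with -EffectiveImmediately the key is only
# usable after ~10 hours of replication; do not shortcut this outside a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Create the gMSA. Only the AD FS nodes (via the group) may retrieve its password.
# Install-AdfsFarm registers the host/<service name> SPN on the account during configuration.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $serviceFqdn `
        -PrincipalsAllowedToRetrieveManagedPassword $nodeGroup
}

# On an AD FS node: confirm the account holds Log on as a Service (SeServiceLogonRight) in the
# effective local security policy. A GPO that defines this right replaces the local list, so an
# account missing from the GPO list silently loses the right and the AD FS service fails to start.
function Test-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$AccountName)   # e.g. 'CONTOSO\svc-adfs$'
    $nt  = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
        if (-not $line) { return $false }
        # secedit writes the right as: SeServiceLogonRight = *S-1-5-...,*S-1-5-...
        $entries = ($line -split '[=,]') | ForEach-Object { $_.Trim() }
        return [bool]($entries -contains "*$sid")
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

if (-not (Test-ServiceLogonRight -AccountName "$env:USERDOMAIN\$gmsaName`$")) {
    Write-Warning "$gmsaName lacks SeServiceLogonRight on $env:COMPUTERNAME; fix the User Rights Assignment GPO before running Install-AdfsFarm"
}
```

Run the check after a gpupdate on each node; if it fails on one node but not another, the nodes are in different OUs or the GPO has not replicated yet, and Install-AdfsFarm or Add-AdfsFarmNode will fail on that node.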
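The MMC procedure in the SSL and Root Certificates and Importing Additional Certificates sections above has to be repeated on every node and for every certificate, so it is worth scripting. The Powershell below is an added example, not code from the Apprenda guide: it imports the SSL certificate and the issuing root, grants the service account Read on the private key (the equivalent of Manage Private Keys), and lists the thumbprints that the Install-AdfsFarm commands later in this guide need. The same Grant-PrivateKeyRead function applies to separately provided Token Signing and Token Decrypting certificates and, after the Platform is installed, to the "cloudurl Signing" certificate. File paths and the service account name are assumptions.

```powershell
# Added example (not part of the Apprenda guide): scripted equivalent of the MMC certificate steps.
# Run on each AD FS node as a local administrator. Paths and the account name are assumptions.
$pfxPath        = 'C:\certs\identity.apprenda.fedtest.pfx'  # assumed location of the SSL certificate
$rootCertPath   = 'C:\certs\enterprise-root.cer'            # assumed location of the issuing root certificate
$serviceAccount = 'CONTOSO\svc-adfs$'                       # assumed AD FS service account (gMSA form)

function Grant-PrivateKeyRead {
    # Equivalent of All Tasks > Manage Private Keys > Read for one account. Handles CAPI (CSP)
    # keys stored under RSA\MachineKeys and CNG keys stored under Crypto\Keys.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Account
    )
    if (-not $Certificate.HasPrivateKey) { throw "Certificate $($Certificate.Thumbprint) has no private key in this store" }
    $keyName = $null
    try {
        # On .NET Framework .PrivateKey throws for CNG keys, hence the try/catch.
        if ($Certificate.PrivateKey) {
            $keyName = $Certificate.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        }
    } catch { $keyName = $null }
    if (-not $keyName) {
        # CNG key; RSACertificateExtensions needs .NET 4.6 or later.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        $keyName = $rsa.Key.UniqueName
        $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    }
    $keyPath = Join-Path $keyDir $keyName
    if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }
    # Read is all the AD FS service needs; do not grant Full control.
    icacls $keyPath /grant "${Account}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyPath" }
}

# 1. Import the SSL certificate into Personal (Cert:\LocalMachine\My). -Exportable is deliberately
#    omitted: an exportable key can be pulled out of the store by any local administrator.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$sslCert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 2. Let the service account read the private key; without this the AD FS service cannot bind.
Grant-PrivateKeyRead -Certificate $sslCert -Account $serviceAccount

# 3. Trust the issuing root, unless it is already present.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCertPath
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
    Import-Certificate -FilePath $rootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 4. Repeat step 2 for any separately provided Token Signing / Decrypting certificates, then list the
#    thumbprints for Install-AdfsFarm. These strings carry none of the hidden characters that a copy
#    from the MMC Details tab can include.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

The script refuses to proceed when the key file cannot be located, which is the usual symptom of a certificate imported into the user store instead of the machine store.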

Locating Certificate Thumbprints

Some of the installation steps below require the thumbprint for a certificate. The thumbprint of a certificate can be located as follows:

1. In the MMC Certificate Snap-in, open the Personal > Certificates folder.
2. Right-click on the certificate and select Open.
3. The thumbprint for the certificate is listed on the Details tab. Click on the thumbprint row to view the thumbprint in the lower window (where you can copy it). Remove the spaces, and any invisible character that the MMC copy may prepend, before pasting the value into a Powershell command.

SQL Server or Windows Internal Database

AD FS requires a database to store configuration data. One of the following can be used:

- Recommended: An instance of SQL Server where an AD FS database can be created. The instance must be configured beforehand (preferably as a failover cluster if HA and/or scale is a concern). The following account permissions are required to use this option:
  o The account used to install/configure AD FS must have permissions to create the necessary AD FS configuration databases and grant permissions to the AD FS service account. This can be achieved by granting the account the SQL Server sysadmin role for the duration of the AD FS installation; remove the role afterwards.
  o The AD FS Service Account must be given access to the SQL Server instance; it will be granted permission to read the necessary AD FS configuration databases.
  o The SQL instance must be configured to Allow Remote Connections.
- Windows Internal Database, which is included with the AD FS installation. It should be noted that this option limits the total number of servers allowed in an AD FS farm to five.

SQL Server is recommended as it offers HA and scalability when a failover cluster is used. It also allows for future addition/removal of AD FS nodes by removing ties to a Windows Internal Database instance on a given AD FS node. For this reason, the Windows Internal Database option should be used only in lab environments where upgrading to a different version of AD FS will not be a concern.

As per Microsoft's documentation, the following versions of SQL Server can be used with AD FS 3.0:

- SQL Server 2008 / 2008 R2
- SQL Server 2012
- SQL Server 2014

AD FS 3.0 Installed

AD FS 3.0 is available on Windows Server 2012 R2 only. To install, simply add the Active Directory Federation Services role through Server Manager. Please note that all AD FS nodes within an AD FS federation server farm must run the same version of AD FS.

CONFIGURATION FOR AN AD FS FEDERATION SERVER FARM

The instructions below outline the configuration steps for an AD FS farm using SQL Server for the AD FS configuration database.

Checklist:

- DNS entry or entries have been configured.
- A dedicated AD FS Service Account has been created; Group Policy grants (or at least does not remove) this account's Log on as a Service right.
- Credentials for a domain administrator account that can be used to configure AD FS are on hand; this user should also have local administrator privileges on the AD FS nodes.
- A dedicated SQL instance for the AD FS configuration DB has been set up.
  o The install user has sysadmin permissions for the duration of AD FS installation and configuration.
  o The AD FS Service Account has read access to the instance.
- All certificates you will use are installed on the machine as noted above.
- The thumbprint for the identity SSL certificate you will use (see the Certificates section above) is on hand. If you will specify the Token Signing and Token Decrypting certificates yourself (the Powershell option below), their thumbprints are also on hand.
- AD FS has been installed on all AD FS nodes.

Install the First Node in the Federation Farm

PERFORM INITIAL AD FS CONFIGURATION STEPS

The initial AD FS configuration for the first node of a federation farm can be performed through the AD FS GUI Wizard or via AD FS Powershell commands. Both options are described below.

Initial Configuration Option 1: AD FS GUI Wizard

The AD FS GUI Wizard can be used to configure the initial AD FS node. Use this option only if you want AD FS to manage the Token Signing and Token Decrypting certificates. If you want to specify the Token Signing and Token Decrypting certificates, use the Powershell option below.

1. Launch the AD FS Configuration Wizard. This can be done through the Configure the federation service on this server option under the Notifications flag in the Server Manager console.

2. Select Create the first federation server in a federation server farm and click Next.
3. If the executing user (the user account under which you logged in to the server) is not a domain administrator, provide the credentials for an account that has domain administrator privileges and then click Next.

4. Specify the AD FS Service Properties:
   a. Select the certificate that will be used for the identity SSL certificate.
   b. If the certificate CN has a wildcard prefix (i.e., *.cloudurl), adjust the Federation Service Name so that it matches the name for which the DNS entry was configured (e.g., identity.cloudurl). If the certificate does not have a wildcard prefix (i.e., identity.cloudurl), the Federation Service Name will update automatically to match the CN of the SSL certificate.
   c. Specify a friendly name for the Federation Service Display Name.
   d. Click Next.
5. Select Use an existing domain user account or group Managed Service Account. Specify the credentials for the AD FS Service Account you will use and click Next.
6. Select Specify the location of a SQL Server database.
   a. In the Database Host Name field, type the name of the server that houses the SQL Server instance that will host the AD FS configuration databases.
   b. If using a named instance (i.e., not the default instance), type the instance name in the Database Instance field.
   c. Click Next.

7. The Wizard will now summarize the options; review these options, and use the Previous buttons in the installer to make changes if anything is amiss. If you wish, you may click on the View script button in order to export a Powershell script that can be used for automating additional installations. Click Next.
8. The Wizard will now run a series of pre-requisite checks in order to validate your configuration options. Once it has passed successfully, the Configure button will become enabled. Click on the Configure button to complete the installation.
9. Proceed to the Finalize AD FS Service Configuration section below.

Initial Configuration Option 2: Powershell

The initial AD FS node may alternately be configured using AD FS Powershell commands. The examples below specify the Token Signing and Token Decrypting certificates. If you prefer to let AD FS manage these certificates, simply omit the -SigningCertificateThumbprint and -DecryptionCertificateThumbprint parameters. Please note that full documentation on AD FS Powershell cmdlets can be found at https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx

OPTION 2A: IF THE AD FS SERVICE ACCOUNT IS A DOMAIN ACCOUNT

1. Open Powershell as a user with Domain Administrator privileges.
2. Run the following command, which will prompt you to enter the credentials for the AD FS Service Account user:

   $fscredential = Get-Credential

3. Update the following command by replacing the XX placeholders with the values specific to your AD FS setup:

   Install-AdfsFarm -CertificateThumbprint XX -FederationServiceName XX -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=SQLHost;Integrated Security=True" -SigningCertificateThumbprint XX -DecryptionCertificateThumbprint XX -OverwriteConfiguration

   - -CertificateThumbprint is the thumbprint of the identity SSL certificate.
   - -FederationServiceName should be the name of the service (identity.cloudurl).
   - $fscredential will retrieve the AD FS Service Account information stored in the previous command.
   - SQLHost corresponds to the SQL Server instance in which the AD FS databases will be stored.

   NOTE: -OverwriteConfiguration will wipe any existing AD FS database that you already have in the specified SQL Server instance. Confirm that the instance holds no AD FS configuration you still need before running the command.

   Example:

   Install-AdfsFarm -CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -FederationServiceName identity.apprenda.fedtest -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -SigningCertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -DecryptionCertificateThumbprint cf2e5064c521d625c8d53536bc98aa8e08f5f2ad -OverwriteConfiguration

4. Run the updated command.
5. Proceed to the Finalize AD FS Service Configuration section below.

OPTION 2B: IF THE AD FS SERVICE ACCOUNT IS A GROUP MANAGED SERVICE ACCOUNT

1. Open Powershell as a user with Domain Administrator privileges.
2. Update the following command by replacing the XX placeholders with the values specific to your AD FS setup:

   Install-AdfsFarm -CertificateThumbprint XX -FederationServiceName XX -GroupServiceAccountIdentifier DOMAIN\Account$ -SQLConnectionString "Data Source=SQLHost;Integrated Security=True" -SigningCertificateThumbprint XX -DecryptionCertificateThumbprint XX -OverwriteConfiguration

   - -CertificateThumbprint is the thumbprint of the identity SSL certificate.
   - -FederationServiceName should be the name of the service (identity.cloudurl).
   - -GroupServiceAccountIdentifier specifies the AD FS Service Account; for a gMSA, include the trailing $ of the account's sAMAccountName.
   - SQLHost corresponds to the SQL Server instance in which the AD FS databases will be stored.

   NOTE: -OverwriteConfiguration will wipe any existing AD FS database that you already have in the specified SQL Server instance.

   Example:

   Install-AdfsFarm -CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -FederationServiceName identity.apprenda.fedtest -GroupServiceAccountIdentifier CONTOSO\GroupAccount01$ -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -SigningCertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed -DecryptionCertificateThumbprint cf2e5064c521d625c8d53536bc98aa8e08f5f2ad -OverwriteConfiguration

3. Run the updated command.
4. Proceed to the Finalize AD FS Service Configuration section below.

FINALIZE AD FS SERVICE CONFIGURATION FOR THE FIRST NODE

1. Open the AD FS Management console and click on Edit Federation Service Properties.
2. Change the Federation Service identifier to match the following pattern (the final slash is critical; the identifier is compared as an exact string by relying parties):

   https://identity.cloudurl/adfs/

3. Click on Apply when done.
4. Restart the Federation Service via the Windows Services window. It is listed as Active Directory Federation Services.

Join Additional Nodes to the Federation Server Farm

Additional AD FS nodes can be joined to an existing Federation Server Farm through the AD FS GUI Wizard or via AD FS Powershell commands. Both options are described below.

Join Additional Nodes to the Federation Server Farm Option 1: AD FS GUI Wizard

1. Launch the AD FS Configuration Wizard. This can be done through the Configure the federation service on this server option under the Notifications flag in the Server Manager console.

2. Select Add a federation server to a federation server farm and click Next.
3. If the executing user (the user account under which you logged in to the server) is not a domain administrator, provide the credentials for an account that has domain administrator privileges and then click Next.
4. Select Specify the database location for an existing farm using SQL Server.
   a. In the Database Host Name field, type the name of the server that houses the SQL Server instance that hosts the AD FS configuration databases.
   b. If using a named instance (i.e., not the default instance), type the instance name in the Database Instance field.
   c. Click Next.
5. Select the certificate that will be used for the identity SSL certificate. Click Next.
6. Select the AD FS Service Account (the same account that was used for the first node in the farm). As needed, type in the password for the account. Click Next.
7. The Wizard will now summarize the options; review these options, and use the Previous buttons in the installer to make changes if anything is amiss. If you wish, you may click on the View script button in order to export a Powershell script that can be used for automating additional installations. Click Next.
8. The Wizard will now run a series of pre-requisite checks in order to validate your configuration options. Once it has passed successfully, the Configure button will become enabled. Click on the Configure button to complete the installation.
9. Open the AD FS Management console and confirm that the Federation Service Identifier matches the value set on the first node (see Finalize AD FS Service Configuration for the First Node above). The identifier lives in the shared configuration database, so a mismatch here means the node joined a different farm or database than intended.
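The Finalize steps above and the confirmation step that closes each join procedure can both be done from Powershell, which also makes it easy to re-run the checks on every node. The script below is an added example, not code from the Apprenda guide: it sets the identifier only when it differs from the expected value (so it is safe to run on joined nodes, where the shared configuration database already carries it), then verifies the identifier, the federation service name, the primary certificates and their expiry, and the service state. The cloudurl value is an assumption.

```powershell
# Added example (not part of the Apprenda guide): Powershell form of the Finalize steps plus
# post-join checks. Run on each AD FS node as a domain admin. cloudurl is an assumption.
Import-Module ADFS

$cloudUrl   = 'apprenda.fedtest'                   # assumed cloudurl
$expectedId = "https://identity.$cloudUrl/adfs/"   # the trailing slash is part of the identifier

# Finalize: only the first node needs this; on joined nodes the value already matches.
if ([string](Get-AdfsProperties).Identifier -ne $expectedId) {
    Set-AdfsProperties -Identifier $expectedId
    Restart-Service adfssrv
}

function Test-AdfsNodeConfiguration {
    param(
        [Parameter(Mandatory)][string]$ExpectedIdentifier,
        [int]$ExpiryWarningDays = 30
    )
    $problems = @()
    $props = Get-AdfsProperties

    # Exact string comparison: "https://identity.cloudurl/adfs" (no slash) is a different identifier
    # and every relying party configured with the slashed form would reject the tokens.
    if ([string]$props.Identifier -ne $ExpectedIdentifier) {
        $problems += "Identifier is '$($props.Identifier)', expected '$ExpectedIdentifier'"
    }
    $expectedHost = $ExpectedIdentifier -replace '^https://([^/]+)/.*$', '$1'
    if ($props.HostName -ne $expectedHost) {
        $problems += "Federation service name '$($props.HostName)' does not match identifier host '$expectedHost'"
    }

    # Exactly one primary certificate per type, and nothing close to expiry. An expired
    # Token-Signing certificate stops every relying party from validating tokens.
    foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        $certs   = @(Get-AdfsCertificate -CertificateType $type)
        $primary = @($certs | Where-Object IsPrimary)
        if ($primary.Count -ne 1) { $problems += "$type has $($primary.Count) primary certificates" }
        foreach ($c in $certs) {
            if ($c.Certificate.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
                $problems += "$type certificate $($c.Thumbprint) expires $($c.Certificate.NotAfter)"
            }
        }
    }

    if ((Get-Service adfssrv).Status -ne 'Running') { $problems += 'adfssrv is not running' }
    return $problems
}

$issues = Test-AdfsNodeConfiguration -ExpectedIdentifier $expectedId
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "AD FS configuration OK on $env:COMPUTERNAME" }
```

After the Apprenda installer has run, the Token-Signing check should report the "cloudurl Signing" certificate as primary and the certificate chosen during AD FS configuration as secondary; the expiry warning is the practical way to catch a provided (non-rollover) certificate before it lapses.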

Join Additional Nodes to the Federation Server Farm Option 2: Powershell

Please note that full documentation on AD FS Powershell cmdlets can be found at https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx

OPTION 2A: IF THE AD FS SERVICE ACCOUNT IS A DOMAIN ACCOUNT

1. Open Powershell as a user with Domain Administrator privileges.
2. Run the following command, which will prompt you to enter the credentials for the AD FS Service Account user:

   $fscredential = Get-Credential

3. Update the following command by replacing the XX placeholder with the value specific to your AD FS setup:

   Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=SQLHost;Integrated Security=True" -CertificateThumbprint XX

   - $fscredential will retrieve the AD FS Service Account information stored in the previous command.
   - SQLHost corresponds to the SQL Server instance in which the AD FS databases are stored.
   - -CertificateThumbprint is the thumbprint of the identity SSL certificate installed on this node. The federation service name is not a parameter here; the node reads it from the shared configuration database.

   Example:

   Add-AdfsFarmNode -ServiceAccountCredential $fscredential -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed

4. Run the updated command.
5. Open the AD FS Management console and confirm that the Federation Service Identifier matches the value set on the first node (see Finalize AD FS Service Configuration for the First Node above).

OPTION 2B: IF THE AD FS SERVICE ACCOUNT IS A GROUP MANAGED SERVICE ACCOUNT

1. Open Powershell as a user with Domain Administrator privileges.
2. Update the following command by replacing the XX placeholder with the value specific to your AD FS setup:

   Add-AdfsFarmNode -GroupServiceAccountIdentifier DOMAIN\Account$ -SQLConnectionString "Data Source=SQLHost;Integrated Security=True" -CertificateThumbprint XX

   - -GroupServiceAccountIdentifier specifies the AD FS Service Account (the same gMSA that was used for the first node, including the trailing $).
   - -CertificateThumbprint is the thumbprint of the identity SSL certificate installed on this node.

   - SQLHost corresponds to the SQL Server instance in which the AD FS databases are stored.

   Example:

   Add-AdfsFarmNode -GroupServiceAccountIdentifier CONTOSO\GroupAccount01$ -SQLConnectionString "Data Source=Server01\Instance01;Integrated Security=True" -CertificateThumbprint 8169c52b4ec6e77eb2ae17f028fe5da4e35c0bed

3. Run the updated command.
4. Open the AD FS Management console and confirm that the Federation Service Identifier matches the value set on the first node (see Finalize AD FS Service Configuration for the First Node above).

INSTALL APPRENDA WITH AN AD FS FEDERATION SERVER FARM

At this point we have configured the federation portion of the installation. Let's go ahead and install the Platform. Because the installer is not designed to accommodate a Federation Server Farm, we will do the following:

- Select all AD FS nodes as Application Servers, which will install and configure the Windows Host service.
- Configure the first AD FS node in the Federation Server Farm as the Apprenda Managed AD FS Host.
- Manually configure the remaining AD FS nodes as Apprenda Managed AD FS Hosts.

Configure AD FS Nodes as Application Servers in the Apprenda Installer

1. Open the Apprenda Installer.
2. Select the Install option.
3. Select Multi Server and Show Advanced Options.
4. Fill out the necessary information until you reach the What Servers Should We Start Off With? page.
5. In addition to your environment's other servers, be sure to add all AD FS nodes as Application Servers.

Configure the first AD FS Node as an Apprenda Managed AD FS Host

1. Continue and fill out the necessary information until you reach the Apprenda Security page.
2. Do not select Require Authorization to access the System Operations Center (SOC); leaving this off at install time permits authentication troubleshooting without locking yourself out of the SOC. Until it is re-enabled, the SOC is reachable without authorization, so re-enable SOC Authorization as soon as you have confirmed that federated sign-in works.
3. Fill out the Federation Information as follows:
   a. Apprenda Managed ADFS Host is the name of the first AD FS node in the farm.
   b. The endpoint is the Federation Service Identifier configured in AD FS.

4. Complete the Apprenda installation.

Grant the AD FS Service Account permission to use the private key for the Apprenda Platform Signing Certificate

Apprenda Platform installation will add the Apprenda Signing certificate to the certificate store on the AD FS nodes. The AD FS Service Account must have Read permission on the private key for this certificate, since AD FS will sign tokens with it. Perform the following on all AD FS nodes.

Open the MMC Certificate Snap-in (Computer account, Local computer), as described in the SSL and Root Certificates section above.

Grant the AD FS Service Account permission to use the private key for the Apprenda Platform Signing certificate:

1. Under Certificates (Local Computer), open the Personal > Certificates folder and locate the Apprenda Platform Signing certificate. Its name should match the pattern "cloudurl Signing" (e.g., "apprenda.fedtest Signing").
2. Right-click on the Apprenda Signing certificate and select All Tasks > Manage Private Keys.
3. Add the AD FS Service Account to the list of Group or user names.
4. Grant the account Read permission.

Manually configure the remaining AD FS Nodes

Repeat these steps for each additional AD FS node in the farm.

Copy Apprenda AD FS Artifacts to the New AD FS Nodes

1. On the first AD FS node, you will find an AdfsBootstrapper directory in the Apprenda install drive\folder (by default, C:\ApprendaPlatform).
2. Copy the AdfsBootstrapper folder to the ApprendaPlatform folder on the additional AD FS node.
3. On the additional AD FS node, look in the AdfsBootstrapper\AttributeStore3.0 folder and locate Apprenda.Federation.AttributeStore.3.0.dll.
4. Copy Apprenda.Federation.AttributeStore.3.0.dll to the C:\Windows\ADFS directory.
5. Restart the AD FS service.

Update the SaaSGrid Core DB

1. Connect to the SaaSGrid Core DB (you can use the install credentials).
2. Look in the Artifact_Host table and get the ID for the additional node.
3. In the Host_Tag table, add a row where host_id = the ID of the new node from the Artifact_Host table and tag_id = 3.
4. In the SOC, deploy the federation service to the additional node.

Optional: Configure Application Deployment Policy

If desired, move any unneeded services off the federation nodes and set up a deployment policy that allows only the federation service.

APPENDIX 1: UNDERSTANDING AD FS TRUST RELATIONSHIPS

AD FS uses trust relationships to manage how claims are accepted and issued (see Microsoft's AD FS documentation for an explanation of the types of trusts and related terminology used in AD FS). Below is a list of AD FS trust relationships that are either created by Apprenda or must be created manually for certain Apprenda Platform authentication configurations to work. It should be noted that the existing trust relationships for an AD FS instance can be viewed in AD FS Manager under the Trust Relationships folder.

Trust Relationships Created at Apprenda Platform Installation/UI Deployment

Claims Provider Trust (created by Apprenda)

When the Apprenda Platform is installed on an environment with AD FS nodes, the installer creates a Claims Provider Trust between the AD FS nodes and the Apprenda Platform. The trust is located on the Apprenda AD FS nodes:

- Location: Apprenda AD FS nodes.
- Type: Claims Provider Trust.
- Display Name: Apprenda
- The claim provider's federation metadata field points to a URL that is dynamically generated by the Apprenda Platform's authentication UI (and depends on the subdomain and cloudurl configured for the Platform):
  o Format: https://subdomain.cloudurl/authentication/federationmetadata.xml
  o Example: https://apps.apprenda.fedtest/authentication/federationmetadata.xml

Relying Party Trusts (created by Apprenda)

When each UI is deployed on the Apprenda Platform (either as part of the Apprenda Platform portals or as part of a guest application), a corresponding Relying Party Trust is created on the Apprenda AD FS nodes.

- Location: Apprenda AD FS nodes.
- Type: Relying Party Trust.
- The Display Name will typically correspond to the URL of the UI.

Trust Relationships for Configuring Apprenda to Work with a Secure Token Service

After installation of the Apprenda Platform with AD FS is complete, it is typically configured to work with a Secure Token Service (STS). This involves the following trust relationships.
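A quick inventory of the trusts this appendix describes (the installer-created Apprenda trusts above and the STS-related trusts covered in the next sections), run on an Apprenda AD FS node, so a drifted or tampered metadata URL stands out. This is an added example, not part of the Apprenda guide; it assumes the ADFS PowerShell module is available, and the subdomain and cloudurl defaults are placeholders.

```powershell
# Added example (not from the Apprenda guide): list AD FS claims provider and relying
# party trusts on an Apprenda AD FS node and flag metadata URLs that are not where the
# Platform would have put them. Subdomain/cloudurl defaults are placeholders.
param(
    [string]$Subdomain = 'apps',
    [string]$CloudUrl  = 'apprenda.fedtest'
)
Import-Module ADFS
$apprendaMetadata = "https://$Subdomain.$CloudUrl/authentication/federationmetadata.xml"

$report = @(foreach ($cpt in Get-AdfsClaimsProviderTrust) {
    $url = if ($cpt.MetadataUrl) { $cpt.MetadataUrl.AbsoluteUri } else { $null }
    $status = switch ($cpt.Name) {
        # Installer-created trust: must point at the Platform's own metadata document.
        'Apprenda'          { if ($url -ieq $apprendaMetadata) { 'ok' } else { "MISMATCH (expected $apprendaMetadata)" } }
        # Platform-wide federation: points at the STS metadata entered in the SOC.
        'Apprenda Platform' { if ($url) { 'platform-wide STS; verify against the SOC User Store page' } else { 'NO METADATA URL' } }
        # Anything else is a per-tenant STS trust (display name = tenant alias) or unknown.
        default             { 'tenant STS trust or not created by Apprenda; review' }
    }
    [pscustomobject]@{ Kind = 'ClaimsProvider'; Name = $cpt.Name; Enabled = $cpt.Enabled; MetadataUrl = $url; Status = $status }
})

$report += @(foreach ($rpt in Get-AdfsRelyingPartyTrust) {
    $url = if ($rpt.MetadataUrl) { $rpt.MetadataUrl.AbsoluteUri } else { $null }
    # Apprenda-created relying parties are the Platform's own UIs, so their identifiers
    # live under cloudurl; others (e.g., the manually created STS trust) do not.
    $underCloud = @($rpt.Identifier | Where-Object { $_ -like "*$CloudUrl*" }).Count -gt 0
    $status = if ($underCloud) { 'ok (Platform UI)' } else { 'outside cloudurl; manually created or review' }
    [pscustomobject]@{ Kind = 'RelyingParty'; Name = $rpt.Name; Enabled = $rpt.Enabled; MetadataUrl = $url; Status = $status }
})

$report | Sort-Object Kind, Name | Format-Table -AutoSize
```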

Claims Provider Trust (created by Apprenda)

PLATFORM-WIDE FEDERATION (WITH A SINGLE STS):

Platform-wide federation (typically used to federate against a single external user store) is configured through the User Store page in the System Operations Center. Part of the setup entails entering the federation metadata URL for the STS in the appropriate input box or uploading a metadata file. The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL or file:

- Location: Apprenda AD FS nodes.
- Type: Claims Provider Trust.
- Display Name: Apprenda Platform
- The claim provider's federation metadata field points to the metadata URL for the Secure Token Service (if a metadata file is used, the URL information is extracted from the file).

ACCOUNT-LEVEL FEDERATION (WITH ONE STS PER TENANT):

The Apprenda Platform can be configured to allow each Tenant account to authenticate against a different STS. In such cases, federation for each Tenant is configured through the Account Portal, where the federation metadata URL for the STS must be entered into the appropriate input box. The Platform will create a Claims Provider Trust on the Apprenda AD FS nodes using the information from the STS metadata URL:

- Location: Apprenda AD FS nodes.

- Type: Claims Provider Trust.
- Display Name: the Tenant alias of the corresponding Tenant account.
- The claim provider's federation metadata field points to the metadata URL for the STS.

Relying Party Trusts (must be created manually)

In most cases a Relying Party Trust must be manually configured between the Apprenda AD FS nodes and the STS. Although the setup process varies depending on the STS used, instructions for configuring a Relying Party Trust in AD FS can be found in Microsoft's online documentation: https://technet.microsoft.com/en-us/library/dn486828.aspx

Typically, your organization will already have an STS in place (along with administrators practiced in managing it). If this is the case, provide your STS administrator with the metadata URL for the Apprenda AD FS nodes, which can be found in the Configure Identity Federation section of the User Store page in the System Operations Center (for Platform-wide Federation):