ADFS20 Federated Authentication step lab environment issue you will run into ( and the solution )

first a note: I know this is the Azure user group but just like everyone has their own pronunciation of the word Azure... I have my own definition or vision of what Azure is. Azure is the core of a software + services platform. At this point in the game you might be saying DUH.. Whatever. Well let me just whatever your whatever lol.
Azure = S+S = ( Azure Cloud, ServiceBus, Identity Metasystem (ACS/WIF/ADFS20/CardSpace etc), Dublin, WCF, WF, REST, Silverlight, the browser, ASP.NET and of course the .NET Framework )
It's also a set of architectural patterns on top of these technical elements that include SOA, n-tier app dev and all the message-based patterns you used in BizTalk Server.
and finally it will be this forthcoming modeling layer that sits on top of EVERYTHING I just mentioned.

and now on to the real reason for this post...
ADFS20 Federated Authentication step lab environment issue you will run into ( and the solution )

there is a document called HowToSetupGenevaServerFederatedCollaborationTestLabEnvironment.pdf
it's about 40 pages long and supposed to take 4 hours to complete (YEAH RIGHT!)

anyway.
I've run through this document for Geneva Beta 1, Beta 2 and the RC.
the last step of setting up this lab, step 8 on page 39, talks about obtaining
a certificate from the CA and setting its private key PIN.

but when you try to request a User certificate, the MMC barks at you saying that it cannot access the
certificate revocation service.
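Before changing anything on the CA it helps to see which revocation endpoint the client is actually failing on, because "cannot access the certificate revocation service" covers several different root causes (no CRL published yet, CDP URL unreachable, DNS, firewall). The following PowerShell is an added example, not code from the original post or the Geneva lab guide; it forces the same online revocation check the enrollment wizard performs and then tries each CRL Distribution Point URL found in the chain. The certificate path is a placeholder.

```powershell
# Added example (not from the original post): report which revocation endpoints
# a certificate chain depends on and whether this machine can reach them.
# Assumes a .cer file exported from the lab CA; the path used below is a placeholder.
Add-Type -AssemblyName System.Security

function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
    # renders it as text containing lines such as "URL=http://ca1/CertEnroll/ca1.crl".
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -notmatch '^https?://') {
        # ldap:/// CDPs are resolved through the domain; they are listed but not fetched here.
        return [pscustomobject]@{ Url = $Url; Reachable = $null; Detail = 'ldap CDP (needs domain connectivity; not fetched)' }
    }
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        [pscustomobject]@{ Url = $Url; Reachable = ($status -eq 200); Detail = "HTTP $status" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Test-CertRevocationAccess {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online revocation check of the whole chain, as the enrollment wizard does.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($cert)

    $report = [ordered]@{
        Subject           = $cert.Subject
        ChainBuilt        = $built
        ChainStatus       = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        # These two statuses are what Windows reports when the CRL could not be retrieved at all.
        RevocationUnknown = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'RevocationStatusUnknown|OfflineRevocation' })
        Endpoints         = @()
    }
    # Walk every certificate in the chain; a self-signed root normally carries no CDP and adds nothing.
    foreach ($element in $chain.ChainElements) {
        foreach ($url in Get-CrlDistributionPoint -Certificate $element.Certificate) {
            $report.Endpoints += Test-CrlUrl -Url $url
        }
    }
    [pscustomobject]$report
}

# Usage (placeholder path): export the CA certificate from the MMC and point at it.
# Test-CertRevocationAccess -CertPath 'C:\lab\ca1-root.cer' | Format-List
```

If `RevocationUnknown` is true and every HTTP endpoint reports an error or a non-200 status, the client cannot fetch the CRL and no amount of firewall fiddling on the client will help until the CA publishes one at a reachable URL. The one-liner `certutil -verify -urlfetch C:\lab\ca1-root.cer` gives the same information in the built-in tool's own format.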

I'm sure there are a lot of people like me who were ( or are ) total newbs when it comes to PKI, CRLs, CAs, certificates, heck maybe even Active Directory Group Policy.

But these things are VERY important when setting up this new world of claims-based authentication because they all come into play to enable the infrastructure to do the Client, STS, Relying Party dance.

so what happened in the lab demo?
how do you fix a certificate revocation service access problem?
The first thing I did was turn off all my firewalls.
That didn't work.
Then I remembered the previous labs where I had to actually configure something in the CA and then in Active Directory.
seems like these steps were left out of the HowToSetupGenevaServerFederatedCollaborationTestLabEnvironment.pdf
for ADFS20 RC.

but here they are for your pleasure.

please replace the appropriate names for the ones in your environment; I'm not going to sit here and make this perfect for you lol.

Push user certificates to the servers
Configure Group Policy on both the sts1 and sts2 VM computers using the following procedure.

To push computer certificates to the servers
1. Log on to sts1 and sts2
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
5. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
6. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
7. Click Finish, and then click OK.
8. Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.
9. Double-click Certificate Services Client - Auto-Enrollment. In Configuration Model, select Enabled.
10. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
11. Select the Update certificates that use certificate templates check box, and then click OK.
12. In the Default Domain Policy console, expand the following path: User Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.
13. Double-click Certificate Services Client - Auto-Enrollment. In Configuration Model, select Enabled.
14. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
15. Select the Update certificates that use certificate templates check box
16. Select the Expiration notification check box, and then click OK.
17. Leave this snap-in open and move to the next procedure.


Configure certificate templates
Configure the domain user certificates in AD CS on the sts1 and sts2 VM computers using the following procedure.

To configure certificate templates
1. Log on to sts1 and sts2
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
4. In Available snap-ins, double-click Certification Authority. Select the certification authority (CA) that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning you to the Add or Remove Snap-ins dialog box.
5. In Available snap-ins, double-click Certificate Templates, and then click OK.
6. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
7. In the details pane, right-click the Web Server template, and then click Properties.
8. On the Security tab, click Add, in the Enter the object names to select text box type Domain Computers, and then click OK.
9. In Permissions for Domain Computers, under Allow, select the Read and Enroll check boxes, and then click OK.
10. On the Security tab, click Add, in the Enter object names to select text box type Domain Controllers, and then click OK.
11. In Permissions for Domain Controllers, under Allow, select the Read and Enroll check boxes, and then click OK.
12. In the details pane, right-click the User template, and then click Duplicate Template.
13. In the Duplicate Template dialog box, select Windows Server 2003, Enterprise Edition, and then click OK.
14. On the General tab, in Template display name, type Geneva Users.
15. On the Subject Name tab, unselect the Include e-mail name in subject name and E-mail name check boxes.
16. On the Request Handling tab, make sure that the Allow private key to be exported check box is selected.
17. Click the Security tab. In Group or user names, click Domain Users.
18. In Permissions for Domain Users, under Allow, select the Enroll and Autoenroll permission check boxes, and then click Add.
19. In the left pane of the Microsoft Management Console (MMC), double-click Certification Authority, double-click the CA name, and then click Revoked Certificates.
20. Right-click Revoked Certificates, and then click Properties.
21. On the CRL Publishing Parameters tab, set the CRL publishing interval to 2 years and clear the Publish Delta CRLs check box, and then click OK.
22. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
23. Click Geneva Users from the list, and then click OK.
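The two procedures above are click-through MMC steps. The following PowerShell is an added example, not part of the original post or the Geneva lab guide, that performs the same changes from the CA server: the auto-enrollment policy for both Computer and User Configuration (steps 9 to 16 of the first procedure), the Read/Enroll permissions on the templates (steps 7 to 11 and 17 to 18), the 2-year base CRL with delta CRLs disabled (steps 19 to 21), and adding the template to the CA's issue list (steps 22 to 23). Domain, GPO and principal names are placeholders; the duplicated "Geneva Users" template itself (steps 12 to 16) is still created in the Certificate Templates console, and the script assumes its template name is `GenevaUsers`, which is what the console derives from that display name.

```powershell
# Added example (not from the original post or the lab guide). Run on the CA as an
# enterprise admin. CONTOSO / contoso.com, the GPO name and the template cn are placeholders.
Import-Module GroupPolicy   # provides Set-GPRegistryValue (Windows Server 2008 R2 and later)

$GpoName     = 'Default Domain Policy'   # GPO edited in the first procedure
$NetbiosDom  = 'CONTOSO'                 # placeholder lab domain
$NewTemplate = 'GenevaUsers'             # assumed cn of the duplicated "Geneva Users" template

# --- Auto-enrollment (first procedure, steps 9-16) ---------------------------------
# AEPolicy = 7 is the value the GPO editor writes when both "Renew expired certificates,
# update pending certificates, and remove revoked certificates" and "Update certificates
# that use certificate templates" are checked. HKLM = Computer Configuration, HKCU = User Configuration.
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $GpoName -Key "$hive\$aeKey" -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}

# --- Template permissions (second procedure, steps 7-11 and 17-18) ------------------
function Grant-TemplateEnroll {
    param(
        [Parameter(Mandatory)][string]$TemplateCn,   # cn of the template object in AD, e.g. WebServer
        [Parameter(Mandatory)][string]$Principal,    # DOMAIN\Group
        [switch]$AutoEnroll
    )
    # Certificate templates live in the Configuration partition of the forest.
    $configNC = [string]([adsi]'LDAP://RootDSE').Get('configurationNamingContext')
    $tpl = [adsi]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    # Enroll and Autoenroll are AD extended rights identified by these well-known GUIDs.
    $enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

    $read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, 'Allow')
    $enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'Allow', $enrollGuid)
    $tpl.ObjectSecurity.AddAccessRule($read)
    $tpl.ObjectSecurity.AddAccessRule($enroll)
    if ($AutoEnroll) {
        $auto = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'Allow', $autoEnrollGuid)
        $tpl.ObjectSecurity.AddAccessRule($auto)
    }
    $tpl.CommitChanges()
}

Grant-TemplateEnroll -TemplateCn 'WebServer'  -Principal "$NetbiosDom\Domain Computers"
Grant-TemplateEnroll -TemplateCn 'WebServer'  -Principal "$NetbiosDom\Domain Controllers"
Grant-TemplateEnroll -TemplateCn $NewTemplate -Principal "$NetbiosDom\Domain Users" -AutoEnroll

# --- CRL publishing (second procedure, steps 19-21) ---------------------------------
# Base CRL valid for 2 years, delta CRLs off (0 units disables them). The CA service must be
# restarted for the new registry values to take effect; then publish a CRL at the new interval.
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod 'Years'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc
certutil -CRL

# --- Make the new template issuable (second procedure, steps 22-23) -----------------
certutil -SetCATemplates "+$NewTemplate"

# On sts1 and sts2 afterwards, apply the policy and trigger auto-enrollment without waiting:
#   gpupdate /force
#   certutil -pulse
```

Two caveats worth keeping in mind when carrying this outside the lab. A 2-year CRL publishing interval means a client that has cached the CRL will keep treating a revoked certificate as valid until that CRL expires, so a production CA should publish far more often and keep delta CRLs on. Likewise, "Allow private key to be exported" on the user template is a convenience for a test environment; on a real enrollment it lets any holder of the user's session copy the key out of the store.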
