Microsoft AD Federation Service Integration Guide


Version: 1.1

Date: Friday, December 20, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.

Page 2 of 33 Microsoft AD Federation Service - Integration Guide


Contents

1 Introduction 4

1.1 Configuring AD FS using nShield Hardware Security Modules (HSMs) 4

1.2 Requirements 4

1.3 Pre-requisites 5

1.4 Domain Controller: Create the Group Managed Service Account 5

1.5 Security Worlds and key protection 7

1.6 Application Key Tokens 7

1.7 AD FS Server: Install Security World Software 7

1.8 Install and register the CNG provider 8

1.9 Certificate Authority: Create a TLS certificate template for use by AD FS 14

1.10 AD FS Server: Request a SSL/TLS certificate for use on the AD FS server 19

1.11 Install the AD FS server role 22

1.12 Configure the AD FS server 23

1.13 Check and enable the AD FS install and sign-on page 23

2 Add nCipher HSM certs to AD FS 25

2.1 Add HSM protected token signing and encryption certificates to the AD FS server 25

3 Uninstalling AD FS HSM protected service 31

Contact Us 32

Europe, Middle East, and Africa 32

Americas 32

Asia Pacific 32


1 Introduction

Active Directory Federation Services (AD FS) is an installable component of the Microsoft Windows operating system. Once configured it provides single sign-on for credential sharing and access control between trusted business partners (known as a federation) and across multiple business boundaries, via a claims-based authorization process using standards-based protocols carried over HTTPS.

The user's organization has responsibility for authenticating and providing the identity information required by a trusted partner within an extranet, in order to allow its users to transparently connect to a web application hosted by one of the trusted members within a given federation.

Active Directory Federation Services effectively provides and secures a mutually trusted zone encompassing multiple security domains. Integrating AD FS with nCipher Hardware Security Modules provides increased robustness and control between these boundaries by securely managing the high-value Transport Layer Security (TLS) and token keys required by AD FS within a fully FIPS approved (FIPS 140-2 level 3) hardware environment.

1.1 Configuring AD FS using nShield Hardware Security Modules (HSMs)

This document covers the integration using module protection for the AD FS token keys.

Module protection utilises an AES 256-bit symmetric key with 128-bit security, secured by the Security World module key, which is stored in the HSM hardware at FIPS 140-2 level 3. The module key is derived from the cipher suite DLf3072s256mRijndael, which conforms to NIST SP 800-131A. For further information on Security World module keys, refer to the supplied documentation.

1.2 Requirements

This integration guide provides a step by step account detailing the configuration of Microsoft AD FS for use with nCipher Hardware Security Modules.

The integration was performed and tested in the lab using the following configuration:

- Microsoft Windows Server 2016 Domain Controller hosting the AD Certification Authority (CA)
- Microsoft Windows Server 2016 for the AD FS server
- nCipher nShield HSM with Security World software 12.40.2 using the CNG Key Storage Provider
- nCipher nShield Hardware Security Module (nShield Connect+ 6000 / nShield XC)


1.3 Pre-requisites

- Windows Server 2016 minimum will be used for the Domain Controller, the AD CA and the AD FS servers.
- A working Issuing CA.
- A Group Managed Service Account (gMSA) for the AD FS service.
- A server is built and added to the domain that can be used as the first AD FS server, or the AD FS server role has already been installed and configured.
- The AD FS server has the Security World software installed upon it with the CNG wizard available.
- A Security World has already been created and AD FS keys will be module protected. (For details on installing and registering the nCipher CNG KSP via the installed CNG wizard, see Install and register the CNG provider on page 8.)

For details on installing and configuring the Active Directory Certificate Authority using nCipher HSMs, refer to the Microsoft AD CS and OCSP Integration Guide for Microsoft Windows Server 2016 available at https://www.ncipher.com/support.

You must create a DNS host (A) record for the AD FS service, as the AD FS service will have a different name from the AD FS host server.

If you are deploying AD FS across the internet using Web Application Proxy, you will need a certificate issued by a third party whose root certificate is installed on all computers and devices that will be accessing the service.

1.4 Domain Controller: Create the Group Managed Service Account

1. Create a Key Distribution Services (KDS) root key. Typically this will take the form of:

PS C:\> Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Backdating the effective time by 10 hours makes the key usable immediately, which is suitable for a lab or a single Domain Controller. In production, create the key with -EffectiveImmediately and allow around 10 hours for it to replicate to all Domain Controllers on the network before creating the gMSA.

2. Next create the gMSA:

New-ADServiceAccount <Name of AD FS gMSA> -DNSHostName <FQDN of AD FS service> -ServicePrincipalNames http/<Name of AD FS service>

Example:

PS C:\> New-ADServiceAccount FedServgMSA -DNSHostName adfs1.example.com -ServicePrincipalNames http/adfs1.example.com

3. Then set the Service Principal Name (SPN):

setspn -s host/<name of the AD FS service> <name of gMSA the AD FS service is running under>

Example:

PS C:\> setspn -s host/adfs1.example.com example.com\FedServgMSA$

4. Create a DNS forward lookup record on your Domain Controller to point the AD FS service name to the AD FS host server IP address:

a. Using Server Manager, click on Tools > DNS.

b. Select the Domain Controller and then click to expand the Forward Lookup Zones.

c. Click to select <your domain>.

d. Right click either <your domain> in the left hand pane or in the right hand pane to pull up a list of options, and select New Host (A or AAAA)… (Figure 1.1 Create New Host (A or AAAA)).

Figure 1.1 Create New Host (A or AAAA)

e. In the New Host dialogue box enter:

- Name: <AD FS service name> (the FQDN will auto complete)
- IP address: <IP address of the AD FS host server>

f. Click the Add Host button at the bottom of the dialogue box.
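The whole of section 1.4 as one script, added here as an example and not taken from the nCipher guide: it creates the KDS root key, the gMSA, the SPNs and the DNS host record from an elevated PowerShell session on a Domain Controller, and then verifies each piece. The names are the guide's (adfs1.example.com, FedServgMSA, example.com); the AD FS server's computer name (ADFS-SRV01), its IP address and the -PrincipalsAllowedToRetrieveManagedPassword setting are assumptions.

```powershell
# Added example (not from the nCipher guide). Run elevated on a Domain Controller.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain      = 'example.com'
$ServiceFqdn = 'adfs1.example.com'   # federation service name (differs from the host name)
$GmsaName    = 'FedServgMSA'
$AdfsHost    = 'ADFS-SRV01'          # assumption: computer name of the first AD FS server
$AdfsHostIp  = '10.0.0.20'           # assumption: IP address of that server

# 1. KDS root key. One per forest is enough; skip if one already exists.
if (-not (Get-KdsRootKey)) {
    # -10 hours makes the key usable at once (lab / single DC). In production use
    # -EffectiveImmediately and wait ~10 hours for replication before creating gMSAs.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. gMSA. Only the AD FS server's computer account may retrieve the managed password;
#    without this the AD FS service cannot log on as the gMSA on that server (assumption:
#    the guide does not set it explicitly).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $ServiceFqdn `
        -ServicePrincipalNames "http/$ServiceFqdn" `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer $AdfsHost)
}

# 3. host/ SPN. Check for a duplicate first: a duplicate SPN breaks Kerberos for both owners.
$hostSpn = "host/$ServiceFqdn"
$dup = & setspn -Q $hostSpn
if (@($dup) -match '^Existing SPN found') {
    throw "$hostSpn is already registered elsewhere: $($dup -join ' ')"
}
& setspn -S $hostSpn "$Domain\$GmsaName`$"     # -S refuses to add a duplicate

# 4. Forward lookup (A) record for the service name, pointing at the AD FS host.
$zone  = $Domain
$label = $ServiceFqdn.Substring(0, $ServiceFqdn.Length - $zone.Length - 1)   # 'adfs1'
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $label -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $label -IPv4Address $AdfsHostIp
}

# Verification: gMSA attributes, both SPNs, and the DNS answer.
Get-ADServiceAccount $GmsaName -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
& setspn -L "$GmsaName`$"              # expect http/adfs1.example.com and host/adfs1.example.com
Resolve-DnsName $ServiceFqdn -Type A   # expect $AdfsHostIp
```

On the AD FS server itself, Test-ADServiceAccount FedServgMSA (from the RSAT-AD-PowerShell feature) confirms that the computer can retrieve the managed password before the AD FS configuration in 1.12 is attempted.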


1.5 Security Worlds and key protection

This section covers the available options for the Security World when configuring AD FS. AD FS uses the nCipher CNG Key Storage Provider; there are certain restrictions on the use of this provider concerning the methods of protection and operations that are available. The table below shows the restrictions on HSM key protection methods available when using the nCipher CNG KSP.

Supported key protection methods for AD FS and nCipher CNG provider:

Security World Type    Protection type          Supported   Works in Pool mode
FIPS 140-2 level 2     Module                   Yes         Yes
                       Softcard                 No          No
                       Operator Card Set 1/n    No          No
                       Operator Card Set k/n    No          No

Only module protection is supported, which is why this guide module-protects the AD FS keys throughout; softcard- and Operator Card Set-protected keys cannot be used by the AD FS service.

1.6 Application Key Tokens

Application Key Tokens are an encrypted form of a Security World generated cryptographic key. These Key Tokens must not be mistaken for or regarded as being a key in or of themselves. The key is at all times held in this encrypted form and is only available for use as a cryptographic key when loaded into the FIPS 140-2 level 3 security boundary of a correctly configured nCipher Hardware Security Module.

If you intend to use a Web Application Proxy server you should consider carefully whether to deploy under strict FIPS 140-2 level 3 compatibility mode. In that mode private keys can only be exported in a wrapped state, and ACS authorization is required to generate application keys.

1.7 AD FS Server: Install Security World Software

Install the latest version of Security World Software on the designated AD FS server. For details on installing the software, refer to the documentation on the removable media supplied with the HSM.

1. Make sure that %NFAST_HOME%\bin exists on the %PATH%. Open a CLI and run echo %PATH%, and make sure that C:\Program Files (x86)\nCipher\nfast\bin is reported.

2. If C:\Program Files (x86)\nCipher\nfast\bin is not visible, add it to the environment variables as follows:

a. Select Control Panel > System > Advanced System Properties and, in the lower right hand corner of the System Properties dialogue, click on Environment Variables.

b. In the System Variables window scroll down and select Path.

c. When highlighted, click on Edit. In the Edit Environment variable window, click New and enter the full path to the bin folder.

d. Click OK twice to exit the Environment Variables window.

e. Click OK to exit System Properties.

f. Open a new CLI and run echo %PATH%. The %NFAST_HOME%\bin folder should now be visible:

C:\>echo %PATH%
C:\Windows\system32;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\nCipher\nfast\bin;

If you are using PowerShell you will need to run echo $Env:PATH instead.

If you are using nCipher Java cards, you must make sure that the cardlist file, C:\ProgramData\nCipher\Key Management Data\config\cardlist, has either the relevant card unique number in full or the wildcard * flag set.

1.8 Install and register the CNG provider

It is possible to use the CNG wizard either to load (reuse) an existing Security World instance or to create a new instance. If you are creating a new Security World, refer to the installation guide available in the document folder on the removable media provided with the HSM for the information required when defining Security World parameters. The HSM must be properly configured before running the CNG installation wizard.

To confirm the HSM is available:

1. Open a CLI as Administrator; you must run cmd with elevated privileges. To do this, right click the cmd icon and select Run as administrator.

2. Run the command:

>enquiry

Server: and Module #1: should be reported, showing the serial number (in the form eeee-ssss-nnnn) of the module and a hardware status of OK (this can be found at the bottom of the section detailing information on the module).

If you are using an existing Security World you can check that it is available by running the command nfkminfo. The Security World should be reported as Initialised and Usable (i.e. there should be no ! prefix on those flags).

3. Once the Security World software is operational you must run the CNG install wizard to install and register the nCipher Key Storage Provider (KSP). The wizard can be found in the Apps by name screen of the desktop.

4. Click the Start button and look for the recently added nCipher utilities, then double click the CNG configuration wizard (Figure 1.2 Install and register nShield CNG provider). If the User Account Control prompt pops up, click Yes to continue.


Figure 1.2 Install and register nShield CNG provider

Figure 1.3 CNG install Welcome screen

5. The Enable HSM Pool Mode screen (Figure 1.4 Select to enable / disable Pool Mode) prompts you to Enable HSM Pool Mode for CNG Providers. Leave the default value with the check box unticked and click Next.


Figure 1.4 Select to enable / disable Pool Mode

6. If you already have a Security World that you intend to use for AD FS, the next screen will allow you to select Use the existing security world. If you do not currently have a Security World, or would like to create a new Security World, then check the Create a new Security World radio button and click Next (for the purposes of this integration guide we have chosen to use an existing Security World).

7. If you are creating a new Security World, refer to the nCipher nShield documentation for details on creating and configuring a new Security World. Make sure that the Set Module States screen shows the available modules as (Figure 1.5 Set Module States):

- Mode = initialisation
- State = (pre)-initialisation


Figure 1.5 Set Module States

If the state is reported as Operational, it can be changed using the nopclearfail utility. For example (where x is the module to be used):

nopclearfail -I -Mx

8. Click Next.

9. Leave Enable this module as a remote target unchecked (Figure 1.6 Optional setting to enable module for remote shares). This is not to be confused with the nShield Remote Administration utility.


Figure 1.6 Optional setting to enable module for remote shares

10. For details on Remote Administration setup and configuration, refer to the nShield documentation on the removable media that came with your nCipher HSM.

11. Click Next. If you are using an existing Security World you must have the World file in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator cards (Figure 1.7 Present ACS card when prompted).

Figure 1.7 Present ACS card when prompted

12. When the ACS quorum has been presented, and the Security World loaded/created, return the HSM to Operational mode.

13. Click Next (Figure 1.8 Register CNG Providers).


Figure 1.8 Register CNG Providers

14. The nCipher CNG providers will now be installed and the KSP will be registered. To confirm that the KSP has been successfully registered, open either a CLI or PowerShell (right click and Run as Administrator) and run the following command:

PS C:\WINDOWS\system32> cnglist.exe --list-providers
Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider
PS C:\WINDOWS\system32>

You should see the nCipher Security World Key Storage Provider listed, as in the example above. You will also find the provider in the registry at this location:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider

(CurrentControlSet is an alias for whichever control set is live, normally ControlSet001; looking under CurrentControlSet avoids guessing.)

15. If the nCipher providers are not listed, the registration did not succeed: re-run the CNG configuration wizard before continuing, since the certificate request in 1.10 depends on selecting this provider.
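The manual checks of 1.7 (nfast\bin on the PATH, the cardlist file) and 1.8 (enquiry, nfkminfo, cnglist, the registry) collected into one pre-flight script, added here as an example and not taken from the nCipher guide. It runs in an elevated PowerShell session on the AD FS server and stops before any certificate is requested if something is missing. The install path is the guide's default; the cardlist check assumes Java cards are in use, and the registry path uses CurrentControlSet rather than the ControlSet001 quoted above.

```powershell
# Added example (not from the nCipher guide). Run elevated on the AD FS server.
$NfastBin  = 'C:\Program Files (x86)\nCipher\nfast\bin'
$Cardlist  = 'C:\ProgramData\nCipher\Key Management Data\config\cardlist'
$KspName   = 'nCipher Security World Key Storage Provider'
$KspRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider'

function Test-LineMatch { param([string[]]$Lines, [string]$Pattern) @(@($Lines) -match $Pattern).Count -gt 0 }
function Invoke-Tool    { param([string]$Name, [string[]]$ToolArgs) & $Name @ToolArgs 2>&1 | ForEach-Object { "$_" } }

$results = [ordered]@{}

# 1.7 steps 1-2: nfast\bin must be on the machine-wide PATH; add it permanently if it is not.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $NfastBin) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$NfastBin", 'Machine')
    $env:Path += ";$NfastBin"          # also make it visible in this session
}
$results['nfast bin on PATH'] = [bool](Get-Command enquiry -ErrorAction SilentlyContinue)

# 1.7 note (Java cards only): cardlist must hold the card's unique number in full, or '*'.
$entries = @()
if (Test-Path $Cardlist) { $entries = @(Get-Content $Cardlist | Where-Object { $_ -and $_ -notmatch '^\s*#' }) }
if ($entries.Count -eq 0) { Write-Warning "cardlist has no card number or '*' entry (needed only for Java cards)" }

if ($results['nfast bin on PATH']) {
    # 1.8 step 2: enquiry must show Module #1 with hardware status OK.
    $enq = Invoke-Tool enquiry
    $results['enquiry: module #1 present']  = Test-LineMatch $enq '^Module #1:'
    $results['enquiry: hardware status OK'] = Test-LineMatch $enq '^\s*hardware status\s+OK'

    # 1.8 note: an existing Security World must be Initialised and Usable (no '!' on those flags).
    $nfk = Invoke-Tool nfkminfo
    $results['security world usable'] = (Test-LineMatch $nfk '^\s*state\s+.*\bInitialised\s+Usable\b') -and
                                        -not (Test-LineMatch $nfk '!Initialised|!Usable')

    # 1.8 step 14: the KSP must be registered with CNG ...
    $providers = Invoke-Tool cnglist --list-providers
    $results['KSP registered (cnglist)'] = Test-LineMatch $providers ('^' + [regex]::Escape($KspName) + '\s*$')
}
# ... and present in the registry.
$results['KSP in registry'] = Test-Path $KspRegKey

# Summary: fail before the certificate enrolment in 1.10 rather than after a key lands in software.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { throw 'HSM / KSP pre-flight failed; fix the items above first.' }
```

Each check is a true/false entry in $results, so the script can be kept as a readiness gate and re-run after patching or a Security World software upgrade.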


1.9 Certificate Authority: Create a TLS certificate template for use by AD FS

Create a TLS certificate template for use by AD FS as follows:

1. On an Issuing CA, open the Certification Authority management console (Figure 1.9 Open Certificate Authority Console).

Figure 1.9 Open Certificate Authority Console

2. Expand the Certification Authority node in the left hand pane, right click on Certificate Templates and select Manage (Figure 1.10 Manage Certificate Templates).

Figure 1.10 Manage Certificate Templates

3. In the Certificate Templates Console, locate the Web Server certificate template (Figure 1.11 Select Duplicate Web Server Template), right click it and from the context menu select Duplicate Template.


Figure 1.11 Select Duplicate Web Server Template

4. Click the General tab (Figure 1.12 General tab - Name template). In the Template display name field, name the template, for example ADFS TLS1. Change the Validity Period to whatever value is desired.

Figure 1.12 General tab - Name template

5. Select the Compatibility tab and change the Certification Authority to Windows Server 2016 and the Certificate Recipient to Windows 10 / Windows Server 2016 (Figure 1.13 Compatibility tab - Select OS).


Figure 1.13 Compatibility tab - Select OS

6. Select the Subject name tab and make sure that Supply in the request is selected; as the AD FS service name will be different from the AD FS server name, the subject will need to be specified in the request.

7. Select the Request handling tab and under Purpose select Signature and encryption (Figure 1.14 Request Handling - Select Key permissions).

Figure 1.14 Request Handling - Select Key permissions

a. Check the box for Authorize additional service accounts to access the private key.

b. Click the Key Permissions button.

c. In the Permissions for... dialog box, click Add.

d. Click Object Types and then check the boxes for Service Accounts and Computers from the listed objects (Figure 1.15 Select to add Object Types).


Figure 1.15 Select to add Object Types

e. Click OK.

8. Select the Advanced tab, click Find Now and select the Group Managed Service Account you created on your Domain Controller.

a. Click OK to add it into the Enter the object names… field.

b. Click OK.

c. Check the box to Allow Full Control.

d. Repeat to add the AD FS server computer account, making sure that the AD FS server computer account also has Full Control (Figure 1.16 Add gMSA and AD FS server).

Figure 1.16 Add gMSA and AD FS server


e. Click OK.

If you are going to be using a Web Application Proxy server you will additionally need to check Allow private key to be exported (see Figure 1.14 Request Handling - Select Key permissions on page 16).

If you are using a strict FIPS 140-2 level 3 Security World, exporting private keys is forbidden unless they are exported using a wrapping key.

Allowing a private key to be exported is not considered best practice but is sometimes necessary. Exercise extreme caution when exporting private keys: doing so could compromise the integrity of your environment, since a key that leaves the HSM boundary is no longer protected by it.

9. Click on the Cryptography tab:

a. Make sure Key Storage Provider is selected from the drop down list for Provider Category.

b. For Algorithm Name, select appropriately from the drop down list. Note that if you do not have the ECC feature activated on your HSM you should choose type RSA.

c. Set the Minimum Key Size to not less than 2048.

d. Make sure that Requests can use any provider available on the subject's computer is selected and set Request Hash to at least SHA256.

Because the template allows any provider, nothing in the template itself forces the key into the HSM: the nCipher Security World Key Storage Provider must be selected when the certificate is requested (see 1.10), otherwise the key will be generated by the Microsoft Software Key Storage Provider.

10. Select the Security tab:

a. Add the following accounts (make sure both Read and Enrol permissions are allowed):

- Domain Computers
- Group Managed Service Account created earlier
- AD FS server computer account

b. Click Add. On the pop up screen select Object types and tick the boxes for Service Accounts and Computers.

c. Click OK.

d. Click Advanced. On the next screen click Find Now, locate the Managed Service Account previously created and double click it to enter it into the Enter the object names to select: field.

e. Click OK, and make sure the Enrol box in the Permissions for … account is ticked.

f. Repeat the above steps for the AD FS server computer account and Domain Computers.

11. Make sure that Authenticated Users are set with Read and Enrol permissions.

Domain Admins/Enterprise Admins already have these rights and must continue to do so.

Granting Enrol broadly (Domain Computers, Authenticated Users) on a template whose subject is supplied in the request lets any principal in those groups obtain a Server Authentication certificate for an arbitrary name from your CA. In a production deployment, restrict Enrol to the gMSA and the AD FS server computer account (plus any Web Application Proxy servers), or require CA certificate manager approval on the Issuance Requirements tab.

12. Once all template configuration has been completed, click Apply and OK, then close the Certificate Templates console.


13. Make sure that you are logged into the AD CA as a Domain Administrator.

14. Open the Certification Authority console.

15. On the Server Manager dashboard go to Tools > Certification Authority.

16. Under Certification Authority (Local), expand the CA node (this is presented as a computer with a green tick next to it).

You may need to restart Active Directory Certificate Services to make sure the new template is available.

17. Right click on Certificate Templates (the last item in the list in the left hand section).

18. Select New and click on Certificate Template to Issue.

19. Select the certificate template just created, and then click OK. The new template will now appear in the Certificate Templates list.
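An audit of the template just built, followed by the publication of steps 17 to 19 done with Add-CATemplate, added here as an example and not taken from the nCipher guide. It reads the template object from the configuration partition, reports the settings that matter for this integration (subject supplied in the request, manager approval, exportable key, minimum key size, EKU) and lists who holds Enroll, warning when a supply-in-request template is enrollable by principals outside an allow-list. It runs on the issuing CA as a domain administrator. Assumptions: the template object name is ADFSTLS1 (display name "ADFS TLS1"), the NetBIOS domain is EXAMPLE, and only the gMSA and the AD FS server (ADFS-SRV01) should hold Enroll; the extended-right GUID and the msPKI flag bits are the documented AD CS values.

```powershell
# Added example (not from the nCipher guide). Run on the issuing CA as a domain administrator.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$TemplateName     = 'ADFSTLS1'                                            # assumption
$AllowedEnrollers = @('EXAMPLE\FedServgMSA$', 'EXAMPLE\ADFS-SRV01$')      # assumption

# Documented AD CS values: the Certificate-Enrollment extended right and the msPKI
# flag bits behind the GUI options used in 1.9.
$EnrollRightGuid                   = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # Subject name tab: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2     # Issuance Requirements: "CA certificate manager approval"
$CT_FLAG_EXPORTABLE_KEY            = 0x10    # Request Handling: "Allow private key to be exported"

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t  = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-Private-Key-Flag','msPKI-Minimal-Key-Size','pKIExtendedKeyUsage'

$suppliesSubject = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
$needsApproval   = [bool]($t.'msPKI-Enrollment-Flag'       -band $CT_FLAG_PEND_ALL_REQUESTS)
$exportable      = [bool]($t.'msPKI-Private-Key-Flag'      -band $CT_FLAG_EXPORTABLE_KEY)

# Who can enrol? Enroll is granted as the specific extended right, or implied by GenericAll
# or an unscoped ExtendedRight ACE.
$acl = Get-Acl -Path "AD:\$dn"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ObjectType -eq $EnrollRightGuid -or
        ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'GenericAll|ExtendedRight')
    )
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    Template             = $TemplateName
    SuppliesSubject      = $suppliesSubject
    ManagerApproval      = $needsApproval
    ExportablePrivateKey = $exportable
    MinKeySize           = $t.'msPKI-Minimal-Key-Size'
    EKU                  = ($t.pKIExtendedKeyUsage -join ', ')   # expect 1.3.6.1.5.5.7.3.1 (Server Authentication)
    Enrollers            = ($enrollers -join '; ')
} | Format-List

# A supply-in-request template without manager approval hands every Enroll holder a
# server-authentication certificate for any name they ask for, so flag holders outside
# the allow-list (the guide's steps add Domain Computers and Authenticated Users).
$unexpected = $enrollers | Where-Object { $_ -notin $AllowedEnrollers -and $_ -notmatch 'Domain Admins|Enterprise Admins' }
if ($suppliesSubject -and -not $needsApproval -and $unexpected) {
    Write-Warning "Broad Enroll on a supply-in-request template: $($unexpected -join ', ')"
}
if ($exportable) { Write-Warning 'Private key export is enabled; only a Web Application Proxy deployment needs this.' }
if ($t.'msPKI-Minimal-Key-Size' -lt 2048) { Write-Warning 'Minimum key size is below 2048 bits.' }

# Publish the template on this CA (steps 17-19), idempotently.
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}
Get-CATemplate | Where-Object Name -eq $TemplateName
```

The ACL query deliberately treats GenericAll and an unscoped ExtendedRight as Enroll, because either grants it without the Certificate-Enrollment GUID ever appearing in the ACE.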

1.10 AD FS Server: Request a SSL/TLS certificate for use on the AD FS server

The instructions below assume that a certificate for AD FS will be issued from an internal CA. If an external (publicly trusted) CA is required, modify the steps below to create a CSR which can be submitted to a commercial CA. See https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap-2016 for more details.

1. On the AD FS server, open certlm.msc using the Run command or an administrator level command prompt.

2. From the left hand panel beneath Certificates - Local Computer, right click on the Personal folder and select All Tasks > Request New Certificate (Figure 1.17 Request New Certificate).

Figure 1.17 Request New Certificate

3. The Certificate Enrolment wizard will start. Click Next.


4. On the Select Certificate Enrolment Policy screen, click Next. The Request Certificates window should display the recently created certificate template; click on the link More information is required to enrol for this certificate. Click here to configure settings to continue (Figure 1.18 Select More information is required).

Figure 1.18 Select More information is required

5. If the new certificate template is not visible, try running gpupdate to refresh Group Policy. Open a CLI (cmd) and type gpupdate /force:

C:\>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.

6. On the Certificate Properties window, set the following:

a. In the Subject Name, Type box choose Common Name (Figure 1.19 Set certificate Properties).

Figure 1.19 Set certificate Properties

b. In the Value box add the FQDN for the AD FS service (e.g. adfs.domain.com).

c. Click Add.

d. In the Alternative name, Type box, choose DNS.

e. In the Value box add the FQDN for the AD FS service (e.g. adfs.domain.com).

f. Click Add.

g. If you intend to use Device Registration in the same manner as with Windows Server 2012 R2 you will need to include enterpriseregistration.<your_domain> as a further alternative name: in the Alternative name, Type box choose DNS, enter the value in the Value field and then click Add.

This method of device authentication is deprecated in Windows Server 2016.

h. If you intend to use User Certificate Authentication on port 443 then you need to supply a further value: in the Alternative name, Type box choose DNS and add the value certauth.<full AD FS service name>.

i. Under the General tab, specify a sensible and recognisable name for the certificate.

j. Select the Private Key tab.

k. Click on Cryptographic Service Provider. Make sure that only the RSA,nCipher SecurityWorld Key Storage Provider is checked.

Only if you intend to install the certificate on a Web Application Proxy server thenyou must make sure that Make private key exportable is ticked. This can befound under the Key options drop down in the “Private Key tab.

l. Click OK to close the Certificate Properties window.

m. On the Certificate Enrollment, Request Certificates window, check the box for thecertificate just requested, and then click Enrol.

n. Once enrolment has successfully completed, click Finish.

7. Open a cmd as Administrator and run nfkminfo.exe –k. This will print the CNG key created via theCertificate template, the key will have been generated using the nCipher Key Storage Provider. It ispossible to use the keys AppName and its Ident to show further details.Example:

Key list - 1 keys
AppName caping  Ident machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1

C:\Program Files (x86)\nCipher\nfast\bin>nfkminfo.exe -k caping machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1

Key AppName caping  Ident machine--c4ce33928f457a19dd5a536a9038b55f02a2eaf1
 BlobKA length 1052
 name "te-ADFSTLS-3ec97a8c-791a-4139-a0e6-ecbf1e185bd8"
 hash 42b4875c0a2fc7af57fa8a904939c4a361c30ff9
 recovery Enabled
 protection Module
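As an added example (not part of the nCipher guide), the same check done from PowerShell: it confirms that the certificate enrolled above has its private key in the nCipher Security World KSP and that the CNG key name matches a key in the Security World. The friendly name 'ADFS TLS' and the nfkminfo listing format are assumptions; use the friendly name you entered in step 6i.

```powershell
# Added example, not from the nCipher guide. Assumes the friendly name 'ADFS TLS' was
# given in step 6i; the expected provider is the KSP selected in step 6k.
$FriendlyName = 'ADFS TLS'
$ExpectedKsp  = 'nCipher Security World Key Storage Provider'
$nfkminfo     = 'C:\Program Files (x86)\nCipher\nfast\bin\nfkminfo.exe'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' and a private key in LocalMachine\My." }

# For a KSP-held key GetRSAPrivateKey returns RSACng, whose CngKey exposes the provider
# and the CNG key name (expected to be the 'name' that nfkminfo prints, te-<template>-<guid>).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Private key is not held by a CNG key storage provider (got $($rsa.GetType().Name))."
}
$key = $rsa.Key
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Provider   = $key.Provider.Provider
    KeyName    = $key.KeyName
    Exportable = $key.ExportPolicy   # None unless 'Make private key exportable' was ticked for a WAP
}
if ($key.Provider.Provider -ne $ExpectedKsp) {
    throw "Key is held by '$($key.Provider.Provider)', not the nCipher KSP; re-check step 6k."
}

# Cross-check against the Security World: list the caping (CNG) key idents, then query each
# one for its name, as in the nfkminfo output shown above.
$idents = & $nfkminfo -k | ForEach-Object {
    if ($_ -match '^\s*AppName\s+caping\s+Ident\s+(\S+)') { $Matches[1] }
}
$namePattern = 'name\s+"' + [regex]::Escape($key.KeyName) + '"'
$match = $idents | Where-Object { (& $nfkminfo -k caping $_) -match $namePattern }
if (-not $match) {
    Write-Warning "No Security World key named $($key.KeyName) found; the key may be held elsewhere."
} else {
    "Certificate key is HSM protected: Ident $match"
}
```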


1.11 Install the AD FS server role

1. Open Server Manager, click on Manage > Add Roles and Features.

a. On the Before you begin page, click Next.

b. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

c. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next.

d. On the Select server roles page, click Active Directory Federation Services, and then click Next.

e. On the Select features page, click Next.

f. On the Active Directory Federation Service (AD FS) page, click Next.

g. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.

h. On the Installation progress page, verify that everything installed correctly, and then click Close.

1.12 Configure the AD FS server

Click on the link to configure the AD FS server.

1. Select the option to Create the first federation server in a federation server farm, click Next.

2. Connect to Active Directory Domain Services. Select the account you want to use to perform the configuration and click Next.

3. On the Specify Service Properties window:

a. Select the appropriate SSL Certificate from the drop down list (if the certificate is not available in this list, select Import and browse to the location of your SSL certificate).

b. To provide a name for your federation service, enter the same value that you provided when you enrolled the SSL certificate in Active Directory Certificate Services (AD CS).

c. Enter a meaningful name for your federation service, e.g. Company name AD FS.

4. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the gMSA account AD FSgMSA1 that you created on the domain controller.

5. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.

6. On the Review Options page, verify your configuration selections, and then click Next.

7. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.

8. On the Results page you should see a green tick against This server was successfully configured. You should be informed that a machine restart is required.

9. Click Close to exit the configuration and restart the server.

1.13 Check and enable the AD FS install and sign-on page

The AD FS sign-on page is not enabled by default in Windows Server 2016. To enable it and allow verification of a successful installation, open a PowerShell CLI as Administrator and run the following command:

PS C:\Users\Administrator.INTEROP> Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

On a test machine, open a web browser and type (where <adfspri> is the FQDN of the AD FS service):

https://adfspri.corp.interop.internal/adfs/ls/IdPInitiatedSignonPage.htm

You should see the AD FS sign-in screen; enter your credentials to sign in to AD FS (Figure 1.20 Verify AD FS is working).


Figure 1.20 Verify AD FS is working


2 Add nCipher HSM certs to AD FS

The Token-decryption and Token-signing certificates are self-signed by default. This section adds two new certificates for Token signing and encryption, signed by an Enterprise Issuing CA, which improves the security of the solution. When importing the new certificates, you should make sure that you set the newly imported certs as the 'Primary' certificate but DO NOT delete the old self-signed certificates if AD FS has already been used within the organisation, as this will break any existing trusts.

2.1 Add HSM protected token signing and encryption certificates to the AD FS server

The Subject names of these two certificates can be anything desired. They do not need to reflect the FQDN of the AD FS server.

1. On the AD FS server, open a Powershell command prompt with admin privileges.

2. Run the following command:

> Set-AdfsProperties -AutoCertificateRollover $false

3. Open certlm.msc using the Run command or an administrator level command prompt.

4. In the Certificates window for the local computer, right-click on Personal, point to All Tasks and choose Request New Certificate, click Next.

5. On the Before you Begin screen, click Next.

6. Click Next on the Select Certificate Enrolment Policy screen.

7. On the Request Certificates screen, find the AD FS SSL (or TLS if applicable) certificate template (the example below is named FedServer SSL).

8. Click on the link which says More information is required to enroll for this certificate. Click here to configure settings (Figure 2.1 Create new AD FS token signing certificate).


Figure 2.1 Create new AD FS token signing certificate

9. On the Certificate Properties window set the following:

a. Select the Subject tab; under Subject name, select Type: Common Name from the drop down list. Enter a meaningful name in the Value field, for example HSM sign cert, then click Add.

b. Select the General tab; enter a friendly name for the Certificate.

c. Select the Private Key tab. Expand Cryptographic Service Provider. Make sure that only the RSA,nCipher Security World Key Storage Provider is checked.

d. Optional: if using a Web Application Proxy server, make sure that you tick the box to Make private key exportable.

e. Click OK to close the Certificate Properties window.

10. On the Request Certificates window, check the box for the AD FS TLS certificate, then click Enroll.

11. On the Create new key prompt, click Next. If you have multiple OCS, select the required one for protecting the Signing certificate and click Next.

12. Enter the passphrase when prompted, and click Next. When card reading complete is displayed, click Finish to close the create key wizard.

13. Certificate Installation Results should show STATUS: Succeeded (Figure 2.2 Token certificate enrollment success).


Figure 2.2 Token certificate enrollment success

14. Open the AD FS Management console from the Server Manager; this can be found under the Tools Menu (Figure 2.3 Open AD FS management Console).

Figure 2.3 Open AD FS management Console

15. Under the AD FS folder click to expand the Services Directory, then click on the Certificates folder.

16. From the right hand pane click Add Token-Signing Certificate… (Figure 2.4 Add HSM protect Token-Signing Certificate).


Figure 2.4 Add HSM protect Token-Signing Certificate

17. In the Select a token-signing certificate pop-up dialogue box, click on More Choices and select the newly created Signing Certificate (Figure 2.5 Select Certificate).

Figure 2.5 Select Certificate

18. A warning will pop up advising you to make sure the Private key is accessible for each server. You must install a Security World on each server in the farm and copy the Application key token across.

19. The new certificate should be visible in the centre pane; right click on the new HSM protected certificate. In the right hand pane the option to Set as Primary can be seen; click to select this, but do not delete the original certificate, which should be marked as Secondary.

20. Click Yes on the information pop-up dialogue warning that this will break the trust relationship with any relying party. All relying parties will need updating to trust and reflect this newly created certificate.

21. Repeat the process detailed above for the Decryption Certificate, this time selecting the appropriate Decryption certificate just created (Figure 2.6 Add Token-Decrypting Certificate).


Figure 2.6 Add Token-Decrypting Certificate

22. Click on More Choices and select the Decrypting Certificate just created (Figure 2.7 Select Token-Decrypting Certificate).

Figure 2.7 Select Token-Decrypting Certificate

The two new HSM protected certificates should now be visible in the AD FS management console (Figure 2.8 Set HSM certificates as Primary).


Figure 2.8 Set HSM certificates as Primary

23. Right click the new certificates and select to Set as Primary. Do not delete the existing Token certificates; leave these as Secondary.

24. Close the AD FS Management Console.
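The same change (steps 2 and 14 to 23 of this section) driven from the ADFS PowerShell module, as an added example that is not part of the nCipher guide. The friendly names 'HSM sign cert' and 'HSM decrypt cert' are assumptions matching step 9a; it refuses to register a certificate whose key is not in the nCipher KSP, and it never removes the original self-signed certificates.

```powershell
# Added example, not the nCipher guide's own commands. Friendly names are assumptions.
Import-Module ADFS

function Get-HsmCert([string]$FriendlyName) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $c) { throw "Certificate '$FriendlyName' not found in LocalMachine\My." }
    # Only accept a key that really lives in the nCipher KSP (the check from section 1.10 step 7).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa.Key.Provider.Provider -ne 'nCipher Security World Key Storage Provider') {
        throw "'$FriendlyName' key is held by '$($rsa.Key.Provider.Provider)', not the HSM KSP."
    }
    return $c
}

function Set-AdfsHsmCertificate([string]$Type, [string]$FriendlyName) {
    $cert = Get-HsmCert $FriendlyName
    # Register the certificate for this role unless AD FS already knows it.
    $known = Get-AdfsCertificate -CertificateType $Type
    if (-not ($known | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        Add-AdfsCertificate -CertificateType $Type -Thumbprint $cert.Thumbprint
    }
    # Promote it; the previous primary becomes secondary. Remove-AdfsCertificate is
    # deliberately never called, so relying parties that still trust the old
    # certificate keep working until they are updated (step 20).
    Set-AdfsCertificate -CertificateType $Type -Thumbprint $cert.Thumbprint -IsPrimary
}

# Step 2: stop AD FS from replacing the HSM certificates with new self-signed ones.
Set-AdfsProperties -AutoCertificateRollover $false

# Steps 16-23: token-signing first, then token-decrypting. As step 18 warns, the
# Security World and the key tokens must also be present on every other farm server.
Set-AdfsHsmCertificate -Type 'Token-Signing'    -FriendlyName 'HSM sign cert'
Set-AdfsHsmCertificate -Type 'Token-Decrypting' -FriendlyName 'HSM decrypt cert'

# Verify: each role should show the HSM certificate as primary and the original as secondary.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
    Format-Table CertificateType, IsPrimary, Thumbprint, @{ n = 'Subject'; e = { $_.Certificate.Subject } }
```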


3 Uninstalling AD FS HSM protected service

To uninstall an AD FS HSM protected service:

1. Open the AD FS management console from the Server Manager; this can be found under the Tools Menu.

2. Under the AD FS folder click to expand the Services Directory, then click on the Certificates folder.

3. Right click the Signing Certificate and select to set it as Primary certificate. Do the same with the Decrypting Certificate (Figure 3.1 Remove HSM protection on Token certificates).

Figure 3.1 Remove HSM protection on Token certificates

4. Delete any OCS cardsets using the createocs.exe utility:

C:\Program Files (x86)\nCipher\nfast\bin>createocs.exe -e

5. Uninstall the Security World Software using the Control Panel (Figure 3.2 Uninstall Security World Software).

Figure 3.2 Uninstall Security World Software


Contact Us

Web site: https://www.ncipher.com
Support: https://help.ncipher.com
Email Support: [email protected]
Documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444
One Station Square
Cambridge
CB1 2GA
UK

Americas

Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – A
Suite 130,
13800 NW 14 Street
Sunrise
FL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf
Siddeley St
Melbourne VIC 3005
Australia

Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188

10/F, V-Point,
18 Tang Lung Street
Causeway Bay
Hong Kong


About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today's fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency; it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control: today, tomorrow, always.

www.ncipher.com
