
Configure AD FS 3.0 with SharePoint 2013 for claims authentication

Updated September 23, 2014

1. Install and configure an AD FS server
2. Install and configure the SharePoint 2013 server
3. Configure the relying party on AD FS
3.1 Create the claim rules
3.2 Distribute the certificates
4. Configure SharePoint 2013
4.1 Configure the web application to use AD FS
4.2 Modify the SharePoint web application web.config
4.3 Remove the authentication type prompt
9. Useful links
The lab environment used is:
DC01 – Domain Controller and Federation Server
SQL01 – SQL Server 2012 Standard with Reporting Services
SHP01 – SharePoint 2013 SP1 Enterprise
All servers run Windows Server 2012 R2 Standard.
Installing the federation server on a domain controller is not a good idea and is done here only for lab convenience: AD FS is a web-facing service, and anything that compromises it on a DC compromises the whole domain. In production put AD FS on its own member server.

1. Install and configure an AD FS server
Install the AD FS role on Windows Server 2012 R2 (see the links at point 9). In our case the fully qualified domain name of the machine is DC01.intra.zzlab.com and we use the external name sts.zzlab.com, so both names need to be added to the registry key described in the Microsoft KB article; otherwise local requests that use the external name fail authentication on the AD FS server itself.

2. Install and configure the SharePoint 2013 server
You need SharePoint 2013 with SP1 to install on Windows Server 2012 R2 (the RTM build is not supported there). The SharePoint setup itself is standard. The web application must be SSL-enabled, because the WS-Federation token is posted back to https://<sharepoint server FQDN>/_trust/. On the SharePoint server, add the addresses of the AD FS server and of the SharePoint web application to the Intranet zone of Internet Explorer, so that integrated Windows authentication to AD FS works without a prompt.

3. Configure the relying party on AD FS
On the AD FS server open the AD FS Management console and, under the Trust Relationships folder in the left pane, right-click Relying Party Trusts and select Add Relying Party Trust…
A. Welcome page
B. Select Data Source
Select the option "Enter data about the relying party manually"
C. Specify Display Name
Insert the display name. I have used the FQDN of the SharePoint server (shp01.intra.zzlab.com)
D. Choose Profile
Use the AD FS profile
E. Configure Certificate
This certificate is used for token encryption. AD FS only needs its public key (it encrypts with it); the matching private key must be in the "Computer account" certificate store of the SharePoint server, which is the side that decrypts (see 3.2). I have used the SSL certificate of the SharePoint server (shp01.intra.zzlab.com). Token encryption is optional: if you skip this step the tokens are only signed, and step 4.2 is not needed.
F. Configure URL
Select the option "Enable support for the WS-Federation Passive protocol" and insert the URL of the SharePoint trust endpoint (https://<sharepoint server FQDN>/_trust/)
G. Configure Identifiers
Add the relying party identifier of your SharePoint farm as a uniform resource name (URN), the URI scheme for persistent, location-independent names, in the form urn:sharepoint:<any string>. AD FS uses this value to select the trust, and the same value goes into the -realm parameter of New-SPTrustedIdentityTokenIssuer in step 4, so keep it unique per farm.
In my case I have used urn:sharepoint:zzlab
H. Configure Multi-factor Authentication Now?
I have selected "I do not want to configure …"
I. Choose Issuance Authorization Rules
This is the standard authorization rule. I have selected "Permit all users to access this relying party"
J. Ready to Add Trust
This is the review of the configuration
K. Finish

3.1 Create the claim rules
When the wizard closes, AD FS automatically opens the Edit Claim Rules window, and we need to add some Issuance Transform Rules to complete the claims token. SharePoint will use the E-Mail Address claim as its identifier claim (the user's login identity) and trusts whatever AD FS asserts in it, so the rule that produces it must draw from a directory attribute of the authenticated user, never from a user-supplied value. Here we send the User Principal Name as the E-Mail Address.
I have created these rules:

R1 Rule template: Pass Through or Filter an Incoming Claim
Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values
R2 Rule template: Pass Through or Filter an Incoming Claim
Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values
R3 Rule template: Transform an Incoming Claim
Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claim type: Windows account name
Outgoing claim type: Name (or *Name)
Pass through all claim values
R4 Rule template: Send LDAP Attributes as Claims
Claim rule name: Send UPN as Email Address (or something descriptive)
Attribute store: select "Active Directory"
Under "Mapping of LDAP attributes to outgoing claim types" select LDAP Attribute: User-Principal-Name
Under Outgoing Claim Type: E-Mail Address

3.2 Distribute the certificates
Export the certificate AD FS uses for token signing (the primary Token-signing certificate under Service > Certificates) without its private key, and import it into the Computer certificate store on the SharePoint server. This certificate is the trust anchor SharePoint uses to validate every token it receives; its private key must never leave AD FS.
SharePoint also needs the private key of the certificate selected for token encryption in the relying party configuration (section 3, step E). If you used a certificate other than the SharePoint server's own SSL certificate, export it together with its private key as a password-protected PFX, import it into the Computer certificate store of the SharePoint server (SHP01), and delete the PFX file afterwards.
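The relying party trust of section 3, the four claim rules of 3.1 and the token-signing export of 3.2, as one script. This is an added example for this post, not code from the original article or from Microsoft's documentation. It uses the AD FS PowerShell module on Windows Server 2012 R2 and the names from this post (shp01.intra.zzlab.com, urn:sharepoint:zzlab, C:\Temp); the file name of the SharePoint encryption certificate's public key (C:\Temp\shp01-ssl.cer) is an assumption.

```powershell
# Added example (not from the original post): create the SharePoint relying party trust
# and its issuance rules from the AD FS PowerShell module instead of the wizard, then
# export the token-signing certificate for SharePoint. Run on the AD FS server as an
# AD FS administrator. Names below are the ones used in this post; the .cer path of the
# encryption certificate is an assumption.
Import-Module ADFS

$spFqdn     = "shp01.intra.zzlab.com"
$realm      = "urn:sharepoint:zzlab"          # must match -realm in New-SPTrustedIdentityTokenIssuer
$trustUrl   = "https://$spFqdn/_trust/"        # WS-Federation passive endpoint of SharePoint
$encCerPath = "C:\Temp\shp01-ssl.cer"          # assumed: public key of the SharePoint SSL cert
$exportPath = "C:\Temp\TokenSignCert.cer"

# Only the public key is needed here (AD FS encrypts with it); the private key stays on SHP01.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($encCerPath)

# Issuance transform rules R1-R4 of section 3.1 in the AD FS claim rule language.
# R4 is keyed on Issuer == "AD AUTHORITY", so the e-mail claim (SharePoint's identifier
# claim) is always looked up in AD for the account that actually authenticated.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN as Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party" (step I).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $spFqdn `
    -Identifier $realm `
    -WSFedEndpoint $trustUrl `
    -EncryptionCertificate $encCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Section 3.2: export the public part of the primary token-signing certificate (no private key).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)

# Sanity check: the trust exists, points at /_trust/, and carries the four transform rules.
$rp = Get-AdfsRelyingPartyTrust -Name $spFqdn
if ($rp.WSFedEndpoint.AbsoluteUri -ne $trustUrl) { Write-Warning "WS-Fed endpoint differs from $trustUrl" }
$ruleCount = ($rp.IssuanceTransformRules -split '@RuleName').Count - 1
if ($ruleCount -ne 4) { Write-Warning "Expected 4 transform rules, found $ruleCount" }
"Relying party '$($rp.Name)' for $($rp.Identifier) created; token-signing cert saved to $exportPath"
```

The rule text is what the wizard generates for the templates named in 3.1, so the result is identical to clicking through; keeping it in a script makes the trust reproducible and reviewable. Do not add a rule that passes through an incoming e-mail claim: the identifier claim should come only from the LDAP lookup.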

4. Configure SharePoint 2013
The first step is to import the token-signing certificate on the SharePoint server. To do this we use the SharePoint 2013 Management Shell. First copy the exported certificate to the SharePoint server. In my case I have saved it in C:\Temp, so my <PathToTokenSignCert> is C:\Temp\TokenSignCert.cer.
Then run:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<PathToTokenSignCert>")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

It is important to import the whole certificate chain (the root CA and any intermediate CA that issued the token-signing certificate) with the same command, each as its own SPTrustedRootAuthority; otherwise SharePoint cannot build the chain and rejects the token.
After that register the claim provider in SharePoint ($cert must still hold the token-signing certificate, and $realm must be the identifier entered in section 3, step G):

# Claim types AD FS sends; the e-mail claim becomes the identifier (login) claim
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
$realm = "urn:sharepoint:zzlab"
$signInURL = "https://sts.zzlab.com/adfs/ls"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ZZLAB AD Federation" -Description "ZZLAB AD Federation Server" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimMap.InputClaimType

4.1 Configure the web application to use AD FS
In SharePoint Central Administration, enable the newly created SPTrustedIdentityTokenIssuer on the web application. Go to Manage web applications, select the web application from the list, click the Authentication Providers button and pick the zone you want. Under Trusted Identity Provider, tick the issuer registered in step 4 ("ZZLAB AD Federation") and save.

4.2 Modify the SharePoint web application web.config
We chose an encrypted token on the AD FS side and selected an encryption certificate, so SharePoint must be told how to decrypt the token. Two things are needed: access to the private key of the encryption certificate, and a web.config entry that names that certificate.

Decryption uses the private key, and the SharePoint web application reads it under the identity of the IIS application pool of the web site. Using the Certificates snap-in for the Computer account, find the certificate, right-click it, choose All Tasks > Manage Private Keys… and grant the application pool account Read permission (Read is enough; do not grant Full Control).

Next, edit the web.config of the web application. Take a backup first, and remember that the edit has to be repeated on every web front-end and is lost if the web application is re-provisioned. Open the file with Notepad and find the <microsoft.identityModel> section (in my case it is the last section of the file, ending just before the </configuration> tag). Inside <securityTokenHandlers> add the handler for encrypted tokens:

<add type="Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

Then tell SharePoint which certificate was used to encrypt the token by adding, just before the </service> tag:

<serviceCertificate>
<certificateReference x509FindType="FindByThumbprint" findValue="<ThumbprintOfTheCertificate>" storeLocation="LocalMachine" storeName="My"/>
</serviceCertificate>

4.3 Remove the authentication type prompt
At this point SharePoint asks the user which authentication method to use: the federation server or Windows. You will likely want to remove this step and send every sign-in directly to AD FS instead. Change the sign-in page of the web application: in the same Authentication Providers page of the zone, under Sign In Page URL select "Custom Sign In Page" and enter the URL /_trust/default.aspx. Save and wait for the change to propagate.
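Steps 4.1 to 4.3 as one script from the SharePoint 2013 Management Shell, so the private-key permission, the web.config edit and the sign-in redirect can be repeated identically on every web front-end. This is an added example for this post, not the original article's code. Assumptions: the web application URL, the issuer name from step 4, the application pool identity (INTRA\svc-spweb) and the thumbprint placeholder; the key-path logic assumes the encryption certificate's private key is a legacy CSP key under MachineKeys, which is the common case for an IIS SSL certificate.

```powershell
# Added example (not from the original post): SharePoint-side steps 4.1-4.3 scripted.
# Run on SHP01 in the SharePoint 2013 Management Shell as a farm administrator.
# Assumed values: web application URL, issuer name, app pool identity, certificate thumbprint.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "https://shp01.intra.zzlab.com"
$issuerName  = "ZZLAB AD Federation"            # name given to New-SPTrustedIdentityTokenIssuer
$thumbprint  = "<ThumbprintOfTheCertificate>"   # token-encryption certificate in LocalMachine\My
$appPoolUser = "INTRA\svc-spweb"                # assumed application pool identity
$signInPage  = "/_trust/default.aspx"

$wa   = Get-SPWebApplication -Identity $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# 4.1: enable the trusted identity provider on the Default zone. -AuthenticationProvider
# replaces the zone's provider list, so Windows authentication is passed along explicitly.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$ap  = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
Set-SPWebApplication -Identity $wa -Zone $zone -AuthenticationProvider $win, $ap

# 4.2a: grant the app pool identity Read (and nothing more) on the private key of the
# encryption certificate. Assumption: CSP key stored under MachineKeys; CNG keys expose no
# PrivateKey property here and would need a different path.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) { throw "Encryption certificate with private key not found in LocalMachine\My" }
if (-not $cert.PrivateKey) { throw "Private key is not a CSP key; grant Read on the CNG key file manually" }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($appPoolUser, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4.2b: patch web.config of the zone's IIS site (backup first). Register the encrypted-token
# handler and name the decryption certificate; both edits are skipped if already present.
$configPath = Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
[xml]$cfg = Get-Content -Path $configPath -Raw
$service = $cfg.configuration.'microsoft.identityModel'.service
$handlerType = "Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
if (-not ($service.securityTokenHandlers.add | Where-Object { $_.type -eq $handlerType })) {
    $add = $cfg.CreateElement("add")
    $add.SetAttribute("type", $handlerType)
    $service.securityTokenHandlers.AppendChild($add) | Out-Null
}
if (-not $service.serviceCertificate) {
    $sc  = $cfg.CreateElement("serviceCertificate")
    $ref = $cfg.CreateElement("certificateReference")
    $ref.SetAttribute("x509FindType", "FindByThumbprint")
    $ref.SetAttribute("findValue", $thumbprint)
    $ref.SetAttribute("storeLocation", "LocalMachine")
    $ref.SetAttribute("storeName", "My")
    $sc.AppendChild($ref) | Out-Null
    $service.AppendChild($sc) | Out-Null
}
$cfg.Save($configPath)

# 4.3: skip the provider selection page and send sign-ins straight to the trusted provider.
Set-SPWebApplication -Identity $wa -Zone $zone -SignInRedirectURL $signInPage

"Zone $zone of $webAppUrl now uses '$issuerName'; web.config patched at $configPath"
```

Run it once per web front-end (the certificate, key permission and web.config are all per server), and keep the thumbprint in the script rather than copying it from the Certificates snap-in, where the leading invisible character of a pasted thumbprint is a classic cause of a silently missing certificateReference.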

9. Useful links
AD FS Deployment documentation
Deploying ADFS 3.0 for SharePoint 2013 in a perimeter network