Active Directory Trust Lab Manual
It is a well-known fact that if you want Kerberos to work across a trust you need a forest trust. It is possible to get Kerberos working over an external (domain) trust too, but that requires several extra settings which are out of the scope of this article. By default, Kerberos works over a forest trust between two forests. What makes Kerberos work over a forest trust, among other things, is name suffix routing (UPN suffix routing), which lets a client's domain controller resolve an SPN, and therefore locate a service, in the other forest. In the other direction, the resource forest can tell which forest a client comes from by looking at its UPN suffix.
It is worth mentioning that authentication always happens in the forest, or more specifically in the domain, where the client account is located; the trust only carries referrals. Once the forest trust is established, the trust properties show the list of name suffixes that are routed.
This article focuses on the problem of two forests whose DNS names end the same way, which confuses Kerberos name suffix routing. I worked through the scenario in the lab to identify and explain the problem and to provide the solution.

Scenario

Forests:
  fabrikam.com
  contoso.com
  australia.contoso.com

Trusts: two-way forest trusts with forest-wide authentication, configured as follows (nltest /domain_trusts output, run in fabrikam.com; Attr: 0x8 is TRUST_ATTRIBUTE_FOREST_TRANSITIVE, i.e. a forest trust):

  List of domain trusts:
      0: CONTOSO contoso.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
      1: AUSTRALIA australia.contoso.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
      2: FABRIKAM Fabrikam.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)

The contoso.com forest has three child domains: apac.contoso.com, emea.contoso.com and us.contoso.com. fabrikam.com is a single-domain forest. australia.contoso.com is a separate single-domain forest; despite its name it is not a child domain of contoso.com.

Trust Creation

We created the trust between fabrikam.com and contoso.com first, and everything went fine. The trust properties show the list of name suffixes being routed for Kerberos authentication. Note that on the contoso.com side the name suffix is listed as *.contoso.com, which means that anything ending in contoso.com is routed as a name suffix of the contoso.com forest.
When the *.contoso.com name suffix is selected, clicking Edit displays all the child name suffixes that are routed under it. The same list, with the routing status of each suffix, can be printed from the command line:

  netdom trust fabrikam.com /domain:contoso.com /namesuffixes:contoso.com

Now the second forest trust, between fabrikam.com and australia.contoso.com, needs to be created. In the Active Directory Domains and Trusts console, click New Trust, select forest trust, two-way, forest-wide authentication, confirm the incoming and outgoing trusts, and we are done.
The wizard displays a message: we have a conflict. The australia.contoso.com name suffix falls under *.contoso.com, which is already routed to the contoso.com forest, so the new suffix is left disabled. The trusts will work, but for AUSTRALIA the Kerberos referral cannot be made, clients fall back to NTLM, and we never get any of the benefits of Kerberos authentication.
The netdom listing for the australia.contoso.com trust shows the conflict:

  Name                     Type                 Status       Notes
  *.australia.contoso.com  Name Suffix          Conflicting  With contoso.com
  australia.contoso.com    Domain DNS name      Enabled      For australia.contoso.com
  AUSTRALIA                Domain NetBIOS name  Enabled      For australia.contoso.com
  S-1-5-659                Domain SID           Enabled      For australia.contoso.com

If you capture with Network Monitor while accessing resources in australia.contoso.com and contoso.com you will notice the following. Before starting the capture, clear your cached Kerberos tickets with klist purge so that the capture shows the whole exchange. Access to contoso.com and its child domains works as expected using Kerberos: I get my TGS tickets for us.contoso.com. But when we try to access australia.contoso.com we get a totally different picture.
Purge all tickets again (klist purge) and here are the results: the KDC answers with KRB-ERROR KDC_ERR_S_PRINCIPAL_UNKNOWN ("principal unknown"). Of course it does: the request was routed to the contoso.com forest because of the *.contoso.com suffix, and australia.contoso.com is a totally different forest, so no KDC there knows the SPN. We need to make sure that Kerberos can be used for authentication over both forest trusts. The solution is to tell the system that australia.contoso.com does not belong to the contoso.com forest and that its name suffix must not be routed there: on the contoso.com trust, open the Name Suffix Routing tab, select *.contoso.com, click Edit, and add australia.contoso.com to the list of name suffixes excluded from routing to contoso.com.
We are still not done. We need to enable suffix routing on the trust with australia.contoso.com, which we could not do until now because it was in conflict with contoso.com. When you open the Name Suffix Routing tab of that trust it still shows Conflicting; click Refresh and the suffix is re-evaluated and shown as Disabled. Go ahead and enable it (netdom trust fabrikam.com /domain:australia.contoso.com /namesuffixes:australia.contoso.com /ToggleSuffix:# does the same from the command line, # being the position of the suffix in the listing). Request the service ticket again and klist now shows a TGS for the australia.contoso.com service.
I have two forests with overlapping name suffixes, but we made Kerberos work. So, as long as the two forest names are not completely identical, this exclusion-plus-enable solution works. Or you can just keep using NTLM, and give up the Kerberos features (mutual authentication, delegation, AES tickets) that depend on a working referral.
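The routing decisions above are made from records stored in Active Directory, not from the GUI. The following script is an added example (it is not code from the original article): it decodes the msDS-TrustForestTrustInfo attribute that each trustedDomain object carries, reports the routed suffixes, exclusions and domain records with their disabled/conflict flags, and then answers where a given name suffix would be routed, so the australia.contoso.com overlap can be checked before and after the fix without clicking through the trust properties. Assumptions: the record layout follows MS-ADTS 6.1.6.9.3 as described in the header comment; exclusion records are stored as bare names (the GUI shows them with a *. prefix); the sample blobs are constructed in the script itself with a small encoder that covers only TopLevelName and TopLevelNameEx records; the function names are ours.

```powershell
# Added example, not code from the original article. Decodes the routing records that
# Active Directory stores in msDS-TrustForestTrustInfo on each trustedDomain object and
# answers "which forest does this name suffix route to?" for the article's scenario.
# Assumed layout (MS-ADTS 6.1.6.9.3): Version(4) RecordCount(4), then per record
# RecordLen(4, excludes itself) Flags(4) Timestamp(8, FILETIME) RecordType(1) data.

function ConvertFrom-ForestTrustInfo {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $pos = 0
    $version = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
    if ($version -ne 1) { throw "Unsupported msDS-TrustForestTrustInfo version $version" }
    $count = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
    for ($i = 0; $i -lt $count; $i++) {
        $end   = $pos + 4 + [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        $flags = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        $stamp = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, $pos)); $pos += 8
        $type  = [int]$Bytes[$pos]; $pos += 1
        if ($type -le 1) {
            # 0 = TopLevelName (routed suffix), 1 = TopLevelNameEx (suffix excluded from routing)
            $len = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
            [pscustomobject]@{
                Type      = @('TopLevelName', 'TopLevelNameExclusion')[$type]
                Name      = [Text.Encoding]::UTF8.GetString($Bytes, $pos, $len)
                Disabled  = ($flags -band 0x7) -ne 0   # LSA_TLN_DISABLED_NEW|ADMIN|CONFLICT
                Conflict  = ($flags -band 0x4) -ne 0   # LSA_TLN_DISABLED_CONFLICT
                Timestamp = $stamp
            }
        } elseif ($type -eq 2) {
            # DomainInfo: SidLen + SID, DnsNameLen + DNS name, NetbiosNameLen + NetBIOS name
            $sidLen = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
            $sid    = [Security.Principal.SecurityIdentifier]::new($Bytes, $pos); $pos += $sidLen
            $dnsLen = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
            $dns    = [Text.Encoding]::UTF8.GetString($Bytes, $pos, $dnsLen); $pos += $dnsLen
            $nbLen  = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
            [pscustomobject]@{
                Type = 'DomainInfo'; Name = $dns; Sid = $sid.Value
                NetBIOS   = [Text.Encoding]::UTF8.GetString($Bytes, $pos, $nbLen)
                Disabled  = ($flags -band 0xF) -ne 0   # SID or NetBIOS name disabled (admin or conflict)
                Conflict  = ($flags -band 0xA) -ne 0   # LSA_SID_DISABLED_CONFLICT|LSA_NB_DISABLED_CONFLICT
                Timestamp = $stamp
            }
        } else { Write-Warning "Skipping unknown record type $type" }
        $pos = $end   # RecordLen is authoritative for where the next record starts
    }
}

function New-ForestTrustInfo {
    # Encodes TopLevelName/TopLevelNameEx records (all the sample needs) in the same layout,
    # so the decoder can be exercised offline. Records are @{ Type; Name; Flags } hashtables.
    param([Parameter(Mandatory)][object[]]$Records)
    $out = [Collections.Generic.List[byte]]::new()
    $out.AddRange([BitConverter]::GetBytes([uint32]1))
    $out.AddRange([BitConverter]::GetBytes([uint32]$Records.Count))
    foreach ($r in $Records) {
        $name = [Text.Encoding]::UTF8.GetBytes([string]$r.Name)
        $body = [Collections.Generic.List[byte]]::new()
        $body.AddRange([BitConverter]::GetBytes([uint32]$r.Flags))
        $body.AddRange([BitConverter]::GetBytes([int64]0))   # timestamp left at 1601-01-01 in the sample
        $body.Add([byte]$r.Type)
        $body.AddRange([BitConverter]::GetBytes([uint32]$name.Length))
        $body.AddRange($name)
        $out.AddRange([BitConverter]::GetBytes([uint32]$body.Count))
        $out.AddRange($body)
    }
    ,$out.ToArray()
}

function Resolve-NameSuffixRoute {
    param([Parameter(Mandatory)][string]$Suffix,
          [Parameter(Mandatory)][hashtable]$ForestRecords)   # forest name -> decoded records
    $ic = [StringComparison]::OrdinalIgnoreCase
    $under = { param($n) $Suffix.Equals($n, $ic) -or $Suffix.EndsWith(".$n", $ic) }
    $routes = foreach ($forest in $ForestRecords.Keys) {
        $recs = @($ForestRecords[$forest])
        # An exclusion on this trust carves the suffix (and everything below it) out of its TLN
        if ($recs | Where-Object { $_.Type -eq 'TopLevelNameExclusion' -and (& $under $_.Name) }) { continue }
        if ($recs | Where-Object { $_.Type -eq 'TopLevelName' -and -not $_.Disabled -and (& $under $_.Name) }) { $forest }
    }
    $routes = @($routes)
    if ($routes.Count -gt 1) { throw "$Suffix is routable to several forests: $($routes -join ', ')" }
    if ($routes.Count -eq 1) { $routes[0] } else { $null }
}

# Constructed sample mirroring the lab. Before the fix the contoso.com trust routes *.contoso.com
# and the australia trust's own TLN carries the conflict flag (0x4), so it is disabled.
$before = @{
    'contoso.com'           = ConvertFrom-ForestTrustInfo (New-ForestTrustInfo @(@{ Type = 0; Name = 'contoso.com' }))
    'australia.contoso.com' = ConvertFrom-ForestTrustInfo (New-ForestTrustInfo @(@{ Type = 0; Name = 'australia.contoso.com'; Flags = 0x4 }))
}
# After the fix: an exclusion record on the contoso.com trust and the australia TLN enabled.
$after = @{
    'contoso.com'           = ConvertFrom-ForestTrustInfo (New-ForestTrustInfo @(
                                  @{ Type = 0; Name = 'contoso.com' }, @{ Type = 1; Name = 'australia.contoso.com' }))
    'australia.contoso.com' = ConvertFrom-ForestTrustInfo (New-ForestTrustInfo @(@{ Type = 0; Name = 'australia.contoso.com' }))
}
foreach ($s in 'australia.contoso.com', 'us.contoso.com') {
    '{0,-22} before: {1,-22} after: {2}' -f $s, (Resolve-NameSuffixRoute $s $before), (Resolve-NameSuffixRoute $s $after)
}
# Live use: Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties msDS-TrustForestTrustInfo |
#   ForEach-Object { ConvertFrom-ForestTrustInfo $_.'msDS-TrustForestTrustInfo' }
```

With the sample data, australia.contoso.com resolves to contoso.com before the fix (the wrong forest, which is exactly the KDC that replied "principal unknown") and to australia.contoso.com after it, while us.contoso.com keeps resolving to contoso.com in both cases because the exclusion only covers australia.contoso.com and its children. Resolve-NameSuffixRoute throws if two trusts both claim a suffix, which is the state Active Directory itself refuses to enter by marking the later suffix as conflicting; running the decoder against the live trustedDomain objects is a cheap way to audit which suffixes, SIDs and NetBIOS names each trust is allowed to claim.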
Note: We do not recommend that you install the web server and the federation server on the same computer. To set up this test environment, complete the following steps.

Step 1: Configure the domain controller (DC1)

For the purposes of this test environment, you can call your root Active Directory domain contoso.com and specify pass@word1 as the administrator password. Install the AD DS role service and install Active Directory Domain Services (AD DS) to make your computer a domain controller running Windows Server 2012 R2. This action upgrades your AD DS schema as part of the domain controller creation.

Create test Active Directory accounts

After your domain controller is functional, create a test group and a test user account in this domain and add the user account to the group. You use these accounts to complete the walkthroughs in the walkthrough guides that are referenced earlier in this topic. Create the following accounts:

  User: Robert Hatley, with user name RobertH and password P@ssword
  Group: Finance

Add the Robert Hatley account to the Finance group.

Create a GMSA account

A group Managed Service Account (GMSA) is required during the Active Directory Federation Services (AD FS) installation and configuration. To create it, open a Windows PowerShell window and run:

  Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com

Backdating the KDS root key's effective time makes it usable at once instead of after the normal 10-hour replication wait; that shortcut is for a single-DC lab only.

Step 2: Configure the federation server (ADFS1) by using Device Registration Service

To set up another virtual machine, install Windows Server 2012 R2 and join it to the domain contoso.com. Set up the computer after you have joined it to the domain, and then proceed to install and configure the AD FS role.
Install a server SSL certificate

You must install a server Secure Sockets Layer (SSL) certificate on the ADFS1 server in the local computer store. The certificate MUST have the following attributes:

  Subject Name (CN): adfs1.contoso.com
  Subject Alternative Name (DNS): adfs1.contoso.com
  Subject Alternative Name (DNS): enterpriseregistration.contoso.com

Install the AD FS server role

To install the Federation Service role service:
Log on to the server by using the domain administrator account administrator@contoso.com. Start Server Manager.
To start Server Manager, click Server Manager on the Windows Start screen, or click Server Manager on the Windows taskbar on the Windows desktop. On the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu. On the Before you begin page, click Next. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next. On the Select server roles page, click Active Directory Federation Services, and then click Next. On the Select features page, click Next.
On the Active Directory Federation Service (AD FS) page, click Next. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install. On the Installation progress page, verify that everything installed correctly, and then click Close.
Configure the federation server

The next step is to configure the federation server. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
The Active Directory Federation Service Configuration Wizard opens. On the Welcome page, select Create the first federation server in a federation server farm, and then click Next. On the Connect to AD DS page, specify an account with domain administrator rights for the contoso.com Active Directory domain that this computer is joined to, and then click Next. On the Specify Service Properties page, do the following, and then click Next:
Import the SSL certificate that you have obtained earlier. This certificate is the required service authentication certificate.
Browse to the location of your SSL certificate. To provide a name for your federation service, type adfs1.contoso.com. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS). To provide a display name for your federation service, type Contoso Corporation.
On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the GMSA account FsGmsa that you created in Step 1 on the domain controller. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
On the Review Options page, verify your configuration selections, and then click Next. On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure. On the Results page, review the results, check whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.

Configure Device Registration Service

The next step is to configure Device Registration Service on the ADFS1 server. Important: the following steps apply to the Windows Server 2012 R2 RTM build.
Open a Windows PowerShell window and run:

  Initialize-ADDeviceRegistration

When you are prompted for a service account, type contoso\fsgmsa$. Then run:

  Enable-AdfsDeviceRegistration

On the ADFS1 server, in the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.

Add Host (A) and Alias (CNAME) Resource Records to DNS

On DC1, you must ensure that the following Domain Name System (DNS) records are created for Device Registration Service.

  Entry                   Type           Address
  adfs1                   Host (A)       IP address of the AD FS server
  enterpriseregistration  Alias (CNAME)  adfs1.contoso.com

You can use the following procedure to add a host (A) resource record to corporate DNS name servers for the federation server and Device Registration Service. Membership in the Administrators group or an equivalent is the minimum requirement to complete this procedure. Review details about using the appropriate accounts and group memberships in Local and Domain Default Groups.
To add host (A) and alias (CNAME) resource records to DNS for your federation server:
On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.
In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA). In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs1.
In IP address, type the IP address of the ADFS1 server. Click Add Host. Right-click contoso.com, and then click New Alias (CNAME). In the New Resource Record dialog box, type enterpriseregistration in the Alias name box. In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs1.contoso.com, and then click OK. Important: in a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you must create one enterpriseregistration CNAME record per UPN suffix in DNS, because clients look up enterpriseregistration.<UPN suffix>.

Step 3: Configure the web server (WebServ1) and a sample claims-based application

Set up a virtual machine (WebServ1) by installing the Windows Server 2012 R2 operating system and join it to the domain contoso.com.
After it is joined to the domain, you can proceed to install and configure the Web Server role. To complete the walkthroughs that were referenced earlier in this topic, you must have a sample application that is secured by your federation server (ADFS1). You can download the Windows Identity Foundation SDK, which includes a sample claims-based application. You must complete the following steps to set up a web server with this sample claims-based application.
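Steps 1 and 2 above are mostly clicked through Server Manager. The script below is an added example (not part of the original walkthrough, nor Microsoft's own automation) that performs the scriptable parts of both steps as two functions, one to run on DC1 and one on ADFS1, and adds the checks a practitioner wants before committing: the gMSA is restricted to the ADFS1 host and to AES Kerberos encryption types, and the SSL certificate is verified to carry both required SAN entries before Install-AdfsFarm is allowed to use it. Assumptions: the host names, the contoso\ prefix, the 10.0.0.20 address, the function names and the lab sequence (ADFS1 is domain-joined before the gMSA is created, so its computer account exists) are ours; the cmdlets are the standard ActiveDirectory, DnsServer, ServerManager and ADFS ones shipped with Windows Server 2012 R2.

```powershell
# Added example, not part of the original walkthrough. Scriptable parts of Step 1 (DC1) and
# Step 2 (ADFS1) of the lab. Names, addresses and the contoso\ prefix are lab assumptions.

function Initialize-LabDomainController {
    # Run on DC1 after ADFS1 has joined the domain (its computer account must exist).
    param([string]$ZoneName = 'contoso.com', [string]$AdfsIPv4 = '10.0.0.20')
    Import-Module ActiveDirectory, DnsServer

    # Test user and group used by the walkthroughs; prompt rather than hard-code the password.
    New-ADGroup -Name Finance -GroupScope Global -GroupCategory Security
    New-ADUser -Name 'Robert Hatley' -SamAccountName RobertH -UserPrincipalName "RobertH@$ZoneName" `
        -AccountPassword (Read-Host -AsSecureString 'Password for RobertH') -Enabled $true
    Add-ADGroupMember -Identity Finance -Members RobertH

    # KDS root key for gMSA passwords. Backdating the effective time skips the 10-hour
    # replication wait; acceptable only in a single-DC lab. In production run
    # Add-KdsRootKey -EffectiveImmediately and wait the 10 hours.
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null }

    # gMSA for the AD FS service: only ADFS1 may fetch its password, and the account's
    # Kerberos encryption types are pinned to AES so its service tickets cannot use RC4.
    New-ADServiceAccount -Name FsGmsa -DNSHostName "adfs1.$ZoneName" `
        -ServicePrincipalNames "http/adfs1.$ZoneName" `
        -PrincipalsAllowedToRetrieveManagedPassword 'ADFS1$' `
        -KerberosEncryptionType AES128,AES256

    # DNS records Device Registration Service needs: A for the farm name, CNAME for
    # enterpriseregistration (one CNAME per UPN suffix in a real deployment).
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name adfs1 -IPv4Address $AdfsIPv4
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name enterpriseregistration -HostNameAlias "adfs1.$ZoneName"
}

function Initialize-LabFederationServer {
    # Run on ADFS1 once the SSL certificate is in the LocalMachine\My store.
    param([string]$FederationServiceName = 'adfs1.contoso.com',
          [string]$ServiceAccount = 'contoso\FsGmsa$',
          [string]$UpnSuffix = 'contoso.com')

    # The certificate must carry the farm name and enterpriseregistration.<UPN suffix> as SAN
    # entries; a certificate with only the CN right passes the wizard but breaks DRS later.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $FederationServiceName with a private key in LocalMachine\My" }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
    $san = $sanExt.Format($false)
    foreach ($name in $FederationServiceName, "enterpriseregistration.$UpnSuffix") {
        if ($san -notmatch [regex]::Escape("DNS Name=$name")) { throw "Certificate SAN lacks $name (have: $san)" }
    }

    Install-WindowsFeature ADFS-Federation, RSAT-AD-PowerShell -IncludeManagementTools | Out-Null
    # Fails if this host is not in the gMSA's PrincipalsAllowedToRetrieveManagedPassword.
    if (-not (Test-ADServiceAccount -Identity FsGmsa)) { throw 'ADFS1 cannot retrieve the FsGmsa password' }

    Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
        -FederationServiceName $FederationServiceName `
        -FederationServiceDisplayName 'Contoso Corporation' `
        -GroupServiceAccountIdentifier $ServiceAccount `
        -Credential (Get-Credential -Message 'Domain admin for contoso.com')

    # Device Registration Service (Windows Server 2012 R2 RTM cmdlets), equivalent to the
    # Initialize-ADDeviceRegistration / Enable-AdfsDeviceRegistration / console steps above.
    Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccount
    Enable-AdfsDeviceRegistration
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
}
```

Run Initialize-LabDomainController in an elevated PowerShell session on DC1 and Initialize-LabFederationServer on ADFS1, in that order; both functions stop at the first failed check rather than leaving a half-configured farm. The two hardening parameters on New-ADServiceAccount are the part worth keeping outside the lab: without PrincipalsAllowedToRetrieveManagedPassword any host could request the gMSA password, and without the AES-only encryption types the AD FS service ticket can be issued with RC4.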