Windows Server 2012 R2 and BYOD (Part 5)

If you would like to read the other parts in this article series please go to:

Introduction

In the previous article in this series, we deployed the Active Directory Federation Service. Although the Active Directory Federation Service is up and running, there is still a little bit of configuration work that needs to be done in order to finish the configuration.

Completing the Active Directory Federation Service Configuration

Although you were able to complete the bulk of the Active Directory Federation Service configuration through the configuration wizard, you will have to delve into PowerShell to finish the configuration process. To do so, open PowerShell on your ADFS server and enter the following command:

Initialize-ADDeviceRegistration

When you do, you will be prompted to provide a service account name. Enter the name of the service account that you created earlier in this series. As you may recall, the name of the service account that we created earlier in this series was FSGMSA. You will have to enter the service account in domain\username format. If you have been using the same naming conventions that I have, then the name will be BYOD-Lab\FSGMSA$. Don’t forget the dollar sign at the end of the service account name: a group Managed Service Account name always carries a trailing $, and without it the procedure won’t work.

After entering the service account name, you will see a prompt asking whether you want to continue with preparing Active Directory to host the Device Registration Service. Go ahead and press Y to initialize the Device Registration Service.

The service will take about twenty seconds to initialize and then you will be returned to the PowerShell prompt. Now, you must enter the following command:

Enable-AdfsDeviceRegistration

You can see what the full process looks like in Figure A.

Figure A: You will have to initialize the Device Registration Service through PowerShell.

At this point, you will need to enable device authentication on your ADFS server. To do so, close PowerShell and open Server Manager. Next, select the AD FS Management command from Server Manager’s Tools menu. This will cause Windows to open the AD FS Management Console. Now, right click on the Authentication Policies container and select the Edit Global Primary Authentication command from the shortcut menu, as shown in Figure B.

Figure B: Right click on the Authentication Policies container and select the Edit Global Primary Authentication policies option from the shortcut menu.

Windows will now display the Edit Global Authentication Policy dialog box. Select the Enable Device Authentication checkbox as shown in Figure C, and click OK.

Figure C: Select the Enable Device Authentication checkbox.
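The same three steps (preparing Active Directory for the Device Registration Service, enabling it in the farm, and turning on device authentication) can be done entirely from PowerShell on the AD FS server, with checks before and after. The following script is an added example, not the article's own; it assumes the gMSA name FSGMSA and the domain BYOD-Lab used in this series, and the Test-ADServiceAccount pre-check is my addition rather than a step the article performs.

```powershell
# Added example: completes the Device Registration Service setup from PowerShell
# on the AD FS server. Assumes the series' names: gMSA FSGMSA in domain BYOD-Lab.
Import-Module ActiveDirectory
Import-Module ADFS

$serviceAccount = 'BYOD-Lab\FSGMSA$'   # the trailing $ is mandatory for a gMSA

# Pre-check (my addition): this host must be able to retrieve the gMSA password,
# otherwise the AD FS service cannot run under the account.
if (-not (Test-ADServiceAccount -Identity 'FSGMSA')) {
    throw "This server cannot retrieve the password for $serviceAccount; check PrincipalsAllowedToRetrieveManagedPassword on the gMSA."
}

# Step 1: prepare Active Directory to host the Device Registration Service.
# This prompts for confirmation (press Y), exactly as the article describes.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount

# Step 2: enable the Device Registration Service in this AD FS farm.
Enable-AdfsDeviceRegistration

# Step 3: the PowerShell equivalent of the 'Enable Device Authentication' checkbox
# in the Edit Global Authentication Policy dialog.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify the result rather than trusting the console output.
Get-AdfsDeviceRegistration | Format-List
Get-AdfsGlobalAuthenticationPolicy | Select-Object -Property DeviceAuthenticationEnabled
```

If the last command does not show DeviceAuthenticationEnabled set to True, the checkbox step in Figure C has not taken effect and Workplace Join will not work, so it is worth confirming before moving on to DNS.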

Modifying Your DNS Entries

The next thing that you will have to do is to make some modifications to your DNS so that client machines can find the Device Registration Service. To do so, switch to your Domain Controller and open the DNS management console (you can access the console through the Server Manager’s Tools menu).

When the DNS management console opens, navigate through the console tree to DNS | <your domain controller> | Forward Lookup Zones | <your domain>. Now, right click on the container representing your domain, and choose the New Host (A or AAAA) command from the shortcut menu, as shown in Figure D.

Figure D: Right click on your domain and choose the New Host (A or AAAA) command from the shortcut menu.

The next screen that you will see asks you to provide a host name and an IP address. You will need to provide a name for your ADFS farm. For the sake of this article series, I am going to call my farm BYOD-ADFS. The IP Address field should contain the ADFS server’s IP address, as shown in Figure E. Click Add Host to complete the process.

Figure E: Enter the name of your ADFS farm and your ADFS server’s IP address.

Now we need to set up an alias. To do so, right click on the container representing your domain and choose the New Alias (CNAME) command from the shortcut menu. When the New Resource Record dialog box appears, enter enterpriseregistration into the Alias name box. The Fully Qualified Domain Name of the Target Host field should contain the fully qualified domain name for the host record that you previously created. For example, my host name was BYOD-ADFS and my domain name is BYOD-Lab.com. Therefore, my fully qualified domain name would be BYOD-ADFS.BYOD-Lab.com, as shown in Figure F.

Figure F: The resource record should look something like this.
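Both DNS records from this section can also be created and then verified from PowerShell on the domain controller. This is an added example rather than the article's own script; it uses the zone BYOD-Lab.com and the farm name BYOD-ADFS from the series, and the IP address is a placeholder you must replace with your ADFS server's address.

```powershell
# Added example: creates the host (A) record for the AD FS farm and the
# enterpriseregistration alias (CNAME) described above, then resolves both.
Import-Module DnsServer

$zone     = 'BYOD-Lab.com'     # the forward lookup zone for your domain
$farmName = 'BYOD-ADFS'        # the AD FS farm name chosen in this series
$adfsIp   = '192.0.2.10'       # placeholder: replace with your AD FS server's IP

# Host (A) record: BYOD-ADFS.BYOD-Lab.com -> AD FS server
Add-DnsServerResourceRecordA -ZoneName $zone -Name $farmName -IPv4Address $adfsIp

# Alias (CNAME): enterpriseregistration.BYOD-Lab.com -> BYOD-ADFS.BYOD-Lab.com
# Workplace Join clients look up this well-known name to find the Device Registration Service.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'enterpriseregistration' -HostNameAlias "$farmName.$zone"

# Verify from the resolver's point of view; both must return answers before
# any client is expected to register.
Resolve-DnsName -Name "$farmName.$zone" -Type A
Resolve-DnsName -Name "enterpriseregistration.$zone" -Type CNAME
```

Two checks worth making here: Resolve-DnsName should be run from a client, not only on the domain controller, so that you are testing the resolver the devices will actually use; and if your users sign in with a UPN suffix that differs from the Active Directory DNS name, the enterpriseregistration alias is needed in that suffix's zone as well, because clients build the lookup name from the user's UPN suffix.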

Configuring the Web Server

Right now all of the necessary ADFS configuration work is done. However, we still need a way to prove that it is working. As you may recall, at the very beginning of this article series we set up a Web server that we have not yet done anything with. We will set up a simple claims-aware app within IIS on this Web server and use it as a way of proving that BYOD devices are able to access corporate applications.

The first thing that we will need to do on the Web server is to install Windows Identity Foundation and IIS. To do so, log into the server and open Server Manager. Select the Add Roles and Features command from the Manage menu.

When the Add Roles and Features Wizard appears, click Next to bypass the Welcome screen. Next, you will see the Installation Type screen. Choose the Role Based or Feature Based Installation option. Click Next, and you will be taken to the Server Selection screen. Make sure that your Web server is selected and click Next.

At this point, you will see the Server Roles screen. Choose the Web Server (IIS) role. When you do, you will be prompted to add some additional features. Click the Add Features button.

Click Next and you will be taken to the Features page. Select the Windows Identity Foundation 3.5 feature and click Next.

You will now see an explanatory screen for the Web Server role. Click Next to bypass this screen.

The next screen that you will see is the Role Services screen. Scroll down until you see the Application Development role service. Expand the Application Development container and then select the ASP.NET 3.5 option, as shown in Figure G. When you do, you will be prompted to add some additional features. Simply click the Add Features button to install the required features. Click Next, followed by Install to install the required features. When the installation process completes, click Close.

Figure G: Install the ASP.NET 3.5 role service.
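The wizard walk-through above selects three things: the Web Server (IIS) role, the ASP.NET 3.5 role service, and the Windows Identity Foundation 3.5 feature. The following script is an added example (not from the article) that installs the same set with Install-WindowsFeature on the Web server and then confirms the install state; the feature names are the Windows Server 2012 R2 names, and the -Source path is a placeholder for your installation media.

```powershell
# Added example: installs the roles and features selected in the wizard above
# and verifies the result, on the Web server.
Import-Module ServerManager

$features = @(
    'Web-Server',                   # Web Server (IIS) role
    'Web-Asp-Net',                  # Application Development > ASP.NET 3.5
    'Windows-Identity-Foundation'   # Windows Identity Foundation 3.5
)

# ASP.NET 3.5 depends on .NET Framework 3.5, whose payload is not staged on disk
# by default on Server 2012 R2. If the install fails for that reason, re-run with
# -Source pointing at the sources\sxs folder of the installation media, e.g.:
#   Install-WindowsFeature -Name $features -IncludeManagementTools -Source 'D:\sources\sxs'
$result = Install-WindowsFeature -Name $features -IncludeManagementTools

if (-not $result.Success) {
    throw "Feature installation failed (exit code: $($result.ExitCode)). Check the -Source path for .NET 3.5."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the Web server can be used.'
}

# Confirm the install state instead of assuming it from the wizard's Close button.
Get-WindowsFeature -Name $features | Format-Table -Property Name, InstallState -AutoSize
```

Every entry in the final table should show an InstallState of Installed; anything reported as Available means that role service or feature was skipped and the claims-aware test app set up in the next part will not run.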

Conclusion

Now that we have installed the Windows Identity Foundation and Internet Information Services, we have just a little bit more work to do in order to make our Web server act like a Web application that we can use for testing purposes. In the next article in this series, we will wrap up the configuration process by installing the Windows Identity Foundation SDK, setting up a simple Web app, and creating the necessary relying party trust on the ADFS server.
