If you would like to read the other parts in this article series please go to:
- Windows Server 2012 R2 and BYOD (Part 1)
- Windows Server 2012 R2 and BYOD (Part 2)
- Windows Server 2012 R2 and BYOD (Part 3)
- Windows Server 2012 R2 and BYOD (Part 4)
- Windows Server 2012 R2 and BYOD (Part 5)
- Windows Server 2012 R2 and BYOD (Part 7)
- Windows Server 2012 R2 and BYOD (Part 8)
- Windows Server 2012 R2 and BYOD (Part 9)
Introduction
Now that we have installed the Windows Identity Foundation and Internet Information Services, we have just a little bit more work to do in order to make our Web server act like a Web application that we can use for testing purposes. We need to wrap up the configuration process by installing the Windows Identity Foundation SDK, setting up a simple Web app, and creating the necessary relaying party trust on the ADFS server.
Installing the Windows Identity Foundation SDK
In the previous article, we installed IIS and some supporting components onto our Web server. Now, we need to install the Windows Identity Foundation SDK. The first step in the process is to make sure that the server is configured with a valid certificate. To do so, open the IIS Manager (you can find it on the Server Manager’s Tools menu).
When the console opens, select the container that corresponds to the name of your Web server and then double click the Server Certificates icon. On the following screen, click the Create Certificate Request link. This will cause Windows to display the Request Certificate dialog box. You can enter anything that you want for most of the dialog box’s fields, but the Common Name field must contain the Web server’s Fully Qualified Domain Name (make sure that it matches the server’s name exactly). You can see an example of this in Figure A.
Figure A: The common name must match the server’s fully qualified domain name.
Click Next and you will be prompted to choose a cryptographic service provider. Click Next to accept the defaults. Now, enter a path and a filename for the certificate request and click Finish.
Once the certificate request file has been created, you will have to send the request to your enterprise certificate authority. To do so, open your Web Browser (make sure that the enhanced security configuration is turned off) and go to http://<your certificate authority>/Certsrv. For example, my certificate authority is on a server named DC.BYOD-Lab.com, so I used the URL DC.BYOD-Lab.com/CertSrv.
After entering the URL, you will be prompted to log into the certificate authority with administrative credentials. After doing so, you should arrive at the Active Directory Certificate Services Web site.
Click the Request a Certificate link. After doing so, you will see a screen asking if you want a user certificate or if you want to submit an advanced certificate request. Choose the Advanced Certificate Request option. On the following screen, choose the option to submit a certificate request by submitting a base 64 encoded file.
At this point, you must open the certificate request file that you created earlier. I recommend opening the file in Notepad. Once open, copy the file’s contents, and then paste it into the Saved Request box. Make sure to set the Certificate Template option to Web Server, as shown in Figure B.
Figure B: Your certificate request should look like this.
Click the Submit button to submit your certificate request. When the request completes, you will have the opportunity to download the certificate. Download the certificate and save it to your server’s hard disk.
Now, switch back over to the IIS Manager and click the Complete Certificate Request link. Provide the path and the file name for the certificate that you just downloaded. Provide a friendly name for the certificate and accept the default certificate store, as shown in Figure C. Click OK to import the certificate.
Figure C: This is how you complete the certificate request.
Now that the certificate is in place, we can install the Windows Identity Foundation SDK. You can download the SDK here. The download link on this page allows you to download multiple versions of the SDK. You must download and install version 3.5.
Configuring a Web App
Now that the SDK has been installed, we need to put together a simple app that we can use to test the workplace join feature. To do so, create a folder on the server’s hard disk named C:\inetpub\Claimapp. Now, copy the contents of C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimAwareWebApp to the folder that you just created.
We just copied a sample Web app from the SDK to a folder that we can use to host a Web site that will be based on the app. Even so, we can’t use the app in its current form. We need to make a couple of minor modifications.
Go to the C:\Inetpub\Claimapp folder and open the Default.aspx.cs file in Notepad. Now, search the file for the second occurrence of the phrase ExpectedClaims. You must comment out this line by adding // to the beginning of the command. You can see what this looks like in Figure D. When you are done, save and close the file.
Figure D: You must comment out the ExpectedClaims line.
We need to make one more modification, but this time it’s the Web.config file that must be modified. For this file you must delete the entire MicrosoftIdentityModel section, as shown in Figure E.
Figure E: You must delete the MicrosoftIdentityModel section.
Now that we have appropriately modified the app, we can turn it into a Web site. To do so, open the IIS Manager. Expand the ApplicationPools container and then right click on the DefaultAppPool and choose the Advanced Settings command from the shortcut menu, as shown in Figure F. Change the Load User Profile value to True, and click OK.
Figure F: Right click on the DefaultAppPool and select the Advanced Settings command from the shortcut menu.
Now, right click on the DefaultAppPool again, but this time, choose the Basic Settings command. When the Edit Application Pool dialog box appears, change the .NET CLR Version to version 2.0.50727, and click OK.
Now we need to modify the site’s bindings to use the certificate that we installed earlier. To do so, expand the Sites container, right click on the Default Web Site, and select the Edit Bindings command from the shortcut menu. When the Edit Bindings window appears, click the Add button and then choose the HTTPS option from the Type drop down menu. Make sure that the port number is set to 443, and then select your certificate from the SSL Certificate drop down list, as shown in Figure G. When you are done, click OK, followed by Close.
Figure G: You must create an SSL binding that uses your Web server certificate.
The last step in the process is to define our Web application. To do so, right click on the Default Web Site container and select the Add Application command from the shortcut menu. Enter Claimapp into the Alias field, and set the physical path to C:\Inetpub\Claimapp, as shown in Figure H. Click OK to complete the process.
Figure H: Set ClaimApp as the alias and specify the physical path.
Conclusion
We have now created a Web app that we can use for testing purposes. However, we still need to make our federation server aware of the app that we just deployed. I will show you how to do that in Part 7.
If you would like to read the other parts in this article series please go to:
- Windows Server 2012 R2 and BYOD (Part 1)
- Windows Server 2012 R2 and BYOD (Part 2)
- Windows Server 2012 R2 and BYOD (Part 3)
- Windows Server 2012 R2 and BYOD (Part 4)
- Windows Server 2012 R2 and BYOD (Part 5)
- Windows Server 2012 R2 and BYOD (Part 7)
- Windows Server 2012 R2 and BYOD (Part 8)
- Windows Server 2012 R2 and BYOD (Part 9)
