
Secure Application Access by using AD FS and UAG – Strong Authentication

In the last two posts on this subject I showed you how to use UAG with Forms Based Authentication and as an ADFS Proxy. Today's demonstration shows how to use it with Strong Authentication, that is, Certificate Authentication. The topology in this configuration is very similar to the FBA topology, but it requires additional configuration on the UAG to require certificate authentication, and we have to use Kerberos Constrained Delegation (KCD) to reach the AD FS server. KCD is required because when a user authenticates to the UAG portal with a certificate, he never provides his UserID/password; so if we want SSO, UAG must be able to impersonate the user by using KCD and present a Kerberos ticket on behalf of the user to the AD FS server.
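One way to set up the KCD piece described above, shown here as an added example that is not taken from the post or from the UAG/AD FS product documentation: the ActiveDirectory PowerShell module commands below restrict the UAG computer account to delegating only to the AD FS HTTP SPN, enable protocol transition (required because the user never presented Kerberos credentials to UAG), and then verify the result and list every other account in the domain that has protocol transition enabled. The names UAG01, adfs.woodgrove.local and svc-adfs are placeholders that the post does not give, and the example assumes AD FS runs under a domain user account rather than a group managed service account.

```powershell
# Added example (not from the original post). Configure and verify Kerberos
# Constrained Delegation with protocol transition for a UAG server, so UAG can
# obtain a Kerberos service ticket to AD FS on behalf of a user who signed in
# to the portal with a certificate. All host and account names are placeholders.
Import-Module ActiveDirectory

$UagComputer        = 'UAG01'                       # UAG computer account (placeholder)
$AdfsSpn            = 'HTTP/adfs.woodgrove.local'   # SPN UAG will delegate to (placeholder)
$AdfsServiceAccount = 'svc-adfs'                    # account the AD FS service runs as (placeholder)

# 1. The AD FS SPN must be registered on exactly one account; without it the KDC
#    cannot issue UAG a ticket for HTTP/adfs.woodgrove.local at all.
$spnHolder = Get-ADObject -LDAPFilter "(servicePrincipalName=$AdfsSpn)" -Properties servicePrincipalName
if (-not $spnHolder) {
    Set-ADUser -Identity $AdfsServiceAccount -ServicePrincipalNames @{ Add = $AdfsSpn }
} elseif ($spnHolder.Count -gt 1) {
    throw "Duplicate SPN $AdfsSpn found on more than one account; fix that before enabling KCD."
}

# 2. Constrain the UAG computer account: add only the AD FS SPN to
#    msDS-AllowedToDelegateTo (-Add keeps SPNs of other published applications)
#    and set TRUSTED_TO_AUTH_FOR_DELEGATION ("use any authentication protocol").
#    Protocol transition is what lets UAG ask for a ticket for a user who
#    authenticated with a certificate instead of Kerberos.
$uag = Get-ADComputer -Identity $UagComputer -Properties msDS-AllowedToDelegateTo
if ($uag.'msDS-AllowedToDelegateTo' -notcontains $AdfsSpn) {
    Set-ADComputer -Identity $uag -Add @{ 'msDS-AllowedToDelegateTo' = $AdfsSpn }
}
Set-ADAccountControl -Identity $uag -TrustedToAuthForDelegation $true

# 3. Verify. TrustedForDelegation = $true would mean UNCONSTRAINED delegation,
#    which must not be combined with this setup: the constrained list would
#    then no longer limit which services UAG can impersonate users to.
$uag = Get-ADComputer -Identity $UagComputer `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($uag.TrustedForDelegation) {
    Write-Warning "$($uag.Name) has unconstrained delegation enabled; remove it before relying on KCD."
}
if (-not $uag.TrustedToAuthForDelegation) {
    Write-Warning "$($uag.Name) lacks protocol transition; certificate-authenticated users will not get SSO."
}
Write-Host "Delegation targets for $($uag.Name):"
$uag.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }

# 4. Periodic audit: every account allowed to perform protocol transition can
#    request tickets as any user for the services it delegates to, so each one
#    should be known and justified. 16777216 = 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
             -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass, @{ Name = 'DelegatesTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-Table -AutoSize
```

Run this as a domain administrator on a host with the RSAT ActiveDirectory module. The UAG server needs a reboot (or at least a Kerberos ticket cache purge) after step 2 before the new delegation settings take effect, and step 4 is worth scheduling on its own, since the combination of protocol transition and a delegation list is exactly what an attacker who compromises the UAG host would inherit.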

This demonstration was created to satisfy the following requirements for our fictitious Woodgrove Bank Corp:

  • Woodgrove Bank must provide secure access to documents on its Extranet SharePoint site to remote employees.
  • The SharePoint site was designed to accept Claims based authentication.
  • Remote employees must use Smart Cards for accessing the site (certificate authentication).
  • Limit access from client computers that do not meet the company policy.

As always, for best user experience please watch this demo in Full screen and enable HD. Let me know if you have any questions.

Microsoft U-Prove Community Technology Preview R2 Released

In case you missed it, a few days ago Microsoft released U-Prove Community Technology Preview R2. The official page with more information about it and the related downloads is here: https://connect.microsoft.com/site1188

At the time of this release it was also announced that Windows CardSpace 2.0 will no longer ship. Here is the link to this announcement: http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx

Secure Application Access by using AD FS and UAG – UAG acting as ADFS Proxy Topology

In the previous post I showed you how UAG can be used with ADFS to publish Claims aware applications and provide single sign-on into such applications along with traditional applications which require UserID/password. In that demonstration UAG was configured with Form Based Authentication (FBA), and users authenticated to UAG before they could get access to the actual applications.

Today's demonstration shows a different UAG/ADFS topology: UAG configured as an ADFS proxy exposes the ADFS server for authentication, and after that it can either present the UAG portal or route the user directly to the target application.

This demonstration was created to satisfy the following requirements for our fictitious Woodgrove Bank Corp:

  • Woodgrove Bank must provide secure access to documents on its Extranet SharePoint site to remote employees.
  • The SharePoint site was designed to accept Claims based authentication.
  • Woodgrove Bank plans to allow access to the SharePoint site to its partners using Claims based Federation technologies.
  • Limit access from client computers that do not meet the company policy.

As always, for best user experience please watch this demo in Full screen and enable HD. Let me know if you have any questions.

Secure Application Access with ADFS and UAG – UAG providing FBA

More and more companies wish to provide secure access to their applications from external locations. At the same time, many of these applications are starting to adopt new authentication technologies, such as Claims based authentication. The following demonstration shows how companies can use Forefront UAG 2010 and AD FS 2.0 to provide secure access to different types of internal applications, all published via a single unified portal and providing a Single Sign-On experience to their users.

The solution in this demonstration shows UAG implemented with FBA as the main authentication mechanism and its ability to access Claims based applications.

This solution was created to satisfy the following requirements for our fictitious Woodgrove Bank corporation:

  • Woodgrove Bank must provide secure access to documents on its Extranet SharePoint site to remote employees. It also wants to provide access to other internal resources.
  • The SharePoint site was designed to accept Claims based authentication.
  • Other resources require a standard UserID/password combination.
  • Woodgrove Bank employees should have an SSO experience when accessing documents on the Woodgrove Bank Extranet SharePoint site and other resources.
  • Limit access from client computers that do not meet the company policy.

For best viewing experience please watch it in Full screen with High Definition ON. Let me know if you have any questions.

Microsoft Business Ready Security–Secure Collaboration for Roaming Users with Unified Access Gateway

Did you know that you can download virtual labs to your own host system and test Microsoft Business Ready Security (BRS) solutions? It is available to anyone on the Internet. Go check it out for yourself: http://go.microsoft.com/fwlink/?LinkId=190269

If for some reason you cannot download those labs, don't have time to set it all up, don't have capable hardware/OS to run it, or you need extra explanation on how these solutions work, then you are in the right place. Here is one of the solutions that are enabled by Microsoft BRS.

The following demo shows a solution created to satisfy the following business and technical requirements:

  • Provide access to the internal network to roaming users from the Internet.
  • Limit access from client computers that do not meet the company policy.

For best viewing experience please watch it in Full screen with High Definition ON. Let me know if you have any questions.

Microsoft Business Ready Security–Secure Collaboration with Partners by using AD FS

Did you know that you can download virtual labs to your own host system and test Microsoft Business Ready Security (BRS) solutions? It is available to anyone on the Internet. Go check it out for yourself: http://go.microsoft.com/fwlink/?LinkId=190269

If for some reason you cannot download those labs, don't have time to set it all up, don't have capable hardware/OS to run it, or you need extra explanation on how these solutions work, then you are in the right place. Here is one of the solutions that are enabled by Microsoft BRS.

The following demo shows a solution created to satisfy the following business and technical requirements:

  • Woodgrove Bank and TreyEngineering are working on a joint project.
  • Woodgrove Bank must provide access to some documents on its Extranet SharePoint site to the employees of TreyEngineering who were assigned to this project.
  • Woodgrove Bank will not create accounts for TreyEngineering employees in its user domain.
  • TreyEngineering employees should have an SSO experience when accessing documents on the Woodgrove Bank Extranet SharePoint site.
  • SharePoint must be protected from documents with known viruses.

For best viewing experience please watch it in Full screen with High Definition ON. Let me know if you have any questions.

Implementing FIM 2010 Certificate Management (Part 4)

This is the fourth and final installment in a four-part series showing how to implement a FIM 2010 Certificate Management solution. You can watch the previous three parts by going to each presentation:

  1. Implementing FIM 2010 Certificate Management (Part 1)
  2. Implementing FIM 2010 Certificate Management (Part 2)
  3. Implementing FIM 2010 Certificate Management (Part 3)

If you wonder what the final result of this specific implementation is, then please watch the demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Today's demonstration covers the following tasks:

  • Configure Service Connection Point Permissions
  • Delegate Profile Template Permissions
  • Configure Permissions on Certificate Sponsor
  • Create SSL Profile Template
  • Configure Profile Details
  • Configure Enroll Policy
  • Configure Revoke Policy
  • Define Permissions on the SSL Profile Template
  • Request Certificate for FIM CM Portal
  • Fixing FIM 2010 CM Configuration (AES and CSP)
  • Request Certificate again
  • Installation of issued Certificate on the FIM 2010 CM
  • Set SPN for the new URL
  • Final test of the new Portal

For better experience please watch it in Full screen and enable HD.

Implementing FIM 2010 Certificate Management (Part 3)

This is the third installment in a four-part series showing how to implement a FIM 2010 Certificate Management solution. You can watch the first part of this series at "Implementing FIM 2010 Certificate Management (Part 1)" and the second part at "Implementing FIM 2010 Certificate Management (Part 2)". If you wonder what the final result of this specific implementation is, then please watch the demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Today's demonstration covers the following tasks:

  • Installation of FIM 2010 CM CA modules on the Issuing CA
  • Configuration of Exit Module
  • Check that CA is registered in SQL
  • Configuration of FIM 2010 CM Policy Module with CLM Agent Thumbprint
  • Enable Constrained Delegation for the FIM 2010 CM Computer Account
  • Enable Constrained Delegation for clmWebPool account
  • Adding Subject Module and SubjectAltName Module on CA
  • Configure SSL Templates
  • Configure Subject Policy Module
  • Configure SubjectAltName Policy Module

For better experience please watch it in Full screen and enable HD.

Implementing FIM 2010 Certificate Management (Part 2)

This is the second installment in a four-part series showing how to implement a FIM 2010 Certificate Management solution. You can watch the first part of this series at "Implementing FIM 2010 Certificate Management (Part 1)". If you wonder what the final result of this specific implementation is, then please watch the demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Today's demonstration covers the following tasks:

  • Performing Initial Configuration via FIM 2010 CM Configuration Wizard
  • Designating pre-enrolled Agent Certificates in the FIM 2010 CM web.config file
  • Disable Kernel mode Authentication in IIS
  • Create Accounts for Issuing CA in FIM 2010 CM SQL database
  • Open Firewall on the FIM 2010 CM for SQL Communication

For better user experience please watch this in Full screen and in HD.

Implementing FIM 2010 Certificate Management (Part 1)

Did you have a chance to watch the demonstration on how to use FIM 2010 CM for manual certificate issuance? If not, you can watch it here.

If you are interested in learning how I configured the FIM 2010 CM environment to provide the functionality shown, then start watching the following demonstration. I broke the entire implementation down into four parts, and here is the first part of the series. Parts 2-4 are coming in the near future.

In this demonstration we will do the following tasks to prepare the environment for the FIM 2010 CM installation:

  • Modify AD Schema with FIM 2010 CM extensions
  • Create Required Accounts and Groups
  • Create Certificate Templates for FIM 2010 CM Agents
  • SQL Installation
  • Installation of IIS and disabling SSL 2.0
  • Installation of SMTP Service
  • FIM 2010 CM software installation
  • Enable Logon Locally for Agent Accounts
  • Deployment of Agent Certificates on the FIM 2010 CM Server

Please watch this video in Full screen and in HD for higher quality and better user experience. Let me know if you have any questions.