Tag Archives : Windows Server


Building a Claims Aware Environment using ADFS 2.0 and WCF

Introduction

This is going to be a multi-part series of articles with the end goal of producing a solution which handles security/identity claims across domain boundaries using WCF services and Active Directory Federation Services 2.0 (with a federation trust) and Active Directory.  In order to demonstrate an approach to handling claims, we need an environment which is capable of supporting the infrastructure configuration we require.

Network Design

I strongly recommend that you put the time and effort into understanding the network topography.  When designing a key foundation of your approach to security, it’s critical that you have a working knowledge of the kind of trust you are placing in your trusted sub-systems.  For the next few articles, I’m going to rely on the following network design, which you can (not without some effort) establish for yourself using virtual machines:

[Image: Basic Network Design]

Host Configuration

To keep resource usage to a minimum, I’ve designed my test environment to reuse hosts for key roles.  In practice, you might not normally mix roles in a production environment – refer to the appropriate ‘best practices’ to properly plan your infrastructure and deployment of critical roles!  Here’s a view of what is on each host:

[Image: Host Configuration]

Installation and Configuration

You’ll need a minimum of two server installs to make this happen, although I’m using four to separate ADFS 2.0 and to configure an Enterprise Certificate Authority rather than a standalone CA.  You’ll also need the Windows Identity Foundation (WIF) SDK installed with your copy of Visual Studio (Visual Studio can be installed elsewhere – not on your test servers). 

I’ll be using Visual Studio 2010 for this, but I’m sure there’s a solution for Visual Studio 2012.  To streamline your configuration, I’ve provided links to some excellent walkthroughs on the MSDN blog site – the one you need to pay attention to is the ADFS 2.0 installation and configuration.

My Mobile Configuration

Since this is a fairly intensive number of operating systems, I’ve put together a fairly decent local configuration which I can take with me.  I’m using a 480 GB SanDisk SSD in an eSATA external enclosure (my laptop does not support USB 3 at the moment).  I’m running VM images off the SSD and getting very respectable performance.  No problems running four VMs in parallel.

[Image: Kit]

How to Get Up and Running

My best advice is to follow the links below.  You’ll need a fair amount of stuff downloaded, so better jump on that.  Once you have some clean OSes and the installation packages, my best advice is to follow the walkthroughs.  Be careful not to accidentally skip anything; the configuration is a bit tricky at times, but if you follow the walkthrough closely you should have a working environment in about half a day or less.  My configuration varies from the walkthrough (as I have two domains), but if you duplicate the configuration for two different directories you should have something which can work.

Links Galore

If you’re going to build a test environment (frankly, just do it – it’s the best way) budget at least a day to get everything configured properly.  Don’t cut corners, it’ll only hurt you later.
Check back soon for the next article, where we’ll start to get familiar with the environment, and build a claims-aware application.

Important Downloads

.NET Framework 4.0 Runtime
http://www.microsoft.com/en-au/download/details.aspx?id=17718

.NET Framework 4.0.3 Update
http://www.microsoft.com/en-au/download/details.aspx?id=29053
Update 4.0.3 for Microsoft .NET Framework 4 – Design-time Update for Visual Studio 2010 SP1
http://www.microsoft.com/en-au/download/details.aspx?id=29054

Active Directory Federation Services 2.0 (RTW)
http://www.microsoft.com/en-us/download/details.aspx?id=10909&hash=Hx4OGpwvFzmf7%2bC7rR1nq18CYhcY%2bSE4ok1ifL%2fvSkYIpezfAxg6ePR2zpfAplmm6g%2fUyL1VU7RtmnuR6T4NWg%3d%3d

Windows Identity Foundation (Runtime)
http://www.microsoft.com/en-us/download/details.aspx?id=17331

Windows Identity Foundation SDK
http://www.microsoft.com/en-us/download/details.aspx?id=4451


Installation and Configuration Walkthroughs

ADFS 2.0 Installation Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/installing-a-stand-along-adfs-service.aspx
Establishing a Federation Trust Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/establish-federation-trust.aspx

Building a Claims-aware Web Application Walkthrough
http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx

These walkthroughs really helped! 

Finally, if you hit problems with your STS certificate, check the HTTPS bindings of your local IIS:

http://www.shutuplaura.com/journal/2010/1/5/adfsv2-rc-iis-certificates.html


Hyper-V 2012 Review: VHDX Disks

Microsoft will be introducing a new file format (VHDX) for virtual hard disks as part of Hyper-V in Windows Server 2012.  The original format (VHD) has been around for many years; the new format provides a host of additional benefits.

At a glance, the new format supports up to 64 terabytes, so this will help in situations where large volumes of data need to be catered for.  The sector alignment and increased block sizes mean disk utilization is improved, and makes more efficient usage of modern disk drives.  There’s also a logging mechanism to reduce the impact of power outages.

Here’s the main info from Technet:

[1] The main new features of the VHDX format are:

  • Support for virtual hard disk storage capacity of up to 64 TB.
  • Protection against data corruption during power failures by logging updates to the VHDX metadata structures.
  • Improved alignment of the virtual hard disk format to work well on large sector disks.

The VHDX format also provides the following features:

  • Larger block sizes for dynamic and differencing disks, which allows these disks to attune to the needs of the workload.
  • A 4-KB logical sector virtual disk that allows for increased performance when used by applications and workloads that are designed for 4-KB sectors.
  • The ability to store custom metadata about the file that the user might want to record, such as operating system version or patches applied.
  • Efficiency in representing data (also known as “trim”), which results in smaller file size and allows the underlying physical storage device to reclaim unused space. (Trim requires physical disks directly attached to a virtual machine or SCSI disks, and trim-compatible hardware.)

I’m going to be writing more about the new edition of Hyper-V in coming articles.  Check back for more, including the following:

  • Hyper-V Replica
  • Expanded processor and memory support
  • Dynamic Memory Improvements
  • Network adapter improvements

[1] http://technet.microsoft.com/library/hh831446.aspx


Enabling remote administration of a Windows Server Core installation

If you have a Windows Server 2008 installation of the Server Core, you might run into a few nasty surprises when it comes time to administer the nuts and bolts of the configuration. 

The reliance on GUI tools causes some pain from an administration perspective, and when you come to remotely administer the machine you might find some surprises in store.


Common Error Messages

A common error message (when trying to access Device Manager remotely) is:

Unable to access the computer “ComputerName”. Make sure that this computer is on the network, has remote administration enabled, and is running the “Plug and Play” and “Remote registry” services.

The error was: Access Denied

Another common error message, when trying to view the server’s Event Log:

Event Viewer cannot connect to computer “ComputerName”. The error reported is: The RPC server is unavailable

..or how about the Disk Management view?

Disk Management could not start Virtual Disk Service (VDS) on “ComputerName”. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall.

All of these require some changes to the Core installation configuration.

Configuring Remote Administration – Firewall Rules

You’ll need local Administration rights and if the machine is on a Domain, you’ll need a domain account (but not necessarily Domain Administration rights).  You can also be a member of the Network Operators group, provided you have delegated permission to run netsh advfirewall commands.

To set the firewall rules, you’ll need shell access to the remote system.  Once at the command prompt, you can issue the following netsh commands to allow remote access through the server firewall.

To enable remote firewall administration:

netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

To enable remote administration:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

To allow remote management via specific MMC snap-ins, run the following command (substituting the rule group name for the snap-in you need):

netsh advfirewall firewall set rule group="<rulegroup>" new enable=yes

So, for example, to enable Remote Volume Management:

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
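The same rule-group changes as a PowerShell script, added here as an example rather than taken from the original post: it enables each group with netsh, scopes the rules to a single management subnet (the original commands leave the RPC endpoints reachable from any address) and then re-reads the firewall state so you can confirm exactly which rules are now live. Assumptions: it runs locally in an elevated shell on the Core host, the subnet 192.168.10.0/24 is a constructed placeholder, and netsh output is in English.

```powershell
# Added example (not from the original post). Enable the firewall rule groups a
# Server Core host needs for remote MMC administration, restricted to one
# management subnet, then list the rules that ended up enabled.
# Assumption: 192.168.10.0/24 is a constructed placeholder for your admin subnet.
$ManagementSubnet = '192.168.10.0/24'
$RuleGroups = @(
    'Windows Firewall Remote Management',   # remote firewall administration
    'Remote Administration',                # generic RPC-based administration
    'Remote Volume Management',             # Disk Management snap-in (VDS must also run)
    'Remote Event Log Management'           # Event Viewer snap-in
)

function Enable-ManagementRuleGroup {
    param([string]$Group, [string]$RemoteIp)
    # 'new remoteip=' rewrites every rule in the group so its listeners accept
    # connections only from the management subnet instead of from any address.
    $null = netsh advfirewall firewall set rule group="$Group" new enable=yes remoteip=$RemoteIp
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule group '$Group'" }
}

function Get-EnabledManagementRules {
    # Parse the verbose rule listing (one 'Rule Name:' block per rule) into
    # objects and keep only enabled rules that belong to one of our groups.
    $text = (netsh advfirewall firewall show rule name=all verbose) -join "`n"
    foreach ($block in ($text -split "`n(?=Rule Name:)")) {
        $rule = [ordered]@{}
        foreach ($line in ($block -split "`n")) {
            if ($line -match '^(Rule Name|Enabled|Direction|Profiles|Grouping|RemoteIP):\s*(.*)$') {
                $rule[$Matches[1]] = $Matches[2].Trim()
            }
        }
        if ($rule['Enabled'] -eq 'Yes' -and $RuleGroups -contains $rule['Grouping']) {
            [pscustomobject]$rule
        }
    }
}

foreach ($group in $RuleGroups) {
    Enable-ManagementRuleGroup -Group $group -RemoteIp $ManagementSubnet
}

# Review the result: any rule still showing RemoteIP 'Any' was not scoped.
Get-EnabledManagementRules |
    Sort-Object Grouping, 'Rule Name' |
    Format-Table 'Rule Name', Grouping, Direction, Profiles, RemoteIP -AutoSize
```

Remove the remoteip= argument from Enable-ManagementRuleGroup if you genuinely need the original, unscoped behaviour; the listing at the end makes the difference visible either way.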

Additional Configuration

Now, we’re not exactly out of the woods yet.  Believe it or not, there are some extra settings for some remote access.  In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

Device Manager

To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy:

1. On another machine open an MMC console (easiest way is Start->Run->mmc <enter>), start the Group Policy Object MMC snap-in (you might need to add it)

2. Connect to the Server Core installation

3. Navigate to Computer Configuration\Administrative Templates\System\Device Installation

4. Enable “Allow remote access to the PnP interface”

5. Restart the Server Core installation

Disk Management

You must first start the Virtual Disk Service (VDS) on the Server Core installation

IPSec Mgmt

On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:

Cscript \windows\system32\scregedit.wsf /im 1


Driver Installation

While we’re discussing it – driver installation is a little tricky too on Windows Server Core.  To install, you’ll need to get shell access (RDP works well) and then you’ll need to copy the drivers somewhere (preferably onto the system).

  • Navigate to the folder containing the INF files, and type in this command: pnputil -i -a C:\Drivers\LAN\filename.inf – where filename.inf is the name of the file containing the driver.
  • If you’re not sure which file it is, you can use a wildcard, like this: pnputil.exe -i -a C:\Drivers\LAN\*.inf – this will install all INF files.
  • You can also do pnputil /? to see all the options.

References:

    http://blogs.technet.com/b/askds/archive/2008/06/05/how-to-enable-remote-administration-of-server-core-via-mmc-using-netsh.aspx
    http://blogs.technet.com/b/server_core/archive/2008/01/14/configuring-the-firewall-for-remote-management-of-a-workgroup-server-core-installation.aspx
    http://social.technet.microsoft.com/Forums/en/winservercore/thread/48542fe8-a365-4306-bac6-a71cab867cc5
    http://ortuno2k.wordpress.com/2011/02/11/installing-drivers-on-windows-server-core/