Claims-based authentication: Finishing Configuration of Virtual Machine and Setting up Kentico


In the first part of the series we prepared a virtualized environment and started to configure some services that are necessary for the AD FS service. In the second part, we will finish the configuration of the virtual machine and configure Kentico to use claims-based authentication. So let’s get started.

More configuration of the virtual machine

There is one more thing we need to ensure before installing Active Directory Federation Services. We are going to create a certificate for SSL server authentication. This is necessary because AD FS uses certificates for the purpose of encrypting and digitally signing tokens. First, we need to install Active Directory Certificate Services. We do the installation in exactly the same way as we did in the case of other Server Roles.

On the Role Services tab, select only Certification Authority (the default option) and click Next. After the installation has completed we need to do the post-deployment configuration for AD CS: click the Configure Active Directory Certificate Services on the destination server link.

On the Role Services tab, select Certification Authority and click Next. It is not necessary to change anything else on the configuration screens—you can leave the default values. Once you get to the Confirmation screen, click Configure and then close the windows when the configuration is done.

Before we can request an SSL certificate for AD FS, we need to set up an appropriate SSL template in the Certification Authority. Open Server Manager, select the Tools option in the menu and click Certification Authority. Locate the Certificate Templates folder in the navigation tree, right-click it and select the Manage option.

It is not necessary to create a new template from scratch; we will clone an existing one. Find the template with the Template display name Web Server, right-click it and select the Duplicate Template option. Navigate to the General tab and choose a name for the template. I will use ADFSCert as the template display name. Click the Security tab, select Authenticated Users from Group or user names and then select Enroll in the Permissions for Authenticated Users. In the Subject Name tab, select Build from this Active Directory information, choose Common Name as the Subject name format, and check DNS name is an alternate subject name. After this is done, close the Certificate Templates console. The next step is to publish the new certificate template. Right-click the Certificate Templates folder, select New and then Certificate Template to Issue.

On the following screen select the certificate template we created before, in my case ADFSCert. After this is done we can request a certificate for the AD FS server. Open the command prompt and run the mmc command, which opens the MMC console. Go to the File menu and click the Add/Remove Snap-in option. Select Certificates and click the Add button. In the dialog select Computer account and Local computer, click Finish and then click OK. In the navigation tree, expand Certificates, right-click Personal, select All Tasks, and then Request New Certificate. On the Request Certificates screen, check your certificate (in my case ADFSCert) and click Enroll.

Finally, we can now move on and install Active Directory Federation Services. See the screenshot below.

You can leave the default options and, on the Confirmation screen, click the Install button. Once again, after the installation is finished, we need to perform the post-deployment configuration for AD FS. To do that, click the Configure the federation service on this server link.

On the Welcome screen, select the option Create the first federation server in a federation server farm and click Next. On the Connect to AD DS screen, proceed with Next. On the Specify Service Properties screen, select the SSL Certificate from the drop-down list: you need to select the certificate we previously created in the MMC console. For Federation Service Display name use, for example, ADFSTestServer. On the next screen, for the Account Name select the adfsService account we created before. On the Specify Configuration Database screen, leave the selected option Create a database on this server using Windows Internal Database, and then click Next. Review the options and then click the Configure button.

If you get the following warning during the configuration, “An error occurred during an attempt to set the SPN for the specified service account”, you can ignore it and close the screen.

At this point AD FS should be configured, and to verify that we need to add an HTTPS binding in IIS. Open the Internet Information Services (IIS) Manager, expand the navigation tree, and select your site. In the right column click the Bindings link. For more information on how to configure the HTTPS binding see the screenshot below.
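The certificate enrollment, AD FS farm setup and HTTPS binding walked through above can also be scripted with the PowerShell modules that ship with those roles. The script below is an added example, not code from the original post or from Kentico or Microsoft documentation. It assumes the ADFSCert template has already been published and the adfsService account already exists as described earlier; the federation service FQDN adfs.virtual.local, the VIRTUAL domain name and the Default Web Site site name are placeholders for your own lab values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the virtual machine after the ADFSCert template is published.
Import-Module PKI
Import-Module WebAdministration

# 1. Enroll the SSL certificate from the enterprise CA using the ADFSCert
#    template. Subject and SAN are built from AD, as the template specifies,
#    so no -SubjectName or -DnsName is needed here.
$enroll = Get-Certificate -Template "ADFSCert" -CertStoreLocation "Cert:\LocalMachine\My"
if ($enroll.Status -ne "Issued") { throw "Enrollment failed with status: $($enroll.Status)" }
$sslCert = $enroll.Certificate
"Enrolled SSL certificate, thumbprint $($sslCert.Thumbprint)"

# 2. Install the AD FS role (the equivalent of the Server Manager wizard).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 3. Create the first federation server in a new farm. Without
#    -SQLConnectionString the Windows Internal Database is used, exactly as
#    the wizard's default. Account and FQDN are placeholders.
$svcCred = Get-Credential -UserName "VIRTUAL\adfsService" -Message "AD FS service account password"
Install-AdfsFarm `
    -CertificateThumbprint $sslCert.Thumbprint `
    -FederationServiceName "adfs.virtual.local" `
    -FederationServiceDisplayName "ADFSTestServer" `
    -ServiceAccountCredential $svcCred

# 4. Add an HTTPS binding to the IIS site and attach the same certificate,
#    skipping the binding if one already exists.
$siteName = "Default Web Site"   # placeholder site name
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $sslCert -ErrorAction SilentlyContinue
"HTTPS binding on port 443 now uses certificate $($sslCert.Thumbprint)"
```

Keeping the enrollment status check is worth the extra line: if the template's Enroll permission was not granted to Authenticated Users, Get-Certificate reports a non-Issued status and the script stops before Install-AdfsFarm is handed a thumbprint that does not exist in the machine store.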

Now you should be able to browse your website using HTTPS protocol. Since you are using your own certificate, most probably you will get a certificate error and you will need to add an exception, but for our purpose that is completely fine. To verify the AD FS functionality open the web browser and visit the following URL, . If the file loads successfully, that means the AD FS is configured properly. Note that you will need to change the IP address in the URL and use the IP address of your machine. The other way to check whether the AD FS is configured properly is to visit the following URL,  and after the page loads click the Sign in button. We will use the credentials of the testUser we created before. You should see a screen similar to the picture below.

After you have verified that AD FS is configured properly, open Server Manager, choose Tools from the menu, and select AD FS Management. In the left navigation tree expand Trust Relationships and select Relying Party Trusts. In the right column click Add Relying Party Trusts.

On the Welcome interface click Start. On the Select Data Source interface choose the option Enter data about relying party manually and click Next. Next, specify a display name for the relying party. On the Choose Profile interface, select AD FS Profile. After you move to the Configure URL interface, enable support for the WS-Federation Passive protocol and insert the URL. In my case, I am going to use https://localhost/Kentico_9_test. On the Configure Multi-Factor Authentication Now? interface, select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next. On the Choose Issuance Authorization Rules interface, select the option Permit all users to access this relying party and click Next. At this point, the relying party should be added. After you click the Close button, the Edit Claim Rules dialog for that relying party opens.

In the newly opened dialog window click the Add Rule button. On the Choose Rule Type interface select Pass Through or Filter an Incoming Claim from the drop-down list as the rule template and click Next. On the next screen choose a name for the rule (in my case, simply MyRule), set the incoming claim type to Name, select the Pass through all claim values option, and click the Finish button.
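The relying party trust and its two rules (permit all users, pass through the Name claim) can be created in one step with the ADFS PowerShell module; the rule sets are written in the AD FS claim rule language the wizard generates behind the scenes. This is an added example, not code from the original post. It assumes the same relying party URL as above, https://localhost/Kentico_9_test, and uses the display name "Kentico 9 test" as a placeholder.

```powershell
# Added example (not from the original post). Run on the AD FS server.
Import-Module ADFS

$rpUrl = "https://localhost/Kentico_9_test"   # relying party URL from the post

# Issuance authorization: permit every authenticated user, as the wizard's
# "Permit all users to access this relying party" option does.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: the "Pass Through or Filter an Incoming Claim" template
# for the Name claim type, passing through all values, named MyRule.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "MyRule"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@

# The URL serves both as the identifier (audience) and as the WS-Federation
# passive endpoint, matching what the wizard does when you insert the URL.
Add-AdfsRelyingPartyTrust `
    -Name "Kentico 9 test" `
    -Identifier $rpUrl `
    -WSFedEndpoint $rpUrl `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Read the trust back to confirm the rules were stored as intended.
$trust = Get-AdfsRelyingPartyTrust -Name "Kentico 9 test"
"Identifier(s): $($trust.Identifier -join ', ')"
"WS-Fed endpoint: $($trust.WSFedEndpoint)"
$trust.IssuanceTransformRules
```

The identifier value matters later: it is what Kentico compares against its Security realm and Allowed audience URIs settings, so the token will be rejected if the two sides disagree on the string, scheme included.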

At this point, our AD FS is configured and there is one more thing we need to do on the virtual machine. We are going to export the certificate which we created before and use it on the machine with Kentico. To do that, stay in the AD FS Management application, expand the Service folder, and click the Certificates folder. In the Token-signing section, there should be the certificate we created. If that is the case, double-click it.

In the Certificate dialog, switch to the Details tab and click Copy to File. You can leave the default options and export the file. After you transfer the certificate file from the virtual machine, you can switch to the Kentico box.

Configuration of the host machine

During the next steps, we will need to install the previously exported signing certificate. For this purpose, we will run the mmc.exe command. After you run the MMC application, click File, then Add/Remove Snap-in, select Certificates, and click the Add button. In the Certificates snap-in dialog, choose the Computer account option and click Next. On the next screen select Local computer, click Finish, and click OK.

Now in the Console Root tree select the installation location. If the Certificate validator is set to Chain trust, select Certificates, then Local Computer, Trusted People, and the Certificates folder. If the Certificate validator is NOT set to Chain trust, then select Certificates, Local Computer, Personal, and the Certificates folder. At this point we have not set the certificate validator yet; we will do that in the Kentico administration interface, so if you are not sure which option to use, you can import the certificate into both locations. As for the import process itself, click More Actions in the right column, then All Tasks, and select Import. Then all you need to do is select the location in which you stored the certificate and finish the process.

There is one more thing we are going to do in the MMC application: we need the certificate thumbprint. Open the imported certificate by double-clicking it, switch to the Details tab, select Thumbprint in the list box and copy the thumbprint value.
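Both halves of the certificate hand-over described above (exporting the token-signing certificate on the virtual machine, then importing it on the Kentico host and reading its thumbprint) can be done from PowerShell. This is an added example, not code from the original post. It assumes the PKI and ADFS modules available on Windows Server 2012 R2 or later, and the file path C:\temp\adfs-token-signing.cer is a placeholder. The store mapping follows the post: Trusted People for the Chain trust validator, Personal otherwise.

```powershell
# Added example (not from the original post).

# --- Part A: run on the AD FS virtual machine ---------------------------
Import-Module ADFS
$exportPath = "C:\temp\adfs-token-signing.cer"   # placeholder path

# Pick the primary token-signing certificate shown in the Token-signing
# section of AD FS Management.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

# -Type CERT writes the DER-encoded public certificate only (the wizard's
# default export); the private key stays on the AD FS server.
Export-Certificate -Cert $signing.Certificate -FilePath $exportPath -Type CERT | Out-Null
"Exported token-signing certificate $($signing.Thumbprint) to $exportPath"
# Note this thumbprint: after copying the file, compare it with the value
# read on the Kentico host so a wrong or altered file is caught.

# --- Part B: run on the Kentico host after copying the .cer file over ----
Import-Module PKI
$certPath = "C:\temp\adfs-token-signing.cer"   # placeholder path

# The post maps Trusted People to the Chain trust validator and Personal to
# the other validator modes; importing into both keeps either setting working.
$stores = @("Cert:\LocalMachine\TrustedPeople", "Cert:\LocalMachine\My")
$imported = foreach ($store in $stores) {
    Import-Certificate -FilePath $certPath -CertStoreLocation $store
}

# PowerShell reports the thumbprint as a single hex string, without the
# spaces MMC displays, which is the form the Kentico settings field expects.
$thumbprint = ($imported | Select-Object -First 1).Thumbprint
"Thumbprint to enter in Kentico settings: $thumbprint"
"Valid until: $(($imported | Select-Object -First 1).NotAfter)"
```

Checking NotAfter at import time is a cheap safeguard: AD FS rolls its token-signing certificate automatically, and once Kentico's stored thumbprint no longer matches the signing certificate, every sign-in fails until the new certificate is imported and the thumbprint updated.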

Before we can start configuring claims-based authentication in Kentico, we need to make sure that our site is configured to use SSL. For more information on how to configure your site to use SSL, check the previous section to see how we configured it on the virtual machine, or visit the following link for more information.

Configuration of claims-based authentication in Kentico

The last step is ahead of us: we need to configure Kentico to use claims-based authentication. Sign in to Kentico and, in the administration interface, open the Settings application and go to the Security & Membership, Authentication, Claims-based authentication section. First, enable WIF authentication, then configure the Identity provider URL; in my case that would be (make sure that you use the correct IP address). Security realm and Allowed audience URIs will both be set to https://localhost/Kentico_9_test. Then paste the certificate thumbprint and select the Certificate validator. This option depends on where you imported the certificate in the MMC application.

And that is all. We have set up claims-based authentication in Kentico from scratch. From now on, when you try to sign in you will be authenticated against the AD FS server. In my case, I will use VIRTUAL\testuser as the username. In the last part of this series, we will take a look at some of the most common issues related to claims-based authentication in Kentico.
