1 00:00:06,590 --> 00:00:14,150 AD FS allows computers to communicate in a security-enhanced manner, even though they might be
2 00:00:14,150 --> 00:00:15,800 in different locations.
3 00:00:16,460 --> 00:00:25,340 In this scenario, most of the communications between computers pass through the Internet. To help provide
4 00:00:25,340 --> 00:00:27,410 security for the network traffic,
5 00:00:27,770 --> 00:00:32,240 all communications are encrypted by using SSL.
6 00:00:32,750 --> 00:00:40,460 This factor means that it is important to correctly choose and configure SSL certificates for
7 00:00:40,460 --> 00:00:45,500 the AD FS servers to provide SSL encryption. AD
8 00:00:45,650 --> 00:00:53,240 FS servers use certificates as service communications certificates, token-signing certificates
9 00:00:53,240 --> 00:00:56,770 and token-decrypting certificates.
10 00:00:58,370 --> 00:01:06,200 So let's talk about service communications certificates. AD FS helps to secure all communication
11 00:01:06,200 --> 00:01:10,070 by using SSL, which requires a certificate.
12 00:01:10,610 --> 00:01:14,330 All computers that communicate with the AD FS
13 00:01:14,660 --> 00:01:20,630 server must trust the certificate used for service communication.
14 00:01:21,110 --> 00:01:29,540 If all of the computers or other devices that contact your AD FS server are joined to the domain,
15 00:01:29,930 --> 00:01:35,810 you can consider using an internally generated certificate for AD FS.
16 00:01:36,680 --> 00:01:45,410 However, in most cases at least some communication is between the AD FS server and external computers
17 00:01:45,410 --> 00:01:47,540 or partner organizations.
18 00:01:48,110 --> 00:01:56,480 In that case, you should use a certificate from a third-party certification authority, or CA. You can
19 00:01:56,480 --> 00:01:57,950 use the Certificates
20 00:01:58,070 --> 00:02:04,400 snap-in and the AD FS Management console to manage all certificates.
21 00:02:04,910 --> 00:02:11,630 Please note that if you change the service communications certificate after the initial configuration,
22 00:02:12,290 --> 00:02:21,620 you must change it on all nodes in the server farm and ensure that the AD FS service is
23 00:02:21,620 --> 00:02:25,070 granted permission to the private key
24 00:02:25,070 --> 00:02:27,080 of the certificate on each
25 00:02:27,080 --> 00:02:27,500 node.
26 00:02:28,950 --> 00:02:32,140 Now some words about token-signing certificates.
27 00:02:32,780 --> 00:02:41,710 AD FS uses a token-signing certificate to sign every token that a federation server issues.
28 00:02:42,390 --> 00:02:51,260 This certificate is critical in an AD FS deployment because the token signature indicates which
29 00:02:51,270 --> 00:02:54,030 federation server issued the token.
30 00:02:54,480 --> 00:03:04,740 The claims provider uses this certificate to identify itself, and the relying party uses it to
31 00:03:04,770 --> 00:03:10,020 verify that the token came from a trusted federation partner.
32 00:03:10,920 --> 00:03:20,610 The relying party also requires a token-signing certificate to sign the tokens that it prepares for AD
33 00:03:20,610 --> 00:03:29,850 FS-aware applications. For the destination applications to validate those tokens, they rely
34 00:03:29,850 --> 00:03:34,830 on a trusted token-signing certificate, which must have signed this token.
35 00:03:35,550 --> 00:03:44,160 When you configure a federation server, the server assigns a self-signed certificate as the token-
36 00:03:44,160 --> 00:03:45,480 signing certificate.
37 00:03:45,990 --> 00:03:53,010 In most cases, you do not need to update this certificate with a certificate from a third-party
38 00:03:53,010 --> 00:04:01,440 CA. When AD FS creates a federation trust, it configures the trust for this certificate
39 00:04:01,440 --> 00:04:09,180 at the same time. You can configure multiple token-signing certificates on the federation server,
40 00:04:09,540 --> 00:04:14,100 but AD FS uses only the primary certificate.
41 00:04:15,900 --> 00:04:16,290 Now,
42 00:04:16,470 --> 00:04:18,680 token-decrypting certificates.
43 00:04:19,360 --> 00:04:21,090 AD FS uses
44 00:04:21,090 --> 00:04:24,300 token-decrypting certificates to ensure
45 00:04:26,070 --> 00:04:34,560 encryption of the entire user token before transmitting the token across the network from the claims provider
46 00:04:34,560 --> 00:04:38,940 federation server to the relying party federation server.
47 00:04:39,630 --> 00:04:47,100 To provide this functionality, AD FS provides the public key from the relying party federation
48 00:04:47,100 --> 00:04:52,080 server certificate to the claims provider federation server.
49 00:04:52,710 --> 00:04:55,650 The certificate is sent without the private key.
50 00:04:56,220 --> 00:05:04,530 The claims provider federation server uses the private key from the certificate to encrypt the user token.
51 00:05:05,100 --> 00:05:13,950 When the claims provider federation server returns the token to the relying party federation server, it uses
52 00:05:13,950 --> 00:05:19,080 the private key from the certificate to decrypt the token.
53 00:05:19,590 --> 00:05:27,390 This provides an extra layer of security enhancement when transmitting the certificates across an
54 00:05:27,750 --> 00:05:29,250 untrusted network,
55 00:05:30,230 --> 00:05:32,120 such as the Internet.
56 00:05:32,720 --> 00:05:41,030 When you configure a federation server, the server sets a self-signed certificate as the token-decrypting
57 00:05:41,030 --> 00:05:41,990 certificate.
58 00:05:42,680 --> 00:05:50,600 In most cases, you're not required to update the certificate with a certificate from a third-party
59 00:05:50,600 --> 00:05:54,620 CA. When AD FS creates a federation trust,
60 00:05:54,980 --> 00:05:58,880 it configures the trust for this certificate at the same time.
61 00:06:00,160 --> 00:06:05,320 The federation server proxy requires only an SSL certificate.
62 00:06:05,710 --> 00:06:14,440 The federation server uses the certificate to enable SSL communication for all client connections.
63 00:06:15,860 --> 00:06:20,910 And some words about choosing CAs. AD FS
64 00:06:21,190 --> 00:06:31,610 federation servers can use self-signed certificates, certificates from an internal private CA, or certificates
65 00:06:31,610 --> 00:06:38,990 that have been purchased from an external public CA. In most AD FS deployments,
66 00:06:39,290 --> 00:06:50,360 the most important factor when choosing certificates is that they are trusted by all the parties
67 00:06:50,360 --> 00:06:51,140 involved.
68 00:06:51,680 --> 00:07:00,020 This means that if you configure an AD FS deployment that interacts with other organizations,
69 00:07:01,090 --> 00:07:10,570 you almost certainly will use a public CA for the SSL certificate on a federation server proxy, because
70 00:07:10,770 --> 00:07:13,120 the certificates issued by the public CA
71 00:07:13,120 --> 00:07:21,850 are automatically trusted by all partners. If you deploy AD FS just for your organization
72 00:07:22,390 --> 00:07:30,040 and all the servers and client computers are under your control, you can consider using a certificate
73 00:07:30,040 --> 00:07:40,750 from an internal private CA, but if you deploy an internal enterprise CA in Windows Server 2016, you
74 00:07:40,750 --> 00:07:49,450 can use Group Policy to help ensure that all the computers in the organization automatically trust the
75 00:07:49,450 --> 00:07:52,600 certificates issued by the internal CA.
76 00:07:53,470 --> 00:08:00,190 Using an internal CA can significantly decrease the cost of certificates.
77 00:08:01,640 --> 00:08:10,250 Please note that deploying an internal CA by using Active Directory Certificate Services is a straightforward
78 00:08:10,250 --> 00:08:17,060 process, but it is critical that you carefully plan and implement the deployment.
79 00:08:17,780 --> 00:08:21,500 Next up, we'll be talking about federation server roles.
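The following PowerShell script is an added example and is not part of the lecture; it turns the three points above (which certificate serves which purpose, the service communications certificate must chain to a CA every client trusts, and the AD FS service needs access to that certificate's private key on every node) into a check you can run on each federation server. It assumes the AD FS role is installed (the `Adfs` and `PKI` modules are present), that the Windows service is named `adfssrv`, that the service communications certificate uses an RSA key, and that the key file lives in the standard CSP or CNG machine-key folder under `%ProgramData%`; the cmdlets used are documented Windows ones, but the script itself is hypothetical and has not been taken from any product.

```powershell
# Added example, not from the lecture: audit AD FS certificates on one farm node and
# confirm the AD FS service account can read the service communications private key.
# Run elevated on each node. Assumptions: Adfs and PKI modules available, service
# name 'adfssrv', RSA key held in the machine store (CSP or CNG).

Import-Module Adfs
Import-Module PKI

# 1. Inventory: which certificate serves each purpose, and which one is primary.
$adfsCerts = Get-AdfsCertificate
$adfsCerts |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# Self-signed token-signing / token-decrypting certificates are normal (AD FS generates
# them); a self-signed service communications certificate will not be trusted by partners.
foreach ($c in $adfsCerts) {
    if ($c.CertificateType -eq 'Service-Communications' -and
        $c.Certificate.Subject -eq $c.Certificate.Issuer) {
        Write-Warning "Service communications certificate $($c.Thumbprint) is self-signed."
    }
}

# 2. The service communications certificate must chain to a trusted CA and carry
#    the federation service name; Test-Certificate applies the SSL policy for us.
$svc  = $adfsCerts | Where-Object { $_.CertificateType -eq 'Service-Communications' -and $_.IsPrimary }
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($svc.Thumbprint)"
$fqdn = (Get-AdfsProperties).HostName
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -ErrorAction SilentlyContinue)) {
    Write-Warning "Certificate $($cert.Thumbprint) fails SSL validation for $fqdn (chain, EKU or name)."
}

# 3. Private key permission: the account running adfssrv needs Read on the key file.
$svcAccount = (Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'").StartName
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) {
    throw "No RSA private key is present for $($cert.Thumbprint) on this node."
}

# CSP keys (RSACryptoServiceProvider) and CNG keys (RSACng) are stored in different folders.
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
}

# Look for a direct Allow ACE granting at least Read to the service account.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $svcAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.FileSystemRights -band $readMask) -ne 0)
}

if ($hasRead) {
    Write-Output "$svcAccount can read the private key of $($cert.Thumbprint)."
} else {
    Write-Warning "$svcAccount has no direct Read ACE on $keyFile; AD FS on this node cannot use this certificate."
}
```

The ACL check only looks for an access control entry that names the service account directly, which is how the AD FS configuration wizard and the certificate snap-in grant it; access inherited through a group is not detected, so treat a warning as a prompt to inspect the key's permissions rather than as proof that they are wrong. When you replace the certificate on a farm, run the script on every node, since the lecture's point is that the certificate and its key permissions must be consistent across all of them.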