1 00:00:03,090 --> 00:00:08,970 I'm on my Windows 10 management VM and where possible this is where we'll be doing the configuration
2 00:00:08,970 --> 00:00:15,570 of the servers from. We'll be using the Windows Admin Center, which is a download from Microsoft, as well
3 00:00:15,570 --> 00:00:20,190 as Server Manager, which is installed using the Remote Server Administration Tools.
4 00:00:21,060 --> 00:00:26,640 Let's open up Server Manager and let's add the domain controller because I've installed Active Directory
5 00:00:26,640 --> 00:00:28,200 Certificate Services there.
6 00:00:29,100 --> 00:00:31,920 All right, click on All Servers and add a server.
7 00:00:32,820 --> 00:00:35,850 Because this Windows 10 VM is joined to the domain,
8 00:00:35,880 --> 00:00:40,140 I can type in the name of the domain controller, which is DC, and it's found.
9 00:00:41,070 --> 00:00:44,610 So let's add this server to the list of servers we want to manage.
10 00:00:45,510 --> 00:00:49,380 It'll take a second to resolve and the server gets added to the list.
11 00:00:50,310 --> 00:00:56,460 Now I can open Tools and Certification Authority is listed here. If you don't see links here for some of
12 00:00:56,460 --> 00:01:02,340 the roles installed on the server, like the DNS role which we'll be using in the upcoming demo, Microsoft
13 00:01:02,340 --> 00:01:06,210 provides a workaround with some scripts to install the RSAT tools.
14 00:01:07,130 --> 00:01:10,010 I've created a short link here to that information.
15 00:01:10,880 --> 00:01:16,490 Let's open up Certification Authority and we'll get this error because by default the snap-in tries to
16 00:01:16,490 --> 00:01:22,460 attach to the local computer certificate authority and of course Certificate Services isn't installed
17 00:01:22,460 --> 00:01:23,960 on this Windows 10 VM.
18 00:01:24,830 --> 00:01:25,700 So let's click
19 00:01:25,700 --> 00:01:26,270 OK.
20 00:01:27,100 --> 00:01:33,190 And when the window opens, you right click on the Certification Authority and select Retarget Certification
21 00:01:33,190 --> 00:01:39,340 Authority, then select Another computer, and we could type in the name of the server with Active Directory
22 00:01:39,340 --> 00:01:42,940 Certificate Services installed, which is the domain controller.
23 00:01:43,090 --> 00:01:45,280 But let's clear this and browse instead.
24 00:01:46,150 --> 00:01:49,390 The Certificate Authority installed on the network is picked up.
25 00:01:49,540 --> 00:01:56,830 So let's select that same domain controller computer with AD CS installed and now we can manage the certificate
26 00:01:56,830 --> 00:01:57,520 authority.
27 00:01:58,390 --> 00:02:02,290 Let's go down to Certificate Templates and right click and select Manage.
28 00:02:03,190 --> 00:02:06,070 This opens up the Certificate Templates console.
29 00:02:06,940 --> 00:02:11,090 We're going to issue a certificate with the requirements we need for AD FS.
30 00:02:11,170 --> 00:02:14,590 So let's make a copy of another certificate as a starting place.
31 00:02:15,520 --> 00:02:21,430 I'll choose the Web Server certificate because the AD FS certificate will have most of the same properties.
32 00:02:22,330 --> 00:02:27,220 So let's duplicate this template and I'll go to the General tab and change the display name for the
33 00:02:27,220 --> 00:02:30,910 new certificate template. On the Subject Name tab,
34 00:02:31,060 --> 00:02:35,050 let's make sure we can supply the subject name in the certificate request.
35 00:02:35,980 --> 00:02:42,070 Now on the Security tab, we want to add Domain Computers, which is a group in Active Directory containing
36 00:02:42,070 --> 00:02:43,690 all the computers in the domain.
37 00:02:44,590 --> 00:02:49,030 Then we'll check the permission so the domain computers can enroll for this certificate.
38 00:02:49,930 --> 00:02:55,330 The extensions we need for this certificate are already included because we created this template by
39 00:02:55,330 --> 00:02:58,030 duplicating the Web Server certificate template.
40 00:02:58,930 --> 00:03:04,030 Under Request Handling, we need to check to allow the private key to be exported, because when we request
41 00:03:04,030 --> 00:03:08,860 and create the actual certificate, we'll need to export it with the private key and import it into that
42 00:03:08,860 --> 00:03:12,820 AD FS server as well as the Web Application Proxy servers.
43 00:03:13,720 --> 00:03:15,670 Now let's click Apply and OK.
44 00:03:16,540 --> 00:03:21,850 Now before you can actually request certificates to be created with this template, you need to close
45 00:03:21,850 --> 00:03:23,200 this template console.
46 00:03:24,060 --> 00:03:29,400 And back in the certificate manager console, right click on Certificate Templates again, but this
47 00:03:29,400 --> 00:03:32,640 time select New Certificate Template to Issue.
48 00:03:33,510 --> 00:03:37,800 There's the AD FS template we just created, so let's select that and click
49 00:03:37,800 --> 00:03:38,340 OK.
50 00:03:39,210 --> 00:03:42,870 Now this template is ready to be used to create certificates.
51 00:03:43,770 --> 00:03:44,970 Let's close this.
52 00:03:45,870 --> 00:03:48,580 And I'm still on my Windows 10 management VM.
53 00:03:48,600 --> 00:03:50,250 So let's search for certificates.
54 00:03:51,120 --> 00:03:54,960 And in the search results, select Manage computer certificates.
55 00:03:55,860 --> 00:04:01,410 That opens up the Microsoft Management Console with the Certificates snap-in loaded and scoped to this
56 00:04:01,410 --> 00:04:03,330 local computer certificate store.
57 00:04:04,230 --> 00:04:09,390 Let's open up the Personal store and we're going to use this computer to create a certificate that we'll
58 00:04:09,390 --> 00:04:12,600 export from here and import onto the AD FS server.
59 00:04:13,550 --> 00:04:13,820 So,
60 00:04:13,820 --> 00:04:15,860 right click on the Personal store
61 00:04:16,730 --> 00:04:20,150 and under All Tasks select Request New Certificate.
62 00:04:21,050 --> 00:04:23,720 The Certificate Enrollment dialog opens.
63 00:04:24,680 --> 00:04:26,390 I'll click Next and Next again.
64 00:04:26,390 --> 00:04:31,580 And here are the certificate templates that are available to domain computers, including this Windows
65 00:04:31,580 --> 00:04:32,390 10 VM.
66 00:04:33,260 --> 00:04:38,180 Let's choose the AD FS template certificate and click the link to configure its settings.
67 00:04:39,130 --> 00:04:44,680 For the subject name, let's choose Common name and the value will be the name of the AD FS service.
68 00:04:45,610 --> 00:04:46,870 This is important.
69 00:04:47,800 --> 00:04:53,260 This isn't the name of the server, because you can have multiple AD FS servers in a farm and they all
70 00:04:53,260 --> 00:04:55,960 share the same certificate and the same service name.
71 00:04:56,110 --> 00:04:57,910 So we want to use the service name.
72 00:04:58,750 --> 00:05:06,100 The name I'm going to use is asked company dot pre. We'll be creating a DNS record to point this domain
73 00:05:06,100 --> 00:05:09,010 name to the single AD FS server in the farm.
74 00:05:09,880 --> 00:05:15,010 Or if there are multiple servers, the DNS record will point to the load balancer.
75 00:05:15,890 --> 00:05:16,790 Let's add this.
76 00:05:16,910 --> 00:05:19,700 And now we need to configure some alternative names.
77 00:05:20,610 --> 00:05:24,030 The first DNS name will be the same as the subject name.
78 00:05:24,900 --> 00:05:31,200 Now these next two subject alternative name DNS values are specific to certain authentication scenarios.
79 00:05:32,110 --> 00:05:36,760 For device registration, you need to include the prefix enterpriseregistration.
80 00:05:37,600 --> 00:05:43,150 If you plan to use certificate authentication, for example using smart cards, there's another DNS
81 00:05:43,150 --> 00:05:48,430 value you can add if you want the certificate authentication to take place on port 443.
82 00:05:48,460 --> 00:05:53,380 There's actually two modes available for certificate authentication: either using the same hostname
83 00:05:53,500 --> 00:05:54,780 but with different ports,
84 00:05:54,790 --> 00:05:58,720 so certificate authentication would use port 49443,
85 00:05:59,590 --> 00:06:03,460 or another approach is to use the same port with different hostnames.
86 00:06:04,390 --> 00:06:10,960 So certificate authentication can still take place on port 443, which makes it easier for networks
87 00:06:10,960 --> 00:06:16,270 that might have restrictions on non-standard ports. And for certificate authentication,
88 00:06:16,300 --> 00:06:21,250 AD FS will use the hostname certauth, then the name of your AD FS service.
89 00:06:22,120 --> 00:06:28,180 OK, let's go to the General tab and give the certificate a friendly name for the interface. On the
90 00:06:28,180 --> 00:06:29,230 Private Key tab,
91 00:06:29,380 --> 00:06:34,600 let's just make sure the private key is marked as exportable, which it is by default in the template.
92 00:06:35,520 --> 00:06:37,410 Our setup is pretty simple,
93 00:06:38,360 --> 00:06:41,600 so the default enrollment server is already selected.
94 00:06:42,470 --> 00:06:44,330 Now let's click Apply and OK.
95 00:06:44,480 --> 00:06:47,000 And let's finish the creation of this certificate.
96 00:06:47,900 --> 00:06:51,260 Now the certificate has been installed on this Windows 10 VM.
97 00:06:51,350 --> 00:06:55,010 But of course, this isn't where we want it ultimately installed.
98 00:06:55,910 --> 00:06:58,130 We want it on the AD FS server.
99 00:06:59,060 --> 00:07:06,230 So let's right click this certificate and select All Tasks and Export. That opens the Certificate Export
100 00:07:06,230 --> 00:07:06,740 Wizard.
101 00:07:07,670 --> 00:07:08,680 I'll click Next.
102 00:07:08,690 --> 00:07:13,490 And yes, we want to export the private key because that will be needed on the AD FS server.
103 00:07:14,400 --> 00:07:19,170 Let's export the extended properties and it will be a file that we create.
104 00:07:20,050 --> 00:07:24,340 I'll use a password to protect the private key and leave the default encryption.
105 00:07:25,210 --> 00:07:30,550 Let's save the exported certificate to the desktop to make it easy to find and click Save and Next and
106 00:07:30,550 --> 00:07:31,060 Finish.
107 00:07:31,960 --> 00:07:34,330 It says the export was successful.
108 00:07:35,170 --> 00:07:38,890 Let's just go to the desktop and there's our SSL certificate.
109 00:07:39,790 --> 00:07:46,090 Now let's copy this certificate over to the AD FS server to be used during AD FS configuration.
110 00:07:46,960 --> 00:07:52,780 I created a file share on the AD FS server and gave permissions to my administrator account to access
111 00:07:52,780 --> 00:07:52,960 it.
112 00:07:53,860 --> 00:07:57,850 So I'll type in the share name on the network and now paste in the certificate.
113 00:07:58,750 --> 00:08:03,340 This share was created as a folder at the root of the C drive on the AD FS server,
114 00:08:03,460 --> 00:08:07,780 so we can access the certificate there using PowerShell when we install AD FS.
115 00:08:08,710 --> 00:08:10,660 So let's do that in the next clip.