Claims Provider Trust Demonstration

In this video, the claims provider trust will be created in Active Directory Federation Services in the HighCostTraining domain on Windows Server 2008 R2. In the previous videos a relying party trust was created in the ITFreeTraining domain. Creating the claims provider trust completes the trust relationship between ITFreeTraining and HighCostTraining.

1) To create the Claims Provider Trust, log in to the server and run AD FS 2.0 Management from Administrative Tools on the Start menu.

2) To start the “Add Claims Provider Trust Wizard”, expand the console tree down to “Claims Provider Trust”, right-click it and select the option “Add Claims Provider Trust”.

3) Once past the welcome screen, the next screen asks for the source of the data used to create the trust. In this case the computer name ITADFS2008R2.ITFreeTraining.local was used. Conditional DNS forwarders were configured on the DNS server so this server can resolve the IP address of the other server. In a previous video, a certificate was added to the local store on the server, allowing a secure connection to be created between the two servers; the trust data is downloaded over HTTPS, so the other server's certificate must be trusted by this server or the download will fail.

4) Once Next is pressed on the “Select data source” screen, the other server is contacted and the data needed to create the trust is obtained from it. On the next screen a Display Name and Notes can be entered. Enter something descriptive here so other administrators know what the trust relationship is used for.

5) The “Ready to Add Trust” screen shows all the information that will be used to create the trust.

6) Once Next is pressed, the trust is created and the wizard moves on to its last screen. By default, the tickbox “Open the edit Claim Rules dialog for this claims provider trust when the wizard closes” is ticked. If it is left ticked, the rules for the trust are opened so changes can be made. If you clear the tickbox, the rules dialog can be opened later on.

7) Once the edit rules dialog has been opened, press the “Add Rule” button at the bottom to start the “Add Transform Claim Wizard”. There is only one rule tab, “Acceptance Transform Rules”, because a claims provider trust can only accept claims that are created by another server.

8) On the first screen of the wizard, a template needs to be selected from the pull-down list. This determines the options displayed in the rest of the wizard. In this case the option “Pass Through or Filter an Incoming Claim” was selected. This essentially takes a claim and passes it on to another server; however, it does allow changes to be made to the claim.

9) On the next screen of the wizard a number of fields need to be filled in. First a name for the rule needs to be entered. The next option sets the type of claim that will be accepted. After this, a decision can be made about which values of the claim should be passed on. There is also the option for the administrator to make changes to the claim values; for example, the administrator is able to change the name of a group used in the claim. Multiple rules can be used if the administrator wants to change a number of different values in the claim.
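The same trust and acceptance rules can be created from the AD FS 2.0 PowerShell snap-in instead of the wizard. The script below is an added example, not from the video; it assumes the snap-in is installed on the HighCostTraining federation server and that the ITFreeTraining server's federation metadata is reachable over HTTPS at the standard path. The group and role names and the claim-type filters are constructed for illustration; only the server name comes from the lesson.

```powershell
# Added example (not from the ITFreeTraining video). Assumes the AD FS 2.0
# snap-in on the HighCostTraining server; group/role names are constructed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = "ITFreeTraining"   # display name, as entered in step 4
$metadata  = "https://ITADFS2008R2.ITFreeTraining.local/FederationMetadata/2007-06/FederationMetadata.xml"

# Acceptance transform rules in the AD FS claim rule language. Each rule is
# one entry on the "Acceptance Transform Rules" tab (steps 7-9). Accepting
# only the claim types and values this side needs keeps the partner from
# asserting arbitrary identities or group memberships into this domain.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPNs only from the partner's own suffix"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "@ITFreeTraining\.local$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through only group claims prefixed ITFT-"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^ITFT-"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Rename the partner group ITFT-Staff to the local role Staff"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "ITFT-Staff"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
          Value = "Staff", Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Steps 3-6: create the trust from the partner's federation metadata
# (the download requires the partner's HTTPS certificate to be trusted).
if (-not (Get-ADFSClaimsProviderTrust -Name $trustName)) {
    Add-ADFSClaimsProviderTrust -Name $trustName -MetadataUrl $metadata `
        -Notes "Accepts claims issued by the ITFreeTraining AD FS server"
}

# Replace the trust's acceptance rules with the restrictive set above.
Set-ADFSClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $rules

# Print the rules now in force so they can be reviewed.
(Get-ADFSClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
```

Claims that match none of the rules are dropped at the trust boundary, which is the behaviour to confirm when reviewing the output.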

Lesson tags: 70-640-active-directory