Defining the claims
Although defining claims isn’t a function of the Web Application Proxy role in Windows Server 2016,
it’s important to understand the role that claims play in a transaction. Claims are defined in the
Outlook Web App section of the Actions pane on the AD FS server, as shown in Figure 2-83.
Figure 2-83: Editing claim rules
80
CHAPTER 2 | Software-defined datacenter
Select the relying party trust that you want to define claims for, and then, in the Actions pane, click
Edit Claims.
In a claims-based identity model, AD FS issues a token that contains a set of claims. Claim rules
govern which claims AD FS issues and how they are derived. Claim rules and all other server
configuration data are stored in the AD FS configuration database.
To publish Outlook Web App and the Exchange Admin Center in this example, you need to make
three custom claim rules:
Active Directory user SID
Active Directory group SID
Active Directory UPN
When you configure the custom claim rules, you must write each rule in the claim rule language
syntax. For the ActiveDirectoryUserSID claim rule, use the following:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory",
types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"),
query = ";objectSID;{0}", param = c.Value);
When you are finished, the resulting rule will include the claim rule name and custom rule text, as
depicted in Figure 2-84.
Figure 2-84: Editing a claim rule
Next, configure the following ActiveDirectoryGroupSID claim rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory",
types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"),
query = ";tokenGroups(SID);{0}", param = c.Value);
And finally, configure the following ActiveDirectoryUPN claim rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
query = ";userPrincipalName;{0}", param = c.Value);
When you’re finished, click Apply, and then OK. The transform rules display the rule names on the
Issuance Transform Rules tab of the Edit Claim Rules dialog box, as shown in Figure 2-85.
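The same three rules can also be applied with the AD FS PowerShell module instead of the Edit Claim Rules dialog box. This is an added example, not code from the book; the relying party trust name "Outlook Web App" is an assumption and should be replaced with the display name shown in the AD FS console.

```powershell
# Added example (not from the book): apply the three custom claim rules to a
# relying party trust with the AD FS PowerShell module, then read them back.
# Assumption: the relying party trust is named "Outlook Web App".
Import-Module ADFS

$rpName = 'Outlook Web App'

# Each rule is written in the claim rule language. The condition c:[...] only
# matches the windowsaccountname claim issued by "AD AUTHORITY", that is, the
# identity established by AD FS's own Active Directory authentication, so the
# lookup key passed to the Active Directory attribute store never comes from
# an external issuer.
$rules = @'
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "ActiveDirectoryGroupSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Set-AdfsRelyingPartyTrust replaces the trust's whole issuance transform rule
# set, so the string above must contain every rule the trust needs.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the stored rule set back and confirm that all three rule names are present,
# which is the same check as looking at the Issuance Transform Rules tab.
$stored = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
foreach ($name in 'ActiveDirectoryUserSID', 'ActiveDirectoryGroupSID', 'ActiveDirectoryUPN') {
    if ($stored -notmatch [regex]::Escape("@RuleName = `"$name`"")) {
        Write-Warning "Rule '$name' was not found on relying party trust '$rpName'"
    }
}
```

Run it in an elevated PowerShell session on the AD FS server (or a host with the AD FS module and rights to the farm); the `@RuleName` lines are what populate the rule names shown in the dialog box.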