Masterclass: Administering and Configuring Active Directory Federation Services and Claims & Managing Active Directory Federation Services for Multiple Organizations (ADFS) – Virtual Class with Michael Grafnetter

Live Virtual Class – CQURE Workshop with Labs!
April 12th – 16th, 2021 (9:00am – 4:00pm CET Monday to Wednesday)

This is an international Live Virtual Class, which means you will share the learning experience with a group of IT pros from around the world! The class is taught in English by Michael Grafnetter, one of the top experts in the field. Remember that this course is limited to 12 participants in total to ensure the highest quality and a unique learning experience! During the course you will have the opportunity to interact with the instructor and get Michael’s help with any problems you encounter, just as if it were a regular workshop.

About the course
The Active Directory Federation Services and Claims workshop is the best way to learn how to implement the most business-oriented server role! Federated identity and claims-based applications are becoming more and more popular: they simplify resource access both for your employees and for your business partners.

The course focuses on implementation scenarios, including practice in the newest technologies and solutions delivered with Windows Server 2019.

Exploits are not the only way to get into systems! We will go through the operating systems’ built-in problems and explore how they can be beneficial for hackers! One of the most important things for conducting a successful attack is to understand how the targets work. To the bone! Afterwards everything is clear and the tool is just a matter of need.

While the world becomes more focused on solving ‘Bring Your Own Device’ issues, it is time to become more up to date with the newest technology capabilities: Active Directory Federation Services and Active Directory Domain Services have been extended to support the most popular mobile devices and to provide conditional access and access policies. With these policies in place, you can control access based on users, devices, locations, and access times.

Federated identity is the most discussed topic in terms of cooperation between organizations right now, and with this course you will get all the knowledge you need when planning to host services that connect users across different organizations.

As a CQURE course, it focuses on the security of ADFS and shows ways to solve common access problems, from hacking the user identity to solving permission problems.

A good enterprise implementation is not complete if we do not think about backup and scripting. So, after implementing business partner connectivity, we will focus on scripting the implementation, which will not only allow us to quickly back up and restore our servers, but also to prepare automatic configuration scripts for the remote party.

The last part of this course is focused on large ADFS implementations, where load balancing client traffic is a must. You will not only learn how to load balance an ADFS farm, but also get to know the Microsoft load balancer included in IIS.

At the end of the course you will be able to:
▪ Design AD Federation Services infrastructure and identify the implementation requirements
▪ Deploy AD Federation Services to provide claims-aware authentication in a single organization
▪ Implement AD Federation Services high availability
▪ Deploy Web Application Proxy (previously the AD Federation Server Proxy) to securely publish web applications
▪ Deploy Device Registration Service to enable control of user devices
▪ Deploy claims-enabled ACLs on file servers
▪ Deploy AD Federation Services to provide claims-aware authentication for multiple organizations
▪ Implement AD Federation Services high availability and load balancing
▪ Implement claims filtering and processing to secure a multi-organization enabled application
▪ Script and back up the ADFS environment
▪ Automate the business partner setup procedure for ADFS
▪ Configure Active Directory for ADFS

Unique exercises:
All exercises are based on the newest Windows Server 2019 and Windows 10.

This course is intended for IT professionals who would like to implement and administer Active Directory Federation Services within their organization. Prerequisites for the course are an intermediate level of knowledge about Active Directory Domain Services and basic knowledge of Windows PowerShell and DNS. To attend this training, you should have good hands-on experience in administering Windows infrastructure.

This course is ideal for:
Enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.

Exercises, presentation slides with notes.

Platform and Technical Requirements:
To participate in the course you need a stable internet connection. For the best learning experience we also need you to have a webcam, headphones and a microphone. You will also need outbound RDP port 3391 open for the connection to the lab environment. We will set up a secure Zoom classroom for every day of the course and send you a safe link to join the conference by e-mail.

After finishing the course, you will be granted a CQURE Certificate of Completion. Please note that after completing the course you will also be eligible to claim CPE points!

Course Syllabus

Module 1:

  • a) Introduction
  • b) Legacy and modern authentication protocols
  • c) What are claims
  • d) Dynamic Access Control
  • e) Service account threats and attacks, and working with gMSA

Module 2:

  • a) PKI overview and ADFS certificate considerations
  • b) Working with certificates and ADFS
  • c) Designing modern authentication

Module 3:

  • a) ADFS overview
  • b) Installation, availability and security considerations
  • c) Working with an ADFS cluster

Module 4:

  • a) Working with ADFS – claims-aware applications
  • b) ADFS basics – rules and rule flow
  • c) Configuring issuance rules
  • d) Claim rules language

Module 5:

  • a) Thick applications, and working with multiple Relying Parties
  • b) Troubleshooting thick applications
  • c) Additional attribute stores
  • d) Using groups in authorization rules

Module 6:

  • a) Web Application Proxy
  • b) Working with claims-aware applications in WAP
  • c) Configuring pass-through applications in WAP
  • d) WAP advanced scenarios

Module 7:

  • a) Modern ADFS customization
  • b) Advanced ADFS troubleshooting
  • c) Monitoring ADFS security and performance

Module 8:

  • a) Working with MFA
  • b) Enabling Device Registration Service
  • c) Windows Hello for Business
  • d) Integration with the Azure cloud

Module 9:

  • a) Working with external parties
  • b) ADFS in a forest/domain trust environment
  • c) Federating with different ADFS versions

Module 10:

  • a) Home Realm Discovery
  • b) Hacking ADFS claims
  • c) Additional user authorization
  • d) Claim pipeline for multiple IdPs and MFA in a multi-IdP environment

Module 11:

  • a) PowerShell scripting for ADFS
  • b) Backup and restore of the ADFS configuration
  • c) Exporting and importing RPs and IdPs

Module 12:

  • a) Working with clients
  • b) Creating automated Claims Provider Trust configuration for clients
  • c) Working with third-party IdPs

Module 13:

  • a) Load balancing ADFS
  • b) Using IIS ARR to load-balance ADFS
  • c) Advanced clustering and load balancing

Your teacher

Michael Grafnetter

Cybersecurity Expert

Michael is an expert on Windows security and PowerShell and holds a master’s degree in Software Engineering. He is the author of the open-source Directory Services Internals (DSInternals) PowerShell module and the Thycotic Weak Password Finder, tools used by security auditors and penetration testers worldwide. His unique DSInternals Framework exposes many undocumented Active Directory security features and has already been integrated into multiple third-party solutions for Identity Management and Active Directory Disaster Recovery.