programming4us
           
 
 
Applications Server

Exchange Server 2010 : Fundamentals and Components of Federated Delegation (part 1)

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
12/10/2010 2:26:38 PM
The primary components of federation delegation are the federation trust, organization relationships, and sharing policies.

1. Federation Trust

The following prerequisites are necessary for creating and managing the federation trust:

  • The domain used for establishing a federation trust must be resolvable from the Internet. This means that the domain must be resolvable via DNS from the Internet and that the domain is registered with a domain registrar. Best practice is to use your primary SMTP domain (for example, contoso.com) rather than your internal Active Directory namespace, which may not be resolvable from the Internet (for example, contosocorp.local).

    • For cross-premises scenarios, where an organization hosts some mailboxes on site and hosts others in the Exchange Online service, it is recommended to use a sub-domain of exchangedelegation.<your primary SMTP domain> to avoid namespace conflicts with the Exchange Online tenant namespace. Your primary SMTP domain should then be added as an additional URI to your federated organization identifier using the Add-FederatedDomain cmdlet.

  • You require a valid X.509 SSL certificate issued by a Certification Authority (CA) trusted by Windows Live to be able to configure a trust with the MFG. The CAs trusted by Windows Live (and, by extension, the MFG) are listed in the "Certificate Requirements for Federation Trust" section of this chapter, along with more details on the subject name requirements.

  • After the federation trust is created, you must provide proof of ownership for the domain specified by creating a TXT resource record in your external DNS. This TXT record contains the application identifier (AppID) provided in the output when the federation trust is created with either the New Federation Trust Wizard or the New-FederationTrust cmdlet.

1.1. Certificate Requirements for Federation Trust

The certificate used for the federation trust must meet the following requirements:

  • The certificate must be issued by a certification authority trusted by the MFG. You can obtain the most current list of trusted root Certification Authorities at http://technet.microsoft.com/en-us/library/ee332350.aspx, but the following CAs are presently trusted:

    • Comodo

    • Digicert Global Root CA

    • Digicert High Assurance EV Root CA

    • Entrust.net CA (2048)

    • Entrust Secure Server CA

    • Go Daddy Secure Certification Authority

  • The certificate must have a subject key identifier field. The X.509 certificates issued by the majority of commercial CAs have this field already.

  • Certificates using Cryptography Next Generation (CNG) cryptographic service providers (CSPs) aren't supported for federation; the certificate must use a CryptoAPI CSP. A CryptoAPI provider is used when you create your certificate request using the Exchange Server 2010 New Certificate Wizard.

  • The certificate must use the RSA signature algorithm.

  • The private key for the certificate must be exportable. This is configured automatically when you create the certificate request using the New Certificate Wizard in the EMC or the New-ExchangeCertificate cmdlet.

  • The certificate must be current and valid; an expired or revoked certificate cannot be used.

  • The certificate must include the enhanced key usage (EKU) type Client Authentication (1.3.6.1.5.5.7.3.2); this usage type is used for proving your identity to a remote computer. The Client Authentication usage type is included by default when you use the New Exchange Certificate Wizard in the EMC or the New-ExchangeCertificate cmdlet to generate the certificate request.

Note:

The certificate used for the federation trust does not have any subject name or subject alternative name requirements; the subject name can be the server's host name or the domain name—or any other name can be specified. When the trust is established, Exchange Server 2010 distributes the certificate to all other Exchange Server 2010 Client Access and Hub Transport servers in the organization automatically, as discussed in the Certificate Distribution section of this chapter.

1.2. Creating the Federation Trust

You create the federation trust by exchanging the X.509 certificate for your organization with the MFG, and retrieving the X.509 certificate and federation metadata from the MFG. These tasks are performed for you when you create the federation trust with the Exchange Server 2010 Exchange Management Console (EMC) or Exchange Management Shell (EMS).

In the EMC, you create the federation trust by selecting the Organization Configuration node and then clicking New Federation Trust on the Actions pane as shown in Figure 1.

Figure 1. Creating a federation trust in the EMC

In the resultant New Federation Trust Wizard (shown in Figure 2), you select the certificate used for the trust and create the trust by clicking New.

Figure 2. The New Federation Trust Wizard

Note:

Creating a federation trust is a one-time configuration; you can only have one federation trust per Exchange Server 2010 organization. After the trust is created, the New Federation Trust option is no longer available in the EMC.

You can also create the federation trust using the New-FederationTrust cmdlet in the EMS. The parameters required for the cmdlet are -Name and –Thumbprint. -Thumbprint is the thumbprint of the certificate being used for the federation trust; to get a list of the certificates available and their thumbprints, use the following cmdlet:

Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $false} | fl

After you obtain the thumbprint, the federation trust is created with the New-FederationTrust cmdlet. An example of this cmdlet for Contoso with a certificate with a thumbprint of AC00F35CBA8359953F4126E0984B5CCAFA2F4F17 is as follows:

New-FederationTrust -Name "Contoso-MFG Trust" -Thumbprint
AC00F35CBA8359953F4126E0984B5CCAFA2F4F17

After the federation trust has been successfully created, an AppID is provided in the output of the New Federation Trust Wizard (or the output of the New-FederationTrust cmdlet, if you created your federation trust using the EMS). This AppID is used in configuring your accepted domains for federation, as explained in the "Managing Federation" section of this chapter. You can also view the AppID for your organization in the Manage Federation Wizard in the EMC or by using the Get-FederationTrust cmdlet.

An example of obtaining the AppID for Contoso using the Get-FederationTrust cmdlet is as follows:

Get-FederationTrust | fl name, appl*

The output of this cmdlet should be similar to the following:

Name                  : Contoso-MFG Trust
ApplicationIdentifier : 000000004001A66A
ApplicationUri        : contoso.com
Other -----------------
- Introduction to Federated Delegation in Exchange Server 2010
- BizTalk Server 2009 : Service-oriented endpoint patterns (part 2)
- BizTalk Server 2009 : Service-oriented endpoint patterns (part 1)
- Exchange Server 2010 : Office Communication Server 2007 R2 Integration (part 3) - Deploying Instant Messaging for OWA
- Exchange Server 2010 : Office Communication Server 2007 R2 Integration (part 2) - Deploying UM and OCS 2007 R2 Integration
- Exchange Server 2010 : Office Communication Server 2007 R2 Integration (part 1) - Integrating OCS 2007 R2 in Exchange 2010 Architecture
- Exchange Server 2010 : Managing Unified Messaging (part 1) - Testing Unified Messaging Functionality
- Exchange Server 2010 : Managing Unified Messaging (part 1)
- Exchange Server 2010 : International Considerations of Unified Messaging
- BizTalk Server 2009 : Service-oriented schema patterns (part 6) - Exploiting generic schemas
- BizTalk Server 2009 : Service-oriented schema patterns (part 5) - Node feature mapping for service clients
- BizTalk Server 2009 : Service-oriented schema patterns (part 4) - Node data type conversion for service clients
- BizTalk Server 2009 : Service-oriented schema patterns (part 3) - Building and applying reusable schema components
- BizTalk Server 2009 : Service-oriented schema patterns (part 2) - Canonical schemas
- BizTalk Server 2009 : Service-oriented schema patterns (part 1) - Designing schemas based on service type
- Exchange Server 2010 : Deploying Unified Messaging (part 3)
- Exchange Server 2010 : Deploying Unified Messaging (part 2)
- Exchange Server 2010 : Deploying Unified Messaging (part 1)
- BizTalk Server 2009 : Types of services
- BizTalk Server 2009 : Identifying Standard Message Exchange Patterns (part 3)
 
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us