Configuring Active Directory Federation Services (AD FS 2.0) for Lync Server 2013
Topic Last Modified: 2013-07-03
The following section describes how to configure Active Directory Federation Services (AD FS 2.0) to support multi-factor authentication. For information on how to install AD FS 2.0, see AD FS 2.0 Step-by-Step and How To Guides at https://go.microsoft.com/fwlink/p/?LinkId=313374.
Note: When installing AD FS 2.0, do not use the Windows Server Manager to add the Active Directory Federation Services role. Instead, download and install the Active Directory Federation Services 2.0 RTW package at https://go.microsoft.com/fwlink/p/?LinkId=313375.
To configure AD FS for two-factor authentication

1. Log in to the AD FS 2.0 computer using a Domain Admin account.

2. Start Windows PowerShell.

3. From the Windows PowerShell command line, run the following command:

   Add-PSSnapin Microsoft.Adfs.PowerShell

4. Establish a partnership with each Lync Server 2013 with Cumulative Updates for Lync Server 2013: July 2013 Director, Enterprise Pool, and Standard Edition server that will be enabled for passive authentication by running the following command, replacing the server name with the one specific to your deployment:

   Add-ADFSRelyingPartyTrust -Name LyncPool01-PassiveAuth -MetadataURL https://lyncpool01.contoso.com/passiveauth/federationmetadata/2007-06/federationmetadata.xml

5. From the Administrative Tools menu, launch the AD FS 2.0 Management console.

6. Expand Trust Relationships > Relying Party Trusts.

7. Verify that a new trust has been created for your Lync Server 2013 with Cumulative Updates for Lync Server 2013: July 2013 Enterprise Pool or Standard Edition server.

8. Create and assign an Issuance Authorization Rule for your relying party trust using Windows PowerShell by running the following commands (the permit claim type is the http:// schema URI; AD FS does not recognize an https:// variant as the permit claim):

   $IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
   Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth -IssuanceAuthorizationRules $IssuanceAuthorizationRules

9. Create and assign an Issuance Transform Rule for your relying party trust using Windows PowerShell by running the following commands (the rule passes through only the user's primary SID claim):

   $IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);'
   Set-ADFSRelyingPartyTrust -TargetName LyncPool01-PassiveAuth -IssuanceTransformRules $IssuanceTransformRules

10. From the AD FS 2.0 Management console, right-click your relying party trust and select Edit Claim Rules.

11. Select the Issuance Authorization Rules tab and verify that the new authorization rule was created successfully.

12. Select the Issuance Transform Rules tab and verify that the new transform rule was created successfully.
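The steps above create and check one trust by hand. The following script is an added example (not from the original page or from Microsoft) that applies the same rules to every Lync server enabled for passive authentication and then reads each trust back to confirm both rule sets were stored. It assumes it runs on the AD FS 2.0 server as a Domain Admin; the trust names and FQDNs in the table are placeholders to replace with your own Director, Enterprise Pool and Standard Edition servers.

```powershell
# Added example: configure and verify Lync passive-auth relying party trusts in one pass.
# Assumes the AD FS 2.0 snap-in is installed and the session runs as a Domain Admin.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholder trust name -> server FQDN pairs; one entry per Director, Enterprise Pool
# or Standard Edition server that will be enabled for passive authentication.
$LyncServers = @{
    'LyncPool01-PassiveAuth' = 'lyncpool01.contoso.com'   # Enterprise Pool (placeholder)
    'LyncDir01-PassiveAuth'  = 'lyncdir01.contoso.com'    # Director (placeholder)
}

# Same rules the procedure above applies: permit every authenticated user,
# and pass through only the primary SID claim that Lync needs.
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);'

foreach ($name in $LyncServers.Keys) {
    $metadataUrl = "https://$($LyncServers[$name])/passiveauth/federationmetadata/2007-06/federationmetadata.xml"

    # Create the trust only if it is not already present, so the script is safe to re-run.
    if (-not (Get-ADFSRelyingPartyTrust -Name $name -ErrorAction SilentlyContinue)) {
        Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $metadataUrl
    }

    Set-ADFSRelyingPartyTrust -TargetName $name `
        -IssuanceAuthorizationRules $IssuanceAuthorizationRules `
        -IssuanceTransformRules $IssuanceTransformRules

    # Verification: read the trust back and check that both rule sets were stored.
    $trust   = Get-ADFSRelyingPartyTrust -Name $name
    $authzOk = [bool]($trust.IssuanceAuthorizationRules -match 'authorization/claims/permit')
    $sidOk   = [bool]($trust.IssuanceTransformRules -match 'identity/claims/primarysid')

    if ($authzOk -and $sidOk) {
        Write-Host "$name : trust present, authorization and transform rules verified"
    } else {
        Write-Warning "$name : rule check failed (permit rule=$authzOk, primary SID rule=$sidOk)"
    }
}
```

The same check can be repeated later as a drift test: a trust that no longer matches both patterns has had its claim rules altered since deployment.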