Today I want to talk about my recent experience with Citrix ShareFile StorageZone and Microsoft Active Directory Federation Services (AD FS) 3.0. There are a few small things you have to take care of.

Our proof of concept consists of two servers:

  • 1 x Storage Zone Controller

    Microsoft Windows Server 2012 R2, 2 vCPU, 8 GB RAM, 60 GB system partition, 80 GB data partition.

  • 1 x ADFS Server

    Microsoft Windows Server 2012 R2, 2 vCPU, 8 GB RAM, 60 GB system partition.

The following prerequisites should also be in place before you start:

  • Citrix ShareFile control plane (and subdomain) with at least one administrator account
  • A public DNS entry for your Citrix StorageZone, resolving to the NetScaler content switching IP
  • A public certificate for your Citrix StorageZone name (e.g. sharefile.demo.de)
  • A public DNS entry for the AD FS service, resolving to the NetScaler content switching IP
  • A public certificate for the AD FS service name (e.g. adfs.demo.de)
  • A service account for ShareFile
  • A service account for AD FS

All other infrastructure components, such as the file server and Active Directory, are already in place, as we are working in a production environment.

PLEASE NOTE:

  • The Netscaler configuration is not part of this article. If you have some questions about the configuration, please contact me or leave a comment.
  • The demo installation was done on server systems in German language. I’ve tried to translate all messages and menus, but some menus may look different on English systems.

Prepare Storage Zone Controller for Installation

First we need to prepare a network share where all ShareFile data will be stored and managed, and an IIS web server for the StorageZone management services.

Create a folder for your StorageZone Controller. This folder will be the central store for all files in the on-premises zone.

NOTE: This share can also be placed on a central storage system.

Now give your ShareFile service account „Full Control“ on this folder. Leave all other rights at their defaults.
Next, create a network share for this folder and give your service account full access to the share. Granting „Everyone“ read permission on the share, as is often suggested, is not required: the StorageZone service reads and writes the data only as the service account. Leave it out, otherwise the default NTFS rights inherited from the volume can leave every file in the zone readable by any domain user.
Note the name of the share. You need it later to configure the StorageZone web service.
Now install the server role „Web Server (IIS)“.
Also accept the additional management features as suggested.
Add the ASP.NET 4.5 feature.
Enable Basic Authentication and Windows Authentication. Basic Authentication sends credentials Base64-encoded, not encrypted, so make sure the site is only reached over the HTTPS binding configured below.
Expand the Development tools.
Select the ASP.NET 4.5 feature.
Accept the additional features required by ASP.NET 4.5.
In the IIS Manager console, click Default Web Site and then click Bindings. Add an https binding on port 443 and select the public certificate for your StorageZone name.
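The same preparation as one PowerShell script, added here as an example and not taken from the original article or from Citrix. The folder path D:\ShareFileData, the share name ShareFile, the service account DEMO\svc.sharefile and the certificate subject sharefile.demo.de are assumptions; replace them with your own values. Unlike the click-through above it grants the share only to the service account.

```powershell
# Added example: prepare the StorageZone Controller host (run elevated, PowerShell 4 on 2012 R2).
# All names below are assumptions for this example.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$dataPath       = 'D:\ShareFileData'      # assumption: folder on the 80 GB data partition
$shareName      = 'ShareFile'             # assumption: share name used later in the zone wizard
$serviceAccount = 'DEMO\svc.sharefile'    # assumption: ShareFile service account
$certSubject    = 'CN=sharefile.demo.de'  # assumption: public cert already imported into LocalMachine\My

# 1. Folder for the zone, with NTFS Full Control for the service account (inherited to all children)
New-Item -Path $dataPath -ItemType Directory -Force | Out-Null
$acl  = Get-Acl -Path $dataPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $serviceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $dataPath -AclObject $acl

# 2. Share: the StorageZone service is the only identity that needs it,
#    so grant Full Access to the service account and nothing to "Everyone".
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $dataPath -FullAccess $serviceAccount | Out-Null
}

# 3. IIS with ASP.NET 4.5, Basic and Windows authentication, plus the management console
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Console, Web-Asp-Net45, NET-Framework-45-ASPNET,
    Web-Basic-Auth, Web-Windows-Auth -IncludeManagementTools | Out-Null

# 4. HTTPS binding on the Default Web Site with the public certificate
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate $certSubject not found in LocalMachine\My" }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

# 5. Show what was configured so it can be compared with the screenshots
Get-SmbShareAccess -Name $shareName
Get-WebBinding -Name 'Default Web Site'
```

The UNC path to enter later in the zone wizard is then \\<server>\ShareFile; the Basic Authentication enabled in step 3 is only acceptable because step 4 forces the service onto HTTPS.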

Installing and Configuring Storage Zone Controller

Now install the StorageZone Controller components on the StorageZone server.

After downloading the components from citrix.com, start the installer with administrative privileges.
Click „Next“ to start the installation.
Accept the EULA.
Choose your preferred installation location.
Click „Next“ to start the installation process.
Uncheck „Launch StorageZone Controller Configuration Page“ and click „Finish“.
Now restart the server.
Open https://localhost in a browser; you should see the StorageZone page from the screenshot (a certificate warning for „localhost“ is expected, because the certificate is issued for the public name).

If you can see this ShareFile page, go to https://localhost/configservice/login.aspx and log in with your ShareFile admin account.

Note: You need internet access to connect to the control plane of your ShareFile subdomain. If you are using a proxy server, select the „Networking“ menu to configure your proxy settings.

Once you are connected to your control plane, select „Create new Zone“.

Fill out the required fields:

  • Hostname: <<yourServername>>
  • External Address: https://sharefile.demo.de
  • Storage Repository: Local Network share
  • Network Share Location: \\SERVER\Sharefile
  • Account: your service account
  • Enable encryption for the zone.

If you scroll down, you can select allowed connectors and paths.

You also have to set a passphrase. It protects the zone's keys, and you will need it again to join additional StorageZone Controllers to this zone or to rebuild this one, so store it somewhere safe outside the server.

To finish click „Register“.

If the registration was successful you should see this overview.

Installing ADFS

Microsoft Active Directory Federation Services (AD FS) will be the authentication service for your ShareFile employees. It needs an existing Active Directory, and the federation service must be reachable from the internet on port 443 (HTTPS).

Open Server Manager, select „Add Roles and Features“ and „Role-based or feature-based installation“.
Select „Active Directory Federation Services“ and „Web Server (IIS)“.
The „Features“ page can be left at the default settings.
Click „Next“ on the AD FS page.
Click „Next“ on the Web Server page.
You don't need any additional role services.
Click „Install“ to start the installation.
Wait for the installation to complete.

If the installation was successful, Server Manager shows an exclamation mark with a notice asking you to complete the AD FS configuration.

Click on this note to start the ADFS wizard.

In our case this is the first AD FS server, so select „Create the first federation server in a federation server farm“ and click „Next“.
In the next dialog you have to enter an account with domain administrator privileges to integrate AD FS into Active Directory.
Type your admin account and click „OK“.
On this page you need to specify the certificate for AD FS. In my case this is a wildcard certificate. The name of the federation service is adfs.domain.lab.
Now specify the service account for the AD FS service. In my case the account was admin.adfs. Despite that name, a dedicated standard domain account is sufficient; the AD FS service account does not need admin rights.
Create the database for AD FS on your AD FS server (Windows Internal Database) or specify a SQL Server.
Click „Next“ to run the pre-requisite checks for the AD FS configuration.
If all pre-checks were successful you can click „Configure“.
Wait for the configuration to complete.
When it has completed, click „Close“.
Start the AD FS Management tool.
Right-click „Relying Party Trusts“ and select „Add Relying Party Trust“.
Start the wizard by clicking „Start“.

Select „Enter data about the relying party manually“ and click on „next“

010216_1550_PoCSharefil49.png I usually use my Sharefile subdomain site as display name and identifier, e.g. https://DEMO.sharefile.eu/saml/acs
Select „AD FS profile“ and click „Next“.
You can use the default settings for the certificate and click „Next“. This is the optional token encryption certificate; leaving it empty means the SAML assertion is signed but not encrypted.
Select the checkbox „Enable support for the SAML 2.0 WebSSO protocol“ and enter the assertion consumer URL, e.g. https://demo.sharefile.eu/saml/acs
Type in your identifier for the site (the same URL, as mentioned above).
Select „I do not want to configure multi-factor authentication settings for this relying party trust at this time“ and click „Next“. For a file service reachable from the internet, revisit this once basic SSO works.
Permit all users to access this relying party.
Click „Next“.
Check the box to open the claim rules editor after finishing the wizard.
Click „Add Rule“.
For the first rule use the template „Send LDAP Attributes as Claims“.
Enter „AD to Email“ as the claim rule name.
Choose Active Directory for the attribute store, E-Mail-Addresses for the LDAP attribute and E-Mail Address for the outgoing claim type. Then click „Finish“.
Click „Add Rule“ to add a second rule.
Use the template „Transform an Incoming Claim“. Then click „Next“.

For Claim rule name, enter „Email to Name ID“.

Incoming claim type, choose E-Mail Address.
Outgoing claim type, choose Name ID.
Outgoing name ID format, choose Email. Click on „Finish“.

Click „OK“ to return to AD FS Management.
Under „Trust Relationships“ open „Relying Party Trusts“, right-click the trust you created and select „Properties“.
In the Advanced tab change the secure hash algorithm to SHA-1 and apply. SHA-1 is what the ShareFile SSO configuration expected when this PoC was done; SHA-1 signatures are deprecated, so check whether your control plane accepts SHA-256 before settling for SHA-1.
Go to the „Endpoints“ tab and add the SAML endpoint as shown in the screenshot.
Select the folder „Authentication Policies“ and click „Edit Global Primary Authentication“.
Select Forms Authentication for both the extranet and the intranet. Make sure all other authentication types are unchecked. Click OK.
In the AD FS management console, navigate to „Service“ and select „Certificates“. Select the token-signing certificate and choose „View Certificate“ from the context menu.
Open the „Details“ tab and click „Copy to File“ to export the certificate.
Start the wizard by clicking „Next“.
Select „Base-64 encoded X.509 (.CER)“ and click „Next“.
Browse to a file location and type a name for the export file.
„Finish“ the wizard.
Accept the success message. This export contains the public certificate only; the private key stays in AD FS, and ShareFile needs the public part to verify the signature on the assertions.
If you plan to use Firefox or Chrome you also need to set the Extended Protection Token Check to „None“, because the channel-binding check it performs is only supported by Internet Explorer. This setting only affects Windows Integrated Authentication; with Forms Authentication alone, as configured above, it can stay at its default. If you do set it to „None“, be aware that you give up protection against relaying of Windows-authenticated logons.
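The AD FS part of the wizard steps above, from the farm installation to the exported token-signing certificate, as one PowerShell script. This is an added example, not code from the original article, Microsoft or Citrix. The federation service name adfs.demo.de, the wildcard certificate subject *.demo.de, the service account DEMO\svc.adfs, the subdomain demo.sharefile.eu and the export path C:\ADFS\token-signing.cer are assumptions. The claim rules are the rule language that the two wizard templates („Send LDAP Attributes as Claims“ and „Transform an Incoming Claim“) generate. The extra endpoint from the Endpoints screenshot is not legible here, so only the assertion consumer endpoint is created; add the other one the same way with New-AdfsSamlEndpoint.

```powershell
# Added example: AD FS 3.0 farm plus the ShareFile relying party trust (run elevated as a domain admin).
# All names below are assumptions for this example.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$federationName = 'adfs.demo.de'                 # assumption: public AD FS service name
$wildcardSubject = 'CN=*.demo.de'                # assumption: wildcard cert already in LocalMachine\My
$subdomain      = 'https://demo.sharefile.eu'    # assumption: ShareFile subdomain
$identifier     = "$subdomain/saml/acs"          # identifier = ACS URL, as in the wizard above
$exportPath     = 'C:\ADFS\token-signing.cer'    # assumption: where the Base-64 cert is written

# 1. Role and first federation server in the farm (Windows Internal Database)
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $wildcardSubject -or $_.Subject -eq "CN=$federationName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $federationName in LocalMachine\My" }
$svc = Get-Credential -UserName 'DEMO\svc.adfs' -Message 'AD FS service account (standard domain user)'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $federationName `
    -ServiceAccountCredential $svc

# 2. Claim rules: LDAP "mail" -> E-Mail Address, then E-Mail Address -> Name ID in e-mail format
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD to Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party"
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 3. Relying party trust with the SAML 2.0 assertion consumer endpoint (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $identifier -IsDefault $true
Add-AdfsRelyingPartyTrust -Name 'ShareFile' -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'   # SHA-1 as in the article; use ...xmldsig-more#rsa-sha256 if the control plane accepts it

# 4. Forms Authentication only, for intranet and extranet
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider FormsAuthentication `
    -PrimaryExtranetAuthenticationProvider FormsAuthentication

# 5. Export the primary token-signing certificate as Base-64 (public part only) for the ShareFile SSO page
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
New-Item -Path (Split-Path $exportPath) -ItemType Directory -Force | Out-Null
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii
"Token-signing certificate $($signing.Certificate.Thumbprint) exported to $exportPath"

# 6. Only needed if Windows Integrated Authentication is ever enabled for non-IE browsers;
#    it weakens channel binding, so it stays commented out here.
# Set-AdfsProperties -ExtendedProtectionTokenCheck None
```

Because AD FS rotates its token-signing certificate automatically (AutoCertificateRollover), step 5 has to be repeated and the new certificate uploaded to ShareFile before the old one expires; the thumbprint printed at the end is what to compare against the ShareFile SSO page.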

Setting up Trust with Sharefile and ADFS Service

The last step is to set up AD FS in ShareFile as the SAML identity provider. Make sure the federation service is reachable from the internet; I recommend a NetScaler load balancer with only port 443/HTTPS open. When you are sure the service is accessible, log in to your ShareFile control plane with an administrative account.

Click „Admin“ in the top-level menu. Then choose „Configure Single Sign-On“.

Enter the AD FS identity provider values here (for AD FS 3.0 the defaults are the issuer http://adfs.demo.de/adfs/services/trust and the login URL https://adfs.demo.de/adfs/ls/, with your own service name) and paste the exported Base-64 token-signing certificate into the X.509 certificate field. Then:
  • For SP-Initiated SSO Certificate, choose „HTTP Redirect with no signature“. The AuthnRequest sent to AD FS is therefore unsigned; the security of the exchange rests on the signed SAML response from AD FS, which ShareFile verifies with the certificate pasted above.
  • For SP-Initiated Auth Context, choose Password Protected Transport and Minimum.
    Finally, choose Save.
Now we need to install the ShareFile User Management Tool. It allows you to synchronize which AD users will have access to ShareFile. You will need to obtain a copy of this tool from the Citrix website.

Configure a rule for synchronizing the AD users to ShareFile. Make sure the e-mail attribute is set correctly for all users, because it becomes the Name ID that AD FS sends and that ShareFile uses to match the account.

http://docs.citrix.com/en-us/sharefile-user-management-tool/1-7/sf-umt-provision-accts.html

You can also schedule this job to do this synchronization e.g. every hour.

I also recommend creating a ShareFile user group in AD and using this group for the rule.

Start an initial sync now!

For a logon test, open a browser and navigate to the following URL:
https://demo.sharefile.eu/saml/login
NOTE: „demo“ is your ShareFile subdomain. You should now be redirected to your AD FS logon page. Enter the AD credentials of one of the synchronized users and choose Sign In. NOTE: the AD user name must be entered as „email@domain.com“ or „domain\user“.
After a successful logon you will be redirected to your ShareFile file box.
Also verify that the logout works.
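Before walking through the browser test, the pieces it depends on can be checked from any machine with internet access. This is an added example, not part of the original article: it verifies that the ShareFile SAML login hands the browser to AD FS, that AD FS publishes its federation metadata from the internet, and that the token-signing certificate in that metadata is the same one that was exported and pasted into the ShareFile SSO page. The names adfs.demo.de, demo.sharefile.eu and C:\ADFS\token-signing.cer are assumptions.

```powershell
# Added example: sanity checks for the SAML setup. All names are assumptions for this example.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$adfsHost     = 'adfs.demo.de'                 # assumption: federation service name
$subdomain    = 'https://demo.sharefile.eu'    # assumption: ShareFile subdomain
$exportedCert = 'C:\ADFS\token-signing.cer'    # assumption: the Base-64 export uploaded to ShareFile

function Get-RedirectTarget([string]$Url) {
    # Do not follow redirects: an SP-initiated SAML login must answer with a 302 to the IdP.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    } finally {
        $resp.Close()
    }
}

# 1. ShareFile must hand the browser to AD FS instead of showing its own logon form
$hop = Get-RedirectTarget "$subdomain/saml/login"
if ($hop.Status -ne 302 -or ([uri]$hop.Location).Host -ne $adfsHost) {
    throw "Expected 302 to $adfsHost, got $($hop.Status) -> $($hop.Location)"
}
"SP-initiated login redirects to $($hop.Location)"

# 2. AD FS must be reachable from the internet and publish its signing certificate in the metadata
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$published = $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }

# 3. The certificate uploaded to ShareFile must be one AD FS actually signs with
$uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $exportedCert
if ($published.Thumbprint -notcontains $uploaded.Thumbprint) {
    throw "Metadata signing certificate(s) $($published.Thumbprint -join ', ') do not include $exportedCert ($($uploaded.Thumbprint))"
}
"Token-signing certificate matches: $($uploaded.Thumbprint), valid until $($uploaded.NotAfter)"
```

If check 3 fails shortly after a working setup, AD FS has most likely rolled over its token-signing certificate; re-export it and update the ShareFile SSO page.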

Customizing ADFS Services

In some cases it is useful to customize the default AD FS web page with text or logos. Here are some examples. All these settings are made via PowerShell:

Show all current themes: Get-AdfsWebTheme

Create your custom theme as a copy of the default one:

New-AdfsWebTheme -Name custom -SourceName default

Export a theme to the local file system: Export-AdfsWebTheme -Name default -DirectoryPath C:\ADFSTheme

Insert a logo:

Set-AdfsWebTheme -TargetName custom -Logo @{path="C:\ADFS-Design\logo.png"}

Activate the custom theme:

Set-AdfsWebConfig -ActiveThemeName custom

Insert custom links on the logon page: Set-AdfsGlobalWebContent -HomeLink http://www.hompage.de -HomeLinkText Home
Set-AdfsGlobalWebContent -HelpDeskLink https://myfile.sharefile.eu -HelpDeskLinkText Sharefile-Startseite

Use your own onload.js for the logon page:

Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';path="C:\ADFSTheme\script\onload.js"}

Automatic insertion of the domain in the user name field. Insert this script into onload.js (replace contoso.com with your own domain). Login, InputUtil and LoginErrors are objects provided by the AD FS logon page itself:

if (typeof Login != 'undefined') {
    Login.submitLoginRequest = function () {
        var u = new InputUtil();
        var e = new LoginErrors();
        var userName = document.getElementById(Login.userNameInput);
        var password = document.getElementById(Login.passwordInput);
        // Prefix the domain only if the user typed neither "user@domain" nor "domain\user".
        if (userName.value && !userName.value.match('[@\\\\]')) {
            var userNameValue = 'contoso.com\\' + userName.value;
            document.forms['loginForm'].UserName.value = userNameValue;
        }
        if (!userName.value) {
            u.setError(userName, e.userNameFormatError);
            return false;
        }
        if (!password.value) {
            u.setError(password, e.passwordEmpty);
            return false;
        }
        document.forms['loginForm'].submit();
        return false;
    };
}

Change the logon text:

var loginMessage = document.getElementById('loginMessage');
if (loginMessage) {
    // loginMessage element is present, modify its text.
    loginMessage.innerHTML = 'Bitte melden Sie sich mit Ihrem Windows Benutzernamen an:'; // "Please sign in with your Windows user name:"
}

I hope this helps some of you who also have to install ShareFile StorageZone with AD FS 3.0.

Any feedback is welcome, so do not hesitate leaving a comment on this site or contact me directly.

5 Thoughts to “PoC: Sharefile StorageZone with ADFS 3.0 on premise”

  1. Michal Kasper

    Hi Marco,

    great article. Do you also have the NetScaler part to configure this implementation?

    Thanks
    Michal

    1. Hi Michal, sure, I try to publish the steps for this. But I am not sure if there is enough time. Are you interested in a specific part or in general?

      1. Michal kasper

        Hi Marco,

        To be honest, in general. If you have some documentation I would really appreciate it. It seems I am making some mistake.
        Thanks Michal

  2. balamurali chemirthi

    Hi Marco,

    Good day!

    Kindly clarify me on below:

    You have mentioned that both the Storage Zone DNS and the ADFS DNS should point to the same NetScaler content switching IP?
    Is this true?
    Or do we need to create 2 NS CS VIPs?
    Thank you,
    balamurali chemirthi

    1. Hi,
      in most cases we use two public IPs. But in general we can build a NetScaler CS for this use case and just need to set rules based on host names and the ADFS URL paths.

      Best Regards,
      Marco
