
Active Directory Federation Services (AD FS)

Important

This is not a setup guide for a production environment. This is mostly a guide for myself for testing/development. This is a guide for setting up a standalone AD FS.

For Windows Server 2012 R2 look here:

For Windows Server 2016 look here:

  1. Obtain and Configure an SSL Certificate for AD FS (Google: create certificate for adfs)
  2. Then it is rather intuitive (or rather, I do not have the time to write anything)

Prerequisite

  • Windows Server 2012 (in this case Windows Server 2012 Standard)
  • Active Directory Domain Services – installed
  • DNS Server – installed
  • Active Directory Certificate Services – installed

1. Add role – Active Directory Federation Services

Use default settings. This will also add the required IIS role.

2. Configure AD FS

Create a Stand-Alone Federation Server

When you select the Stand-alone federation server option in the AD FS Federation Server Configuration Wizard, the service account associated with this Federation Service will automatically be assigned to the NETWORK SERVICE account. Using NETWORK SERVICE as the service account is only recommended in situations where you are evaluating AD FS in a test lab environment.

  • Server Manager, Dashboard – you will see a yellow warning at the top right by the Notifications flag – click Run the AD FS Management snap-in
  • AD FS Management – click AD FS Federation Server Configuration Wizard
  • Welcome – select Create a new Federation Service – click Next
  • Select Deployment Type – select Stand-alone federation server – click Next
  • Federation Service Name – select the default certificate machinename.domain created by AD CS – click Next
  • Summary – click Next
  • Results – click Close

3. Verify

Verify That a Federation Server Is Operational

Browse to https://machinename.domain/adfs/fs/federationserverservice.asmx; if the page returns XML, the federation server is operational.
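The same check as a script, so it can be repeated after every change instead of eyeballing a browser page. This is an added example and not part of the original post; the host name is an assumption taken from the URL above and must be replaced with your own. Note that Invoke-WebRequest validates the TLS certificate, so a failure here can also mean the client does not trust the AD CS root, which is itself worth knowing before relying parties are pointed at the server.

```powershell
# Added example (not from the original post): check that the federation
# server endpoint answers over HTTPS with well-formed XML.
# Assumption: $FederationHost is the lab machine name from the guide.
$FederationHost = 'machinename.domain'
$Url = "https://$FederationHost/adfs/fs/federationserverservice.asmx"

function Test-AdfsFederationServerEndpoint {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        # -UseBasicParsing avoids the Internet Explorer engine dependency on a fresh server.
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
    } catch {
        # Covers DNS failures, a stopped AD FS service and an untrusted TLS certificate.
        Write-Warning "Request to $Uri failed: $($_.Exception.Message)"
        return $false
    }
    if ($response.StatusCode -ne 200) {
        Write-Warning "Unexpected HTTP status $($response.StatusCode) from $Uri"
        return $false
    }
    try {
        # The [xml] cast throws on anything that is not well-formed XML,
        # for example an HTML error page, which is what "returns xml" in the guide rules out.
        $xml = [xml]$response.Content
    } catch {
        Write-Warning "Response from $Uri is not well-formed XML"
        return $false
    }
    Write-Host "OK: $Uri returned XML with root element <$($xml.DocumentElement.Name)>"
    return $true
}

Test-AdfsFederationServerEndpoint -Uri $Url
```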

Information

AD FS Deployment Guide in Windows Server 2012

Deploying Federation Servers

Create a Stand-Alone Federation Server

AD FS 2.0: How to Change the Local Authentication Type (look for WAUTH in the comments for a way to offer multiple authentication methods)

Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

WAUTH parameters

4. Notes 2017-03-08

Notes to put in later.

SPN

ADFS-machine: XX-ADFS-01 (XX-ADFS-01.local.net), IP=10.0.0.20

Make sure to create an “adfs” entry (adfs.local.net, or some other preferred name) in DNS pointing to 10.0.0.20 so you can use it when setting the service principal names (SPNs) for LOCAL\adfs-service.

  • setspn -s HOST/adfs LOCAL\adfs-service
  • setspn -s HOST/adfs.local.net LOCAL\adfs-service

It is important to use the “HOST” service class. If you do not use the “adfs” entry but use the machine name “XX-ADFS-01” instead, you get problems: the SPNs will conflict with those of the “XX-ADFS-01” computer account. When the machine is added to the domain it gets the following SPNs automatically:

Registered ServicePrincipalNames for CN=XX01-ADFS-01,CN=Computers,DC=local,DC=net:

  • HOST/XX-ADFS-01
  • HOST/XX-ADFS-01.local.net
  • RestrictedKrbHost/XX-ADFS-01
  • RestrictedKrbHost/XX-ADFS-01.local.net
  • TERMSRV/XX-ADFS-01
  • TERMSRV/XX-ADFS-01.local.net
  • WSMAN/XX-ADFS-01
  • WSMAN/XX-ADFS-01.local.net

You cannot solve this by removing:

  • HOST/XX-ADFS-01
  • HOST/XX-ADFS-01.local.net

If you do, the XX-ADFS-01 machine will no longer be trusted in the domain.
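The conflict described above is easy to catch before it happens: check that the DNS alias resolves to the AD FS server, check which directory object already holds each SPN, and only then run the setspn commands from the list above. The following script is an added example and not part of the original post. It assumes the names and IP used in these notes (adfs.local.net, 10.0.0.20, LOCAL\adfs-service) and that the ActiveDirectory PowerShell module is installed, which it is on the domain controller this guide builds everything on.

```powershell
# Added example (not from the original post): register the AD FS SPNs safely.
# Assumptions: the lab names from the notes; ActiveDirectory module available;
# run with an account allowed to write servicePrincipalName on the service account.
Import-Module ActiveDirectory

$AdfsAlias      = 'adfs.local.net'
$ExpectedIp     = '10.0.0.20'
$ServiceAccount = 'adfs-service'              # sAMAccountName of LOCAL\adfs-service
$Spns           = @('HOST/adfs', "HOST/$AdfsAlias")

function Test-AdfsDnsAlias {
    # The alias must exist and point at the AD FS server before the SPNs make sense.
    param([string]$Name, [string]$Ip)
    $records = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    $ok = [bool]($records -and ($records.IPAddress -contains $Ip))
    if (-not $ok) { Write-Warning "$Name does not resolve to $Ip (create the A record first)" }
    return $ok
}

function Find-SpnOwners {
    # Returns the DN of every object (user or computer) that already holds the SPN.
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

function Register-AdfsSpns {
    param([string[]]$SpnList, [string]$Account)
    $acct = Get-ADUser -Identity $Account
    foreach ($spn in $SpnList) {
        $owners = @(Find-SpnOwners -Spn $spn)
        if ($owners -contains $acct.DistinguishedName) {
            Write-Host "$spn is already registered on $Account, nothing to do"
            continue
        }
        if ($owners.Count -gt 0) {
            # This is the situation the notes warn about: e.g. HOST/XX-ADFS-01 is owned
            # by the computer account, and a second owner breaks Kerberos for both.
            Write-Warning "$spn is already registered on: $($owners -join ', ') - not adding"
            continue
        }
        # setspn -s checks the forest for duplicates before adding (same command as in the notes).
        & setspn -s $spn "LOCAL\$Account"
    }
}

if (Test-AdfsDnsAlias -Name $AdfsAlias -Ip $ExpectedIp) {
    Register-AdfsSpns -SpnList $Spns -Account $ServiceAccount
    # Final sanity check: the forest-wide duplicate scan should report no duplicates.
    & setspn -X
}
```

If Find-SpnOwners reports the computer account for a HOST SPN, the fix is to use the separate “adfs” DNS name as the notes say, not to strip the SPNs from the computer object.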

Certificate

Obtain and Configure an SSL Certificate for AD FS

You do this on the AD FS server, in the section Request and enroll a new SSL certificate for AD FS -> Request New Certificate…

Common name: adfs.local.net

DNS:

  • adfs.local.net
  • certauth.adfs.local.net
  • enterpriseregistration.local.net
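Once the certificate has been enrolled it is worth confirming that it actually carries all three DNS names, has a private key in the machine store and chains to the AD CS root, because a certificate that is missing one name only fails later when that hostname is first used. The following check is an added example and not part of the original post; it assumes the common name adfs.local.net and the three DNS names listed above, and that the certificate was enrolled into the LocalMachine\My store on the AD FS server.

```powershell
# Added example (not from the original post): verify the enrolled AD FS SSL certificate.
# Assumptions: CN and DNS names as listed in the notes; certificate in LocalMachine\My.
$RequiredDnsNames = @('adfs.local.net', 'certauth.adfs.local.net', 'enterpriseregistration.local.net')

function Get-CertificateDnsNames {
    # Extracts the DNS entries from the subjectAltName extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) yields e.g. "DNS Name=adfs.local.net, DNS Name=certauth.adfs.local.net"
    $san.Format($false) -split ',\s*' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-AdfsSslCertificate {
    param([string]$Subject, [string[]]$Required)
    # Pick the newest certificate whose subject CN matches.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with CN=$Subject in LocalMachine\My"
        return $false
    }

    $ok = $true
    if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key'; $ok = $false }
    # Verify() builds the chain against the machine's trusted roots (the AD CS root here).
    if (-not $cert.Verify())      { Write-Warning 'Certificate does not chain to a trusted root'; $ok = $false }
    $present = @(Get-CertificateDnsNames -Cert $cert)
    foreach ($name in $Required) {
        if ($present -notcontains $name) { Write-Warning "SAN missing: $name"; $ok = $false }
    }
    if ($ok) {
        Write-Host "OK: $($cert.Thumbprint) covers $($Required -join ', ') until $($cert.NotAfter)"
    }
    return $ok
}

Test-AdfsSslCertificate -Subject 'adfs.local.net' -Required $RequiredDnsNames
```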