
Active Directory Federation Services (AD FS)


This is not a setup guide for a production environment. It is mostly a guide for myself, for testing/development, on setting up a standalone AD FS.

For Windows Server 2012 R2 look here:

For Windows Server 2016 look here:

  1. Obtain and Configure an SSL Certificate for AD FS (Google: create certificate for adfs)
  2. Then it is rather intuitive (or I do not have the time to write anything)


  • Windows Server 2012 (in this case Windows Server 2012 Standard)
  • Active Directory Domain Services – installed
  • DNS Server – installed
  • Active Directory Certificate Services – installed

1. Add role – Active Directory Federation Services

Use default settings. This will also add the required IIS role.

2. Configure AD FS

Create a Stand-Alone Federation Server

When you select the Stand-alone federation server option in the AD FS Federation Server Configuration Wizard, the service account associated with this Federation Service will automatically be assigned to the NETWORK SERVICE account. Using NETWORK SERVICE as the service account is only recommended in situations where you are evaluating AD FS in a test lab environment.

  • Server Manager Dashboard – you will see a yellow warning up to the right by the Notifications flag – click Run the AD FS Management snap-in
  • AD FS Management – click AD FS Federation Server Configuration Wizard
  • Welcome – select Create a new Federation Service – click Next
  • Select Deployment Type – select Stand-alone federation server – click Next
  • Federation Service Name – select the default certificate machinename.domain created by AD CS – click Next
  • Summary – click Next
  • Results – click Close

3. Verify

Verify That a Federation Server Is Operational

Browse to https://machinename.domain/adfs/fs/federationserverservice.asmx; if the page returns XML, the federation server is operational.


AD FS Deployment Guide in Windows Server 2012

Deploying Federation Servers

Create a Stand-Alone Federation Server

AD FS 2.0: How to Change the Local Authentication Type (look for WAUTH, in the comments, for a way to have multiple choices for how to authenticate)

Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

WAUTH parameters

4. Notes 2017-03-08

Notes to put in later.


ADFS-machine: XX-ADFS-01 (, IP=

Make sure to create an “adfs”-entry (, or some other preferred name) in DNS pointing to so you can use it when setting the service-principal-names for LOCAL\adfs-service.

  • setspn -s HOST/adfs LOCAL\adfs-service
  • setspn -s HOST/ LOCAL\adfs-service

It is important to use the “HOST” service class. If you do not use the “adfs” entry but use the machine name “XX-ADFS-01” instead, you get problems: there will be conflicts with the SPNs of the “XX-ADFS-01” computer account, which gets the following SPNs automatically when it is joined to the domain:

Registered ServicePrincipalNames for CN=XX01-ADFS-01,CN=Computers,DC=local,DC=net:

  • HOST/
  • RestrictedKrbHost/XX-ADFS-01
  • RestrictedKrbHost/
  • WSMAN/

You cannot solve it by removing:

  • HOST/

If you do, you will get problems with the XX-ADFS-01 machine in the domain: it will no longer be trusted in the domain.
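A check to run before registering the SPNs described above, so that they do not collide with the SPNs the domain assigned to the XX-ADFS-01 computer account. This is an added PowerShell example and not part of the original post; it assumes the ActiveDirectory module is available, that the LOCAL domain is local.net, and that the “adfs” DNS entry resolves as adfs.local.net (replace with your own values).

```powershell
# Added example: verify the AD FS service account's SPNs are unique before
# registering them, then list both accounts' SPNs to confirm no overlap.
# Assumptions: ActiveDirectory module, domain local.net, DNS entry
# adfs.local.net. Adjust these to your environment.
Import-Module ActiveDirectory

$ServiceAccount = 'adfs-service'        # sAMAccountName of LOCAL\adfs-service
$AdfsHost       = 'adfs'                # the extra DNS entry, not the machine name
$AdfsFqdn       = 'adfs.local.net'      # assumed FQDN of that DNS entry
$Spns           = @("HOST/$AdfsHost", "HOST/$AdfsFqdn")

function Test-SpnConflict {
    param([string]$Spn, [string]$OwnerSamAccountName)
    # Kerberos needs exactly one holder per SPN; a second owner (for example
    # the XX-ADFS-01 computer account holding HOST/<machine>) breaks tickets.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                            -Properties sAMAccountName
    foreach ($h in $holders) {
        if ($h.sAMAccountName -ne $OwnerSamAccountName) {
            return "CONFLICT: $Spn is already registered on $($h.DistinguishedName)"
        }
    }
    return $null
}

foreach ($spn in $Spns) {
    $problem = Test-SpnConflict -Spn $spn -OwnerSamAccountName $ServiceAccount
    if ($problem) {
        Write-Warning $problem
        continue
    }
    # -S (rather than -A) makes setspn refuse the add if a duplicate exists.
    & setspn.exe -S $spn "LOCAL\$ServiceAccount"
}

# List the SPNs of the service account and of the computer account side by
# side: the machine keeps HOST/<machine>, the service account gets HOST/adfs.
setspn.exe -L "LOCAL\$ServiceAccount"
setspn.exe -L XX-ADFS-01

# Final check: report every duplicate SPN in the domain.
setspn.exe -X
```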


Obtain and Configure an SSL Certificate for AD FS

You do this on the ADFS server. In the following part: Request and enroll a new SSL certificate for AD FS -> Request New Certificate…

Common name:

