Active Directory Federation Services – Part 1 (Installation and Configuration)

Learn how to install and configure Active Directory Federation Services by using an on-premise server. Secure your environment and end users while reducing the need to remember passwords.

The series in split into 4 separate sections.

Table of Contents

Notes

Throughout this series you will see me using cloudrigs.com which is my internal Active Directory Domain. Simply replace this domain name with yours, such as mydomain.tld

Requirements

  • Create a Public Trusted Wild Card Certificate (*.cloudrigs.com). In the guide I used Lets-Encrypt but, due to its short lifespan I do not recommend this option in Production.
  • Create a DNS Alias for your ADFS Farm. (adfs.cloudrigs.com) Even if you build out 1 server, this is highly recommended.
  • Create a Service Account to run ADFS such as “svc_adfs”. Normal low level user privileged account is fine.
  • Create a dedicated Windows Server for ADFS (NYC-ADFS01) with a static IP of 192.168.0.43

Configure DNS

  1. Build a Windows Server which will run the ADFS Service named NYC-ADFS01
  2. Within Windows DNS Manager, create a dns entry called “adfs.cloudrigs.com” point it to the same IP address as NYC-ADFS01 which is 192.168.0.43.
    • You should have 2 Entries in DNS now pointing to the same IP address.
    • nyc-adfs01.cloudrigs.com > 192.168.0.43
    • adfs.cloudrigs.com > 192.168.0.43

Install ADFS on NYC-ADFS01

  1. Open up Server Manager
  2. Click on “Add roles and features”, click next
  3. On “Installation Type” page select “Role-based or feature based installation“, click next
  4. On “Server Selection” page verify the server is correct, click next
  5. On “Server Roles” page select “Active Directory Federation Services“, click next
  6. On “Features” page, click next
  7. On “AD FS” page, click next
  8. On “Confirmation” page select “Restart”, click install.

Activate/Configure ADFS

  1. Open up Server Manager
  2. Click on the “Warning Icon” flag (top menu bar)
  3. Click on “Configure the federation service on this server”
  4. Select “Create the first federation server..” click next,
  5. On “Connect to AD DS” ensure the account your using has the correct permissions and then click next.
  6. On “Specificy Service Properties”
    • SSL Certificate: choose the wild card certificate that you created.
    • Federation Service Name (dns entry you created for the ADFS Farm): adfs.cloudrigs.com
    • Federation Service Display Name (This will be displayed to your end users): ADFS – Your Company
  7. On “Specify Service Account” page
    • We are going to use a standard service account.  Choose the service account you created.  “svc_adfs” and type in the password,
  8. On “Specify Database” page choose “Create a database on this server using Windows Internal Database” this fine for clients with up to 1500 users.  The WID databases will replicate between the ADFS farm members click next
  9. Review the Options, click next
  10. Click “Configure”.

Enable Additional Web Browser Agents

By default only some Web Browsers are allowed to authenticate.  In order to activate others like Google Chrome run the following commands.

Shows Current Web Browser Agent Strings

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

Enables Google Chrome / Mozilla / MS Edge

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Firefox" + "=~Windows\s*NT.*Edge" + "Mozilla/5.0")

Restarts AD FS Service and applies settings

Restart-Service -Name adfssrv

Reset AD FS Browser Agents to Defaults (If you want to revert back to defaults)

Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")

Group Policy – WhiteList Settings (missing content)

  • Google Chrome ADMX Template
    • User or Computer Policy > Admin Templates > Google Chrome > HTTP Authentication > Authentication server whitelist
      • *cloudrigs.com,cloudrigs.com
  • Internet Explorer/Edge
    • User or Computer Policy > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > IE > Site to Zone Assignment

AD FS Verification

Verify you are able to access the IDP Initated SignOn page.

https://adfs.cloudrigs.com/adfs/ls/idpinitiatedsignon.aspx

**Important Server 2016 and Server 2019 Deployments**

This page is disabled by default.  In order to access this page you must run the following command in an elevated PowerShell prompt.

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Restarts AD FS Service and applies settings

Restart-Service -Name adfssrv

You now have installed AD FS.  

4 comments On Active Directory Federation Services – Part 1 (Installation and Configuration)

  • Hi,

    Thanks for such a nice post and Step by step process..

    This SSL certificate will expire after 90 Day.. then what??
    How to auto renew and auto install on ADFS and WAP??

    any pointer on that??

    • You would need to re-cert the ADFS instance as well as work with each IDP Provider to change the key material for each vendor you have setup. The Let’s Encrypt was really just to test and show the capabilities of ADFS. Having to change and re-key certificate material every 90 or less days would be difficult. It is recommended you purchase a Public Certificate from a Certificate Authority like DigiCert or similar with a longer lifespan.

  • Hi – I would like to request Let’s Encrypt certificate for ADFS. Can you share the steps on how to complete Let’s Encrypt.

    I am aware should run ACME client and follow the prompts – bit confused what to select from the prompts.

    Thanks

    Ram

    • Hi Ram, please check out this video I made for generating a Let’s Encrypt certificate for the private network domain. Just keep in mind I own the domain cloudrigs.com and when you see the DNS Challenge Part I actually take that DNS value and put in into my DNS Provider configuration settings. Have patience during this process as you can limited to just a few like .. 3 requests per hour.

      I know it isn’t as detailed as my other documentation but should help assist.

      https://youtu.be/mg4zpRT86OI

Leave a reply:

Your email address will not be published.

Site Footer