Introduction
Active Directory Federation Services (AD S) in the Windows Server 2012 R2 OS provides flexibility for organizations that want to enable their users to log on to applications that are located on a local network, at a partner company, or in an online service. With ADFS, your company can manage its own user accounts, and users only have to remember one set of credentials. However, those credentials can provide access to a variety of applications, which typically are located in different locations.
Create a DNS record for AD FS
On Domain controller (DC1) server, open DNS console and add new host. In the New Host box, type adfs, in the IP address box, type 172.16.0.10, and then click. Add Host and click OK. Open Server Manager and click Manage -> Add Roles and Features
Role-based or feature-based installation should be selected then click Next:
Select the server you want to install this role then click Next:
Note: Web Application Proxy role and AD FS cannot be installed on the same computer.
Select Active Directory Federation Services then click Next:
No additional Features are needed. Click Next:
The AD FS role does not required a reboot. Click Install:
Now click on Close to complete installation process.
Post-Deployment Configuration
Back on Server Manager under Notifications click the message Configure the federation service on this server. Since this is our first AD FS server select the first option then click Next:
Ensure the account you are logged into has Active Directory Domain Admin permissions. If not then click Change. Click Next to continue:
SSL Certificate: On the drop down menu you will see the certificates installed on the server. You can use the default self signed or use one you create. Ensure you have it in .PFX format.
Federation Service Name: Give your AD FS a FQDN name.
Federation Service Display Name: Enter a display name
Click Next to proceed.
Note about Federation Service Name: If you are installing AD FS on a Domain Controller or want to use a different FQDN for AD FS than the server you will need to ensure the name you enter has a DNS Record created. Since this is my home lab I am putting AD FS on my Domain Controller and needed to create a DNS entry.
Note about SSL Certificate: If you imported a certificate you will see it added to your Personal Certificates. On the Specify Service Account tab you may get the following message. If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.
PowerShell Commands
Get-Help Add-KdsRootKey
Add-KdsRootKey -EffectiveImmediately – Generate root key
Enter the Service Account you want to use and click Next:
Note: Ensure this user account is added to the local administrators group of your AD FS server. It is required to setup Microsoft Web Application Proxy.
You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database. Click Next:
Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\
For additional information about using a SQL Server database click here.
Click Next & configure
AD FS is now installed and is ready for testing! Open a web browser and go to the URL below and click Sign In:
https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
You should get a login box, enter your domain credentials, once logged in you should show the below screen
.
