In this post I will be installing and configuring the Active Directory Federation Services [AD FS] server role. AD FS provides Single Sign-On [SSO] to multiple web applications using a single Active Directory account.
vBoring Blog Series:
- How to setup Microsoft Active Directory Federation Services [AD FS]
- How to setup Microsoft Web Application Proxy
Install the AD FS Server Role:
Open Server Manager and click Manage -> Add Roles and Features:
Role-based or feature-based installation should be selected then click Next:
Select the server you want to install this role then click Next:
Note: Web Application Proxy role and AD FS cannot be installed on the same computer.
Select Active Directory Federation Services then click Next:
No additional Features are needed. Click Next:
The AD FS role does not require a reboot. Click Install:
Once complete click Close:
Back on Server Manager under Notifications click the message Configure the federation service on this server:
Since this is our first AD FS server select the first option then click Next:
Ensure the account you are logged in with has Active Directory Domain Admin permissions. If not, click Change. Click Next to continue:
SSL Certificate: The drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created. I have a wildcard certificate I bought from StartSSL, and I am going to use it by clicking Import and selecting it. Ensure you have it in .PFX format.
Federation Service Name: Give your AD FS a FQDN name.
Federation Service Display Name: Enter a display name
Click Next to proceed:
Note about Federation Service Name: If you are installing AD FS on a Domain Controller, or want the AD FS FQDN to be different from the server's own hostname, you will need to ensure a DNS record exists for the name you enter.
Since this is my home lab I am putting AD FS on my Domain Controller and needed to create a DNS entry.
Note about SSL Certificate: If you imported a certificate you will see it added to your Personal Certificates.
On the Specify Service Account tab you may get the following message:
If you want the wizard to create a Service Account for you, first run the PowerShell commands below (the wizard creates a Group Managed Service Account, which requires a KDS root key to exist in the domain). If you want to create a Service Account manually, you can add it by selecting the second option.
Get-Help Add-KdsRootKey – Read about the command
Add-KdsRootKey -EffectiveImmediately – Generate root key
Enter the Service Account you want to use and click Next:
Note: Ensure this service account is added to the local Administrators group on your AD FS server. It is required to set up Microsoft Web Application Proxy.
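The manual service-account path, as an added example that is not part of the original post: it checks for the KDS root key the wizard warns about, creates a Group Managed Service Account (gMSA) for AD FS, and ends with the local-administrator step from the note above. The domain (contoso.local), gMSA name (svc_adfs) and server name (ADFS01) are assumed placeholders.

```powershell
# Added example (not from the original post): prepare a gMSA for AD FS by hand
# instead of letting the wizard create it.
# Assumed names: domain CONTOSO / contoso.local, gMSA svc_adfs, AD FS server ADFS01.
# Run in an elevated PowerShell on a domain controller as a Domain Admin.
Import-Module ActiveDirectory

$domainDns  = 'contoso.local'   # assumed
$gmsaName   = 'svc_adfs'        # assumed
$adfsServer = 'ADFS01'          # assumed; the server that will run the AD FS role

# 1. A gMSA cannot be created until the domain has a KDS root key.
#    This is what the warning on the Specify Service Account page is about.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still waits about 10 hours for AD replication before
    # the key is usable on every DC. In a single-DC lab you can backdate it instead:
    #   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA and allow only the AD FS server to retrieve its password.
#    AD manages and rotates the password, so no human ever needs to know it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword "$adfsServer$" `
        -Enabled $true
}

# 3. On the AD FS server itself (ActiveDirectory RSAT module installed):
#    install the account and confirm the server can fetch its password.
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName      # should return True

# 4. The post notes the account must be a local administrator on the AD FS
#    server for the Web Application Proxy setup. gMSA names end in '$'.
# net localgroup Administrators "CONTOSO\$gmsaName$" /add
```

Restricting PrincipalsAllowedToRetrieveManagedPassword to the AD FS computer account is the point of using a gMSA: only that machine can obtain the password, and it is never typed into the wizard.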
You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database. Click Next:
Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\
For additional information about using a SQL Server database click here.
If everything checks out click Configure:
Once complete click Close:
AD FS is now installed and is ready for testing!
How to ensure AD FS is working:
Open a web browser and go to the URL below and click Sign In:
You should get a login box. Enter your domain credentials; once logged in you should see the screen below:
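A scripted version of the checks in this section and of the DNS note earlier in the post, as an added example that is not part of the original post: it verifies that the Federation Service Name resolves (creating the A record if it does not), that port 443 answers, and that AD FS serves its federation metadata over the imported certificate. The service name (adfs.contoso.local), zone (contoso.local) and IP address (192.168.1.10) are assumed placeholders.

```powershell
# Added example (not from the original post): check that the Federation Service
# name resolves, that HTTPS is reachable, and that AD FS publishes its metadata.
# Assumed names: federation service adfs.contoso.local, DNS zone contoso.local,
# AD FS server IP 192.168.1.10.
$fsName = 'adfs.contoso.local'   # assumed
$zone   = 'contoso.local'        # assumed
$adfsIp = '192.168.1.10'         # assumed

# 1. DNS: the Federation Service Name must resolve (see the note in the post
#    about creating a record when the name differs from the server's hostname).
$dns = Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    # On the DNS server (DnsServer module), create the A record the post describes.
    $hostLabel = ($fsName -split '\.')[0]    # 'adfs'
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostLabel -IPv4Address $adfsIp
}

# 2. HTTPS reachability on 443.
$tcp = Test-NetConnection -ComputerName $fsName -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach $fsName on TCP 443" }

# 3. Federation metadata: AD FS publishes it at this well-known path. A download
#    that succeeds without a certificate error also shows the SSL certificate you
#    imported is trusted by the client and matches the service name.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content
"Federation Service identifier: $($md.EntityDescriptor.entityID)"

# 4. On the AD FS server, compare with the name the service itself was given.
# Import-Module ADFS; (Get-AdfsProperties).HostName
```

If step 3 fails with a certificate error while the browser test in the post succeeds, the client running the script does not trust the issuing CA; fix the trust rather than adding a bypass, since every relying party will be validating that same certificate.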
You are now ready to use AD FS in your environment!