How to setup Microsoft Active Directory Federation Services [AD FS]

In this post I will be installing and configuring the Active Directory Federation Services [AD FS] server role. AD FS provides Single Sign-On [SSO] to multiple web applications using a single Active Directory account.

vBoring Blog Series:

  1. How to setup Microsoft Active Directory Federation Services [AD FS]
  2. How to setup Microsoft Web Application Proxy

Install the AD FS Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

AD FS 1 - Add Roles and Features

Click Next:

AD FS 2 - Before you Begin

Select Role-based or feature-based installation, then click Next:

AD FS 3 - Installation Type

Select the server on which you want to install this role, then click Next:

Note: The Web Application Proxy role and AD FS cannot be installed on the same computer.

AD FS 4 - Server Selection

Select Active Directory Federation Services then click Next:

AD FS 5 - Server Roles

No additional Features are needed. Click Next:

AD FS 6 - Features

Click Next:

AD FS 7 - AD FS

The AD FS role does not require a reboot. Click Install:

AD FS 8 - Confirmation

Once complete click Close:

AD FS 9 - Results

Post-Deployment Configuration:

Back in Server Manager, under Notifications, click the message Configure the federation service on this server:

AD FS 10 - Configure FS on this server

Since this is our first AD FS server, select the first option, then click Next:

AD FS Configuration 11 - Welcome

Ensure the account you are logged in with has Domain Admin permissions in Active Directory. If not, click Change to specify another account. Click Next to continue:

AD FS Configuration 12 - Connect to AD DS

SSL Certificate: The drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created yourself. If you bring your own, ensure you have it in .PFX format (the export that includes the private key).

Federation Service Name: Enter the fully qualified domain name (FQDN) under which clients will reach your AD FS service.

Federation Service Display Name: Enter a display name.

Click Next to proceed:

AD FS Configuration 13 - Specify Service Properties

Note about Federation Service Name: If you are installing AD FS on a Domain Controller, or want AD FS to use a different FQDN than the server's own hostname, you must ensure a DNS record exists for the name you enter.

Since this is my home lab, I am putting AD FS on my Domain Controller, so I needed to create a DNS entry.

AD FS Configuration 13-1 - Ensure DNS record for ADFS name

Note about SSL Certificate: If you imported a certificate, you will see it listed under your Personal certificates.

AD FS Configuration 13-2 - Wildcard Cert
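The two notes above (a DNS record for the federation service name, and a PFX certificate imported into the Personal store) can be prepared and checked from PowerShell before you start the wizard. The following is an added example, not code from the original post; the FQDN, zone, IP address, PFX path and password prompt are assumptions for a lab and must be replaced with your own values:

```powershell
# Added example (not from the original post): prerequisites for the
# "Specify Service Properties" step, done from PowerShell.
# All values below are assumptions for a lab; replace them with your own.
$FederationServiceName = 'adfs.lab.example'   # FQDN you will enter as Federation Service Name
$DnsZone               = 'lab.example'        # AD-integrated zone that holds the record
$AdfsServerIp          = '192.0.2.10'         # documentation-range placeholder for the AD FS server
$PfxPath               = 'C:\certs\adfs.pfx'  # certificate exported with its private key
$PfxPassword           = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. DNS: create the A record when the service name is not the server's own hostname
#    (needs the DnsServer module, i.e. run on the DNS server or with RSAT installed).
$relativeName = $FederationServiceName -replace ('\.' + [regex]::Escape($DnsZone) + '$'), ''
if (-not (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name $relativeName -IPv4Address $AdfsServerIp
}

# 2. Certificate: import into the computer's Personal store so the wizard lists it
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Checks worth doing before clicking Next
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key; re-export it as a PFX that includes the key.'
}
# Names the certificate covers: the subject plus any Subject Alternative Names
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$coveredNames = @($cert.Subject) + @(if ($sanExt) { $sanExt.Format($true) })
# A wildcard issued for the zone (*.lab.example) also covers adfs.lab.example
$wildcard = '*.' + $DnsZone
$pattern  = [regex]::Escape($FederationServiceName) + '|' + [regex]::Escape($wildcard)
if (@($coveredNames -match $pattern).Count -eq 0) {
    Write-Warning "Certificate does not cover $FederationServiceName (subject: $($cert.Subject))"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now"
}
"Select this thumbprint in the wizard: $($cert.Thumbprint)"
```

The name check matters because the wizard only lists certificates; it does not tell you that the subject or SAN fails to match the federation service name, and browsers will reject the sign-in page later if it does not.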

On the Specify Service Account tab you may get the following message:


If you want the wizard to create a Service Account for you, first run the PowerShell commands below. If you want to create a Service Account manually, you can add it by selecting the second option.

AD FS Configuration 14 - Specify Service Account Message

PowerShell Commands:

    Get-Help Add-KdsRootKey                 # read about the command

    Add-KdsRootKey -EffectiveImmediately    # generate the KDS root key

AD FS Configuration 14-1 - Add-KdsRootKey PowerShell
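The wizard's "create a Group Managed Service Account" option depends on a KDS root key existing in the domain, which is why Add-KdsRootKey is run first. The following added example (not code from the original post) checks whether a key already exists before creating one, and handles the single-domain-controller lab case; the $SingleDcLab switch is an assumption you set for your environment:

```powershell
# Added example (not from the original post): check for, and if needed create,
# the KDS root key the wizard needs before it can create a Group Managed
# Service Account (gMSA). Run elevated as a Domain Admin on a domain controller
# (or anywhere the ActiveDirectory RSAT module is installed).
Import-Module ActiveDirectory

$SingleDcLab = $true   # assumption: home lab with one domain controller

$keys = @(Get-KdsRootKey)
if ($keys.Count -gt 0) {
    'KDS root key(s) already present:'
    $keys | Format-Table KeyId, CreationTime, EffectiveTime -AutoSize
} elseif ($SingleDcLab) {
    # Lab only: backdate the effective time so the key is usable right away
    # instead of waiting for the replication safety window.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
} else {
    # Production: the key must replicate to every DC before gMSAs can use it;
    # Microsoft's gMSA guidance documents a 10-hour wait after this command.
    Add-KdsRootKey -EffectiveImmediately
}

# Warn if the newest key is still inside the 10-hour window
$newest = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if ($newest.EffectiveTime -gt (Get-Date).AddHours(-10)) {
    Write-Warning "KDS root key effective since $($newest.EffectiveTime); gMSA creation may fail until 10 hours have passed."
}
```

Creating a second root key when one already exists is harmless but unnecessary, so the script reports existing keys instead of adding another.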

Enter the Service Account you want to use and click Next:

Note: Ensure this service account is added to the local Administrators group on your AD FS server; this is required to set up Microsoft Web Application Proxy.

AD FS Configuration 14-2 - Specify Service Account

You have the option of using the Windows Internal Database (WID) or SQL Server. For a small environment or lab, use WID; for a large environment, use a SQL Server database. Click Next:

Note: WID is a limited version of SQL Express without a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\.

For additional information about using a SQL Server database, click here.

AD FS Configuration 15 - Specify Database

Click Next:

AD FS Configuration 16 - Review Options

If the prerequisite checks pass, click Configure:

AD FS Configuration 17 - Prerequisite Checks

Once complete click Close:

AD FS Configuration 18 - Results

AD FS is now installed and is ready for testing!
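The steps from the Welcome page through Results can also be driven from PowerShell, which is useful when you need to repeat the build or document it. The following is an added example, not the post's own procedure or a script generated by the wizard; the service name, display name, gMSA name, SQL connection string and thumbprint placeholder are assumptions to replace with your own values. It shows the WID and SQL Server database choices side by side:

```powershell
# Added example (not from the original post): the same farm configuration the
# wizard performs, driven from PowerShell. All values are assumptions for a lab.
$FederationServiceName        = 'adfs.lab.example'
$FederationServiceDisplayName = 'Lab Federation Service'
$GmsaIdentifier               = 'LAB\svc-adfs$'        # gMSA the service runs as (trailing $ is part of the name)
$CertThumbprint               = 'PLACEHOLDER_THUMBPRINT'  # from Get-ChildItem Cert:\LocalMachine\My
$UseSqlServer                 = $false                   # $false = Windows Internal Database (WID)
$SqlConnectionString          = 'Data Source=sql01.lab.example;Integrated Security=True'

# Install the role (Add Roles and Features -> Active Directory Federation Services); no reboot needed
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# The certificate must already be in the computer's Personal store with its private key
if (-not (Test-Path "Cert:\LocalMachine\My\$CertThumbprint")) {
    throw "Certificate $CertThumbprint not found in Cert:\LocalMachine\My; import the PFX first"
}

$farm = @{
    CertificateThumbprint         = $CertThumbprint
    FederationServiceName         = $FederationServiceName
    FederationServiceDisplayName  = $FederationServiceDisplayName
    GroupServiceAccountIdentifier = $GmsaIdentifier
    Credential                    = Get-Credential -Message 'Domain Admin account used for the configuration'
}
if ($UseSqlServer) {
    # Large environment: store the configuration in SQL Server instead of WID.
    # The account running the configuration needs rights to create the AD FS databases.
    $farm.SQLConnectionString = $SqlConnectionString
}
# Without -SQLConnectionString the cmdlet uses the Windows Internal Database,
# matching the WID option in the wizard's Specify Database step.
$result = Install-AdfsFarm @farm
$result | Format-List Status, Message
```

Keeping the database choice behind a single switch makes the difference between the lab and production builds explicit: everything else about the farm is identical.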

How to ensure AD FS is working:

Open a web browser, go to the URL below, and click Sign In:

https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx

AD FS Configuration 18-1 - Test Page Sign In

You should get a login box. Enter your domain credentials; once logged in, you should see the screen below:

AD FS Configuration 18-2 - Test Page Results

You are now ready to use AD FS in your environment!
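The sign-in page test above is done in a browser. The following added example (not code from the original post) performs the equivalent checks from the server itself: service state, the HTTPS certificate binding, DNS and port reachability, the anonymous federation metadata endpoint, and whether the IdP-initiated sign-in page is enabled at all. The federation service name is an assumption:

```powershell
# Added example (not from the original post): post-install health checks for
# the new farm. $FederationServiceName is an assumption; use your own FQDN.
$FederationServiceName = 'adfs.lab.example'

# 1. Service and farm properties
Get-Service adfssrv | Select-Object Status, StartType
$props = Get-AdfsProperties
"Federation service: $($props.HostName) (display name: $($props.DisplayName))"

# 2. HTTPS binding: the certificate presented on 443 must match the service name
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 3. Name resolution and reachability on 443
Resolve-DnsName $FederationServiceName -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $FederationServiceName -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded

# 4. Anonymous endpoint that must answer without a login; also proves the TLS chain is trusted
$metadataUri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$metadataXml = [xml](Invoke-WebRequest -UseBasicParsing -Uri $metadataUri).Content
"Metadata entityID: $($metadataXml.EntityDescriptor.entityID)"

# 5. The test page used above. On AD FS 2016 and later it is disabled by default;
#    this only reports the setting, it does not change it.
"IdP-initiated sign-on page enabled: $($props.EnableIdPInitiatedSignonPage)"
if ($props.EnableIdPInitiatedSignonPage) {
    $signOnUri = "https://$FederationServiceName/adfs/ls/idpinitiatedSignOn.aspx"
    "Sign-on page HTTP status: $((Invoke-WebRequest -UseBasicParsing -Uri $signOnUri).StatusCode)"
}
```

If step 4 fails with a certificate error, the name or trust problem is in the certificate you selected in the wizard, not in AD FS itself; if step 5 reports the page as disabled, the browser test will fail until the setting is changed, which is a deliberate choice rather than a broken install.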

10 thoughts on “How to setup Microsoft Active Directory Federation Services [AD FS]”

  1. In Server 2016 (ADFS 4.0) the IdPInitiatedSignOn page is disabled by default and must be turned on manually with an administrative PS shell after deployment to be used:

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

  2. I am having a hard time with the ADFS install and configure. Followed all the steps – yet getting this error when I tried to test the ADFS weblink to see if the install was successful.

    •Activity ID: 154cccb7-aae9-45d2-1800-0080000000b8
    •Error time: Mon, 24 Jul 2017 14:10:39 GMT
    •Cookie: enabled
    •User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko

  3. You can ignore above message. I was able to fix ADFS install and configure issue. Just one question to Daniel – How were you able to configure SAN name on your wildcard certificate (that is Common Name, DNS on the wildcard certificate)?

  4. You need to fix that broken URL… I wasted half a morning trying to fix an error message (similar to ramg above) that was caused by a simple typo in your example. The URL you provide is:
    https://ADFS_FQDN/adfs/ls/ldpintiatedSignOn
    but it should be:
    https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
    Note the “i” instead of an “l” (as Petr mentions above) and another missing “i”. The .aspx is optional, but I have copied/pasted the working URL from my setup to ensure complete accuracy.
    The instructions you’ve blogged here are fantastic, but this simple syntax error renders your whole blog post ineffective because your instructions cannot be successfully tested. And, more than a month after Petr mentioned the error, you still haven’t fixed it.
