How to setup Microsoft Active Directory Federation Services [AD FS]

In this post I will be installing and configuring the Active Directory Federation Services [AD FS] server role. AD FS provides Single Sign-On [SSO] to multiple web applications using a single Active Directory account.

vBoring Blog Series:

  1. How to setup Microsoft Active Directory Federation Services [AD FS]
  2. How to setup Microsoft Web Application Proxy

Install the AD FS Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

AD FS 1 - Add Roles and Features

Click Next:

AD FS 2 - Before you Begin

Role-based or feature-based installation should be selected then click Next:

AD FS 3 - Installation Type

Select the server you want to install this role then click Next:

Note: The Web Application Proxy role and AD FS cannot be installed on the same computer.

AD FS 4 - Server Selection

Select Active Directory Federation Services then click Next:

AD FS 5 - Server Roles

No additional Features are needed. Click Next:

AD FS 6 - Features

Click Next:

AD FS 7 - AD FS

The AD FS role does not require a reboot. Click Install:

AD FS 8 - Confirmation

Once complete click Close:

AD FS 9 - Results

Post-Deployment Configuration:

Back on Server Manager under Notifications click the message Configure the federation service on this server:

AD FS 10 - Configure FS on this server

Since this is our first AD FS server select the first option then click Next:

AD FS Configuration 11 - Welcome

Ensure the account you are logged into has Active Directory Domain Admin permissions. If not then click Change. Click Next to continue:

AD FS Configuration 12 - Connect to AD DS

SSL Certificate: The drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created. I have a wildcard certificate I bought from StartSSL; I am going to use it by clicking Import and selecting it. Ensure it is in .PFX format.

Federation Service Name: Give your AD FS a FQDN name.

Federation Service Display Name: Enter a display name

Click Next to proceed:

AD FS Configuration 13 - Specify Service Properties

Note about the Federation Service Name: If you are installing AD FS on a Domain Controller, or want the AD FS FQDN to differ from the server's own name, you must ensure a DNS record exists for the name you enter.

Since this is my home lab I am putting AD FS on my Domain Controller and needed to create a DNS entry.

AD FS Configuration 13-1 - Ensure DNS record for ADFS name

Note about SSL Certificate: If you imported a certificate you will see it added to your Personal Certificates.

AD FS Configuration 13-2 - Wildcard Cert

On the Specify Service Account tab you may get the following message:


If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.

AD FS Configuration 14 - Specify Service Account Message

PowerShell Commands:

    Get-Help Add-KdsRootKey                 # Read about the command
    Add-KdsRootKey -EffectiveImmediately    # Generate the KDS root key

AD FS Configuration 14-1 - Add-KdsRootKey PowerShell

Enter the Service Account you want to use and click Next:

Note: Ensure this user account is added to the local Administrators group of your AD FS server. It is required to set up Microsoft Web Application Proxy.

AD FS Configuration 14-2 - Specify Service Account

You have the option of using the Windows Internal Database (WID) or SQL Server. If you have a small environment or lab, use WID; if you have a large environment, use a SQL Server database. Click Next:

Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\

For additional information about using a SQL Server database click here.

AD FS Configuration 15 - Specify Database

Click Next:

AD FS Configuration 16 - Review Options

If everything checks out click Configure:

AD FS Configuration 17 - Prerequisite Checks

Once complete click Close:

AD FS Configuration 18 - Results

AD FS is now installed and is ready for testing!
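For readers who would rather script the wizard steps above, here is an added PowerShell example; it is not part of the original post and is not Microsoft's own tooling beyond the cmdlets it calls. It installs the role, creates the DNS record for the Federation Service Name, imports the .PFX into the computer's Personal store, creates the KDS root key and a group managed service account (gMSA), and runs Install-AdfsFarm against WID. Every name and path below (corp.example.com, CORP, adfs.corp.example.com, 192.0.2.10, C:\certs\wildcard.pfx, gMSA-ADFS) is an assumed placeholder. One caveat the wizard hides: a freshly created KDS root key is only usable for gMSA creation after the 10-hour AD replication window, even with -EffectiveImmediately, so in production create the key ahead of time rather than right before the farm install.

```powershell
# Added example, not from the original post: scripted equivalent of the wizard steps.
# Run in an elevated PowerShell session on the intended AD FS server as a Domain Admin.
# All names below are placeholders; replace them with your own values.
$DomainName     = 'corp.example.com'        # assumed AD DS domain (DNS name)
$NetbiosDomain  = 'CORP'                    # assumed NetBIOS name of the same domain
$FederationName = "adfs.$DomainName"        # Federation Service Name (FQDN)
$DisplayName    = 'Corp Lab Sign-In'        # Federation Service Display Name
$AdfsServerIp   = '192.0.2.10'              # assumed address of this AD FS server
$PfxPath        = 'C:\certs\wildcard.pfx'   # assumed path to the certificate in .PFX format
$GmsaName       = 'gMSA-ADFS'               # assumed name of the gMSA to create

# 1. Install the AD FS role (no reboot required).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Create the DNS A record when the federation name differs from the host name,
#    for example when AD FS runs on a domain controller. Needs the DNS Server tools.
if (-not (Resolve-DnsName -Name $FederationName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $DomainName `
        -Name ($FederationName.Split('.')[0]) -IPv4Address $AdfsServerIp
}

# 3. Import the SSL certificate into the computer's Personal store and keep its thumbprint.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$Cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 4. Create the KDS root key once per forest so gMSAs can be created.
#    It becomes usable for gMSA creation only after the 10-hour replication window,
#    so in production run this step well before the farm install.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 5. Create the gMSA and allow only this AD FS computer to retrieve its password.
$AdfsHost = Get-ADComputer -Identity $env:COMPUTERNAME
New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$DomainName" `
    -PrincipalsAllowedToRetrieveManagedPassword $AdfsHost

# 6. The post's note: the service account must be a local administrator on the
#    AD FS server for the later Web Application Proxy setup.
Add-LocalGroupMember -Group 'Administrators' -Member "$NetbiosDomain\$GmsaName`$"

# 7. Configure the first server of a new farm using WID.
#    To use SQL Server instead, add
#    -SQLConnectionString 'Data Source=sqlhost;Integrated Security=True'
Install-AdfsFarm -CertificateThumbprint $Cert.Thumbprint `
    -FederationServiceName $FederationName `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier "$NetbiosDomain\$GmsaName`$" `
    -OverwriteConfiguration
```

The gMSA is preferable to a regular user account as the service account because its password is rotated automatically and can only be retrieved by the computers you list in -PrincipalsAllowedToRetrieveManagedPassword, which is the least-privilege choice the wizard's first option gives you.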

How to ensure AD FS is working:

Open a web browser and go to the URL below and click Sign In:

https://ADFS_FQDN/adfs/ls/IdpInitiatedSignOn

AD FS Configuration 18-1 - Test Page Sign In

You should get a login box. Enter your domain credentials; once logged in you should see the screen below:

AD FS Configuration 18-2 - Test Page Results

You are now ready to use AD FS in your environment!
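Beyond clicking through the sign-in page, here is an added PowerShell health check that is not part of the original post. It confirms the AD FS service is running, reports which certificate is bound to HTTPS and when it expires, fetches the federation metadata over HTTPS (so a self-signed or mis-named certificate shows up as a failure here rather than in a user's browser), reports whether the IdP-initiated sign-on page used for the test above is enabled, and lists recent errors from the AD FS Admin log. The FQDN adfs.corp.example.com is an assumed placeholder.

```powershell
# Added example, not from the original post: post-install checks for an AD FS server.
# Run in an elevated PowerShell session on the AD FS server.
$FederationName = 'adfs.corp.example.com'   # assumed Federation Service Name

# 1. The Windows service behind the federation service must be running.
$svc = Get-Service -Name adfssrv
"Service adfssrv: $($svc.Status)"

# 2. Which certificate is bound to HTTPS, and how long until it expires.
$binding = Get-AdfsSslCertificate | Select-Object -First 1
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
"SSL binding: $($binding.HostName):$($binding.PortNumber) thumbprint $($binding.CertificateHash)"
"SSL certificate subject: $($cert.Subject)  expires: $($cert.NotAfter)"

# 3. Fetch the federation metadata over HTTPS. Certificate validation is left on,
#    so a name mismatch or untrusted issuer fails here, which is what you want to learn now.
$metadataUrl = "https://$FederationName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md = $resp.Content
"Metadata HTTP status: $($resp.StatusCode)  entityID: $($md.EntityDescriptor.entityID)"

# 4. The IdP-initiated sign-on test page. It is disabled by default on Windows Server 2016
#    and later; enable it with Set-AdfsProperties -EnableIdPInitiatedSignonPage $true only
#    while testing, and set it back to $false afterwards.
$props = Get-AdfsProperties
"IdP-initiated sign-on page enabled: $($props.EnableIdPInitiatedSignonPage)"
"Test page URL: https://$FederationName/adfs/ls/IdpInitiatedSignOn"

# 5. Recent errors from the AD FS Admin log, the first place to look if the page fails to load.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message
```

Step 3 is the check worth keeping in a scheduled job: federated applications fetch exactly this metadata, and a certificate that browsers tolerate with a warning is one those applications will refuse outright.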

3 thoughts on “How to setup Microsoft Active Directory Federation Services [AD FS]”

  1. In Server 2016 (ADFS 4.0) the IdpInitiatedSignOn page is disabled by default and must be turned on manually with an Administrative PS shell after deployment to be used:

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage
