How to setup Microsoft Active Directory Federation Services [AD FS]

In this post I will be installing and configuring the Active Directory Federation Services [AD FS] server role. AD FS provides Single-Sign-On [SSO] to multiple web applications using a single Active Directory account.

vBoring Blog Series:

  1. How to setup Microsoft Active Directory Federation Services [AD FS]
  2. How to setup Microsoft Web Application Proxy

Install the AD FS Server Role:

Open Server Manager and click Manage -> Add Roles and Features:

AD FS 1 - Add Roles and Features

Click Next:

AD FS 2 - Before you Begin

Role-based or feature-based installation should be selected then click Next:

AD FS 3 - Installation Type

Select the server you want to install this role then click Next:

Note: Web Application Proxy role and AD FS cannot be installed on the same computer.

AD FS 4 - Server Selection

Select Active Directory Federation Services then click Next:

AD FS 5 - Server Roles

No additional Features are needed. Click Next:

AD FS 6 - Features

Click Next:

AD FS 7 - AD FS

The AD FS role does not require a reboot. Click Install:

AD FS 8 - Confirmation

Once complete click Close:

AD FS 9 - Results

Post-Deployment Configuration:

Back on Server Manager under Notifications click the message Configure the federation service on this server:

AD FS 10 - Configure FS on this server

Since this is our first AD FS server select the first option then click Next:

AD FS Configuration 11 - Welcome

Ensure the account you are logged into has Active Directory Domain Admin permissions. If not then click Change. Click Next to continue:

AD FS Configuration 12 - Connect to AD DS

SSL Certificate: The drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created yourself; if you import your own, ensure it is in .PFX format.

Federation Service Name: Give your AD FS a FQDN name.

Federation Service Display Name: Enter a display name

Click Next to proceed:

AD FS Configuration 13 - Specify Service Properties

Note about Federation Service Name: If you are installing AD FS on a Domain Controller, or want to use a different FQDN for AD FS than the server's own name, you will need to ensure a DNS record exists for the name you enter.

Since this is my home lab I am putting AD FS on my Domain Controller and needed to create a DNS entry.

AD FS Configuration 13-1 - Ensure DNS record for ADFS name

Note about SSL Certificate: If you imported a certificate you will see it added to your Personal Certificates.

AD FS Configuration 13-2 - Wildcard Cert

On the Specify Service Account tab you may get the following message:


If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.

AD FS Configuration 14 - Specify Service Account Message

PowerShell Commands:

    Get-Help Add-KdsRootKey                 (read about the command)

    Add-KdsRootKey -EffectiveImmediately    (generate the KDS root key)

AD FS Configuration 14-1 - Add-KdsRootKey PowerShell

Enter the Service Account you want to use and click Next:

Note: Ensure this user account is added to the local Administrators group of your AD FS server. It is required to set up Microsoft Web Application Proxy.

AD FS Configuration 14-2 - Specify Service Account

You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database. Click Next:

Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\

For additional information about using a SQL Server database click here.

AD FS Configuration 15 - Specify Database

Click Next:

AD FS Configuration 16 - Review Options

If everything checks out click Configure:

AD FS Configuration 17 - Prerequisite Checks

Once complete click Close:

AD FS Configuration 18 - Results

AD FS is now installed and is ready for testing!

How to ensure AD FS is working:

Open a web browser and go to the URL below and click Sign In:

AD FS Configuration 18-1 - Test Page Sign In

You should get a login box. Enter your domain credentials; once logged in you should see the screen below:

AD FS Configuration 18-2 - Test Page Results

You are now ready to use AD FS in your environment!
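The wizard steps from "Post-Deployment Configuration" through the sign-in test, written as a PowerShell script run from an elevated session on the future AD FS server. This is an added example, not the blog's own script; the zone lab.local, service name adfs.lab.local, IP 10.0.0.10, PFX path and gMSA name gmsa-adfs are constructed values for illustration.

```powershell
# Added example (not from the original post). Run elevated, as a Domain Admin,
# on the server that will host AD FS. Constructed lab values follow.
$fsName   = 'adfs.lab.local'      # Federation Service Name (FQDN)
$zone     = 'lab.local'
$serverIp = '10.0.0.10'
$pfxPath  = 'C:\certs\adfs.pfx'   # assumed path to the .PFX from your CA
$gmsaName = 'gmsa-adfs'           # gMSA the service will run as

# 1. Install the role; it does not require a reboot.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. DNS record for the service name. Needed when AD FS sits on a Domain
#    Controller or uses a name other than the server's own FQDN.
if (-not (Resolve-DnsName $fsName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -Name 'adfs' -ZoneName $zone -IPv4Address $serverIp
}

# 3. Import the SSL certificate into the computer's Personal store and keep its
#    thumbprint. A CA-issued certificate (or wildcard) is preferred over the
#    self-signed default, since browsers and the Web Application Proxy must trust it.
$pfxPwd = Read-Host 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
$cert | Select-Object Subject, NotAfter, Thumbprint    # confirm it covers $fsName

# 4. KDS root key: required once per forest before any gMSA can be created
#    (the Add-KdsRootKey step shown in the wizard's message).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 5. Create the gMSA explicitly (equivalent to letting the wizard create one).
#    Only this computer may retrieve its password; no password to manage or rotate.
New-ADServiceAccount -Name $gmsaName -DNSHostName $fsName `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer $env:COMPUTERNAME)

# 6. Build the farm. Without -SQLConnectionString the Windows Internal Database
#    (WID) is used, matching the small-environment choice in the wizard.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'vBoring Lab' `
                 -GroupServiceAccountIdentifier "$((Get-ADDomain).NetBIOSName)\$gmsaName`$"

# 7. Verify: service properties, then the unauthenticated metadata endpoint must
#    answer 200 over HTTPS with the imported certificate.
Get-AdfsProperties | Select-Object HostName, Identifier
(Invoke-WebRequest "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).StatusCode

# 8. The IdP-initiated sign-in test page is disabled by default on Server 2016;
#    enable it before opening the test URL from the post's comments.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Start-Process "https://$fsName/adfs/ls/idpinitiatedSignOn.aspx"
```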

26 thoughts on “How to setup Microsoft Active Directory Federation Services [AD FS]”

  1. Pingback: Configure ADFS Web application proxy for two domains * Security Howto
  2. In Server 2016 (ADFS 4.0) the IdPInitiatedSignOn page is disabled by default and must be turned on manually with an administrative PS shell after deployment to be used:

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    Reply
  3. I am having a hard time with ADFS install and configure. Followed all the steps – yet getting this error when I tried to test the ADFS weblink to see if the install was successful.

    •Activity ID: 154cccb7-aae9-45d2-1800-0080000000b8
    •Error time: Mon, 24 Jul 2017 14:10:39 GMT
    •Cookie: enabled
    •User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko

    Reply
  4. You can ignore above message. I was able to fix ADFS install and configure issue. Just one question to Daniel – How were you able to configure SAN name on your wildcard certificate (that is Common Name, DNS on the wildcard certificate)?

    Reply
  5. You need to fix that broken URL… I wasted half a morning trying to fix an error message (similar to ramg above) that was caused by a simple typo in your example. The URL you provide is:
    https://ADFS_FQDN/adfs/ls/ldpintiatedSignOn
    but it should be:
    https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
    Note the “i” instead of an “l” (as Petr mentions above) and another missing “i”. The .aspx is optional, but I have copied/pasted the working URL from my setup to ensure complete accuracy.
    The instructions you’ve blogged here are fantastic, but this simple syntax error renders your whole blog post ineffective because your instructions cannot be successfully tested. And, more than a month after Petr mentioned the error, you still haven’t fixed it.

    Reply
  6. Where does the cert come from that is Imported on the “Specify Service Properties” dialog? Is it generated by the same DC I am setting up ADFS on?

    Reply
  7. I cannot see the certificates in drop down. I have also created the self signed certificate and tried to import but it does not load.
    Did you face any issue, or what can be wrong if I see this issue?

    Reply
  8. In the instructions you say: Note about Federation Service Name: If you are installing AD FS on a Domain Controller or want to use a different FQDN for AD FS than the server you will need to ensure the name you enter has a DNS Record created.

    Is it a requirement to have a separate name for the Federation Service Name or is it ok to use the same FQDN as what the DC has? Will it cause problems if I use the same name?

    Reply
  9. If you enabled:

    https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx

    via:

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

    (Get-AdfsProperties).EnableIdPInitiatedSignonPage

    and want seamless sign-on to work (so not even needing to press “Sign in”), make sure to add your ADFS server’s ADFS URL to the Intranet zone in Internet Explorer; it will send your current username+password+domain to the ADFS server for authentication.

    Reply
  10. Excellent write-up! I shall use this for the work I am doing now while setting up ADFS to work with AWS. I’m glad you made this article.

    Reply
  11. I followed the steps above to set up my ADFS. When I tried to log in via idpinitiatedsignon.aspx, using the correct credentials, I keep seeing the same login page which says “Sign in with your organizational account” and the “Sign In” button, instead of a page saying “You are signed in” with the “Sign Out” button, as shown in the screenshot in this post. I know the login is successful, because if the login fails, I will see an error message saying “Incorrect user ID or password. Type the correct user ID and password, and try again.” and also can see the failed login attempt in the Windows Event log. I tried re-installing and re-configuring ADFS a few times but am still not able to get the correct successful login behaviour. Can you advise what the cause could be? Thank you.

    Reply
    • Hi: Did you fix this issue? I created an ADFS environment and am having exactly the same issue you described. If you already fixed it, can you please let me know how you did it?
      Thanks

      Reply
  12. Really great documentation. I followed it and completed the settings. The page is opening for me but the sign-in options are not going through; the sign-in options keep coming back after providing the correct credentials. Do you have any idea on that?

    Reply
