AD FS 2.0 Workshop – Installation
This article is part of AD FS 2.0 Workshop – High-availability platform complete walkthrough
1. Installation
1.1. Federation Servers
1.1.1. Installation of the AD FS 2.0 Software
- Locate the AdfsSetup.exe setup file that you downloaded to the computer, and then double-click it.
- On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
- On the End-User License Agreement page, read the license terms.
- Select the I accept the terms in the License Agreement check box, and then click Next.
- On the Server Role page, select Federation server, and then click Next.
- On the Install Prerequisite Software page, click Next.
- On the Completed the AD FS 2.0 Setup Wizard page, verify that the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox is selected, and then click Finish to open the AD FS 2.0 management console.
- Install AD FS 2.0 Update Rollup 3 or later if available (KB 2790338: http://support.microsoft.com/kb/2790338/en-us).
1.1.2. SSL certificate requirements and creation for the federation service
Federation servers require the following certificates:
- A standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers, clients and federation server proxy computers.
- A standard X.509 certificate that is used for securely signing all tokens that the federation server issues and that the cloud service will accept and validate.
Federation server proxies require the following certificate:
- A standard Secure Sockets Layer (SSL) certificate that is used for securing communications between federation servers, clients and federation server proxy computers.
Before configuring AD FS, we’ll ensure the correct certificate is in place on both servers so that during configuration we’re able to select it when prompted. As we’ve got IIS installed, we’ll import the certificate using the IIS Management Console.
- Launch the IIS Management Console and click on the server node itself, then double-click on Server Certificates.
- Then choose the Import option to import the certificate.
- Add a site binding for https on the Default Web Site.
- Select the imported SSL certificate.
1.1.3. Creation of the first federation server in a new federation server farm
Since SQL Server is used to store the configuration database, the configuration can’t be done with the AD FS 2.0 Management console; it has to be done from the command line, with the FSConfig utility.
The tool is located in ‘C:\Program Files\Active Directory Federation Services 2.0’.
- Open a command prompt as Administrator and run the following command:
  FSConfig.exe CreateSQLFarm /ServiceAccount FEDERATION\svc_adfs /ServiceAccountPassword P@$$w0rd /SQLConnectionString "database=AdfsConfiguration;server=vm-adfs-s1.federation.local;integrated security=SSPI" /CleanConfig /FederationServiceName fedservice.federation.local /AutoCertRolloverEnabled
- If everything ran OK, FSConfig reports that the configuration completed successfully.
- Check if everything is OK by browsing the following URL:
  https://localhost/FederationMetadata/2007-06/FederationMetadata.xml
1.1.4. Addition of the second federation server in the existing federation server farm
The first thing to do is to export the service communication certificate (with its private key) used on the first AD FS server of the farm. This certificate needs to be the same across all AD FS servers in the farm. For the Token signing and Decrypting certificates, self-signed certificates which were generated during the configuration of the first AD FS server are used.
- Open the Certificate MMC console of the first AD FS server.
- Expand “Certificates (Local Computer)”, then expand “Personal” and highlight “Certificates”.
- Right click on the certificate to be exported (i.e. adfs.federation.local), select “All Tasks” then “Export” from the menu.
- Click “Next” on the “Welcome to the Certificate Export Wizard” screen.
- On the “Export Private Key” screen, select “Yes, export the private key” and click “Next”.
- On the “Export File Format” screen, select the “Personal Information Exchange - PKCS #12 (.PFX)” radio button and check “Include all certificates in the certification path if possible” and “Export all extended properties”. Make sure “Delete the private key if export is successful” is deselected. Click “Next”.
- On the “Password” screen, enter a password and make note of it (this is the password you will use when importing the certificate to the new server).
- On the “File to Export” screen, enter a name and location for the file and click “Next”.
- On the “Completing the Certificate Export Wizard” screen, review your settings and click “Finish”.
- Retrieve the exported certificate file and copy it to the second AD FS server of the farm.
- Open the Certificate MMC console of the second AD FS server.
- Expand “Certificates (Local Computer)”, then expand “Personal” and highlight “Certificates”.
- Right click on the “Certificates” container, select “All Tasks” then “Import” from the menu.
- Click “Next” on the “Welcome to the Certificate Import Wizard” screen.
- On the “File to Import” screen, browse to the certificate file you exported and copied over to this server and click “Next”.
- On the “Password” screen, enter the password created when the certificate was exported. Check “Include all extended properties”. Select “Mark key as exportable” and click “Next”.
- On the “Certificate Store” screen, make sure that “Personal” is selected (if not, browse to it). Click “Next”.
- On the “Completing the Certificate Import Wizard” screen, review your settings and click “Finish”.
Since a self-signed certificate is used as service communications certificate, the import steps have to be completed a second time to place the certificate in the “Trusted Root Certification Authorities” store as well.
- Launch the IIS Management Console and click on the server node itself, then double-click on Server Certificates.
- Add a site binding for https on the Default Web Site.
- Select the imported SSL certificate.
As on the first server, SQL Server stores the configuration database, so the configuration can’t be done with the AD FS 2.0 Management console and has to be done from the command line with the FSConfig utility, located in ‘C:\Program Files\Active Directory Federation Services 2.0’.
- Open a command prompt as Administrator and run the following command:
  FSConfig.exe JoinSQLFarm /ServiceAccount FEDERATION\svc_adfs /ServiceAccountPassword P@$$w0rd /SQLConnectionString "database=AdfsConfiguration;server=vm-adfs-s1.federation.local;integrated security=SSPI"
- If everything ran OK, FSConfig reports that the server joined the farm successfully.
- Check if everything is OK by browsing the following URL:
  https://fedservice.federation.local/FederationMetadata/2007-06/FederationMetadata.xml
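To make the “check the URL” step after each FSConfig run repeatable on both farm members, and to verify the requirement above that every node presents the same service communications certificate, the following PowerShell script is an added example and is not part of the original walkthrough. It connects to each node by its own name, bypassing the load-balanced service name, reads the TLS certificate the node presents, fetches its federation metadata, and compares the advertised token-signing certificates and entityID across nodes. The farm member names vm-adfs-f1 and vm-adfs-f2 are hypothetical placeholders; the service name is the one used in the FSConfig commands.

```powershell
# Added verification script, not part of the original walkthrough. The farm member names
# vm-adfs-f1/vm-adfs-f2 are hypothetical placeholders; the service name matches the FSConfig
# command above. Needs PowerShell 2.0 or later and no AD FS snap-in.
$ServiceName  = 'fedservice.federation.local'
$FarmNodes    = @('vm-adfs-f1.federation.local', 'vm-adfs-f2.federation.local')
$MetadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'
function ConvertTo-Thumbprint([string]$Base64) {
    $bytes = [Convert]::FromBase64String($Base64.Trim())
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)).Thumbprint
}
function Get-FarmNodeReport([string]$Node) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Node, 443)
    # The callback only lets the handshake finish so the presented certificate can be read;
    # trust is evaluated explicitly with X509Chain below, never assumed.
    $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspectOnly)
    $ssl.AuthenticateAsClient($ServiceName)   # the name the certificate is expected to be issued for
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    # HTTP/1.0 plus Connection: close keeps the reply unchunked and ends it at EOF.
    $req = [Text.Encoding]::ASCII.GetBytes("GET $MetadataPath HTTP/1.0`r`nHost: $ServiceName`r`nConnection: close`r`n`r`n")
    $ssl.Write($req, 0, $req.Length); $ssl.Flush()
    $raw = (New-Object IO.StreamReader($ssl)).ReadToEnd()
    $tcp.Close()
    $status   = $raw.Substring(0, $raw.IndexOf("`r`n"))
    $entityId = $null; $signing = @()
    if ($status -match ' 200 ') {
        [xml]$md  = $raw.Substring($raw.IndexOf("`r`n`r`n") + 4)
        $entityId = $md.EntityDescriptor.entityID
        # Token-signing certificates advertised to relying parties (namespace-agnostic XPath).
        $xpath   = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
        $signing = @($md.SelectNodes($xpath) | ForEach-Object { ConvertTo-Thumbprint $_.InnerText } | Sort-Object -Unique)
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    New-Object PSObject -Property @{
        Node = $Node; HttpStatus = $status; EntityId = $entityId
        TlsSubject = $cert.Subject; TlsThumbprint = $cert.Thumbprint
        TlsChainTrusted = $chain.Build($cert); SigningThumbprints = ($signing -join ',')
    }
}
$reports = $FarmNodes | ForEach-Object { Get-FarmNodeReport $_ }
$reports | Format-Table Node, HttpStatus, TlsThumbprint, TlsChainTrusted, SigningThumbprints -AutoSize
# Farm-wide checks: one service communications cert, one signing cert set, default AD FS 2.0 identifier.
if (@($reports | ForEach-Object { $_.TlsThumbprint } | Select-Object -Unique).Count -ne 1) {
    Write-Warning 'Service communications certificate differs between farm members' }
if (@($reports | ForEach-Object { $_.SigningThumbprints } | Select-Object -Unique).Count -ne 1) {
    Write-Warning 'Token-signing certificates advertised in metadata differ between farm members' }
$reports | Where-Object { $_.EntityId -ne "http://$ServiceName/adfs/services/trust" } |
    ForEach-Object { Write-Warning "$($_.Node): unexpected or missing entityID '$($_.EntityId)'" }
```

TlsChainTrusted is false for the self-signed service communications certificate until it has been imported into the Trusted Root Certification Authorities store of the machine running the script, which is exactly the extra import step described above.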
1.1.5. Installation of the Windows Network Load-Balancing feature
Since we have two AD FS servers, we install them into a farm configuration. A farm shares one configuration database, but it does not distribute client traffic, so the servers still need to be network load balanced behind the federation service name.
1.1.5.1. Installation of the NLB service
1.1.5.2. Configuration of the NLB service
1.2. Federation Server Proxies
1.2.1. SSL Certificate installation
Most certificates provided by certification authorities come in PKCS#12 format; the following only details how to finish deploying such a certificate on the proxy.
- Open an MMC console:
  - Click on the Start menu
  - Click on the Run… option
  - In the new window, enter the following command line: mmc
- Open the Certificate Management console for the computer account:
  - Select the File menu
  - Select Add/Remove Snap-in…
  - Select the snap-in called Certificates and click on the Add > button
  - In the window that appears, select the Computer account radio button and click on Finish
  - Click on the OK button to open the console
- Expand the tree under Certificates (Local Computer) to see the Personal folder
- Right click on the Personal folder, then select the All Tasks menu and the Import… option
- In the new window, click on the Next > button
- Through the Browse… button, select the certificate to install on the server and click on the Next > button
- Enter the password as requested and make sure the option to make the key exportable is unchecked
- Click on the Next > button
- Select the option Place all certificates in the following store, browse to select the Personal store, then click on the Next > button
- Click on the Finish button to import the certificate
There may also be intermediate certificates to deploy; they have to be deployed on the server as the provider recommends:
- Intermediate certificates have to be imported into the Intermediate Certification Authorities store
- The root certificate has to be imported into the Trusted Root Certification Authorities store
1.2.2. Installation of the AD FS 2.0 Software
- Locate the AdfsSetup.exe setup file that you downloaded to the computer, and then double-click it.
- On the Welcome to the AD FS 2.0 Setup Wizard page, click Next.
- On the End-User License Agreement page, read the license terms.
- Select the I accept the terms in the License Agreement check box, and then click Next.
- On the Server Role page, select Federation server proxy, and then click Next.
- On the Install Prerequisite Software page, click Next.
- On the Completed the AD FS 2.0 Setup Wizard page, verify that the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox is selected, and then click Finish to open the AD FS 2.0 management console.
1.2.3. Configuration of the AD FS Reverse Proxy Servers
- Open the AD FS 2.0 Federation Server Proxy Configuration Wizard and click ‘Next’
- Fill in the Federation Service Name (fedservice.federation.local) and click on the ‘Test Connection’ button
- The Federation Service is contacted; if the test is successful, a confirmation box is displayed
- After getting the previous successful box, click on the Next button
- Once prompted for credentials, use the Federation Service domain account
- Click on the ‘Next’ button to start applying the configuration
- If everything went right, the following Configuration Results screen is displayed
- So now, of course, let’s repeat the same steps on the second AD FS Proxy Server. I’ll see you in a bit for the NLB setup!