To continue with the ADFS 3.0 setup, once the signed SSL certificate returned from the CA has been imported, the ADFS role must be installed on the server that will act as the federation server.
Depending on your environment, you may set up a single server or a load-balanced configuration with multiple servers.
Prerequisites
- One Windows Server 2012 R2 server joined to the domain. For large environments at least two federation servers should be used in a load-balanced configuration.
- A dedicated service account in Active Directory (e.g. vmadfs)
- The signed SSL certificate received from the CA (e.g. sts.nolabnoparty.com)
Install ADFS role
To enable Federation Services, the ADFS role must be installed on the server. From the Server Manager click Add roles and features.
Click Next to start the configuration.
Select Role-based or feature-based installation option then click Next.
Enable Select a server from the server pool option and highlight the server to install. Click Next to continue.
Select Active Directory Federation Services role and click Next.
Nothing to select, click Next.
Click Next to continue.
Tick Restart the destination server automatically if required and click Yes to confirm.
When ready to proceed, click the Install button to start the role installation.
The ADFS role is being installed on the server.
When the installation has completed, click Close to exit the Wizard.
Configure Federation Service
When the role has been installed, click on the yellow warning icon then click Configure the federation service on this server option.
When the ADFS Wizard starts, make sure to select Create the first federation server in a federation server farm option then click Next.
Specify an account with domain administrator permissions then click Next.
In the SSL Certificate field, click the drop-down menu to select the certificate (e.g. sts.nolabnoparty.com) created in part 2, which should already have been imported into the server. The Federation Service Name must match the subject name of the installed certificate, whilst the Federation Service Display Name is the name users will see at sign-in (e.g. Nolabnoparty.com). Click Next.
If you receive the warning message shown in the picture, it means that the KDS Root Key has not been created yet. The key is part of the Group Managed Service Accounts feature introduced in Windows Server 2012.
To create the KDS root key with immediate effect, open an elevated PowerShell prompt on a domain controller as a Domain Admin and type the command:
PS C:\> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
To clear the KDS root key warning, in the ADFS Wizard click the Previous and then the Next button. Since we're going to use a dedicated service account (e.g. vmadfs), select the option Use an existing domain user account or group Managed Service Account and specify the password. Click Next to continue.
If the farm has fewer than five ADFS servers, WID (Windows Internal Database) can be used to store the configuration data. Select Create a database on this server using Windows Internal Database then click Next.
Here you can review the settings of the configuration. Click Next to perform the pre-requisite checks.
If all pre-requisite checks pass successfully, click the Configure button to configure ADFS on this computer.
The system installs the required components and configures the service.
When the server is successfully configured, click Close to exit the Wizard.
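The role installation and farm configuration above can also be driven from PowerShell. The script below is an added example, not code from the original post: it installs the role, locates the certificate from part 2 by subject name, ensures a KDS root key exists, and creates the first farm node on a Windows Internal Database with the names used in this series (sts.nolabnoparty.com, service account vmadfs). The certificate lookup, the display name and the credential prompt are assumptions; run it as a Domain Admin on the future federation server.

```powershell
# Added example (not from the original post): role install + first farm node.
# Assumes the SSL certificate from part 2 is already in LocalMachine\My and
# that the dedicated service account (e.g. NOLABNOPARTY\vmadfs) exists.

# 1. Install the AD FS role (the Server Manager steps, in one command).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# 2. Find the certificate by its subject name; it must carry a private key.
$fsName = 'sts.nolabnoparty.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }

# 3. Make sure a KDS root key exists (the source of the wizard warning).
#    Backdating the effective time skips the 10-hour replication wait; only do
#    this when every domain controller can be assumed in sync (e.g. a lab).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 4. Credential of the dedicated service account used to run the service.
$svcCred = Get-Credential -Message 'ADFS service account (e.g. NOLABNOPARTY\vmadfs)'

# 5. First node of the farm, configuration stored in WID (the default).
Install-AdfsFarm `
    -CertificateThumbprint        $cert.Thumbprint `
    -FederationServiceName        $fsName `
    -FederationServiceDisplayName 'Nolabnoparty.com' `
    -ServiceAccountCredential     $svcCred

# 6. Confirm the service is running and the farm carries the expected names.
Get-Service adfssrv
Get-AdfsProperties | Select-Object HostName, DisplayName
```

The subject-name lookup protects against picking a stale or self-signed certificate with the same name: it requires a private key and prefers the one with the latest expiry, which is what the wizard's drop-down would normally show first.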
Set DNS A record
To authenticate against Active Directory from inside and outside the LAN, all devices require ADFS to be properly configured in the DNS infrastructure.
Public DNS
To resolve the ADFS name sts.nolabnoparty.com from outside the network, an A record must be created in the public DNS that points to the public IP of the ADFS proxy in the DMZ (part 4 covers this topic).
Internal DNS
To resolve the ADFS name from internal, the DNS must be configured accordingly.
Open the DNS Manager, right click the Forward Lookup Zones item and select New Zone option.
The New Zone Wizard opens. Click Next.
Select the Primary zone option and tick Store the zone in Active Directory. Click Next to continue.
Select option To all DNS servers running on domain controllers in this domain: nolabnoparty.local then click Next.
Type the Zone name using the same name assigned to the ADFS service (sts.nolabnoparty.com) and click Next.
Select Allow only secure dynamic updates and click Next.
Click Finish to create the new zone.
To resolve the DNS name internally, right click the newly created zone sts.nolabnoparty.com and select the New Host (A or AAAA) option.
Leave the Name blank (the record sits at the zone apex) and type the IP address of the ADFS server previously configured. Don't enable Create associated pointer (PTR) record. Click Add Host when done.
Click OK to close the confirmation window.
The new A record has been created.
If you ping the ADFS name inside the LAN, you get the correct reply.
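The same internal zone and apex A record can be created with the DnsServer module. This is an added example rather than the post's own steps; it mirrors the wizard choices (AD-integrated primary zone, domain replication scope, secure dynamic updates only, no PTR) and then verifies that the name resolves to the internal address. 192.0.2.10 is a placeholder for the ADFS server's LAN IP; run it on a DNS server or domain controller with DNS admin rights.

```powershell
# Added example (not from the original post): internal DNS zone for the
# federation service name plus verification. Placeholder IP, replace it.
$fsName = 'sts.nolabnoparty.com'
$adfsIp = '192.0.2.10'   # placeholder: internal IP of the ADFS server

Import-Module DnsServer

# AD-integrated primary zone, replicated to all DCs in the domain,
# accepting only secure dynamic updates (same options as the wizard).
if (-not (Get-DnsServerZone -Name $fsName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $fsName -ReplicationScope Domain -DynamicUpdate Secure
}

# A record at the zone apex ('@' is the blank Name field in the wizard);
# -CreatePtr is deliberately omitted, matching the unticked PTR option.
Add-DnsServerResourceRecordA -ZoneName $fsName -Name '@' -IPv4Address $adfsIp

# Verify: inside the LAN the name must resolve to the internal address,
# not to the public IP that the external A record will point at.
$answer = Resolve-DnsName -Name $fsName -Type A
if ($answer.IPAddress -notcontains $adfsIp) {
    throw "$fsName resolves to $($answer.IPAddress -join ', '), expected $adfsIp"
}
$answer
```

Because the zone is named after the host itself, every other name under it would also be owned by this zone; that is intended here (split-brain DNS for one name) but is worth remembering before adding further records.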
Test ADFS
To test whether ADFS works as expected, open Internet Explorer on a computer on the LAN and type the address:
https://adfsname.domain.com/adfs/ls/IdpInitiatedSignon.aspx
In the example, the address https://sts.nolabnoparty.com/adfs/ls/IdpInitiatedSignon.aspx is used in the browser. Click the Sign in button.
If you are prompted for credentials, the ADFS name is not configured in IE as part of the Local intranet zone, so the browser does not attempt integrated Windows authentication.
To fix the problem, from the Internet Explorer menu select Tools > Internet Options and open the Security tab. Select the Local intranet zone and click the Sites and then the Advanced button.
Click Add to add the ADFS name to the selected zone. The website name (e.g. sts.nolabnoparty.com) is added to the Websites field. Click Close.
Click on Sign in button again. This time the You are signed in message confirms ADFS service is working.
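A scripted version of the same test, added here and not part of the original post: it checks that port 443 is reachable, fetches the federation metadata document over TLS (which also exercises the certificate chain), adds the ADFS name to the current user's Local intranet zone through IE's standard ZoneMap registry layout, and finally requests the IdP-initiated sign-on page with the logged-on user's credentials. The host name and the domain split used in the registry path are taken from this series; everything else is an assumption.

```powershell
# Added example (not from the original post): client-side ADFS check.
# Run on a domain-joined Windows client as the user who will sign in.
$fsName = 'sts.nolabnoparty.com'

# 1. Name resolution and TCP 443 reachability from the LAN.
Test-NetConnection -ComputerName $fsName -Port 443

# 2. Federation metadata over HTTPS; a chain error here means the client
#    does not trust the CA that issued the certificate from part 2.
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
[xml]$xml = $meta.Content
"Federation entityID: $($xml.EntityDescriptor.entityID)"

# 3. Local intranet zone (zone id 1) for https on the ADFS host, per user.
#    Equivalent of Tools > Internet Options > Security > Local intranet >
#    Sites > Advanced > Add. Path layout: ...\Domains\<domain>\<host label>.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nolabnoparty.com\sts'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# 4. Integrated sign-on: with the host in the intranet zone the request
#    should succeed using Kerberos/NTLM, without a credential prompt.
$signOnUrl = "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
$r = Invoke-WebRequest -Uri $signOnUrl -UseDefaultCredentials -UseBasicParsing
"IdpInitiatedSignon returned HTTP $($r.StatusCode)"
```

For a whole fleet the zone assignment belongs in Group Policy (Site to Zone Assignment List) rather than per-user registry edits; the registry step here is only the scripted equivalent of the manual IE change described above.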
Troubleshooting
During the ADFS configuration Wizard you may receive the error as shown in the picture. The missing object must be created in Active Directory to complete the configuration.
Open the ADSI Editor and right click the domain name. Select New > Object option.
Select container as a class and click Next.
Type Program Data in the Value field then click Next.
Click Finish to create the object.
Now right click the created object Program Data and select New > Object option.
Select container as a class and click Next.
Type Microsoft in the Value field then click Next.
Click Finish to create the object.
The new objects are now present in Active Directory.
This time the ADFS configuration is completed successfully.
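The two containers the ADSI Edit steps above create can also be created with the ActiveDirectory module. The following is an added example, not the post's own procedure: it derives the domain DN from the current domain (nolabnoparty.local in this series), creates CN=Program Data and CN=Microsoft beneath it only if they are missing, and prints the result. The helper function name is an assumption; run it as a Domain Admin.

```powershell
# Added example (not from the original post): idempotent creation of the
# CN=Microsoft,CN=Program Data,<domain> containers the ADFS wizard expects.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=nolabnoparty,DC=local

# Hypothetical helper: create a container under $ParentDN unless it exists.
function Ensure-Container {
    param([string]$Name, [string]$ParentDN)
    $dn = "CN=$Name,$ParentDN"
    $existing = Get-ADObject -Filter "distinguishedName -eq '$dn'"
    if ($existing) {
        Write-Host "Exists:  $dn"
    } else {
        New-ADObject -Name $Name -Type container -Path $ParentDN
        Write-Host "Created: $dn"
    }
    return $dn
}

$programData = Ensure-Container -Name 'Program Data' -ParentDN $domainDN
$microsoft   = Ensure-Container -Name 'Microsoft'    -ParentDN $programData

# Show both objects; class must be 'container' for the wizard to use them.
Get-ADObject -Identity $programData -Properties objectClass, whenCreated
Get-ADObject -Identity $microsoft   -Properties objectClass, whenCreated
```

Checking before creating matters because New-ADObject fails if the container already exists, and on a domain where only one of the two objects is missing (a common state after a partial earlier attempt) the script should still complete.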
Part 4 of the ADFS configuration covers the WAP (Web Application Proxy) server used to handle authentication requests from devices outside the LAN.
Hi,
I can't access your part 4 🙂
Links fixed.
Paolo,
I have a question if this scenario below is possible.
2 x ADFS 3.0 servers located in different DCs (different subnets, layer 3 between the 2 sites)
Need to create the farm with those two and use Windows 2012 R2 NLB (configured on the same ADFS servers) with one single VIP. Is that possible? Couldn't find a firm answer anywhere on the web on whether Windows NLB can support LB for 2 servers located in different locations (subnets).
Thank you and btw great blog series
Cristian