ADFS 3.0 requires a dedicated SSL certificate installed on the ADFS servers in order to provide users with single sign-on access to the Office 365 platform.
If you plan to deploy Office 365 in your company, ADFS is the service to consider: authentication stays with your on-premises Active Directory and users get the same sign-on experience from all their devices. A simpler alternative is to configure only the DirSync tool, but in that case accounts are synchronized while authentication for Office 365 is managed separately in the cloud rather than federated to your domain.
Blog series
ADFS 3.0 setup UPN suffix for Office 365 SSO - pt. 1
ADFS 3.0 SSL certificate signing request - pt. 2
ADFS 3.0 install ADFS Server - pt. 3
ADFS 3.0 install WAP Server - pt. 4
ADFS 3.0 federating Office 365 - pt. 5
ADFS 3.0 install Directory Sync tool - pt. 6
ADFS 3.0 deploy Office 365 - pt. 7
Prerequisites
To set up the ADFS infrastructure you need the following:
- At least two Windows Server 2012 R2 machines joined to the domain
- One Windows Server 2012 R2 machine NOT joined to the domain, residing in the DMZ (this will host the Web Application Proxy)
Request the SSL certificate
ADFS 3.0 no longer needs IIS, as previous releases did, but it still relies on an SSL certificate to work. Before starting the configuration we therefore create a certificate request from the machine that will host the ADFS role, so that the private key is generated and stays on that machine.
From Start > Search programs and files type mmc and press Enter to open the Microsoft Management Console.
From the File menu select Add/Remove Snap-in.
Select Certificates then click Add button.
Since the certificate is for the machine itself and not for a user, select Computer account and click Next.
Select Local computer and click Finish.
When the Certificates snap-in appears in the right pane, click OK to open the console.
Expand the Certificates item, right-click Personal and select All Tasks > Advanced Operations > Create Custom Request.
The Certificate Enrollment Wizard opens. Click Next to proceed.
Select Proceed without enrollment policy option then click Next.
The Template drop-down menu offers two "(No template)" entries: CNG key and Legacy key. Do not select (No template) CNG key: a private key stored by a CNG key storage provider is not supported by ADFS 3.0, and the ADFS configuration wizard fails with the error message shown in the picture. Keep this in mind if you run into that error during the ADFS setup; the only fix is to request a new certificate with the right key type.
ADFS requires a legacy (CryptoAPI/CSP) key. From the Certificate Enrollment Wizard select (No template) Legacy key from the Template drop-down menu and PKCS #10 as Request format. Click Next to continue.
Click Details to show the additional information, then click Properties.
In the General tab type a Friendly name to identify the certificate more easily, and a Description. Select the Subject tab when done.
In this tab we configure the certificate subject. From the Type drop-down menu select Common name.
In the Value field type the name of your federation service (for example the host name users will connect to) and click Add to add the Common Name to the certificate. This is the name that will be configured in the public DNS, so it must match exactly.
Now select Organization from the drop down menu and type the Value then click Add.
Select Organization unit, type a Value and click Add.
Select Locality, type a Value and click Add.
Select State, type a Value and click Add.
Select Country, type a Value and click Add.
When the subject properties have been set, select the Private Key tab.
Expand Cryptographic Service Provider with the ^ symbol and select only Microsoft RSA SChannel Cryptographic Provider (Encryption).
Expand Key options with the ^ symbol and set Key size to 2048.
Enable Make private key exportable: the same certificate and key will later have to be moved to the WAP server. Click OK to save the certificate properties.
Click Next to continue with the request process.
Type a File Name and select Base 64 as the File format. Click Finish to complete the procedure.
Select Certificate Enrollment Requests > Certificates and check that the pending request shows up in the right pane.
Open the request file in a text editor, then copy and paste its content into the Certificate Signing Request field of the chosen CA.
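The same request can be generated from the command line with certreq, which is convenient when the procedure has to be repeated (a second ADFS node, or a renewal). The INF file and script below are an added example and not part of the original post; the federation service name adfs.example.com, the organization fields and the C:\certs path are placeholders to replace with your own. KeySpec = 1 together with the SChannel provider is what produces a legacy (CSP) key rather than a CNG key; the Subject Alternative Name extension repeats the Common Name, which current browsers require.

```powershell
# Added example (not from the original post): generate the ADFS SSL certificate
# request with certreq instead of the MMC wizard. All names are placeholders.
$workDir = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

$fsName = 'adfs.example.com'   # federation service name, published in public DNS

# INF equivalent of the wizard choices: legacy (CSP) key, 2048-bit RSA,
# exportable, stored in the computer store, PKCS #10 request format.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fsName, O=Example Corp, OU=IT, L=Milan, S=MI, C=IT"
FriendlyName = "ADFS service certificate"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fsName&"
"@

$infPath = Join-Path $workDir 'adfs.inf'
$reqPath = Join-Path $workDir 'adfs.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# -new creates the key pair in the machine store and writes the Base64 PKCS #10
# request; the pending request shows up under Certificate Enrollment Requests.
certreq -new $infPath $reqPath

# The content of adfs.req is what goes into the CA's CSR field.
Get-Content $reqPath

# When the CA returns the signed certificate (here assumed saved as adfs.cer),
# -accept pairs it with the private key of the pending request and places it
# in the Personal store of this machine:
#   certreq -accept (Join-Path $workDir 'adfs.cer')
```

Run it in an elevated PowerShell session on the future ADFS server; certreq -accept must be run on the same machine, because that is where the private key of the pending request lives.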
Import the signed certificate
When the CA returns the signed certificate, it must be imported on the same machine that generated the request, otherwise it cannot be paired with the private key. From the Certificates snap-in, right-click Personal and select All Tasks > Import.
The Certificate Import Wizard opens. Click Next to continue.
Click Browse, select the signed certificate file and click Next.
Place the certificate in the Personal certificate store and click Next.
Click Finish to import the certificate.
Click OK to close the confirmation window.
Select Personal > Certificates to check the issued certificate. The certificate has been imported successfully into the local computer store; its icon should show a small key, meaning it has been paired with the private key created by the request.
Export the certificate with private key
As mentioned in part 1, another component of the infrastructure, the Web Application Proxy (ADFS-WAP), needs the same certificate, so it has to be exported together with its private key.
From the Certificates console export the certificate including the private key: under Personal > Certificates right-click the issued certificate and select All Tasks > Export.
The Export Wizard opens. Click Next to proceed.
Select Yes, export the private key option and click Next.
Leave the default options (Personal Information Exchange, .PFX) and click Next.
Assign a strong Password to protect the private key: anyone who obtains this .pfx file together with its password can impersonate your federation service, so store both carefully.
Type a File name and click Next.
Click Finish to export the certificate.
Click OK to close the confirmation window.
The certificate .pfx has been exported successfully.
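Before copying the .pfx to the WAP server it is worth checking that the certificate really has a legacy (CSP) key, that its chain validates, and that the export actually contains the private key. The script below is an added example, not part of the original post: adfs.example.com and C:\certs\adfs.pfx are placeholders, and it uses certutil plus the Export-PfxCertificate and Get-PfxData cmdlets available on Windows Server 2012 R2 as the command-line equivalent of the export wizard.

```powershell
# Added example (not from the original post): verify the issued certificate
# is usable by ADFS 3.0 and export it with its private key for the WAP.
$fsName  = 'adfs.example.com'     # placeholder, must match the request
$pfxPath = 'C:\certs\adfs.pfx'    # placeholder

# Pick the newest certificate for the federation service that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key found for $fsName. Import the CA reply on the machine that created the request."
}

# certutil reports which provider holds the key. A legacy CSP key shows the
# SChannel provider; "Microsoft Software Key Storage Provider" means a CNG key,
# which the ADFS configuration wizard rejects.
$providerLine = certutil -store My $cert.Thumbprint | Select-String 'Provider = '
if (-not $providerLine) {
    throw 'Private key not reachable through certutil; the certificate is not paired with its key.'
}
$provider = $providerLine.Line.Trim()
Write-Host $provider
if ($provider -match 'Key Storage Provider') {
    throw 'CNG key detected: recreate the request with the (No template) Legacy key option.'
}

# The chain must build on this machine, i.e. the CA's intermediate certificates
# must be installed, otherwise clients and the WAP will not trust it.
if (-not $cert.Verify()) {
    Write-Warning 'Certificate chain does not validate; install the issuing CA certificates first.'
}

# Export with private key. Export-PfxCertificate fails if the key was not
# marked exportable at request time. BuildChain includes the CA certificates
# so the WAP gets the full chain in one file.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Sanity check the file: it must open with the password and contain the
# end-entity certificate plus the chain.
$check = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$leaf  = $check.EndEntityCertificates[0]
"Exported {0} (expires {1}), chain certificates included: {2}" -f $leaf.Subject, $leaf.NotAfter, $check.OtherCertificates.Count

# On the WAP server the same file is imported into the computer store with:
#   Import-PfxCertificate -FilePath C:\certs\adfs.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
```

Export-PfxCertificate throws if the key is not exportable; if that happens the key was created without the Make private key exportable option and the only remedy is a new request. The exported file should be copied over a trusted channel and deleted from intermediate locations once imported on the WAP.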
In part 3 we'll start installing the ADFS service on the server, the first component of the infrastructure.
Hi Paolo,
Fantastic tutorial! Of great help. Only one question: when the certificate expires, what steps must be followed for renewal?
Regards,
Hi Paolo,
I have a question in regards to the ADFS 3.0 setup. I am a little bit confused about some items.
The scenario is the following:
- Internally, we have a non-routable domain name set up with additional UPNs
- Externally, we have a routable domain name connected to Office 365
The scenario I was looking to achieve is the following -
Setting up the ADFS server to run in the non-routable domain (domain.internal) and using AD CS certificates to secure internal clients.
Setting up the ADFS Proxy to run in the routable domain (domain.com) and using a wildcard SSL certificate to secure external communications.
My main issue is that the wildcard SSL certificate does not contain the Subject Alternative Name of domain.internal, thus I cannot use it internally and will have to rely on my AD CS certificate.
I am just attempting to "Sanity check" my configuration before putting this in production.
Any thoughts?
Thanks for your help
Gordon