Installing ADFS for Non-HA
This section guides users through the installation and configuration of Active Directory Federation Services (ADFS) in a Non-High Availability (Non-HA) setup, providing the steps for deploying a single-server ADFS instance with the necessary certificates and user management.
Prerequisites
Ensure that you have administrative access to the Windows Server 2012 R2 operating system.
Installing domain controller server
This section explains how to set up a server to manage Active Directory (AD) for centralized user authentication and domain management.
To install the domain controller server, follow the steps:
- Open "Server Manager" on your Windows server, then navigate to the "Dashboard" tab from the left navigation.
- In the "Dashboard" tab, choose "Add roles and features".
- In the "Add Roles and Features Wizard", perform the following:
  - Click "Server Roles" from the left navigation.
  - Enable the "Active Directory Domain Services" checkbox.
- Click "Next" and then click "Install" to install the role.
- Verify the status of the installation process in the "Results" tab.
- Once the feature installation is completed, click "Close".
- After the feature installation, promote the server to a domain controller. In the "Server Manager" tab, click the "Notifications" icon at the top right corner.
- Select "Promote this server to a domain controller".
- In the "Active Directory Domain Services Configuration Wizard", perform the following:
  - Click "Deployment Configuration" from the left navigation.
  - Select "Add a new forest" as the deployment operation.
  - Enter the "Root domain name" as "mdsp.soe".
  - Click "Next".
- Click "Domain Controller Options" from the left navigation.
  - Select "Windows Server 2012 R2" as the "Forest functional level" and "Domain functional level" for the new forest and root domain.
  - Enable the "Domain Name System (DNS) server" checkbox under the domain controller capabilities.
  - Enter the "Directory Services Restore Mode (DSRM) password" in the "Password" field and confirm it in the "Confirm password" field.
  - Click "Next".
- Click "Additional Options" from the left navigation. The NetBIOS domain name is generated automatically from the domain name.
  - Check the NetBIOS domain name, change it if required, and then click "Next".
- Click "Prerequisites Check" from the left navigation.
- Click "Next" and then "Install".
Once the installation is completed, the server restarts automatically.
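The same role installation and forest promotion as the wizard steps above, as an added PowerShell example that is not part of the original guide; it uses the guide's values (mdsp.soe, Windows Server 2012 R2 functional levels, DNS on the domain controller) and assumes the NetBIOS name "MDSP", run from an elevated prompt on the server being promoted.

```powershell
# Added example, not the guide's own code: install the AD DS role and promote
# the server to the first domain controller of a new forest.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Prompt for the DSRM password instead of embedding it in the script.
$dsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

$forestParams = @{
    DomainName                    = "mdsp.soe"
    DomainNetbiosName             = "MDSP"        # assumed; auto-generated by the wizard, change if required
    ForestMode                    = "Win2012R2"
    DomainMode                    = "Win2012R2"
    InstallDns                    = $true         # same as the "DNS server" capability checkbox
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true         # suppress the confirmation prompt
}

# Same prerequisite check the wizard runs on the "Prerequisites Check" page;
# review its output and stop here if it reports errors.
Test-ADDSForestInstallation -DomainName $forestParams.DomainName `
    -ForestMode $forestParams.ForestMode `
    -SafeModeAdministratorPassword $dsrmPassword

# Promote the server; it restarts automatically when promotion completes.
Install-ADDSForest @forestParams
```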
Installing AD certification service
Active Directory Certificate Services (AD CS) provides the certificates used for secure communication.
To install the AD certification service, follow the steps:
- In "Server Manager", click "Dashboard" from the left navigation, then click "Add roles and features".
- In the "Add Roles and Features Wizard", perform the following:
  - Click "Server Roles" from the left navigation.
  - Enable the "Active Directory Certificate Services" checkbox.
  - Click "Next".
- Click "Role Services" from the left navigation.
  - Enable the "Certification Authority" and "Certification Authority Web Enrollment" checkboxes.
  - Click "Next".
- In the "Confirm installation selection" screen, click "Confirmation" to confirm the installation process.
- Click "Install".
- Verify the status of the installation process in the "Results" tab.
- Click "Close".
Configuring the AD CS
The Certificate Authority (CA) must be configured before it can manage and issue certificates in the domain.
To configure AD CS, follow the steps:
- In the "Server Manager" tab, click the "Notifications" icon at the top right corner.
- Click "Configure Active Directory Certificate Services on the destination server".
- In the "AD CS Configuration" tab, perform the following:
  - Click "Credentials" from the left navigation.
  - Specify the credentials to configure the role services.
  - Click "Next".
- Click "Role Services" from the left navigation.
  - Enable the "Certification Authority" and "Certification Authority Web Enrollment" checkboxes.
  - Click "Next".
- Click "Setup Type" from the left navigation.
  - Select "Enterprise CA" as the setup type of the CA.
  - Click "Next".
- Click "CA Type" from the left navigation.
  - Select "Root CA" as the CA type.
  - Click "Next".
- Click "Private Key" from the left navigation.
  - Select "Create a new private key" as the private key type.
  - Click "Next".
- Click "Cryptography" from the left navigation.
  - Specify the cryptographic options as follows:
    - Select a cryptographic provider: RSA#Microsoft Software Key Storage Provider.
    - Key length: 2048.
    - Select the hash algorithm for signing certificates issued by this CA: SHA256.
  - Click "Next".
- Click "CA Name" from the left navigation.
  - Specify the names of the CA as follows:
    - Common name for this CA: mdsp-dc01-CA.
    - Distinguished name suffix: DC=mdsp,DC=soe.
    - Preview of distinguished name: CN=mdsp-dc01-CA,DC=mdsp,DC=soe.
  - Click "Next".
- Click "Validity Period" from the left navigation.
  - Specify the validity period and click "Next".
- Click the "Confirmation" tab to confirm the configuration process.
  - Click "Configure".
  - Verify the status of the configuration process in the "Results" tab.
  - Verify the details and click "Close".
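The AD CS installation and CA configuration from the two sections above, as an added PowerShell example that is not part of the original guide; it uses the guide's CA settings (Enterprise Root CA, RSA 2048 with the Microsoft Software KSP, SHA256, mdsp-dc01-CA) and assumes a 5-year validity period, which the guide leaves to you.

```powershell
# Added example, not the guide's own code: install the CA and Web Enrollment
# role services, then configure the enterprise root CA as the wizard does.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

$caParams = @{
    CAType                    = "EnterpriseRootCA"
    CryptoProviderName        = "RSA#Microsoft Software Key Storage Provider"
    KeyLength                 = 2048
    HashAlgorithmName         = "SHA256"
    CACommonName              = "mdsp-dc01-CA"
    CADistinguishedNameSuffix = "DC=mdsp,DC=soe"
    ValidityPeriod            = "Years"
    ValidityPeriodUnits       = 5          # assumed value; the guide does not fix a period
    Force                     = $true      # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams
Install-AdcsWebEnrollment -Force

# Check the result: the CA certificate should be in the local Root store with
# the expected subject, an RSA 2048 key and sha256RSA as signature algorithm
# (a SHA1 signature here would mean the Cryptography page was left at a default).
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=mdsp-dc01-CA, DC=mdsp, DC=soe" } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = "KeyBits";  Expression = { $_.PublicKey.Key.KeySize } },
        @{ Name = "SigAlg";   Expression = { $_.SignatureAlgorithm.FriendlyName } }

# certutil prints the configured CA name and type for a second look.
certutil -cainfo
```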
Verifying the AD CS
Verifying the AD CS setup means testing certificate issuance and access to confirm that the Certificate Authority is working properly.
To verify the AD CS installation, follow the steps:
- To sign in to the certificate web interface, open the "Certsrv" link.
- Enter the credentials and click "Sign in".
Result
The Certificate Services web interface is displayed.
Providing permissions to a specific user for Certificate Authority
Assigning the required permissions to a specific user for the Certificate Authority allows that user to manage the Certificate Authority.
To grant permissions to a specific user, follow the steps:
- In "Server Manager", click the "Dashboard" tab, navigate to "Tools" and select "Certification Authority".
- In the "Certification Authority (Local)" tab, perform the following:
  - Select and right click on "Certificate Templates".
  - Click "Manage".
- In the "Certificate Templates Console" tab, select and right click on "Web Server" and then select "Properties".
- In the "Web Server Properties" tab, select the "Security" tab and perform the following:
  - Click "Add". The "Select Users, Computers, Service Accounts or Groups" screen appears.
  - Click the "Object Types" tab.
  - In the "Object Types" dialog box, enable the "Computers" checkbox and click "OK".
  - In the "Select Users, Computers, Service Accounts, or Groups" dialog box, enter the name of your object in the "Enter the object names to select" field and click "OK".
  - In the "Security" tab, under "Permissions for dc01", enable the required checkboxes (or all of them) for the desired permissions and click "OK".
  - Click "Add".
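The template permission change above, as an added PowerShell example that is not part of the original guide. It grants the dc01 computer account only Read and Enroll on the "Web Server" template (the least the certificate request later in the guide needs, rather than all checkboxes) and then reads the ACL back to confirm nothing broader was granted; the Certificate-Enrollment right GUID is the fixed schema value.

```powershell
# Added example, not the guide's own code: grant Read + Enroll on the Web Server
# template to the dc01 computer account and verify the resulting ACL.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Templates live in the Configuration partition; "WebServer" is the internal
# name of the template shown as "Web Server" in the console.
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$computer    = Get-ADComputer -Identity "dc01"
$enrollRight = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment extended right

$readRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$enrollRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight
)

$acl = Get-Acl -Path "AD:\$templateDn"
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($enrollRule)
Set-Acl -Path "AD:\$templateDn" -AclObject $acl

# Verify: the account should show GenericRead and one ExtendedRight whose
# ObjectType is the Enroll GUID, and no WriteDacl/WriteOwner/GenericAll.
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { $_.IdentityReference -like "*\dc01$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```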
Adding the ADFS management user
Adding an ADFS management user creates a user account with permissions to administer ADFS operations.
To add an ADFS management user, follow the steps:
- In the "Server Manager" tab, click "Tools" and select "Active Directory Users and Computers".
- In the "Active Directory Users and Computers" tab, perform the following:
  - Select and right click on the "Users" folder.
  - Select "Create New User".
  - In the "New Object - User" window, enter the user details:
    - Enter the "First name" as "adfs", the "Last name" as "server" and the "Full name" as "adfs server".
    - Enter the "User logon name" as "adfs_svc".
    - Click "Next".
  - Enter the password in the "Password" field, confirm it in the "Confirm password" field and enable the "Password never expires" checkbox.
  - Click "Next".
Result
The user is created with the specified name.
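The service account creation above, as an added PowerShell example that is not part of the original guide; it uses the guide's names (adfs/server, logon name adfs_svc, password never expires) and assumes the UPN suffix is the forest domain mdsp.soe.

```powershell
# Added example, not the guide's own code: create the ADFS service account
# in the default Users container and check what it ended up with.
Import-Module ActiveDirectory

$password = Read-Host -Prompt "adfs_svc password" -AsSecureString

New-ADUser `
    -Name "adfs server" `
    -GivenName "adfs" `
    -Surname "server" `
    -SamAccountName "adfs_svc" `
    -UserPrincipalName "adfs_svc@mdsp.soe" `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -Enabled $true

# Check the account: it should be enabled, carry only Domain Users membership
# (the ADFS configuration wizard grants the service what it needs) and not be
# a member of any privileged group.
Get-ADUser -Identity "adfs_svc" -Properties PasswordNeverExpires, MemberOf, PrimaryGroup |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PrimaryGroup,
        @{ Name = "MemberOf"; Expression = { $_.MemberOf -join "; " } }
```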
Issuing a certificate for ADFS domain via MMC
This section describes how to generate an SSL certificate for the ADFS domain and assign it using the MMC tool.
To issue a certificate for the ADFS domain via MMC, follow the steps:
- Open the "MMC" console:
  - Press the "Windows + R" keys on the keyboard.
  - In the "Run" window, enter "mmc" and click "OK".
- In the "MMC" console, click "File" and select "Add/Remove Snap-in".
- In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add".
- In the "Certificates snap-in" window, choose "Computer account" and click "Next".
- In the "Select Computer" window, choose "Local computer" and click "Finish".
- Click "OK".
- In the "MMC" console, expand "Certificates (Local Computer)" and then the "Personal" folder.
  - Select and right click on the "Certificates" folder.
  - Select "All Tasks" and then "Request New Certificate".
- In the "Request Certificates" window, select the desired certificate template and configure the additional settings.
- In the "Certificate Properties" window, click "Subject" and add the following details:
  - In the "Subject name" tab, select "Common Name" as "Type", enter the "Value" as "adfs-srv.mdsp.soe" and click "Add".
  - In the "Alternative name" tab, select "DNS" as "Type", enter the "Value" as "adfs-srv.mdsp.soe" and click "Add".
- Verify the details and click "OK".
- Click "Enroll".
Result
The specified certificate is issued successfully.
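The same enrollment from PowerShell, as an added example that is not part of the original guide: it requests a certificate from the enterprise CA using the "Web Server" template made enrollable earlier, with the guide's common name and DNS alternative name, into the local machine Personal store, and then confirms the DNS SAN is present (the name a browser or relying party actually matches on).

```powershell
# Added example, not the guide's own code: request the ADFS SSL certificate
# through auto-discovered enterprise CA enrollment instead of the MMC dialog.
$result = Get-Certificate -Template "WebServer" `
    -SubjectName "CN=adfs-srv.mdsp.soe" `
    -DnsName "adfs-srv.mdsp.soe" `
    -CertStoreLocation "Cert:\LocalMachine\My"

if ($result.Status -ne "Issued") {
    throw "Enrollment did not complete: status $($result.Status)"
}

$cert = $result.Certificate

# Verify the SAN extension: ADFS clients validate the DNS name there, so a
# certificate with only a CN would fail hostname checks on modern clients.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$san    = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }

[PSCustomObject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint     # needed later for Install-AdfsFarm
    NotAfter   = $cert.NotAfter
    SAN        = $san
    HasKey     = $cert.HasPrivateKey   # must be True for the ADFS wizard to list it
}
```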
Installing ADFS service
Installing the ADFS service deploys the ADFS role to provide secure, federated authentication services.
To install the ADFS service, follow the steps:
- In "Server Manager", click the "Dashboard" tab, then click "Add roles and features".
- In the "Add Roles and Features Wizard", perform the following:
  - Click "Server Roles".
  - Enable the "Active Directory Federation Services" checkbox.
  - Click "Next".
  - Click the "Confirmation" tab to confirm the installation process.
  - Click "Install".
  - Verify the status of the installation process in the "Results" tab.
  - Check the details and click "Close".
- In the "Server Manager" tab, click the "Notifications" icon at the top right corner.
- Select "Configure the federation service on this server".
- In the "Active Directory Federation Service Configuration Wizard", perform the following:
  - Click "Welcome".
  - Select "Create the first federation server in a federation server farm".
  - Click "Next".
  - Click "Connect to AD DS".
  - Verify the details and click "Next".
  - Click "Specify Service Properties". Select "adfs-srv.mdsp.soe" as the "SSL Certificate", select "adfs-srv.mdsp.soe" as the "Federation Service Name" and specify the "Federation Service Display Name" as "ADFS SSO".
  - Click "Next".
  - Click "Specify Service Account".
  - Select "Use an existing domain user account or group Managed Service Account".
  - Click "Select".
  - In the "Select User or Service Account" window, enter the object name as "adfs_svc" and click "OK".
  - Enter the "Account Password" and click "Next".
  - Click "Specify Database".
  - Select "Create a database on this server using Windows Internal Database".
  - Click "Next".
  - Click "Review Options".
  - Verify the details and click "Next".
  - Click "Pre-requisite Checks" to check whether all prerequisites have passed, then click "Configure".
  - Verify the status of the installation process in the "Results" tab.
  - Click "Close".
Result
The ADFS service is installed successfully and can be checked in the "DNS Manager" tab.
Verifying ADFS service
Verifying the ADFS service validates ADFS functionality by accessing the IdP-initiated sign-in page.
To verify the ADFS service installation, follow the steps:
- To sign in to the ADFS service, open the ADFS link.
- Click "Sign in".
- Enter the credentials and click "Sign in".
Result
You have signed in to the ADFS service account successfully.
Fix Issues
For ADFS on Windows Server 2019 or newer, you may encounter the following error during verification.
To fix the issue, run the commands as mentioned in the image. For more information, refer to Benoit's Corner.
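The ADFS farm installation, its verification and the fix above, as one added PowerShell example that is not part of the original guide. It installs the first federation server with the guide's values (certificate and service name adfs-srv.mdsp.soe, display name "ADFS SSO", account adfs_svc, Windows Internal Database), and assumes the NetBIOS domain "MDSP". The commands in the referenced image are not reproduced on this page; the step that enables the IdP-initiated sign-on page is an assumption about that fix, based on the page being disabled by default on newer ADFS versions, and is skipped where the property does not exist (Windows Server 2012 R2).

```powershell
# Added example, not the guide's own code: configure the first ADFS server in a
# new farm, then check the IdP-initiated sign-on page used for verification.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Pick the certificate issued for the service name (newest one, with a private key).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=adfs-srv.mdsp.soe" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for adfs-srv.mdsp.soe in Cert:\LocalMachine\My" }

# Prompt for the service account password; "MDSP" is the assumed NetBIOS domain.
$svcCred = Get-Credential -UserName "MDSP\adfs_svc" -Message "ADFS service account password"

# No SQL parameters given, so the farm uses the Windows Internal Database,
# matching the "Specify Database" choice in the wizard.
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs-srv.mdsp.soe" `
    -FederationServiceDisplayName "ADFS SSO" `
    -ServiceAccountCredential $svcCred

# Verification uses https://adfs-srv.mdsp.soe/adfs/ls/idpinitiatedsignon.aspx.
# Assumed fix for the 2019+ error: that page is disabled by default on newer
# versions; enable it only on versions that expose the property.
$props = Get-AdfsProperties
if ($props.PSObject.Properties.Name -contains "EnableIdpInitiatedSignonPage") {
    if (-not $props.EnableIdpInitiatedSignonPage) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    }
    $props = Get-AdfsProperties
    "IdP-initiated sign-on page enabled: {0}" -f $props.EnableIdpInitiatedSignonPage
} else {
    "Property not present on this ADFS version; the sign-on page is available by default."
}
"Federation service host: {0}" -f $props.HostName
```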
Adding users in Active Directory (AD) controller
To add users in the AD controller, follow the steps:
- In the "Server Manager" tab, click "Tools" and select "Active Directory Users and Computers".
- In the "Active Directory Users and Computers" tab, right-click on the folder created earlier, select "New" and click "Organizational Unit".
Result
A folder is created with the specified name.
Add Relying Trust in ADFS
To add a relying party trust in ADFS, refer to Managing ADFS Server.