
Installing ADFS for Non-HA

This section guides users through the installation and configuration of Active Directory Federation Services (ADFS) in a Non-High Availability (Non-HA) setup, providing the steps for deploying a single-server ADFS instance with the necessary certificates and user management.

Prerequisites

Ensure that you have administrative access to the Windows Server 2012 R2 operating system.

Installing domain controller server

This section explains the process of setting up a server to manage Active Directory (AD) for centralized user authentication and domain management.

To install the domain controller server, follow the steps:

  1. Open "Server Manager" on your Windows server, then navigate to the "Dashboard" tab from the left navigation.

  2. In the "Dashboard" tab, choose "Add roles and features".

    Server Manager

  3. In the "Add Roles and Features Wizard", perform the following:

    1. Click "Server Roles" from the left navigation.
    2. Enable the "Active Directory Domain Services" checkbox.
    3. Click "Next" and then click "Install" to install the role.

      Select server roles

    4. Verify the status of the installation process in the "Results" tab.

      Installation process

    5. Once the feature installation is completed, click "Close".

      Feature installation

  4. After the feature installation, promote the server to a domain controller. In the "Server Manager" tab, click Notifications.

    Notification

  5. Select "Promote this server to a domain controller".

    Promote Server

  6. In the "Active Directory Domain Services Configuration Wizard", perform the following:

    1. Click "Deployment Configuration" from the left navigation.
    2. Select "Add a new forest" as the deployment operation.
    3. Enter the "Root domain name" as "mdsp.soe".
    4. Click "Next".

      Deployment Configuration

    5. Click "Domain Controller Options" from the left navigation.

    6. Select the "Forest functional level" and "Domain functional level" as "Windows Server 2012 R2" for the new forest and root domain.
    7. Enable the "Domain Name System (DNS) server" checkbox as the domain controller capability.
    8. Enter the "Directory Services Restore Mode (DSRM) password" in the "Password" field and confirm it in the "Confirm password" field.
    9. Click "Next".

      Domain Controller Options

    10. Click "Additional Options" from the left navigation.
      The NetBIOS domain name is automatically generated based on the domain name.

    11. Check the NetBIOS domain name, change it if required, and then click "Next".

      Additional options

    12. Click "Prerequisites Check" from the left navigation.

    13. Click "Next" and then "Install".
      Once the installation is completed, the server restarts automatically.

      Prerequisites check
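The same domain controller deployment can be scripted instead of clicked through. The following is an added example, not taken from the original page: it runs in an elevated PowerShell session on the future domain controller and assumes only the root domain name mdsp.soe given above (the NetBIOS name is derived by the cmdlet unless overridden). The DSRM password is prompted for rather than written into the script.

```powershell
# Added example: PowerShell equivalent of the "Installing domain controller server" steps.
# Assumption: root domain name mdsp.soe (from the page); everything else is the cmdlet default.

# Step 3: install the AD DS role together with its management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 4-6: promote the server to the first DC of a new forest.
# The Directory Services Restore Mode password is read interactively so it never lands on disk.
$dsrm = Read-Host -Prompt "DSRM password" -AsSecureString

# Dry run first: reports blocking prerequisite failures without changing anything
Test-ADDSForestInstallation -DomainName "mdsp.soe" -SafeModeAdministratorPassword $dsrm

Install-ADDSForest `
    -DomainName "mdsp.soe" `
    -ForestMode "Win2012R2" `
    -DomainMode "Win2012R2" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true        # suppresses the confirmation prompt; the server reboots when done

# After the automatic restart, confirm the forest and the DC are healthy
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADDomainController | Select-Object HostName, IsGlobalCatalog, OperatingSystem
dcdiag /test:DNS /test:Advertising
```

Running Test-ADDSForestInstallation before the real promotion surfaces the same problems the wizard's "Prerequisites Check" page would, which is useful when the server has no desktop session.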

Installing AD certification service

Installing Active Directory Certificate Services (AD CS) deploys an enterprise Certificate Authority that issues the certificates used for secure communication in the domain.

To install the AD certification service, follow the steps:

  1. In "Server Manager", click "Dashboard" from the left navigation. Click "Add roles and features".

    Server Manager

  2. In the "Add Roles and Features Wizard", perform the following:

    1. Click "Server Roles" from the left navigation.
    2. Enable the "Active Directory Certificate Services" checkbox.
    3. Click "Next".

      Server roles

    4. Click "Role Services" from the left navigation.

    5. Enable the "Certification Authority" and "Certification Authority Web Enrollment" checkboxes.
    6. Click "Next".

      Role Services

    7. In the "Confirm installation selection" screen, click "Confirmation" to confirm the installation process.

    8. Click "Install".

      Confirmation

    9. Verify the status of the installation process in the "Results" tab.

    10. Click "Close".

    Results

Configuring the AD CS

It is required to configure the Certificate Authority (CA) to manage and issue certificates in the domain.

To configure AD CS, follow the steps:

  1. In the "Server Manager" tab, click Notifications.

    Notification

  2. Click "Configure Active Directory Certificate Services on the destination server".

    Configure directory

  3. In the "AD CS Configuration" tab, perform the following:

    1. Click "Credentials" from the left navigation.
    2. Specify the credentials to configure the role services.
    3. Click "Next".

      Credentials

    4. Click "Role Services" from the left navigation.

    5. Enable the "Certification Authority" and "Certification Authority Web Enrollment" checkboxes.
    6. Click "Next".

      Role Services

    7. Click "Setup Type" from the left navigation.

    8. Select "Enterprise CA" as the setup type of the CA.
    9. Click "Next".

      Setup type

    10. Click "CA Type" from the left navigation.

    11. Select "Root CA" as the CA type.
    12. Click "Next".

      CA Type

    13. Click "Private Key" from the left navigation.

    14. Select "Create a new private key" for the private key type.
    15. Click "Next".

      Private Key

    16. Click "Cryptography" from the left navigation.

    17. Specify the cryptographic options as mentioned below:

      1. Select a cryptographic provider: RSA#Microsoft Software Key Storage Provider.
      2. Key length: 2048.
      3. Select the hash algorithm for signing certificates issued by this CA: SHA256.
    18. Click "Next".

      Cryptography

    19. Click "CA Name" from the left navigation.

    20. Specify the names of the CA as mentioned below:
      • Common name for this CA: mdsp-dc01-CA.
      • Distinguished name suffix: DC=mdsp,DC=soe.
      • Preview of distinguished name: CN=mdsp-dc01-CA,DC=mdsp,DC=soe.
    21. Click "Next".

      CA Name

    22. Click "Validity Period" from the left navigation.

    23. Specify the validity period and click "Next".

      Validity period

    24. Click the "Confirmation" tab to review the configuration.

    25. Click "Configure".

    Confirmation

    26. Verify the status of the configuration process in the "Results" tab.
    27. Verify the details and click "Close".

    Results
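The CA configuration above (Enterprise Root CA, RSA 2048 in the Microsoft Software Key Storage Provider, SHA256, CA name mdsp-dc01-CA under DC=mdsp,DC=soe) maps directly onto the AD CS deployment cmdlets. The following is an added example and not part of the original page; the five-year validity period is an assumption, because the page leaves the value open, and the final checks stand in for the "Verifying the AD CS" browser test that follows.

```powershell
# Added example: scripted equivalent of "Installing AD certification service" and "Configuring the AD CS".
# Values come from the page except the validity period, which is assumed (5 years is the default).

Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -CACommonName "mdsp-dc01-CA" `
    -CADistinguishedNameSuffix "DC=mdsp,DC=soe" `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# The web enrollment pages (the /certsrv site used in the verification section)
Install-AdcsWebEnrollment -Force

# Verification: the CA service is running, the CA answers, and its root certificate
# was published into the machine's Trusted Root store with the expected algorithms.
Get-Service CertSvc | Select-Object Name, Status
certutil -ping

Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=mdsp-dc01-CA*" } |
    Format-List Subject, NotBefore, NotAfter, SignatureAlgorithm, Thumbprint
```

If the Root store query returns nothing, the CA certificate was not published to the domain; an enterprise CA installed by a non-Enterprise Admin is the usual cause, and the browser verification that follows will show a certificate warning for the same reason.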

Verifying the AD CS

Verifying the AD CS setup involves testing the certificate issuance and access processes to ensure the Certificate Authority is functioning properly.

To verify the AD CS installation, follow the steps:

  1. To sign in to the certificate web interface, click Certsrv.

  2. Enter the credentials and click "Sign in".

    Sign in

Result

The Certificate Services web interface is displayed.

Web interface

Providing permissions to specific user for Certificate Authority

Assigning the required permissions to a specific user for the Certificate Authority allows that user to manage the Certificate Authority.

To grant permissions to a specific user, follow the steps:

  1. In the "Server Manager" "Dashboard" tab, navigate to "Tools" and select "Certification Authority".

    Certification Authority

  2. In the "Certification Authority (Local)" tab, perform the following:

    • Select and right click on the "Certificate Templates".
    • Click "Manage".

    Certificate Authority manage

  3. In the "Certificate Templates Console" tab:

    Select and right click on "Web Server" and then select "Properties".

    Certificate Templates

  4. In the "Web Server Properties" tab, select "Security" tab and choose the following options:

    • Click "Add".
      The "Select Users, Computers, Service Accounts or Groups" screen appears.
    • Click "Object Types" tab.
    • In the "Object Types" dialog box, enable "Computers" checkbox and click "OK".

    Object Types

    • In the "Select Users, Computers, Service Accounts, or Groups" dialog box, enter the name of your object in the "enter the object names to select" field and click "OK".

    Select Users

    • In the "Security" tab, under "Permissions for dc01" enable the required or all checkboxes for the desired permissions and click "OK".

    Web Server Properties
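The "Security" tab of the Web Server template edits the ACL of the template object stored in the configuration partition of Active Directory, so the same grant can be made and audited from PowerShell. The block below is an added example and not part of the original page. It assumes the computer account being granted access is dc01, as in the screenshot, and it deliberately grants only Read and Enroll rather than "all checkboxes": write rights on a certificate template allow the holder to alter what the CA will issue, so a computer that merely needs a certificate should not have them.

```powershell
# Added example: grant a computer account Read + Enroll on the "Web Server" template.
# Assumptions: forest mdsp.soe (from the page), computer account dc01 (from the screenshot).
Import-Module ActiveDirectory

# The template's CN is "WebServer" even though its display name is "Web Server"
$template = "AD:\CN=WebServer,CN=Certificate Templates,CN=Public Key Services," +
            "CN=Services,CN=Configuration,DC=mdsp,DC=soe"

$computer = Get-ADComputer -Identity "dc01"
$sid      = [System.Security.Principal.SecurityIdentifier]$computer.SID

# Well-known extended-right GUID for Certificate-Enrollment ("Enroll" in the GUI)
$enrollRight = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"

$acl = Get-Acl -Path $template

$read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)

$enroll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight)

$acl.AddAccessRule($read)
$acl.AddAccessRule($enroll)
Set-Acl -Path $template -AclObject $acl

# Audit: list every principal on the template that holds write-type rights.
# A computer or ordinary user appearing here is a misconfiguration worth fixing.
(Get-Acl -Path $template).Access |
    Where-Object { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Re-running the final audit query after any template change is a cheap control: the expected entries are the CA administrators (Domain Admins, Enterprise Admins) and nothing else.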

Adding the ADFS management user

Adding an ADFS management user creates a user account with permissions to administer ADFS operations.

To add an ADFS management user, follow the steps:

  1. In the "Server Manager" tab, click "Tools" and select "Active Directory Users and Computers".

  2. In the "Active Directory Users and Computers" tab, perform the following:

    • Select and right click on the "Users" folder.
    • Select "Create New User".
    • In the "New Object - User" window, enter the user details.
    • Enter the "First name" as "adfs", "Last name" as "server" and "Full name" as "adfs server".
    • Enter the "User logon name" as "adfs_svc".
    • Click "Next".

    active directory

    • Enter the "Password" in the "Password" field and confirm it in the "Confirm password" field and enable "Password never expires" checkbox.
    • Click "Next".

    New object user

Result

The user account is created with the specified name.

user server
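The service account created above can also be created with the ActiveDirectory module; the following is an added example, not part of the original page. Names and the logon name come from the steps above, the UPN suffix mdsp.soe from the domain created earlier, and the password is prompted for. The "Password never expires" flag matches the page; the verification at the end confirms the account has no group memberships beyond Domain Users, which is all the ADFS configuration wizard needs from it.

```powershell
# Added example: create the ADFS service account described in "Adding the ADFS management user".
# Assumption: domain mdsp.soe (from the page).
Import-Module ActiveDirectory

$pwd = Read-Host -Prompt "Password for adfs_svc" -AsSecureString

New-ADUser `
    -Name "adfs server" `
    -GivenName "adfs" `
    -Surname "server" `
    -SamAccountName "adfs_svc" `
    -UserPrincipalName "adfs_svc@mdsp.soe" `
    -AccountPassword $pwd `
    -PasswordNeverExpires $true `
    -Enabled $true `
    -Description "ADFS federation service account"

# Verify the account state and that it carries no privileged group membership
Get-ADUser -Identity "adfs_svc" -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, MemberOf
```

The ADFS wizard's "Specify Service Account" page also accepts a group Managed Service Account; if that route is chosen instead, New-ADServiceAccount replaces New-ADUser here and the password handling disappears, because the domain rotates a gMSA password automatically.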

Issuing a certificate for ADFS domain via MMC

This section describes how to generate and assign an SSL certificate for the ADFS domain using the MMC Certificates snap-in.

To issue a certificate for the ADFS domain via MMC, follow the steps:

  1. Open the "MMC" console.

    • Press "Windows + R" keys on keyboard.
    • In the "Run" window, enter "mmc" and click "OK".

    run

  2. In the "MMC" console, click "File" and select "Add/Remove Snap-in".

    MMC

  3. In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add".

    Certificates

  4. In the "Certificates snap-in" window, choose "Computer account" and click "Next".

    Computer account

  5. In the "Select Computer" window, choose "Local computer" and click "Finish".

    Local computer

  6. Click "OK".

    Add or Remove Snap-ins

  7. In the "MMC" console, click "Certificates (Local Computer)" under "Personal" folder.

    • Select and right click on the "Certificates" folder.
    • Select "All Tasks" and then "Request New Certificate".

    Request new Certificate

  8. In the "Request Certificates" window, select the desired certificate and configure the additional settings.

    Configure settings

  9. In the "Certificate Properties" window, click "Subject" and add the following details:

    • In the "Subject name" tab, select "Common Name" as "Type" and enter the "Value" as "adfs-srv.mdsp.soe".
    • Click "Add".
    • In the "Alternative name" tab, select "DNS" as "Type" and enter the "Value" as "adfs-srv.mdsp.soe".
    • Click "Add".

      Certificate properties

    • Verify the details and click "OK".

    Certificate properties

  10. Click "Enroll".

Enroll

Result

The specified certificate is issued successfully.

Certificate issued
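The MMC enrollment above requests a certificate from the Web Server template with the subject and DNS alternative name adfs-srv.mdsp.soe. The following is an added example, not part of the original page, that performs the same enrollment with the PKI module and then runs the checks a practitioner wants before the certificate is handed to ADFS: private key present, SAN containing the federation service name, Server Authentication EKU, and a chain that builds to the enterprise root.

```powershell
# Added example: enroll the ADFS SSL certificate from the enterprise CA via PowerShell.
# Values (template, subject, DNS name) are the ones used in the MMC steps above.

$result = Get-Certificate `
    -Template "WebServer" `
    -SubjectName "CN=adfs-srv.mdsp.soe" `
    -DnsName "adfs-srv.mdsp.soe" `
    -CertStoreLocation "Cert:\LocalMachine\My"

# "Issued" means the CA approved the request immediately; "Pending" means it awaits approval
$result.Status

$cert = $result.Certificate

# Pre-flight checks before using the certificate in the ADFS wizard
$checks = [ordered]@{
    HasPrivateKey   = $cert.HasPrivateKey
    SubjectMatches  = ($cert.Subject -eq "CN=adfs-srv.mdsp.soe")
    SanContainsHost = (($cert.Extensions |
                        Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
                       ).Format($false) -like "*adfs-srv.mdsp.soe*")
    ServerAuthEku   = (($cert.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains "1.3.6.1.5.5.7.3.1")
    ChainValid      = $cert.Verify()
    DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
}
$checks
$cert.Thumbprint   # needed by Install-AdfsFarm
```

Every boolean in $checks must be $true; a false ChainValid on the ADFS host usually means the CA certificate from the previous section has not reached that machine's Trusted Root store yet.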

Installing ADFS service

Installing the ADFS service deploys the ADFS role to provide secure federated authentication services.

To install the ADFS service, follow the steps:

  1. In the "Server Manager" "Dashboard" tab, click "Add roles and features".

    Server Manager

  2. In the "Add Roles and Features Wizard", perform the following:

    • Click "Server Roles".
    • Enable the "Active Directory Federation Services" checkbox.
    • Click "Next".

    Select roles

    • Click the "Confirmation" tab to confirm the installation process.
    • Click "Install".

    Confirmation

    • Verify the status of the installation process in the "Results" tab.
    • Check the details and click "Close".

    Results

  3. In the "Server Manager" tab, click "Notifications" icon at the top right corner.

    Notification

  4. Select "Configure the federation service on this server".

    Configure federation service

  5. In the "Active Directory Federation Service Configuration Wizard", perform the following:

    • Click "Welcome".
    • Select "Create the first federation server in a federation server farm".
    • Click "Next".

    Welcome

    • Click "Connect to AD DS".
    • Verify the details and click "Next".

    Connect to AD DS

    • Click "Specify Service Properties". Select the "SSL Certificate" as "adfs-srv.mdsp.soe", select the "Federation Service Name" as "adfs-srv.mdsp.soe" and specify the Federation Service Display Name as "ADFS SSO".
    • Click "Next".

    Specify Service Properties

    • Click "Specify Service Account".
    • Select "Use an existing domain user account or group Managed Service Account".
    • Click "Select".

    Specify Service Account

    • In the "Select User or Service Account" window, enter the object name as "adfs_svc" and click "OK".

    Service account

    • Enter the "Account Password" and click "Next".

    Account Password

    • Click "Specify Database".
    • Select "Create a database on this server using Windows Internal Database".
    • Click "Next".

    Specify Database

    • Click "Review Options".
    • Verify the details and click "Next".

    Review Options

    • Click "Pre-requisite Checks" to check whether all prerequisites have passed, then click "Configure".

    Pre-requisite Checks

    • Verify the status of the installation process in the "Results" tab.
    • Click "Close".

    Results

Result

The ADFS service is installed successfully, as shown in the "DNS Manager" tab.

DNS Manager
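The federation service configuration above (first server of a new farm, SSL certificate and service name adfs-srv.mdsp.soe, display name "ADFS SSO", service account adfs_svc, Windows Internal Database) corresponds to one Install-AdfsFarm call. The following is an added example and not part of the original page. The DNS A record is included because the "DNS Manager" result above implies the federation service name must resolve to this server; its IP address is a placeholder.

```powershell
# Added example: scripted equivalent of "Installing ADFS service".
# Assumptions: the certificate from the previous section is in the machine store,
# the service account is MDSP\adfs_svc, and 10.0.0.10 is a placeholder for this server's IP.

Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Pick the newest certificate for the federation service name that has a private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=adfs-srv.mdsp.soe" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$svc = Get-Credential -UserName "MDSP\adfs_svc" -Message "ADFS service account password"

# Omitting -SQLConnectionString selects the Windows Internal Database, as in the wizard
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs-srv.mdsp.soe" `
    -FederationServiceDisplayName "ADFS SSO" `
    -ServiceAccountCredential $svc

# Name resolution for the federation service (placeholder address)
Add-DnsServerResourceRecordA -ZoneName "mdsp.soe" -Name "adfs-srv" -IPv4Address "10.0.0.10"

# Verification: service running, properties as expected, SPN registered, metadata served
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, DisplayName, CertificateThresholdDays
setspn -L MDSP\adfs_svc
Invoke-WebRequest -UseBasicParsing `
    -Uri "https://adfs-srv.mdsp.soe/FederationMetadata/2007-06/FederationMetadata.xml" |
    Select-Object StatusCode
```

A 200 response for the federation metadata URL is the strongest single indicator that the farm, the certificate binding and DNS all line up; the IdP-initiated sign-in page used in the next section depends on an additional setting on newer Windows versions.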

Verifying ADFS service

Verification for ADFS service validates the ADFS functionality by accessing the IdP-initiated sign-in page.

To verify the ADFS service installation, follow the steps:

  1. To sign in to the ADFS service, click ADFS.

  2. Click "Sign in".

    Sign in

  3. Enter the credentials and click "Sign in".

    ADFS credentials

Result

You have signed in to the ADFS service account successfully.

Signed in

Fix Issues

This section resolves a known issue: for ADFS on Windows Server 2019 or newer, you may encounter the following error during verification.

Fix Issues

To fix the issue, run the commands as mentioned in the image. For more information, refer to Benoit's Corner.

Windows powershell
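The commands shown in the image are not reproduced on this page. The block below is an added example, not the page's own content, and rests on an assumption: that the error seen on Windows Server 2019 and newer during the verification step is the IdP-initiated sign-in page being disabled by default in that version, which is the behaviour Set-AdfsProperties controls. It checks the current state, enables the page only if it is off, and repeats the verification request from the previous section on both sides of the change.

```powershell
# Added example: check and enable the IdP-initiated sign-in page used for verification.
# Assumption: the verification error on Server 2019+ is the page being disabled by default.
Import-Module ADFS

$signonUrl = "https://adfs-srv.mdsp.soe/adfs/ls/idpinitiatedsignon.aspx"

function Test-IdpSignonPage {
    # Returns the HTTP status code, or the error text when the request fails
    try   { (Invoke-WebRequest -UseBasicParsing -Uri $signonUrl).StatusCode }
    catch { $_.Exception.Message }
}

"Before: EnableIdpInitiatedSignonPage = " + (Get-AdfsProperties).EnableIdpInitiatedSignonPage
"Before: " + (Test-IdpSignonPage)

if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

"After:  EnableIdpInitiatedSignonPage = " + (Get-AdfsProperties).EnableIdpInitiatedSignonPage
"After:  " + (Test-IdpSignonPage)
```

The page is disabled by default on newer versions because it is an extra interactive sign-in surface that most relying-party deployments never use; if it is only needed for this verification step, setting the property back to $false afterwards returns the server to the default posture.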

Adding users in Active Directory (AD) controller

To add users in the AD controller, follow the steps:

  1. In the "Server Manager" tab, click "Tools" and select "Active Directory Users and Computers".

  2. In the "Active Directory Users and Computers" tab, right-click the container in which the new unit is to be created. Select "New" and click "Organizational Unit".

Tools

Result

A folder is created with the specified name.

Folder
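Creating the organizational unit and populating it with users is a short script with the ActiveDirectory module. The following is an added example and not part of the original page; the OU name "MDSP Users" and the two user records are constructed sample values, and each user receives an interactively entered initial password that must be changed at first logon.

```powershell
# Added example: create an OU in mdsp.soe and add users to it.
# Constructed values: OU name "MDSP Users" and the sample user list below.
Import-Module ActiveDirectory

$ouPath = "OU=MDSP Users,DC=mdsp,DC=soe"

if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouPath'")) {
    New-ADOrganizationalUnit -Name "MDSP Users" -Path "DC=mdsp,DC=soe" `
        -ProtectedFromAccidentalDeletion $true
}

# Constructed sample input; in practice this would come from a CSV file
$users = @"
GivenName,Surname,SamAccountName
Alice,Example,alice.example
Bob,Example,bob.example
"@ | ConvertFrom-Csv

foreach ($u in $users) {
    $initial = Read-Host -Prompt "Initial password for $($u.SamAccountName)" -AsSecureString
    New-ADUser `
        -Name "$($u.GivenName) $($u.Surname)" `
        -GivenName $u.GivenName `
        -Surname $u.Surname `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@mdsp.soe" `
        -Path $ouPath `
        -AccountPassword $initial `
        -ChangePasswordAtLogon $true `
        -Enabled $true
}

# Verify the OU contents
Get-ADUser -Filter * -SearchBase $ouPath | Select-Object Name, SamAccountName, Enabled
```

Protecting the OU from accidental deletion and forcing a password change at first logon are the two defaults the GUI dialog also applies; they are set explicitly here so the script behaves the same way.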

Add Relying Trust in ADFS

To add a relying party trust in ADFS, refer to Managing ADFS Server.


Last update: January 31, 2025