Install and prepare two servers (adfs01/02.domain.com) 2016 with windows updates and join them to your domain.
Determine the namespace that you will use for your ADFS (adfs.domain.com)
Follow up the next step for completion.
Service accounts
As recommended by Microsoft, a Group Managed Service Account (gMSA) has been created for managing the ADFS service.
Specify which server will be permitted to use the service account.
$server1 = Get-ADComputer “adfs01”
$server2 = Get-ADComputer “adfs02”
get-ADServiceAccount -identity SRVC_ADFS | set-adserviceAccount -DNSHostName SRVC_ADFS.domain.com -PrincipalsAllowedToRetrieveManagedPassword $server1, $server2
Certificate preparation
Before the installation, you need to have a certificate prepared with a 3rd party public CA and have decided of the AD FS namespaces.
Certificate per-requiste : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap
How to update the certificate : https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/
Here is the request.inf to use in the procedure
| [Version]
Signature=”$Windows NT$” [NewRequest] Subject = “CN=adfs.domain.com” [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 ; Server Authentication [Extensions] 2.5.29.17 = “text” _continue_ = “dns=www.adfs.domain.com&” |
|---|
Installing AD FS On Windows Server 2016
After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next.
We don’t need to add any additional features. Remember that the IIS dependency was removed in AD FS 2012 R2.
Clicking next takes us to the AD FS splash screen. Note that it helpfully tells us that the specific AD FS proxy role has been removed in Windows 2016 and how to go about installing it.
You can launch the AD FS configuration wizard from here, or alternatively if this window is closed it can be launched from Server Manager.
Before starting the AD FS configuration wizard note that the 3rd party certificate was previously installed and tested.
The choice of service account type was also made prior to starting the installation wizard. in this case the KDS Root container was pre-created.
The wizard also states that you must have access to Domain Admin (DA) credentials!
Note that you are only given an option to either make a new AD FS farm or add this box to an existing farm. This saves the painful issue from older AD FS builds, where AD FS was not installed into a farm you were then unable to add the second AD FS server for redundancy. In that case you had to build a brand new farm from scratch.
Provide your domain admin credentials.
We need to select the SSL certificate that we will use and also provide the AD FS name we selected in the design process.
Select the certificate
Enter the following Federation Service Name : adfs.domain.com
Set the Federation Service Display Name with : adfs.domain.com
Type in the chosen display name, and click next.
Use the existing domain\srvc_ADFS gMSA account
Select the database configuration as per the design. We use the Windows Internal Database.
Pre-requisite Checks are performed.
Clicking “Show More” will display the highlighted pop-up box.
Click Configure to start the configuration process.
When configuration has completed, the results screen is displayed. This should look like the below.
Once done, create a A record with the federation name that will be used.
Verify Federation Service Metadata
Open Internet Explorer and navigate to your AD FS server’s federation metadata URL.
This will be something like the below, just change the FQDN to match your environment.
https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml
Verify AD FS Sign-In Page
Note that AD FS 2016 disables the idpinitiatedsignon page by default, and you will need to manually enable it using:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true |
Browse to the AD FS sign-in page and test that you are able to authenticate.
The URL will be similar to the below, again change the FQDN to match your organisation’s.
Verify Listening Ports
If you want to investigate the TCP ports which the AD FS server is listening on, netstat can be used for this.
netstat -anob | findstr "443" |
Verify Netsh Bindings
The same applies if you want to see the SSL bindings. We can use netsh to review them:
netsh http show ssl | findstr /i "Hostname:port" |
https://blogs.technet.microsoft.com/rmilne/2017/04/28/how-to-install-ad-fs-2016-for-office-365/
Add the second server as a secondary ADFS
Configure the Network Load Balancer between the two servers
