ADFS – Active Directory Federation Services 2016 Installation & Configuration

Install and prepare two servers (adfs01/02.domain.com) 2016 with windows updates and join them to your domain.

Determine the namespace that you will use for your ADFS (adfs.domain.com)

Follow up the next step for completion.

Service accounts

As recommended by Microsoft,  a Group Managed Service Account (gMSA) has been created for managing the ADFS service.

Specify which server will be permitted to use the service account.

$server1 = Get-ADComputer “adfs01”
$server2 = Get-ADComputer “adfs02”

get-ADServiceAccount -identity SRVC_ADFS | set-adserviceAccount -DNSHostName SRVC_ADFS.domain.com -PrincipalsAllowedToRetrieveManagedPassword $server1, $server2

 

Certificate preparation

Before the installation, you need to have a certificate prepared with a 3rd party public CA and have decided of the AD FS namespaces.

Certificate per-requiste : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap

How to update the certificate : https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

Here is the request.inf to use in the procedure

[Version]

Signature=”$Windows NT$”

[NewRequest]

Subject = “CN=adfs.domain.com”
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
RequestType = PKCS10

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]

2.5.29.17 = “text”

_continue_ = “dns=www.adfs.domain.com&”

Installing AD FS On Windows Server 2016

After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next.

Installing AD FS 2016 Using Server Manager

We don’t need to add any additional features.  Remember that the IIS dependency was removed in AD FS 2012 R2.

Installing AD FS 2016 Using Server Manager

Clicking next takes us to the AD FS splash screen.  Note that it helpfully tells us that the specific AD FS proxy role has been removed in Windows 2016 and how to go about installing it.

Installing AD FS 2016 Using Server Manager

Installing AD FS 2016 Using Server Manager

AD FS 2016 Installation Progress

You can launch the AD FS configuration wizard from here, or alternatively if this window is closed it can be launched from Server Manager.

AD FS 2016 Installation Complete - Configuration Now Required

Before starting the AD FS configuration wizard note that the 3rd party certificate was previously installed and tested.

The choice of service account type was also made prior to starting the installation wizard.  in this case the KDS Root container was pre-created.

The wizard also states that you must have access to Domain Admin (DA) credentials!

Note that you are only given an option to either make a new AD FS farm or add this box to an existing farm.  This saves the painful issue from older AD FS builds, where AD FS was not installed into a farm you were then unable to add the second AD FS server for redundancy.  In that case you had to build a brand new farm from scratch.

Starting AD FS 2016 Configuration

Provide your domain admin credentials.

AD FS 2016 Configuration - Connect to AD DS

We need to select the SSL certificate that we will use and also provide the AD FS name we selected in the design process.

Select the certificate

Enter the following Federation Service Name : adfs.domain.com

Set the Federation Service Display Name with : adfs.domain.com

AD FS 2016 Configuration - Service Properties

Type in the chosen display name, and click next.

Use the existing domain\srvc_ADFS gMSA account

AD FS 2016 Configuration - Specify Service Account

Select the database configuration as per the design. We use the Windows Internal Database.

AD FS 2016 Configuration - Specifed Configuration Database

AD FS 2016 Configuration - Review Options

Pre-requisite Checks are performed.

AD FS 2016 Configuration - Pre-Requisite Checks Passed

Clicking “Show More” will display the highlighted pop-up box.

AD FS 2016 Configuration - Pre-Requisite Checks Passed

Click Configure to start the configuration process.

When configuration has completed, the results screen is displayed.  This should look like the below.

image

Once done, create a A record with the federation name that will be used.

Verify Federation Service Metadata

Open Internet Explorer and navigate to your AD FS server’s federation metadata URL.

This will be something like the below, just change the FQDN to match your environment.

https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml

Verify AD FS Sign-In Page

Note that AD FS 2016 disables the idpinitiatedsignon page by default, and you will need to manually enable it using:

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Browse to the AD FS sign-in page and test that you are able to authenticate.

The URL will be similar to the below, again change the FQDN to match your organisation’s.

https://adfs.domain.com/adfs/ls/idpinitiatedsignon.html

Verify Listening Ports

If you want to investigate the TCP ports which the AD FS server is listening on, netstat can be used for this.

netstat -anob | findstr "443"

Verifying SSL Listening Ports Using Netstat

Verify Netsh Bindings

The same applies if you want to see the SSL bindings.  We can use netsh to review them:

netsh http show ssl | findstr /i "Hostname:port"

Verifying SSL Bindings Using Netsh

https://blogs.technet.microsoft.com/rmilne/2017/04/28/how-to-install-ad-fs-2016-for-office-365/

Add the second server as a secondary ADFS

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/add-a-federation-server-to-a-federation-server-farm

Configure the Network Load Balancer between the two servers

nlb

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s