Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries. AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.
NOTE: Before you begin configuration, please ensure a host A record has been created on the respective DNS server.
To install the Federation Service
The following steps are to be performed on the server which would be acting as the AD FS server.
- Click Start, point to Administrative Tools, and then click Server Manager.
- Right-click Roles, and then click Add Roles to start the Add Roles Wizard.
- On the Before You Begin page, click Next.
- On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.
- On the Select Role Services page, select the Federation Service check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.
- On the Choose a Server Authentication Certificate for SSL Encryption page, click Create a self-signed certificate for SSL encryption and then click Next.
- On the Choose a Token-Signing Certificate page, click Create a self-signed token-signing certificate and then click Next.
- On the Select Trust Policy page, click Create a new trust policy, and then click Next
- On the Select Role Services page, click Next to accept the default values.
- Verify the information on the Confirm Installation Selections page, and then click Install.
- On the Installation Results page, verify that everything installed correctly, and then click Close.
To configure the first federation server in a new federation server farm by using the Active Directory Federation Service Configuration Wizard
Note: Ensure that you have domain administrator permissions or have domain administrator credentials available before you perform this procedure.
- On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
- The Active Directory Federation Service Configuration Wizard opens.
- On the Welcome page, select Create the first federation server in a federation server farm and then click Next.
- On the Connect to AD DS page, specify an account by using domain administrator permissions for the Active Directory (AD) domain to which this computer is joined, and then click Next.
- On the Specify Service Properties page, do the following, and then click Next:
- Import the .pfx file that contains the Secure Socket Layer (SSL) certificate and key that you have obtained earlier.
- Provide a name for your federation service. For example, fs.contoso.com. This name must match one of the subject or subject alternative names in the certificate.
- Provide a display name for your federation service. For example, Contoso Corporation. Users see this name on the Active Directory Federation Services (AD FS) sign-in page.
- On the Specify Service Account page, specify a service account. You can either create or use an existing group Managed Service Account (gMSA) or use an existing domain user account. If you select the option to create a new gMSA account, specify a name for the new account. If you select the option to use an existing gMSA or domain account, click Select to select an account.
Note: The benefit of using a gMSA account is its auto-negotiated password update feature.
If you want to use a gMSA account, you must have at least one domain controller in your environment that is running the Windows Server 2012 operating system.
If the gMSA option is disabled, and you see an error message, such as Group Managed Service Accounts are not available because the KDS Root Key has not been set, you can enable gMSA in your domain by running the following Windows PowerShell command on a domain controller, which runs Windows Server 2012 or later, in your Active Directory domain: Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10). Then return to the wizard, click Previous, and then click Next to re-enter the Specify Service Account page. The gMSA option should now be enabled. You can select it and enter a gMSA account name that you want to use.
- On the Specify Configuration Database page, specify an AD FS configuration database, and then click Next. You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the location and the instance name of Microsoft SQL Server.
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.
- On the Review Options page, verify your configuration selections, and then click Next.
- On the Pre-requisite Checks page, verify that all prerequisite checks are successfully completed, and then click Configure.
- On the Results page, review the results and check whether the configuration is completed successfully. Click Close to exit the wizard.
To verify that a federation server is operational
Open a browser window and in the address bar, type the federation server name, and then append it with federationmetadata/2007-06/federationmetadata.xml to browse to the federation service metadata endpoint. For example, https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
In your browser window, if you can see the federation server metadata without any Secure Socket Layer (SSL) errors or warnings, your federation server is operational.
You can also browse to the AD FS sign-in page where your federation service name is appended with adfs/ls/idpinitiatedsignon.htm, for example, https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htm. This entry displays the AD FS sign-in page where you can sign in by using domain administrator credentials.
Ensure to configure your browser settings to trust the federation server role by adding your federation service name, for example, https://fs.contoso.com, to the browser’s local intranet zone.