ADFS 2.0 Setup Guide

In my previous project I was asked to configure and build an end-to-end Web Single Sign-On (SSO) solution using Active Directory Federation Services 2.0. One of the requirements was to identify whether this is suitable for our architecture design and how much customization we would need in order to implement our in-house single sign-on solution.

As our scenario was a bit different from the standard samples and setups, I had to do a bit of digging and go back and forth between many places in MSDN and other resources.

In the end it all worked, and I finally decided to write it down so that these steps become much easier if you follow them. Although I am starting the setup guide with prerequisites, my assumption is that you have good in-depth knowledge in the following areas:

  • Complete knowledge of Active Directory, AD forests and trusted domains.
  • Windows Kerberos authentication.
  • Architecture of managing Active Directory in the DMZ.
  • Knowledge of DNS Server, forward lookup and reverse lookup zones.
  • How Security Token Services (STS) work.
  • Installing a Windows certificate authority.
  • Configuring SSL certificates and securing websites using SSL.

I am going to use a fictitious domain name GoodHealth.com; the federation server name will be federation.goodhealth.com and the proxy name will be federationproxy.goodhealth.com. This is just my naming convention and you could use any naming convention for your implementation, as long as the names have proper DNS entries and the certificates are generated for these names. Otherwise the certificates will not work properly and the ADFS installation will not complete. The rest is all easy; just follow the installation steps.

Prerequisites

  1. Two Windows Server 2008 R2 servers, one for the ADFS Federation Server and another one for the ADFS Federation Proxy Server.
  2. DNS entries configured for Federation Server and Federation Server proxy i.e. federation.goodhealth.com and federationproxy.goodhealth.com
  3. IIS web server installed on the two servers.
  4. An ADFS domain service account
  5. SQL Server 2008 for storing ADFS Artifact and configuration information.
  6. Firewalls on the SQL Server are configured to allow the ADFS Servers to connect.
  7. Download ADFS Setup from Microsoft download site http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10909

Preparation

  1. Launch cmd with admin privilege and run the following commands to register the service principal names (SPNs) for the Federation Server and the Federation Proxy Server:

    Setspn -a host/<<Federation Server>> GoodHealth\serviceAccount

    Setspn -a http/<<Federation Server>> GoodHealth\serviceAccount

    Setspn -a http/<<Federation Proxy Server>> GoodHealth\serviceAccount

  2. Generate domain certificates using the IIS server for the federation server and the federation server proxy individually; make sure the subject name matches the DNS entry for the federation and federation proxy server.
  3. Configure the bindings to use the respective SSL certificates for secure HTTPS communication on the two web servers.
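The preparation steps above are the ones that silently break the later proxy trust step when a name, SPN or certificate subject does not line up. The following pre-flight check is an added example, not part of the original guide; it assumes the guide's fictitious names and service account, and takes the name this particular server answers to as `$localName`.

```powershell
# Added pre-flight check for the Preparation steps (not part of the original guide).
# Assumptions: the guide's names federation.goodhealth.com / federationproxy.goodhealth.com,
# the service account GoodHealth\serviceAccount, and $localName set to the name this server serves.
# Run in an elevated PowerShell; PowerShell 2.0 on Server 2008 R2 is sufficient.
$serviceAccount = 'GoodHealth\serviceAccount'
$federationName = 'federation.goodhealth.com'
$proxyName      = 'federationproxy.goodhealth.com'
$localName      = $federationName          # set to $proxyName when running on the proxy

$problems = @()

# 1. DNS: both federation names must resolve (the host A records from the prerequisites).
foreach ($name in @($federationName, $proxyName)) {
    try   { [System.Net.Dns]::GetHostAddresses($name) | Out-Null }
    catch { $problems += "DNS: $name does not resolve" }
}

# 2. SPNs: setspn -L lists what is registered to the account; the guide needs host/ and
#    http/ for the federation server and http/ for the proxy. Matching is case-insensitive.
$registered = setspn -L $serviceAccount | ForEach-Object { $_.Trim() }
$required   = @("host/$federationName", "http/$federationName", "http/$proxyName")
foreach ($spn in $required) {
    if ($registered -notcontains $spn) { $problems += "SPN: $spn is not registered to $serviceAccount" }
}

# 3. Certificate: the SSL certificate in LocalMachine\My must carry the DNS name as its
#    subject CN, have a private key and still be valid; the proxy trust step depends on this.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$match = $store.Certificates | Where-Object {
    $_.Subject -match "CN=$([regex]::Escape($localName))(,|$)" -and
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}
$store.Close()
if (-not $match) { $problems += "Cert: no valid certificate with private key for CN=$localName in LocalMachine\My" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "All preparation checks passed for $localName." }
```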

Installation

  1. Launch AdfsSetup.exe with admin privilege on Federation Server and choose “Federation Server” in the “Server Role”. This installation will also install all the Prerequisite Software like PowerShell, .Net Framework 3.5 SP1, Windows Identity Foundation etc.
  2. Launch cmd with admin privilege and run the following command to install a federation server in a SQL farm.

    FSConfig.exe CreateSQLFarm /ServiceAccount "GoodHealth\serviceAccount" /ServiceAccountPassword "password" /SQLConnectionString "database=AdfsConfiguration;server=<<SQL Server>>;integrated security=SSPI" /AutoCertRolloverEnabled /CleanConfig /FederationServiceName <<Federation Server>>

Once the installation is complete we should be able to see the ADFS 2.0 Federation Service being started as shown in the following figure.

Figure 1: ADFS setup completed (screenshot showing that the entire ADFS 2.0 setup went correctly)

To install the Federation Server proxy run AdfsSetup.exe as administrator and in the setup wizard choose “Federation Server proxy” and enter the name of the federation service server.

  1. Test the connection to make sure the proxy can connect to Federation server.
  2. When prompted enter the service account credential to establish the trust between the federation server proxy and the federation service.

Configuring Federation Service Server

  1. Launch PowerShell with admin privilege and run the following command to disable automatic rollover of certificate on the Federation Service Server.

    Set-ADFSProperties -AutoCertificateRollover $false

  2. Launch AD FS 2.0 Management and under ADFS 2.0\Services\Certificates right-click and select “Add Token-Signing Certificate”, then choose the web server certificate from the dialog box.
  3. Right-click the newly added certificate, set it as primary and delete the old certificate which was installed as part of the ADFS installation.
  4. Test the metadata page by accessing the metadata at

    https://<<Federation Server>>/federationmetadata/2007-06/federationmetadata.xml

  5. Launch PowerShell with admin privilege and run the following command to switch on the automatic rollover of the certificate.

    Set-ADFSProperties -AutoCertificateRollover $true

Launch the Services snap-in and make sure the following services are running:

  1. AD FS 2.0 Windows Service
  2. Claims to Windows Token Service
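After swapping the token-signing certificate (steps 2 and 3) and testing the metadata page (step 4), it is worth confirming that the metadata actually publishes the certificate that is now primary, because relying parties will validate tokens against whatever the metadata advertises. This verification script is an added example, not part of the original guide; it assumes the guide's federation server name and the AD FS 2.0 PowerShell snap-in.

```powershell
# Added verification for the certificate steps above (not part of the original guide).
# Assumptions: federation.goodhealth.com is the guide's federation server name, the script
# runs on that server in an elevated PowerShell, and the AD FS 2.0 snap-in is installed.
$federationServer = 'federation.goodhealth.com'
$metadataUrl = "https://$federationServer/federationmetadata/2007-06/federationmetadata.xml"

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The primary token-signing certificate as AD FS currently has it configured.
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary token-signing certificate is configured.' }

# Download the published metadata. With a domain-issued SSL certificate the download
# itself only succeeds when the binding chains to a CA this machine trusts.
$xml = New-Object System.Xml.XmlDocument
$xml.LoadXml((New-Object System.Net.WebClient).DownloadString($metadataUrl))

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Each <KeyDescriptor use="signing"> carries the base64 DER of a signing certificate;
# rebuild the X509 objects so thumbprints can be compared rather than raw base64 text.
$published = $xml.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)).Thumbprint
    } | Sort-Object -Unique

if ($published -contains $primary.Thumbprint) {
    Write-Host "OK: metadata publishes the primary token-signing certificate $($primary.Thumbprint)"
} else {
    Write-Warning "Metadata does not contain $($primary.Thumbprint); published: $($published -join ', ')"
    Write-Warning 'Restart the AD FS 2.0 Windows Service and re-check before sharing the metadata with relying parties.'
}
```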

Configuring Attribute Store

  1. Launch ADFS 2.0 Management and under ADFS 2.0\Attribute Store right-click and select “Add Attribute Store”.
  2. Enter an appropriate Display Name and choose “SQL” as the attribute store type.
  3. Enter the following connection string in the respective field.


    Data Source=<<SQL Server>>;integrated security=SSPI;database=<<Attribute Database>>

    and click “OK”. The attribute database is the name of the database which you gave when you ran the FSConfig command from the command prompt.

Adding a Relying Party

  1. Launch ADFS 2.0 Management and under ADFS 2.0\Trust Relationship right-click and choose “Add Relying Party Trust”.
  2. Enter the relying party URL in the “Federation metadata address (host name or URL)” field.
  3. Click next and in “Choose Issuance Authorization Rules” select “Permit all Users…” and click next and complete the wizard.

Enabling ADFS 2.0 Tracing

  1. Launch Event Viewer, go to Application and Services Logs\AD FS 2.0\Admin, right-click and select “View”.
  2. On the “View” sub-menu check “Show Analytic and Debug Logs”.
  3. Browse to Application and Services Logs\AD FS 2.0 Tracing\Debug to view ADFS tracing information.
  4. Open Service snap-in and restart “AD FS 2.0 Windows Service”.

I hope that if you followed the steps correctly you will have a proper ADFS environment up and running, and with the federation proxy server you will have that extra level of security. However, once this solution goes into a real public-facing environment (i.e. in the DMZ) you will need to purchase a proper certificate from an approved certificate authority like Verisign, Thawte etc.

Happy ADFS & SSO !! :)

  1. Ernando
    November 6, 2012 at 10:36 am

    Hi Prashant,

    When I am installing the Federation Proxy server and come to the setup page where you input the federation service name I am able to test the connection successfully. But when I hit the next button and type in my service account credentials I get an error message ‘Unable to establish a trust between the federation server proxy and federation service.’

    What I have noticed is that the subject name on the certificate specifies my Federation Server Name and not the Federation Service Name. What I also notice is that the Federation Service Name that is input on the setup page of the proxy server wizard is my Federation Server Name, but the test connection button works successfully. But I get the error as stated above.

    (Does the certificate subject field name need to be the same name as the Federation Service Name? If so, how do I change the subject field on the certificate for this to work, or is there another way to resolve this problem?)

    Also, am I correct in saying that the Federation Service Name and Federation Server Name cannot be the same?

    Federation Server Name = MPL-COLO-ADFS1 = 192.168.192.1 (DNS HOST A RECORD)
    Federation Service Name = MPL-COLO-ADFS = 192.168.192.1 (DNS HOST A RECORD)
    Federation Server Proxy = MPL-COLO-ADFSW = 192.168.192.2 (DNS HOST A RECORD)

    Subject field on my TEST SSL certificate = MPL-COLO-ADFS1

    HELP!!!!!!!!!!!!!!!!!!!!!!

  2. Are Speaking
    July 4, 2013 at 6:03 am

    Hi there, just became aware of your blog through Google, and found that
    it is really informative. I am going to watch out for brussels.

    I’ll be grateful if you continue this in future. Lots of people will be benefited from your writing. Cheers!

  3. Alex
    November 17, 2014 at 1:47 pm

    Hi Prashant,

    I am having an issue connecting to ADFS server via ( IE) Internet Explorer. However, Firefox and Chrome are working.

    Here is the error message:
    MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

    Appreciate your help.

