ADFS 2.0 Setup Guide
In my previous project I was asked to configure and build an end-to-end Web Single Sign-On (SSO) solution using Active Directory Federation Services 2.0. One of the requirements was to identify whether this was suitable for our architecture design and how much customization we would need in order to implement our in-house single sign-on solution.
As our scenario was a bit different from the standard samples and setup, I had to do a bit of digging and go back and forth between many places in MSDN and other resources.
In the end it all worked out, and I finally decided to write it down so that these steps are much easier to follow. Although I am starting the setup guide with prerequisites, my assumption is that you have good in-depth knowledge in the following areas.
- Complete knowledge of Active Directory, AD Forests and trusted domains.
- Windows Kerberos authentication.
- Architecture of managing Active Directory in the DMZ.
- Knowledge of DNS Server, forward lookup and reverse lookup zones.
- How Security Token Services (STS) works.
- Installing Windows certificate authority.
- Configuring SSL certificates and securing websites using SSL.
So I am going to use a fictitious domain name, GoodHealth.com; the convention for the federation server name will be federation.goodhealth.com and the proxy name will be federationproxy.goodhealth.com. It's just my naming convention and you could use any naming convention for your implementation, as long as the names have proper DNS entries and the certificates are generated based on these names; otherwise your certificates will not work properly and the ADFS installation will not complete. The rest is all easy: follow the installation steps.
- 2 Windows Server 2008 R2 servers, one for ADFS Federation Server and another one for ADFS Federation Proxy Server.
- DNS entries configured for the Federation Server and Federation Server Proxy, i.e. federation.goodhealth.com and federationproxy.goodhealth.com.
- IIS web server installed on the two servers.
- An ADFS domain service account
- SQL Server 2008 for storing ADFS Artifact and configuration information.
- Firewalls on the SQL Server are configured to allow the ADFS Servers to connect.
- Download ADFS Setup from Microsoft download site http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10909
- Launch cmd with admin privilege and run the following commands to register the service principal names (SPNs) for the Federation Server and Federation Proxy Server on the service account:
Setspn -a host/<<Federation Server>> GoodHealth\serviceAccount
Setspn -a http/<<Federation Server>> GoodHealth\serviceAccount
Setspn -a http/<<Federation Proxy Server>> GoodHealth\serviceAccount
- Generate domain certificates using IIS on the federation server and the federation server proxy individually, making sure the subject name matches the DNS entry for each server.
- Configure the bindings to use the respective SSL certificates for secure HTTPS communication on the two web servers.
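Before running the ADFS installer it is worth confirming that the prerequisites above actually hold, because the installer fails late if DNS, the certificate subject or the SPNs are wrong. The following pre-flight script is an added example (not part of the original post) that checks all three on the federation server; it uses the post's constructed names and assumes setspn.exe is on the path.

```powershell
# Added example, not from the original post: pre-flight checks for the prerequisites
# above, run on the federation server before AdfsSetup.exe and FSConfig.exe.
# The names below are the post's constructed conventions; adjust them for your environment.
$FederationName = 'federation.goodhealth.com'
$ProxyName      = 'federationproxy.goodhealth.com'
$ServiceAccount = 'GoodHealth\serviceAccount'
$failures = @()

# 1. Both names must resolve; the certificates and the proxy trust are built on these names.
foreach ($name in $FederationName, $ProxyName) {
    try   { [System.Net.Dns]::GetHostAddresses($name) | Out-Null }
    catch { $failures += "DNS: $name does not resolve" }
}

# 2. The web server certificate subject must match the federation service name,
#    have a private key, and not be expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($FederationName))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { $failures += "Cert: no certificate with CN=$FederationName in LocalMachine\My" }
elseif (-not $cert.HasPrivateKey) { $failures += "Cert: $($cert.Thumbprint) has no private key" }
elseif ($cert.NotAfter -lt (Get-Date)) { $failures += "Cert: $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# 3. The SPNs registered with setspn above must be on the service account, and on no other
#    account: a duplicate SPN elsewhere in the forest breaks Kerberos for the federation service.
$expected   = "HOST/$FederationName", "HTTP/$FederationName", "HTTP/$ProxyName"
$registered = setspn -L $ServiceAccount 2>&1 | ForEach-Object { "$_".Trim() }
foreach ($spn in $expected) {
    if ($registered -notcontains $spn) { $failures += "SPN: $spn is not registered on $ServiceAccount" }
}
$dupReport = setspn -X 2>&1 | Out-String
if ($dupReport -match 'found (\d+) group' -and [int]$Matches[1] -gt 0) {
    $failures += "SPN: duplicate SPNs found in the forest, review the output of 'setspn -X'"
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Pre-flight checks passed for $FederationName"
```

Run it again on the proxy with $FederationName set to the proxy name to check that server's certificate the same way.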
- Launch AdfsSetup.exe with admin privilege on the Federation Server and choose "Federation Server" in the "Server Role". This installation will also install all the prerequisite software like PowerShell, .NET Framework 3.5 SP1, Windows Identity Foundation etc.
- Launch cmd with admin privilege and run the following command to create a federation server farm whose configuration is stored in SQL Server.
FSConfig.exe CreateSQLFarm /ServiceAccount "GoodHealth\serviceAccount" /ServiceAccountPassword "password" /SQLConnectionString "database=AdfsConfiguration;server=<<SQL Server>>;integrated security=SSPI" /AutoCertRolloverEnabled /CleanConfig /FederationServiceName <<Federation Server>>
Once the installation is complete we should be able to see the ADFS 2.0 Federation Service being started as shown in the following figure.
Figure 1: ADFS setup completed
To install the Federation Server proxy run AdfsSetup.exe as administrator and in the setup wizard choose “Federation Server proxy” and enter the name of the federation service server.
- Test the connection to make sure the proxy can connect to Federation server.
- When prompted enter the service account credential to establish the trust between the federation server proxy and the federation service.
Configuring Federation Service Server
- Launch PowerShell with admin privilege and run the following commands to disable automatic rollover of certificates on the Federation Service Server (the first line loads the ADFS 2.0 cmdlets into the session).
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSProperties -AutoCertificateRollover $false
- Launch AD FS 2.0 Management and under ADFS 2.0\Services\Certificates right-click and select "Add Token-Signing Certificate" and choose the web server certificate from the dialog box.
- Right click on the newly added certificate and set it as primary and delete the old certificate which was installed as part of ADFS installation.
- Test the metadata page by accessing the metadata at
- Launch PowerShell with admin privilege and run the following commands to switch automatic rollover of the certificate back on.
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSProperties -AutoCertificateRollover $true
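The same certificate swap can be scripted, which makes it repeatable and lets you verify the end state rather than trusting the console. This is an added example, not code from the original post; it assumes the ADFS 2.0 snap-in is installed and that $NewThumbprint (a constructed placeholder) is the thumbprint of the web server certificate issued for federation.goodhealth.com.

```powershell
# Added example, not from the original post: PowerShell equivalent of the token-signing
# certificate steps above (disable rollover, add, make primary, remove old, re-enable).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$NewThumbprint = '0000000000000000000000000000000000000000'   # placeholder: real thumbprint goes here

# The certificate must be in the machine store with a private key, or ADFS cannot sign with it.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)               { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key" }

# 1. Stop automatic rollover so ADFS does not replace the certificate we are about to add.
Set-ADFSProperties -AutoCertificateRollover $false

# 2. Record what is configured now, so the old setup-generated certificate can be removed later.
$before = Get-ADFSCertificate -CertificateType Token-Signing

# 3. Add the new certificate and make it the primary token-signing certificate.
Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary

# 4. Remove the certificate(s) that were there before (a primary cannot be removed, which is
#    why the new one was made primary first).
foreach ($old in $before) {
    if ($old.Thumbprint -ne $NewThumbprint) {
        Remove-ADFSCertificate -CertificateType Token-Signing -Thumbprint $old.Thumbprint
    }
}

# 5. Re-enable rollover, as the post does.
Set-ADFSProperties -AutoCertificateRollover $true

# 6. Verify: the primary token-signing certificate is the one we expect.
$after = Get-ADFSCertificate -CertificateType Token-Signing
$after | Format-Table Thumbprint, IsPrimary, @{ n = 'Subject'; e = { $_.Certificate.Subject } }
$primary = $after | Where-Object { $_.IsPrimary }
if ($primary.Thumbprint -ne $NewThumbprint) { throw "Primary token-signing certificate is not $NewThumbprint" }
```

Relying parties that already trust this federation service will need the new signing certificate's public key, which is why the metadata page is checked in the next step.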
Launch Services and make sure the following services are running in the Windows Services snap-in.
- AD FS 2.0 Windows Service
- Claims to Windows Token Service
Configuring Attribute Store
- Launch ADFS 2.0 Management and under ADFS 2.0\Attribute Store right-click and select "Add Attribute Store".
- Enter an appropriate Display Name and choose “SQL” as the attribute store type.
- Enter the following connection string in the respective field.
Data Source=<<SQL Server>>;integrated security=SSPI;database=<<Attribute Database>>
and click "OK". The attribute database is the name of the database which you gave when you ran the FSConfig command from the command prompt.
Adding a Relying Party
- Launch ADFS 2.0 Management and under ADFS 2.0\Trust Relationship right-click and choose "Add Relying Party Trust".
- Enter the relying party URL in the "Federation metadata address (host name or URL)" field.
- Click next and in “Choose Issuance Authorization Rules” select “Permit all Users…” and click next and complete the wizard.
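The wizard above can also be driven from PowerShell, which is useful when the same relying party has to be added to every server in the farm or re-created after a rebuild. This is an added example, not code from the original post; the relying party name and metadata URL are constructed placeholders, and the rule text is the standard ADFS 2.0 claim-rule equivalent of "Permit all users".

```powershell
# Added example, not from the original post: PowerShell equivalent of the
# "Add Relying Party Trust" wizard with the "Permit all users" authorization rule.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$RpName        = 'GoodHealth Portal'                      # display name shown in the console (placeholder)
$RpMetadataUrl = 'https://portal.goodhealth.com/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder

# Import the relying party from its federation metadata: identifier, endpoints and
# encryption certificate all come from the document the application publishes.
Add-ADFSRelyingPartyTrust -Name $RpName -MetadataUrl $RpMetadataUrl

# Issuance authorization rule equivalent to "Permit all users" in the wizard.
# Every authenticated user is allowed to receive a token for this relying party.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $permitAll

# Verify what was imported before pointing users at it: the Identifier and endpoints
# should match what the application owner expects, and the authorization rule should be set.
$rp = Get-ADFSRelyingPartyTrust -Name $RpName
$rp | Format-List Name, Identifier, Enabled, MetadataUrl, IssuanceAuthorizationRules
if (-not $rp.IssuanceAuthorizationRules) { throw "No issuance authorization rules set for $RpName" }
```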
Enabling ADFS 2.0 Tracing
- Launch Event Viewer, then under Application and Services Logs\AD FS 2.0\Admin right-click and select "View".
- On the "View" sub-menu check "Show Analytic and Debug Logs".
- Browse to Application and Services Logs\AD FS 2.0 Tracing\Debug to view ADFS tracing information.
- Open the Services snap-in and restart "AD FS 2.0 Windows Service".
I hope that if you followed the steps correctly you will have a proper ADFS environment up and running, and with the federation proxy server you will have that extra level of security. However, once this solution goes into a real public-facing environment (i.e. in the DMZ) you will need to purchase a proper certificate from an approved certificate authority like Verisign, Thawte etc.
Happy ADFS & SSO !! :)