AD FS provides secure identity federation and single sign-on (SSO) capabilities so that users can access enterprise applications within an organization or across organizations (federated). In Windows Server 2012 R2, AD FS is bundled as a role; compared to AD FS 2.0, the notable differences are:
- AD FS no longer depends on IIS; it relies on HTTP.SYS instead.
- Installation and configuration can be done through the Server Manager UI.
- Group Managed Service Account (gMSA) support, although typically a service account with a non-expiring password can be used.
Other capabilities of AD FS on the Server 2012 platform are detailed here.
Installation and Configuration of AD FS role:
Go to Server Manager > Dashboard and choose Add roles and features.
The following set of screens will be presented in the wizard:
Select the Active Directory Federation Services role.
Click Install on the final step of the wizard.
Once the installation is complete, additional configuration steps must be performed; this is indicated as shown below:
Federation Service Configuration:
The first server where the AD FS role is installed in the domain typically becomes the primary federation server, so the option “Create first federation server…” is selected. For configuring AD FS on an additional server, the second option is selected.
In the following screen, specify the SSL certificate.
Specify the service account to be used for running the AD FS service.
There are two options for storing the AD FS configuration information: the Windows Internal Database (WID) or SQL Server. Detailed information is available here; for this setup we choose WID.
The final Review Options screen provides the option to store the configuration settings as a PowerShell script, which can be used for additional deployments without having to go through all the wizard steps again.
Now click the Configure button.
Additional Permissions to be Added or Verified:
- The Log on as a service user right (accessed through Local Security Policy) should include the service account used for AD FS. This is done on the server where the AD FS role is installed.
- The private key of the imported SSL certificate should grant read permission to the service account used for AD FS.
Things to Check:
I had named the service account for the AD FS service DEV\svc_adfs but found that the AD FS setup wizard removed the “_”, and consequently this distorted the SPN (Service Principal Name). As can be seen from the screenshot below, the wizard picked up the account name as DEV\svcADFS.
I then recreated the account to read as DEV\svc-adfs, then checked the SPN, and the registration was correct.
As viewed in Active Directory:
- Access Federation metadata at: https://sts.dev.local/federationmetadata/2007-06/federationmetadata.xml
- Sign-In and Sign-Out at: https://sts.dev.local/adfs/ls/idpinitiatedsignon.aspx
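The following PowerShell script is added here to automate the checks listed above (SPN registration, the Log on as a service right, private key access and the metadata endpoint); it is not part of the original post. The names sts.dev.local and svc-adfs come from the post; the certificate thumbprint, the CAPI key store location and the default identifier http://sts.dev.local/adfs/services/trust are assumptions.

```powershell
# Added verification script for the post-install checks above (not from the original post).
# Assumptions: sts.dev.local and svc-adfs come from the post; the certificate thumbprint is
# supplied by the admin; the key is a CAPI (CSP) RSA key; the federation service identifier
# is the default http://<name>/adfs/services/trust. Requires the ActiveDirectory module.
param(
    [string]$FederationServiceName = 'sts.dev.local',
    [string]$ServiceAccount        = 'svc-adfs',
    [Parameter(Mandatory = $true)][string]$CertThumbprint
)
$results = @()

# 1. SPN: exactly one directory object may hold host/<federation service name>, and it must be
#    the intended account. A wizard-renamed account (svc_adfs -> svcADFS) fails this check.
$spn     = "host/$FederationServiceName"
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
$user    = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames
$spnOk   = ($holders.Count -eq 1) -and ($user.ServicePrincipalNames -contains $spn)
$results += [pscustomobject]@{ Check = "SPN $spn registered on $ServiceAccount"; Passed = $spnOk }

# 2. 'Log on as a service' (SeServiceLogonRight): export local user rights and look for the SID.
$cfg = Join-Path $env:TEMP 'adfs-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rightLine = (Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }) -join ''
$logonOk   = $rightLine -like "*$($user.SID.Value)*"
$results += [pscustomobject]@{ Check = 'Log on as a service right'; Passed = $logonOk }

# 3. Private key ACL: the service account needs Allow/Read on the key container file.
#    CAPI keys live under MachineKeys; a CNG key (PrivateKey is $null) is reported as failed.
$cert  = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
$keyOk = $false
if ($cert.HasPrivateKey -and $cert.PrivateKey) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    $keyOk   = [bool]((Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference -like "*\$ServiceAccount" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    })
}
$results += [pscustomobject]@{ Check = 'Private key readable by service account'; Passed = $keyOk }

# 4. Metadata endpoint: fetch over TLS and confirm the entityID matches the federation service.
$uri      = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
$xml      = [xml](Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
$entityOk = $xml.EntityDescriptor.entityID -eq "http://$FederationServiceName/adfs/services/trust"
$results += [pscustomobject]@{ Check = "Federation metadata at $uri"; Passed = $entityOk }

$results | Format-Table -AutoSize
```

Run it on the federation server as an administrator with the thumbprint of the SSL certificate; every row should show Passed = True before proceeding to the sign-in test.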
Once the above testing is complete, AD FS is successfully configured.