ADFS Installation

1. Preparation for ADFS Installation

1.1 Create a Certificate Template

ADFS requires trusted certificates to ensure secure communication. These certificates can be generated using your internal Certificate Authority (CA). Follow these steps to create a certificate template:

  1. Access Certificate Templates Management:

    • Open the Certification Authority console.

    • Navigate to Certificate Templates → Right-click and select Manage.

  2. Duplicate an Existing Template:

    • Locate the Web Server template, right-click it, and select Duplicate Template.

  3. Modify the Template:

    • Go to the General tab:

      • In Template display name, enter a name like "SSL Certificates."

    • Go to the Security tab:

      • Select Authenticated Users and check Enroll under the Allow column. Click OK.

  4. Publish the New Template:

    • Close the Certificate Templates console.

    • In the Certification Authority console, right-click Certificate Templates → New → Certificate Template to Issue.

    • Select the newly created template (e.g., SSL Certificates) and click OK.

    The template will now appear under Certificate Templates in the Certification Authority console.

1.2 Generate a Certificate for ADFS

Once the certificate template is created, generate a certificate for the ADFS server:

  1. Open MMC (Microsoft Management Console):

    • Press Win + R, type mmc.exe, and press Enter.

    • Go to File → Add/Remove Snap-in… → Select Certificates and click Add.

    • Choose Computer account and click Finish.

  2. Request a New Certificate:

    • Expand Certificates (Local Computer) → Right-click Personal → All Tasks → Request New Certificate.

    • Follow the wizard until the template selection window appears.

    • Select the newly created template (e.g., SSL Certificates) and click More information is required to enroll for this certificate.

  3. Specify Certificate Details:

    • In the Subject name group:

      • Set Type to Common Name and enter the Fully Qualified Domain Name (FQDN) of your ADFS server (e.g., adfs.ad.contoso.com). Click Add.

    • In the Alternative name group:

      • Set Type to DNS and enter the FQDN again (e.g., adfs.ad.contoso.com). If multiple names are used for ADFS, add them all.

  4. Enroll:

    • After entering the required details, click OK and Enroll to generate the certificate.

The new certificate will appear in the Certificates (Local Computer) → Personal section.

1.3 Create a Service Account for ADFS

Microsoft recommends using a Group Managed Service Account (gMSA) to run the ADFS service. To create the account:

  1. Prepare the Key Distribution Service (KDS):

    • Run the following PowerShell command on a domain controller:

      Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

  2. Create the gMSA:

    • Use the following syntax to create the gMSA:

      New-ADServiceAccount -Name <AccountName> -DnsHostName <FederationServiceName> -ServicePrincipalNames http/<FederationServiceName>

    • Example:

      New-ADServiceAccount -Name FSgMSA -DnsHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com
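The gMSA steps in 1.3 as one PowerShell script, added here as an example rather than taken from the original guide. It keeps the page's FSgMSA and adfs.contoso.com values; the federation server's computer account name ADFS01 is an assumption, and the script explicitly scopes PrincipalsAllowedToRetrieveManagedPassword to that server so no other host in the domain can retrieve the managed password.

```powershell
# Added example (not from the original guide): create the ADFS gMSA with the
# password-retrieval scope pinned to the federation server, then verify it.
# Constructed assumptions: the federation server's computer account is ADFS01;
# the federation service name is adfs.contoso.com as on the page.
Import-Module ActiveDirectory

$gmsaName    = 'FSgMSA'
$fsName      = 'adfs.contoso.com'
$adfsServers = @('ADFS01')   # computer accounts allowed to retrieve the gMSA password

# 1. KDS root key: add one only if the forest has none yet. Backdating by 10 hours
#    skips the normal replication wait; Microsoft documents this for test environments.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. The SPN must be unique in the forest; a duplicate breaks Kerberos auth to ADFS.
$spn = "http/$fsName"
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($dup) { throw "SPN $spn is already registered on $($dup.DistinguishedName)" }

# 3. Create the gMSA. Limiting PrincipalsAllowedToRetrieveManagedPassword to the
#    federation servers is least privilege: only those hosts can fetch the password.
$principals = $adfsServers | ForEach-Object { Get-ADComputer -Identity $_ }
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $fsName `
    -ServicePrincipalNames $spn `
    -PrincipalsAllowedToRetrieveManagedPassword $principals `
    -KerberosEncryptionType AES256

# 4. Verify the object as created. On the ADFS server itself, run
#    Install-ADServiceAccount -Identity FSgMSA and then Test-ADServiceAccount -Identity FSgMSA;
#    Test-ADServiceAccount returns $true only if that host can retrieve the managed password.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Format-List Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```

Run the script on a domain controller or a host with the RSAT ActiveDirectory module as an account that may create service accounts; the DNSHostName and SPN must match the name the ADFS wizard later derives from the SSL certificate.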

2. Install ADFS Role

2.1 Add ADFS Role

  1. Open Server Manager.

  2. Click Manage → Add Roles and Features.

  3. Follow the wizard and select Active Directory Federation Services when prompted to choose a role.

2.2 Configure ADFS

  1. After installation, open the Server Manager dashboard.

  2. Click Configure the federation service on this server.

  3. Follow the ADFS configuration wizard:

    • Specify the Certificate: Select the SSL certificate created earlier.

    • Federation Service Name: This will auto-fill based on the certificate (e.g., adfs.contoso.com).

    • Federation Service Display Name: Enter the name of your organization.

    • Specify the Service Account: Use the gMSA created earlier (e.g., FSgMSA).

  4. Leave the remaining options as default and complete the configuration.
