ADFS Installation

1. Preparation for ADFS Installation

1.1 Create a Certificate Template

ADFS requires trusted certificates to ensure secure communication. These certificates can be generated using your internal Certificate Authority (CA). Follow these steps to create a certificate template:

1. Access Certificate Templates Management:

   • Open the Certification Authority console.

   

   • Navigate to Certificate Templates → Right-click and select Manage.

   
2. Duplicate an Existing Template:

   • Locate the Web Server template, right-click it, and select Duplicate Template.

   
3. Modify the Template:

   • Go to the General tab:

     • In Template display name, enter a name like "SSL Certificates."

   • Go to the Security tab:

     • Select Authenticated Users and check Enroll under the Allow column. Click OK.

     
4. Publish the New Template:

   • Close the Certificate Templates console.

   • In the Certification Authority console, right-click Certificate Templates → New → Certificate Template to Issue.

   

   • Select the newly created template (e.g., SSL Certificates) and click OK.

   The template will now appear under Certificate Templates in the Certification Authority console.

1.2 Generate a Certificate for ADFS

Once the certificate template is created, generate a certificate for the ADFS server:

1. Open MMC (Microsoft Management Console):

   • Press Win + R, type mmc.exe, and press Enter.

   • Go to File → Add/Remove Snap-in… → Select Certificates and click Add.

   • Choose Computer account and click Finish.

2. Request a New Certificate:

   • Expand Certificates (Local Computer) → Right-click Personal → All Tasks → Request New Certificate.

   

• Follow the wizard until the template selection window appears.

• Select the newly created template (e.g., SSL Certificates) and click More information is required to enroll for this certificate

1. Specify Certificate Details:

• In the Subject name group:

  • Set Type to Common Name and enter the Fully Qualified Domain Name (FQDN) of your ADFS server (e.g., adfs.ad.contoso.com). Click Add.

• In the Alternative name group:

  • Set Type to DNS and enter the FQDN again (e.g., adfs.ad.contoso.com). If multiple names are used for ADFS, add them all.

1. Enroll:

• After entering the required details, click OK and Enroll to generate the certificate.

The new certificate will appear in the Certificates (Local Computer) → Personal section.

1.3 Create a Service Account for ADFS

Microsoft recommends using a Group Managed Service Account (gMSA) to run the ADFS service. To create the account:

1. Prepare the Key Distribution Service (KDS):

   • Run the following PowerShell command on a domain controller:

     Copy

     Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

2. Create the gMSA:

   • Use the following syntax to create the gMSA:

     Copy

     New-ADServiceAccount -Name <AccountName> -DnsHostName <FederationServiceName> -ServicePrincipalNames http/<FederationServiceName>

   • Example:

     Copy

     New-ADServiceAccount -Name FSgMSA -DnsHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com

2. Install ADFS Role

2.1 Add ADFS Role

1. Open Server Manager.

2. Click Manage → Add Roles and Features.

3. Follow the wizard and select Active Directory Federation Services when prompted to choose a role.

2.2 Configure ADFS

1. After installation, open the Server Manager dashboard.

1. Click Configure the federation service on this server.

1. Follow the ADFS configuration wizard:

• Specify the Certificate: Select the SSL certificate created earlier.

• Federation Service Name: This will auto-fill based on the certificate (e.g., adfs.contoso.com).

• Federation Service Display Name: Enter the name of your organization.

• Specify the Service Account: Use the gMSA created earlier (e.g., FSgMSA).

1. Leave the remaining options as default and complete the configuration.