ADFS Installation
1. Preparation for ADFS Installation
1.1 Create a Certificate Template
ADFS requires trusted certificates to ensure secure communication. These certificates can be generated using your internal Certificate Authority (CA). Follow these steps to create a certificate template:
Access Certificate Templates Management:
Open the Certification Authority console.
Navigate to Certificate Templates → Right-click and select Manage.
Duplicate an Existing Template:
Locate the Web Server template, right-click it, and select Duplicate Template.
Modify the Template:
Go to the General tab:
In Template display name, enter a name like "SSL Certificates."
Go to the Security tab:
Select Authenticated Users and check Enroll under the Allow column. Click OK.
Publish the New Template:
Close the Certificate Templates console.
In the Certification Authority console, right-click Certificate Templates → New → Certificate Template to Issue.
Select the newly created template (e.g., SSL Certificates) and click OK.
The template will now appear under Certificate Templates in the Certification Authority console.
1.2 Generate a Certificate for ADFS
Once the certificate template is created, generate a certificate for the ADFS server:
Open MMC (Microsoft Management Console):
Press Win + R, type
mmc.exe
, and press Enter.Go to File → Add/Remove Snap-in… → Select Certificates and click Add.
Choose Computer account and click Finish.
Request a New Certificate:
Expand Certificates (Local Computer) → Right-click Personal → All Tasks → Request New Certificate.
Follow the wizard until the template selection window appears.
Select the newly created template (e.g., SSL Certificates) and click More information is required to enroll for this certificate
Specify Certificate Details:
In the Subject name group:
Set Type to Common Name and enter the Fully Qualified Domain Name (FQDN) of your ADFS server (e.g.,
adfs.ad.contoso.com
). Click Add.
In the Alternative name group:
Set Type to DNS and enter the FQDN again (e.g.,
adfs.ad.contoso.com
). If multiple names are used for ADFS, add them all.
Enroll:
After entering the required details, click OK and Enroll to generate the certificate.
The new certificate will appear in the Certificates (Local Computer) → Personal section.
1.3 Create a Service Account for ADFS
Microsoft recommends using a Group Managed Service Account (gMSA) to run the ADFS service. To create the account:
Prepare the Key Distribution Service (KDS):
Run the following PowerShell command on a domain controller:
Create the gMSA:
Use the following syntax to create the gMSA:
Example:
2. Install ADFS Role
2.1 Add ADFS Role
Open Server Manager.
Click Manage → Add Roles and Features.
Follow the wizard and select Active Directory Federation Services when prompted to choose a role.
2.2 Configure ADFS
After installation, open the Server Manager dashboard.
Click Configure the federation service on this server.
Follow the ADFS configuration wizard:
Specify the Certificate: Select the SSL certificate created earlier.
Federation Service Name: This will auto-fill based on the certificate (e.g.,
adfs.contoso.com
).Federation Service Display Name: Enter the name of your organization.
Specify the Service Account: Use the gMSA created earlier (e.g., FSgMSA).
Leave the remaining options as default and complete the configuration.
Next Steps
After setting up ADFS, proceed to integrate it with Microsoft Exchange by configuring claims-based authentication for Outlook Web App (OWA) and Exchange Admin Center (EAC).
For more information, refer to the official Microsoft documentation on ADFS installation.
Last updated