# ADFS Installation

## **1. Preparation for ADFS Installation**

### **1.1 Create a Certificate Template**

ADFS requires trusted certificates to ensure secure communication. These certificates can be generated using your internal Certificate Authority (CA). Follow these steps to create a certificate template:

1. **Access Certificate Templates Management**:

   * Open the **Certification Authority** console.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeUg_6tTTfXYooSezcZOiHTbi_O2qoYZfq3jKE5e1_QoXvCSitZ20ZBkRjqX7m_f9xR8DbJSZUVsncuMLSPILx6SvjQiOj-ew7AAm-aAKN1PqBkPP_A51Xi8Tf9qqDdMQf-lgJ9KQ?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

   * Navigate to **Certificate Templates** → Right-click and select **Manage**.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc0p6vbWr_wFVtpkIBFJY-LTdnQQY32uqgpdNwzNpVPmq73ZE5n9GqvuFkgwUkaLDiRY9tIQL3O1kl2PHemCnrt0xY_Ftr1g4UlrpsZHDhYS7isLskvptadSGHwe8A-EqeQVI_C5w?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>
2. **Duplicate an Existing Template**:

   * Locate the **Web Server** template, right-click it, and select **Duplicate Template**.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcPjyJvuQB1DkATWAKFzS_4hG9gQL4tE2tATRLJnVkxyieb4TDWEO51BfOlDUsWORL4JzFk71nCYhzhohy-B5KMtlIa33tnzob6YO10B5eesOQASyAAp09G63bC0ekwszHFMziGZQ?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>
3. **Modify the Template**:
   * Go to the **General** tab:
     * In **Template display name**, enter a name like "SSL Certificates."
   * Go to the **Security** tab:

     * Select **Authenticated Users** and check **Enroll** under the **Allow** column. Click **OK**.

     <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfc6UIYhdgdRHJ-tNgkTMrcBWgp_OQT3PPfUKG2AYk1uCtPB3lNy5ChV6eHuT3ERx6CRw084nSVeMwtuXMm2PJHaE-fx9FTCQKAqBwtS2057pp5pgnhG-3xV5GbMdaZ8br1DaJ76w?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>
4. **Publish the New Template**:

   * Close the **Certificate Templates** console.
   * In the **Certification Authority** console, right-click **Certificate Templates** → **New** → **Certificate Template to Issue**.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe2Rxp-h39IahXtrss4POsoKschi1Edm-vVQ7vzDJQbCXPVG5ZJ1Y46VG6uI_dVTZEeCIdtQPhiY-RL_-2_3DiL8PouqxQpUciOzhJj1-I5srkWXYubFBKFGtyOgP4W8xXDxnI_?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

   * Select the newly created template (e.g., SSL Certificates) and click **OK**.

   The template will now appear under **Certificate Templates** in the **Certification Authority** console.

### **1.2 Generate a Certificate for ADFS**

Once the certificate template is created, generate a certificate for the ADFS server:

1. **Open MMC (Microsoft Management Console)**:
   * Press **Win + R**, type `mmc.exe`, and press **Enter**.
   * Go to **File** → **Add/Remove Snap-in…** → Select **Certificates** and click **Add**.
   * Choose **Computer account** and click **Finish**.
2. **Request a New Certificate**:

   * Expand **Certificates (Local Computer)** → Right-click **Personal** → **All Tasks** → **Request New Certificate**.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdKQLg-QYcS5QILCFCQjsS3N7FNW5EszEjgwOkgGZDCL7nGj1iE1Otp4whWFkzyZvMZ9bDqIL5SW4KjQzrNeIfA35-C64UIbF6AzGjdZS1AY0qTKXWqnElQn9MqfriT3biT3yotxw?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

   * Follow the wizard until the template selection window appears.
   * Select the newly created template (e.g., SSL Certificates) and click **More information is required to enroll for this certificate**.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfQ1KiUWWHkBoOmy34moaUBayWosAf5m8kz_6AypC1ThUQX0TDVVNHUUGRdAtR8ULV8x3l7oZ3FMqaWWsapP69TdXSYuzWy6j7sBEjFtC86gZhVG6uQUsuKJ96sq7Avee_bl4HYZg?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>
3. **Specify Certificate Details**:

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcxqanAm1oy_RV9zYu8o5kjqSh9nXtC0U3BsKPFopB6rpHidagbgpyZOY8240XdnCQS0E7BTvUH1_Vsxhs6e0IsYrbLN1oJ4lyf3qPMp2xCjGkaZCH_RKh6mZXT1JRsa1L0JBCzTA?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

   * In the **Subject name** group:
     * Set **Type** to **Common Name** and enter the **Fully Qualified Domain Name (FQDN)** of your ADFS server (e.g., `adfs.ad.contoso.com`). Click **Add**.
   * In the **Alternative name** group:
     * Set **Type** to **DNS** and enter the **FQDN** again (e.g., `adfs.ad.contoso.com`). If multiple names are used for ADFS, add them all.
4. **Enroll**:

   * After entering the required details, click **OK** and **Enroll** to generate the certificate.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXexfE-gLghagu5us3WWE4VmMFfevbTXsGJWIwHKX2Gw3_q9EQNT7kQXxtdphNxyfi52JJwj3hXCHC_wecuRrRwMvRI8bigVF0MCcAGnQQ09exmkDQxH64llJornuEbsk5tuT4jeAA?key=e2qx57R0hZ7MDRvJbziIVxF6" alt="" width="563"><figcaption></figcaption></figure>

The new certificate will appear in the **Certificates (Local Computer)** → **Personal** section.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeT3BLz7T1zCGPWtWviGnNtX_BUzu3UL8XpzrUwfmaBgpZd1pN8XWecN8o2YeDDqAYa4ZvkhALfTz3V1lUq2XW037FFYCI_lDt_66TOLrjwlYe2mON5r46Vp9xZcrSjpngz1WkxRA?key=e2qx57R0hZ7MDRvJbziIVxF6" alt="" width="563"><figcaption></figcaption></figure>
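The same enrollment can be done from PowerShell with the `Get-Certificate` cmdlet of the built-in PKI module, which also lets you verify the result before handing the thumbprint to the ADFS wizard. The script below is an added example, not code from the Hideez page; it assumes the template's object name is `SSLCertificates` (the CA derives it from the display name "SSL Certificates" by dropping the space, but check the **General** tab), that enrollment policy is auto-discovered from the domain, and that the FQDNs are placeholders for your own names. Because the template created above is enrollable by **Authenticated Users** and takes the subject from the request, any domain account can request a server certificate for any host name; once the ADFS certificate is issued, limiting **Enroll** on the template to a group that contains the ADFS server's computer account is a sensible tightening (an optional step, not part of the page's procedure).

```powershell
# Added example (not from the Hideez page): request the ADFS TLS certificate from the
# internal CA with the PKI module instead of the MMC wizard, then verify the result.
# Assumptions: template object name "SSLCertificates", auto-discovered enrollment policy,
# and placeholder host names.

$fqdn     = 'adfs.ad.contoso.com'                        # Federation Service name (placeholder)
$extraSan = @('enterpriseregistration.ad.contoso.com')   # optional extra SANs (placeholder)
$template = 'SSLCertificates'                            # template *name*, not display name (assumption)

# Request into the machine store. -DnsName fills the Subject Alternative Name extension;
# a CN alone is not enough for modern TLS clients.
$result = Get-Certificate -Template $template `
                          -SubjectName "CN=$fqdn" `
                          -DnsName (@($fqdn) + $extraSan) `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status '$($result.Status)' (a Pending request needs CA manager approval)"
}
$cert = $result.Certificate

# Sanity checks a deployer should make before giving the thumbprint to the ADFS wizard.
$now    = Get-Date
$checks = [ordered]@{
    'Has private key'             = $cert.HasPrivateKey
    'SAN contains service name'   = ($cert.DnsNameList.Unicode -contains $fqdn)
    'Server Authentication EKU'   = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    'Within validity period'      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    'Chains to a trusted root'    = $cert.Verify()
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    throw 'Certificate is not suitable for ADFS; see the failed checks above.'
}

# The thumbprint is what the configuration wizard (or Install-AdfsFarm) asks for.
"Thumbprint: $($cert.Thumbprint)"
```

Run it in an elevated PowerShell session on the future ADFS server so the key pair is generated in, and never leaves, that machine's store. A `Pending` status means the template requires CA manager approval; issue the request in the **Certification Authority** console and rerun the checks with `Get-ChildItem Cert:\LocalMachine\My`.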

### **1.3 Create a Service Account for ADFS**

Microsoft recommends using a **Group Managed Service Account (gMSA)** to run the ADFS service. To create the account:

1. **Prepare the Key Distribution Service (KDS)**:
   * Run the following PowerShell command on a domain controller. The `-EffectiveTime` value backdated by 10 hours makes the root key usable immediately; in production, omit it and wait 10 hours so the key replicates to all domain controllers before creating the gMSA:

     ```powershell
     Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
     ```
2. **Create the gMSA**:
   * Use the following syntax to create the gMSA:

     ```powershell
     New-ADServiceAccount -Name <AccountName> -DnsHostName <FederationServiceName> -ServicePrincipalNames http/<FederationServiceName>
     ```
   * Example:

     ```powershell
     New-ADServiceAccount -Name FSgMSA -DnsHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com
     ```
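The following script is an added example (not from the Hideez page) that carries the two steps above through to a verified account. It assumes the ADFS server's computer account is `ADFS01$`, the Federation Service name is `adfs.contoso.com`, and the account name `FSgMSA` from the page's example; `-PrincipalsAllowedToRetrieveManagedPassword` is set explicitly here so that only the ADFS servers can ever read the gMSA password, and the SPN duplicate check is an addition of the example.

```powershell
# Added example (not from the Hideez page): create and validate the ADFS gMSA end to end.
# Run on a domain controller (or any host with the ActiveDirectory module and the
# rights to create service accounts). Host and account names are placeholders.

Import-Module ActiveDirectory

$fsName    = 'adfs.contoso.com'   # Federation Service name (placeholder)
$gmsaName  = 'FSgMSA'
$adfsHosts = @('ADFS01$')         # computer accounts allowed to retrieve the password (placeholder)

# 1. KDS root key: a gMSA password cannot be derived until a root key is effective.
if (-not (Get-KdsRootKey)) {
    # Backdating EffectiveTime is the lab shortcut the page uses; in production omit it
    # and wait 10 hours so the key replicates to every DC before creating the gMSA.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
$key = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not (Test-KdsRootKey -KeyId $key.KeyId)) { throw 'KDS root key is not usable yet' }

# 2. Create the gMSA, restricting password retrieval to the ADFS servers only
#    (least privilege: no other principal in the domain can read the password).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
                         -DnsHostName $fsName `
                         -ServicePrincipalNames "http/$fsName" `
                         -PrincipalsAllowedToRetrieveManagedPassword $adfsHosts
}

# 3. Verify the object: expected SPN, expected password readers, and no duplicate SPN,
#    since a second account holding http/<fsname> breaks Kerberos for the service.
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
            -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
'SPNs:             {0}' -f ($gmsa.ServicePrincipalNames -join ', ')
'Password readers: {0}' -f ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')

$dupes = Get-ADObject -Filter "servicePrincipalName -eq 'http/$fsName'" |
         Where-Object { $_.DistinguishedName -ne $gmsa.DistinguishedName }
if ($dupes) { throw "Duplicate SPN http/$fsName found on: $($dupes.DistinguishedName -join '; ')" }

# 4. On the ADFS server itself, confirm the host can retrieve the password
#    (returns True once the server's Kerberos ticket reflects the new membership,
#    typically after a reboot):
#    Test-ADServiceAccount $gmsaName
```

`Get-ADObject -Filter` searches the whole domain for the SPN, which is the check that catches a gMSA created twice under different names or an SPN left behind on an old service account.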

## **2. Install ADFS Role**

### **2.1 Add ADFS Role**

1. Open **Server Manager**.
2. Click **Manage** → **Add Roles and Features**.
3. Follow the wizard and select **Active Directory Federation Services** when prompted to choose a role.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcQe-hqGaold5OXJ4rHAD5fa5U1BPg-fDufeDUJlnzD1PVDJPNGqe5KK_roCadtVymbal-j8VplOBRyPWQziUhfaG1FwpSf5HViHFucGMv9g-ATmyi2NqWLM8R2784XDJoEB8BW-g?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

### **2.2 Configure ADFS**

1. After installation, open the **Server Manager** dashboard.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdcRwYZU79fuhMxYhpCPptshHINkSl9nXlcb97yr6-oCI3sG2UTgovgIlrs6_IbEy1ehrvQC_z_Z9cGUlMR5bzIeiHXNtSSd4CMP5abfVdYKGGyQo1KuXM8hQNR3XYGQT0Fo1z_Rw?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

2. Click **Configure the federation service on this server**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcGQIJ-c1NFhKyMpz2SwDvZpc92Me7Fw0isCF0HOGt1uRQ0Se3tEQaOqbtCg2AJIW-xDXafrW6rNGSP5HOufCnjpqXOJfuJmfdJr42TqgK8sGg8inKLJ8VHO-gSNcYlQo4Q5roG?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

3. Follow the ADFS configuration wizard:

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdaM8RxQhppp-TZsx6-iPeydG84FavwQJ6nq1KzzLjnVuOa8qp0wh85L2lT8jnf_bWCaKRHaaWo-W8NKhCWz4b8QdQF5IcOUSH7sidi2RYZHARr-5QFsNaCL30p0f0k60jcPmi2sw?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

* **Specify the Certificate**: Select the SSL certificate created earlier.
* **Federation Service Name**: This will auto-fill based on the certificate (e.g., `adfs.contoso.com`).
* **Federation Service Display Name**: Enter the name of your organization.
* **Specify the Service Account**: Use the gMSA created earlier (e.g., FSgMSA).

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdGT1XS9S-7IrnWLBuwDQzluUXwYDl3ydi2QXed50i2-iSywo7fAubu7g1YyrDF197En4-q9QakeD7LzyXsiOMqRSF5ySsLhMEaZXX6j_sEQoc_A1IwemBkb3R854ClMgLJVfWRyQ?key=e2qx57R0hZ7MDRvJbziIVxF6" alt=""><figcaption></figcaption></figure>

4. Leave the remaining options as default and complete the configuration.
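Sections 2.1 and 2.2 can also be run as a script, which is useful for a second farm node or for a reproducible lab build. The block below is an added example, not code from the Hideez page: it assumes the certificate from section 1.2 is already in `Cert:\LocalMachine\My`, that the gMSA is `CONTOSO\FSgMSA$` (note the trailing `$`), that DNS already resolves the Federation Service name to this server, and that the session runs as a Domain Admin on the ADFS server. The post-install checks at the end are the example's own additions.

```powershell
# Added example (not from the Hideez page): install the role, create the farm, and verify
# that the service and its metadata endpoint are up. All names are placeholders.

$fsName      = 'adfs.contoso.com'      # Federation Service name (placeholder)
$displayName = 'Contoso Corporation'   # Federation Service Display Name (placeholder)
$gmsa        = 'CONTOSO\FSgMSA$'       # gMSA in DOMAIN\name$ form (placeholder)

# 2.1 Add the role (equivalent of Server Manager > Add Roles and Features).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Select the TLS certificate by SAN and validity rather than by CN, so an old or
# expired certificate with the same subject is never picked up by accident.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.DnsNameList.Unicode -contains $fsName -and
                       $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fsName in the machine store" }

# 2.2 Create the farm (equivalent of the configuration wizard with defaults elsewhere).
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName $displayName `
                 -GroupServiceAccountIdentifier $gmsa

# Post-install checks before moving on to the Exchange integration.
$svc = Get-Service adfssrv
if ($svc.Status -ne 'Running') { throw "adfssrv is $($svc.Status)" }

$props = Get-AdfsProperties
'Federation service: {0} ({1})' -f $props.HostName, $props.DisplayName

# Token-signing and token-decrypting certificates are generated automatically; record
# them, because the relying party (Exchange) must trust the signing certificate.
Get-AdfsCertificate |
    Select-Object CertificateType, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# The metadata endpoint must answer over TLS with the certificate installed above.
$uri  = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta = Invoke-WebRequest -Uri $uri -UseBasicParsing
if ($meta.StatusCode -ne 200) { throw "Metadata endpoint returned $($meta.StatusCode)" }
([xml]$meta.Content).EntityDescriptor.entityID   # the federation service identifier
```

If `Invoke-WebRequest` fails with a certificate error, the chain or SAN of the certificate selected above is wrong for the name clients will use; fix that before creating the relying party trust, because every SAML exchange with Exchange will hit the same endpoint.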

{% hint style="info" %}

### **Next Steps**

After setting up ADFS, proceed to [integrate it with Microsoft Exchange by configuring claims-based authentication for **Outlook Web App (OWA)** and **Exchange Admin Center (EAC)**](/hideez-server-integration/saml-integration/microsoft-exchange-for-authentication-via-saml.md).
{% endhint %}

{% hint style="success" %}
For more information, refer to the [official Microsoft documentation on ADFS installation](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment).
{% endhint %}
