ADFS Installation

1. Preparation for ADFS Installation

1.1 Create a Certificate Template

ADFS requires trusted certificates to ensure secure communication. These certificates can be generated using your internal Certificate Authority (CA). Follow these steps to create a certificate template:

  1. Access Certificate Templates Management:

    • Open the Certification Authority console.

    • Navigate to Certificate Templates → Right-click and select Manage.

  2. Duplicate an Existing Template:

    • Locate the Web Server template, right-click it, and select Duplicate Template.

  3. Modify the Template:

    • Go to the General tab:

      • In Template display name, enter a name like "SSL Certificates."

    • Go to the Security tab:

      • Select Authenticated Users and check Enroll under the Allow column. Click OK.

  4. Publish the New Template:

    • Close the Certificate Templates console.

    • In the Certification Authority console, right-click Certificate Templates → New → Certificate Template to Issue.

    • Select the newly created template (e.g., SSL Certificates) and click OK.

    The template will now appear under Certificate Templates in the Certification Authority console.

1.2 Generate a Certificate for ADFS

Once the certificate template is created, generate a certificate for the ADFS server:

  1. Open MMC (Microsoft Management Console):

    • Press Win + R, type mmc.exe, and press Enter.

    • Go to File → Add/Remove Snap-in… → Select Certificates and click Add.

    • Choose Computer account and click Finish.

  2. Request a New Certificate:

    • Expand Certificates (Local Computer) → Right-click Personal → All Tasks → Request New Certificate.

    • Follow the wizard until the template selection window appears.

    • Select the newly created template (e.g., SSL Certificates) and click More information is required to enroll for this certificate.

  3. Specify Certificate Details:

    • In the Subject name group:

      • Set Type to Common Name and enter the Fully Qualified Domain Name (FQDN) of your ADFS server (e.g., adfs.ad.contoso.com). Click Add.

    • In the Alternative name group:

      • Set Type to DNS and enter the FQDN again (e.g., adfs.ad.contoso.com). If multiple names are used for ADFS, add them all.

  4. Enroll:

    • After entering the required details, click OK and Enroll to generate the certificate.

The new certificate will appear in the Certificates (Local Computer) → Personal section.
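The same enrollment can be scripted, which also lets you check the properties the ADFS wizard will depend on (private key present, chain trusted, every service name in the SAN). The following is an added example, not part of the original page: it assumes the template from section 1.1 has the internal template name SSLCertificates (the template name is not always identical to its display name), that the federation service is published as adfs.contoso.com, and that it is run on the ADFS server as a local administrator with the PKI module available.

```powershell
# Added example (not from the original page): request and validate the ADFS SSL certificate
# from section 1.2 with PowerShell instead of the MMC wizard.
# Assumptions: internal template name "SSLCertificates", service name adfs.contoso.com,
# run on the ADFS server as a local administrator.

$FederationServiceName = 'adfs.contoso.com'
$TemplateName          = 'SSLCertificates'         # assumption: internal template name, not the display name
$DnsNames              = @($FederationServiceName)  # add every name ADFS answers to, if more than one

# Get-Certificate (PKI module) submits the request to an enterprise CA that publishes the
# template and stores the issued certificate, with its private key, in the machine Personal store.
$result = Get-Certificate -Template $TemplateName `
    -SubjectName "CN=$FederationServiceName" `
    -DnsName $DnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete; status is '$($result.Status)' (a pending request needs CA approval)"
}
$cert = $result.Certificate

# Checks the ADFS configuration wizard will care about.
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key in the machine store' }
if (-not $cert.Verify())      { throw 'Certificate chain does not validate on this host; check the CA trust' }

# Subject Alternative Name extension (OID 2.5.29.17); clients ignore the CN when a SAN is present,
# so every name the service is reached by must appear here.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in $DnsNames) {
    if ($sanText -notmatch "DNS Name=$([regex]::Escape($name))") {
        throw "SAN does not contain $name; the certificate would be rejected for that host name"
    }
}

# The thumbprint is the value the farm configuration needs later.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    SAN        = $sanText
}
```

If the CA is configured to require manager approval for the template, Get-Certificate returns a Pending status and the request has to be approved in the Certification Authority console before the certificate lands in the store.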

1.3 Create a Service Account for ADFS

Microsoft recommends using a Group Managed Service Account (gMSA) to run the ADFS service. To create the account:

  1. Prepare the Key Distribution Service (KDS):

    • Run the following PowerShell command on a domain controller:

      Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

  2. Create the gMSA:

    • Use the following syntax to create the gMSA:

      New-ADServiceAccount -Name <AccountName> -DnsHostName <FederationServiceName> -ServicePrincipalNames http/<FederationServiceName>

    • Example:

      New-ADServiceAccount -Name FSgMSA -DnsHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com
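A gMSA is only as safe as the set of computers allowed to retrieve its password, because any host that can fetch it can run code as the federation service identity. The following added example (not from the original page) extends the two commands above with that restriction and with checks that the SPN and password-retrieval settings are what ADFS expects. It assumes the gMSA name FSgMSA, the service name adfs.contoso.com, and a hypothetical AD security group named ADFS-Servers containing the computer accounts of all farm members; the first part runs on a domain controller as a domain admin, and the function at the end is meant to be called on the ADFS server itself.

```powershell
# Added example (not from the original page): create and validate the ADFS gMSA from section 1.3.
# Assumptions: gMSA name FSgMSA, service name adfs.contoso.com, and a hypothetical group
# "ADFS-Servers" holding the computer accounts of every ADFS farm member.

$GmsaName              = 'FSgMSA'
$FederationServiceName = 'adfs.contoso.com'
$AllowedHosts          = 'ADFS-Servers'   # hypothetical group of ADFS computer accounts

Import-Module ActiveDirectory

# --- Run on a domain controller ---
# A KDS root key is required before any gMSA can be created. The -10 hour offset from the page
# makes the key usable immediately (lab use); in production omit -EffectiveTime and wait for the
# key to replicate to all domain controllers (about 10 hours) before creating the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# -PrincipalsAllowedToRetrieveManagedPassword limits password retrieval to the ADFS servers.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $FederationServiceName `
        -ServicePrincipalNames "http/$FederationServiceName" `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
}

# Verify the SPN (needed for Kerberos to the federation service) and the retrieval restriction.
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
if ($acct.ServicePrincipalNames -notcontains "http/$FederationServiceName") {
    throw "gMSA $GmsaName is missing the SPN http/$FederationServiceName"
}
if (-not $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    throw "gMSA $GmsaName has no password-retrieval restriction; any computer could use it"
}
"gMSA $GmsaName ready; password retrievable by: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"

# --- Call on the ADFS server, after AD replication ---
# Install-ADServiceAccount caches the account locally; Test-ADServiceAccount confirms that this
# computer is actually permitted to retrieve the managed password.
function Test-GmsaOnThisHost {
    param([string] $Name = $GmsaName)
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "This server cannot retrieve the password for $Name; check group membership and replication"
    }
    "gMSA $Name is usable on $env:COMPUTERNAME"
}
```

If a computer is added to the ADFS-Servers group after it has booted, it needs a reboot (or a new Kerberos ticket) before the new group membership is reflected in its token and Test-ADServiceAccount succeeds.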

2. Install ADFS Role

2.1 Add ADFS Role

  1. Open Server Manager.

  2. Click Manage → Add Roles and Features.

  3. Follow the wizard and select Active Directory Federation Services when prompted to choose a role.

2.2 Configure ADFS

  1. After installation, open the Server Manager dashboard.

  2. Click Configure the federation service on this server.

  3. Follow the ADFS configuration wizard:

    • Specify the Certificate: Select the SSL certificate created earlier.

    • Federation Service Name: This will auto-fill based on the certificate (e.g., adfs.contoso.com).

    • Federation Service Display Name: Enter the name of your organization.

    • Specify the Service Account: Use the gMSA created earlier (e.g., FSgMSA).

  4. Leave the remaining options as default and complete the configuration.
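Sections 2.1 and 2.2 map directly onto two cmdlets, which is useful when the server is built repeatably or without a desktop. The following is an added example, not from the original page: it installs the role, runs the pre-flight check, creates the first farm node with the wizard's four inputs, and then verifies that the service is bound to the intended certificate and publishes its federation metadata. It assumes the certificate from section 1.2 has subject CN=adfs.contoso.com, the gMSA is CONTOSO\FSgMSA$ (NetBIOS domain name CONTOSO assumed), the display name is "Contoso", a DNS record for adfs.contoso.com already points at this server, and it is run on the future ADFS server as a domain admin.

```powershell
# Added example (not from the original page): install and configure the ADFS role from section 2
# with PowerShell instead of Server Manager. Run on the future ADFS server as a domain admin.
# Assumptions: certificate subject CN=adfs.contoso.com, gMSA CONTOSO\FSgMSA$, display name "Contoso",
# DNS for adfs.contoso.com already resolving to this host.

$FederationServiceName = 'adfs.contoso.com'
$DisplayName           = 'Contoso'
$GmsaIdentifier        = 'CONTOSO\FSgMSA$'   # assumption: NetBIOS domain name; the trailing $ is required

# 2.1 Install the role (equivalent of Add Roles and Features -> Active Directory Federation Services).
$feature = Install-WindowsFeature ADFS-Federation -IncludeManagementTools
if (-not $feature.Success) { throw 'ADFS role installation failed' }

# Locate the SSL certificate by subject; if several exist, take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$FederationServiceName in the machine store" }

# 2.2 The wizard's four inputs: certificate, service name, display name, service account.
$params = @{
    CertificateThumbprint         = $cert.Thumbprint
    FederationServiceName         = $FederationServiceName
    FederationServiceDisplayName  = $DisplayName
    GroupServiceAccountIdentifier = $GmsaIdentifier
}

# Pre-flight check before anything is changed (certificate, SPN, account permissions).
$check = Test-AdfsFarmInstallation @params
if ($check.Status -ne 'Success') { throw "Pre-flight check failed: $($check.Message)" }

$install = Install-AdfsFarm @params
if ($install.Status -ne 'Success') { throw "Install-AdfsFarm failed: $($install.Message)" }

# Post-install verification: the HTTPS binding uses the intended certificate ...
$ssl = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $FederationServiceName -and $_.PortNumber -eq 443 }
if (-not $ssl -or $ssl.CertificateHash -ne $cert.Thumbprint) {
    throw 'ADFS is not bound to the expected SSL certificate'
}

# ... and the federation metadata endpoint answers under the service name.
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($response.StatusCode -ne 200) { throw "Federation metadata not reachable at $metadataUrl" }
"ADFS farm '$DisplayName' configured; metadata published at $metadataUrl"
```

Install-AdfsFarm creates the first node of a new farm; additional servers join with Add-AdfsFarmNode and must be able to retrieve the same gMSA password, which is why the account's allowed-principals list should cover every farm member rather than a single computer.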

For more information, refer to the official Microsoft documentation on ADFS installation.
