In this article, we’ll walk through the steps necessary to install the first Windows Server 2012 R2 federation server in an Active Directory Federation Services (AD FS) farm. Subsequent articles will walk through the steps necessary to add additional farm members, install the Web Application Proxy role, and customize AD FS for your organization.

Prior to installing the first server, you’ll need to organize a number of prerequisites for the installation:

  • Server or Virtual Machine – Ensure that the machine that meets the minimum system requirements and is domain joined
  • Service Account or Group Managed Service Account – AD FS requires a service account that will be used for Kerberos authentication as well as managing access to security keys across farm members. If you install the service in a domain with at least one Windows Server 2012 domain controller, you can use a Group Managed Service Account (gMSA). Using a gMSA is the recommended approach, and the installation wizard can create and configure a gMSA for you if you have enough access to the directory. If not, create a gMSA in advance for use with AD FS.
  • Federation Service Name – You will need to choose a DNS name for the federation service. This name will be referenced by clients and relying parties when accessing AD FS. Common hostnames for the federation service include ‘FS’, ‘STS’, and ‘IDP’ (federation service, security token service, and identity provider, respectively). In this example we will use the FS hostname with a fully qualified domain name of fs.cohovines.com.
  • SSL Certificates – The AD FS service uses three SSL certificates – the service communications certificate, the token signing certificate, and the token decryption certificate. The setup wizard requires that you provide a certificate for service communications, while by default, self signed token signing and token decryption certificates will be generated by AD FS. The service communications certificate is used to secure the HTTPS traffic between clients and AD FS and should be trusted by internal and external clients that will access the service. You should plan to use a commercially issued certificate to ensure trust from a public certification authority such as DigiCert. The common name of the certificate should match the federation service name, e.g. fs.cohovines.com. You can choose whether or not to buy a commercial certificate for token signing and token decryption. Generally speaking, interoperability with third parties is much easier if you choose to buy a commercial certificate for this task. Be sure to get the maximum lifetime possible for the certificate (e.g. 3 years). Changing the certificate later will be an involved process, so it is best to make this design decision up front.
If you will be using the Device Registration Service for Workplace Join, you will need to add subject alternate names (SANs) to your service communications certificate. For each User Principal Name (UPN) suffix that will be supported, you must add a SAN in the format of enterpriseregistration.<UPN Suffix>. For example, in my environment, users have a UPN suffix of cohovines.com. To support Workplace Join, my service communications certificate will need a SAN of enterpriseregistration.cohovines.com. You may also use a wildcard certificate for the service communications certificate.
  • SQL Server or Windows Internal Database – AD FS uses SQL Server to store server configuration and for two optional features. In lieu of using a full SQL Server installation, AD FS can install the Windows Internal Database (WID), a stripped down version of SQL Server, on each federation server. Prior to installing the first AD FS server, decide whether to use WID or SQL Server for the AD FS farm. If you expect to need to support more than 100 relying parties, or more than five federation servers, Microsoft recommends that you use the full version of SQL Server. Likewise, if you have a need for SAML Artifact Resolution or Token Replay Detection for external claims providers, you must use SQL Server. Review this TechNet Library document for more information on this decision. If you elect to use SQL Server, don’t forget to factor in high availability for SQL Server (e.g. clustering or mirroring).

Once you have completed all of the prerequisite tasks, you can begin installing the first AD FS server.

  1. Open Server Manager and click ‘Add roles and features’.
  2. During the Server Selection step of the Add Roles and Features Wizard, shown below, you can elect to install AD FS on multiple servers if you have added them to a pool in Server Manager. If you will be installing a server farm, this is a handy time saving feature.

SNAG-0003

  1. On the next screen, Server Roles, select Active Directory Federation Services as shown below. This will automatically add any missing features that AD FS requires to the wizard’s task list.

SNAG-0004

  1. Proceed through the remainder of the wizard. Once you reach the Results page, shown below, click the ‘Configure the federation service on this server’ hyperlink to begin the AD FS installation process.

SNAG-0008

The AD FS Configuration Wizard will complete the process of installing AD FS on the server. Since this is the first server in the farm, you will need to provide inputs based on the prerequisite decisions discussed earlier in the article.

  1. On the Welcome page, shown below, ensure that Create the first federation server in the federation server farm is selected at the bottom of the screen.

image

  1. On the Connect to AD DS page, provide a domain administrator account for installing the federation service. Elevated credentials are required to create a distributed key management object for AD FS in the Domain’s Program Data container. These credentials are only required during the installation process.
  2. On the Specify Service Properties page, shown below, use the decisions made during the prerequisites section of this article to populate the inputs. The SSL Certificate is the Service Communications Certificate. The dropdown list will show any valid certificates that are already imported. You can use the Import button to import a PFX file containing the certificate that AD FS should use. The federation service name must match the certificate selected. Finally, the Federation Service Display Name is displayed on the default login pages and can be easily changed later.

SNAG-0013

  1. On the Specify Service Account page, shown below, provide details for the service account that the AD FS farm should use. As discussed earlier, a gMSA is the preferred option when possible. If you are running the wizard with sufficient permissions, the wizard can automatically create a gMSA for you. Otherwise, select the second option to specify an existing gMSA or standard domain user account.

SNAG-0014

  1. On the Specify Database page, provide the details for an external SQL Server if you will be using SQL Server. If you will be using WID, accept the defaults and continue.
  2. A useful option on the Review Options page is the View script button. If you click this button, the AD FS Configuration Wizard will provide the PowerShell script equivalent to the options you chose in the wizard.

image

The script below shows the equivalent PowerShell syntax for the options selected in the wizard.

Import-Module ADFS

Install-AdfsFarm `
-CertificateThumbprint:"794CAF64196F53F71DF39BE16E4BADDF4FD277C8" `
-FederationServiceDisplayName:"Coho Vineyard" `
-FederationServiceName:"fs.cohovines.com" `
-GroupServiceAccountIdentifier:"COHOVINES\svc_ADFS`$"
  1. Complete the wizard. Once the Results page is shown, you will be able to begin managing the AD FS farm configuration.
  2. To open the AD FS MMC, open the Start screen and search for ‘AD FS’ as shown below. For convenience, you may want to pin the MMC to the Taskbar so it is easily accessible in the future.

SNAG-0009

In summary, the first AD FS federation server is now installed and ready for configuration, the addition of additional farm members, and publication with the Web Application Proxy. In future articles, we will walk through the steps to perform all three of these tasks.