Configure ADFS and Device Registration service in Windows 2012 R2


 
Installing ADFS federation server:
 
In the previous blogs we looked at the different new features in ADFS in Windows 2012 R2 and the installation requirements.
 

        In this article we will look at the installation of ADFS service and enabling Device Registration service in Windows 2012 R2.

Installing ADFS federation server:

1. Install the ADFS role service from Windows Server manager. In Windows 2012 R2 you can remotely install the roles on server.

clip_image002

2. Click Next > Next > Next > Install to install the ADFS role.

3. Go to the server manager notification and click on Configure the ADFS service

4. Make sure the requirements given in the below screenshot are met before you proceed to next step. Select whether this is the first federation server in a federation server farm or a new server in existing federation farm.

clip_image004

3. Provide the credentials for domain admin account to configure ADFS service as mentioned below:

clip_image006

4. Select the ADFS certificate which is installed on the ADFS server. Obviously the federation service name should be same as the name used in the ADFS certificate.

clip_image008

clip_image010

5. Here you can specify a domain user account or Group Managed Service Account. Group Managed Service Account (GMSA) is a new feature in Windows 2012, which is an improvement to the managed service account in Windows 2008 R2. GMSA are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators. The group Managed Service Account provides the same functionality within the domain but also extends that functionality over multiple servers.

clip_image012

6. You can select a SQL server database or the Windows internal database to host the ADFS configuration database

clip_image014

clip_image016

7. Click configure and that finishes the ADFS configuration.

clip_image018

8. There are few additional steps to enable the Device registration service:

Initialize the ADDeviceRegistration service on ADFS server

clip_image020

Enabled the ADFS Device Registration service

clip_image022

Enable device authentication in ADFS management console:

clip_image024

   

You can try the following methods to test the functionality of ADFS service:
 
https://adfs1.contoso.com/adfs/ls/idpinitiatedsignon.aspx  - This should return the ADFS login page
 
 
In Next section we will look at the Web Application Proxy which has replaced the ADFS Proxy service role in Windows 2012 R2. We will also look at publishing DRS via WAP.
 
 


Comments (12)

  1. Me says:

    screens missing:(

  2. Anonymous says:

    Pingback from Configure Web Application Proxy server and publish Device Registration service in Windows 2012 R2 | MS Tech BLOG

  3. Anonymous says:

    Pingback from Configure Web Application Proxy server and publish Device Registration service in Windows 2012 R2 | MS Tech BLOG

  4. Taparshi says:

    Good article but some points missing that may get newbies (like me) into the Lost World of Steven Spielberg and chased by T-Rex...Like SAN of the Service Communication Cert (Technical Jargon for ADFS Cert) should contain "enterpriseregistration.abc.local"
    (basically enterpriseregistration.UPN of your Domain). There has to be a CNMAE with the same entry enterpriseregistration.abc.local pointing to the ADFS Server. CRL Location must be reachable. SSL Binding should be correct (can be found using NETSH HTTP Show
    SSLCERT) , Get-AdfsDeviceRegistrationUpnSuffix must list the UPN used by your users and show proper binding @ 443 (remember no IIS in 3.0) ,if not use Add-AdfsDeviceRegistrationUpnSuffix. Best to use the same service account for adfs and DRS services. IE settings
    must have "Check for Server certificate revocation" unchecked under advanced settings on the client if that location is via some pointer that the client cant reach like LDAP.

  5. Amit Dobhal says:

    @Taparshi - thanks for the feedback. Some of the points (CNAME pointing to ADFS server, ADFS / DRS service certificate names ) you highlighted are mentioned in the previous article however I dint add any screenshots for the same as those are pretty generic
    -
    http://blogs.technet.com/b/amitd/archive/2014/04/18/adfs-new-features-and-prerequisites-in-windows-2012-r2.aspx. Additionally other points you mentioned are good to know and can really be handy when it comes to troubleshooting.

  6. Amit says:

    Great Article. Anyone know if we use an ADFS farm based on WID DB replication, can clients authenticate if the primary ADFS server is down for maintenance and none of the secondary's are promoted to primary. I know configuration changes such as adding
    relying party trusts will not work, but am unsure if normal client authentication is impacted as well?

  7. Amit Dobhal says:

    @Amit - In that case Secondary servers will continue to process the requests as normal however as you rightly mentioned you wont be able to make any new changes to the ADFS configuration database unless you designate other server as the Primary or bring
    back the primary server. Primary server holds the Read / Write copy of the ADFS configuration database in WID farm configuration. Secondary servers hold the read only copy of the database that they synchronize with the primary server.

  8. isaac says:

    Hi Amit, for Device Registration, can I use another suffix CNAME other than enterpriseregistration? I am asking because I have two separate instances of ADFS in same AD Domain and the internal DNS is the same. One of them is testadfs.contoso.com and the
    other one is prodadfs.contoso.com. if I use enterpriseregistration.contoso.com for testadfs.contoso.com, can I use enterpriseregistrationPROD.contoso.com for the prodadfs.contoso.com?

    Thanks

  9. Amit Dobhal says:

    Hi Isaac - As mentioned here -
    https://technet.microsoft.com/en-us/library/dn614658.aspx the CNAME record must use the well-known prefix EnterpriseRegistration followed by the UPN suffix used by the user accounts at your organization. All clients are going to use this well known prefix
    followed by their UPN suffix to discover the service so as long as you have this service published for one of the ADFS farm and containing the client UPN suffixes, clients should be able to discover the service fine.

  10. Anonymous says:

    As an Identity PFE I’ve seen my fair share of ADFS Admin logs. In many cases that log is a good

  11. Anonymous says:

    As an Identity Hybrid PFE I’ve seen my fair share of ADFS Admin logs. In many cases that log is

  12. mike says:

    Hi there

    What if i need to configure more than one UPN suffix root domain? by example: i have many upn suffixes with the customers domain:

    @company-one.net
    @company-two.com

    any idea how to handle device registration in this shared environment?

    best regards mike

Skip to main content