Hey y’all, Mark and Tom here with a series we think you’ll dig. I feel like half of our blog posts are about building a lab of some kind. We love our labs in PFE. That’s how most of us learn: set up a lab, play around with the technology, and get it configured. It’s fun for everyone! Right?! We are getting more and more customer requests from people just starting out with ADFS, so we thought we’d get everyone started by walking you through how to set up your very own ADFS lab.
First you have to have an AD forest set up. If you don’t have that, check out this blog post by Doug Gabbard: http://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspx
We are going to assume you have the following set up before you dive in.
- Active Directory Forest
- ADFS Server running Windows Server 2012
- Domain Joined
- Valid network configuration
Creating a Service Account
ADFS runs under a service account, which needs to be created ahead of time, before doing the install.
Some warnings about this service account:
#1: Don’t mess around with or set Service Principal Names (SPNs) on any accounts related to ADFS. The ADFS configuration wizard automatically configures the correct SPN on this service account, so don’t worry about configuring the SPN yourself.
#2: Ensure that the physical computer name of any of the ADFS servers in the farm doesn’t match the ADFS service name. If you plan to call your ADFS service name sts.markmorow.com, ensure that none of the servers in the farm has this same actual computer name. If you do, you immediately have a duplicate SPN scenario, which will prevent Kerberos authentication to this ADFS farm. Here is more information on duplicate SPNs:
For my test environment I created an account called ADFS_SVC, and my server is called ADFS01Corp.
As Jasmin talked about at http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx, we need three certificates on ADFS. But really, we only need one set up to do the install: the Server Communications (SSL) certificate. We have three choices.
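To script the service-account step and catch warnings #1 and #2 before the wizard ever runs, here is an added PowerShell example (ours, not from the original post). It assumes the ActiveDirectory RSAT module is present, you run it as a domain admin, and the lab names (sts.markmorow.com, ADFS_SVC, ADFS01Corp) are the ones from the post.

```powershell
# Added example, not part of the original post. Pre-checks and creation of the
# ADFS service account for the lab described above.
Import-Module ActiveDirectory

$ServiceName    = 'sts.markmorow.com'   # planned federation service name
$SvcAccountName = 'ADFS_SVC'            # service account name from the post
$FarmServers    = @('ADFS01Corp')       # computer names of the farm members

# Warning #2: no farm member may use the service name as its computer name,
# otherwise HOST/<service name> would be registered twice and Kerberos breaks.
$shortServiceName = $ServiceName.Split('.')[0]
foreach ($server in $FarmServers) {
    if ($server -ieq $shortServiceName) {
        throw "Server '$server' has the same name as the federation service; rename one of them."
    }
}
$clash = Get-ADComputer -Filter "Name -eq '$shortServiceName'" -ErrorAction SilentlyContinue
if ($clash) {
    throw "A computer object named '$shortServiceName' already exists: $($clash.DistinguishedName)"
}

# Refuse to continue if anything already holds the service SPN (e.g. a
# previous lab attempt or a stale object), which would also be a duplicate.
$existing = Get-ADObject -LDAPFilter "(servicePrincipalName=host/$ServiceName)" `
    -Properties servicePrincipalName
if ($existing) {
    throw "SPN host/$ServiceName is already registered on $($existing.DistinguishedName)."
}

# Warning #1: do NOT pass -ServicePrincipalNames here; the ADFS configuration
# wizard registers the SPN on this account itself.
$password = Read-Host -AsSecureString -Prompt "Password for $SvcAccountName"
New-ADUser -Name $SvcAccountName -SamAccountName $SvcAccountName `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'AD FS service account (lab)'

# Run this last line again after the wizard has finished: it should then show
# host/sts.markmorow.com on the account, and nothing else should carry it.
Get-ADUser $SvcAccountName -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
```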
1.) You could use a publicly signed external cert. Since this is TEST, you may not want to pay for one.
2.) You can generate a self-signed cert. This site has a great walkthrough on doing that: http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html
3.) You can request a certificate from your internal PKI. You do have an internal PKI set up right??? http://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspx
I picked #3. I had spent a few hours earlier setting up a PKI infrastructure in my lab. The walkthroughs are very easy to follow. Don’t be scared.
First we need to request a certificate. We do that by opening the MMC snap-in, adding the Certificates snap-in for the Computer Account (Local Computer), right-clicking Personal, going to All Tasks, and choosing Request New Certificate.
We are going to select our Active Directory Enrollment Policy and click Next.
If you don’t see Web Server, make sure your Web Server template is published and you have rights to it. As we can see here, we need some additional configuration information. Click on the blue text.
Our certificate name is going to be STS.yourdomain.com. Obviously, configure this to fit your needs. Click OK and finish the cert process.
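The same enrollment from option #3 can be done without the MMC, and it is worth checking the result before the ADFS wizard picks it up. This is an added example of ours, not from the original post; it assumes Windows Server 2012 or later (the PKI module with Get-Certificate), a published template named WebServer that the ADFS server has enroll rights on, and the service name STS.yourdomain.com from the post.

```powershell
# Added example, not part of the original post. Requests the SSL certificate
# for the federation service from the internal AD CS PKI and sanity-checks it.
Import-Module PKI

$ServiceName = 'sts.yourdomain.com'   # federation service name from the post

# Enroll through the Active Directory enrollment policy. The certificate lands
# in Local Computer\Personal, which is where the ADFS wizard looks for it.
$result = Get-Certificate -Template WebServer `
    -SubjectName "CN=$ServiceName" `
    -DnsName $ServiceName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# If the template is not published or you lack enroll rights, the request
# is denied or errors out instead of being issued.
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status)). Check template publication and permissions."
}
$cert = $result.Certificate

# Checks worth doing before running the wizard: subject matches the service
# name, the private key is present, the cert is within its validity period,
# and the chain builds to a root this server trusts.
if ($cert.Subject -ne "CN=$ServiceName") { throw "Unexpected subject: $($cert.Subject)" }
if (-not $cert.HasPrivateKey)            { throw 'Certificate has no private key.' }
if ($cert.NotBefore -gt (Get-Date))      { throw 'Certificate is not yet valid.' }
if ($cert.NotAfter -lt (Get-Date))       { throw 'Certificate is already expired.' }
if (-not $cert.Verify())                 { throw 'Chain does not build to a trusted root.' }

# Show what the wizard will display so you can confirm it picked the right one.
$cert | Format-List Subject, Thumbprint, NotAfter, Issuer
```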
Ok, now that we have all our pre-reqs in order, let’s do the actual install of ADFS.
You’ll want to start by going to Server Manager and adding the ADFS role. Click Next.
It will add any other additional roles and features it needs. Click Add Features and click Next through these new features until you hit the ADFS role services.
After you click Next through a few default screens you’ll come to this screen. We’ll come back to the ADFS Proxy later, but for now just leave Federation Service checked. Hit Next a few more times, then Finish. Let the install finish.
You should see a yellow exclamation point at the top right to let you know there are additional configuration requirements. Click “Run the AD FS Management snap-in”.
You’ll then get the ADFS snap-in to finish configuring. Click “ADFS Federation Server Configuration Wizard”.
Since this is our first ADFS server, we are going to select “Create New Federation Service” and hit Next.
We’ll be creating a server farm of one. Click next.
ADFS should automatically pick up the server certificate. We’ll click Next.
Input the service account we created earlier and click Next. The install should start.
All done. We are now set up using the WID (Windows Internal Database). If you wanted to use a SQL database you would have to do the install from the command line. Check back for Part 2 on how to configure a relying party and a web app to view claims.
Mark “Next, Next” Morowczynski, Tom “Finish” Moser