How To Install AD FS 2012 R2 For Office 365

When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365.   In the burgeoning drafts folder Active Directory Federation Services (AD FS) was at the top, so that got finished first!

The act of deploying and configuring AD FS 2012 R2 for Office 365 will be broken down into three separate blog posts

  1. Install AD FS (this post)

Identity, Identity, Identity

The IT security landscape keeps evolving.  One of the recent changes is a move away from ACLs on files in the NTFS file system to an access control system that is based on claims.  Claims-based authentication is an industry standard approach to authenticating users; the underlying WS-* standards describe the use of Security Assertion Markup Language (SAML) tokens.  Claims-based auth requires these tokens, and by extension an entity that can issue them.  This is the Security Token Service (STS).  The STS server can be based on Active Directory Federation Services (AD FS) or other platforms that provide this service.

AD FS lights up one of the three options for Office 365 identity management, which is option #3 in the below list:

  1. Cloud Identity – users are created, and managed,  in Windows Azure Active Directory (WAAD).  No connection to any other directory.  This is the simplest model as there is no integration to any other directory.  Each user has an account created in the cloud which does not synchronise anywhere else.  Note that you will still typically need additional on-premises credentials to gain access to a local workstation and local resources.
  2. Directory Synchronisation – Users are created and managed in the on-premises directory and get synchronised up to Office 365 so they can access Office 365 resources.  Typically this means running the DirSync appliance, or in some cases FIM with the Windows Azure Active Directory Connector.  The newer builds of DirSync allow the user’s password hash to be synchronised up to Office 365.  Note that this is the hash, not the clear text password.    This allows users to log on to Office 365 using the same credentials as on-premises, with no additional infrastructure.
  3. Federated Identity – Federation relies on directory synchronisation so that WAAD is populated.  When the authentication request is presented to Office 365, the service will then contact the on-premises AD FS infrastructure so that AD is responsible for authenticating the request.

AD FS is the primary choice for customers who want to use federated identities with Office 365.  In addition to this there are a variety of qualified third party identity providers that can be connected with Office 365 to provide the necessary plumbing for federation.  The shortcut URL  links to the ‘Works With Office 365’ Identity program, and lists the identity providers that have been qualified with Office 365.  Please read the notes on the TechNet page with regards to the testing and support aspects of these services.

Some customers will use these services as they do not wish to invest in a fault tolerant and geographically dispersed AD FS implementation.  The availability of AD FS is a key discussion point when discussing federation.  For whatever reason if the AD FS infrastructure is unavailable, then Office 365 cannot complete the authentication process and thus users cannot get access to Office 365.

In addition, since DirSync now replicates the user’s hashed password to WAAD, some customers now use DirSync to provide Same Sign On / Single Sign On (SSO).  DirSync version 1.0.6385.12, which was released in May 2013, and later builds provide the ability to synchronise passwords.  DirSync can be downloaded here, and the TechNet Wiki has details on the release history.   When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:

Windows Azure Active Directory Sync Tool Enable Password Sync

This is worthwhile to mention as there is still a perception that AD FS is a hard requirement to get SSO.  That is soooooooooooo  Q1 2013!

Anyway, I digress.  Let’s get back to AD FS…

We shall look at installing AD FS 2012 R2 since there are numerous compelling features in this release!

What’s New And Improved In AD FS 2012 R2

The quick answer is a lot!  Some examples include:

  • IIS dependency removed
  • Single server installation option removed; there is now only the farm install (installing a farm was always the recommended option in prior releases anyway)
  • Separate AD FS proxy role removed.  AD FS proxy now based off Web Application Proxy (WAP), and is used to publish the AD FS server to the Internet.  WAP can publish many other applications, not just AD FS.
  • AD FS extranet lockout – AD DS account lockout protection via the AD FS proxy
  • Access control based on network location to control user authentication to AD FS

There are many others, but check here for them since we are focussing on Office 365 usage for AD FS.

Note that you will not see me call this release AD FS 3.0.  Its full and proper name is AD FS 2012 R2.  For reference, here are the older versions and what some folks call them:

AD FS Build   Details
AD FS 1.0     Released with Windows 2003 R2.  Built into OS.
AD FS 1.1     Released with Windows 2008 and 2008 R2.  Built into OS.
AD FS 2.0     Released after Windows 2008 / 2008 R2.  Separate download from here.
AD FS 2.1     Windows 2012
AD FS 3.0     Windows 2012 R2

Update 5-5-2014:    Please also see this post on exploring AD FS 2012 R2 Extranet Lockout protection.

Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

Update 9-9-2014:    For the other posts on AD FS, please view this tag cloud.

Planning And Prerequisites, And Other Fun Details


The prerequisites are listed on TechNet and now also on  Of course before jumping into the install the installation needs to be planned.

AD FS Role Planning

The AD FS role should be deployed within the corporate network, and not in the DMZ.  The AD FS proxy role (WAP in Windows Server 2012 R2) is intended to be installed into the DMZ.

The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), which may contain several federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

Since the availability of Office 365 relies upon the availability of AD FS when the domain is federated there is a strong recommendation to have at least two AD FS servers with a redundant AD FS proxy infrastructure.

Please review the design guidance on TechNet.

AD FS Service Account

We can now use a standard service account or a Group Managed Service Account in AD FS 2012 R2.

In this case, since the KDS root key was not configured, let’s leverage a standard service account.

The installation process should set the required Service Principal Names (SPN) on the account.

AD FS Namespace

Select what name you are to use to access AD FS.  Typically this is along the lines of:

Note that this is the namespace for the AD FS service.  Since we will be using Kerberos to access AD FS internally, there must be a Service Principal Name (SPN) registered for this name.  This will be associated to the service account, and since SPNs operate in the “Highlander – there can be only one!” mode you do not want to duplicate the SPN on the AD FS server by naming the computer the same as the AD FS namespace.
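An added pre-flight check, not from the original post: this PowerShell confirms that the HOST SPN for the planned AD FS namespace is held exactly once, by the service account and not by the federation server’s computer account. The namespace, account and server names are placeholders (assumptions); replace them with your own.

```powershell
# Added example, not from the original post: check the AD FS namespace SPN before
# running the configuration wizard. Values passed at the bottom are placeholders.
function Test-AdfsSpn {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,  # e.g. sts.tailspintoys.example
        [Parameter(Mandatory)][string]$ServiceAccount,         # sAMAccountName, e.g. ADFS-Service
        [Parameter(Mandatory)][string]$FederationServer        # computer name of the AD FS server
    )
    $spn = "host/$FederationServiceName"

    # A federation server named the same as the namespace already owns HOST/<name>
    # through its computer account, so the service SPN would be a duplicate.
    if ($FederationServiceName -eq $FederationServer -or
        $FederationServiceName -like "$FederationServer.*") {
        Write-Warning "Namespace '$FederationServiceName' matches the server name; rename one of them."
    }

    # setspn -Q prints the distinguished name of every account holding the SPN.
    # Wrapping in @() keeps .Count and indexing correct when only one line matches.
    $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })

    switch ($holders.Count) {
        0 {
            # Install-AdfsFarm normally registers this, so an absent SPN is expected pre-install.
            Write-Output "Not yet registered: $spn (Install-AdfsFarm should add it to $ServiceAccount)."
        }
        1 {
            # The CN is usually, but not always, the sAMAccountName; adjust if your naming differs.
            if ($holders[0] -like "CN=$ServiceAccount,*") {
                Write-Output "OK: $spn is registered once, on $ServiceAccount."
            } else {
                Write-Warning "$spn is registered on '$($holders[0])', not on $ServiceAccount."
            }
        }
        default {
            Write-Warning ("Duplicate SPN: $spn is held by " + ($holders -join '; ') +
                           ". Kerberos to AD FS will fail until only one account holds it.")
        }
    }

    # Forest-wide duplicate scan; the 'found 0 group of duplicate SPNs' line is the good case.
    setspn -X -F | Select-String -Pattern 'duplicate'
}

Test-AdfsSpn -FederationServiceName 'sts.tailspintoys.example' `
             -ServiceAccount 'ADFS-Service' `
             -FederationServer 'ADFS01'
```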

You also want to discuss what display name should be chosen, as this will be visible to users.

Additionally, you may wish to plan to enable Device Registration Service (DRS) as well; this uses a separate namespace. For more details please see Configuring Device Registration.    For the Workplace Join client to discover the Device Registration server using a well-known DNS CNAME record, AD FS must be configured with a server SSL certificate that includes the well-known Device Registration server names. You must include one server name for every userPrincipalName (UPN) suffix in use at your company, in the format of:


This would be in this environment.

Internet Access

The AD FS server will require access to the Internet in order to complete the configuration of the solution.  This may be an issue if your servers are behind a proxy solution.

Certificates

Since AD FS leverages SSL, we need to have an SSL certificate.  You could try three options, but only one will work:

  1. Self-signed certificate
  2. Certificate issued from internal PKI
  3. Certificate from 3rd party public CA

Office 365 needs to see a valid Service Communication Certificate on your AD FS infrastructure, so you are going to have to buy a certificate from a public CA.  Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears.  We can use self-signed certificates for the Token Decrypting and Token Signing Certificate.  These are separate from the service communication cert.

Please follow the documentation from your chosen CA to request, install and complete the certificate.  The steps required vary from vendor to vendor and also over time.  Make sure you are not missing any updated intermediate certificates!  How would you know?  Follow their  process!!

For the purposes of this post we shall deploy the initial AD FS server, and in the future add another AD FS server for redundancy.

If you wish to use the Device Registration Service (DRS), then add the additional name onto the certificate.  Even if you are not using DRS now you may want to save the time updating certificates later on.
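An added check, not from the original post, that tests the installed service communication certificate against the points above: it must not be self-signed, must have its private key, must chain to a trusted root (a missing intermediate shows up here), and its SAN must contain the AD FS name plus, if DRS is planned, enterpriseregistration.<UPN suffix>, the documented Device Registration server name format. The namespace and UPN suffix are placeholders; the thumbprint is the post’s own obfuscated value.

```powershell
# Added example, not from the original post: pre-flight checks on the service
# communication certificate in the machine store. Values at the bottom are placeholders.
function Test-AdfsServiceCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FederationServiceName,
        [string[]]$UpnSuffixes = @()   # only needed if you plan to enable DRS
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $Thumbprint in LocalMachine\My."
        return $false
    }
    $ok = $true

    # Office 365 rejects a self-signed service communication certificate (subject == issuer).
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning 'Certificate is self-signed; Office 365 will not trust it.'
        $ok = $false
    }

    # The wizard binds the certificate to the service, so the private key must be present.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Private key is not present in the machine store.'
        $ok = $false
    }

    # Build the chain under the SSL policy for the federation service name. A missing
    # intermediate certificate from the CA shows up here as a failed chain.
    if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $FederationServiceName -ErrorAction SilentlyContinue)) {
        Write-Warning "Chain or name validation failed for $FederationServiceName (check intermediate certs)."
        $ok = $false
    }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    # Required names: the namespace itself plus, for DRS, enterpriseregistration.<UPN suffix>
    # (the documented Device Registration server name, one per UPN suffix in use).
    $required = @($FederationServiceName) +
                @($UpnSuffixes | ForEach-Object { "enterpriseregistration.$_" })
    foreach ($name in $required) {
        if ($sanNames -contains $name) {
            Write-Output "OK: $name is present in the SAN."
        } else {
            Write-Warning "SAN is missing $name."
            $ok = $false
        }
    }
    return $ok
}

# The thumbprint is the post's obfuscated example; use the one from your own certificate.
Test-AdfsServiceCertificate -Thumbprint '5804746A7980C8682FBF408D48EF6C3B02A5ZORG' `
                            -FederationServiceName 'sts.tailspintoys.example' `
                            -UpnSuffixes 'tailspintoys.example'
```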

Installing AD FS On Windows Server 2012 R2

After starting up Server Manager’s Add Roles and Features wizard, select Active Directory Federation Services, then click Next.

ADFS 2012 R2 Role Installation

We don’t need to add any additional features.  Remember that the IIS dependency was removed in AD FS 2012 R2.

ADFS 2012 R2 Role Installation

Clicking Next takes us to the AD FS splash screen.  Note that it helpfully tells us that the specific AD FS proxy role has been removed in Windows 2012 R2 and how to go about installing it.  Shame I missed that the very first time I ran this, and could not find the old school AD FS Proxy role…

ADFS 2012 R2 Role Installation

Clicking next will then install the necessary bits.

ADFS 2012 R2 Role Installation Confirmation

Bits are being shuffled around…

ADFS 2012 R2 Role Installation In Progress

Shuffling has been completed, and the installation is complete.   You can launch the AD FS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.

ADFS 2012 R2 Install Role

Before starting the AD FS configuration wizard I already installed my 3rd party certificate and tested that it was correctly installed.

Additionally a service account called ADFS-Service  was also pre-created.

The wizard also states that you must have access to Domain Admin (DA) credentials!

Note that you are only given the option either to make a new AD FS farm or to add this box to an existing farm.  This saves the painful issue from older AD FS builds where, if AD FS was not installed into a farm, you were unable to add a second AD FS server for redundancy.  In that case you had to build a net new farm.

ADFS 2012 R2 Install Welcome Screen

Provide your domain admin credentials.

ADFS 2012 R2 Install Connect To AD

We need to select the SSL certificate that we will use and also provide the AD FS name we selected in the design process.

In this case the name is   -- note that there is no concept of an InternalURL or ExternalURL for the AD FS namespace.  Clients will use the same name on the intranet and internet to locate AD FS.  Thus split DNS will make life simple!

Provide your chosen display name, and click next.

ADFS 2012 R2 Install Specify Service Properties

As mentioned earlier it is possible to use a GMSA as the AD FS service account.  A GMSA automatically rotates the service account’s credentials, and administrators never know its password.  Note that if you do want to use a GMSA, please review the required setup for this, noting the DC version requirements and the steps you must manually perform, such as creating the KDS root key with Add-KdsRootKey.

In this case a standard service account was used.

ADFS 2012 R2 Install Specify Service Account

Select the database configuration as per the design.

The Tailspintoys corporation will use WID.

ADFS 2012 R2 Install Specify Database

Review the options, and when happy pull the trigger!

ADFS 2012 R2 Install Review Options

For reference the PowerShell script is shown here:

# Windows PowerShell script for AD FS Deployment

Import-Module ADFS

# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

# The thumbprint below is the post's obfuscated value and the federation service name
# was left blank in the post; substitute your own certificate and AD FS namespace.
Install-AdfsFarm `
-CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
-FederationServiceDisplayName:"Tailspintoys STS" `
-FederationServiceName:"" `
-ServiceAccountCredential:$serviceAccountCredential   # final parameter, cut off in the post's screenshot; passes the credential captured above

The AD FS pre-requisite checks are done, and we can proceed to the configuration:

ADFS 2012 R2 Install Pre-Requisite Checks Completed

One coffee later, we have a shiny new AD FS server – whoo!!

ADFS 2012 R2 Installation Completed

We are not quite done yet, and there a couple of additional things to do!

Next Steps

AD FS Update(s)

Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

When multiple clients (over 200 clients) try to sign in by using an Active Directory Federation Services (AD FS) proxy, the AD FS proxy consumes 100% usage of the CPU. In this situation, the AD FS proxy performance is slow, and causes a delay that exceeds 10 seconds. This also causes STS to work under minimal load. Therefore, STS rejects the requests or serves only 5 to 10 requests per second.

Update 11-12-2014:  The above update 2948086 is now bundled in this rollup: May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Update 16-7-2014:  Other updates you may want to review are at the bottom of this post.

Update 4-11-2016  And you will also want to review this list of updates and fixes:  Updates for AD FS and WAP in Windows Server 2012 R2

DNS A Record

We must create the DNS record for the AD FS instance.  This maps to the AD FS namespace that we previously planned.  Create this A record in your internal DNS infrastructure.

Ideally you will have two AD FS servers for resiliency, in which case you will need to create a load balanced VIP for this service.  Please follow the steps for your specific LB device.  The DNS A record should resolve to the VIP.   For testing purposes, use a hosts file on a client to check out individual AD FS servers – do not try and just use the IP address of the box.


Once the DNS record has been created and propagated, ensure that it resolves correctly.

One thing to mention here: if you create a CNAME and point it at the server hosting AD FS, chances are that you will run into a never-ending authentication prompt situation.

In the below example the AD FS namespace is called and a CNAME was used to direct traffic to the AD FS server called    This will likely cause the client to obtain a Kerberos ticket for the incorrect name.

ADFS Name Resolution Using DNS CNAME Record

The easiest way to stop this is to use  a regular A record, like so:

ADFS Name Resolution Using DNS A Record

There is also an option contained in KB 911149  that some folks have mentioned.

Additional Steps

This topic covers additional steps to configure AD FS after you install the first federation server, including:

For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.


Verify Federation Service Metadata

Open Internet Explorer and navigate to your AD FS server’s federation metadata URL.

This will be something like the below, just change the FQDN to match your environment.

The result should show this:

Testing ADFS Federation Metadata

Verify AD FS Sign-In Page

Browse to the AD FS sign-in page and test that you are able to authenticate.

The URL will be similar to the below, again change the FQDN to match your organisation’s.

You should see the below, and be prompted to sign in:

ADFS 2012 R2 Sign-In Page

Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed-in.

If you want to have users be automatically signed-in then configure your browser settings to trust the federation server role by adding your federation service name (for example, to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.

ADFS 2012 R2 Enabling Automatic Sign-in For Local Intranet Zone
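The verification steps above (DNS record type, federation metadata, sign-in page) as one added PowerShell script; this is not code from the original post. The federation service name is a placeholder, and the two URL paths are the standard AD FS 2012 R2 paths that the post’s screenshots leave out.

```powershell
# Added example, not from the original post: post-install checks run from a
# domain-joined client. The federation service name passed at the bottom is a placeholder.
function Test-AdfsEndpoints {
    param([Parameter(Mandatory)][string]$FederationServiceName)
    $ok = $true

    # 1. DNS: the namespace must be an A record (to the server or the load balancer VIP).
    #    A CNAME to the server name makes clients request a Kerberos ticket for the wrong
    #    host and loop on credential prompts.
    $records = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop
    if ($records | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "$FederationServiceName is a CNAME; replace it with an A record."
        $ok = $false
    } else {
        $ips = ($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        Write-Output "OK: $FederationServiceName -> A record(s) $ips"
    }

    # 2. Federation metadata: anonymous GET of the well-known path; the entityID in the
    #    returned XML is built from the federation service name.
    $metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        [xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
        $entityId = $metadata.EntityDescriptor.entityID
        if ($entityId -like "*$FederationServiceName/*") {
            Write-Output "OK: metadata served, entityID = $entityId"
        } else {
            Write-Warning "Metadata served but entityID '$entityId' does not match the namespace."
            $ok = $false
        }
    } catch {
        Write-Warning "Federation metadata request failed: $($_.Exception.Message)"
        $ok = $false
    }

    # 3. Sign-in page: the IdP-initiated sign-on page. -UseDefaultCredentials lets .NET answer
    #    a Negotiate challenge with the logged-on user's Kerberos ticket, which only works when
    #    the HOST SPN for the namespace is registered correctly.
    $signInUrl = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignOn.aspx"
    try {
        $page = Invoke-WebRequest -Uri $signInUrl -UseBasicParsing -UseDefaultCredentials
        Write-Output "OK: sign-in page returned HTTP $($page.StatusCode)"
    } catch {
        Write-Warning "Sign-in page request failed: $($_.Exception.Message)"
        $ok = $false
    }
    return $ok
}

Test-AdfsEndpoints -FederationServiceName 'sts.tailspintoys.example'
```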

Once we are happy that the AD FS instance is functioning appropriately we can then move onto installing the AD FS proxy role (WAP).

This will be covered in the second post in this series, to prevent this one getting too long!



Comments (86)
  1. anonymouscommenter says:

    In part one we installed the ADFS server on our corporate network, and tested that it was working. Now

  2. anonymouscommenter says:

    Well then, here we are in part three already! Previously we: Installed ADFS 2012 R2 For Office 365 in

  4. anonymouscommenter says:

    Security is an integral aspect of running modern IT operations. There is a clear understanding that we

  5. anonymouscommenter says:

    Nice work

  6. anonymouscommenter says:

    Excellent just what I was looking for.

  7. anonymouscommenter says:

    The blog post on how to integrate Office 365 with Windows 2012 R2 ADFS raised an interesting question

  8. anonymouscommenter says:

    My configuration fails every time during the WID install and gives an error that the service cannot be started. I’ve even tried granting the service accounts log on as rights. Still no go.

  9. anonymouscommenter says:

    Excellent, worked a treat

  10. anonymouscommenter says:

    Good write-up but the word "leverage" is overused.

  11. @Adam – it’s in there 4 times to annoy one of my ex-colleagues. Bit of a history 🙂

  12. anonymouscommenter says:

    Rhoderick this is a great post. We just decided to look into ADFS. A curious question… Does ADFS 3.0 in 2012R2 allow for a single server setup? Meaning we wouldn’t have to deploy a server in the DMZ? We only have 100 users and don’t require a very
    complicated setup. Thanks for your time! 🙂

  13. anonymouscommenter says:

    Hey Rhoderick, your post helped me to just confirm a few differences between the ADFS 2.0 I have done in the past and the 3.0 I need to do now; very succinct thanks! Was a bit surprised when I scrolled down and thought to myself "Hey, I know that guy!"
    You came in for a review of our environment while I was working in Toronto once.

  14. Hi Hayden – it’s a small world innit 🙂 ?? Thanks for the shout out – much appreciated.

  15. Steven – not something I have ever done or thought of doing.


    The following AD FS requirements are for the server functionality that is built into the Windows Server® 2012 R2 operating system:
    • For extranet access, you must deploy the Web Application Proxy role service – part of the Windows Server® 2012 R2 Remote Access server role. Prior versions of a federation server proxy are not supported with AD FS in Windows Server® 2012 R2.

    • A federation server and the Web Application Proxy role service cannot be installed on the same computer.

    I’ll see if I can find some other references.


  16. anonymouscommenter says:

    Does O365 support ADFS 2.1 ?

  17. anonymouscommenter says:

    Mark – Yes, we are using ADFS 2.0 on Windows 2008 R2 servers with o365 and are looking into upgrading to ADFS 3.0 in the near future. The way I understand it, all versions of ADFS are supported by O365. Someone else can correct me if I am wrong on this.

  18. anonymouscommenter says:

    Hi Rhoderick,
    do I understand right that if we need to implement Office365 (Exchange Online) with SSO, we need 2 additional servers on-premise for the ADFS Server and ADFS Proxy roles?

    Thank You.

  19. randyjthomas says:

    This is really a great post and things went swimmingly for the installation. My only problem is verifying the ADFS using IE, I can’t get a web page to display. My question is, how can the server display a web page if IIS is not installed?

  20. Brian & Mark G. – Yes you can use that, but all of the shiny new features are in ADFS 2012 R2.

    Older ones are still listed in here, for example:


  21. Mindaugas – that would be the minimum recommended number of ADFS servers.

    If you wanted HA, then double that. If that is overkill for a small organisation, please look at the works with Office 365 programme as there are providers that will do this for you at a small fee per user per month.


  22. anonymouscommenter says:

    Hi Rhoderick,

    Deploying for a customer currently, I get the error "Unable to configure the private key store", but am unable to find any clues on the internet. Do you have any idea what can cause this?


  23. anonymouscommenter says:

    Sorted it, misconfigured firewall rule – LDAP wasn’t open from the network zone where the ADFS servers are located to the PDC Emulator. Added it to the rule and it’s installed.

  24. anonymouscommenter says:

    Ok that was easy enough – when I followed your guide…

  25. Thanks for the comment Mick – glad it helped!

    Andy – good you are up and running. After seeing a customer today with a 2008 R2 DC called "PDC" and the other DC called "BDC" it reminded me of the importance of the PDC emulator role even nowadays!


  26. anonymouscommenter says:

    Hi Rhoderick,

    Thanks for the write up. I currently have an on-premise ADFS 2.0 farm working with O365 and want to add an ADFS 3 server on Azure as a secondary server and then make it the primary. Besides setting up a VPN tunnel to Azure and the normal install and join ADFS
    farm steps are there any other configuration that I need to do or consider?


  27. anonymouscommenter says:

    Thanks mate

  29. anonymouscommenter says:


    Can you tell me if it’s possible to setup O365 with ADFS to allow a hierarchical login option? Meaning, the default option is to use certificate based authentication but if the end user does not have a smart card they have the option to use their LDAP user
    name and password as a secondary option?

  31. anonymouscommenter says:

    Rhoderick, kb/2948086 states "not applicable to your computer" when launched from a 2012r2 farm server. Has this been superseded by another update? Maybe I’m not awake yet?

  32. Tim – let me see what I can find on this.


  33. Mr Update (for lack of a better name, could be MRs but I’m guessing…. 🙂 )

    That will probably be the case, I suspect you just built a 2012 R2 server, have it fully patched and went to install that update?


  34. Looks like it is in here:

    May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2


  35. anonymouscommenter says:

    1 Introduction
    In this article we will look at upgrading ADFS servers

  36. anonymouscommenter says:

    Since SSO is now supported without ADFS, what are the advantages of continuing to use ADFS?

  37. anonymouscommenter says:

    In an organisation’s transition to Office 365, a very common scenario

  38. anonymouscommenter says:

    This is a link throw-down for the items that we discussed during a recent Office 365 workshop that I

  39. anonymouscommenter says:

    can we use self-signed certificate

  40. Please see the Certificates section in this post.


  41. Nuno – that is a good question. Have something in draft for you! Will publish it shortly.


  42. anonymouscommenter says:

    Great Blog. This helped me so much planning and finding the necessary requirements, and then finally implementing this in 10 minutes or less. Very much appreciated.

  43. anonymouscommenter says:

    I can browse to the federation metadata OK –

    For both adfs and sts, I’m using an A record and have my spn registered "host /" for service.adfs

    But displays a 404 every time!

    Please advise

  44. anonymouscommenter says:

    Never mind, with ADFS and Windows 2012 R2 the actual URL is

  45. anonymouscommenter says:


    Additional Hardware
    ADFS: Two clustered servers in the DMZ; two clustered servers behind the firewall


    Removing 3rd party advert.  If naming a vendor, please name 3 or none.


  46. anonymouscommenter says:

    Not a 3rd party advert, simply stating facts about ADFS server vs another product. Quite happy for you to address each challenge presented. However I’ll amend without naming the vendor if you so wish

    Additional Hardware
    ADFS: Two clustered servers in the DMZ; two clustered servers behind the firewall
    Un named product: None

    Firewall Reconfiguration
    ADFS: Requires hole in firewall
    Un named product: None

    Third-party certs
    ADFS: Required
    Un named product: None

    Support for additional SaaS apps
    ADFS: Requires individual configuration and debugging
    Un named product: Choose from a rich catalogue of pre-integrated apps

    Time to implement
    ADFS: 1-2 weeks for Office 365; days to weeks for additional apps
    Un named product: Less than an hour for Office 365 or any other app

  47. anonymouscommenter says:

    I’m on the my 3rd iteration of my EMS lab. Meaning, I had something up and running (twice) then tore

  48. anonymouscommenter says:

    Excellent article !!!

  49. anonymouscommenter says:

    Very nice and helpful article, Thanks. I am stuck in configuration wizard, where ssl certificate and Federation Service name is required. I have self signed certificate, when give that certificate, it does not respond and next option becomes disabled.

  50. Meraj – you must have a valid 3rd party certificate. It will not function with a self signed cert for the service communication certificate.

    Please read the certificate section above


  51. anonymouscommenter says:


    the confusion is related to the amount of information that I’ve read. (Dirsyn, ADFS 2.0 and Active Directory)

    I have two scenarios to understand what options I use.

    1 – Active Directory site with users who use the CRM / Office 365. Of the 300 members, only 20 use CRM / Office 365. They access both internally and externally, when they are at home office.

    – Basically, I thought of installing a server to use the dirsync that will synchronize users and passwords that are in Active Directory Azure (Office 365 / CRM)

    – Question 1: When I enable synchronization, I understand that it will create new users in Active Directory Azure, but these users already exist in Active Directory Azure. The risk that I have is that after synchronization, users already using the login Active
    Directory Azure have problems with CRM / Office 365.

    – Question 2: I can choose which users will be synchronized? Or must all be?

    – Question 3: Should I use ADFS in this scenario?

    2 – I am planning to migrate users of Group Wise to Office 365.

    – I’ve read the migration will be performed using the tool QUEST and will use simple forwarding SMTP.

    – Basically, I will enable Office 365, add the domain, install a server with dirsync and activate the licenses for users who use Office 365. Right?

    – However, the dirsync has some negative risk, such as the replication time password. Is not immediate. So researching started reading about ADFS. It seems that the configuration is simple ADFS, but from what I understand, all users, whether internal or external,
    need to go through ADFS and if it is unavailable, becomes a point of failure.

    – If I use ADFS, the login method in Office 365 will be the same using (@ Or should be done (domain login)?

    – Another point is the fact of using a proxy ADFS. I did not understand his job exactly. I was not sure whether I need it or not really.

    – Other information I read was about the ADFS Federation Gateway. I married confusion further.

    – I also read that some experts use ADFS 2.0 (Windows 2008 R2), but there ADFS 3.0 (Windows 2012). I do not know which one to use? What changes between the two.

    – My goal is: To enable users migrated to Office 365 using the same username and password from the local Active Directory.

    Thank you.

  52. G.R.V says:

    Great help.

  53. @Confused – you win the prize for the most questions ever in a blog comment 🙂

    Use the latest version of ADFS. Currently 2012 R2, it has the most features.

    There is no ADFS Federation gateway. There is MFG, but that is for Exchange really.

    If you already have user objects in a tenant, look at the soft match process.


  54. anonymouscommenter says:

    Internal and external domain UPNs are different:


    Do I need to setup split DNS for That domain only exists external and everything works just fine: www, OWA, Autodiscover, ActiveSync, etc….
    Its stated: "note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace. Clients will use the same name on the intranet and internet to locate ADFS. Thus split DNS will make life simple!", I’m a bit confused how this might affect
    name resolution for services: www, OWA,ActiveSync, etc….

  55. That’s because Exchange has the concept of internal and external URLs Rocky. ADFS does not, and only has a single namespace so you must have that same name available internal and externally .


  56. anonymouscommenter says:

    Ok. Understand that the namespace must be made available internally and externally. But, how do I make that namespace available internally to our domain users without potentially disrupting our other services (i.e;,,,, etc…)??????
    I’m assuming I create an internal DNS zone for and create a record with the internal IP of the ADFS proxy.

  57. anonymouscommenter says:

    Is the Service Principal Name "" possible as a principal name (NLB and ADFS are identical)? Our internal Outlook authentication is actually Basic and not Kerberos. What’s going wrong? Must I configure anything else?

  58. anonymouscommenter says:

    Thanks Excellent

  59. anonymouscommenter says:

    Thanks Excellent

  60. anonymouscommenter says:

    Great write-up! Just one comment…for the SSL cert, you want to mention that it needs to be a Legacy Key instead of a CNG Key.

  61. anonymouscommenter says:

    If I use DirSync to provide single signon do I need AD FS server?

  62. anonymouscommenter says:

    Thank you, great guide. So I actually try to connect a PIV smart card to Office 365 with ADFS 3.0 but it is not working. I have opened port 49443 and the following URL offers the x.509 option. When I put in the smart card it says the error "not reading". I reviewed the event viewer and this is the error:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    Relying Party:

    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
    at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
    at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
    at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

    I would like to know the steps to get our smart card recognised so it can validate in Office 365.

    Thank you

  64. anonymouscommenter says:

    Hi Rhoderick Milne,

    We have deployed an Azure AD Sync server, ADFS servers with HA using NLB and ADFS proxy servers with HA successfully. The details are below:

    Internal Domain : Crest.local

    Purchased Domain :

    ADFS Name space : sts.crest.local

    When we try to access on the intranet it routes to sts.crest.local, which is the ADFS namespace. Since it is the intranet, we are able to log in and SSO is working successfully.

    To access the same ADFS namespace over the internet we have purchased a public IP and have NAT-ed it to the NLB IP of the ADFS Proxy server.

    We have added a DNS Host A record for sts.crest.local pointing to the public IP.

    However, when we try to access com on the internet it is unable to route to the internal ADFS namespace (sts.crest.local).

    Kindly assist us.


  65. .local domains will never work over the Internet. That’s the whole point behind them.

    Use a publicly routable namespace.


  66. anonymouscommenter says:

    The year 2015 is almost done, and 2016 is upon us! As in previous years, I thought it would be interesting

  67. anonymouscommenter says:

    Good afternoon, please help me. I have set up ADFS 3.0 on our DC running Windows Server 2012 R2.

    I have DirSynced all our accounts to Office 365 and configured Single Sign On. I can redirect to our ADFS logon page; however, when it redirects to the ADFS logon page it is still asking for a password. I have AD synced to Azure also, and according to both domains they are federated for Single Sign On. I have assigned a wildcard certificate and made sure the domain exists everywhere. I also have the token certificates configured as ADFS makes them when it is set up. As far as I can see it should all work, however I still can’t get it to just bypass the logon and go straight into Office 365. It does log in manually absolutely fine using the UPN suffix. I have made sure all accounts have been updated to the UPN suffix I wish to use. I also have TMG 2010 configured as our Web Application Proxy, and when you do a test using the test connectivity page on Microsoft it all passes. I am just not sure what I could be missing to cause it not to log on automatically. Any help would be really appreciated.

    Thank you,


  68. Damien,

    If you follow the series of these 3 articles it will walk through all of the steps required.

    What do you mean you are using TMG as WAP?


    1. satya11 says:

      Hi, I don’t have an ADFS Proxy; while logging in to I am
      getting the error:
      Additional technical information:
      Correlation ID: 91383
      Timestamp: 20xx-0x-x8 21:49:48Z
      AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials

  69. Majid Khan says:

    Great post, but I have a few questions:
    Everything was successfully installed and configured as expected, but there is one issue: when I try to log in using the credentials of the on-premises mailbox via the federated page, it says “we do not recognize this user id and password. Be sure to type the password correct…..” I need to know why this issue is occurring, since I am using the correct password. Second question: do I need to set up Azure AD Connect for password synchronization? Will be waiting for your reply.

  70. Sujithkumar says:

    I am getting the following error while adding ADFS role :
    An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.

    I tried to manually register the SPN for the ADFS user:
    setspn -a host/******.*****.com *****\user –> it says already registered
    Then I tried to unregister using the following:
    setspn -D host/******.*****.com *****\user ->> it shows unregistered, but when I try to re-register it again says duplicate found
    I do know that setting up the SPN will be done by the ADFS wizard itself, but why is it not working in my case?

    1. This is not right.

      Check AD replication; you can use something like the AD Replication Status Monitor.

      Then check for duplicate SPNs. The newer versions of setspn.exe can do this quite easily:

      setspn -X
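      As an added example (not the author’s own code), a PowerShell check that lists every account holding the federation service host SPN before you fall back to the forest-wide setspn scan; it assumes the RSAT ActiveDirectory module and uses the placeholder name sts.contoso.com:

```powershell
# Added example: find every AD account that holds the ADFS host SPN.
# Assumes the RSAT ActiveDirectory module; sts.contoso.com is a placeholder name.
Import-Module ActiveDirectory

function Get-SpnHolders {
    param([Parameter(Mandatory)][string]$Spn)
    # One LDAP filter covers users, gMSAs and computer objects alike.
    $filter = "(servicePrincipalName=$Spn)"
    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, objectClass |
        Select-Object DistinguishedName, objectClass
}

$fsName  = 'sts.contoso.com'          # placeholder federation service name
$holders = @(Get-SpnHolders -Spn "host/$fsName")

switch ($holders.Count) {
    0 { "No account holds host/$fsName; the ADFS wizard can register it." }
    1 { "host/$fsName is registered once, on $($holders[0].DistinguishedName)" }
    default {
        "Duplicate SPN host/$fsName found on $($holders.Count) accounts:"
        $holders | Format-Table -AutoSize
        # Same check setspn offers; -F widens the duplicate scan to the whole forest.
        setspn -X -F
    }
}
```

      Run it on a writable DC or a machine with RSAT after replication has converged, otherwise a stale partner can still report the SPN you just removed.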


  71. We have followed this post and were successful in the implementation. I have a question though. Is it possible to change the password for the service account used? I know that the recommendation is to set the account to “never expires”, but our client wanted to change the password. Can you advise on the recommended steps that we can follow? Thanks in advance.

    1. Hi James,

      Yes – that is doable. Let me finish off a draft post and publish that for you.


        1. Mrx says:

          Hi Rhoderick. Great article on setting up ADFS, although I have some problems setting up SSO. When browsing to the address I am always asked to enter my credentials, even though I have added the ADFS address to the local intranet zone. Any idea why?

          1. Yes – Draft post to get finished. Let me try and get that done in the coming days.


  72. Anon89 says:

    The link in this article to set up the AD FS Proxy is broken!

    1. Thanks! Have updated the link.

      The permalink was pointing to the wrong place; the content was there on the full path:

      And also via the tag cloud on the right hand side.


  73. mc cabs 77 says:

    I’m trying to complete the post-deployment configuration – the ADFS role is installed!
    Certificate imported, gMSA set up, pre-reqs ticked, but when I click Configure I get ..
    "The parameter is incorrect" .. show more .. does not show more .. any ideas? :-/ .. thanks
    nice blog btw ..

  74. ntspiros says:

    Hello Rhoderick,
    Excellent article, thank you very much!
    I have a really tricky question:
    If I have an internal AD domain name, let’s say
    but the external publicly routable domain name is
    can the federation service name be different from the AD domain name?
    i.e. can it be : ? instead of
    and the public certificate contain these values :
    Will everything work OK?
    The server configuration is internally two ADFS servers behind a load balancer, and in the DMZ two WAP servers, again behind a load balancer.

Comments are closed.
