How To Install AD FS 2012 R2 For Office 365–Part 2

In part one we installed the AD FS server on our corporate network, and tested that it was working.

Now we need to make the AD FS infrastructure available to the Internet in a secure fashion, so that Office 365 will be able to contact the AD FS proxy to authenticate user requests.

In part three we will add the AD FS infrastructure to the Office 365 configuration.

Planning And Prerequisites

Install And Configure AD FS Proxy OS

In this installation, the AD FS proxy server will be placed into the DMZ and installed as a workgroup machine, since the TailspinToys organisation does not possess a separate management forest in the DMZ. Ensure the machine is built as per your standard build process, is secured, and has all Microsoft updates installed.

You will want to install the April 2014 Windows 2012 R2 update to light up additional pieces of AD FS functionality, but we will save that for a later blog post. If you do want to take a peek at this now, the PFE Platform folks are rocking it over here – please subscribe to their RSS feed too!

Install And Verify Certificate

As discussed in part one, you will need a certificate from a trusted third party. Check with the CA that you are permitted to install the certificate onto multiple servers, as some license agreements block this. This is something that you must confirm directly with the CA.

If you are allowed to reuse the certificate from the AD FS server, this simplifies matters; otherwise you will require an additional certificate. The name must match the AD FS namespace that you selected through the AD FS design process.

Name resolution

Since the AD FS proxy will be in a network that may not have access to the internal DNS zone information, ensure that it is able to resolve the AD FS namespace to the internal AD FS infrastructure. A swift update to the local hosts file may suffice; just remember to add this to your build documentation.

External DNS Record

Create an external DNS record for the AD FS proxy server. This A record will exist in the external DNS zone if you are using split DNS. In the TailspinToys enterprise (cough, cough, this lab) the internal DNS zone is held in AD-integrated DNS zones. The external zone is at a commercial ISP, so the external DNS record was created at the commercial ISP and resolves to the external IP of the AD FS proxy infrastructure when I am at Starbucks.

As with the internal AD FS farm, there should be multiple WAP servers in the DMZ. They should be load balanced, and the DNS record should resolve to the VIP.

Open Firewalls

Having the external DNS record point to the AD FS proxy's external IP address will not allow traffic to flow unless the firewalls are configured to do so. In enterprises the AD FS proxy server will be installed into a DMZ, so there will be an internal and an external firewall. Both must be opened to allow SSL traffic over TCP port 443. In addition to this, the servers will also need access to the CRL distribution points on the Internet to verify certificate validity. This will be over HTTP using TCP port 80.

Exchange administrators should be used to this by now, as they have seen Exchange updates take a long time to install on Exchange servers that do not have access to In the case of AD FS, the server should be able to reach the CRLs of external CAs.

The AD FS server will require access to the Internet in order to complete the configuration of the solution (in the third post of this series). This may be an issue if your servers are behind a proxy solution.
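The three prerequisites above (hosts-file resolution to the internal farm, TCP 443 through the internal firewall, and CRL reachability over TCP 80 through the external firewall) can all be checked from the WAP machine before the wizard is run. The following is an added example, not code from the original post; the federation service name sts.tailspintoys.com and the internal AD FS VIP 10.0.0.10 are constructed placeholders, and it assumes the AD FS certificate is already in the local machine store.

```powershell
# Added pre-flight checks for the WAP host. Placeholders: $fsName and $adfsVip are constructed.
$fsName    = 'sts.tailspintoys.com'
$adfsVip   = '10.0.0.10'
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Name resolution: a workgroup WAP in the DMZ must map the AD FS namespace to the INTERNAL farm,
#    not to the public VIP it will itself sit behind. Add a hosts entry only if one is not already there.
$pattern = "\s$([regex]::Escape($fsName))\s*$"
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$adfsVip`t$fsName"
}
$resolved = [System.Net.Dns]::GetHostAddresses($fsName) | ForEach-Object IPAddressToString
"{0} resolves to {1}" -f $fsName, ($resolved -join ', ')
if ($resolved -notcontains $adfsVip) { Write-Warning "Expected $fsName to resolve to $adfsVip" }

# 2. Internal firewall: the only port WAP needs towards the AD FS farm is TCP 443.
$tcp = Test-NetConnection -ComputerName $fsName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 443 to $fsName is blocked - check the internal firewall" }

# 3. External firewall: the CRL distribution points of the certificate chain must be reachable over HTTP.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName found in LocalMachine\My" }

$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
$crlUrls = [regex]::Matches($cdpExt.Format($false), 'http://[^\s,)]+') | ForEach-Object Value
foreach ($url in $crlUrls) {
    try {
        $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "CRL reachable: $url"
    } catch {
        Write-Warning "CRL NOT reachable: $url ($($_.Exception.Message)) - check outbound TCP 80"
    }
}

# Let the OS build the full chain with revocation checking; $false here means the wizard will also fail.
"Chain and revocation check: {0}" -f $cert.Verify()
```

Run it elevated, since writing the hosts file requires administrator rights. `Verify()` walks the whole chain, so it also catches an intermediate CA whose CRL sits at a URL not listed on the leaf certificate.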

Installing Web Application Proxy

Let’s fire up the Add Roles Wizard from Server Manager!

Windows 2012 R2 Add Roles And Features Wizard

As noted in the previous post, there is no longer a separate AD FS proxy role in Windows 2012 R2.  The Remote Access feature provides VPN, Direct Access and Web Application Proxy (WAP) functionality.  It is the latter that we need to install.

Select Remote Access and let’s go find the droids we are looking for…

Installing Windows 2012 R2 Remote Access Role Service

Unless you want to add any features, like Telnet Client * for troubleshooting purposes later, click Next.

Installing Windows 2012 R2 Remote Access Role Service

The Remote Access role selection process starts. Unlike in days of old, when installing a feature would install all of the bits (and by extension all of their potential vulnerabilities), Windows now wants to install only the bare minimum. This is a paradigm shift compared to the early days of IIS, where it would install everything and you then had to spend time stripping stuff back out. Index extension attack anyone?


In our case we just want to install the Web Application Proxy role service, so select that and click Next.

Windows 2012 R2 Select Remote Access Role Service

Confirm the choice, and then install.

Windows 2012 R2 Confirm Remote Access Role Service

Once the necessary WAP role services are installed, we are then able to launch the Web Application Proxy Wizard to configure WAP.

Windows 2012 R2 Remote Access Role Installation Complete

Configure Web Application Proxy

We need to configure WAP with the necessary information so that it knows it will be publishing our internal AD FS server and how to reach it.

Configure 2012 R2 Web Application Proxy For ADFS

The screen below is where most configuration issues arise with this process. A lot of folks interpret the Federation service name as the display name of the AD FS server. That will not get you very far, unfortunately…

Windows 2012 R2 ADFS Proxy Configuration - Beware Federation Service Name

The federation service name field does NOT want you to enter the display name of the AD FS server farm. The display name in the previous example was “Tailspintoys STS”, and this can be checked by looking in the AD FS console:

Server 2012 ADFS Role Properties - Showing Display Name And Federation Service Name

If you look closely at the AD FS properties, the federation service name is actually the FQDN of the service. In our case this is so let’s enter that, along with credentials for the AD FS server, so that the proxy is able to access AD FS.

Windows 2012 R2 ADFS Proxy Configuration - Federation Service Name Correctly Filled In

In the same way that we require an SSL certificate on the AD FS server, the same is true on the WAP, as clients will establish SSL sessions to this machine. WAP will then use an SSL session to the internal AD FS server on TCP 443.

Since the certificate was installed and verified as part of the preparatory work, we select it and move on.


Verify the details, and click configure.

Windows 2012 R2 ADFS Proxy Configuration Verify Details

The wizard starts to configure the AD FS proxy.

Windows 2012 R2 ADFS Proxy Configuration Starting...

And shortly thereafter completes!

Windows 2012 R2 ADFS Proxy Configuration Complete
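The wizard steps above map onto two cmdlets from the Windows Server 2012 R2 Remote Access and WebApplicationProxy modules, which is handy when building the second WAP node or scripting the DMZ build. The following is an added example, not code from the original post; the federation service name sts.tailspintoys.com is a constructed placeholder, and it assumes the certificate has already been installed as described under "Install And Verify Certificate".

```powershell
# Added scripted equivalent of the Add Roles and Web Application Proxy wizards. $fsName is a placeholder.
$fsName = 'sts.tailspintoys.com'

# 1. Install only the Web Application Proxy role service of Remote Access (no VPN or DirectAccess bits),
#    plus the Remote Access Management console used for the operational status checks later on.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# 2. Pick the SSL certificate by the federation service NAME (the FQDN), never by the farm display name.
#    It must carry a private key and chain to a trusted root, or the trust with AD FS will not establish.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)          { throw "No certificate with a private key for $fsName in LocalMachine\My" }
if (-not $cert.Verify()) { throw "Certificate for $fsName fails chain or revocation checking" }

# 3. Credentials of an account that is a local administrator on the AD FS server. They are used once,
#    to establish the proxy trust, and are not stored on the WAP afterwards.
$cred = Get-Credential -Message "Account that is a local administrator on the AD FS server"

# 4. The same three inputs the wizard asks for: service name, trust credential, certificate thumbprint.
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $cred `
                            -CertificateThumbprint $cert.Thumbprint

# 5. Sanity check: the proxy's view of the federation service it is fronting, and the bound certificate.
Get-WebApplicationProxyConfiguration | Format-List
Get-WebApplicationProxySslCertificate
```

If step 4 fails with a trust error, the usual causes are the ones the post calls out: the display name entered instead of the FQDN, the name not resolving to the internal farm from the DMZ, or TCP 443 closed on the internal firewall.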

Verifying AD FS Proxy Installation

At this time we should have a functional AD FS proxy server that is able to provide Internet-based users with access to our AD FS server’s authentication services. But as always, we need to test!

To open up the Remote Access management console, use the Remote Access Management shortcut in administrative tools.

If you have launched this immediately after installing the AD FS proxy, it may take a few seconds or a refresh to show up. The other top tip is not to look for a published web app. Remember that WAP can be used to publish various applications to the Internet, but in this case we only want to use the base AD FS proxy components.

To check that the AD FS proxy is running, click Operational Status in the left-hand tree:

Server 2012 R2 Remote Access Management Console

Selecting the operational status will then show how the AD FS proxy is currently running. You can also jump to Perfmon or Event Viewer from this node.


Should the AD FS proxy have an issue the console will light up like a Christmas tree.  In this case I deliberately stopped the “Active Directory Federation Services” service on the AD FS proxy, please click to enlarge the image:

Less Than Happy ADFS Proxy Server

And as expected, with the AD FS proxy crippled, users will not be able to authenticate, even if they try an alternative browser!

No ADFS Love Here For You!

Even though the Windows service is named the same on both the AD FS server and the AD FS proxy, note that the executable path is different:

Server 2012 R2 ADFS Proxy Service Details

Server 2012 R2 ADFS Server Service Details

Verify AD FS Proxy Configuration

In Event Viewer on the AD FS proxy, open the Applications and Services Logs and check that the proxy is able to retrieve its configuration from the AD FS server. This can be seen here, click to enlarge:

ADFS Proxy Application And Services  Event Log

With the full event details shown here:

Server 2012 R2 ADFS Proxy - Retrieving Configuration From ADFS Server

Verify Federation Service Metadata

Using the same URL as before, open Internet Explorer and navigate to your AD FS server’s federation metadata URL.

This will be something like the below, just change the FQDN to match your environment.

The intent here is to ensure that we are able to get to the site externally.  If you are not able to see the AD FS text rendered in the browser, start with ensuring that the firewalls are not dropping traffic.


Verify AD FS Sign-In Page

Browse to the AD FS sign-in page and test that you are able to authenticate.

The URL will be similar to the below, again change the FQDN to match your organisation’s.

You should see the below, and be prompted to sign in:

(Note that I did not full screen the window before grabbing capture else it would be too small)

Sign In To The Tailspintoys STS

Clicking the Sign In button will prompt for credentials:

Sign In To The Tailspintoys STS

If you successfully authenticate then you will be rewarded with this stellar screen:

Now Signed  In To The Tailspintoys STS

And if you are unable to type a password (like me doing demos) then you will get this less than stellar result:

OOOOpseys -- Signed  In Failed  To The Tailspintoys STS
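The verification steps above (service state and binary path, operational status, the configuration-retrieval event, and the externally reachable metadata and sign-in URLs) can be repeated from a console so they can be rerun after every change. The following is an added example, not code from the original post; the federation service name sts.tailspintoys.com is a constructed placeholder, and the two URL paths are the standard AD FS federation metadata and IdP-initiated sign-on endpoints rather than anything taken from the post's screenshots.

```powershell
# Added verification checks. $fsName is a constructed placeholder; replace it with your federation service name.
$fsName = 'sts.tailspintoys.com'

# 1. The service is called adfssrv ("Active Directory Federation Services") on BOTH roles; only the
#    PathName tells you whether you are looking at the proxy binary or the federation server binary.
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" |
    Select-Object DisplayName, State, StartMode, PathName | Format-List

# 2. What the Remote Access console shows under Operational Status, and the proxy's stored configuration.
Get-WebApplicationProxyHealth
Get-WebApplicationProxyConfiguration | Format-List

# 3. The AD FS Admin log on the proxy: the event confirming the configuration was retrieved from the
#    federation server lands here, as do the errors when the trust or the TCP 443 path is broken.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 25 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap -AutoSize

# 4. Run this part from OUTSIDE the corporate network (the Starbucks test): both endpoints must answer
#    over HTTPS through the external DNS record, the VIP and the external firewall.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$signInUrl   = "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
foreach ($url in @($metadataUrl, $signInUrl)) {
    try {
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0} -> HTTP {1}" -f $url, $response.StatusCode
    } catch {
        Write-Warning ("{0} -> {1} (start with the firewalls, then external DNS)" -f $url, $_.Exception.Message)
    }
}

# The metadata is XML; its entityID should name the federation service, which proves you reached AD FS
# through the proxy rather than some other site answering on that name.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
"entityID: {0}" -f $metadata.EntityDescriptor.entityID
```

Steps 1 to 3 run on the WAP itself; step 4 only proves anything when run from a machine that is not on the corporate network, otherwise you are testing the internal farm rather than the proxy path.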

In part three we will finish this off, and instruct Office 365 to leverage the shiny AD FS infrastructure to authenticate users.



* – Not having the Telnet Client by default always grates. In the same way, Explorer file options are always set to hide the good stuff like file extensions, system files and their ilk.

Comments (47)

  1. anonymouscommenter says:

    Well then, here we are in part three already! Previously we: Installed ADFS 2012 R2 For Office 365 in

  2. anonymouscommenter says:


  3. anonymouscommenter says:

    When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate

  4. anonymouscommenter says:

    Thanks for this tutorial. I have managed to successfully set up our environment using your steps as guidance. However, I have one question. Why do I get a credentials pop up windows when I click on "Sign In" ? Why dose it not ask me to sign in on the same
    page like above? how can I change this behaviour? thanks

  5. anonymouscommenter says:

    In a similar DNS configuration as yours, internal being AD integrated and external via ISP how would you configure DNS for a 2 site (1 ADFS and 1 WAP pair on each side) ADFS cluster without access to a load balancer?

  6. Hi Steve – can you elaborate on this a bit more please?


  7. Hi Eugene,

    Assuming that you have no GLB, then you are going to have to manually do what such devices do and that is to change the DNS records yourself. So set a low TTL on them and make sure you can get to the ISP DNS portal 🙂


  8. anonymouscommenter says:

    Just resolved an issue configuring WAP, which ended up with a call to MS Support.

    Turns out that there is a timeout on the WAP configuration, which can be triggered if ADFS doesn’t complete its checks in a timely manner. When initiating the Proxy configuration, ADFS checks with each DC in the Domain to see if the DRS service has been registered.
    If it can’t contact a DC, it waits for the TCP session to timeout, which by default is 3 seconds, and then moves on to the next. If there are many DCs that are not contactable (not necessarily unusual in a large global AD environment), the aggregate of the
    TCP timeouts causes the WAP configuration to timeout. Changing the timeout value with NETSH, in my case to 500ms, allowed the configuration to complete.
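Before lowering a host-wide TCP timeout as described in the comment above, it is worth finding out which domain controllers the AD FS server actually cannot reach, since those are the root cause. The following is an added example, not the commenter's or the post's own code; it is meant to run on a domain-joined AD FS server, uses TCP 389 (LDAP) as a stand-in reachability probe because the comment does not say which port the DRS check uses, and the 500 ms value is simply the one the commenter reports.

```powershell
# Added diagnostic: list every DC in the current domain and test TCP reachability from the AD FS server.
# Port 389 is an assumed probe port, chosen only because every writable DC listens on it.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcNames = $domain.DomainControllers | ForEach-Object Name

$results = foreach ($dc in $dcNames) {
    $probe = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc
        RemoteAddress    = $probe.RemoteAddress
        Reachable        = $probe.TcpTestSucceeded
    }
}
$results | Sort-Object Reachable, DomainController | Format-Table -AutoSize

$unreachable = @($results | Where-Object { -not $_.Reachable })
"{0} of {1} DCs unreachable; at the default 3 s initial RTO that is roughly {2} s of waiting" -f `
    $unreachable.Count, $results.Count, ($unreachable.Count * 3)

# Current TCP global settings, including initialRto (the value the commenter changed).
netsh interface tcp show global

# Only if the unreachable DCs cannot be fixed or the firewall rules amended: lower the initial
# retransmission timeout. This is a host-wide setting that affects every new TCP connection, so
# it is left commented out here rather than applied automatically.
# netsh interface tcp set global initialRto=500
```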

  9. anonymouscommenter says:

    Hi Andy

    Where did you change the TCP time out value? I get the error Time out has expired and the operation has not been completed.

    Has anybody come across this before?

  10. anonymouscommenter says:

    I have a small client (under 30 users) who is moving away from SBS 2011 to Office 365 and a single DC that is on-site for file sharing and AD (WSUS, DNS, DHCP, File Services). The server is replicated to a DR site with Veeam so while a single server can
    be a problem in an outage it is not a major concern at this time. The goal is to use ADFS to sync the users for Office365 after we retire the SBS server. It is not clear if I HAVE to build additional servers for ADFS or if in this small of an environment I
    can install everything on the single DC. Have you tried this config or is there a specific reference that it WILL NOT work? Thanks for your help.

  11. Hi Mark,

    ADFS will not sync the users to O365. That is what DirSync or AADSync will do.


  12. anonymouscommenter says:

    Hi Rhoderick

    Great series of tuts!

    One thing I can’t find in any documentation is whether good-ol’ Windows NLB will work with WAP in this case. Have you, by any chance, tested that?



  13. anonymouscommenter says:

    I cannot install web application proxy and AD Federation on same server….

  14. Dave – no. Separate machines.

    To do ADFS properly we are looking at a minimum of 4 servers. Two ADFS servers, and two proxies.

    That may not be desired for smaller orgs, so please look at either:
    DirSync with password sync
    3rd party identity providers


  15. Hi Sven,

    That is not something that I have tested, all recent deployments have used LB devices.


  16. anonymouscommenter says:

    always enjoy your posts
    and jokes aren’t bad either:)

  17. anonymouscommenter says:

    1 Introduction
    In this article we will deal with upgrading the ADFS servers

  18. anonymouscommenter says:

    Sven, I’ve just read documentation and it says it is supported.

    Web Application Proxy does not include integrated load-balancing functionality. If you plan to deploy multiple Web Application Proxy servers, you should consider deploying a load-balancer to ensure that the external traffic is distributed evenly between Web
    Application Proxy servers. You can use any hardware or software load-balancer that supports HTTP and HTTPS, including Windows Network Load Balancing.

  19. anonymouscommenter says:

    This is a link throw-down for the items that we discussed during a recent Office 365 workshop that I

  20. anonymouscommenter says:

    I’m on the my 3rd iteration of my EMS lab. Meaning, I had something up and running (twice) then tore

  21. anonymouscommenter says:

    In the Tailspintoys environment, the administrator (moi) was a bit slack. They let the ADFS 2012 R2 proxy

  22. anonymouscommenter says:

    Hi Rhoderick,
    What address do I put for the External DNS for web proxy?
    Thanks, BJ

  23. This will depend upon how you are publishing that to the internet.

    Ultimately it needs to be the external IP for your server/publishing mechanism.


  24. anonymouscommenter says:

    Just a quick question, the certificates you use is did you get it to resolve the website to

  25. anonymouscommenter says:

    @sky it’s possible he could be using a SAN cert which allows up to 5 alternate names for the certificate. Then in DNS, you point FQDN to the same IP address.

  26. Hi folks,

    I used these examples in the first of these three blog posts, and above.

    I should be used consistently in the post above. It will be in the address bar of all the IE windows.

    Apart from the couple of examples. where do you see the STS. coming through please?


  27. Hi Don – the ADFS certs in this lab have been single name certs IIRC.

    Load up into the browser and take a peek. I don’t recall ever making them as a SAN cert. They will have been renewed, but as
    like for like.


  28. anonymouscommenter says:

    Web proxy is configured and shows all "green" status!
    Question: Does 443 need to be opened to WEP for any? Or Is it 443 on WEP from Office 365 IPs?

  29. anonymouscommenter says:

    Thank you for the excellent ADFS articles!

    We currently have ADFS 2.0 deployed (on w2008r2 machines) with our Office 365 setup.
    We only have 2 ADFS servers and instead of proxies we use a hardware Citrix NetScaler 7500 device (a great load balancer and gateway).
    The NetScaler was deployed for different reasons but we leverage it so we don’t have to deploy and maintain 2-3 more servers.
    Everything is working fine like this.

    My manager suggested that we upgrade to ADFS 3 (on 2012r2) but I have some concerns:
    – to avoid downtime can we have ADFS 2.0 and ADFS 3.0 machines coexisting in our setup?
    – would it be possible to deploy the 2 new ADFS 3.0 machines into the same farm, get them to be in the same federation setup, then simply shut down and decommission the ADFS 2.0 machines?
    – as per Dominic’s post above, "You can use any hardware or software load-balancer that supports HTTP and HTTPS…" – does this mean we can leverage our NetScaler device and do everything with it and just a pair of ADFS 3.0 servers (without any WAP servers)?
    Personally, I don’t see any benefits from ADFS 3.0 for our current needs but I assume it will be at least future proof and will run on 2012r2 machines…


  30. anonymouscommenter says:

    By chance is it possible to have the ADFS Proxy server in the same Domain and VLAN as the Service Server? I’m working through this install and I run into an Operation timeout error. I checked the Firewalls and DNS records are in place.

  31. Lukas – check what you are putting into the dialog box when specifying the ADFS server please. Does that name resolve, and the certificate you installed is a valid trusted certificate?


  32. anonymouscommenter says:

    I’ve checked the dialog box and I’m using a 3rd party trusted certificate. I’ve moved the ADFS Proxy server to a Public DMZ and turned it into a workgroup machine. I’m receiving what sounds like the Service Server is closing the connection when trying
    to establish the trust between the Proxy and Service Servers.

  33. Run a netmon when attempting this on the ADFS server and WAP. What traffic patterns do you see there?


  34. anonymouscommenter says:

    Is having the WAP on the ADFS Service necessary? Or does it just need to be on the Proxy server?

  35. anonymouscommenter says:

    I also see that when I try establishing a trust that the Proxy is making a certificate. By chance does that need to be placed on the Service Server?

  36. anonymouscommenter says:

    I ran the Network Trace and apparently the Proxy server isn’t accepting connections on port 443. Is there another port that the WAP would be using to create the trust?

  37. No – only 443 TCP is needed between WAP and ADFS server.

    if you run a separate instance of NetMon on the ADFS server at the same time, do you see the traffic coming in from the WAP server?

    On the ADFS server does netstat -ano show a binding for TCP 443 on ?


  38. anonymouscommenter says:

    Traffic is going to the Proxy but it is refusing it. It’s telling me that it sent a rejection from the ADFS service. But after looking at the Network trace it’s like it is rejecting that port on the Proxy server.

  39. anonymouscommenter says:

    Thanks for the tutorial, I think I have followed it all step-by-step, and have successfully migrated the ADFS 2.0 to ADFS 3.0, but I cannot make the proxy work

    Any common / known issues with the proxy setup?

  40. anonymouscommenter says:

    Everything is green, both on the event viewer and the remote access operation status, also, telnet to 443 works, so i assume i can discard the connectivity part

  41. anonymouscommenter says:

    This is a great article, I have manged to setup Two ADFS servers in my production domain and 2 WAP servers in the DMZ and all working great with office365. Question I had, is it possible to use the current WAP servers in the DMZ to connect to another domain
    that has ADFS servers built and configured.

    Or do I need separate WAP servers to connect to a different ADFS configuration in a different domain. I have looked at publishing on the current WAP servers but get the feeling it will overwrite the existing configuration for my ADFS production domain leveraged
    with Office 365.

    Any help or feedback would be greatly appreciated.

  42. anonymouscommenter says:

    The year 2015 is almost done, and 2016 is upon us! As in previous years , I thought it would be interesting

  43. Assume the same cert can be used in ADFS and Proxy server ?

    1. Yes – and that is certainly recommended.


  44. Luis says:

    Hi Rhoderick,

    it is unclear, how did you solve the problem you mentioned (quoted next): “And as expected with the AD FS proxy crippled users will not be able to authenticate, even if they try an alternative browser!” ?

    1. Hi Luis,

      That was an example to show that the WAP does not stand alone and relies on AD FS for the capability to authenticate.

      This is the previous line:
      In this case I deliberately stopped the “Active Directory Federation Services” service on the AD FS proxy, please click to enlarge the image:

