Test post with pictures from Word

The AD FS role in Windows Server 2012 R2 provides simplified, secure, claims-based identity federation and web single sign-on (SSO) for users who need to access applications inside an AD FS-secured enterprise, at federation partner organizations, or in the cloud.

AD FS has changed considerably in Windows Server 2012 R2. The main improvements are:

  • AD FS is a role service in Windows Server 2012 R2; it is no longer a separate download and no longer depends on IIS.
  • Support for multi-factor authentication, which can be applied globally or per relying party.
  • A new Device Registration Service (DRS) that registers non-domain-joined devices with the corporate Active Directory, known as Workplace Join. A workplace-joined device sits between a domain-joined computer and a workgroup computer. The service must be enabled manually after AD FS is installed, and the AD FS certificate must carry the DRS name (enterpriseregistration.<UPN suffix>) as a subject alternative name. Device authentication can then be used as a second factor, so that an application is only reachable from workplace-joined devices.
  • Web Application Proxy replaces the AD FS Proxy for publishing the federation service to external clients. In Windows Server 2012 R2 it is a role service of the Remote Access role: install Web Application Proxy and enable the AD FS proxy functionality there. Apart from fronting AD FS, Web Application Proxy is a general reverse proxy for other web applications, a function previously provided by Forefront TMG.
  • Password change from workplace-joined devices.
  • New PowerShell cmdlets for the federation server and the proxy.

Prerequisites. Before you install the AD FS service, make sure the following are in place:

Certificate

You need a certificate for the AD FS service issued by a CA that the clients trust (for external clients that usually means a public CA). The certificate must contain the following names:

Subject Name (CN): adfs1.contoso.com (or whatever name you choose for the federation service)

Subject Alternative Name (DNS): adfs1.contoso.com

Subject Alternative Name (DNS): enterpriseregistration.contoso.com (the name clients use to reach the Device Registration Service; one such entry is needed for every UPN suffix in use)

Install this certificate, with its private key, on the federation server and on the Web Application Proxy server: the proxy terminates TLS for the same federation service name.

AD FS service account

Create a group managed service account (gMSA) to run the AD FS service (the configuration wizard can also create one for you). A gMSA is preferable to an ordinary domain user because its password is rotated automatically and never has to be known to an administrator; it requires at least one Windows Server 2012 domain controller and a KDS root key. This demo uses a gMSA named FSGMSA.

DNS service records

Create an A record for the federation service name that points to the AD FS farm (its load balancer) or to the standalone AD FS server. Prefer a dedicated name over a server's hostname, so that the farm can grow later and the service SPN does not collide with a computer account.

Create a CNAME (alias) record for the Device Registration Service, i.e. enterpriseregistration.contoso.com, that points to the federation service name.

Make sure the federation server and the Web Application Proxy can resolve each other. The proxy must resolve the federation service name to the internal federation server rather than to itself (a hosts-file entry on the proxy is the usual way to do this).
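The following PowerShell script, added here and not part of the original post, sets up and checks the three prerequisites in one go. It keeps the post's domain, gMSA name (FSGMSA) and DRS name (enterpriseregistration.contoso.com), but uses fs.contoso.com as the federation service name rather than the hostname of the first server, for the SPN reason given above; the DNS server dc1.contoso.com, the farm members adfs1 and adfs2 and the address 10.0.0.21 are likewise assumptions. Run it as a Domain Admin on a machine with the Active Directory and DNS Server PowerShell modules.

```powershell
# Added example, not from the original post. Assumed names (adjust to your
# environment): federation service fs.contoso.com, DRS name
# enterpriseregistration.contoso.com, gMSA FSGMSA, DNS server dc1.contoso.com,
# farm members adfs1 and adfs2, farm IP 10.0.0.21.
Import-Module ActiveDirectory, DnsServer

$fsName    = 'fs.contoso.com'
$drsName   = 'enterpriseregistration.contoso.com'
$zone      = 'contoso.com'
$dnsServer = 'dc1.contoso.com'
$farmIp    = '10.0.0.21'
$farmHosts = 'adfs1', 'adfs2'

# Prerequisite 1: certificate. Look in the machine store for a certificate
# with a private key whose subjectAltName extension (OID 2.5.29.17) lists
# both the federation service name and the DRS name.
function Get-AdfsCandidateCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san -or -not $_.HasPrivateKey) { return $false }
        $text = $san.Format($true)   # one "DNS Name=..." entry per line
        ($text -match [regex]::Escape($fsName)) -and ($text -match [regex]::Escape($drsName))
    } | Select-Object -First 1
}
$cert = Get-AdfsCandidateCert
if (-not $cert) { throw "No certificate with a private key covering $fsName and $drsName" }
# The chain must validate here; clients need the same chain to be trusted.
if (-not $cert.Verify()) { throw "Chain for $($cert.Thumbprint) does not validate on this host" }
"Certificate OK: $($cert.Subject) $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Prerequisite 2: gMSA. A KDS root key must exist (Windows Server 2012 DC).
# Backdating EffectiveTime makes the key usable at once; that is a lab
# shortcut. In production use -EffectiveImmediately and wait ~10 hours.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
$members = $farmHosts | ForEach-Object { Get-ADComputer -Identity $_ }
if (-not (Get-ADServiceAccount -Filter "Name -eq 'FSGMSA'")) {
    New-ADServiceAccount -Name 'FSGMSA' -DNSHostName $fsName `
        -ServicePrincipalNames "host/$fsName", "http/$fsName" `
        -PrincipalsAllowedToRetrieveManagedPassword $members
}
# Only the farm members may fetch the password, so an unrelated compromised
# host cannot run as the federation service.
(Get-ADServiceAccount FSGMSA -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
# Then on each federation server: Install-ADServiceAccount FSGMSA; Test-ADServiceAccount FSGMSA

# Prerequisite 3: DNS. A record for the federation service name, CNAME for DRS.
if (-not (Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -Name 'fs' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone -Name 'fs' -IPv4Address $farmIp
}
if (-not (Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -Name 'enterpriseregistration' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ComputerName $dnsServer -ZoneName $zone -Name 'enterpriseregistration' -HostNameAlias $fsName
}
Resolve-DnsName $fsName  | Select-Object Name, Type, IPAddress
Resolve-DnsName $drsName | Select-Object Name, Type, NameHost, IPAddress
```

The certificate check deliberately requires the private key and a validating chain, because a certificate that passes only the name check will still make the federation service unusable (no private key) or untrusted by clients (incomplete chain); the gMSA step restricts password retrieval to the farm members, which is the property that makes a gMSA safer than a shared service-account password.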

Installing the AD FS federation server:

  1. Install the AD FS role service from Server Manager. In Windows Server 2012 R2, Server Manager can also install roles on remote servers.

Click Next > Next > Next > Install to install the AD FS role.

  2. Open the Server Manager notification flag and click Configure the federation service on this server.

  3. Make sure the prerequisites listed by the wizard (the certificate, service account and DNS records described above) are met before you proceed. Select whether this is the first federation server in a new farm or an additional server in an existing farm.

  4. Provide the credentials of an account with Domain Admin rights. The wizard needs them to create the AD FS configuration objects in Active Directory and to register the service principal name; the account is used only during configuration, not to run the service.

  5. Select the AD FS certificate installed on the server. The federation service name must match the name in the certificate; the wizard fills it in from the certificate's subject.

  6. Specify the service account, either a domain user account or a group managed service account. The group managed service account (gMSA) is new in Windows Server 2012 and improves on the managed service account of Windows Server 2008 R2: gMSAs are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of that management to other administrators. Unlike a managed service account, which is bound to a single computer, a gMSA can be used by all servers in the farm.

  7. Select SQL Server or the Windows Internal Database (WID) to host the AD FS configuration database. WID is sufficient for most farms; SQL Server is required if you need SAML artifact resolution or token replay detection.

  8. Click Configure, which completes the AD FS configuration.

  9. A few additional steps are needed to enable the Device Registration Service:

Initialize the Device Registration Service on the AD FS server, using the AD FS service account (FSGMSA in this demo) as the DRS service account.

Enable the AD FS Device Registration Service.

Enable device authentication in the AD FS management console (Authentication Policies > Primary Authentication > Edit Global Settings).

Test the AD FS service as follows:

https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml should return the federation metadata XML document.

https://adfs1.contoso.com/adfs/ls/idpinitiatedsignon.aspx should return the AD FS sign-in page.
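The installation, device registration and verification steps above, carried out with the Windows Server 2012 R2 AD FS cmdlets instead of the wizard. This is an added example, not the post's own procedure. It assumes the gMSA CONTOSO\FSGMSA$ already exists and is installed on this server, that the service certificate for fs.contoso.com (a federation service name chosen here instead of the server hostname) is in the machine store, that WID is used, and that the session runs as a Domain Admin on the first federation server.

```powershell
# Added example, not from the original post. Assumptions: federation service
# name fs.contoso.com, gMSA CONTOSO\FSGMSA$ (already created and installed on
# this host), service certificate in Cert:\LocalMachine\My, WID as the
# configuration database, and the session runs as a Domain Admin.
$fsName = 'fs.contoso.com'
$gmsa   = 'CONTOSO\FSGMSA$'

# Steps 1-2: install the role service (no IIS is needed in 2012 R2).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 5: pick the certificate by its subjectAltName DNS entries (DnsNameList
# is PowerShell's view of those entries).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $fsName) } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in the machine store" }

# Steps 3-8: first server of a new farm, gMSA as service account, WID.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Corporation' `
    -GroupServiceAccountIdentifier $gmsa
# Additional farm member instead:
#   Add-AdfsFarmNode -CertificateThumbprint $cert.Thumbprint -PrimaryComputerName adfs1 -GroupServiceAccountIdentifier $gmsa
# SQL Server instead of WID: add
#   -SQLConnectionString 'Data Source=sql1.contoso.com;Integrated Security=True'

# Step 9: Device Registration Service under the same gMSA, then device
# authentication enabled in the global authentication policy.
Initialize-ADDeviceRegistration -ServiceAccountName $gmsa
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verification: service running, metadata served, sign-in page reachable,
# DRS configured. -UseBasicParsing avoids the Internet Explorer HTML engine.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier
$meta = Invoke-WebRequest -UseBasicParsing "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$entityId = ([xml]$meta.Content).EntityDescriptor.entityID
"Metadata HTTP $($meta.StatusCode), entityID $entityId"
$page = Invoke-WebRequest -UseBasicParsing "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
"Sign-in page HTTP $($page.StatusCode)"
Get-AdfsDeviceRegistration
```

If either Invoke-WebRequest call fails with a certificate error, the server itself does not trust the chain of the certificate it is serving; external clients will fail in the same way, so fix the chain (intermediate CA certificates) before moving on to the Web Application Proxy.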

In the next section we will look at the Web Application Proxy, which replaces the AD FS Proxy role in Windows Server 2012 R2.