ADFS Ask Premier Field Engineering

8/10/2019 ADFS Ask Premier Field Engineering

1/64

Ask Premier Field Engineering (PFE) Platforms

FAQ on ADFS - Part 1Hello everyone, Jasmin here again and this time I am writing about Active Directory Federation Server (ADFS). Lately, I have been

getting several questions from most of my customers and some of my peers around ADFS deployment, planning, setup,

implementation etc. While addressing these questions, I realized that I was answering similar type of queries especially when it was a

first time ADFS deployment effort. I have therefore created a list of common Q/A around ADFS in hopes that it would benefit those

looking into federation for the first time.

What is ADFS?

ADFS helps you use single sign-on (SSO) to authenticate users to multiple web applications over the life of a single session. This is

accomplished by securely sharing digital identity and rights (Claims) across security and enterprise boundaries. Some of the ADFS

uses can be foundhere

What are the different versions of ADFS? Which one is the latest?

There are four versions of ADFS.

AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system and could be installed as a Windows

component.

AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008 R2. In both editions, AD FS was

installed from the Server Manager as a role. There were minimal changes from AD FS 1.0 to AD FS 1.1.

AD FS 2.0 was released after Windows Server 2008 R2. It was released to the weband is free to download.It requires at

least Windows Server 2008 SP2 to install. Two versions (x86 and x64) are available for Windows Server 2008, while only the

x64 version is available for Windows Server 2008 R2.

ADFS 2.1 was released to Windows Server 2012 as part of the operating system and therefore, can be installed as a Role

from Server Manager.

One thing to note is that, AD FS 1.x is limited in its standards support which includes WS-Federation Passive Requestor Profile

(browser) and SAML 1.0 TOKENS while AD FS 2.0 extends standards support for WS-Federation. It supports WS-Federation PRP, WS-

Federation Active Requestor Profile, SAML 1.1/2.0 TOKENS, SAML 2.0 Operational Modes, IdP Lite/SP Lite/eGov 1.5

What is the benefit of installing ADFS on Windows Server 2012 versus on Windows Server

2008 R2?
http://blogs.technet.com/b/askpfeplat/http://blogs.technet.com/b/askpfeplat/http://technet.microsoft.com/library/hh831502http://technet.microsoft.com/library/hh831502http://technet.microsoft.com/library/hh831502http://www.microsoft.com/en-us/download/details.aspx?id=10909http://www.microsoft.com/en-us/download/details.aspx?id=10909http://www.microsoft.com/en-us/download/details.aspx?id=10909http://www.microsoft.com/en-us/download/details.aspx?id=10909http://technet.microsoft.com/library/hh831502http://blogs.technet.com/b/askpfeplat/http://blogs.technet.com/b/askpfeplat/


2/64

In Windows Server 2012, ADFS 2.1 is released as part of the operating system and is installed from the Server Manager as a role.

Server Manager provides configuration wizard pages that perform validation checks and automatically install all the services that AD

FS depends on. Whereas, in Windows Server 2008 SP2 or Windows Server 2008 R2, ADFS 2.0 must be installed from the web. You

will also need to install the update rollup 3 for Windows Server 2008 and 2008 R2 which is locatedhere. Furthermore, With Windows

Server 2012, the AD FS server role now includes new cmdlets that you can use to perform PowerShell-based deployment within your

federated identity installations and environments. Detailed cmdlets information can be foundhere. Lastly, with Windows Server

2012, AD FS can be integrated with Dynamic Access Control scenarios allowing AD FS to consume AD DS claims that are included in

Kerberos tickets as a result of domain authentication. More information on claims can be foundhere

Which AD FS configuration database store should I choose, Windows Internal Database

(WID) or SQL?

The AD FS configuration database stores all the configuration data. It contains information that a Federation Service requires to

identify partners, certificates, attribute stores, claims, etc. You can store this configuration data in either a Microsoft SQL Server 2005

or newer database or the Windows Internal Database (WID) feature that is included with Windows Server 2008,

Windows Server 2008 R2 and Windows Server 2012. Following is a short description of

WID Advantages WID Disadvantages

Very easy to setup and implement Supports five federation servers in a farm

Load balancing and fault tolerance is

possible if setup as a farm.

SAML artifact resolution and SAML/WS-

Federation token replay detection feature is not

available

Supports multiple Federation Servers in

a farm (limits to 5 federation server in a

farm)

It is not supported if there is more than 100 claim

trust providers trust or more than 100 relying party

trusts.

More info: In a farm with WID as the database, the first server in the farm act as the primary server and

host a read/write copy of the database. Secondary servers then replicate inbound the configuration data

into their read-only database. They are fully functional federation members and can service the clients

just like the Primary server. They are just unable to write any configuration changes to the WID which

does not take place every day.

SQL Advantages SQL Disadvantages

Supports multiple federation servers (not subject to

the limitation of WID)

Additional setup complexities. Require

PowerShell to install it

Load balancing and fault toleranceSQL cluster introduces another potential

point of failure

Easily Scalable SQL server must be performing well to
http://support.microsoft.com/kb/2790338http://support.microsoft.com/kb/2790338http://support.microsoft.com/kb/2790338http://technet.microsoft.com/en-us/library/jj553800.aspxhttp://technet.microsoft.com/en-us/library/jj553800.aspxhttp://technet.microsoft.com/en-us/library/jj553800.aspxhttp://technet.microsoft.com/en-us/library/hh831504.aspxhttp://technet.microsoft.com/en-us/library/hh831504.aspxhttp://technet.microsoft.com/en-us/library/hh831504.aspxhttp://technet.microsoft.com/en-us/library/hh831504.aspxhttp://technet.microsoft.com/en-us/library/jj553800.aspxhttp://support.microsoft.com/kb/2790338


3/64

service requests

SAML artifact resolution and SAML/WS-

Federation token replay detection supported

If the Primary Server in the farm is down, what happens?

Another server in the farm can be configured as the primary server. Below is the PowerShell command to run on the secondary

server which you want to make primary:

Add-PsSnapin Microsoft.Adfs.PowerShell

Set-AdfsSyncProperties -Role PrimaryComputer

Once the primary federation server is set run the following PowerShell commands on the other secondary federation servers to sync

them with the new Primary ServersCommand to run on the other farm member servers:

Add-PsSnapin Microsoft.Adfs.Powershell

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation

Server}

Is it possible to move from WID to SQL at some point in the future?

Yes it is supported to move from WID to SQL. Detailed steps are documentedhere

Is SAML artifact resolution and SAML/WS-Federation token replay detection feature

required by most Relying Parties?

From my experience most Relying Parties do not require this feature. However, there are some that do. So it would be wise to check

on that before deciding the database configuration store. If that is a requirement, the SQL must be selected.

What is the difference between a single ADFS server versus a farm? Which one is better?

ADFS can be setup as a

Standalone federation server.
http://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/948.ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx


4/64

Farm Federation Server using WID

Farm Federation Server using SQL

Farm federation server is definitely a better option than a standalone federation server for the obvious reasons scalability and

redundancy. Standalone federation server only support a single server and only store configuration information on a Windows

Internal Database (WID). Of course It is easy to setup and its best for lab environment but lacks scalability and redundancy.

Moreover, you cannot add more than one server to the Standalone federation server. However, with a farm federation server, you

can start a farm with one single ADFS server and add more ADFS servers to the farm at that t ime or sometime in the future. I often

get this question, can a farm federation server using WID function with one server? And the answer is YES! But remember you cannot

benefit from load balancing and redundancy since there is only one server in the farm. For more information on Federation Server

using WID or SQL please refer to the question of which database to choose.

Which type of certificates does AD FS require?

Basically you need three types of certificates.

Service communication certificate

o AD FS uses this certificate to enable HTTPS which is a requirement for traffic to and from the federation server

and federation server proxies ( to secure communication) So it is basically a SSL certificate which needs to be

installed on the IIS for each federation server and federation server proxy

Token signing certificate

o AD FS uses this certificate to digitally sign outgoing AD FS tokens. This is not used to secure data but in fact it is

used to ensure the integrity of the security tokens as they pass between the federation servers and application

server via the client computer.

Token decrypting certificate

o AD FS 2.0 and above has the ability to encrypt the contents of the AD FS tokens. This is in addition to having

these tokens signed by the server's token signing certificate.

Where can I obtain the required certificates from?

There are several options and each have their pros and cons.

Server communication certificate

o This certificate must be trusted by the client computers so it is recommended that in a production environment

this certificate is obtained from a public CA. Other alternative is to use your enterprise CA (PKI) to issues this cert

however, you will need to ensure that this certificate is trusted by all client computers. You may have to use

Group Policy to manually push down this certificate. Bear in mind that if the client machines are not joined to


5/64

the domain, they may not be able to trust your internal certificate which could result in bad user experience

such as receiving securityALERT prompts when they try to access the federated resources. In your test

environment, you can easily use a self-signed certificate if you wish as security is usually not of a concern in a

lab environment.

Token Signing Certificate

o This certificate can be issued via enterprise CA, public CA or by creating a self-signed certificate. The way it is

installed depends on how you create the AD FS farm. It is required that all federation servers in the farm use the

same token signing certificate. Hence you can install this certificate from the CA on a federation server and

export the cert along with the private key to other federation servers in the farm and save the cost involved in

obtaining a certificate from the public CA. However, the option that I personally favor is to allow what AD FS 2.x

does by default i.e. it creates a self-signed certificates for signing tokens. I like this option because the

maintenance is very low. It has a validity of one year after which it must be renewed however, AD FS provides

the capability for automatic renewal (Automatic Certificate Rollover) for self-signed certificates before expiry and

if the relying party trust is configured for automatic federation metadata, the relying party will automatically

sync the new public key.

Token Decrypting Certificate

o

Similar to Token Signing Certificate AD FS 2.x by default will use another self-signed certificate for the Token

decrypting/encrypting certificate and as stated above, it also provides the capability for Automatic Certificate

Rollover.

How can I check if my ADFS server is operating successfully?

Check for Event ID 100 under Applications and Service Logs | AD FS | Admin. This event verifies that the federation server was able to

successfully communicate with the federation service.
http://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74/8524.ADFS_2D00_Event_2D00_Log.pnghttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74/8524.ADFS_2D00_Event_2D00_Log.pnghttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspx


6/64

Is there a checklist that I can follow to setup ADFS in my environment?

ADFS 2. 0http://technet.microsoft.com/en-us/library/dd807086(v=ws.10).aspx

I also found a checklist specifically for Windows Server 2012 which is located athttp://technet.microsoft.com/en-

us/library/dd807086.aspx

More useful resources:

AD FS 2.0 Step-by-Step and How to Guides:http://technet.microsoft.com/en-us/library/adfs2-step-by-step-

guides(WS.10).aspx

AD FS 2.0 Content Map: http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspx

That's it for now. As I get more questions, I will create part 2 of the ADFS FAQ.

Jasmin Amirali

How to Build Your ADFS Lab on Server 2012

Part 1Hey yall Mark and Tom here with a series we think you guys will dig. I feel like half of our blog posts are building a lab of some kind. We love our labs in PFE. Thats

how most of us learn. Set up a lab, play around with the technology, and get it config ured. Its fun for everyone! Right?! We are starting to get more and more

customer requests around people just starting out with ADFS. We thought wed get everyone starting by walking you through how to setup your very own ADFS

Lab.

Initial Setup
http://technet.microsoft.com/en-us/library/dd807086(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/dd807086(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/dd807086(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74/3731.ADFS_2D00_Event.pnghttp://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/dd807086.aspxhttp://technet.microsoft.com/en-us/library/dd807086(v=ws.10).aspx


7/64

First you have to have an AD Forest set up. If you dont have that check out a blog post by Doug

Gabbard.http://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspx

We are going to assume you have the following setup before you dive in.

Active Directory Forest

ADFS Server running Windows Server 2012

o Domain Joined

o Valid network configuration

Creating a Service Account

ADFS runs on a service account. This will need to be created ahead of time before doing the install.

Some warnings about this service account:

#1: Dont mess around with or set the Service Principal Names (SPN) on any accounts related to ADFS.The ADFS configuration wizard will automatically

configure the correct Service Principal Names (SPN) on this service account so dont worry about this configuring the SPN.

#2: Ensure that the physical computer name of any of the ADFS servers in the farm dont match the ADFS service name.If you plan to call your ADFS

service name sts.markmorow.com, ensure that none of the servers in the farm have this same actual computer name. If you do this, you immediately have a

duplicate SPN scenario, which will prevent Kerberos authentication to this ADFS farm. Here is more information on duplicate SPNs:

http://blogs.technet.com/b/askpfeplat/archive/2012/03/29/the-411-on-the-kdc-11-events.aspx

For my environment test environment I created an account called ADFS_SVC and my server is called ADFS01Corp.

Getting Certificates

As Jasmin talked about athttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxwe need three certificates on ADFS. But really, we

only need to have 1 setup to do the install. We need a Server Communications (SSL) certificate. We got three choices.

1.) You could use an publically signed external cert. Since this is TEST you may not want to pay for one.

2.) You can generate a self-signed cert. This has a great walkthrough on doing that. http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-

iis-7.html

3.) You can request a certificate from your internal PKI. You do have an internal PKI set up

right???http://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspx
http://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2012/03/29/the-411-on-the-kdc-11-events.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2012/03/29/the-411-on-the-kdc-11-events.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspxhttp://social.technet.microsoft.com/wiki/contents/articles/4797.ad-cs-and-pki-step-by-steps-labs-walkthroughs-howto-and-examples.aspxhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.htmlhttp://blogs.technet.com/b/askpfeplat/archive/2013/07/22/faq-on-adfs-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2012/03/29/the-411-on-the-kdc-11-events.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/01/30/no-excuses-you-need-a-lab-for-active-directory-2012.aspx


8/64

I picked #3. I had spent a few hours before and setup a PKI infrastructure in my lab. The walkthroughs are very easy to follo w. Dont be scared.

First we need to request a certificate. We do that by going to the MMC snap-in, adding certificates for the Computer Account, Local Computer, right click Personal,

go to All Tasks, Request New Certificate.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/4532.image_5F00_30997822.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/3583.image_5F00_7CCEF11F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/4532.image_5F00_30997822.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/3583.image_5F00_7CCEF11F.png


9/64

We are going to select our Active Directory Enrollment Policy and click Next

If you dont see Web Server make sure your Web Server template is published and you have rights to it. As we can see here we need some additional configuration

information. Click on the blue text.

Our certificate name is going to be STS.yourdomain.com. Obviously configure this to fit your needs. Click ok and finish the cert process.

Installing ADFS

Ok now that we got all our pre-reqs in order lets do the actually install of ADFS.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/5140.image_5F00_360D0A28.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0211.image_5F00_0FA8962C.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/5140.image_5F00_360D0A28.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0211.image_5F00_0FA8962C.png


10/64

Youll want to start by going to Server Manager and adding the ADFS role. Click Next
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/2514.image_5F00_18BF6471.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/4375.image_5F00_033F9465.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/2514.image_5F00_18BF6471.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/4375.image_5F00_033F9465.png


11/64


12/64

Youll then get the ADFS Snap in to finish configuring. Click ADFS Federation Server Configuration Wizard

Since this is our first ADFS Server we are going to select Create New Federation Service and hit next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/3678.image_5F00_54C853CE.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/7002.image_5F00_15680F8D.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/3678.image_5F00_54C853CE.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/7002.image_5F00_15680F8D.png


13/64

Well be creating a server farm of one. Click next.

ADFS should automatically pick up the Server Certificate. Well click next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0624.image_5F00_1F795E60.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/5078.image_5F00_319D79CD.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0624.image_5F00_1F795E60.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/5078.image_5F00_319D79CD.png


14/64

Input the service account we created earlier and click Next. The install should start.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0456.image_5F00_1DD0449F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/7701.image_5F00_4ECD649B.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/0456.image_5F00_1DD0449F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/7701.image_5F00_4ECD649B.png


15/64

All done. We are now setup using the WID database. If you wanted to use a SQL database you would have to do the install from the command line. Check back for

Part 2 on how to configure a relaying party and a web app to view claims.

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

Mark and Tom here again, continuing our series on ADFS. In this post, we'll show you how to use some

sample-code to configure a web application for Web Single Sign-On (Web SSO) with ADFS.

What's Web SSO?

While Federated Web Single Sign-on (henceforth, SSO) is when two organizations create a federation

trust between each other for the purpose of sharing applications while still using their own credentials,

most of our customers are setting up ADFS for using Web SSO.

Web SSO is when a claims-aware web application, either on-premise or off-premise, is configured toenable users to login to the application using their existing Active Directory credentials. Great examples

of these are ServiceNow for your helpdesk, Dynamics CRM Online for CRM, or an Office 365 SharePoint

site for collaboration. In a typical Web SSO transaction, the end-user will navigate directly to the web

application and the web application will determine that the user is not authorized and redirect them to

their ADFS server. There, they authenticate using integrated Windows authentication or by typing in

their credentials. Finally, they get redirected back to the application with a SAML token. The application

will then verify the SAML token and the web application will then load.

The key to remember here is that the claims-aware application never communicates with the ADFS

server directly. The client's browser handles the responsibility of authenticating against the ADFS server

and then the browser receives the SAML token, which it submits to the application. This is the reason

that Web SSO is described as a passive request; the browser isn't truly SSO-aware but is still capable

ofBROKERING the transaction.

Having a sample claims-aware website that you can install, that also shows the claims that are being

sent, can immensely help in understanding Web SSO, how to configure the ADFS components, and how

to troubleshoot the claims that are being sent. Once you have this solid foundation, onboarding more

Web SSO applications for your users should be much easier.

What Do I Need for Web SSO?

The requirements are pretty simple. You need:

An ADFS Server. More than one, load balanced and using a SQL backend for prod. But, since this

is all about building a lab, one is just fine. For the purposes of this series, it should be on

Windows Server 2012 or 2012 R2.
http://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspx


16/64

An attribute store. This will be Active Directory, SQL Server, or an LDAP provider. Since 99.9% of

you (completely scientific statistic) will likely use Active Directory Domain Services, we'll talk

about that. We also won't talk about deploying AD, since you'reprobablyalready done with

that.

A claims-aware web application that has been configured to point to your security token service.This should be on its own IIS server. We'll point out some sample code, share a sample test

application (Disclaimer: We aren't developers), and use Message Analyzer to highlight the

authentication flow.

Let's get to it!

The Lab

The forest we'll be using is called corp.milt0r.com. The ADFS service URL is https://sts.milt0r.com.

Finally, the test application will live on an IIS server at https://adfstest.corp.milt0r.com. In checklist

form, you'll need:

A working Domain Controller

A working ADFS member server. All of our examples refer to ADFS 2.1 on Server 2012, but

should apply to 2.0 on 2008 R2 as well, with the exception of the script. (See ourprevious

articleto get ADFS setup)

A working IIS member server, running Windows Server 2012 or Windows Server 2012 R2

A client machine that is joined to your lab domain.

The URL of your web application

*Optional* An SSL certificate for your web application from a trusted CA

The Web Application

We started by grabbing some sample code from MSDN.You can find that code here.Then we were

shown some much nicer looking code (ThanksDave)and used that instead. Since our primary focus in

this post is configuring web SSO from an infrastructure standpoint, we aren't going to cover the code

itself. To make it even easier, we included a PowerShell script that will set it all up for you. Both are

attached at the bottom of this post. Make sure to read the disclaimer

Setup Script

The setup script is going to do the following:

Create a self-signed certificate

Configure IIS (app pool, new site, HTTPS binding)
http://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://msdn.microsoft.com/en-us/library/hh987037.aspxhttp://msdn.microsoft.com/en-us/library/hh987037.aspxhttp://msdn.microsoft.com/en-us/library/hh987037.aspxhttp://social.technet.microsoft.com/profile/dgreg%20-%20msft/?ws=usercard-hoverhttp://social.technet.microsoft.com/profile/dgreg%20-%20msft/?ws=usercard-hoverhttp://social.technet.microsoft.com/profile/dgreg%20-%20msft/?ws=usercard-hoverhttp://social.technet.microsoft.com/profile/dgreg%20-%20msft/?ws=usercard-hoverhttp://msdn.microsoft.com/en-us/library/hh987037.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspx


17/64

Modify the application's web.config file and federation metadata document to contain your STS

URL and application URL.

The script requires Windows Server 2012 or 2012 R2. It will not work on Windows Server 2008 R2.

Before running it, you'll need to collect some information. Those items are:

The fully qualified domain name of your test app. (ex: MyTestApp.corp.contoso.com)

The name of your ADFS server

You will need to manuallyperform the following:

Register an A record in your DNS zone for the test application

Ensure the PowerShellexecution policyon your IIS server is set to remotesigned, and you've

runUnblock-Fileon the script, or set the policy to unrestricted.

Once you've got that, copy the ZIP file contents up to the IIS server. Unzip the script to a folder, andmove the entire deploy folder from the zip file to a location on the system drive. Now, run the script.

The parameters are pretty straightforward:

The parameters are as follows:

SourcePath: This should be the path to the web site code we've provided. In the example, we

had copied the site data from the zip file to c:\temp\deploy.

SiteName: This will be the name of the test site in IIS, as well as the application pool

SitePhysicalPath: The location on disk where the template site will be copied. We used

C:\sites\adfstest.

ADFSServer: The hostname/FQDN of your ADFS server (not the friendly name, but actual

hostname).

AppFQDN: The full qualified domain name of your test application. This will be set as a binding

on the site in IIS.

The script will install everything you need, including the necessary features and roles.

Creating the Relying Party Trust

A term you should be very familiar within ADFS is "Relying Party." But what's a relying party? Who's

relying on what? The RP can be a couple of things, so simply saying "Relying Party" is vague. Relying

Party can refer to:

Relying Party Application
http://technet.microsoft.com/en-us/library/hh849812.aspxhttp://technet.microsoft.com/en-us/library/hh849812.aspxhttp://technet.microsoft.com/en-us/library/hh849812.aspxhttp://technet.microsoft.com/en-us/library/hh849924.aspxhttp://technet.microsoft.com/en-us/library/hh849924.aspxhttp://technet.microsoft.com/en-us/library/hh849924.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_46C1BEEE.pnghttp://technet.microsoft.com/en-us/library/hh849924.aspxhttp://technet.microsoft.com/en-us/library/hh849812.aspx


18/64

o This is the application or service that relies on the claims for authentication.

Relying Party Trust

o The relying party trust is the connection between the relying party application and our

ADFS infrastructure. It's what we configure in ADFS to make the whole thing work.

We've already got our relying party application configured, thanks to the script and files above. Next,

we'll need to setup the relying party trust between the application and the ADFS server. To setup the

trust, you'll need the following information:

Path to the relying party application's federation metadata document.

Or, the UNC path to the federation metadata document. This will be under the test application's

site path.

Open up the ADFS Management console and right-clickon "Relying Party Trusts" then "Add Relying

Party Trust."

Click start in the first screen. On the "Welcome" step is where we'll specify the location for the

federation metadata document. Here, you should be able to enter the URL to the metadata document.

If the certificate you used in the app isn't trusted by the ADFS server, and you use the Import data about

the relying party published online or on a local networkoption, it will fail. So, if you used our handy

script above, you can either 1) trust the self-signed SSL cert on the ADFS server or 2) Use the 2nd

option

Import data about the relying party from a file.

If you had to use the 2nd

option, it should look something like this:
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_49DBD69D.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5ECAC85F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_49DBD69D.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5ECAC85F.png


19/64

Notice that we had to use the UNC path to the file, instead of the URL. If the federation metadata isn't

published or available, this is also a valid way to configure the relying party trust.

Click next. On the following screen, enter a descriptive name for the application, as well as any notes on

why this particular relying party trusts exists (process owner, app owner, related processes, etc).

Click Next. On the Choose Issuance Authorization Rules screen, make sure Permit all users to access the

relying partyis selected. If you didn't want users to have access, you could deny all by default, then go

back and add "Allow" rules after. We'll cover that later.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_24542846.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7E5BE73E.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_69B1EC6B.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_24542846.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7E5BE73E.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_69B1EC6B.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_24542846.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7E5BE73E.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_69B1EC6B.png


20/64

On the Ready to Add Trustscreen, review the settings and click Next. Finally,

click Close. Congratulations, you've configured the relying party trust! Now let's test!

Caveat: If your STS is in a domain that is NOT in the same domain as your machine, for example the STS

URL in this post issts.milt0r.com, but the client workstation is in corp.milt0r.com, you'll need to add

sts.milt0r.com to your intranet zone in IE to permit Windows Authentication. To do that, in IE goto Internet Options-> Securitytab -> Local Intranet-> Click the Sitesbutton ->Advanced. There, add

your STS URL (ie,https://sts.milt0r.com)to the list. Click OK.

On your client machine, navigate to your application URL. You should see something like this:

You might end up with a certificate error if you didn't trust the certificate. But, if you see this screen,

you've successfully configured web single sign-on between your application and ADFS. The box that says

"Issued Identity" is where you'll see any configured claims. We'll cover that more in the next post in this

series.

Under the Hood

Now, let's take a look at what the authentication flow looks like inMessage Analyzer.

First, we ran klist purge on the client machine, and opened an In-Private browser session, just to make

sure we didn't use any old cookies. Using Message Analyzer's web proxy and NDIS providers, we're able

to view the unencrypted traffic as captured on the client. Navigating to the application URL, the

conversation looks like the image below.

1) The browser connects to the web application. Since we're using passive claims, the web app provides

a 302 redirect to the browser, pointing it to the ADFS service (Frame 114)
https://sts.milt0r.com/https://sts.milt0r.com/https://sts.milt0r.com/http://blogs.technet.com/b/messageanalyzer/archive/2012/09/17/meet-the-successor-to-microsoft-network-monitor.aspxhttp://blogs.technet.com/b/messageanalyzer/archive/2012/09/17/meet-the-successor-to-microsoft-network-monitor.aspxhttp://blogs.technet.com/b/messageanalyzer/archive/2012/09/17/meet-the-successor-to-microsoft-network-monitor.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_65F0F543.pnghttp://blogs.technet.com/b/messageanalyzer/archive/2012/09/17/meet-the-successor-to-microsoft-network-monitor.aspxhttps://sts.milt0r.com/


21/64

If we dig in to the frame details, we can pull out the entire redirect URL:

2) In the next frames, we can see the browser connect to the ADFS service and receives a 401 challenge.

3) Having purged our Kerberos tickets, we see the full AS/TGS exchange. In 262-275, we see the

authentication service requests and replies. In 284 and 288, we see the ticket granting service request

for our STShttp/sts.milt0r.com. We've authenticated and received a Kerberos ticket.

4) We present the service ticket to the STS and are authorized. The ADFS service processes our request

and, assuming the relying party trust is in place, knows whether or not to issue any claims and what

those claims should be. The security token is packaged up and returned in the HTTP reply.

5) Finally, the browser provides the SAML token to the relying party application. Based on the contents

of the token, the user may or may not be authorized. In our test app, we get a reply back from the

server that contains all of the claims in our token.

Wrap-Up

We hope this post takes you one step further in the process of getting your ADFS lab built and

configured. At this point in the series, you've built an ADFS server, installed a test application on the IISserver, and configured a relying party trust between the test application and the ADFS service. In the

next few posts in the series we'll cover federating between two organizations, claim rules, and more.

Stay tuned!
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_72637827.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3132DE1F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0B3A9D18.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4BDA58D6.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5DFE7443.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_57B50D04.png


22/64

How to Build Your ADFS Lab on Server 2012

Part 3: ADFS ProxyMark Morowczynski [MSFT]

16 Mar 2014 11:00 PM

6

Hey yall Mark and Tom back after a small hiatus. We (well mostly Mark because this was his responsibility) got distracted by other

things like helping customers, the Olympics and Im tired Ill do it tomorrow, whats on Netflix streaming?. Hopefully so far

youve followed along and have anADFS server builtand have asample Web SSOso you can start messing around or if your

manager asks, learning about ADFS. By now the security group has probably gotten wind of this experiment and come to you with

Hey man, these ADFS servers can make claims about anyone, they are just like a DC, no way were putting these in the DMZ.

Technically this person is correct. You will want to protect your ADFS servers the same way you protect a DC. If you wouldntput a

DC in your DMZ (hint you probably shouldnt) then same goes for ADFS. However you can now sit back and tell your security group

Dont worry, we got an ADFS Proxy.

Installing the ADFS Proxy Role

When you see how simple this is you will be ashamed it took me this long to write this post. Youll have a machine that can be

domain joined or doesnt have to be as long as it can talk to the ADFS server on port 443. Since this is a test lab, I do have my ADFS

Proxy joined to the domain. Start by click Add Roles and Features in Server Manager.
http://social.technet.microsoft.com/profile/Mark%20Morowczynski%20%5bMSFT%5dhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspx#commentshttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspx#commentshttp://social.technet.microsoft.com/profile/Mark%20Morowczynski%20%5bMSFT%5d


23/64

Click on Active Directory Federation Services
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1DCAEBE7.png


24/64

Accept all the requirements by click Add Features.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4C468C38.png


25/64

Select Federation Services Proxy and hit next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_6EC2CD06.png


26/64

Youll then click finish let it install.

Configuring the SSL and DNS

The next thing you are going to need to do is put an SSL cert on your ADFSProxy. This SSL name should ALSO match the SSL cert on

your ADFS server. This shouldnt be too much of a shock when you think about what role its providing. For external users or

applications that are external, they are going to resolve the same ADFS service name, in my case sts.markmorow.com and it will

connect to the proxy instead of the internal ADFS server. Which brings us to DNS. Its up to the administrator to configure the

internal DNS servers to point at the internal ADFS server and the external DNS servers to point proxy.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_2FF3670F.png


27/64

This is the error message youll get if you thought you were slick and skipped that last paragraph about SSL and DNS.

Right click the default website, edit bindings, Add port 443 and select a certificate. For this lab you can use an internal cert as well

but in the real world you will want to use a public cert.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_450994D7.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4C927393.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_450994D7.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4C927393.png


28/64

After the SSL and DNS has been configured we are now ready to run the ADFS Proxy Configuration wizard.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7D4A9CA0.png


29/64

Its a pretty short wizard as you can see, click Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3EE7699E.png


30/64

Youll add the federation server you want to connect to, remember your DNS configuration from before so you should be pointing

to the INTERNAL adfs server, for me that will be sts.markmorow.com. Youll then enter your domain credentials to establish the trust.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_2922A2A3.png


31/64

Click Next
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_5A46FEA5.png


32/64

Alright you are done. The proxy is configured. A good way to simulate the proxy in a lab environment is to change your hostfile to

resolve that name to the proxy instead of your internal adfs server. So after this post you should have a fully functional test lab that

includes an ADFS server, ADFS Proxy and sample claims app. Dont worry folks we are just getting started on this topic, if you have

specific ADFS things youd like to see covered or any comments let us know below.

Mark didnt even medal Morowczynski and Tom coach Moser

How to Build Your ADFS Lab Part4:Upgrading to Server 2012 R2Mark Morowczynski [MSFT]

31 Mar 2014 12:00 AM

18
http://social.technet.microsoft.com/profile/Mark%20Morowczynski%20%5bMSFT%5dhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx#commentshttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4245AEEE.pnghttp://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx#commentshttp://social.technet.microsoft.com/profile/Mark%20Morowczynski%20%5bMSFT%5d


33/64

Hey yall Mark and Tom back again with part 4 in our most likely never ending ADFS series. Its going to end up being as long as Game of Thrones when its all said

and done, I can feel it. At this point you should have an ADFS server, anADFS Proxyand aWeb Appall in your test environment. Now, you will notice that all of this

stuff was built on Windows Server 2012. You might even have wanted to ask us, Hey man, you guys picked Server 2012 instead building out your lab on that sweet

new ADFS 3.0 on Server 2012 R2. I followed along but built mine on Server 2012 R2. You guys must be crazy or something. Yea we are crazy alright, crazy like a

fox. Sometimes we have a plan, other times it looks like we have a plan. This one we actually did have a plan. We knew there are some folks out there already

running ADFS 2.0 on Server 2008 R2. We thought maybe they want to upgrade to the new hotness that is ADFS 3.0, so we planned an upgrade post for this series.

Youre welcome. If you are on ADFS 2.0 on Server 2008 R2 or ADFS 2.1 on Server 2012 you can follow along to get that lab up to the latest greatest. Lets dig in.

Pre-Reqs and High Level Process

Youll want two machines set up both Server 2012 R2, one that is domain joined which will be the ADFS server and one that is not. This will be the Web Application

Proxy (WAP) or what the ADFS Proxy has now become. Well get to this in a bit.

From the process standpoint we can break this down into a few key steps.

Export certificates from the current ADFS servers.

Export the configuration from the current ADFS servers.

Install ADFS 3.0 on the new server

Import the configuration on the ADFS 3.0 server

Install the Web Application Proxy (WAP) server

Test and make DNS changes to point to the new ADFS 3.0 infrastructure

Certificates on the ADFS Server

We first need to take a look at the different certificates we have. As we recall we have 3 certificates, the Service communication, the token-decrypting and the

token-signing cert.
http://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7837C1AC.pnghttp://blogs.technet.com/b/askpfeplat/archive/2013/12/23/how-to-build-your-adfs-lab-on-server-2012-part2-web-sso.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2014/03/17/how-to-build-your-adfs-lab-on-server-2012-part-3-adfs-proxy.aspxhttp://blogs.technet.com/b/askpfeplat/archive/2013/12/09/how-to-build-your-adfs-lab-on-server-2012-part-1.aspx


34/64

If youve been using our previous guides youll most likely have something as above. A service communication certificate fromyour PKI and 2 self-signed certs. We

will now want to export out our Service communications cert. If you used a 3rdparty cert on any of the other certs, youll want to export those as well. Our lab is

using self-signed.

To export the certificates open an MMC Console, Add Certificates, select Computer Account, Local Computer and Click Ok. It should look similar to this.

Next expand Personal, Certificates and right click the Certificate you want to export, pick All Tasks and select Export. Select next and should be at this screen.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_028E076F.png


35/64

Youll want to confirm the Yes, export the private key check box is selected. If its greyed out and you are using an internal PKI its possible you requested the

certificate without the option to allow the key to be exportable. This is why we have a test lab, people. Simply request a new cert, select the key to be exportable

and set this new certificate as the SSL binding on the site as well as the Server Communication certificate. Dont feel bad, the dates on my certs are different for the

exact same reason.

Now click Next, set a password on the certificate to export and click Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_2ECFAFB5.png


36/64

Select an output directory and click Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1BB113BA.png


37/64

Then click Finish. You should get this message.

(Hooray!)

Then go ahead and copy this over to your new ADFS 3.0 server. Well need this certificate in just a bit.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0C9F5642.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4D3F1200.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0C9F5642.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4D3F1200.png


38/64

Exporting the ADFS Server Configuration

Its time to back up our current ADFS server. Youve probably wonder how do I do that. Well there is a built in PowerShell sc ript on the 2012 R2 media. Simply go to

\Support\ADFS and run the Export-FederationConfigration.ps1Path Path to where you want it to goand the script will take care of the rest. It also gives you some

really important info youll need when you are setting up your new ADFS server, the farm name and the service account its going to be using.

ADFS 3.0 Install

This shouldnt be too much of a surprise but youll go to Server Manager and Add Roles and Features wizard. Youll want to se lect Active Directory Federation

Services as shown below.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_370E1810.png


39/64

Then click Nexton the features install.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0A8A098C.png


40/64

Click Nexton the ADFS screen.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0D54DFE1.png


41/64


42/64

Once its done youll need to configure the service. Server manager should indicate you still need to do this as seen below.


43/64

At this point you would be inclined to say oh I have an existing farm, I want to join this to the existing one. Sorry, it doesnt work that way. What you will actually be

doing is standing up a new ADFS 3.0 farm. Select Create the first federation server in a federation server farm and hit next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1BDCAF7B.png


44/64

If you arent logged in with an account that has Domain Admin privileges you will need to enter an account and then hit next for it to connect.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1690597B.png


45/64

Now its time to get that certificate ready. Click theimportbutton, browse to that certificate, put the password you set on it in and you should be good to go. Few

things to also notice. Here is where you are going to set the name of the federation farm name and it should match what you exported from the old farm. Also

note that we are setting up an SSL cert without any IIS. Let that sink in. Click Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0CCD82B4.png


46/64

Now its time to put in the service account you are running ADFS under. This was also told to you during that PowerShell export. Once youve got that in, hit Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_14E73FBA.png


47/64

Time to enter in what type of database we want to use. In the previous version our only choice was WID unless we wanted to do this whole install via PowerShell,

where you were able to configure SQL Server. Now you can do either through the GUI. Since this is a test lab we are going to stick with WID. Click Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4362E00B.png


48/64

One last stop if we need to make any changes. We can also see how this would be configured via PowerShell by hitting the View script button. All looks good, lets

hit Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1984FC87.png


49/64

It will now do a pre-requisite check. If you get a pass, click Configure. If you didnt, its time to troubleshoot. If youve been following along you should be ok.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_1360409D.png


50/64

This is what you should get when its completed. Looks good.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7442451E.png


51/64

Ok so lets take a second and make sure ADFS 3.0 is working as expected before we move on. To do that on the ADFS 3.0 server, open IE and go

tohttps://localhost/adfs/ls/IdpInitiatedSignon.aspx.

If everything is working you should get a nice page like the following. You can ignore the cert error for now as well.
https://localhost/adfs/ls/IdpInitiatedSignon.aspxhttps://localhost/adfs/ls/IdpInitiatedSignon.aspxhttps://localhost/adfs/ls/IdpInitiatedSignon.aspxhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_071BEA2B.pnghttps://localhost/adfs/ls/IdpInitiatedSignon.aspx


52/64

Import the ADFS Configuration

At this point we have a nice, brand new, clean ADFS 3.0 instance. Thats great but we dont want to really set up all those r elying party trusts. Time to import that

previous export. Copy over that export folder to the ADFS 3.0 server. Much like a great magician, we show you that there is nothing in the Relying Party trusts other

than the defaults.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0ABF266A.png


53/64

Now lets run that sister script,Import-FederationConfiguration.ps1Path Where you put the export folder. Its located also in the 2012 R2 media under

\Support\ADFS\. You should get something like that screen below.

And now your Relying Party trusts should look something like.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7CA7E97F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3FEDD03E.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_7CA7E97F.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_3FEDD03E.png


54/64

Bam! All that came over magically. Our lab is pretty simple but to see more of what you can export and import check out this TechNet article. At this point lets take

a step back and think about what we have going on. Currently all our DNS is pointing to the ADFS 2.1 infrastructure. We can update our host file on our test client

to point at the new ADFS 3.0 infrastructure. Once we are convinced its all working we can move on but note we havent affected our ADFS 2.1 at all. Its still exactly

the way it was before we started on this.

Installing the Web Application Proxy (WAP)

The WAP has lots of great new features which are well beyond the scope of this post (told you the series will be long). Much like the ADFS proxy, we can domain

join this or leave it in a workgroup. For this test lab, Ill have mine domain joined. At this time we will want to export the certificate on the ADFS proxy and import it

on to this WAP server before we get started. You would do this the same way described above for the export and just double click the certificate and follow the

quick prompts to import it. Also much like the ADFS Proxy we will make sure DNS or using our host file points to the back end ADFS 3.0 server. Be careful if you are

using DNS and are pointing to the ADFS 2.1 server. You want the WAP to point to the ADFS 3.0 not the 2.1 ADFS server. Make sense? Dont worry you gotthis.

Startup Server Manager and click Add Roles and Features Wizardand click Remote Access.
http://technet.microsoft.com/en-us/library/dn486787.aspx#BKMK_bbhttp://technet.microsoft.com/en-us/library/dn486787.aspx#BKMK_bbhttp://technet.microsoft.com/en-us/library/dn486787.aspx#BKMK_bbhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_626A110C.pnghttp://technet.microsoft.com/en-us/library/dn486787.aspx#BKMK_bb


55/64

Hit Nextat the features page.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_6FD2B4C3.png


56/64

At the Remote Access screen hitNext.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_4C3BA7CD.png


57/64

Add any features it needs for the install.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_75D72513.png


58/64

Now select Web Application Proxyand hit Nextand finish the confirmation dialog box.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_21AC9A65.png


59/64


60/64

Now, just like the ADFS Proxy (notice how I keep stressing that), youll need to enter in the ADFS service name. This should be the name that is on the certificate

you exported. We will want to make sure this name resolves to the ADFS 3.0 server as well. Youll also need to enter some credentials for the ADFS server so it can

complete the configuration. Once youre done hitNext.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_26B68A27.png


61/64

We are almost done; its a pretty short configuration process, similar to the ADFS Proxy. Select that certificate you exported and hit Next.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0C78B1B4.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0C78B1B4.png


62/64

Take a last look and hit Configure.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_6DC45879.png


63/64

At this point you are all set up. You can once again update your host file to point to this new ADFS WAP. You should get a screen much like this.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_23CB6838.png


64/64

Notice DNS really controls who is hitting what. So we are able to completely test our ADFS 3.0 using host files to confirm it is working as expected before we make

the big DNS changes to cut it over, big for a test lab, of courseJ. Update your DNS records to point to the correct ADFS servers and you should be all set. You just

completed your very first ADFS upgrade.

Let us know in the comments of these post are helpful and what types of ADFS stuff you want to learn more about. Tom and a few of us got some i deas but wed

love to hear from you. Until next time.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-91-74-metablogapi/image_5F00_0923ED81.png

Date post:	02-Jun-2018
Category:	Documents
Upload:	mohinuddin-mustaq
View:	236 times
Download:	0 times

ADFS Ask Premier Field Engineering

Documents