Date post: 25-Mar-2020

Integrating Active Directory Federation Services with SharePoint

Environment

All servers have Windows Server 2008 R2 Datacentre installed and joined to the test.com domain

• DC – Domain Controller and Enterprise CA for the test.com domain

• Share – SharePoint Server

• SQL – SQL Server for ADFS databases

• SQL02 – SQL Server mirror partner for ADFS databases

• ADFS01 – First ADFS Server

• ADFS02 – Second ADFS Server

The following servers are not joined to the test.com domain

• ADFSProxy01 – First ADFS Proxy Server

• ADFSProxy02 – Second ADFS Proxy Server

Install ADFS 2.0 and Configure to Use with ADFS

Prerequisites

• Download ADFS 2.0 on ADFS01

• Create following DNS entries

o A record: auth.test.com → 192.168.1.103 (IP of ADFS01)

• Create a certificate for auth.test.com

• Provision domain user accounts:

o test\adfs-service → Normal Domain User

o test\adfs-install-temp → Domain Admin and sysadmin on SQL server

Installation

1. Logon to the ADFS01 server as a domain administrator and launch the ADFSSetup.exe

2. Next

3. I Accept… → Next

4. Select Federation server → Next

5. Next

6. Unselect Start the AD FS 2.0 Management… → Finish

Request a Certificate

1. Open the IIS Management Console → Select the Server name → Double click Server Certificates → select Create Domain Certificate…

2. Enter the relevant information → Next

Note: The common name must be the same as the DNS name (auth.test.com) you created earlier

3. Select the correct certificate authority and enter a friendly name → Finish

4. Select Default Website → Bindings

5. Add

6. Select https → select ADFS Certificate → OK

7. Select http\80 → Remove → Yes → Close

Configure AD FS

1. Logon to the ADFS01 with an account that is a Domain Admin and is a sysadmin on the SQL server

2. Open an Administrator PowerShell console → browse to C:\Program Files\Active Directory Federation Services 2.0 → Run the following command

Note: Replace Password with the account password

.\FSConfig.exe CreateSQLFarm /ServiceAccount test\adfs-service /ServiceAccountPassword Password /SQLConnectionString "database=AdfsConfiguration;server=sql;integrated security=SSPI" /CleanConfig /FederationServiceName auth.test.com /AutoCertRolloverEnabled

3. Example (screenshot)

Export Certificates and add a new token signing certificate to ADFS

1. Open IIS Manager → Select the server → Server Certificates → ADFS Certificate → View…

2. Details tab → Copy to File…

3. Next

4. Next

5. Next

6. Enter C:\Temp\Certificates\ADFS Certificate.cer → Next

7. Finish

8. Open IIS Manager → Select the server → Server Certificates → ADFS Certificate → View…

9. Select the Certification Path tab → select the root → View Certificate

10. Details tab… and follow the same steps as above, but save the certificate as ADFS Certificate Parent

Note: This certificate will be used on the SharePoint Server

11. Open PowerShell and run the following lines

Add-PSSnapin Microsoft.Adfs.PowerShell
Set-AdfsProperties -AutoCertificateRollover $false

12. Open ADFS Management Console → Services → Certificates → Add Token Signing Certificate…

13. OK

14. Yes

15. OK

16. Right click Certificate and select Set as Primary…

Configure AD FS Trust

1. Open the AD FS Management Console

2. Relying Party Trust → Add Relying Party Trust…

3. Start

4. Select Enter data manually → Next

5. Enter "SharePoint Trust" → Next

6. Next

7. Next

8. Select Enable support for the WS-Federation Passive protocol → Enter the URL for the SharePoint site and add /_trust/, https://share/_trust/ → Next

9. Add urn:test:sharepoint → Next

10. Next

11. Next

12. Close

13. Select Add

14. Next

15. Map E-Mail-Addresses → E-Mail Address and Token-Groups - Unqualified Names → Role → Finish → OK
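The same relying party trust, created with the AD FS 2.0 cmdlets instead of the wizard, as an added example that is not part of the original guide. The name, identifier and /_trust/ endpoint are the guide's values; the claim-rule text is an assumption that reproduces the two wizard mappings (E-Mail-Addresses → emailaddress, Token-Groups - Unqualified Names → role) and the wizard's default "permit all" authorization rule.

```powershell
# Added example: script the "SharePoint Trust" relying party on ADFS01.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$name       = "SharePoint Trust"
$identifier = "urn:test:sharepoint"
$endpoint   = "https://share/_trust/"

# Issuance transform rule (assumed text): one LDAP rule that reads mail and
# tokenGroups for the authenticated user and issues them as the emailaddress
# and role claims that SharePoint will map later in this guide.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SharePoint e-mail and roles"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rule: equivalent of the wizard's "Permit all users".
# Tighten this to specific groups once the site goes into production.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-ADFSRelyingPartyTrust -Name $name) {
    Write-Warning "Relying party '$name' already exists; not recreating it"
} else {
    Add-ADFSRelyingPartyTrust -Name $name -Identifier $identifier `
        -WSFedEndpoint $endpoint `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Read back what AD FS stored and confirm it matches the values SharePoint
# will be given later ($realm = urn:test:sharepoint and the /_trust/ URL).
$rp = Get-ADFSRelyingPartyTrust -Name $name
$ok = ($rp.Identifier -contains $identifier) -and
      ($rp.WSFedEndpoint.AbsoluteUri -eq $endpoint)
"Relying party '{0}' matches expected identifier and endpoint: {1}" -f $name, $ok
$rp.IssuanceTransformRules
```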

Notes

• Internet to ADFS proxy: port 443

• ADFS Proxy to ADFS: port 443

• When configuring the ADFS server farm you need to be logged on as a Domain Admin

References:

http://cloudanalysis.blogspot.co.uk/2011/06/setting-up-adfs-with-office-365.html

http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

Add Second ADFS Server

Prerequisites

• Provision Windows 2008 R2 server as ADFS02

• Download ADFSSetup.exe to "C:\Temp\ADFS 2.0\AdfsSetup.exe"

• Add second A DNS record auth.test.com pointing to ADFS02

o Confirm both records are in DNS by running nslookup auth.test.com

Installation

1. Logon to the ADFS02 server as a domain administrator and launch the ADFSSetup.exe

2. Next

3. I Accept… → Next

4. Select Federation server → Next

5. Next

6. Unselect Start the AD FS 2.0 Management… → Finish

Export Certificates from ADFS01 primary ADFS server

1. Logon to ADFS01

2. Open the MMC snap-in for Certificates for the Computer account

3. Expand Certificates (Local Machine) → Personal → select Certificates

4. Right click auth.test.com → All tasks… → Export

5. Next

6. Yes, export private key → Next

7. Select Include all certificates in the certification path if possible and Export all extended properties → Next

Note: DO NOT select Delete the private key if the export is successful

8. Enter password → Next

9. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next

10. Finish

Install Exported Certificate on ADFS02

1. Logon to ADFS02

2. Copy \\ADFS02\C$\Temp\Certificates\ADFS01 Export.pfx to C:\Temp\Certificates\ADFS01 Export.pfx

3. Open the MMC snap-in for Certificates for the Computer account

4. Expand Certificates (Local Machine) → Personal → right-click Certificates → Import

5. Next

6. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next

7. Enter password → Next

8. Next

9. Finish

10. Open IIS Management Console → Default Web Site → Bindings

11. Select Add → https → Select ADFS Certificate → OK

12. Select http → Remove

13. Close

14. Logon to ADFS02 as ADFS-Install-Temp → Open a PowerShell console → browse to C:\Program Files\Active Directory Federation Services 2.0 → Run the following command

Note: Replace Password with the account password

.\FSConfig.exe JoinSQLFarm /ServiceAccount TEST\adfs-service /ServiceAccountPassword Password /SQLConnectionString "database=AdfsConfiguration;server=sql;integrated security=SSPI"

15. Example (screenshot)

Notes

http://pipe2text.com/?page_id=395

Configure ADFS SQL Databases with mirrored SQL

Prerequisites

• Configure the ADFSConfiguration and ADFSArtifact SQL databases as mirrored databases

Installation

Note: The following steps are for the ADFSConfiguration database and need to be run on all ADFS servers

1. Logon to ADFS01 → Open PowerShell as an Administrator

2. Stop the adfs service by running

net stop adfssrv

3. Run the following command

Note: SQL is my primary SQL server and SQL02 is my Mirror

$temp = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$temp.ConfigurationDatabaseConnectionString = "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsConfiguration;Integrated Security=true"
$temp.Put()

4. Start the adfs service by running

net start adfssrv

5. Logon to ADFS02 → Open PowerShell as an Administrator

6. Stop the adfs service by running

net stop adfssrv

7. Run the following command

Note: SQL is my primary SQL server and SQL02 is my Mirror

$temp = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$temp.ConfigurationDatabaseConnectionString = "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsConfiguration;Integrated Security=true"
$temp.Put()

8. Start the adfs service by running

net start adfssrv

9. Example (screenshot)

Note: you can run "Get-WmiObject -Namespace root/adfs -Class SecurityTokenService" to see if the settings are correctly applied

Note: The following steps are for the ADFSArtifact database and need to be run on all ADFS servers

10. Logon to ADFS01 → Open PowerShell as an Administrator

11. Run the following commands

Add-PSSnapin Microsoft.ADFS.Powershell
Set-AdfsProperties -ArtifactDbConnection "Data Source=SQL; Failover Partner=SQL02;Initial Catalog=AdfsArtifactStore;Integrated Security=true"

12. Restart the ADFS service on all ADFS servers

13. Example (screenshot)

Note: run Get-AdfsProperties to see if the configuration has applied
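Reading the two connection strings back is only half a check; the added example below (not part of the original guide) also opens each of them and asks SQL which role the server it landed on holds for that database, so a missing Failover Partner or a silently failed-over mirror shows up before users do. It assumes the AD FS 2.0 snap-in is installed and the caller's account has integrated-auth access to both databases.

```powershell
# Added example: verify the mirrored AD FS database connection strings on one farm server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-AdfsDbConnection {
    param([string]$Label, [string]$ConnectionString)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    if (-not $b.FailoverPartner) {
        Write-Warning "$Label has no Failover Partner: a mirror failover will stop AD FS"
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Ask the instance we actually reached which mirroring role it holds for this database.
        $cmd.CommandText = "SELECT @@SERVERNAME, mirroring_role_desc, mirroring_state_desc " +
                           "FROM sys.database_mirroring WHERE database_id = DB_ID()"
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            "{0}: connected to {1} (role={2}, state={3}, partner={4})" -f `
                $Label, $r.GetString(0), $r.GetValue(1), $r.GetValue(2), $b.FailoverPartner
        }
        $r.Close()
    } catch {
        Write-Warning ("{0}: connection failed: {1}" -f $Label, $_.Exception.Message)
    } finally {
        $conn.Dispose()
    }
}

# Configuration database: the string lives in the WMI class the guide edits above.
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
Test-AdfsDbConnection "AdfsConfiguration" $sts.ConfigurationDatabaseConnectionString

# Artifact database: the string is the AD FS property set with Set-AdfsProperties.
$props = Get-AdfsProperties
Test-AdfsDbConnection "AdfsArtifactStore" $props.ArtifactDbConnection
```

Run it on ADFS01 and ADFS02 after step 12; both servers should report the same principal instance.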


Notes

http://pipe2text.com/?page_id=542

Install and Configure ADFS Proxy Servers

Prerequisites

• Provision Windows 2008 R2 Server

• DO NOT Join it to the domain

• Download ADFSSetup.exe to "C:\Temp\ADFS 2.0\AdfsSetup.exe"

Installation

1. Logon as a local Administrator

2. Launch "C:\Temp\ADFS 2.0\AdfsSetup.exe"

3. Next

4. I Accept… → Next

5. Federation server proxy → Next

6. Next

7. Uncheck Start the AD FS 2.0 … → Finish

Install Exported Certificate on ADFSProxy01

1. Logon to ADFSProxy01

2. Copy \\ADFS01\C$\Temp\Certificates\ to C:\Temp\Certificates\

3. Open the MMC snap-in for Certificates for the Computer account

4. Expand Certificates (Local Machine) → Personal → right-click Certificates → Import

5. Next

6. Enter C:\Temp\Certificates\ADFS01 Export.pfx → Next

7. Enter password → Next

8. Next

9. Finish

10. Expand Certificates (Local Machine) → Personal → Trusted Certificate Authorities → Certificates → Import

11. Next

12. Enter C:\Temp\Certificates\ADFS01 Certificate Parent.cer → Next

13. Next

14. Finish

15. Open IIS Management Console → Default Web Site → Bindings

16. Select Add → https → Select ADFS Certificate → OK

17. Select http → Remove

18. Close

Run ADFS Proxy Configuration

1. Run AD FS 2.0 Federation Server Proxy Configuration Wizard

2. Next

3. Test Connection → OK → Next

4. Enter TEST\ADFS-Service and its password → OK

5. Next

6. Close

7. Add static records to the C:\Windows\System32\Hosts file mapping to the local ADFS servers

8. Repeat these steps on ADFSProxy02

Notes

http://pipe2text.com/?page_id=399

• ADFS Proxy does not need to be on the domain

• An external DNS entry is needed which points to the ADFS proxy server with an associated certificate

Install Rollup Pack 3 for ADFS

Prerequisites

• Download http://support.microsoft.com/kb/2790338/en-gb and extract it

Installation

1. Copy Windows6.1-KB2790338-v2-x64.msu to C:\Temp\

2. Logon to ADFS01, ADFS02, ADFSProxy01 and ADFSProxy02 → Run C:\Windows6.1-KB2790338-v2-x64.msu → Yes

3. Restart Now

4. After restart confirm ADFS services have started on all servers

Configure SharePoint to use AD FS

Prerequisites

• Configure SharePoint default site to use https

Configuration

1. Logon to SHARE

2. Copy the ADFS Certificates from \\ADFS01\C$\Temp\Certificates to C:\Temp\Certificates

3. Open a SharePoint Administrator PowerShell console session and run the following PowerShell commands to import the Certificates

Note: Run them in a SharePoint Administrator PowerShell console session or import the cmdlets before running the commands

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\Certificates\ADFS Certificate Parent.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\Certificates\ADFS Certificate.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

4. Create claim mappings to Email Address and Role by running these commands in the above SharePoint PowerShell session

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

5. Create a variable for the realm by running this command in the above SharePoint PowerShell session

$realm = "urn:test:sharepoint"

6. Now run the final command that will tie everything together, preparing SharePoint. Run it in the same SharePoint PowerShell session as above.

$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://auth.test.com/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

7. Logon to the SharePoint Central Administration Site → Select Manage Web Applications

8. New

9. Select Claims Based Authentication → Change the port to 443 → scroll down

10. Uncheck Enable Windows Authentication

11. Create Site Collection

12. Enter Title → Blank Page → Primary Site Administrator e.g. TEST\Administrator → OK
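Before testing in the browser, the added check below (not part of the original guide, run in the same SharePoint PowerShell session) confirms that the issuer created in step 6 trusts exactly the token-signing certificate exported from ADFS01 and points at the right realm, sign-in URL and identifier claim. It uses the guide's names and paths; a thumbprint mismatch here is the usual cause of every logon failing after a token-signing rollover on AD FS.

```powershell
# Added example: sanity-check the SPTrustedIdentityTokenIssuer against the exported ADFS certificate.
$issuerName      = "SAML Provider"
$cerPath         = "C:\Temp\Certificates\ADFS Certificate.cer"
$expectedRealm   = "urn:test:sharepoint"
$expectedSignIn  = "https://auth.test.com/adfs/ls"
$expectedIdClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

function Show-Check([string]$Name, [bool]$Passed) {
    "{0,-48} {1}" -f $Name, $(if ($Passed) { "OK" } else { "FAIL" })
}

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($issuer -eq $null) { throw "Trusted identity token issuer '$issuerName' not found" }
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$now = Get-Date

# SharePoint rejects tokens signed by any key other than SigningCertificate, so the
# thumbprint must equal the certificate that is currently primary on AD FS.
Show-Check "Signing cert matches exported ADFS cert" `
    ($issuer.SigningCertificate.Thumbprint -eq $exported.Thumbprint)

# The .cer must also be registered as a trusted root authority (step 3).
$rootMatch = @(Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $exported.Thumbprint })
Show-Check "Exported cert registered as trusted root authority" ($rootMatch.Count -gt 0)

Show-Check "Exported cert within validity period" `
    ($now -ge $exported.NotBefore -and $now -le $exported.NotAfter)

# Realm must equal the relying party identifier entered in the AD FS trust wizard.
Show-Check "Realm matches relying party identifier" `
    ($issuer.DefaultProviderRealm -eq $expectedRealm)

# Sign-in URL must be the AD FS passive (WS-Federation) endpoint.
Show-Check "Sign-in URL is the AD FS /adfs/ls endpoint" `
    ($issuer.ProviderUri.AbsoluteUri.TrimEnd('/') -eq $expectedSignIn)

Show-Check "Identifier claim is emailaddress" `
    ($issuer.IdentifierClaim -eq $expectedIdClaim)

# Both wizard mappings (emailaddress and role) must be present on the issuer.
$roleMapped = @($issuer.ClaimTypeInformation | Where-Object { $_.MappedClaimType -like "*/claims/role" })
Show-Check "Role claim mapping present" ($roleMapped.Count -gt 0)
```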

Test Configuration

1. At this point you should be able to browse to https://share. You should then be presented with the following screen

2. Logon using a test account that is part of the shareallow group

3. After logging on you should be redirected to the SharePoint site
