(2012-05-08) Installing And Configuring ADFS v2 As An STS Server (Part 1)
Posted by Jorge on 2012-05-08
With this post I want to show you the ADFS v2.0 STS installation procedure that I used in my test/demo environment. The installation binaries for W2K8/W2K8R2 can be downloaded from here, and (at the time of writing) I also downloaded the latest update rollup for ADFS from here. I followed these installation steps.
After downloading the ADFS installation binaries, double-click it. Then click on “Next >”.
Figure 1: The Active Directory Federation Services v2.0 Setup Wizard
Check the “I accept the terms in the License Agreement” after reading and accepting the EULA for ADFS v2.0, and then click on “Next >”.
Figure 2: The Active Directory Federation Services v2.0 Setup Wizard – The EULA
We need to start with the installation of the federation server, which is also called the security token service (STS) server. In terms of locating and securing the STS server, you MUST treat it as equal to a writable domain controller: anyone in control of the STS server is able to issue security tokens for any user it can authenticate. If for whatever reason you need to reach your STS server from an untrusted network (e.g. the internet), you need a federation server proxy or a Unified Access Gateway (UAG) server with SP1 as an intermediary; never expose the STS server itself.
The ADFS STS server must be domain joined to support Windows Integrated Authentication, and because of that the ADFS STS will be able to issue security tokens with claims for any of the following users:
- User accounts in the AD domain of the ADFS STS server;
- User accounts in any AD domain in the AD forest of the ADFS STS server;
- User accounts in any AD domain/forest for which a two-way trust exists with the AD domain/forest of the ADFS STS server.
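To see that identity scope on a concrete server before you configure the STS, here is an added PowerShell check (not part of the original post). It uses only the .NET System.DirectoryServices.ActiveDirectory classes available on any domain-joined W2K8/W2K8R2 box, so no AD module is needed; it confirms domain membership, lists every domain in the own forest (items 1 and 2 above) and then lists trusts, flagging only the two-way ones as in scope (item 3).

```powershell
# Added check, not from the original post: which users can this STS issue tokens for?
function Get-StsIdentityScope {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "Server is not domain joined: Windows Integrated Authentication (and so ADFS) cannot work here."
        return
    }

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    "STS domain : $($domain.Name)"
    "STS forest : $($forest.Name)"

    # Items 1 and 2: every domain of the STS server's own forest is always in scope.
    ""
    "In scope (own forest):"
    foreach ($d in $forest.Domains) { "  $($d.Name)" }

    # Item 3: other domains/forests are in scope only through a two-way (bidirectional) trust.
    # Domain-level trusts include the intra-forest ParentChild/TreeRoot ones; those are skipped
    # because they were already covered by the forest listing above.
    $trusts = @($domain.GetAllTrustRelationships() |
        Where-Object { @('ParentChild', 'TreeRoot') -notcontains $_.TrustType.ToString() })
    $trusts += @($forest.GetAllTrustRelationships())

    ""
    "Trusts to other domains/forests:"
    if ($trusts.Count -eq 0) { "  (none)"; return }
    foreach ($t in $trusts) {
        if ($t.TrustDirection -eq 'Bidirectional') { $verdict = 'IN SCOPE (two-way)' }
        else { $verdict = "out of scope ($($t.TrustDirection) only)" }
        "  {0,-40} {1,-10} {2}" -f $t.TargetName, $t.TrustType, $verdict
    }
}

Get-StsIdentityScope
```

Run it as a domain user on the future STS server; every domain it prints as "IN SCOPE" is a set of accounts whose tokens an attacker controlling this server could mint, which is why the server is treated like a writable domain controller.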
Because we need an STS server, select the federation server option.
Figure 3: The Active Directory Federation Services v2.0 Setup Wizard – Installing An STS Server
Click on “Next >”.
Figure 4: The Active Directory Federation Services v2.0 Setup Wizard – Prerequisite Software
Now, just be patient.
Figure 5: The Active Directory Federation Services v2.0 Setup Wizard – Installation Of Binaries In Progress
Uncheck “Start the AD FS 2.0 Management snap-in when this wizard closes” and click “Finish”.
Figure 6: The Active Directory Federation Services v2.0 Setup Wizard – Installation Finished
After downloading the ADFS rollup package, extract it and double-click the MSU file. Then click “YES”.
Figure 7: Confirming The Installation Of The ADFS Rollup Package 1
Click on “Restart Now” to restart the server.
Figure 8: Finalizing The Installation Of The ADFS Rollup Package
After restarting the server we still need to install/configure the ADFS role; the previous steps only installed the binaries and the rollup. But before actually installing/configuring the ADFS role, let’s first make sure we have the correct certificates.
Part 2 of this series will continue with the certificates required for ADFS.
With regards to ADFS, also see the following resources with lots of information:
- Checklist for setting up a federation server
- Checklist for setting up a federation server proxy
- AD FS 2.0 Content Map
- AD FS 2.0 Design Guide
- AD FS 2.0 Deployment Guide
- Operations: AD FS 2.0
- AD FS 2.0 Troubleshooting Guide
- ADFS 2.0 High Availability and High Resiliency Walkthrough
- Enhancing Federation Services for Internal and External Partners
- Active Directory Federation Services 2.0 solution guide
ADFS Related Videos:
- Active Directory Federation Services (ADFS) v2.0 Design
- Active Directory Federation Services (ADFS) v2.0 Concepts
- AD FS 2.0 Installation
- Active Directory Federation Services (ADFS) v2.0 High Availability
- Active Directory Federation Services (ADFS) v2.0 High Availability Installation And Configuration