Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3)

Posted by Jorge on 2012-05-10

Part 2 of this series showed you how to configure the required for ADFS.

Instead of using the GUI to configure ADFS, we are going to use the command line version of the configuration wizard as that gives us more possibilities to configure ADFS and because not everything is possible through the GUI version of the configuration wizard. The command line version of the configuration wizard can be found in the following folder “C:\Program Files\Active Directory Federation Services 2.0”. So before executing the command, you either need to navigate to that folder first or you need to provide the full path of the executable.

FSCONFIG provides for the following options.


Figure 1: FSCONFIG Options To Configuring The ADFS STS

Because this is my first STS server and because I want to create a SQL Server based farm, I will use the CreateSQLFarm option. For subsequent ADFS STS server you need to use the JoinSQLFarm option.

&'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe' CreateSQLFarm /ServiceAccount ADCORP\SVC_R1_ADFS /ServiceAccountPassword pwd /SQLConnectionString "database=AdfsConfiguration;server=RFSRWDC1.ADCORP.LAB\;integrated security=SSPI" /FederationServiceName FS.ADCORP.LAB /CertThumbprint $($adfsSvcCommunicationCert.Thumbprint) /SigningCertThumbprint $($adfsTokenSigningCert.Thumbprint) /DecryptCertThumbprint $($adfsTokenDecryptionCert.Thumbprint)


Figure 2: Creating A SQL Server Based ADFS STS Farm

In addition to what you see above, the command will also give the ADFS service account READ permissions on the private key of all three certificates used (Certificates MMC –> “Certificates (Local Computer)” –> Personal –> Certificates –> Right-click any of the ADFS certs –> “All Tasks” –> “Manage Private Keys”.), it will also configure the correct SPN (e.g. HOST/FS.ADCORP.LAB) on the ADFS service account.

Because a farm is being used we also need to configure the certificate sharing container in AD (e.g. “CN=62b8a5cb-5d16-4b13-b616-06caea706ada,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ADCORP,DC=LAB”) by using the following command:

Set-ADFSCertSharingContainer -ServiceAccount ADCORP\SVC_R1_ADFS (Get-ADFSProperties).CertificateSharingContainer


Figure 3: Configuring The ADFS Certificate Sharing Container In AD

Now we need to configure the correct federation service identifier. By default the federation service identifier looks as shown below.




Figure 4: The Default Federation Service Identifier Configuration

By adjusting the default value to something like “urn:federation:fs.adcorp.lab” it becomes easier to manage that value. It is not really important what the value is, as long as it is unique! Be aware that it is case sensitive also!

Set-ADFSProperties -Identifier "urn:federation:fs.adcorp.lab" -AcceptableIdentifier "urn:federation:fs.adcorp.lab" (Get-ADFSProperties).Identifier


Figure 5: A Custom Federation Service Identifier Configuration

Now depending on the trusts that need to be setup and the supported applications, custom claims description may need to be defined and claims transform rules need to be defined on the different federation trusts (claims providers and relying parties). In the near future I hope to write about federating to access SP2010 Web Application/Site.

To validate the working of your ADFS deployment, you can target the following URLs (of course replace this with your own federation service name!!!):

  1. https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx
  2. https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

[1] –> https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx

First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. I this case I do, so that’s why it happened.


Figure 5: Testing ADFS Deployment – Home Realm Discovery

As soon as you click on “continue to sign in” it will ask you to provide credentials. This does assume you are not using Windows Integrated Authentication (in that case the federation service FQDN is NOT added to the Local Intranet Zone in IE). The collection of the credentials is either Windows based of forms based, whatever you have configured. On a ADFS STS it most likely is Windows based as that is the default! If you want to use Windows Integrated Authentication you must add the federation service FQDN to the Local Intranet Zone in IE. On a PRX forms based is the default


Figure 6: Testing ADFS Deployment – Providing Credentials


Figure 7: Testing ADFS Deployment – Successful Logon

[2] –> https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

As soon as you enter the URL and hit ENTER, you might end up in seeing a BLANK page. To actually see the federation metadata, click IN ADDITION on the “Compatibility View” button in IE. You will then see the following.


Figure 8: Testing ADFS Deployment – Federation Metadata

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



############### Jorge’s Quest For Knowledge #############

######### ########


6 Responses to “(2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3)”

  1. […] (1) « (2012-05-08) Installing And Configuring ADFS v2 As An STS Server (Part 1) (2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3) […]


  2. […] v2.0 see the blog post about Installing And Configuring ADFS v2 As An STS Server (part1, part 2, part 3) and about Installing And Configuring ADFS v2 As A PRX […]


  3. […] v2.0 see the blog post about Installing And Configuring ADFS v2 As An STS Server (part1, part 2, part 3) and about Installing And Configuring ADFS v2 As A PRX […]


  4. Rob said

    Hello Jorge

    I love you web site… lot’s of great information and very interesting topics 🙂
    Can you please explain why the Certificate Sharing Container is necessary in the first place and why you need to set it manually using the Set-ADFSCertSharingContainer PowerShell command?
    I have an ADFS 2.0 Farm (6 ADFS servers in it) using SQL Server and have no Certificate Sharing Container and yet everything seems to work just fine. I have not seen any alerts or errors about it anywhere.
    I can’t seem to find any good information about the function of the Certificate Sharing Container. TechNet has a note about it saying “AD FS 2.0 does not share private keys in a federation server farm for administrator-specified certificates, such as certificates that a certification authority (CA) issues” which to me sounds like the only time you need the Certificate Sharing Container is if you use Self-Signed certificates with your ADFS implementation.

    Cheers, Rob


    • Jorge said

      to be honest I have never looked that close to the Cert Sharing container.

      When you installed ADFS with your own private certs, was the install account also a Domain Admin? If it was not, were you able to install ADFS without errors? (because you do not have perms to create the ADFS Cert Sharing container)



  5. […] the past I described how to install an ADFS STS Server in this post and this post and this post. The idea of this post was to focus on UNINSTALLING an ADFS STS Server or the complete federation […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: