(2012-05-10) Installing And Configuring ADFS v2 As An STS Server (Part 3)
Posted by Jorge on 2012-05-10
Part 2 of this series showed you how to configure the required certificates for ADFS.
Instead of using the GUI to configure ADFS, we are going to use the command line version of the configuration wizard, because it offers more configuration options than the GUI version and some settings are simply not possible through the GUI. The command line version of the configuration wizard can be found in the folder “C:\Program Files\Active Directory Federation Services 2.0”. So before executing the command, you either need to navigate to that folder first or you need to provide the full path of the executable.
FSCONFIG provides the following options.
Figure 1: FSCONFIG Options To Configuring The ADFS STS
Because this is my first STS server and because I want to create a SQL Server based farm, I will use the CreateSQLFarm option. For every subsequent ADFS STS server in the farm you need to use the JoinSQLFarm option instead.
&'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe' CreateSQLFarm /ServiceAccount ADCORP\SVC_R1_ADFS /ServiceAccountPassword pwd /SQLConnectionString "database=AdfsConfiguration;server=RFSRWDC1.ADCORP.LAB\;integrated security=SSPI" /FederationServiceName FS.ADCORP.LAB /CertThumbprint $($adfsSvcCommunicationCert.Thumbprint) /SigningCertThumbprint $($adfsTokenSigningCert.Thumbprint) /DecryptCertThumbprint $($adfsTokenDecryptionCert.Thumbprint)
Figure 2: Creating A SQL Server Based ADFS STS Farm
In addition to what you see above, the command also grants the ADFS service account READ permission on the private key of all three certificates used (Certificates MMC –> “Certificates (Local Computer)” –> Personal –> Certificates –> right-click any of the ADFS certs –> “All Tasks” –> “Manage Private Keys”), and it registers the correct SPN (e.g. HOST/FS.ADCORP.LAB) on the ADFS service account.
Because a farm is being used, we also need to configure the certificate sharing container in AD (e.g. “CN=62b8a5cb-5d16-4b13-b616-06caea706ada,CN=ADFS,CN=Microsoft,CN=Program Data,DC=ADCORP,DC=LAB”) by using the following command (the second line just reads the configured value back):
Set-ADFSCertSharingContainer -ServiceAccount ADCORP\SVC_R1_ADFS
(Get-ADFSProperties).CertificateSharingContainer
Figure 3: Configuring The ADFS Certificate Sharing Container In AD
Now we need to configure the correct federation service identifier. By default the federation service identifier looks as shown below.
Figure 4: The Default Federation Service Identifier Configuration
By adjusting the default value to something like “urn:federation:fs.adcorp.lab” it becomes easier to manage that value. It is not really important what the value is, as long as it is unique! Be aware that it is case sensitive as well! The second line below just reads the configured value back:
Set-ADFSProperties -Identifier "urn:federation:fs.adcorp.lab" -AcceptableIdentifier "urn:federation:fs.adcorp.lab"
(Get-ADFSProperties).Identifier
Figure 5: A Custom Federation Service Identifier Configuration
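As an added check that is not part of the original post, the PowerShell below verifies the two side effects of FsConfig described above: READ permission for the service account on the private key of each primary ADFS certificate (and no excessive write permission), and the HOST SPN on the service account. It assumes the ADFS 2.0 PowerShell snap-in is present on the STS, reuses the service account and federation service name from this post, and assumes CAPI RSA keys stored under MachineKeys.

```powershell
# Added example, not code from the original post. Assumes the ADFS 2.0 snap-in,
# the service account and federation service name used above, and CAPI RSA keys.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$svcAccount = 'ADCORP\SVC_R1_ADFS'
$fsName     = 'FS.ADCORP.LAB'
$keyDir     = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readBits   = [System.Security.AccessControl.FileSystemRights]::Read
$writeBits  = [System.Security.AccessControl.FileSystemRights]::Write

# 1. Private-key ACL: the service account needs Read, and only Read, on the key
#    file of each primary ADFS certificate. A CAPI RSA machine key is a file
#    under MachineKeys named after the certificate's unique key container.
foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
    $adfsCert = Get-ADFSCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    $x509     = Get-Item "Cert:\LocalMachine\My\$($adfsCert.Thumbprint)"
    if ($x509.PrivateKey -eq $null) {
        "$type : private key not readable from this session (CNG key or key missing)"
        continue
    }
    $keyFile = Join-Path $keyDir $x509.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $allow   = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $svcAccount
    }
    $hasRead  = @($allow | Where-Object { ($_.FileSystemRights -band $readBits)  -ne 0 }).Count -gt 0
    $hasWrite = @($allow | Where-Object { ($_.FileSystemRights -band $writeBits) -ne 0 }).Count -gt 0
    "$type $($adfsCert.Thumbprint) : read=$hasRead write(excessive)=$hasWrite"
}

# 2. Kerberos: HOST/<federation service name> must be registered on the service
#    account, otherwise Windows Integrated Authentication to the STS fails.
$sam      = $svcAccount.Split('\')[1]
$searcher = [ADSISearcher]"(sAMAccountName=$sam)"
$spns     = @($searcher.FindOne().Properties['serviceprincipalname'])
$wanted   = "HOST/$fsName"
"$wanted registered on $svcAccount : $($spns -contains $wanted)"
```

Run it in an elevated PowerShell session on the STS; a Token-Signing or Token-Decrypting key that reports write=True deserves a second look, since the service account only needs to read those keys.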
Now, depending on the trusts that need to be set up and the applications to be supported, custom claim descriptions may need to be defined, and claim transform rules need to be defined on the different federation trusts (claims provider trusts and relying party trusts). In the near future I hope to write about federating to access a SP2010 Web Application/Site.
To validate that your ADFS deployment works, you can target the following URLs (of course replace these with your own federation service name!!!):
First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. In this case I do, so that’s why it happened.
Figure 5: Testing ADFS Deployment – Home Realm Discovery
As soon as you click on “continue to sign in” it will ask you to provide credentials. This does assume you are not using Windows Integrated Authentication (i.e. the federation service FQDN is NOT added to the Local Intranet Zone in IE). The collection of the credentials is either Windows based or forms based, whichever you have configured. On an ADFS STS it most likely is Windows based, as that is the default! If you want to use Windows Integrated Authentication, you must add the federation service FQDN to the Local Intranet Zone in IE. On a PRX (federation server proxy) forms based is the default.
Figure 6: Testing ADFS Deployment – Providing Credentials
Figure 7: Testing ADFS Deployment – Successful Logon
As soon as you enter the federation metadata URL and hit ENTER, you might end up seeing a BLANK page. To actually see the federation metadata, additionally click the “Compatibility View” button in IE. You will then see the following.
Figure 8: Testing ADFS Deployment – Federation Metadata
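Beyond eyeballing the metadata in the browser, a practitioner would want to check that what the STS publishes matches what was configured above. The script below is an added example, not code from the original post: it downloads the federation metadata (the standard ADFS 2.0 path, assumed here because the post’s URL list is not reproduced), compares entityID with the Identifier set earlier using a case-sensitive comparison, checks that the advertised signing certificate is the farm’s primary Token-Signing certificate, and verifies the XML signature on the metadata document with that certificate. It assumes the ADFS 2.0 snap-in is loaded on the STS.

```powershell
# Added example, not code from the original post. Assumes the ADFS 2.0 snap-in on
# the STS and that the standard ADFS 2.0 metadata URL below is reachable.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.Security

$fsName = 'FS.ADCORP.LAB'   # federation service name from the post
$url    = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

# PreserveWhitespace must be set before loading, otherwise the XML-DSig check
# below canonicalises different bytes than were signed and fails.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($url)          # XmlDocument.Load accepts an https URL directly

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# 1. entityID must equal the Identifier configured earlier. -ceq is case
#    sensitive on purpose: partners will compare this value exactly.
$entityId   = $xml.DocumentElement.GetAttribute('entityID')
$identifier = (Get-ADFSProperties).Identifier
"entityID matches Identifier : $($entityId -ceq $identifier)"

# 2. The signing certificate advertised to partners must be this farm's
#    primary Token-Signing certificate.
$b64 = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns).InnerText
$advertised = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($b64))
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"advertised signing thumbprint : $($advertised.Thumbprint)"
"farm Token-Signing thumbprint : $($primary.Thumbprint)"
"signing cert matches          : $($advertised.Thumbprint -eq $primary.Thumbprint)"

# 3. The metadata document is itself signed; verify that signature with the
#    farm's Token-Signing certificate so a tampered or stale copy stands out.
$sigNode   = $xml.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')[0]
$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
$signedXml.LoadXml($sigNode)
"metadata signature valid      : $($signedXml.CheckSignature($primary.Certificate, $true))"
```

All three lines should report True; a False on the signing certificate check right after a certificate rollover usually means partners are still holding the old metadata.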
With regards to ADFS, also see the following resources with lots of information:
- Checklist for setting up a federation server
- Checklist for setting up a federation server proxy
- AD FS 2.0 Content Map
- AD FS 2.0 Design Guide
- AD FS 2.0 Deployment Guide
- Operations: AD FS 2.0
- AD FS 2.0 Troubleshooting Guide
- ADFS 2.0 High Availability and High Resiliency Walkthrough
- Enhancing Federation Services for Internal and External Partners
- Active Directory Federation Services 2.0 solution guide
ADFS Related Videos:
- Active Directory Federation Services (ADFS) v2.0 Design
- Active Directory Federation Services (ADFS) v2.0 Concepts
- AD FS 2.0 Installation
- Active Directory Federation Services (ADFS) v2.0 High Availability
- Active Directory Federation Services (ADFS) v2.0 High Availability Installation And Configuration
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/