Deploying Active Directory Federation Services on Windows Server

ADFS (Active Directory Federation Services) is a Windows Server role that acts as an authentication provider for web applications. Federation services are used to authenticate external users to different applications.

Why do I need ADFS if I already have Active Directory deployed? The authentication protocols used in Active Directory were not designed to work over the Internet: Kerberos will not work fully, because it requires both the web server and the client to be members of the AD domain, and NTLM and LM are not sufficiently secure authentication protocols.

ADFS acts as an access token service. Its job is to issue digital identities (claims, hence claims-based authentication, CBA) after a successful Active Directory authentication. These issued claims are sufficient to authenticate and authorize an external user in the web application.

Federation services consist of two components: Active Directory Federation Services (ADFS) and Web Application Proxy (WAP). WAP accepts incoming requests from the Internet and forwards them to the ADFS servers for processing; responses from the ADFS servers are returned to WAP and then to the Internet client. WAP can also act as a reverse proxy for publishing web applications on the Internet; for example, you can use it to easily publish Exchange Web Access (OWA), an internal SharePoint site, etc. Data transmitted over the network is encrypted using the SSL 3.0 protocol.

In this article, we will show how to install and configure the ADFS role on Windows Server 2016. It is recommended to install AD FS on a dedicated server and not to combine it with the RDS or RADIUS roles.

When installing ADFS, you will need to specify a domain service account (under which the ADFS services will run) and an SSL certificate.

It is recommended to use a Group Managed Service Account (gMSA) as this domain account. Create the gMSA account in AD using PowerShell:

# Computer object of the ADFS server that is allowed to retrieve the gMSA password
$server1 = Get-ADComputer adfs1
# Creating a gMSA requires a KDS root key in the forest (check with Get-KdsRootKey)
New-ADServiceAccount -Name "gMSAADFS" -DNSHostName gMSAADFS.test.com -Enabled $True -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword $server1

By default, gMSA accounts are created in the special OU Managed Service Accounts.

Then obtain an SSL certificate with the “Server Authentication” EKU (extended key usage) and an exportable private key from your internal CA (AD CS) or an external commercial certificate authority. The certificate’s Subject name and Subject Alternative Name should contain the complete list of published FQDNs. Export the certificate, with its private key, in .pfx format.

You can install the ADFS 3.0 role on Windows Server 2016 using Server Manager or with a single PowerShell command:

Add-WindowsFeature ADFS-Federation

After installing ADFS, run the ADFS post-deployment task by clicking “Configure the federation service on this server” in the Server Manager notification.

Choose the option “Create the first federation server in a federation farm”.

Select your .pfx certificate file by clicking the Import button.

In the next step, specify the name of the gMSA account created earlier (gMSAADFS).

Choose whether you want to use a separate Microsoft SQL Server or the Windows Internal Database (WID).

Then click Next > Next > Configure. That’s it, your ADFS server is deployed.

To check the availability of ADFS through its dedicated test web page, enable the IdpInitiatedSignOnPage option (on Windows Server 2016 this page is disabled by default). Enable the test page with the PowerShell command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
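As a post-deployment check (an added example, not part of the original article), the following script, run in an elevated PowerShell session on the new federation server, verifies what the steps above configured: the ADFS service and the gMSA it runs as, the SSL and token certificates with their remaining validity, the test page setting, and HTTPS reachability of the metadata and sign-on endpoints. It assumes the gMSA name gMSAADFS from earlier and that the RSAT Active Directory PowerShell module is installed on the ADFS host.

```powershell
# Post-deployment health check for a new AD FS server (added example, not from the article).
# Assumptions: run elevated on the federation server; $gmsaName matches the account created
# with New-ADServiceAccount; the ActiveDirectory module is present for Test-ADServiceAccount.
$gmsaName = 'gMSAADFS'   # assumption: same gMSA as created earlier

# 1. Service state and the account it runs under (expected: the gMSA, e.g. DOMAIN\gMSAADFS$)
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"Service '{0}' is {1}, running as {2}" -f $svc.Name, $svc.State, $svc.StartName

# 2. This host can retrieve the gMSA password (False means the computer is not listed in
#    PrincipalsAllowedToRetrieveManagedPassword or the KDS root key is not yet effective)
"gMSA $gmsaName usable from this host: " + (Test-ADServiceAccount -Identity $gmsaName)

# 3. Federation service name and whether the IdP-initiated sign-on page is enabled
$props  = Get-AdfsProperties
$fsName = $props.HostName
"Federation service name: $fsName"
"IdP-initiated sign-on page enabled: " + $props.EnableIdpInitiatedSignonPage

# 4. Certificates: the HTTPS binding plus service-communications/token-signing/token-decrypting
#    certificates, with days left until expiry
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
Get-AdfsCertificate | ForEach-Object {
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Subject    = $_.Certificate.Subject
        DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $_.Certificate.Thumbprint
    }
} | Format-Table -AutoSize

# 5. Endpoint reachability over HTTPS: federation metadata and the test sign-on page
foreach ($path in 'FederationMetadata/2007-06/FederationMetadata.xml', 'adfs/ls/idpinitiatedsignon.aspx') {
    $url = "https://$fsName/$path"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "{0} -> HTTP {1}" -f $url, $r.StatusCode
    } catch {
        "{0} -> FAILED: {1}" -f $url, $_.Exception.Message
    }
}
```

A failed request to the metadata URL usually points at DNS for the federation service name or at the SSL certificate binding; a 200 on the sign-on page confirms the Set-AdfsProperties change took effect.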

To configure other ADFS options, use the AD FS Management console.
