ADFS (Active Directory Federation Services) is a Windows Server role that acts as an authentication provider (identity provider) for web applications. Federation services are used to authenticate external users to different applications without those applications, or the users, having direct access to your domain controllers.
Why do you need ADFS if you already have Active Directory deployed? The authentication protocols used inside Active Directory were not designed to be used over the Internet. Kerberos does not work there, because it requires both the web server and the client to be domain members with network access to a domain controller. NTLM and LM are not secure enough to be exposed to the Internet.
ADFS acts as a security token service. Its job is to issue security tokens that carry claims about the user (claims-based authentication, CBA) after a successful Active Directory authentication. The issued token is sufficient for the external user to authenticate to, and be authorized by, the web application; the application only has to trust the ADFS token-signing certificate and never handles the user's domain password.
Federation services consist of two components: Active Directory Federation Services (ADFS) and Web Application Proxy (WAP). WAP accepts incoming requests from the Internet and forwards them to the ADFS servers for processing; responses from the ADFS servers go back through WAP to the Internet client, so the ADFS servers are never exposed directly. WAP can also act as a reverse proxy for publishing web applications on the Internet, for example Outlook Web App (OWA) or an internal SharePoint site. Traffic between the client, WAP and ADFS is protected with TLS (HTTPS); SSL 3.0 is obsolete and insecure and should stay disabled on these servers.
In this article we show how to install and configure the ADFS role on Windows Server 2016. Install AD FS on a dedicated server; do not combine it with the RDS or RADIUS (NPS) roles.
During installation you will need to specify a domain service account (under which the ADFS service will run) and an SSL certificate.
It is recommended to use a Group Managed Service Account (gMSA) rather than a regular domain user account: its password is rotated automatically by Active Directory and is never known to an administrator. Create the gMSA in AD with PowerShell (the forest must already have a KDS root key, otherwise gMSA creation fails):
# Only the ADFS server (here adfs1) is allowed to retrieve the managed password
$server1 = Get-ADComputer adfs1
New-ADServiceAccount -Name "gMSAADFS" -DNSHostName gMSAADFS.test.com -Enabled $True -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword $server1
By default, gMSA accounts are created in the Managed Service Accounts container of the domain (CN=Managed Service Accounts), not in an OU.
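The following is an added example, not code from the original article: it wraps the gMSA creation above with the checks a practitioner wants before handing the account to the ADFS wizard (KDS root key present, only the ADFS host can retrieve the password, and the host can actually retrieve it). The domain name test.com, the host name adfs1 and the account name gMSAADFS are assumptions taken from the article's own command.

```powershell
# Added example (not from the original article): prepare and verify a gMSA for AD FS.
# Assumed names: domain test.com, AD FS host adfs1, gMSA gMSAADFS.
Import-Module ActiveDirectory

# 1. A gMSA cannot be created until the forest has a KDS root key.
if (-not (Get-KdsRootKey)) {
    # In production run Add-KdsRootKey with the default effective time and wait 10 hours
    # so every DC has replicated the key; a past -EffectiveTime is a lab shortcut only.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the account; restrict password retrieval to the AD FS server(s) only.
$server1 = Get-ADComputer adfs1
New-ADServiceAccount -Name 'gMSAADFS' `
    -DNSHostName 'gMSAADFS.test.com' `
    -Enabled $true `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword $server1

# 3. On the AD FS server (adfs1, needs the RSAT-AD-PowerShell feature): install the
#    account locally and verify that the host can retrieve the managed password.
Install-ADServiceAccount -Identity 'gMSAADFS'
if (-not (Test-ADServiceAccount -Identity 'gMSAADFS')) {
    throw 'adfs1 cannot retrieve the gMSA password: check PrincipalsAllowedToRetrieveManagedPassword and KDS key replication'
}

# 4. Show who is allowed to retrieve the password (should be adfs1 only).
Get-ADServiceAccount -Identity 'gMSAADFS' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

Steps 1 and 2 run on a machine with the AD module (for example a domain controller); step 3 must run on the ADFS server itself, because Test-ADServiceAccount checks whether the local computer account can fetch the password.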
Then obtain an SSL certificate with the "Server Authentication" EKU (extended key usage) and an exportable private key, either from your internal CA (AD CS) or from a commercial Certificate Authority. The Subject and Subject Alternative Name must cover every published FQDN: the federation service name itself (for example adfs.test.com) and, on AD FS 2016, certauth.<federation service name> if you want certificate authentication over port 443 and enterpriseregistration.<upn suffix> if you use Device Registration. Export the certificate together with its private key as a .pfx file.
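Below is an added example, not part of the original article, showing how to request the service certificate from an internal AD CS CA, verify the EKU, SAN and private key requirements from the paragraph above, and export it as a .pfx. The federation service name adfs.test.com, the AD CS template name WebServerExportable and the output path C:\adfs.pfx are assumptions; with a commercial CA skip step 1 and start from the certificate already in the computer store.

```powershell
# Added example (not from the original article): request, check and export the AD FS
# service certificate. Assumed: federation service name adfs.test.com, an AD CS template
# named 'WebServerExportable' that allows private key export, output path C:\adfs.pfx.
$fsName = 'adfs.test.com'
$sans   = @($fsName, "certauth.$fsName", 'enterpriseregistration.test.com')

# 1. Enroll from the internal CA (enrollment policy is discovered through AD).
$enroll = Get-Certificate -Template 'WebServerExportable' `
    -SubjectName "CN=$fsName" `
    -DnsName $sans `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment status: $($enroll.Status)" }
$cert = $enroll.Certificate

# 2. Verify what AD FS requires before feeding the file to the configuration wizard.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) {
    throw 'Certificate lacks the Server Authentication EKU'
}
$missing = $sans | Where-Object { $_ -notin $cert.DnsNameList.Unicode }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with the certificate' }

# 3. Export with the private key. Export-PfxCertificate fails if the key is not exportable,
#    which is exactly the condition the wizard would later trip over.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\adfs.pfx' -Password $pfxPassword

# 4. Keep the thumbprint: Install-AdfsFarm takes it as -CertificateThumbprint.
$cert.Thumbprint
```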
You can install the AD FS role on Windows Server 2016 (this is AD FS 2016; AD FS 3.0 is the Windows Server 2012 R2 version) either through Server Manager or with a single PowerShell command.
After installing the role, run the ADFS post-deployment task by clicking "Configure the federation service on this server" in the Server Manager notification area.
Choose the option "Create the first federation server in a federation farm".
Select your .pfx certificate file by clicking the Import button and enter the federation service name and display name.
In the next step, specify the gMSA account created earlier (gMSAADFS).
Choose whether to use a separate Microsoft SQL Server or the Windows Internal Database (WID). WID is the simplest choice for small farms, but it is limited to 30 federation servers and does not support SAML artifact resolution or token replay detection; those require SQL Server.
Then click Next > Next > Configure. That's all, your ADFS server is deployed.
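The scripted equivalent of the whole procedure above (role installation, certificate import, pre-installation check and first-server farm configuration) is given here as an added example; it is not code from the original article. The federation service name adfs.test.com, the display name, the NetBIOS domain TEST, the gMSA TEST\gMSAADFS$ and the file C:\adfs.pfx are assumptions; run it on the future first federation server as a domain administrator.

```powershell
# Added example (not from the original article): scripted equivalent of the Server Manager
# steps. Assumed: federation service name adfs.test.com, gMSA TEST\gMSAADFS$, certificate
# exported earlier to C:\adfs.pfx. WID is used unless $sqlConnectionString is set.
$fsName      = 'adfs.test.com'
$displayName = 'TEST Corp'
$gmsa        = 'TEST\gMSAADFS$'     # the trailing $ is mandatory for a gMSA
$sqlConnectionString = $null        # e.g. 'Data Source=sql1;Integrated Security=True'

# 1. Install the role and its management tools (the "single PowerShell command").
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Import the service certificate into the computer store and take its thumbprint.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\adfs.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 3. Build the farm parameters once so the dry run and the install use the same set.
$farm = @{
    CertificateThumbprint         = $cert.Thumbprint
    FederationServiceName         = $fsName
    FederationServiceDisplayName  = $displayName
    GroupServiceAccountIdentifier = $gmsa
}
if ($sqlConnectionString) { $farm.SQLConnectionString = $sqlConnectionString }

# 4. Dry run: validates certificate, service account and DNS without changing anything.
$check = Test-AdfsFarmInstallation @farm
if ($check.Status -ne 'Success') { $check; throw 'Pre-installation check failed' }

# 5. Create the first federation server in a new farm.
Install-AdfsFarm @farm

# 6. Confirm the service is running and show the identifiers relying parties will see.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
```

Splatting the same hashtable into Test-AdfsFarmInstallation and Install-AdfsFarm guarantees the parameters that passed the check are the ones actually used; a DNS A record for the federation service name must already point at this server (or at WAP from the outside) for the check to succeed.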
To check that ADFS is up using the built-in test page on Windows Server 2016, enable the IdP-initiated sign-on page, which is disabled by default in AD FS 2016, with the PowerShell command:
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
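Once the page is enabled it is served at https://<federation service name>/adfs/ls/idpinitiatedsignon.aspx. The following added example (not from the original article) checks that page and the anonymous endpoints relying parties actually depend on, confirms that the token-signing certificate published in the federation metadata is the farm's primary one, and switches the test page off again afterwards, since it lists every relying party trust to anyone who can reach it. The federation service name adfs.test.com is an assumption; step 3 must run on an AD FS server.

```powershell
# Added example (not from the original article): post-deployment health checks.
# Assumed federation service name adfs.test.com; steps 1 and 2 work from any machine
# that trusts the service certificate, step 3 needs the AD FS cmdlets on an AD FS server.
$fsName = 'adfs.test.com'

# 1. The IdP-initiated sign-on page must answer 200 while it is enabled.
$signon = Invoke-WebRequest -Uri "https://$fsName/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing
if ($signon.StatusCode -ne 200) { throw "Sign-on page returned $($signon.StatusCode)" }

# 2. Anonymous endpoints that relying parties use: WS-Fed/SAML metadata and OIDC discovery.
$meta = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
[xml]$xml = $meta.Content
"entityID: $($xml.EntityDescriptor.entityID)"
$oidc = Invoke-RestMethod -Uri "https://$fsName/adfs/.well-known/openid-configuration"
"OIDC issuer: $($oidc.issuer)"

# 3. The signing certificate(s) published in the metadata must include the farm's primary
#    token-signing certificate; otherwise relying parties will reject every token.
$published = $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $der = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($published.Thumbprint -notcontains $primary.Thumbprint) {
    throw 'Primary token-signing certificate is not in the published metadata'
}
"Published signing thumbprints: $($published.Thumbprint -join ', ')"

# 4. When testing is done, turn the sign-on page off again for production.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
```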
All other ADFS settings are configured through the AD FS Management console.