How to setup an ADFS Farm 2016/2019 in Azure/AWS/Google IaaS

The following tutorial explains the steps required to setup ADFS and WAP in your cloud environment (e.g Azure, AWS or Google GCP)

The first section covers the ADFS setup and the 2nd section explains the WAP setup.

ADFS Setup

Once you have installed the new Active Directory Federation Server and powered it up , there are requirements that you’ll need to make sure you have in place before you get started:

AD FS 2016 / 2019 Requirements:

The following links explain the requirements you need in place to build your ADFS 2016 / 2019 farm. Either version the requirements are the same:

• Certificate requirements
• Proxy requirements
• AD DS requirements
• Configuration database requirements
• Browser requirements
• Network requirements
• Permission requirements

Example of ADFS / WAP 2016/2016 farm in Azure, AWS or Google GCP

If you’re are adding this ADFS server to your existing farm jump to step 3 otherwise if this is a new ADFS server start from step 1.

Step 1 – Join your computer to an Active Directory domain

First step is to add your VM to your Active Directory domain.

1. Make sure the DNS server address on the servers NIC is pointing to one of your domain controllers that is reachable from this VM
2. To join a computer to a domain
   On the Start screen, type Control Panel, and then press ENTER.
3. Navigate to System and Security, and then click System.
4. Under Computer name, domain, and workgroup settings, click Change settings.
5. On the Computer Name tab, click Change.
6. Under Member of, click Domain, type the name of the domain that this computer will join, and then click OK.
7. Click OK, and then restart the computer.

Step 2 – Enroll an SSL Certificate for ADFS

Active Directory Federation Services (AD FS) requires a certificate for Secure Socket Layer (SSL) server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:

• The subject name and subject alternative name must contain your federation service name, such as fs.contoso.com.
• The subject alternative name must contain the value enterpriseregistration that is followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/enroll-an-ssl-certificate-for-ad-fs

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_1

Internal Certificate Authority (PKI)

If you have a PKI infrastructure (CA) already inplace you can request a certificate from your certificate authority in your domain. You will have to setup the certificate in your root CA and make it available to your ADFS servers.

To do that login in to your CA server with administrative permissions:

• In Server Manager, click Tools and select Certification Authority from the menu.
• In the Certification Authority MMC, expand your CA in the left pane, right click Certificate Templates and select Managefrom the menu.
• In the Certificate Templates console, scroll down to the Web Server template in the central pane, right click it and select Duplicate Template from the menu.
• In the Properties dialog, switch to the General tab.
• In the Template display name box, type SSL Certificates.
• Now switch to the Security tab and click Authenticated Users under Group or user names.
• Under Permissions for Authenticated Users, check Enroll in the Allow column and click OK.

• Close the Certificate Templates console.
• In the Certification Authority MMC, right click Certificate Templates in the left pane and select New > Certificate Template to Issue from the menu.
• In the Enable Certificate Templates dialog, select SSL Certificates in the list and click OK.
• Click Certificate Templates in the left pane of the Certification Authority MMC, and you should see SSL Certificates appear in the left with an Intended Purpose of Server Authentication.

Request a Certificate for AD FS

Now that we have an appropriate certificate template, we can request a certificate for the AD FS server.

• Log in to your ADFS server as a domain administrator.
• Go to the Start screen, type mmc and press Enter to open an MMC console on the desktop.
• In the MMC console, go to the File menu and select Add/Remove Snap-in…
• In the Add or Remove Snap-ins dialog, select Certificates under Available snap-ins and press Add.
• In the Certificates snap-in dialog, select Computer account and click Next.
• On the Select Computer screen, select Local computer and click Finish.
• Click OK in the Add or Remove Snap-ins dialog.
• In the left pane of the MMC console, expand Certificates (Local Computer), right-click Personal and select All Tasks > Request New Certificate from the menu.
• In the Certificate Enrollment dialog, click Next on the Before You Begin screen.

• On the Select Certificate Enrollment Policy screen, select Active Directory Enrollment Policy and click Next.
• On the Request Certificates screen, click More information is required to enroll for this certificate below SSL Certificates.
• In the Certificate Properties dialog on the Subject tab, set the Subject name Type to Common name. In the Value box, type the Fully Qualified Domain Name (FQDN) name of your ADFS server and click Add. In my lab, the FQDN of my ADFS server is fs.testdomain.local.
• Under Alternative name, set the Type box to DNS. In the Value box, type the FQDN name of your ADFS server and click Add.
• Repeat the last step to set an additional Alternative name DNS value, but this time set the value to enterpriseregistration.testdomain.local, replacing testdomain.local with your domain name.

• Now click OK in the Certificate Properties dialog.
• Back in the Certificate Enrollment dialog on the Request Certificates screen, check SSL Certificates and click Enroll.
• Once the enrolment has succeeded, click Finish.
• In the MMC, click Certificates under Personal in the left pane and you should see the certificate has been issued on the right by your domain’s certification authority.
• Close the MMC.

Alternative option if you don’t have a certificate authority or third party trusted certificate is to create a self signed cert as below.  Not recommended in a production environment as you will have to distribute and import into the certificate store on computers that must validate it as a trusted certificate.  This can be achieved via group policy.

Create Self Signed Cert via Powershell

You can use a self signed certificate if you dont have a PKI infrastructure or third party SSL certificate.

In the screenshot below i’ve requested to create a self signed certificate with subject alternatives names of my federation service name (fs.testdomain.local) and the required enterpriseregistration.testdomain.local

New-SelfSignedCertificate –DnsName <Federation service name>, <enterpriseregistration> -CertStoreLocation “cert:\LocalMachine\My”

You should now see the certificate in your local computer certificate store under “Personal\Certificates”:

You can now distribute this certificate to machines who will be using this ADFS server.

Step 3 – Configure Federation Server

Launch Server Manager and you should see a notification to start the “Active Directory Federation Services Configuration Wizard“

Now we need to start configuring the ADFS server

Since this is our first AD FS server select the first option then click Next:

If you have an existing ADFS farm,

see https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server#BKMK_2

Ref: – https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server

Ensure the account you are logged into has Active Directory Domain Admin permissions. If not then click Change. Click Next to continue:

SSL Certificate: On the drop down menu you will see the certificates installed on the server. You can use the default self signed or use one you create. Ensure you have it in .PFX format.

Federation Service Name: Give your AD FS a FQDN name.

Federation Service Display Name: Enter a display name

Click Next to proceed:

On the Specify Service Account tab you may get the following message:

“Group managed service accounts are not available because the KDS root key has not been set.”

If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.

PowerShell Commands:

Get-Help Add-KdsRootKey – Read about the command

Add-KdsRootKey -EffectiveImmediately – Generate root key

Enter the Service Account you want to use and click Next:

Note: Ensure this user account is added to the local administrators group of your AD FS server. It is required to setup Microsoft Web Application Proxy.

You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database. Click Next:

Click Next. If everything checks out click Configure:

Once complete click Close:

Step 4 – (Optional) Configure a federation server with Device Registration Service (DRS)

If you looking to use device authentication, for example Microsoft Windows Hello For Business or enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices you’ll need to enable device registration service on ADFS.

Refer to : https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service

Step 5 – Configure DNS Records

Add a Host (A) and Alias (CNAME) Resource Record to Corporate DNS for the Federation Service and DRS.

You must add the following resource records to corporate Domain Name System (DNS) for your federation service and Device Registration Service that you configured in previous steps.

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-corporate-dns-for-the-federation-service-and-drs

ADFS Firewall Requirements

Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.

In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required and the certauth endpoint on port 443 is not enabled, AD FS 2016 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers).

Ref for ADFS Network requirements: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_7

Step 6 – Verify that a federation server is operational

Open a browser window, in the address bar type the federation server’s DNS host name, and then append /adfs/fs/federationserverservice.asmx to it for the new federation server, for example:

https://fs1.testdomain.local/adfs/fs/federationserverservice.asmx

Press ENTER, and then complete the next procedure on the federation server computer. If you see the message There is a problem with this website’s security certificate,

click Continue to this website.

The expected output is a display of XML with the service description document. If this page appears, IIS on the federation server is operational and serving pages successfully.

Next check the following:

Log on to the new federation server as an administrator.

On the Start screen, type Event Viewer, and then press ENTER.

In the details pane, double-click Applications and Services Logs, double-click AD FS Eventing, and then click Admin.

In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event—in the Application log of Event Viewer—with the event ID 100.

This event verifies that the federation server was able to successfully communicate with the Federation Service.

Ref: – https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/verify-that-a-federation-server-is-operational

Setting up WAP Server

Once you’ve got your ADFS server up and running now we can begin the WAP deployment.

Requirements:

• Certificate requirements
• Proxy requirements
• AD DS requirements
• Configuration database requirements
• Browser requirements
• Network requirements
• Permission requirements

Step 1 – Import certificate

The first step is to import the certificate you used in your ADFS server setup.

You need the certificate from your AD FS server added to your Web Application Proxy server. Login to your AD FS server and open MMC.exe:

Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:

When you click OK you will get the following pop up. Select Computer account then click Next:

On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.

On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:

This will bring up the Certificate Import Wizard. Click Next:

Browse to the certificate that you exported from your AD FS server and select it. Click Next:

Enter the password for the private key and check the box to make the key exportable. Click Next:

Leave the default certificate store as Personal. Click Next:

Click Finish:

Now import into the Trusted Root Certification Authority

You should now see the certificate from your AD FS servers on your Web Application Proxy server.

Now we are ready to perform the Post Configuration.

Step 2 – Post Deployment Configuration

Back on your Web Application Server open Server Manager then click Notifications then the message Open the Web Application Proxy Wizard:

Click Next and enter the FQDN of your AD FS name and the Service Account you created during AD FS setup. Click Next:

On the drop down menu select the certificate you imported from your AD FS server. Click Next:

Click Configure:

Remote Access Management Console should open when you clicked Close. On Operations Status you should see all the objects as green.

Once finished click Close:

You’re now ready to start publishing applications.

Support

If you have any questions about this ADFS deployment or are experiencing any issues with your deployment leave your comments below and i will answer them for you within 24 hours.

If you would like to hire us to setup your ADFS farm for you, get in touch and we can get you up and running