Setup Active Directory Federation Services ADFS Farm in Azure/AWS/GCP
The easiest way to set up an ADFS farm (Active Directory Federation Services with a Web Application Proxy, WAP) on Azure, AWS or Google GCP is to deploy our publicly available ADFS Server and WAP Server images from the cloud marketplaces.
Active Directory Federation Services (ADFS) + (WAP)
Getting Started with Active Directory Federation Services (ADFS Server )
The following tutorial explains the steps required to set up ADFS and WAP in your cloud environment (e.g. Azure, AWS or Google GCP).
The first section covers the ADFS setup and the second section explains the WAP setup.
RDP into new ADFS server
Once you have deployed our ADFS or WAP server, the first step is to RDP into the new instance once it has fully booted. The following links explain how to connect to the VM once it has finished deploying:
- How to RDP to AWS Windows Instance
- How to RDP to Google GCP Windows Instance
- How to RDP to Azure Windows Virtual Machine
Once logged in, you’re now ready to start setting up your new server as per the following sections.
Active Directory Federation Services (ADFS) Setup
Once you have deployed the new Active Directory Federation Services server and powered it up, there are requirements you need in place before you get started:
ADFS Server / WAP Server Requirements:
The following links explain the requirements for building an ADFS 2016 or 2019 farm; the requirements are the same for either version:
Example of ADFS / WAP Server farm in Azure, AWS or Google GCP
If you are adding this ADFS server to an existing farm, jump to Step 3; if this is a new farm, start from Step 1.
Step 1 – Join your computer to an Active Directory domain
First step is to add your VM to your Active Directory domain.
1. Make sure the DNS server address on the server's NIC points to a domain controller that is reachable from this VM.
2. To join the computer to the domain, on the Start screen type Control Panel and press ENTER.
3. Navigate to System and Security, and then click System.
4. Under Computer name, domain, and workgroup settings, click Change settings.
5. On the Computer Name tab, click Change.
6. Under Member of, click Domain, type the name of the domain that this computer will join, and then click OK.
7. Finally, restart the computer.
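The same Step 1 from an elevated PowerShell session on the new VM, as an added example that is not part of the original walkthrough. The domain name, domain controller address, interface alias and join account are assumptions; replace them with your own values. It checks DNS and DC reachability first, because a cloud VM whose security group or NSG blocks the DC is the usual reason a domain join fails.

```powershell
# Added example (not from the original page): Step 1, the domain join, done from PowerShell.
# Assumed values: domain testdomain.local, a DC at 10.0.0.4, NIC alias 'Ethernet',
# and a delegated join account testdomain.local\joinaccount.
$Domain   = 'testdomain.local'
$DcIp     = '10.0.0.4'     # a domain controller reachable from this VM (assumed)
$NicAlias = 'Ethernet'     # confirm with Get-NetAdapter

# Point the NIC at the DC for DNS; AD locates domain controllers through DNS SRV records.
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $DcIp

# Sanity checks before joining: the domain's LDAP SRV record resolves, and the DC
# answers on Kerberos (88) and LDAP (389). Failing here means a firewall/NSG problem,
# not a credential problem.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null
foreach ($port in 88, 389) {
    if (-not (Test-NetConnection -ComputerName $DcIp -Port $port).TcpTestSucceeded) {
        throw "DC $DcIp is not reachable on TCP $port; check the security-group/NSG rules"
    }
}

# Join and reboot. The prompt asks for an account allowed to join computers to the
# domain; a delegated join account is enough, Domain Admin is not required.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\joinaccount") -Restart
```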
Step 2 – Enroll an SSL Certificate for ADFS
Active Directory Federation Services (AD FS) requires a certificate for Secure Socket Layer (SSL) server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:
- The subject name and subject alternative name must contain your federation service name, such as fs.contoso.com.
- The subject alternative name must contain the value enterpriseregistration that is followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.
Internal Certificate Authority (PKI)
If you already have a PKI (an enterprise CA) in your domain, request the certificate from it. First create a certificate template on the CA and make it available to your ADFS servers.
To do that login in to your CA server with administrative permissions:
- In Server Manager, click Tools and select Certification Authority from the menu.
- In the Certification Authority MMC, expand your CA in the left pane, right click Certificate Templates and select Manage from the menu.
- In the Certificate Templates console, scroll down to the Web Server template in the central pane, right click it and select Duplicate Template from the menu.
- In the Properties dialog, switch to the General tab.
- In the Template display name box, type SSL Certificates.
- Now switch to the Security tab and grant Enroll only to the principals that need it: the AD FS server computer account(s), or a group containing them. The Web Server template lets the requester supply the subject name, so granting Enroll to Authenticated Users would let any domain user obtain a CA-trusted Server Authentication certificate for any name, including your federation service name. If you do use Authenticated Users in a lab, remove that permission once the ADFS certificates have been issued.
- Under Permissions for the principal you selected, check Enroll in the Allow column and click OK.
- Close the Certificate Templates console.
- In the Certification Authority MMC, right click Certificate Templates in the left pane and select New > Certificate Template to Issue from the menu.
- In the Enable Certificate Templates dialog, select SSL Certificates in the list and click OK.
- Click Certificate Templates in the left pane of the Certification Authority MMC, and you should see SSL Certificates listed in the details pane with an Intended Purpose of Server Authentication.
Request a Certificate for ADFS Server
Now that we have an appropriate certificate template, we can request a certificate for the AD FS server.
- Log in to your ADFS server as a domain administrator.
- Go to the Start screen, type mmc and press Enter to open an MMC console on the desktop.
- In the MMC console, go to the File menu and select Add/Remove Snap-in…
- In the Add or Remove Snap-ins dialog, select Certificates under Available snap-ins and press Add.
- In the Certificates snap-in dialog, select Computer account and click Next.
- On the Select Computer screen, select Local computer and click Finish.
- Click OK in the Add or Remove Snap-ins dialog.
- In the left pane of the MMC console, expand Certificates (Local Computer), right-click Personal and select All Tasks > Request New Certificate from the menu.
- In the Certificate Enrollment dialog, click Next on the Before You Begin screen.
- On the Select Certificate Enrollment Policy screen, select Active Directory Enrollment Policy and click Next.
- On the Request Certificates screen, click More information is required to enroll for this certificate below SSL Certificates.
- In the Certificate Properties dialog on the Subject tab, set the Subject name Type to Common name. In the Value box, type your federation service name and click Add. This is the name clients will use to reach the federation service, which is normally not the server's own hostname; in this lab the federation service name is fs.testdomain.local.
- Under Alternative name, set the Type box to DNS. In the Value box, type the same federation service name and click Add.
- Repeat the last step to add a second DNS Alternative name, this time enterpriseregistration.testdomain.local, replacing testdomain.local with your UPN suffix.
- Now click OK in the Certificate Properties dialog.
- Back in the Certificate Enrollment dialog on the Request Certificates screen, check SSL Certificates and click Enroll.
- Once the enrolment has succeeded, click Finish.
- In the MMC, click Certificates under Personal in the left pane and you should see the certificate has been issued on the right by your domain’s certification authority.
- Close the MMC.
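The same enrollment from PowerShell with the PKI module, as an added example that is not part of the original walkthrough. It assumes the template created above has the template (short) name SSLCertificates, i.e. the display name SSL Certificates with the space removed (confirm with certutil -Template on the CA), and a federation service name of fs.testdomain.local. After enrolling it checks the three things the AD FS wizard will need: a private key, the Server Authentication EKU, and both required SANs.

```powershell
# Added example (not from the original page): request the AD FS SSL certificate from the
# internal enterprise CA without the MMC. Assumed: template short name 'SSLCertificates',
# federation service name fs.testdomain.local, UPN suffix testdomain.local.
$FsName    = 'fs.testdomain.local'
$UpnSuffix = 'testdomain.local'
$Template  = 'SSLCertificates'
$Names     = @($FsName, "enterpriseregistration.$UpnSuffix")

# Subject CN is the federation service name; SANs are the service name plus
# enterpriseregistration.<UPN suffix>, exactly what AD FS requires.
$result = Get-Certificate -Template $Template `
                          -SubjectName "CN=$FsName" `
                          -DnsName $Names `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

# Validate before handing the thumbprint to the AD FS configuration wizard.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }

$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
if ('1.3.6.1.5.5.7.3.1' -notin $ekuExt.EnhancedKeyUsages.Value) {           # Server Authentication
    throw 'Server Authentication EKU missing; the template was not duplicated from Web Server'
}

$sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
foreach ($n in $Names) {
    if ($sanText -notmatch [regex]::Escape($n)) { throw "Subject Alternative Name missing: $n" }
}

"Issued by $($cert.Issuer); thumbprint for the AD FS wizard: $($cert.Thumbprint)"
```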
If you have neither a certificate authority nor a certificate from a trusted third party, you can create a self-signed certificate as below. This is not recommended for production: every client and the WAP must have the certificate imported into their Trusted Root store before they will trust it (for domain members this can be pushed via Group Policy), and a self-signed certificate cannot be revoked.
Create Self Signed Certificate via Powershell
You can use a self-signed certificate if you have no PKI infrastructure or third-party SSL certificate.
The following command creates a self-signed certificate whose subject alternative names are the federation service name (fs.testdomain.local) and the required enterpriseregistration.testdomain.local:
New-SelfSignedCertificate -DnsName fs.testdomain.local, enterpriseregistration.testdomain.local -CertStoreLocation "cert:\LocalMachine\My"
You should now see the certificate in the local computer certificate store under Personal\Certificates.
You can now distribute this certificate to the machines that will use this ADFS server. Distribute only the public certificate (.cer) for trust; the .pfx containing the private key goes only to the ADFS and WAP servers.
Step 3 – Configure Active Directory Federation Server
Launch Server Manager and you should see a notification to start the “Active Directory Federation Services Configuration Wizard“.
Now we need to start configuring the ADFS server.
Since this is our first AD FS server, select the first option, Create the first federation server in a federation server farm, then click Next:
If you are adding this server to an existing ADFS farm, select the second option, Add a federation server to a federation server farm, instead:
Ensure the account you are logged into has Active Directory Domain Admin permissions. If not then click Change. Click Next to continue:
SSL Certificate: the drop-down lists the certificates installed in the computer's Personal store. Select the certificate you enrolled or created in Step 2. If it is not listed, import it first; the wizard accepts a .PFX file containing the certificate and its private key.
Federation Service Name: Give your AD FS a FQDN name.
Federation Service Display Name: Enter a display name
Click Next to proceed:
On the Specify Service Account tab you may get the following message:
“Group managed service accounts are not available because the KDS root key has not been set.”
If you want the wizard to create a group managed service account for you, first create the KDS root key in the PowerShell window below. If you prefer to create a service account manually, select the second option instead.
Get-Help Add-KdsRootKey – Read about the command
Add-KdsRootKey -EffectiveImmediately – Generate the root key
Note that even with -EffectiveImmediately the key only becomes usable after about 10 hours, to allow replication to all domain controllers. In a lab or single-DC domain you can backdate the key's effective time by 10 hours (the -EffectiveTime parameter) so it can be used straight away.
Enter the Service Account you want to use and click Next:
Note: the Web Application Proxy wizard later asks for the credentials of a local administrator on the federation server in order to establish the proxy trust. Use a dedicated administrative account for that; the service account itself does not need to be, and should not be, a member of the local Administrators group on the AD FS server.
You can use the Windows Internal Database (WID) or SQL Server. WID is fine for a lab or a small environment (it supports up to 30 federation servers and 100 relying party trusts); use SQL Server for larger deployments or when you need features such as SAML artifact resolution or token replay detection. Click Next:
Click Next. If everything checks out click Configure:
Once complete click Close:
Step 4 – (Optional) Configure a federation server with Device Registration Service (DRS)
If you plan to use device authentication, for example Windows Hello for Business, or want seamless second-factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices, you need to enable the Device Registration Service on ADFS.
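Step 3 and the optional Step 4 from an elevated PowerShell session on the AD FS server, as an added example that is not part of the original walkthrough. It uses the cmdlets the wizard calls underneath and assumes the domain testdomain.local (NetBIOS name TESTDOMAIN), the federation service name fs.testdomain.local, a gMSA named adfsgmsa, and the Step 2 certificate already in the computer's Personal store. Run it as a Domain Admin: Install-AdfsFarm needs that to create the AD FS container in Active Directory, and Initialize-ADDeviceRegistration writes to the forest Configuration partition, which needs an Enterprise Admin the first time.

```powershell
# Added example (not from the original page): first node of a new AD FS farm on WID, plus DRS.
# Assumed values: domain testdomain.local / TESTDOMAIN, federation service fs.testdomain.local,
# gMSA adfsgmsa, Step 2 certificate present in Cert:\LocalMachine\My.
$Domain  = 'testdomain.local'
$NetBios = 'TESTDOMAIN'
$FsName  = 'fs.testdomain.local'
$Gmsa    = 'adfsgmsa'

Install-WindowsFeature ADFS-Federation, RSAT-AD-PowerShell -IncludeManagementTools | Out-Null

# KDS root key: created once per forest before any gMSA can exist (this is what the wizard's
# "KDS root key has not been set" message is about). -EffectiveImmediately still waits ~10 h
# for replication; backdating the effective time makes the key usable at once, which is
# acceptable for a lab or a single-DC forest.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# Dedicated gMSA for the federation service. Only this AD FS server may retrieve its
# password; it does not need to be a local administrator anywhere.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
    New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer $env:COMPUTERNAME)
}

# Select the SSL certificate by its SAN rather than taking whatever is first in the store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $FsName } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate for $FsName with a private key in LocalMachine\My" }

# First node of a new farm on the Windows Internal Database. For an additional node run
# Add-AdfsFarmNode -PrimaryComputerName <first node> with the same thumbprint and gMSA;
# for SQL Server add -SQLConnectionString to either cmdlet.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FsName `
                 -FederationServiceDisplayName 'Test Domain Sign-In' `
                 -GroupServiceAccountIdentifier "$NetBios\$Gmsa`$"

# Step 4 (optional): Device Registration Service for Workplace Join / Windows Hello for Business.
Initialize-ADDeviceRegistration -ServiceAccountName "$NetBios\$Gmsa`$"
Enable-AdfsDeviceRegistration
```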
Step 5 – Configure DNS Records
Add a Host (A) and an Alias (CNAME) resource record to corporate DNS for the Federation Service and DRS.
You must add the following resource records to corporate Domain Name System (DNS) for the federation service and the Device Registration Service you configured in the previous steps:
| Entry | Type | Value |
| federation_service_name | Host (A) | IP address of the AD FS server, or of the load balancer configured in front of your AD FS server farm |
| enterpriseregistration | Alias (CNAME) | federation_service_name |
Add one enterpriseregistration CNAME for every UPN suffix your users sign in with.
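Step 5 with the DnsServer module, as an added example that is not part of the original walkthrough. It runs on a domain controller hosting the zone (or remotely by adding -ComputerName) and assumes the zone and UPN suffix testdomain.local, the federation service host fs, and 10.0.0.10 as the address of the AD FS server or load balancer. The final checks resolve both names the way a DRS client would.

```powershell
# Added example (not from the original page): create and verify the two DNS records AD FS needs.
# Assumed values: zone/UPN suffix testdomain.local, host fs, address 10.0.0.10.
$Zone   = 'testdomain.local'
$FsHost = 'fs'
$FsIp   = '10.0.0.10'

# Host (A) record for the federation service name.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $FsHost -IPv4Address $FsIp -TimeToLive 00:05:00

# Alias (CNAME) for Device Registration: enterpriseregistration.<UPN suffix> -> federation service.
# Repeat this for every UPN suffix in use.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'enterpriseregistration' -HostNameAlias "$FsHost.$Zone"

# Verify from a domain-joined client; a DRS client resolves the CNAME exactly like this.
$a = Resolve-DnsName -Name "$FsHost.$Zone" -Type A
if ($a.IPAddress -ne $FsIp) {
    throw "A record for $FsHost.$Zone resolves to $($a.IPAddress), expected $FsIp"
}
$c = Resolve-DnsName -Name "enterpriseregistration.$Zone"
if (($c | Where-Object Type -eq 'CNAME').NameHost -ne "$FsHost.$Zone") {
    throw 'DRS CNAME does not point at the federation service name'
}
"DNS records for $FsHost.$Zone and enterpriseregistration.$Zone verified"
```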
ADFS Firewall Requirements
Both the firewall located between the Web Application Proxy and the federation server farm and the firewall between the clients and the Web Application Proxy must have TCP port 443 enabled inbound.
In addition, if client user certificate authentication (client TLS authentication using X.509 user certificates) is required and the certauth endpoint on port 443 is not enabled, AD FS 2016 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy.
This is not required on the firewall between the Web Application Proxy and the federation servers.
Ref for ADFS Network requirements: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_7
Step 6 – Verify that a federation server is operational
Open a browser window and, in the address bar, type the federation service's DNS host name followed by /adfs/fs/federationserverservice.asmx; for the federation service name fs.contoso.com used above that is https://fs.contoso.com/adfs/fs/federationserverservice.asmx.
Press ENTER, and then complete the next procedure on the federation server computer. If you see the message There is a problem with this website's security certificate, click Continue to this website. That warning only appears when the client does not trust the SSL certificate (for example a self-signed one) and should not occur with a CA-issued certificate.
The expected output is the XML service description document. If it appears, the federation service's HTTPS listener is operational and serving requests (AD FS 2012 R2 and later run on HTTP.sys and do not use IIS).
Next check the following:
- Log on to the new federation server as an administrator.
- On the Start screen, type Event Viewer, and then press ENTER.
- In the left pane, expand Applications and Services Logs, expand AD FS, and then click Admin.
- In the Event ID column, look for event ID 100. If the federation server is configured properly, a new event with ID 100 appears in this AD FS > Admin log (not in the Application log).
- This event verifies that the federation server was able to successfully communicate with the Federation Service.
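The Step 6 checks from PowerShell, as an added example that is not part of the original walkthrough. It assumes the federation service name fs.testdomain.local; the HTTPS checks can run from any client or from the WAP host, the event log and cmdlet checks run on the federation server itself. It also fetches the federation metadata document, which is the check most relying parties perform and works on every AD FS version since 2012 R2.

```powershell
# Added example (not from the original page): verify a federation server is operational.
# Assumed federation service name: fs.testdomain.local.
$FsName = 'fs.testdomain.local'

# 1. TLS handshake plus the federation metadata document. A certificate error here means
#    this client does not trust the SSL certificate; fix the trust rather than ignoring it.
$resp = Invoke-WebRequest -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
[xml]$meta = $resp.Content
"Federation service identifier: $($meta.EntityDescriptor.entityID)"

# 2. The service description page used in the tutorial; expect HTTP 200.
$svc = Invoke-WebRequest -Uri "https://$FsName/adfs/fs/federationserverservice.asmx" -UseBasicParsing
if ($svc.StatusCode -ne 200) { throw "federationserverservice.asmx returned $($svc.StatusCode)" }

# 3. Event ID 100 lives in Applications and Services Logs > AD FS > Admin, not in the
#    Application log. Its presence shows the server registered with the Federation Service.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 100 } -MaxEvents 1 |
    Select-Object TimeCreated, Message

# 4. Service state, identifiers, and the certificate actually bound to 443; the
#    CertificateHash should match the thumbprint enrolled in Step 2.
Get-Service adfssrv       | Select-Object Name, Status
Get-AdfsProperties        | Select-Object HostName, Identifier
Get-AdfsSslCertificate    | Select-Object HostName, PortNumber, CertificateHash

# 5. Reachability on the one port a WAP needs inbound to the federation servers.
Test-NetConnection -ComputerName $FsName -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```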
Setting up Web Application Proxy - WAP Server
Step 1 – Import certificate
The first step is to import the certificate you used during the ADFS setup.
You need the certificate from your AD FS server, together with its private key, on the Web Application Proxy server. Log in to your AD FS server and open mmc.exe:
Go to File -> Add/Remove Snap-ins -> select Certificates then click Add:
When you click OK you will get the following pop up. Select Computer account then click Next:
On AD FS Server: Drill down to Personal -> Certificates then right click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the Private Key and certificate as a .PFX file.
On Web Application Proxy: Right click on Personal -> Certificates then go to All Tasks -> Import:
This will bring up the Certificate Import Wizard. Click Next:
Browse to the certificate that you exported from your AD FS server and select it. Click Next:
Enter the password for the private key. Leave Mark this key as exportable unchecked unless you will need to export the certificate from the WAP again; a non-exportable key cannot be copied off a compromised proxy. Click Next:
Leave the default certificate store as Personal. Click Next:
If the certificate is self-signed, also import it into Trusted Root Certification Authorities so the WAP trusts it. If it was issued by your internal CA, import the CA's root (and any intermediate) certificate there instead; a CA-issued server certificate does not belong in the Trusted Root store.
You should now see the certificate from your AD FS servers on your Web Application Proxy server.
Now we are ready to perform the Post Configuration.
Step 2 – Post WAP Deployment Configuration
Back on your Web Application Proxy server, open Server Manager, click Notifications, then click Open the Web Application Proxy Wizard:
Click Next and enter the FQDN of your federation service (e.g. fs.testdomain.local) and the credentials of a local administrator on the AD FS server. These credentials are used once to establish the proxy trust; they are not the gMSA service account. Click Next:
On the drop down menu select the certificate you imported from your AD FS server. Click Next:
Click Configure, wait for the trust to be established, then click Close:
The Remote Access Management Console opens when you click Close.
Under Operations Status all objects should show green.
You’re now ready to start publishing applications.
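The whole WAP section from PowerShell, as an added example that is not part of the original walkthrough: export the certificate on the AD FS server (Part A), then import it, establish the proxy trust and publish a first application on the WAP (Part B). Assumed values: the federation service name fs.testdomain.local, a share \\fileserver\transfer both servers can reach, a local administrator on the federation server named adfsadmin used only for the trust (not the gMSA), and an internal application published externally as app.testdomain.com with its own certificate already in the WAP's Personal store.

```powershell
# Added example (not from the original page). Part A runs on the AD FS server, Part B on the WAP.
# Assumed values: fs.testdomain.local, \\fileserver\transfer, local admin 'adfsadmin',
# published app app.testdomain.com -> backend https://app.testdomain.local/.
$FsName = 'fs.testdomain.local'
$Pfx    = '\\fileserver\transfer\fs.pfx'

# ---- Part A (AD FS server): export the SSL certificate together with its private key.
$pw   = Read-Host -AsSecureString 'PFX password'
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $FsName } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate for $FsName in LocalMachine\My" }
Export-PfxCertificate -Cert $cert -FilePath $Pfx -Password $pw | Out-Null

# ---- Part B (WAP server).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null

# Import into Personal without -Exportable: the WAP only needs to use the key, never re-export it.
$pw      = Read-Host -AsSecureString 'PFX password'
$wapCert = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw |
           Where-Object { $_.DnsNameList.Unicode -contains $FsName }
Remove-Item $Pfx   # the file on the share carries the private key; do not leave it behind

# Trust: only a self-signed certificate goes into Trusted Root itself. For a CA-issued cert
# import the CA's root/intermediate certificates there instead, e.g.
#   Import-Certificate -FilePath .\ca-root.cer -CertStoreLocation Cert:\LocalMachine\Root
if ($wapCert.Subject -eq $wapCert.Issuer) {
    Export-Certificate -Cert $wapCert -FilePath "$env:TEMP\fs.cer" | Out-Null
    Import-Certificate -FilePath "$env:TEMP\fs.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# The WAP must resolve the federation service name and reach it on TCP 443.
if (-not (Test-NetConnection -ComputerName $FsName -Port 443).TcpTestSucceeded) {
    throw "Cannot reach $FsName on TCP 443 from the WAP; check DNS/hosts and the internal firewall"
}

# Establish the proxy trust. The credential is a local administrator on the federation
# server, used once; the gMSA service account is not involved.
Install-WebApplicationProxy -FederationServiceTrustCredential (Get-Credential 'adfsadmin') `
                            -CertificateThumbprint $wapCert.Thumbprint `
                            -FederationServiceName $FsName
Get-WebApplicationProxyConfiguration

# Publish a first application with AD FS pre-authentication. The relying party trust
# 'Intranet App' must already exist on AD FS, and the external certificate must cover
# the external host name (assumed to be a separate cert already in LocalMachine\My).
$appCert = Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains 'app.testdomain.com' } |
           Select-Object -First 1
if (-not $appCert) { throw 'No certificate for app.testdomain.com on the WAP' }
Add-WebApplicationProxyApplication -Name 'Intranet App' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet App' `
    -ExternalUrl 'https://app.testdomain.com/' `
    -BackendServerUrl 'https://app.testdomain.local/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl, ExternalPreauthentication
```

Pre-authentication through AD FS means the WAP never forwards a request to the backend until the user has signed in at the federation service, which is the reason to publish with ExternalPreauthentication ADFS rather than PassThrough whenever the application supports it.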
Active Directory Federation Services (ADFS / WAP) Support
If you have any questions about this ADFS deployment or are experiencing any issues with your deployment, leave your comments below and I will answer them for you within 24 hours.
If you would like to hire us to setup your ADFS farm for you, get in touch and we can get you up and running.