How to setup an ADFS Farm 2016 in Azure IaaS

To set up a new ADFS 2016 server farm in Azure, simply download our virtual machines from the Azure marketplace, called “ADFS 4.0 Server Windows 2016” and “Microsoft Web Application Proxy – WAP 2016 Server” by Cloud Infrastructure Services.

Click on the deploy buttons below to deploy straight to your Azure tenant.

Deploy ADFS 2016 Server to your Azure tenant.

Deploy Web Application Proxy to your Azure tenant

ADFS 2016 Farm

ADFS Setup

Once you have installed the new Active Directory Federation Services 2016 server and powered it up in Azure, there are requirements that you’ll need to have in place before you get started.

AD FS 2016 Requirements:

The following links explain the requirements you need in place to build your ADFS 2016 farm:

Example of ADFS / WAP 2016 farm in Azure: load balanced ADFS farm in Azure

If you are adding this ADFS server to an existing farm, jump to step 3; otherwise, if this is a new ADFS server, start from step 1.

Step 1 – Join your computer to an Active Directory domain

The first step is to add your VM to your domain.

  1. Make sure the DNS server address on the server’s NIC is pointing to one of your domain controllers that is reachable from this VM.
  2. To join the computer to the domain, on the Start screen, type Control Panel, and then press ENTER.
  3. Navigate to System and Security, and then click System.
  4. Under Computer name, domain, and workgroup settings, click Change settings.
  5. On the Computer Name tab, click Change.
  6. Under Member of, click Domain, type the name of the domain that this computer will join, and then click OK.
  7. Click OK, and then restart the computer.
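The same step done from PowerShell, as an added example (not from the original post). It sets the NIC’s DNS server, proves that a domain controller is actually advertised and reachable before attempting the join, and only then joins and restarts. The domain name testdomain.local, the DC address 10.0.0.4 and the adapter name Ethernet are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): scripted version of Step 1.
# Assumptions (placeholders): domain testdomain.local, a DC at 10.0.0.4 and a NIC
# named "Ethernet". The join credential is prompted for, never stored in the script.
$Domain    = 'testdomain.local'
$DcAddress = '10.0.0.4'

# 1. Point the NIC's DNS client at a domain controller reachable from this VM.
$nic = Get-NetAdapter -Name 'Ethernet'
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DcAddress

# 2. Check that a DC is advertised for the domain (SRV record) and answers on LDAP
#    before the join is attempted; a wrong DNS server is the usual cause of a failed join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddress -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -First 1).NameTarget
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
    throw "Domain controller $dc is not reachable on TCP 389; check NSG/firewall rules and DNS."
}

# 3. Join with an account that is allowed to create the computer object, then restart.
$cred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart -Force
```

After the restart, the server reports its new domain membership under System in Control Panel, exactly as in the manual steps above.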

 

Step 2 – Enroll an SSL Certificate for ADFS

Active Directory Federation Services (AD FS) requires a certificate for Secure Sockets Layer (SSL) server authentication on each federation server in your federation server farm. The same certificate can be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you can import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:

  • The subject name and subject alternative name must contain your federation service name, such as fs.contoso.com.
  • The subject alternative name must contain the value enterpriseregistration followed by the User Principal Name (UPN) suffix of your organization, for example, enterpriseregistration.contoso.com.

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/enroll-an-ssl-certificate-for-ad-fs

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_1

Internal Certificate Authority (PKI)

If you already have a PKI infrastructure (CA) in place, you can request a certificate from the certificate authority in your domain. You will first have to set up a suitable certificate template on your CA and make it available to your ADFS servers.

To do that, log in to your CA server with administrative permissions:

  • In Server Manager, click Tools and select Certification Authority from the menu.
  • In the Certification Authority MMC, expand your CA in the left pane, right click Certificate Templates and select Manage from the menu.
  • In the Certificate Templates console, scroll down to the Web Server template in the central pane, right click it and select Duplicate Template from the menu.
  • In the Properties dialog, switch to the General tab.
  • In the Template display name box, type SSL Certificates.
  • Now switch to the Security tab and click Authenticated Users under Group or user names.
  • Under Permissions for Authenticated Users, check Enroll in the Allow column and click OK.

SSL-Properties

  • Close the Certificate Templates console.
  • In the Certification Authority MMC, right click Certificate Templates in the left pane and select New > Certificate Template to Issue from the menu.
  • In the Enable Certificate Templates dialog, select SSL Certificates in the list and click OK.
  • Click Certificate Templates in the left pane of the Certification Authority MMC, and you should see SSL Certificates listed with an Intended Purpose of Server Authentication.

Request a Certificate for AD FS

Now that we have an appropriate certificate template, we can request a certificate for the AD FS server.

  • Log in to your ADFS server as a domain administrator.
  • Go to the Start screen, type mmc and press Enter to open an MMC console on the desktop.
  • In the MMC console, go to the File menu and select Add/Remove Snap-in…
  • In the Add or Remove Snap-ins dialog, select Certificates under Available snap-ins and press Add.
  • In the Certificates snap-in dialog, select Computer account and click Next.
  • On the Select Computer screen, select Local computer and click Finish.
  • Click OK in the Add or Remove Snap-ins dialog.
  • In the left pane of the MMC console, expand Certificates (Local Computer), right-click Personal and select All Tasks > Request New Certificate from the menu.
  • In the Certificate Enrollment dialog, click Next on the Before You Begin screen.

certificate-enrollment

  • On the Select Certificate Enrollment Policy screen, select Active Directory Enrollment Policy and click Next.
  • On the Request Certificates screen, click More information is required to enroll for this certificate below SSL Certificates.
  • In the Certificate Properties dialog on the Subject tab, set the Subject name Type to Common name. In the Value box, type the Fully Qualified Domain Name (FQDN) of your ADFS server and click Add. In my lab, the FQDN of my ADFS server is fs.testdomain.local.
  • Under Alternative name, set the Type box to DNS. In the Value box, type the FQDN of your ADFS server and click Add.
  • Repeat the last step to set an additional Alternative name DNS value, but this time set the value to enterpriseregistration.testdomain.local, replacing testdomain.local with your domain name.

certificate-properties

  • Now click OK in the Certificate Properties dialog.
  • Back in the Certificate Enrollment dialog on the Request Certificates screen, check SSL Certificates and click Enroll.
  • Once the enrollment has succeeded, click Finish.
  • In the MMC, click Certificates under Personal in the left pane and you should see on the right that the certificate has been issued by your domain’s certification authority.
  • Close the MMC.

An alternative, if you don’t have a certificate authority or a third-party trusted certificate, is to create a self-signed certificate as described below. This is not recommended in a production environment, because you will have to distribute the certificate and import it into the certificate store of every computer that must validate it as trusted. This can be achieved via Group Policy.

Self Signed Cert Tool

You can use the self-signed certificate that is pre-installed on our VM if you don’t have a PKI infrastructure or a third-party SSL certificate. To create your own, open a command prompt and change directory to C:\Cert.

Run Selfssl7.exe /? for a list of available options.

In the screenshot below I’ve requested to create a self signed certificate with subject alternative names of my federation service name (fs.testdomain.local) and the required enterpriseregistration.testdomain.local.

I’ve also specified the key length of 1024 using the /k switch.

I’ve also specified /v18250 for the number of days the certificate is valid for. /T adds the self-signed certificate to the user’s trusted certificates list. /X exports the cert and /F specifies the file path to save as .pfx. /W sets a password.

Create self signed certificate

 

Once you’ve exported the certificate, check that it is in the local computer’s certificate store. If not, import it:

certificate-store

You can now distribute this certificate to the machines that will be using this ADFS server.
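The same self-signed certificate built with the New-SelfSignedCertificate cmdlet that ships with Windows Server 2016, as an added example that is not from the original post and does not use Selfssl7.exe. It puts both required names into the subject alternative name, verifies that the SAN really carries them before anything is exported (the check also applies to a CA-issued certificate from the template above), exports the .pfx for the AD FS wizard and the WAP server, and adds the public part to the local Trusted Root store. It uses a 2048-bit RSA key and SHA-256 rather than the 1024-bit key shown in the screenshot, because 1024-bit RSA is no longer accepted by current browsers and certificate authorities. The names fs.testdomain.local, testdomain.local and the path C:\Cert\adfs.pfx are placeholders.

```powershell
# Added example (not from the original post): create the AD FS service certificate with
# New-SelfSignedCertificate, verify its SAN, export it and trust it locally.
# Assumptions (placeholders): federation service fs.testdomain.local, UPN suffix
# testdomain.local, output C:\Cert\adfs.pfx; the PFX password is prompted for.
$FederationService = 'fs.testdomain.local'
$UpnSuffix         = 'testdomain.local'
$PfxPath           = 'C:\Cert\adfs.pfx'
$RequiredNames     = @($FederationService, "enterpriseregistration.$UpnSuffix")

# Both names AD FS requires go into the SAN; the first -DnsName entry also becomes the subject.
$cert = New-SelfSignedCertificate `
    -DnsName $RequiredNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName 'AD FS service certificate'

# Inspect the SAN extension (OID 2.5.29.17). A certificate missing either name is rejected
# at the wizard's SSL certificate step or breaks device registration later on.
function Test-AdfsCertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string[]]$Names)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { Write-Warning 'Certificate has no subject alternative name'; return $false }
    # Format($false) renders "DNS Name=a, DNS Name=b"; keep only the values.
    $present = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    foreach ($name in $Names) {
        if ($present -notcontains $name) { Write-Warning "SAN is missing $name"; return $false }
    }
    return $true
}
if (-not (Test-AdfsCertificateNames -Certificate $cert -Names $RequiredNames)) {
    throw 'Certificate does not satisfy the AD FS name requirements.'
}

# Export certificate plus private key as .pfx for the AD FS wizard and the WAP server.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# A self-signed certificate is trusted nowhere by default: import the public part into the
# local machine's Trusted Root store (and distribute that .cer to clients via Group Policy).
$cerPath = [System.IO.Path]::ChangeExtension($PfxPath, '.cer')
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

"Issued $($cert.Subject) with thumbprint $($cert.Thumbprint); exported to $PfxPath"
```

Only the .cer (public part) should ever be distributed to clients; the .pfx contains the private key and belongs on the federation and proxy servers alone.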

 

Step 3 – Configure Federation Server

Launch Server Manager and you should see a notification to start the “Active Directory Federation Services Configuration Wizard”:

post-config

Now we need to start configuring the ADFS server.

 

Since this is our first AD FS server, select the first option, then click Next:

If you have an existing ADFS farm, see https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server#BKMK_2

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server

Ensure the account you are logged in with has Active Directory Domain Admin permissions. If not, click Change. Click Next to continue:

 

SSL Certificate: the drop-down menu lists the certificates installed on the server. You can use the default self-signed certificate or one you created. Ensure you have it in .PFX format.

Federation Service Name: give your AD FS a FQDN name.

Federation Service Display Name: enter a display name.

Click Next to proceed:

On the Specify Service Account tab you may get the following message:

“Group managed service accounts are not available because the KDS root key has not been set.”

If you want the wizard to create a group managed service account for you, first run the PowerShell commands below to generate the KDS root key. If you want to create a service account manually, you can add it by selecting the second option.

PowerShell Commands:

Get-Help Add-KdsRootKey – Read about the command

Add-KdsRootKey -EffectiveImmediately – Generate the root key

 

Enter the Service Account you want to use and click Next:

Note: Ensure this user account is added to the local Administrators group of your AD FS server. It is required to set up Microsoft Web Application Proxy.

You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment or lab, use WID. If you have a large environment, use a SQL database. Click Next:

Click Next. If everything checks out, click Configure:

Once complete, click Close:
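The whole of Step 3 as a PowerShell script, added here as an example that is not from the original post: it generates the KDS root key if none exists, creates the group managed service account the wizard would otherwise create for you, picks the service certificate by thumbprint, and installs the first farm node on WID with Install-AdfsFarm. One caveat on the root key: Add-KdsRootKey -EffectiveImmediately still makes the key usable only after about ten hours to allow for AD replication, so a fresh lab may need to wait before the gMSA can be created. The script assumes the Active Directory RSAT module is installed on the AD FS server; testdomain.local, fs.testdomain.local and the gMSA name gmsaADFS are placeholders.

```powershell
# Added example (not from the original post): scripted equivalent of Step 3.
# Assumptions (placeholders): domain testdomain.local, federation service
# fs.testdomain.local, gMSA gmsaADFS, RSAT ActiveDirectory module available locally.
$Domain            = 'testdomain.local'
$FederationService = 'fs.testdomain.local'
$DisplayName       = 'Test Domain Federation Service'
$GmsaName          = 'gmsaADFS'

# 1. KDS root key: required before any group managed service account can be created.
#    Even with -EffectiveImmediately the key becomes usable ~10 hours later.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Create the gMSA and allow this AD FS server to retrieve its managed password.
#    A gMSA has no human-known password, which is why it is preferred over a user account.
Import-Module ActiveDirectory
$adfsHost = Get-ADComputer -Identity $env:COMPUTERNAME
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -ServicePrincipalNames "host/$FederationService" `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsHost
}

# 3. Select the service certificate by thumbprint, newest first, so a stale certificate
#    with the same name in the store cannot be picked by accident.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationService -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $FederationService in LocalMachine\My" }

# 4. Install the first node of the farm (WID is the default). Further nodes join the
#    farm with Add-AdfsFarmNode, which is the scripted form of the wizard's second option.
$domainAdmin = Get-Credential -Message 'Domain Admin account for the AD FS installation'
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationService `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier "$((Get-ADDomain).NetBIOSName)\$GmsaName`$" `
    -Credential $domainAdmin

# 5. Confirm what the farm is now serving and which certificate is bound to 443.
Get-AdfsProperties   | Select-Object HostName, DisplayName
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

The CertificateHash reported in the last line should match the thumbprint of the certificate you enrolled in Step 2; if it does not, the wizard or script bound a different certificate than intended.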

 

Step 4 – (Optional) Configure a federation server with Device Registration Service (DRS)

If you are looking to use device authentication, for example Microsoft Windows Hello for Business, or to enable seamless second-factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices, you’ll need to enable the Device Registration Service on ADFS.

Refer to: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-a-federation-server-with-device-registration-service

Step 5 – Configure DNS Records

Add a Host (A) and an Alias (CNAME) resource record to corporate DNS for the Federation Service and DRS.

You must add the following resource records to corporate Domain Name System (DNS) for the federation service and Device Registration Service that you configured in the previous steps.

Entry                     Type            Address
federation_service_name   Host (A)        IP address of the AD FS server, or the IP address of the load balancer that is configured in front of your AD FS server farm
enterpriseregistration    Alias (CNAME)   federation_server_name.contoso.com

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/configure-corporate-dns-for-the-federation-service-and-drs
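The two records from the table created with the DnsServer module, plus a check that both names resolve to the front-end address, as an added example that is not from the original post. The zone testdomain.local, host name fs, address 10.0.0.10 and DNS server dc1.testdomain.local are placeholders; the address is the load balancer VIP when you have a farm behind one, otherwise the AD FS server itself.

```powershell
# Added example (not from the original post): create the A and CNAME records from the
# table above on a Windows DNS server and verify them from a client's point of view.
# Assumptions (placeholders): zone testdomain.local, federation service host fs,
# front-end IP 10.0.0.10, DNS server dc1.testdomain.local.
$Zone        = 'testdomain.local'
$ServiceHost = 'fs'
$FrontEndIp  = '10.0.0.10'
$DnsServer   = 'dc1.testdomain.local'

# Host (A) record for the federation service name; a short TTL keeps a later move
# to a load balancer cheap.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
    -Name $ServiceHost -IPv4Address $FrontEndIp -TimeToLive 00:05:00

# Alias (CNAME) record that the Device Registration Service requires, pointing at the
# federation service name rather than at an IP, so it follows the A record.
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Zone `
    -Name 'enterpriseregistration' -HostNameAlias "$ServiceHost.$Zone"

# Both names must end at the same address, and the alias must target the service name.
function Test-AdfsDnsRecords {
    param([string]$ServiceFqdn, [string]$UpnSuffix, [string]$ExpectedIp, [string]$Server)
    $a = Resolve-DnsName -Name $ServiceFqdn -Type A -Server $Server -ErrorAction Stop |
         Where-Object QueryType -eq 'A'
    $c = Resolve-DnsName -Name "enterpriseregistration.$UpnSuffix" -Server $Server -ErrorAction Stop
    $alias = ($c | Where-Object QueryType -eq 'CNAME').NameHost
    $ip    = ($c | Where-Object QueryType -eq 'A').IPAddress
    return ($a.IPAddress -contains $ExpectedIp) -and ($alias -eq $ServiceFqdn) -and ($ip -contains $ExpectedIp)
}
Test-AdfsDnsRecords -ServiceFqdn "$ServiceHost.$Zone" -UpnSuffix $Zone -ExpectedIp $FrontEndIp -Server $DnsServer
```

Run the check against each DNS server your clients use; a record present on one DC but not yet replicated to the others is a common reason device registration works for some users and not for others.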

 

Step 6 – Verify that a federation server is operational

Open a browser window, in the address bar type the federation server’s DNS host name, and then append /adfs/fs/federationserverservice.asmx to it for the new federation server, for example:

https://fs1.testdomain.local/adfs/fs/federationserverservice.asmx

Press ENTER, and then complete the next procedure on the federation server computer. If you see the message There is a problem with this website’s security certificate, click Continue to this website.

The expected output is a display of XML with the service description document. If this page appears, IIS on the federation server is operational and serving pages successfully.

Next, check the following:

Log on to the new federation server as an administrator.

On the Start screen, type Event Viewer, and then press ENTER.

In the details pane, double-click Applications and Services Logs, double-click AD FS Eventing, and then click Admin.

In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event, in the Application log of Event Viewer, with the event ID 100. This event verifies that the federation server was able to successfully communicate with the Federation Service.

Ref: https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/deployment/verify-that-a-federation-server-is-operational
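The same two checks from PowerShell, as an added example that is not from the original post: it requests the federation server service page and looks for event ID 100 in the AD FS Admin log. The host name fs1.testdomain.local is a placeholder. Note that the request is made with certificate validation left on: with the self-signed certificate from Step 2 it fails until that certificate has been imported into the Trusted Root store, which is the same condition the browser warning in the manual check reports.

```powershell
# Added example (not from the original post): checks the federation server service
# endpoint and the AD FS Admin event ID 100 that Step 6 describes.
# Assumption (placeholder): federation server host name fs1.testdomain.local.
$FederationServer = 'fs1.testdomain.local'

function Test-AdfsEndpoint {
    param([string]$HostName)
    $url = "https://$HostName/adfs/fs/federationserverservice.asmx"
    if (-not (Test-NetConnection -ComputerName $HostName -Port 443 -InformationLevel Quiet)) {
        Write-Warning "TCP 443 on $HostName is not reachable"; return $false
    }
    try {
        # Certificate validation stays on: an untrusted certificate is a finding, not
        # something to bypass, because clients will hit the same problem.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        return ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0)
    } catch {
        Write-Warning "Request to $url failed: $($_.Exception.Message)"; return $false
    }
}

function Get-AdfsStartupEvent {
    # Event 100 in the AD FS/Admin log records a successful service start.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        Id        = 100
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object -First 1 TimeCreated, Id, Message
}

$endpointOk = Test-AdfsEndpoint -HostName $FederationServer
$event100   = Get-AdfsStartupEvent
[pscustomobject]@{
    EndpointReachable = $endpointOk
    Event100Seen      = [bool]$event100
    LastEvent100      = $event100.TimeCreated
}
```

Run it on the federation server itself for the event check; the endpoint check is more useful from a client or from the WAP server, since that is where name resolution and certificate trust actually matter.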

 

Setting up WAP Server

Once you’ve got your ADFS server up and running, we can begin the WAP deployment.

Requirements:

Step 1 – Import certificate

The first step is to import the certificate you used in your ADFS server setup.

You need the certificate from your AD FS server added to your Web Application Proxy server. Log in to your AD FS server and open MMC.exe:

Go to File -> Add/Remove Snap-ins -> select Certificates, then click Add:

When you click OK you will get the following pop-up. Select Computer account, then click Next:

On the AD FS server: drill down to Personal -> Certificates, then right-click the SSL certificate you used during setup of AD FS. Go to All Tasks -> Export. Save to a location that your Web Application Proxy can access. Ensure you export the private key and certificate as a .PFX file.

On the Web Application Proxy: right-click Personal -> Certificates, then go to All Tasks -> Import:

This will bring up the Certificate Import Wizard. Click Next:

Browse to the certificate that you exported from your AD FS server and select it. Click Next:

Enter the password for the private key and check the box to make the key exportable. Click Next:

Leave the default certificate store as Personal. Click Next:

Click Finish:

Now import the certificate into the Trusted Root Certification Authorities store as well:

You should now see the certificate from your AD FS server on your Web Application Proxy server.

Now we are ready to perform the post-deployment configuration.

 

Step 2 – Post Deployment Configuration

Back on your Web Application Proxy server, open Server Manager, then click Notifications and the message Open the Web Application Proxy Wizard:

Click Next and enter the FQDN of your AD FS federation service name and the service account you created during AD FS setup. Click Next:

On the drop-down menu select the certificate you imported from your AD FS server. Click Next:

Click Configure:

Once finished, click Close:

The Remote Access Management Console should open when you click Close. On Operations Status you should see all the objects as green.

You’re now ready to start publishing applications.
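Both WAP steps as one PowerShell script, added as an example that is not from the original post: it imports the .pfx exported from the AD FS server, adds a self-signed certificate to the proxy’s Trusted Root store (a CA-issued certificate needs its issuing chain there instead), confirms the federation service is reachable on 443, and runs the post-deployment configuration with Install-WebApplicationProxy. The trust credential it prompts for is the account that is a local administrator on the AD FS server, as noted in Step 3 of the ADFS setup. fs.testdomain.local and C:\Cert\adfs.pfx are placeholders.

```powershell
# Added example (not from the original post): scripted equivalent of the WAP Step 1
# (certificate import) and Step 2 (post-deployment configuration).
# Assumptions (placeholders): federation service fs.testdomain.local, the .pfx copied
# to C:\Cert\adfs.pfx; the PFX password and trust credential are prompted for.
$FederationService = 'fs.testdomain.local'
$PfxPath           = 'C:\Cert\adfs.pfx'

# Step 1: import certificate plus private key into LocalMachine\My.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $pfxPassword -Exportable

# A self-signed certificate (issuer equals subject) must also be trusted as a root on the
# proxy, otherwise the proxy cannot validate the federation server it connects to.
if ($cert.Subject -eq $cert.Issuer) {
    $cerPath = [System.IO.Path]::ChangeExtension($PfxPath, '.cer')
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# The proxy has to reach the federation service on 443 before the trust can be established.
if (-not (Test-NetConnection -ComputerName $FederationService -Port 443 -InformationLevel Quiet)) {
    throw "$FederationService is not reachable on TCP 443 from this proxy"
}

# Step 2: post-deployment configuration, the scripted form of the wizard's Configure button.
$trustCred = Get-Credential -Message "Account allowed to establish the proxy trust with $FederationService"
Install-WebApplicationProxy `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationService `
    -FederationServiceTrustCredential $trustCred

# Equivalent of the Operations Status view in Remote Access Management Console.
Get-WebApplicationProxyHealth
Get-WebApplicationProxyConfiguration
```

Get-WebApplicationProxyHealth should report the proxy as healthy before you publish anything; if it does not, the usual causes are the federation service name not resolving from the proxy, or the certificate on the proxy not matching the one bound on the AD FS server.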

 

Support

 

If you have any questions about this ADFS deployment or are experiencing any issues with your deployment, leave your comments below and I will answer them within 24 hours.

If you would like to hire us to set up your ADFS farm for you, get in touch and we can get you up and running.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
