This video will install Active Directory Federation Services on Windows Server 2012. In a previous video, an enterprise CA was installed and configured. This video will use that enterprise CA to issue a certificate for this install of Active Directory Federation Services.
Demonstration Installing ADFS Role
To start the install, select Server Manager from the quick launch bar and then, from the Server Manager home screen, select the option Add roles and features. In the Add Roles and Features wizard, the install will be performed on the local server, so the default options can be used for the first few screens. On the Select server roles screen, tick the option Active Directory Federation Services and press Next. Server Manager may prompt you to install additional features. If this window appears, press the button Add Features. On the Select features screen, no additional features are required, so it is safe to press Next and move on. The next few screens of the wizard relate to the install of Active Directory Federation Services. Once past the Active Directory Federation Services welcome screen, the next screen asks which components need to be installed. In this case the component Federation Service needs to be ticked. The other components are not required for a base install of Active Directory Federation Services. The next screen relates to the install of IIS, since this is required by Active Directory Federation Services. The default options work fine, so the wizard can be completed. The Active Directory Federation Services role is now installed and ready to be configured.
Demonstration Configuring Active Directory Federation Services
To configure Active Directory Federation Services, from Server Manager select the exclamation mark under the flag icon at the top right of the screen and then select the option Run the AD FS Management snap-in. This will open the AD FS Management tool; however, nothing can be configured in it until AD FS itself has been configured. To finish the configuration, select the option AD FS Federation Server Configuration Wizard. The first screen of the wizard will ask if you want to create a new Federation Service. If you already have a Federation Service on the network, this install can be added to it to form a farm. In this case no existing Federation Service exists on the network, so the option Create a new Federation Service will be used. The next screen will ask whether a new federation server farm or a stand-alone federation server is to be created. Both options give the same functionality; however, if you select the stand-alone option you will not be able to add additional servers to form a farm later on. If you are not sure, select the option New federation server farm, as this keeps that option open later on. You are not able to change your mind after the install. The next screen will ask for a certificate. If no certificate is showing, you can follow the procedure for creating one with an Enterprise CA below, or, in a later video, the procedure for creating a certificate using a standalone CA. If a certificate has been created but is not showing, it has most likely been created using the wrong settings. The next screen will ask for the service account that will be used with Active Directory Federation Services. If you do not have a service account already created, you can use the procedure below to create one. Enter the name of the service account and its password. The service account will require administrator rights on the local server.
To do this, open the Tools menu and select the option Computer Management. From Computer Management, expand down to Local Users and Groups and then open Groups. With the Groups container open, right click the Administrators group and select the option Add to Group. To add the service account, press the Add button and then enter the name of the service account that you are using with Active Directory Federation Services. Exit Computer Management and go back to the Federation Service configuration wizard. The wizard can now be completed and Active Directory Federation Services will be configured. On the final screen of the wizard, you may receive a warning message about the server settings. If the warning says that the SPN for the user account has already been set, this means the configuration attempted to configure this setting but was not able to.
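The wizard's certificate page only lists certificates that meet its requirements, and its final screen can warn about the SPN. The following PowerShell is an added example, not from the video, that checks those prerequisites without the GUI; the federation service name and the account name with its domain are placeholders.

```powershell
# Added example, not from the video: check the prerequisites the
# AD FS Federation Server Configuration Wizard relies on, from PowerShell.
# The federation service name and the account below are placeholders.
$FederationServiceName = 'fs.example.com'            # placeholder
$ServiceAccount        = 'EXAMPLE\ADFSService2012'   # placeholder domain

# The wizard only offers certificates from the Local Computer personal store
# that have a private key, are still valid and carry the Server Authentication
# purpose (EKU OID 1.3.6.1.5.5.7.3.1). A certificate enrolled into the user
# store, or from a template without that purpose, will not be listed.
function Get-AdfsCandidateCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ('1.3.6.1.5.5.7.3.1' -in ($_.EnhancedKeyUsageList | ForEach-Object ObjectId))
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# The wizard registers HOST/<federation service name> on the service account.
# The "SPN already set" warning means it could not do so, so check by hand that
# the SPN exists on exactly one account; a duplicate breaks Kerberos logons.
function Test-AdfsSpn {
    param([string]$Name, [string]$Account)
    $spn    = "HOST/$Name"
    $owners = @(setspn.exe -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($owners.Count -ne 1) {
        Write-Warning "$spn is registered on $($owners.Count) accounts, expected 1"
    } else {
        Write-Output "$spn is registered on $($owners[0])"
    }
    setspn.exe -L $Account    # every SPN currently held by the service account
}

# The service account must be a member of the local Administrators group.
function Test-LocalAdminMembership {
    param([string]$Account)
    $members = net.exe localgroup Administrators
    return [bool]($members -contains $Account)
}

Get-AdfsCandidateCertificate | Format-Table -AutoSize
Test-AdfsSpn -Name $FederationServiceName -Account $ServiceAccount
Test-LocalAdminMembership -Account $ServiceAccount
```

Run it in an elevated PowerShell on the federation server; an empty table from the first function is the usual reason the wizard shows no certificate.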
Demonstration creating a certificate for Federation Services
To create a certificate using an enterprise CA on the network, move the mouse to the top left or right of the screen to open the charms bar. Select the search option and then enter MMC. MMC is required because there is no shortcut in the start menu. From MMC, select the File menu, select the option Add/Remove Snap-in, then from the list select the option Certificates and press Add. When the Certificates snap-in is added, Windows will ask which certificates are to be managed. In this case the option Computer account was selected, as the certificate required for Federation Services needs to be stored on the local computer. The next screen will ask which computer you want to manage certificates on. In this case certificates will be managed on the local computer, so the option Local computer (the computer this console is running on) will be selected. Once the Certificates MMC is open, the next step is to request a certificate from the Enterprise CA for use with this server. To do this, the view needs to be changed from the default logical view to the purpose view. To change the view, expand the Certificates snap-in, right click a container, for example the Personal container, and select the options found under View. Once the view has changed to the purpose view, right click the container Server Authentication and then select the option Request New Certificate found under the All Tasks menu. This will start the Certificate Enrollment wizard. Once past the welcome screen, leave it on the option Active Directory Enrollment Policy and move on. The certificate template that will be used was created in a previous video. If you have not done that already, you will need to do so before requesting a certificate. The next screen will show the certificate templates that can be requested by auto-enrollment. In this case ADFS SSL Certificate 2012 was chosen, as this was created in an earlier video.
Once the certificate has been selected, press the button Enroll. Once the wizard has been completed, the certificate will be requested from the Enterprise CA and stored in the local computer store. It will automatically be renewed using auto-enrollment as required.
Demonstration creating a service account
Go to a computer that has Active Directory Users and Computers available. This can be a Domain Controller or a client computer like Windows 8.1 with RSAT installed. Open Server Manager from the quick launch bar. From Server Manager, select the Tools pull-down menu and select the option Active Directory Users and Computers. From Active Directory Users and Computers, expand down to the Users container, right click the Users container and select User under the New menu. In this case ADFS was used for the first name and service for the last name. The logon name was ADFSService2012. You are free to choose any name that you want.
On the next screen a password was entered and the only tick box ticked is Password never expires. If the password were to expire, the Active Directory Federation Service would stop running. Generally on systems like these the administrator will need to remember to change the password manually. The wizard can now be completed to create the service account.
See http://youtube.com/itfreetraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References: None
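The service account above is created with Password never expires, which also means nothing in the domain forces the manual rotation the video mentions. This added PowerShell example, not from the video, creates the same account from the ActiveDirectory module and then audits every non-expiring account for a password older than a chosen age; the UPN domain suffix is a placeholder.

```powershell
# Added example, not from the video. Requires the ActiveDirectory module
# (installed with RSAT or on a Domain Controller).
Import-Module ActiveDirectory

# Same values as the video: first name ADFS, last name service, logon name
# ADFSService2012. Only the UPN domain suffix is a placeholder.
$Password = Read-Host -Prompt 'Service account password' -AsSecureString
$params = @{
    Name                 = 'ADFS service'
    GivenName            = 'ADFS'
    Surname              = 'service'
    SamAccountName       = 'ADFSService2012'
    UserPrincipalName    = 'ADFSService2012@example.com'   # placeholder domain
    AccountPassword      = $Password
    PasswordNeverExpires = $true     # the one tick box set in the video
    Enabled              = $true
}
New-ADUser @params

# With PasswordNeverExpires set, the domain policy will never prompt a change,
# so list every enabled account in that state whose password is older than
# $MaxAgeDays. Accounts with no PasswordLastSet value are reported as -1.
function Get-StaleNonExpiringPassword {
    param([int]$MaxAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordLastSet |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'AgeDays'; e = {
                if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
                else { -1 } } }
}

Get-StaleNonExpiringPassword -MaxAgeDays 365 | Format-Table -AutoSize
```

Any account the audit returns needs its password changed in Active Directory and then updated on the AD FS service, since the service stops when the two no longer match.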