Configuring a federation server
A federation server facilitates SSO across trust realms, and setting one up with AD FS 2.0 takes a good deal of planning. In this recipe, we will explore the steps to set up a federation server using AD FS 2.0.
Following are the prerequisites for configuring a federation server:
- Windows Server 2008/2008 R2 Enterprise on a 2-GHz or higher machine with 2 GB of RAM and 10 GB of hard disk space
- Web Server Internet Information Services (IIS)
- Windows PowerShell
- Microsoft .NET Framework 3.5
- Windows Identity Foundation
The AD FS 2.0 installation package (AdfsSetup.exe) can be downloaded from http://go.microsoft.com/fwlink/?linkid=151338. The setup wizard will automatically attempt to check and install the necessary prerequisites.
Note
Select the appropriate installer based on the version of the operating system and the system architecture (32 bit/64 bit).
To configure a federation server, perform the following steps:
- Double-click on the AdfsSetup.exe file to launch the Active Directory Federation Services 2.0 Setup Wizard:
Note
You must be logged in with administrative privileges to be able to install AD FS.
- Click on Next on the Welcome to the AD FS 2.0 Setup Wizard page and accept the terms on the End-User License Agreement page by selecting I accept the terms in the License Agreement, as shown in the following screenshot:
- In the Server Role step, select the Federation server option and click on Next, as shown in the following screenshot:
- In the next step, the installer will check for the necessary prerequisites and will attempt to install any missing software required for AD FS to operate. Verify and click on Next, as shown in the following screenshot:
- Click on Finish once the installation is complete and the Completed the AD FS 2.0 Setup Wizard dialog box is displayed, as shown in the following screenshot:
Note
Make sure that you have checked the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox to launch the AD FS 2.0 management console. Alternatively, the AD FS 2.0 Management snap-in can also be launched from Start | Administrative Tools.
The AD FS 2.0 management console is displayed, but before we can configure a federation server, we need to configure an SSL certificate in IIS to secure the federation server site URL and expose it over HTTPS.
- Open the IIS Manager console, and double-click on the Server Certificates icon, as shown in the following screenshot:
Note
The AD FS 2.0 installer automatically installs the Web Server role if it is not already configured. The related services are deployed under Default Web Site.
- Click on the Create Self-Signed Certificate… link under the Actions pane on the Server Certificates page, as shown in the following screenshot:
- Specify a friendly name (adfsweb.domain.com in our example) for the server certificate in the Specify a friendly name for the certificate field in the Create Self-Signed Certificate window, as shown in the following screenshot:
- Clicking on OK generates the self-signed certificate, which is then listed on the Server Certificates page, as shown in the following screenshot:
Note
Make sure to import the generated certificate to the Trusted Root Certification Authorities folder under the Local Computer store.
- In the IIS management console, select Default Web Site and click on the Bindings link under the Actions pane, as shown in the following screenshot:
- In the Site Bindings dialog box, click on Add… to create a new binding. In the Add Site Binding dialog box, select Type as https, and select the adfsweb.domain.com certificate from the SSL certificate drop-down menu, as shown in the following screenshot:
- In addition, edit the http type in the Site Bindings dialog box to specify the Host Name as adfsweb.domain.com. The final settings should look like the following screenshot:
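The certificate and binding steps above can also be scripted. The following is an added example, not code from the recipe, that uses the WebAdministration module shipped with IIS 7.5 on Windows Server 2008 R2. It assumes the self-signed certificate was already created in IIS Manager with the friendly name adfsweb.domain.com (as in the recipe), that the site is Default Web Site, and that the script runs in an elevated PowerShell session on the federation server.

```powershell
# Added example: automate the IIS certificate trust and site binding steps of the recipe.
# Assumes: certificate with friendly name 'adfsweb.domain.com' already exists in
# LocalMachine\My (created via IIS Manager), site is 'Default Web Site', elevated session.
Import-Module WebAdministration

$hostName = 'adfsweb.domain.com'   # certificate friendly name and site host name used in the recipe
$siteName = 'Default Web Site'

# 1. Locate the certificate in the Local Computer\Personal store by its friendly name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $hostName } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$hostName' found in LocalMachine\My" }

# 2. Trust it locally (the recipe's note: import into Trusted Root Certification
#    Authorities under Local Computer). Only the public part is copied; the private
#    key stays in the Personal store.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$cert.RawData)
$root   = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
if (-not ($root.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    $root.Add($public)
}
$root.Close()

# 3. Add the https binding on port 443 and attach the certificate to it
#    (the Add Site Binding dialog in the recipe).
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (-not (Test-Path IIS:\SslBindings\0.0.0.0!443)) {
    $cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null
}

# 4. Give the existing http binding the host name, as the recipe does by editing it.
Set-WebBinding -Name $siteName -BindingInformation '*:80:' -PropertyName HostHeader -Value $hostName

# 5. Show the result; this is what the Site Bindings dialog should now list.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
```

Run it once after creating the certificate; each step checks whether the binding or trust entry already exists, so re-running it on a partially configured server is harmless.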
- Now, we are ready to configure the federation server. In the AD FS 2.0 management console, click on the AD FS 2.0 Federation Server Configuration Wizard link to launch the configuration wizard, as shown in the following screenshot:
- In the AD FS 2.0 Federation Server Configuration Wizard window, select Create a new Federation Service in the Welcome step, and click on Next, as shown in the following screenshot:
- In the Select Deployment Type step, select Stand-alone federation server and click on Next, as shown in the following screenshot:
- In the Federation Service Name step, click on Next. The wizard will automatically determine the Federation Service name from the Subject field of the SSL certificate (adfsweb.domain.com), as shown in the following screenshot:
- Click on Next in the Existing Database and Summary steps.
- The configuration results will be displayed in the Results step. Click on Close to close the wizard after a successful configuration, as shown in the following screenshot:
If you are redeploying AD FS 2.0, the installer detects an existing browser sign-in website and skips the deployment step. Use the following command to delete the website before redeploying AD FS 2.0:
After a successful installation, the configuration wizard is used to configure a stand-alone federation server. Note that by default, NETWORK SERVICE is assigned as the service account for the Federation Service, which is not ideal in production scenarios. In real-world deployments a federation server farm should be used; however, if a stand-alone federation server is indeed the choice, the service account should be set to an appropriate account.
To verify the successful functioning of the Federation Service, go to the https://adfsweb.domain.com/adfs/fs/federationserverservice.asmx URL. If the page appears correctly, the federation server is operational.
Alternatively, you can check the event log to confirm whether the federation server is operational (look for Event ID 100).
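The three checks described in this recipe (the federationserverservice.asmx URL, Event ID 100, and the service account warning above) can be combined into one post-configuration script. The following is an added example, not code from the recipe; it assumes the AD FS 2.0 admin event log is named 'AD FS 2.0/Admin' and that the AD FS 2.0 Windows service is registered as 'adfssrv', which are the names on a default AD FS 2.0 installation; adjust them if yours differ. The same URL check also serves the verification step of the AD FS Role section at the end of this recipe.

```powershell
# Added example: post-configuration health check for the stand-alone federation server.
# Assumptions: admin log name 'AD FS 2.0/Admin' and service name 'adfssrv' (defaults
# on AD FS 2.0); the federation service name is adfsweb.domain.com as in the recipe.
$fsName = 'adfsweb.domain.com'
$url    = "https://$fsName/adfs/fs/federationserverservice.asmx"

function Test-FederationServiceUrl {
    param([string]$Uri)
    # Certificate validation is deliberately left on: the recipe imports the self-signed
    # certificate into Trusted Root, so a trust failure here means that step was missed.
    try {
        $request = [System.Net.WebRequest]::Create($Uri)
        $request.UseDefaultCredentials = $true   # send the current Windows identity if the directory requires it
        $response = $request.GetResponse()
        $ok = ([int]$response.StatusCode -eq 200)
        $response.Close()
        return $ok
    } catch [System.Net.WebException] {
        Write-Warning "Request to $Uri failed: $($_.Exception.Message)"
        return $false
    }
}

function Test-FederationServiceStarted {
    # Event ID 100 in the AD FS 2.0 admin log records a successful service start (recipe text).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 100 } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    return ($events -ne $null)
}

function Get-FederationServiceAccount {
    # The recipe notes that NETWORK SERVICE is the default and should be changed in production.
    $svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
    if ($svc) { return $svc.StartName } else { return $null }
}

$urlOk   = Test-FederationServiceUrl $url
$started = Test-FederationServiceStarted
$account = Get-FederationServiceAccount

"Endpoint reachable over HTTPS : $urlOk"
"Event ID 100 logged           : $started"
"Service account               : $account"
if ($account -eq 'NT AUTHORITY\NetworkService') {
    Write-Warning 'Federation Service runs as NETWORK SERVICE; use a dedicated service account in production.'
}
```

Run it from an elevated session on the federation server itself. A false URL result together with a true Event ID 100 result usually points at the IIS binding or the certificate trust rather than at AD FS.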
SQL Server as a configuration database
The federation server configuration can be stored either in Windows Internal Database or Microsoft SQL Server. The Federation Server Configuration Wizard does not provide an option to use SQL Server as the configuration database. This can be configured via the command prompt. The AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server TechNet article at http://social.technet.microsoft.com/wiki/contents/articles/948.aspx by Nick Pierson and Brian Desmond provides a detailed insight into the steps for migrating the configuration database from Windows Internal Database to SQL Server.
AD FS Role in Windows Server
If you are using Windows Server 2003 R2 or Windows Server 2008/2008 R2/2008 R2 SP1/SP2 to create a federation server, Federation Services can be configured using the Server Manager console. Perform the following steps to achieve this:
Note
AD FS Role has limited capabilities as compared to AD FS 2.0. For example, support for SAML 2.0 specifications is available only in AD FS 2.0.
- Right-click on the Roles node and click on Add Roles. In the Add Roles Wizard window, select Active Directory Federation Services under the Select Server Roles section and click on Next, as shown in the following screenshot:
- Select Federation Service and AD FS Web Agents under the Select Role Services section and click on Next, as shown in the following screenshot:
- Select Create a self-signed certificate for SSL encryption in the Server Authentication Certificate and the Token-Signing Certificate steps and click on Next, as shown in the following screenshot:
- Specify the federation server name as adfsweb.domain.com in the Federation Server field under the Specify Federation Server section and click on Next, as shown in the following screenshot:
- Select Create a new trust policy under the Select Trust Policy section and click on Next, as shown in the following screenshot:
- Complete the wizard to provision the AD FS Role and go to the https://adfsweb.domain.com/adfs/fs/federationserverservice.asmx URL to verify that the service is up and running, as shown in the following screenshot: