Configuring a federation server

A federation server provides SSO across trust realms, and setting one up with AD FS 2.0 takes a fair amount of planning. In this recipe, we will explore the steps to set up a federation server using AD FS 2.0.

Getting ready

Following are the prerequisites for configuring a federation server:

  • Windows Server 2008/2008 R2 Enterprise on a 2-GHz or higher machine with 2 GB of RAM and 10 GB of hard disk space
  • Web Server Internet Information Services (IIS)
  • Windows PowerShell
  • Microsoft .NET Framework 3.5
  • Windows Identity Foundation

The AD FS 2.0 installation package (AdfsSetup.exe) can be downloaded from http://go.microsoft.com/fwlink/?linkid=151338. The setup wizard will automatically attempt to check and install the necessary prerequisites.

Note

Select the appropriate installer based on the version of the operating system and the system architecture (32 bit/64 bit).

How to do it...

To configure a federation server, perform the following steps:

  1. Double-click on the AdfsSetup.exe file to launch the Active Directory Federation Services 2.0 Setup Wizard:

    Note

    You must be logged in with administrative privileges to be able to install AD FS.

  2. Click on Next on the Welcome to the AD FS 2.0 Setup Wizard page and accept the terms on the End-User License Agreement page by selecting I accept the terms in the License Agreement, as shown in the following screenshot:
  3. In the Server Role step, select the Federation server option and click on Next, as shown in the following screenshot:
  4. In the next step, the installer checks for the necessary prerequisites and attempts to install any missing software required for AD FS to operate. Verify the results and click on Next, as shown in the following screenshot:
  5. Click on Finish once the installation is complete and the Completed the AD FS 2.0 Setup Wizard dialog box is displayed, as shown in the following screenshot:

Note

Make sure that you have checked the Start the AD FS 2.0 Management snap-in when this wizard closes checkbox to launch the AD FS 2.0 management console. Alternatively, the AD FS 2.0 Management snap-in can also be launched from Start | Administrative Tools.

The AD FS 2.0 management console is displayed, but before we can configure a federation server, we need to configure an SSL certificate in IIS to secure the federation server site URL and expose it over HTTPS.

  1. Open the IIS Manager console, and double-click on the Server Certificates icon, as shown in the following screenshot:

    Note

    The AD FS 2.0 installer automatically installs the Web Server role if it is not already configured. The related services are deployed under Default Web Site.

  2. Click on the Create Self-Signed Certificate… link under the Actions pane on the Server Certificates page, as shown in the following screenshot:
  3. Specify a friendly name (adfsweb.domain.com in our example) for the server certificate in the Specify a friendly name for the certificate field in the Create Self-Signed Certificate window, as shown in the following screenshot:
  4. Click on OK to generate the self-signed certificate; it is then listed on the Server Certificates page, as shown in the following screenshot:

    Note

    Make sure to import the generated certificate into the Trusted Root Certification Authorities folder under the Local Computer store.

  5. In the IIS management console, select Default Web Site and click on the Bindings link under the Actions pane, as shown in the following screenshot:
  6. In the Site Bindings dialog box, click on Add… to create a new binding. In the Add Site Binding dialog box, select https as the Type, and select the adfsweb.domain.com certificate from the SSL certificate drop-down menu, as shown in the following screenshot:
    • In addition, edit the http binding in the Site Bindings dialog box to specify the Host Name as adfsweb.domain.com. The final settings should look like the following screenshot:
  7. Now, we are ready to configure the federation server. In the AD FS 2.0 management console, click on the AD FS 2.0 Federation Server Configuration Wizard link to launch the configuration wizard, as shown in the following screenshot:
  8. In the AD FS 2.0 Federation Server Configuration Wizard window, select Create a new Federation Service in the Welcome step, and click on Next, as shown in the following screenshot:
  9. In the Select Deployment Type step, select Stand-alone federation server and click on Next, as shown in the following screenshot:
  10. In the Federation Service Name step, click on Next. The wizard automatically determines the Federation Service name from the Subject field of the SSL certificate (adfsweb.domain.com), as shown in the following screenshot:
    • Click on Next in the Existing Database and Summary steps.
  11. The configuration results are displayed in the Results step. Click on Close to close the wizard after a successful configuration, as shown in the following screenshot:
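The IIS part of the procedure (steps 1 to 6 above) can also be scripted. The following PowerShell is an added example for this recipe, not code from the book, and uses only the tools available on Windows Server 2008 R2 (PowerShell 2.0, appcmd.exe, netsh and the .NET certificate store classes) rather than newer cmdlets. It assumes the self-signed certificate has already been created in IIS Manager as in steps 2 to 4 with the friendly name adfsweb.domain.com, that the site is Default Web Site, and that the application ID IIS uses for SSL bindings is the standard one shown.

```powershell
# Added example, not from the book: scripts IIS steps 1 to 6 of this recipe on
# Windows Server 2008 R2 (PowerShell 2.0) using appcmd.exe, netsh and the .NET
# certificate store classes. Assumes the self-signed certificate already exists in
# the machine Personal store with the friendly name below (steps 2 to 4).
$friendlyName = 'adfsweb.domain.com'    # friendly name entered in step 3
$hostName     = 'adfsweb.domain.com'    # host name for the http and https bindings
$siteName     = 'Default Web Site'
$appcmd       = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$iisAppId     = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # application ID IIS registers its SSL bindings under

# Locate the certificate by friendly name in the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Select-Object -First 1
if ($cert -eq $null) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

# Step 10 of the wizard derives the Federation Service name from the certificate
# Subject, so make sure the subject actually carries the host name.
if ($cert.Subject -notlike "*CN=$hostName*") {
    Write-Warning "Certificate subject '$($cert.Subject)' does not contain CN=$hostName; the configuration wizard will derive a different Federation Service name."
}

# Note after step 4: copy the certificate into Trusted Root Certification Authorities.
# This is acceptable for a lab; a production federation server should use a
# certificate issued by a CA that clients already trust.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
if (-not $root.Certificates.Contains($cert)) { $root.Add($cert) }
$root.Close()

# Steps 5 and 6: replace the site's binding list with an http binding pinned to the
# host name plus an https binding on 443, then attach the certificate to port 443.
& $appcmd set site "/site.name:$siteName" "/bindings:http/*:80:$hostName,https/*:443:"
& netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null   # harmless if nothing was bound yet
& netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$iisAppId"

# Show the result for comparison with the final Site Bindings screenshot.
& $appcmd list site "$siteName"
& netsh http show sslcert ipport=0.0.0.0:443
```

Run it from an elevated PowerShell prompt on the federation server. The /bindings: form replaces the whole binding list, so re-running the script is safe; the subject check matters because a friendly name that differs from the certificate's CN does not change what the configuration wizard reads in step 10.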

If you are redeploying AD FS 2.0, the installer detects an existing browser sign-in website and skips the deployment step. Use the following command to delete the website before redeploying AD FS 2.0:

appcmd delete site "Default Web Site/adfs/ls"

How it works...

After a successful installation, the configuration wizard is used to configure a stand-alone federation server. Note that by default, NETWORK SERVICE is assigned as the service account for the Federation Service, which is not ideal in production scenarios. In production, a federation server farm should be used; however, if a stand-alone federation server is indeed the choice, the service account should be changed to an appropriate dedicated account.

There's more...

To verify the successful functioning of Federation Service, go to the https://adfsweb.domain.com/adfs/fs/federationserverservice.asmx URL. If the page appears correctly, the federation server is operational.

Alternatively, you can check the event log to confirm whether the federation server is operational (look for Event ID 100).
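The checks described here, together with the service account point from the How it works... section, can be run from PowerShell. This is an added example, not from the book; it assumes the AD FS 2.0 service name adfssrv, the AD FS 2.0/Admin event log name used by that product version, and the adfsweb.domain.com host name from the recipe.

```powershell
# Added example, not from the book: post-configuration checks for a stand-alone
# AD FS 2.0 federation server. Assumes the adfssrv service name and the
# 'AD FS 2.0/Admin' log name of AD FS 2.0, and the recipe's host name.
$fsHost = 'adfsweb.domain.com'

# 1. The AD FS 2.0 Windows service must be running.
$svc = Get-Service -Name adfssrv
"Service state: $($svc.Status)"

# 2. Which account runs it? The wizard leaves NETWORK SERVICE in place, which the
#    recipe flags as unsuitable for production.
$account = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
if ($account -match 'NetworkService') {
    Write-Warning "adfssrv runs as $account; switch it to a dedicated service account before production use."
} else {
    "Service account: $account"
}

# 3. The Federation Service endpoint must answer over HTTPS. This succeeds only if
#    the SSL certificate chains to a trusted root on this machine and its subject
#    matches $fsHost; a failure here usually points back to the certificate steps.
$url = "https://$fsHost/adfs/fs/federationserverservice.asmx"
try {
    $resp = [System.Net.WebRequest]::Create($url).GetResponse()
    "Endpoint $url returned HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch {
    Write-Warning "Endpoint check failed: $($_.Exception.Message)"
}

# 4. Event ID 100 in the AD FS 2.0 admin log records a successful service start.
$started = Get-WinEvent -LogName 'AD FS 2.0/Admin' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 100 } |
    Select-Object TimeCreated, Id, Message -First 1
if ($started -eq $null) {
    Write-Warning 'No Event ID 100 found; the Federation Service has not reported a successful start.'
} else {
    $started
}
```

Run it elevated so the event log and service queries succeed. The endpoint check deliberately does not bypass certificate validation: if it fails with a trust error, that is the same error browsers and relying parties will see, and the fix is the certificate, not the check.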

SQL Server as a configuration database

The federation server configuration can be stored either in Windows Internal Database or Microsoft SQL Server. The Federation Server Configuration Wizard does not provide an option to use SQL Server as the configuration database. This can be configured via the command prompt. The AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server TechNet article at http://social.technet.microsoft.com/wiki/contents/articles/948.aspx by Nick Pierson and Brian Desmond provides a detailed insight into the steps for migrating the configuration database from Windows Internal Database to SQL Server.

AD FS Role in Windows Server

If you are using Windows Server 2003 R2 or Windows Server 2008/2008 R2/2008 R2 SP1/SP2 to create a federation server, Federation Services can be configured using the Server Manager console. Perform the following steps to achieve this:

Note

AD FS Role has limited capabilities as compared to AD FS 2.0. For example, support for SAML 2.0 specifications is available only in AD FS 2.0.

  1. Right-click on the Roles node and click on Add Roles. In the Add Roles Wizard window, select Active Directory Federation Services under the Select Server Roles section and click on Next, as shown in the following screenshot:
  2. Select Federation Service and AD FS Web Agents under the Select Role Services section and click on Next, as shown in the following screenshot:
  3. Select Create a self-signed certificate for SSL encryption in the Server Authentication Certificate and the Token-Signing Certificate steps and click on Next, as shown in the following screenshot:
  4. Specify the federation server name as adfsweb.domain.com in the Federation Server field under the Specify Federation Server section and click on Next, as shown in the following screenshot:
  5. Select Create a new trust policy under the Select Trust Policy section and click on Next, as shown in the following screenshot:
  6. Complete the wizard to provision the AD FS Role and go to the https://adfsweb.domain.com/adfs/fs/federationserverservice.asmx URL to verify that the service is up and running, as shown in the following screenshot:

    Note

    You may well be using AD FS 1.x for backward compatibility. The AD FS 2.0 and AD FS 1.x Interoperability article at http://blogs.technet.com/b/askds/archive/2010/05/25/ad-fs-2-0-and-ad-fs-1-x-interoperability.aspx by the Directory Services Team provides additional details on interoperability between AD FS 2.0 and AD FS 1.x.
