Virtual Geek

Tales from real IT system administrators world and non-production environment

Install and Configure Active Directory Federation Service (ADFS)

In this article I will configure ADFS (Active Directory Federation Services). One requirement for the ADFS configuration is a PFX SSL certificate (a certificate file that includes the private key), so I will create that SSL certificate first. The articles below, written earlier, cover the CA server configuration this depends on.

Note: Plan and design your ADFS deployment carefully; here I am using it just for lab purposes.

Part 1: Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy
Part 2: Configuring Secure LDAPs on Domain Controller
    ldp.exe LDAPS Cannot open connection Error 81
Part 3: Install and Configure Active Directory Federation Service (ADFS)

I have logged on to the ADFS server, where I am planning to install Federation Services. Search for and open mmc.exe. From the File menu click Add/Remove Snap-in, select Certificates from the Available snap-ins and click Add.

On the Certificates snap-in choose Computer account and click Next, keep the default Local computer (the computer this console is running on) and click Finish. You will see the Certificates snap-in added under Selected snap-ins under Console Root. Press OK.

Expand Certificates (Local Computer), right-click the Personal certificate store and from the context menu choose All Tasks >> Request New Certificate. This starts the Certificate Enrollment wizard; click Next on Before You Begin and on Select Certificate Enrollment Policy (keep all the defaults).

On Request Certificates, under Active Directory Enrollment Policy tick the checkbox for Computer and click the Properties button (do not click Enroll yet).

On Certificate Properties >> General tab, give a friendly name and optionally a Description. Go to the Subject tab and provide the subject information as in the table below.

Subject Type Name  | Subject Value example          | Result Short Name example
Common name        | adfs.vcloud-lab.com (HostName) | CN=adfs001.vcloud-lab.com
Organization       | vcloud-lab.com (Company name)  | O=vcloud-lab.com
Organization Unit  | Architect (Department)         | OU=Architect
Locality           | Boston (City)                  | L=Boston
State              | Massachusetts                  | S=MH
Country            | IN (Must be only 2 letters)    | C=IN

Once all the required subject names are added, jump to the Private Key tab, expand Cryptographic Service Provider, unselect Microsoft Strong Cryptographic Provider (Signature) and tick the box for Microsoft RSA SChannel Cryptographic Provider (Encryption).

Under Key options, the key size should be at least 2048; tick Make private key exportable and Strong private key protection.

Next, on the Extensions tab under Extended Key Usage (application policies), make sure Server Authentication and Client Authentication are added to Selected options. Go back to the Subject tab and, under Alternative name, add the DNS name (FQDN) and IP address of the ADFS server, then click OK.

On the Certificate Enrollment click Enroll to proceed.

It starts enrolling the new certificate. Click OK on the CryptoAPI Private Key prompt. The status changes to Succeeded; click Finish at the end.

The new ADFS server certificate will be listed under the Local Computer Personal certificate store. It needs to be exported to a PFX SSL certificate file (which includes the private key) using the PowerShell commands below (run as administrator).

# Create the export folder if it does not exist yet
if (!(Test-Path C:\Certs)) {New-Item -Path C:\ -Name Certs -ItemType Directory}

# List the certificates in the local machine Personal store to find the thumbprint of the ADFS certificate
Get-ChildItem Cert:\LocalMachine\My\ | Select-Object ThumbPrint, Subject, NotAfter, EnhancedKeyUsageList

#Change the password and thumbprint accordingly
$password = ConvertTo-SecureString -String '123456' -Force -AsPlainText
# Export to the C:\Certs folder created above; the PFX contains the private key
Get-ChildItem -Path Cert:\LocalMachine\My\68F3DAF0330A1B7C7C3901A5C7CF6090831076DF | Export-PfxCertificate -FilePath C:\Certs\adfs001.pfx -Password $password

This exported certificate will be required when configuring ADFS server.
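As an added example (not from the original article), the script below does the same export but selects the certificate by subject name instead of a pasted thumbprint, verifies the enrollment settings chosen above before exporting (2048-bit RSA key, Server and Client Authentication EKUs, SAN containing the FQDN), prompts for the PFX password rather than embedding it in the script, and restricts the resulting file to Administrators and SYSTEM because it carries the ADFS private key. The FQDN adfs001.vcloud-lab.com and the folder C:\Certs are taken from the article; the variable names and the checks are assumptions to adapt for your own lab.

```powershell
# Added example, not part of the original article. Locates the ADFS certificate by
# subject, verifies the enrollment settings described above, then exports it to PFX.
# Assumed values: $Fqdn and $ExportDir follow the article; change them for your lab.
$Fqdn          = 'adfs001.vcloud-lab.com'
$ExportDir     = 'C:\Certs'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Extended Key Usage: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Extended Key Usage: Client Authentication
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

if (-not (Test-Path $ExportDir)) {
    New-Item -Path $ExportDir -ItemType Directory | Out-Null
}

# Newest unexpired certificate for the ADFS host name that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$Fqdn in Cert:\LocalMachine\My" }

# Checks corresponding to the Private Key, Extensions and Subject tabs of the wizard.
$rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = if ($rsa) { $rsa.KeySize } else { 0 }
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

$problems = @()
if ($keySize -lt 2048)                         { $problems += "RSA key size $keySize is below 2048" }
if ($ekuOids -notcontains $ServerAuthOid)      { $problems += 'Server Authentication EKU is missing' }
if ($ekuOids -notcontains $ClientAuthOid)      { $problems += 'Client Authentication EKU is missing' }
if ($sanText -notmatch [regex]::Escape($Fqdn)) { $problems += "SAN does not contain DNS name $Fqdn" }
if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is not suitable for ADFS: $($problems -join '; ')"
}
Write-Host "Using $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Prompt for the PFX password so it is not stored in the script or the console history.
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
$pfxPath  = Join-Path $ExportDir "$Fqdn.pfx"
$cert | Export-PfxCertificate -FilePath $pfxPath -Password $password | Out-Null

# The PFX carries the ADFS private key: replace inherited ACLs with Administrators and SYSTEM only.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')))
}
Set-Acl -Path $pfxPath -AclObject $acl
Write-Host "Exported to $pfxPath"
```

Because Strong private key protection was ticked during enrollment, Windows shows its own confirmation dialog when the key is exported; the script waits for it. Delete the PFX from the ADFS server once the farm is configured, since ADFS keeps the certificate in the machine store and the file is only needed for the import step.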

Open Server Manager and click Add roles and features from the Manage menu. On Server Roles choose Active Directory Federation Services. AD FS provides simplified identity federation and Web single sign-on (SSO) capabilities; it includes a Federation Service that enables browser-based Web SSO. Click Install on the Confirmation page (keep all other options at their defaults).

Alternatively, you can install the AD FS role with the PowerShell cmdlet below.

Install-WindowsFeature ADFS-Federation -IncludeAllSubFeature -IncludeManagementTools

Once the role installation has succeeded, on the results page click the Configure the federation service on this server link. This starts the AD FS configuration wizard. On the Welcome page, as this is the first server, keep Create the first federation server in a federation server farm selected and press Next.

Before you begin the configuration you must have the following (these prerequisites are already fulfilled here):

  • An Active Directory domain administrator Account
  • A publicly trusted certificate for SSL server authentication.

Next, on Connect to AD DS (Active Directory Domain Services), specify an account with Active Directory domain administrator permissions to perform the federation service configuration.

On the Specify Service Properties page, click Import, select the PFX file and provide the certificate password set earlier. The wizard collects the required information from the certificate. Provide a Federation Service Display Name; users will see this name on the sign-in page.

Under the Specify Service Account step use an existing domain user account or a group Managed Service Account: select or add the account and password, click OK, then Next. On Specify Configuration Database, I am keeping the option Create a database on this server using Windows Internal Database for this simple lab setup. (For production, a SQL Server database is preferred.)

On Review Options check the settings configured (if something is wrong, click Previous to go back and change it). The same configuration can also be done using PowerShell with the commands below.

# Prompt for the credential of the federation service account used by -ServiceAccountCredential
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

# Thumbprint, names and account as shown on the Review Options page
Install-AdfsFarm `
-CertificateThumbprint:"68F3DAF0330A1B7C7C3901A5C7CF60908E1076DF" `
-FederationServiceDisplayName:"vcloud-lab.com" `
-FederationServiceName:"adfs001.vcloud-lab.com" `
-ServiceAccountCredential:$serviceAccountCredential

After reviewing the ADFS configuration options, the wizard runs through the prerequisite checks; if all checks pass, click Configure to begin the installation. Once the server is successfully configured, restart it. You might see the warnings below in the operation results, which you can ignore.

  • The SSL certificate subject alternative names do not support host name 'certauth.adfs001.vcloud-lab.com'. Configuring certificate authentication binding on port '49443' and hostname 'adfs001.vcloud-lab.com'.
  • An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.
  • The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com.fwlink/?Linkid=311954
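The first two warnings are worth checking rather than only dismissing, since a HOST SPN held by a different account breaks Kerberos sign-in to ADFS, and a missing certauth SAN entry pushes certificate authentication to port 49443. The script below is an added example, not part of the original article: it queries the SPN with setspn and inspects the SAN of the SSL certificate that ADFS actually bound, using Get-AdfsSslCertificate from the ADFS module. The farm name adfs001.vcloud-lab.com is from the article; the service account name svc_adfs is a placeholder, and the script assumes the account object's CN equals its sAMAccountName.

```powershell
# Added example, not part of the original article. Checks the two conditions behind the
# first two warnings above: the HOST SPN for the farm name and the certauth SAN entry.
# Assumed values: the farm FQDN follows the article; $ServiceAccount is a placeholder
# (sAMAccountName, assumed equal to the object's CN). Run on the ADFS server as admin.
$FarmFqdn       = 'adfs001.vcloud-lab.com'
$ServiceAccount = 'svc_adfs'           # placeholder, replace with your ADFS service account
$SanOid         = '2.5.29.17'          # Subject Alternative Name extension

# 1) SPN: Kerberos to ADFS needs HOST/<farm fqdn> on the service account and nowhere else.
#    setspn -Q searches the forest and prints the DN of every account holding the SPN.
$spn    = "HOST/$FarmFqdn"
$owners = @(setspn -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
switch ($owners.Count) {
    0 {
        Write-Warning "$spn is not registered; register it with: setspn -S $spn $ServiceAccount"
    }
    1 {
        if ($owners[0] -like "CN=$ServiceAccount,*") {
            Write-Host "OK: $spn is registered on $($owners[0])"
        } else {
            Write-Warning "$spn is registered on another account ($($owners[0])); move it to $ServiceAccount"
        }
    }
    default {
        Write-Warning "$spn is duplicated on several accounts:`n$($owners -join "`n")"
    }
}

# 2) SAN: certificate authentication on port 443 needs certauth.<farm fqdn> in the SSL
#    certificate; without it ADFS falls back to port 49443, as the first warning says.
#    Get-AdfsSslCertificate reports the binding ADFS configured, so the check uses that
#    certificate rather than whatever happens to be in the store.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $FarmFqdn } | Select-Object -First 1
if (-not $binding) { throw "No ADFS SSL binding found for $FarmFqdn" }
$cert    = Get-Item -Path "Cert:\LocalMachine\My\$($binding.CertificateHash)"
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in $FarmFqdn, "certauth.$FarmFqdn") {
    if ($sanText -match [regex]::Escape($name)) {
        Write-Host "OK: SAN contains $name"
    } else {
        Write-Warning "SAN is missing $name; reissue the certificate with it to clear the warning"
    }
}
```

The third warning, about UPN suffixes, only matters if Workplace Join is used; if it is, the same SAN check applies to enterpriseregistration.<UPN suffix> for each suffix in the forest.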

Once the ADFS deployment is complete, restart the server.

Restart-Computer

Next, open a browser and go to the ADFS URL below.

https://adfs_fqdn/adfs/ls/idpinitiatedsignon

You can find the same ADFS URL with the PowerShell one-liner below; append idpinitiatedsignon to the end of the URL.

Get-AdfsEndpoint | Where-Object {$_.Protocol -eq 'SAML 2.0/WS-Federation'}

You will probably see the error details below.

An error occurred. Contact your administrator for more information. 

Error details
• Activity ID: 63a89cea-f5a9-4dff-1b00-0080000000b0
• Error time: Fri, 24 Apr 2020 09:27:59 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

To resolve the error you need to enable the IdP-initiated sign-on page (EnableIdPInitiatedSignonPage) with the PowerShell commands below.

Get-AdfsProperties | Select-Object HostName, EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Once you refresh the browser you will see Sign in on the web page. You can test Sign in now, but I will do a few more configuration steps next.

If you don't want to use PowerShell for the further configuration, in Server Manager click the Tools menu and select AD FS Management. In AD FS Management expand Service, go to Endpoints and enable Token Issuance for SAML 2.0/WS-Federation.

Next go to Authentication Methods and under Primary Authentication Methods click Edit. (Primary authentication is required for all users trying to access applications that use AD FS for authentication. You can use the options below to configure settings for primary authentication methods.)

On the Primary tab uncheck Intranet >> Windows Authentication and click OK.

Refresh the ADFS URL in the browser and try to sign in. It will show You are signed in; the ADFS configuration is now complete.
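For anyone who prefers to script the last three steps (endpoint, sign-on page, primary authentication) instead of clicking through AD FS Management, the block below is an added example, not code from the original article. It uses only cmdlets from the ADFS module and ends with a read-back so the effective settings are visible in one place; no value in it is specific to the article's lab.

```powershell
# Added example, not part of the original article. Applies the AD FS Management changes
# described above with the ADFS PowerShell module and reads the resulting state back.
# Run on the ADFS server in an elevated session; no value here is specific to the lab.
Import-Module ADFS

# Endpoints: enable token issuance for SAML 2.0/WS-Federation, which is served at /adfs/ls/.
Enable-AdfsEndpoint -TargetAddressPath '/adfs/ls/'

# Sign-on page used for the browser test above. It is disabled by default on AD FS 2016
# and later; set it back to $false after testing if no application relies on it.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# Primary authentication: remove Windows Authentication from the intranet providers so the
# forms page is shown, which is what unticking Intranet >> Windows Authentication does.
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider | Where-Object { $_ -ne 'WindowsAuthentication' })
if ($intranet.Count -eq 0) { $intranet = @('FormsAuthentication') }   # never leave intranet without a provider
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet

# Read back so the effective settings can be checked in one place.
[pscustomobject]@{
    FederationServiceName = (Get-AdfsProperties).HostName
    IdpSignOnPageEnabled  = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
    LsEndpointEnabled     = (Get-AdfsEndpoint -AddressPath '/adfs/ls/').Enabled
    IntranetPrimaryAuth   = ($intranet -join ', ')
    ExtranetPrimaryAuth   = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
}
```

The extranet provider list is printed but left untouched on purpose: the GUI step above only changes the Intranet column, and forms authentication on the extranet side is where lockout and MFA settings apply, so it deserves a separate review rather than a side effect of this script.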
