In this article I will be configuring ADFS (Active Directory Federation Services). One requirement for the ADFS configuration is an SSL certificate in PFX format (it includes the private key), so I will create the SSL certificate first. I have written the few articles below earlier, which help in understanding CA server configuration.
Note: Plan and design your ADFS deployment carefully; here I am using it for lab purposes only.
Part 1: Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy
Part 2: Configuring Secure LDAPs on Domain Controller
ldp.exe LDAPS Cannot open connection Error 81
Part 3: Install and Configure Active Directory Federation Service (ADFS)
I have logged on to the ADFS server, where I am planning to install Federation Services. Search for and open mmc.exe. From the File menu click Add/Remove Snap-in, select Certificates from the Available snap-ins and click Add.
On the Certificates snap-in choose Computer account and click Next, keep the default Local computer (the computer this console is running on) and click Finish. You will see the Certificates snap-in added under Selected snap-ins under Console Root. Press OK.
Expand Certificates (Local Computer), right click the Personal certificate store and from the context menu choose All Tasks >> Request New Certificate. This starts the Certificate Enrollment wizard; click Next on Before You Begin and on Select Certificate Enrollment Policy (keep all the defaults).
On Request Certificates, under Active Directory Enrollment Policy tick the checkbox for Computer and click the Properties button (do not click Enroll yet).
On Certificate Properties >> General tab, give a friendly name and optionally provide a description. Go to the Subject tab and provide the information in the table below.
Subject Type Name | Subject Value example | Result Short Name example
---|---|---
Common name | adfs.vcloud-lab.com (HostName) | CN=adfs001.vcloud-lab.com
Organization | vcloud-lab.com (Company name) | O=vcloud-lab.com
Organization Unit | Architect (Department) | OU=Architect
Locality | Boston (City) | L=Boston
State | Massachusetts | S=MH
Country | IN (Must be only 2 letters) | C=IN
Once all the required subject names are added, jump to the Private Key tab, expand Cryptographic Service Provider, unselect Microsoft Strong Cryptographic Provider (Signature) and tick the box for Microsoft RSA SChannel Cryptographic Provider (Encryption).
Under Key options, the key size should be at least 2048; tick Make private key exportable and Strong private key protection.
Next, on the Extensions tab under Extended Key Usage (application policies), make sure Server Authentication and Client Authentication are added to Selected options. Go back to the Subject tab and under Alternative name add the DNS name (FQDN) and IP address of the ADFS server, then click OK.
On Certificate Enrollment click Enroll to proceed.
It starts enrolling the new certificate. Click OK on the CryptoAPI Private Key prompt. The status changes to Succeeded; click Finish at the end.
The new ADFS server certificate is listed under the Local Computer's Personal certificate store. It needs to be exported to a PFX SSL certificate file using the PowerShell commands below (run as administrator).
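The same certificate can be requested from the command line instead of the MMC wizard. The script below is an added example (not from the original article): it writes a certreq INF file carrying the settings the wizard steps above set (subject from the table, RSA 2048 on the Microsoft RSA SChannel provider, exportable key, Server and Client Authentication EKUs, DNS and IP subject alternative names), submits it to the enterprise CA and then verifies what landed in the machine store. The CA config string, the WebServer template name and the IP address are assumptions for the lab; check the CA name with `certutil -dump` and replace them.

```powershell
# Added example: request the AD FS SSL certificate with certreq instead of the MMC wizard.
# Assumed values: CA config string, template name and the lab IP address (all placeholders).
$Fqdn     = 'adfs001.vcloud-lab.com'
$Ip       = '192.168.34.20'                            # constructed lab address
$CaConfig = 'ca001.vcloud-lab.com\vcloud-lab-CA'       # assumed CAHost\CAName, see: certutil -dump
$Template = 'WebServer'                                # assumed template that allows "supply in request"
$WorkDir  = 'C:\Certs'
if (-not (Test-Path $WorkDir)) { New-Item -Path $WorkDir -ItemType Directory | Out-Null }
$inf = Join-Path $WorkDir 'adfs001.inf'
$req = Join-Path $WorkDir 'adfs001.req'
$cer = Join-Path $WorkDir 'adfs001.cer'

# Single-quoted here-string so "$Windows NT$" is not expanded; placeholders are replaced below
$infText = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__, O=vcloud-lab.com, OU=Architect, L=Boston, S=MH, C=IN"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
FriendlyName = "adfs001 SSL"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
_continue_ = "ipaddress=__IP__&"

[RequestAttributes]
CertificateTemplate = __TEMPLATE__
'@
$infText.Replace('__FQDN__', $Fqdn).Replace('__IP__', $Ip).Replace('__TEMPLATE__', $Template) |
    Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and CSR in the machine store, submit it, install the issued certificate
certreq -new $inf $req
certreq -submit -config $CaConfig $req $cer
certreq -accept $cer

# Verify the result: private key present, 2048-bit key, both EKUs, and the SANs we asked for
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$ekus   = $cert.EnhancedKeyUsageList.ObjectId
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
    KeySize       = $cert.PublicKey.Key.KeySize
    ServerAuth    = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    ClientAuth    = ($ekus -contains '1.3.6.1.5.5.7.3.2')
    SAN           = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
}
```

If the template requires CA manager approval, `certreq -submit` returns a pending request ID instead of a certificate; issue it on the CA and run `certreq -retrieve <id> $cer` followed by `certreq -accept $cer`. The thumbprint printed at the end is the value to use in the export and Install-AdfsFarm commands that follow.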
```powershell
if (!(Test-Path C:\Certs)) { New-Item -Path C:\ -Name Certs -ItemType Directory }
# List machine certificates to find the thumbprint of the new ADFS certificate
Get-ChildItem Cert:\LocalMachine\My\ | Select-Object ThumbPrint, Subject, NotAfter, EnhancedKeyUsageList
# Change the password and thumbprint accordingly
$password = ConvertTo-SecureString -String '123456' -Force -AsPlainText
# Export to the C:\Certs folder created above
Get-ChildItem -Path Cert:\LocalMachine\My\68F3DAF0330A1B7C7C3901A5C7CF6090831076DF | Export-PfxCertificate -FilePath C:\Certs\adfs001.pfx -Password $password
```
This exported certificate will be required when configuring the ADFS server.
Open Server Manager and click Add Roles and Features from the Manage menu. On Server Roles choose Active Directory Federation Services. AD FS provides simplified identity federation and web single sign-on (SSO) capabilities; it includes a Federation Service that enables browser-based web SSO. Keep the default settings for all other options and click Install on the Confirmation page.
Alternatively, you can install the AD FS role with the PowerShell cmdlet below.
```powershell
Install-WindowsFeature ADFS-Federation -IncludeAllSubFeature -IncludeManagementTools
```
Once the role installation has succeeded, on the results page click the Configure the federation service on this server link. This starts the AD FS configuration wizard. On the Welcome page, as this is the first server, keep Create the first federation server in a federation server farm selected and press Next.
Before you begin the configuration you must have the following (these prerequisites are already fulfilled):
- An Active Directory domain administrator Account
- A publicly trusted certificate for SSL server authentication.
Next, on Connect to AD DS (Active Directory Domain Services), specify an account with Active Directory domain administrator permissions to perform the federation service configuration.
On the Specify Service Properties page, click Import, select the PFX file and provide the certificate password set earlier. The wizard collects the required information from the certificate. Provide a Federation Service Display Name; users will see this name on the sign-in page.
Under the Specify Service Account step use an existing domain user account or a group Managed Service Account. Select/add the account and password, click OK, then Next. For Specify Configuration Database, I am keeping the option Create a database on this server using Windows Internal Database for this simple lab setup. (For production a SQL Server database is preferred.)
On Review Options check the settings configured (if something is missing, click Previous to go back and change the settings). The same configuration can also be done with the PowerShell commands below.
```powershell
# Prompt for the federation service account credential used by -ServiceAccountCredential
$serviceAccountCredential = Get-Credential -Message 'Enter the federation service account credential'
Install-AdfsFarm `
    -CertificateThumbprint:"68F3DAF0330A1B7C7C3901A5C7CF60908E1076DF" `
    -FederationServiceDisplayName:"vcloud-lab.com" `
    -FederationServiceName:"adfs001.vcloud-lab.com" `
    -ServiceAccountCredential:$serviceAccountCredential
```
After reviewing the ADFS configuration options, the wizard runs the prerequisite checks; if all checks pass, click Configure to begin the installation. Once the server is successfully configured, restart it. You might see the warnings below in the operation results, which you can ignore for this lab.
- The SSL certificate subject alternative names do not support host name 'certauth.adfs001.vcloud-lab.com'. Configuring certificate authentication binding on port '49443' and hostname 'adfs001.vcloud-lab.com'.
- An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.
- The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com.fwlink/?Linkid=311954
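Each of the three warnings above maps to something that can be checked before Install-AdfsFarm runs. The function below is an added example, not part of the original article: it inspects the SSL certificate for the federation service name, the certauth. name, and an enterpriseregistration. name for every UPN suffix in the forest (the Workplace Join requirement in the third warning), and queries whether host/<federation service name> is already registered on a different account (the second warning). It assumes the ActiveDirectory RSAT module is installed, an English locale for the SAN text, and uses the article's lab values as defaults; the service account name is a constructed placeholder.

```powershell
# Added example: pre-flight checks matching the three Install-AdfsFarm warnings.
# Assumes the ActiveDirectory module and an English locale; defaults are the article's lab values.
function Test-AdfsPreflight {
    param(
        [string]$FederationServiceName = 'adfs001.vcloud-lab.com',
        [string]$Thumbprint            = '68F3DAF0330A1B7C7C3901A5C7CF60908E1076DF',
        [string]$ServiceAccount        = 'vcloud-lab\svc_adfs'   # constructed placeholder
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { return @("FAIL: no certificate with thumbprint $Thumbprint in LocalMachine\My") }

    # Private key and Server Authentication EKU are hard requirements for the SSL binding
    if (-not $cert.HasPrivateKey) { $findings.Add('FAIL: certificate has no private key') }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings.Add('FAIL: Server Authentication EKU missing')
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("WARN: certificate expires $($cert.NotAfter)") }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17)
    $dnsNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    $fsn = $FederationServiceName.ToLower()
    if ($dnsNames -notcontains $fsn) { $findings.Add("FAIL: SAN lacks $fsn") }
    if ($dnsNames -notcontains "certauth.$fsn") {
        $findings.Add("WARN: SAN lacks certauth.$fsn; certificate authentication is bound on port 49443 instead")
    }

    # Workplace Join needs enterpriseregistration.<suffix> for the root domain and every UPN suffix
    try {
        $forest   = Get-ADForest
        $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
        foreach ($s in $suffixes) {
            if ($dnsNames -notcontains "enterpriseregistration.$s".ToLower()) {
                $findings.Add("WARN: SAN lacks enterpriseregistration.$s (Workplace Join for UPN suffix $s)")
            }
        }
    } catch { $findings.Add("WARN: could not enumerate UPN suffixes: $($_.Exception.Message)") }

    # The wizard sets host/<fsn> on the service account; an existing owner elsewhere makes that step fail
    $spn = "host/$FederationServiceName"
    $out = setspn -Q $spn 2>&1 | Out-String
    if ($out -match 'Existing SPN found') {
        $owner = ($out -split "`r?`n" | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
        $acct  = $ServiceAccount.Split('\')[-1]
        # Heuristic: the owning object's DN should contain the service account's CN
        if ($owner -notmatch [regex]::Escape($acct)) {
            $findings.Add("FAIL: $spn already registered on '$owner', not on $ServiceAccount")
        }
    }
    if ($findings.Count -eq 0) { $findings.Add('OK: certificate and SPN checks passed') }
    return $findings
}

Test-AdfsPreflight
```

Run it on the future federation server as an administrator; each returned line is prefixed FAIL or WARN so the output can be acted on before the wizard reports the same conditions after the fact.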
Once the ADFS deployment is complete, restart the server.
```powershell
Restart-Computer
```
Next, open a browser and go to the ADFS URL below.
https://adfs_fqdn/adfs/ls/idpinitiatedsignon
You can find the same ADFS URL with the PowerShell one-liner below; append idpinitiatedsignon to the end of the URL.
```powershell
Get-AdfsEndpoint | Where-Object {$_.Protocol -eq 'SAML 2.0/WS-Federation'}
```
You will probably see the error details below.
An error occurred. Contact your administrator for more information.
Error details
•Activity ID: 63a89cea-f5a9-4dff-1b00-0080000000b0
•Error time: Fri, 24 Apr 2020 09:27:59 GMT
•Cookie: enabled
•User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
To resolve the error you need to enable the IdP-initiated sign-on page with the PowerShell commands below.
```powershell
Get-AdfsProperties | Select-Object HostName, EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
```
Once you refresh the browser you will see Sign in on the web page. You can test signing in, but I will do a few more configuration steps next.
If you don't want to use PowerShell for further configuration, on Server Manager click the Tools menu and select AD FS Management. In AD FS Management expand Service, go to Endpoints and enable Token Issuance for SAML 2.0/WS-Federation.
Next go to Authentication Methods and under Primary Authentication Methods click Edit. (Primary authentication is required for all users trying to access applications that use AD FS for authentication. You can use the options below to configure settings for primary authentication methods.)
On the Primary tab uncheck Intranet >> Windows Authentication and click OK.
Refresh the ADFS URL in the browser and try to sign in. It shows You are signed in; the ADFS configuration is now complete.
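The three AD FS Management steps above (token issuance endpoint, IdP-initiated sign-on page, primary intranet authentication) have PowerShell equivalents, and the result can be verified without a browser by reading the properties back and fetching the federation metadata document that relying parties consume. The script below is an added example, not code from the original article; it assumes it runs on the farm server with the ADFS module available and that the CA that issued the SSL certificate is trusted there.

```powershell
# Added example: PowerShell equivalent of the AD FS Management steps plus a read-back check.
# Assumes the ADFS module on the farm server and a trusted SSL certificate for the metadata fetch.
Import-Module ADFS
$fsn = (Get-AdfsProperties).HostName

# Token issuance endpoint for SAML 2.0/WS-Federation (the Endpoints node toggle)
Set-AdfsEndpoint -TargetAddressPath '/adfs/ls/' -Enabled $true
# IdP-initiated sign-on page: disabled by default on Windows Server 2016 and later, needed only for this test page
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
# Primary intranet authentication: forms only, i.e. Windows Authentication unchecked
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('FormsAuthentication')

function Get-AdfsConfigSummary {
    # Read the effective state back rather than trusting the Set-* calls succeeded
    $props   = Get-AdfsProperties
    $policy  = Get-AdfsGlobalAuthenticationPolicy
    $ls      = Get-AdfsEndpoint -AddressPath '/adfs/ls/'
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

    # Federation metadata is served anonymously; a 200 with the expected entityID shows the
    # service is up and bound to the federation service name
    $metaUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
    $resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
    [xml]$meta = $resp.Content
    $entityId = $meta.EntityDescriptor.entityID

    [pscustomobject]@{
        FederationServiceName = $props.HostName
        IdpInitiatedSignon    = $props.EnableIdPInitiatedSignonPage
        IntranetPrimary       = ($policy.PrimaryIntranetAuthenticationProvider -join ',')
        ExtranetPrimary       = ($policy.PrimaryExtranetAuthenticationProvider -join ',')
        LsEndpointEnabled     = $ls.Enabled
        TokenSigningThumb     = $signing.Thumbprint
        MetadataStatus        = $resp.StatusCode
        EntityId              = $entityId
        EntityIdMatches       = ($entityId -eq $props.Identifier.ToString())
    }
}

Get-AdfsConfigSummary
```

IntranetPrimary should read FormsAuthentication and EntityIdMatches should be True; if the metadata fetch fails with a trust error, the issuing CA's root certificate is not in the server's Trusted Root store, which is the same problem browsers will report on the sign-in page.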
Useful Articles
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate