In this post I will be installing and configuring the Active Directory Federation Services [AD FS] server role. AD FS is able to provide Single-Sign-On [SSO] capabilities to multiple web applications using a single Active Directory account.
vBoring Blog Series:
- How to setup Microsoft Active Directory Federation Services [AD FS]
- How to setup Microsoft Web Application Proxy
Install the AD FS Server Role:
Open Server Manager and click Manage -> Add Roles and Features:
Click Next:
Role-based or feature-based installation should be selected then click Next:
Select the server you want to install this role then click Next:
Note: Web Application Proxy role and AD FS cannot be installed on the same computer.
Select Active Directory Federation Services then click Next:
No additional Features are needed. Click Next:
Click Next:
The AD FS role does not require a reboot. Click Install:
Once complete click Close:
Post-Deployment Configuration:
Back on Server Manager under Notifications click the message Configure the federation service on this server:
Since this is our first AD FS server select the first option then click Next:
Ensure the account you are logged in with has Active Directory Domain Admin permissions. If not, click Change. Click Next to continue:
SSL Certificate: On the drop-down menu you will see the certificates installed on the server. You can use the default self-signed certificate or one you create. Ensure you have it in .PFX format.
Federation Service Name: Give your AD FS service a FQDN.
Federation Service Display Name: Enter a display name
Click Next to proceed:
Note about Federation Service Name: If you are installing AD FS on a Domain Controller or want to use a different FQDN for AD FS than the server you will need to ensure the name you enter has a DNS Record created.
Since this is my home lab I am putting AD FS on my Domain Controller and needed to create a DNS entry.
Note about SSL Certificate: If you imported a certificate you will see it added to your Personal Certificates.
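The DNS record and certificate steps above can be done and verified from PowerShell before you click Next. This is an added example, not code from the original post; the federation service name, zone, IP address and PFX path are assumptions for a lab and must be replaced with your own. The DNS part runs on a DNS server (or a machine with the DnsServer RSAT module), the certificate part on the AD FS server itself.

```powershell
# Added example (not from the original post): create the DNS A record for the
# federation service name, import the .PFX into the machine Personal store, and
# check that the certificate actually covers the name. All values are assumptions.
$FederationServiceName = 'adfs.lab.example'      # assumed AD FS FQDN
$ZoneName              = 'lab.example'           # assumed AD-integrated DNS zone
$AdfsServerIp          = '10.0.0.10'             # assumed IP of the AD FS server
$PfxPath               = 'C:\certs\adfs.pfx'     # assumed path to the exported .PFX
$HostLabel             = $FederationServiceName.Split('.')[0]   # 'adfs'

# 1. DNS: only needed when the federation service name differs from the server's
#    own hostname (for example when AD FS runs on a Domain Controller).
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostLabel -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $AdfsServerIp
}
Resolve-DnsName -Name $FederationServiceName -Type A

# 2. Certificate: import the PFX (with its private key) into LocalMachine\My,
#    which is the store the wizard's drop-down reads from.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 3. Checks a practitioner wants before continuing: the service name must be in the
#    certificate's subject or SAN list (a wildcard for the zone also counts), the private
#    key must be present, and the certificate must currently be within its validity period.
$names       = $cert.DnsNameList.Unicode
$nameCovered = ($names -contains $FederationServiceName) -or ($names -contains ('*.' + $ZoneName))
$now         = Get-Date
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    NameCovered   = $nameCovered
    HasPrivateKey = $cert.HasPrivateKey
    NotAfter      = $cert.NotAfter
    CurrentlyValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
}
```

If NameCovered comes back False the wizard will still let you pick the certificate, but browsers will show a name mismatch when users hit the federation service URL, so fix the certificate before continuing rather than after.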
On the Specify Service Account tab you may get the following message:
If you want the Wizard to create a Service Account for you then proceed to the PowerShell window below. If you want to create a Service Account manually you can add it by selecting the second option.
PowerShell Commands:
Get-Help Add-KdsRootKey – Read about the command
Add-KdsRootKey -EffectiveImmediately – Generate root key
Enter the Service Account you want to use and click Next:
Note: Ensure this user account is added to the local Administrators group of your AD FS server. It is required to set up Microsoft Web Application Proxy.
You have the option of using a Windows Internal Database (WID) or SQL Server. If you have a small environment/lab then use WID. If you have a large environment use a SQL database. Click Next:
Note: WID is a limited version of SQL Express that doesn’t have a GUI or management interface. The WID database is a file (SUSDB.dbf) stored in C:\Windows\wid\data\
For additional information about using a SQL Server database click here.
Click Next:
If everything checks out click Configure:
Once complete click Close:
AD FS is now installed and is ready for testing!
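The whole post-deployment wizard, including the Add-KdsRootKey step from the PowerShell Commands section above, has a scripted equivalent. The following is an added example, not code from the original post: it creates the KDS root key if one is missing, creates the group managed service account the wizard would otherwise create for you, and then runs Install-AdfsFarm against the Windows Internal Database. The service name, display name, gMSA name, NetBIOS domain and certificate thumbprint are assumptions and must be replaced; it needs the ActiveDirectory module and an account with Domain Admin rights, and it must be run on the server that just had the AD FS role installed.

```powershell
# Added example (not from the original post): scripted equivalent of the
# post-deployment configuration wizard for the first server in a new farm.
# All names below are assumptions; the thumbprint is a placeholder.
$FederationServiceName        = 'adfs.lab.example'
$FederationServiceDisplayName = 'Lab Federation Service'
$CertificateThumbprint        = '<thumbprint of the imported PFX>'   # placeholder, take it from Cert:\LocalMachine\My
$GmsaName                     = 'adfs-gmsa'                          # assumed gMSA name
$DomainNetbios                = 'LAB'                                # assumed NetBIOS domain name

# 1. KDS root key. A gMSA cannot be created without one. Even with
#    -EffectiveImmediately the key is only usable after a 10 hour replication
#    window; in a single-DC lab you can backdate the effective time to skip the
#    wait. Do not backdate in production, where other DCs need the time to replicate.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab only
    # Production: Add-KdsRootKey -EffectiveImmediately   and then wait 10 hours
}

# 2. Group Managed Service Account. Limiting PrincipalsAllowedToRetrieveManagedPassword
#    to the AD FS computer object is the least-privilege setting: only that host can
#    fetch the account's password from AD, so there is no password for an admin to know or leak.
$adfsHost = Get-ADComputer -Identity $env:COMPUTERNAME
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $FederationServiceName `
        -ServicePrincipalNames "host/$FederationServiceName" `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsHost
}

# 3. Create the farm. Without -SQLConnectionString the farm uses the Windows
#    Internal Database, which matches the WID choice in the wizard.
Install-AdfsFarm -CertificateThumbprint $CertificateThumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $FederationServiceDisplayName `
    -GroupServiceAccountIdentifier "$DomainNetbios\$GmsaName`$"
```

Using a gMSA rather than a regular user account also removes the password-rotation chore the wizard's second option leaves you with, because AD rotates the gMSA password itself.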
How to ensure AD FS is working:
Open a web browser and go to the URL below and click Sign In:
https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
You should get a login box. Enter your domain credentials; once logged in you should see the screen below:
You are now ready to use AD FS in your environment!
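The browser test above can be complemented with a check script run on the AD FS server. This is an added example, not code from the original post; the federation service name is an assumption. It reads the service and farm state, confirms the HTTPS listener and the published federation metadata, and handles the case where the IdP-initiated sign-on page is disabled, which is the default on Windows Server 2016 and later. If you kept the self-signed certificate, the two web requests will fail certificate validation until that certificate is trusted by the machine running the script.

```powershell
# Added example (not from the original post): post-install checks for a new
# AD FS farm. $FederationServiceName is an assumption; replace it with yours.
$FederationServiceName = 'adfs.lab.example'

# 1. Service and farm state as AD FS itself reports it.
$svc   = Get-Service -Name adfssrv
$props = Get-AdfsProperties
[pscustomobject]@{
    ServiceStatus      = $svc.Status                       # expect Running
    HostName           = $props.HostName                   # must equal the federation service name
    IdPInitiatedSignOn = $props.EnableIdPInitiatedSignonPage
}

# 2. Network and metadata: the HTTPS listener must answer, and the metadata
#    document is what relying parties will consume, so it is the real smoke test.
Test-NetConnection -ComputerName $FederationServiceName -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$metadata    = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
'Metadata entityID: ' + $metadata.EntityDescriptor.entityID

# 3. The IdP-initiated sign-on page used for the browser test is off by default on
#    Server 2016 and later. Turn it on for testing only: it is an extra, always-on
#    credential prompt that password-guessing attempts will also find, so switch it
#    back off once you have confirmed sign-in works.
if (-not $props.EnableIdPInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
}
Invoke-WebRequest -Uri "https://$FederationServiceName/adfs/ls/idpinitiatedSignOn.aspx" -UseBasicParsing |
    Select-Object StatusCode                               # expect 200
# After testing:  Set-AdfsProperties -EnableIdPInitiatedSignonPage $false

# 4. Anything that went wrong during configuration lands in the AD FS admin log.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 10 | Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If the metadata request succeeds but the sign-on page keeps returning you to the login form after correct credentials (a symptom reported in the comments), the admin log from step 4 is the first place to look, since a successful authentication that is then rejected will be logged there rather than shown in the browser.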
Very helpful.
In Server 2016 (ADFS 4.0) the IdPInitiatedSignOn page is disabled by default and must be turned on manually with an Administrative PS shell after deployment to be used:
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
I’ve come from the future just to thank you.
Hey, thanks very much for your helpful tutorial.
I spent at least 2 hours trying to get the sign in page working, only to find out that in your article in the section that says
“How to ensure AD FS is working” the link is incorrect.
It reads:
https://adfs_fqdn/adfs/ls/ldpintiatedsignon
but it should be
https://adfs_fqdn/adfs/ls/idpintiatedsignon
There is an “i” after adfs/ls/ , not “L”
Easily done ! Thanks again.
Thanks @ Thomas Maerz 🙂
I am having a hard time with ADFS install and configure. Followed all the steps – yet getting this error when I tried to test the ADFS weblink to see if the install was successful.
•Activity ID: 154cccb7-aae9-45d2-1800-0080000000b8
•Error time: Mon, 24 Jul 2017 14:10:39 GMT
•Cookie: enabled
•User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; rv:11.0) like Gecko
I am getting the same error when verifying the ADFS. Could you please share how you fix it.
Thanks!
Allow browser cookies and browser security should be LOW
You can ignore above message. I was able to fix ADFS install and configure issue. Just one question to Daniel – How were you able to configure SAN name on your wildcard certificate (that is Common Name, DNS on the wildcard certificate)?
You need to fix that broken URL… I wasted half a morning trying to fix an error message (similar to ramg above) that was caused by a simple typo in your example. The URL you provide is:
https://ADFS_FQDN/adfs/ls/ldpintiatedSignOn
but it should be:
https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
Note the “i” instead of an “l” (as Petr mentions above) and another missing “i”. The .aspx is optional, but I have copied/pasted the working URL from my setup to ensure complete accuracy.
The instructions you’ve blogged here are fantastic, but this simple syntax error renders your whole blog post ineffective because your instructions cannot be successfully tested. And, more than a month after Petr mentioned the error, you still haven’t fixed it.
Updated!! Apologies for that!
Very helpful Daniel! Thanks!
Does ADFS support integration with VMware products VC and ESXi?
Thank You for the article. I was looking for clarification on which A record to set up. Working signon page now!
Very helpful.
Where does the cert come from that is Imported on the “Specify Service Properties” dialog? Is it generated by the same DC I am setting up ADFS on?
I cannot see the certificates in drop down. I have also created the self signed certificate and tried to import but it does not load.
Did you face any issue or what can be wrong if I see this issue ?
I had to set this parameter, then I could see the sign in page. Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
In the instructions you say: Note about Federation Service Name: If you are installing AD FS on a Domain Controller or want to use a different FQDN for AD FS than the server you will need to ensure the name you enter has a DNS Record created.
Is it a requirement to have a separate name for the Federation Service Name or is it ok to use the same FQDN as what the DC has? Will it cause problems if I use the same name?
If you enabled:
https://ADFS_FQDN/adfs/ls/idpinitiatedSignOn.aspx
via:
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
(Get-AdfsProperties).EnableIdPInitiatedSignonPage
and want seamless sign-on to work (so not even needing to press “sign-in”), make sure to add your ADFS server’s ADFS URL to the intranet zone in Internet Explorer; it will send your current username+password+domain to the ADFS server for authentication.
If anyone wants to quickly set up a simple one-node ADFS server from a single script. It requires only the communication certificate thumbprint details. And as a bonus it deploys the MFA feature for ADFS with OTP codes. There is information on how to install the ADFS Demo with OTP under the following link: https://www.securemfa.com/downloads/mfa-otp#h.p_0CFeLwIix8Fa
Excellent write up! I shall use this for the work I am doing now while setting up ADFS to work with AWS. I’m glad you made this article.
Very helpful! Thank you!
I followed the steps above to set up my ADFS. When I tried to log in via idpinitiatedsignon.aspx, using the correct credentials, I keep seeing the same login page which says “Sign in with your organizational account” and the “Sign In” button, instead of a page saying “You are signed in” with the “Sign Out” button, as shown in the screenshot in this post. I know the login is successful, because if the login fails, I will see an error message saying “Incorrect user ID or password. Type the correct user ID and password, and try again.” and also can see the failed login attempt in the Windows Event log. I tried re-installing and re-configuring ADFS a few times but am still not able to get the correct successful login behaviour. Can you advise what the cause could be? Thank you.
Hi: Did you fix this issue? I created an ADFS environment and am having exactly the same issue described by you. If you already fixed it, can you please let me know how you did it?
Thanks
Really great documentation. I followed and completed the settings. The page is opening for me but the sign-in is not going through. The sign-in prompt comes back repeatedly after providing the correct credentials. Do you have any idea on that?