SharePoint 2013 ADFS 3.0 Prerequisites

Overview

This is part 3 in our SharePoint 2013 ADFS 3.0 Installation and Configuration series.  In this article we explain the prerequisites for ADFS 3.0 on Windows Server 2012 R2.

Below is a list of prerequisites that we need to take care of prior to installing ADFS:

  • Create DNS Entry
  • Create a Service Account
  • Create ADFS Certificate Template
  • Request Certificates

Create DNS Entry

In this step we’ll create a DNS A-record called “adfs” to be used by applications that authenticate via ADFS.  For example in SharePoint this would be the provider URI:

This could also be a CNAME DNS entry, but we prefer to create A-records when dealing with SharePoint because we use Kerberos for authentication.  This keeps all DNS requests consistent and won’t raise any red flags when troubleshooting Kerberos issues.

  • On “DC1” open the “DNS Manager” console
  • Expand the server node
  • Expand “Forward Lookup Zones”
  • Right click on the DNS domain (i.e. splab.local in this example) and select “New Host (A or AAAA)”

[Screenshot: adfspre-01]

  • In the “New Host” dialog for the A-record enter “adfs” and the IP address of the server that will host ADFS, then click the “Add Host” button.

[Screenshot: adfspre-02]

  • Verify the entry has been created

[Screenshot: adfspre-03]
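The same DNS step scripted with the DnsServer module, as an added example that is not from the original post. It assumes the zone splab.local, the server name DC1 and a constructed ADFS address of 10.0.0.20, and it also checks that the name is an A-record rather than a CNAME, which is the point the post makes about Kerberos.

```powershell
# Added example (not from the original post): create and verify the "adfs" A-record
Import-Module DnsServer

$Zone   = 'splab.local'
$Name   = 'adfs'
$AdfsIP = '10.0.0.20'    # constructed value; use the real address of the ADFS host
$Fqdn   = "$Name.$Zone"

# Same as "New Host (A or AAAA)" in DNS Manager
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $AdfsIP -ComputerName 'DC1'

# A CNAME here would break the post's Kerberos assumption, so refuse it outright
$cname = Resolve-DnsName -Name $Fqdn -Server 'DC1' -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    throw "$Fqdn is a CNAME to $($cname.NameHost); an A-record is expected"
}

# Verify the A-record answers with the address we just registered
$a = Resolve-DnsName -Name $Fqdn -Server 'DC1' -Type A | Where-Object { $_.Type -eq 'A' }
if (-not $a -or ($a.IPAddress -notcontains $AdfsIP)) {
    throw "Unexpected answer for ${Fqdn}: $($a | Out-String)"
}
"OK: $Fqdn -> $($a.IPAddress -join ', ') (A-record)"
```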

Create Service Account

In this step we’ll create the service account that the “AD FS 3.0 Windows Service” executes under.  In our lab we’ll create the account in the “ADFS Service Accounts” OU however it could be provisioned anywhere in the directory.

  • Launch “Active Directory Users and Computers”
  • Navigate to the location in the directory where you wish to create the account.  In this example we’ll create the account in the “ADFS Service Account” OU.
  • Identify the OU or container where you wish to create the service account and select “New” –> “User”
  • Fill out the required fields in the “New Object – User” screen and click “Next >” to continue

[Screenshot: adfspre-10]

  • Enter the desired password and select the “User cannot change password” and “Password never expires” check boxes.  Click “Next >” to continue.
  • Review the details of the new user account and click “Finish”
  • Verify the account has been created by navigating to the container or OU it was created in.

[Screenshot: adfspre-06]

Create ADFS Certificate Template

Next we’ll create a copy of the “Web Server” template to be used when requesting certificates for the “Service Communication”, “Token-decrypting”, and “Token-signing” certificates in ADFS.  During this process we’ll need to grant the “Read” and “Enroll” permissions on the template to the following:

  • ADFS service account
  • AD group that contains the machine account(s) from which the certificate will be requested (“WebServers” in our example).

The certificate template will be based off the “Web Server” template and consists of the following steps:

  • Open the “Server Manager” console and click the “Tools” –> “Certificate Authority” in the upper right corner.

[Screenshot: adfspre-07]

  • Expand the Certificate Authority and right click on “Certificate Templates” and select “Manage”

[Screenshot: adfspre-08]

  • In the “Certificate Templates Console” scroll down and right-click on the “Web Server” template in the right hand pane and select the “Duplicate Template” option

[Screenshot: adfspre-09]

  • On the “General” tab enter “ADFS” in the “Template display name:” and “Template name:” fields
  • Click the “Security” tab
  • On the “Security” tab of the “Properties of New Template” dialog click the “Add” button
  • Add the “WebServers” group, or whichever group you created to hold the computers that will request the certificate.  Even though DC1 technically isn’t a web server, it is the server we are requesting the certificate from, so we added it to that group.
  • Select the “Allow” checkboxes for the “Read” and “Enroll” entries.

[Screenshot: adfspre-11a]

  • Click “OK” to create the template.
  • The “ADFS” template should now be displayed in the list of “Certificate Templates”

[Screenshot: adfspre-12]

  • Return to the “Certificate Authority” MMC and right click on the “Certificate Templates” -> “New” -> “Certificate Template to Issue”

[Screenshot: adfspre-14]

  • Select the “ADFS” template and then click “OK”

[Screenshot: adfspre-15]

  • You will now see the “ADFS” template available to request

[Screenshot: adfspre-16]

Request Certificates

In this step we’ll process the request to create the “Service Communication”, “Token-decrypting”, and “Token-signing” certificates used in ADFS.  We could request these through multiple methods and also post installation, but requesting them prior to the deployment of ADFS will provide us the opportunity of using the “Service Communication” certificate during the ADFS installation process.  ***Please note if you are using 3rd Party or Self-Signed Certificates you can skip this step***

Create Service Communications Certificate

  • Open the Microsoft Management Console (Start –> Run –> mmc.exe )
  • Click File –> Add/Remove Snap-in….
  • Select “Certificates”, click “Add” followed by “OK”
  • Navigate to Certificates (Local Computer) –> Personal –> Certificates
  • Right click the “Certificates” folder and select “All Tasks” –> “Request New Certificate”

[Screenshot: adfspre-17]

  • The “Certificate Enrollment” wizard will be displayed.  Click “Next”
  • Select the “Active Directory Enrollment Policy” option and click “Next”
  • Select the “ADFS” template and click the “More information is required to enroll for this certificate.” link

[Screenshot: adfspre-18]

  • On the “Subject” tab select the “Common Name” drop down option in the “Subject name:” section
  • In the “Value:” field type in the FQDN which is the “adfs.splab.local” DNS A-record we created in a previous step
  • Click the “Add >” button to insert the entry to the right hand column

[Screenshot: adfspre-19]

  • Click the “General” tab and fill in the friendly name and description of the certificate

[Screenshot: adfspre-20]

  • Select the “Private Key” tab and verify under the “Key options” section that the “Make private key exportable” check box is selected
  • Click “OK”
  • The yellow caution sign will no longer be present and you can click “Enroll” to process the request
  • The enrollment process should display a successful status

[Screenshot: adfspre-22]

  • Click “Finish”

Create Token-Decrypting and Token-Signing Certificates

We need to repeat the same steps to create both the “Token-Decrypting” and “Token-Signing” certificates, so I’ll provide the steps minus the screen shots.

Token-Decrypting

  • Navigate to Certificates (Local Computer) –> Personal –> Certificates
  • Right click the “Certificates” folder and select “All Tasks” –> “Request New Certificate”
  • The “Certificate Enrollment” wizard will be displayed.  Click “Next”
  • Select the “Active Directory Enrollment Policy” option and click “Next”
  • Select the “ADFS” template and click the “More information is required to enroll for this certificate.” link
  • On the “Subject” tab select the “Common Name” drop down option in the “Subject name:” section
  • In the “Value:” field type in the FQDN “decrypting.splab.local”
  • Click the “Add >” button to insert the entry to the right hand column
  • Click the “General” tab and fill in the friendly name and description of the certificate
  • Select the “Private Key” tab and verify under the “Key options” section that the “Make private key exportable” check box is selected
  • Click “OK”
  • The yellow caution sign will no longer be present and you can click “Enroll” to process the request
  • The enrollment process should display a successful status
  • Click “Finish”

Token-Signing

  • Navigate to Certificates (Local Computer) –> Personal –> Certificates
  • Right click the “Certificates” folder and select “All Tasks” –> “Request New Certificate”
  • The “Certificate Enrollment” wizard will be displayed.  Click “Next”
  • Select the “Active Directory Enrollment Policy” option and click “Next”
  • Select the “ADFS” template and click the “More information is required to enroll for this certificate.” link
  • On the “Subject” tab select the “Common Name” drop down option in the “Subject name:” section
  • In the “Value:” field type in the FQDN “signing.splab.local”
  • Click the “Add >” button to insert the entry to the right hand column
  • Click the “General” tab and fill in the friendly name and description of the certificate
  • Select the “Private Key” tab and verify under the “Key options” section that the “Make private key exportable” check box is selected
  • Click “OK”
  • The yellow caution sign will no longer be present and you can click “Enroll” to process the request
  • The enrollment process should display a successful status
  • Click “Finish”

The local certificate store should now list the adfs, decrypting, and signing certificates.

[Screenshot: adfspre-23]
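The three enrollment runs above, scripted with certreq as an added example that is not from the original post. It uses a certreq INF so that the request carries the same "Make private key exportable" setting the wizard sets, then checks the machine store the way the last step does. The CA config string DC1.splab.local\splab-DC1-CA and the friendly names are assumptions; the script must run on a machine that is in the WebServers group so the template's Enroll permission applies.

```powershell
# Added example (not from the original post): enroll the three ADFS certificates via certreq
$CAConfig = 'DC1.splab.local\splab-DC1-CA'   # assumed; find yours with: certutil -dump

# Subject FQDNs from the post, mapped to assumed friendly names
$Certs = @{
    'adfs.splab.local'       = 'ADFS Service Communication'
    'decrypting.splab.local' = 'ADFS Token-decrypting'
    'signing.splab.local'    = 'ADFS Token-signing'
}

foreach ($fqdn in $Certs.Keys) {
    # INF equivalent of the enrollment wizard: Subject tab, General tab, Private Key tab
    $inf = @"
[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "$($Certs[$fqdn])"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = ADFS
"@
    $base = Join-Path $env:TEMP ($fqdn.Split('.')[0])
    Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII

    certreq -new    "$base.inf" "$base.req"                 # build the PKCS#10 request
    certreq -submit -config $CAConfig "$base.req" "$base.cer"   # submit to the enterprise CA
    certreq -accept "$base.cer"                             # bind the cert to its private key
}

# Verify: each certificate is in the machine store with its private key attached.
# The signing key underpins every token ADFS issues, so exportable keys in this
# store deserve the same access controls as any other credential material.
foreach ($fqdn in $Certs.Keys) {
    $c = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -eq "CN=$fqdn" } |
         Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $c -or -not $c.HasPrivateKey) {
        throw "Missing certificate or private key for $fqdn"
    }
    '{0,-26} expires {1:yyyy-MM-dd}  thumbprint {2}' -f $fqdn, $c.NotAfter, $c.Thumbprint
}
```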

Posted in ADFS, ADFS 3.0, SharePoint 2013, SSL, Windows Server 2012