This is part 4 in our SharePoint 2013 ADFS 3.0 Installation and Configuration series of articles. This article will outline the procedures to install ADFS 3.0 on a Windows Server 2012R2 domain controller. In a production environment you typically wouldn’t co-locate the “Domain Controller” and the “ADFS” role on the same server, but for a lab environment this shouldn’t be an issue.
- SharePoint 2013 and ADFS 3.0 Installation Guide
- Part 1: Lab Environment
- Part 2: Install Windows Certificate Authority
- Part 3: ADFS Prerequisites
- Part 5: Configure Relying Party in ADFS 3.0
- Part 6: Configure Web Application for ADFS
- Part 7: Configure User Profile Service for ADFS
- Part 8: Validate Configuration with “Claims Viewer Web Part”
- Supplemental 1: Configure People Picker to resolve ADFS Identities
- Supplemental 2: Adding Host Name Site Collections to Existing Web Application Configured to use ADFS
- Supplemental 3: Configure Automatic Sign-In with Mixed Authentication
Prior to starting the installation please verify the following:
In Windows Server 2012R2 ADFS is a role there isn’t any extra media to download like there was for previous versions. To install ADFS simply install it from the “Add Roles and Features“.
- Launch Server Manager
- From the Dashboard or the “Manage” menu in the upper right corner launch the “Add Roles and Features“
- Skip the “Before you begin” page if you don’t already by default
- On the “Select installation type” page select “Role-Based or feature-based installation“
- On the “Select destination server” page select the server you wish to deploy ADFS too. We’re using DC1. Click “Next“
- Select “Active Directory Federation Services” and then click “Next“
- Click “Next” again to skip the features selection
- Click “Next” again to verify the ADFS requirements
- Click “Install” to initiate the installation and wait for the installation to complete.
- Once the installation has completed go ahead and close the wizard
Post Install Configuration
This step will consist of a handful of tasks ranging from creating a new Federation Service, importing the “adfs.splab.local” certificate that we previously created, creating the farm, configuration database, default claim set and finally configuring the token decrypting and signing certificates in the AD FS console.
AD FS Federation Server Configuration Wizard
- On the “Server Manager” dashboard there should now be a yellow exclamation warning in the top right of the dashboard. We can click on this and see that there are some post-deployment activities to complete for Active Directory Federation Services. Go ahead and click the “Configure the federation service on this server.“
- On the “Welcome” page we are told that there are some prerequisites that we should have already completed in the <Insert PREREQ LINK> post. Here we are going to “Create the first federation server in a federation server farm“. So select that and click “Next >“
- On the “Connect to Active Directory Domain Services” page we need to supply a user that has Domain Admin permission to complete the configuration. This doesn’t need to be the service account we created since this is just for the configuration. Click “Change” and enter a domain admin credential into the “Windows Security” prompt and then click “Next >“. NOTE: This user must be a Domain Admin. An Enterprise Admin won’t be good enough.
- On the “Specify Service Properties” page we are going to specify the SSL certificate we created as well as the FS name and display name.
- SSL Certificate: adfs.splab.local (this should be the first SSL cert you created)
- Federation Service Name: This is filled out for you with the name from the certificate
- Federation Service Display Name: SPLab ADFS (this is the name users will see when the select which ADFS provider to log into)
- Click “Next >“
- On the “Specify Service Account” we simply need to enter the information for the ADFS Service account we created during the prerequisites. Click “Select” and then enter in the service account name and then password. Click “Next >“
- On the “Specify Configuration Database” page you have the option of hosting the database on a SQL server. Since we are just doing this for a lab we are going to use the Windows Internal Database. Click “Next >”
- Review the “Review Options” page and once satisfied click “Next >“
- If everything on the “Pre-requisite Checks” page checks out click “Configure” to initiate the configuration.
- Once the installation is successful click “Close” to exit the wizard and move on to configuring the Relying party.
Configure ADFS Certificates
In this step we need to configure ADFS to use the “Token-decrypting” and “Token-signing”certificates that were created previously. Once configured, the “Token-signing” certificate needs to be exported and a copy placed on the SharePoint server to be imported in a subsequent step.
- Navigate to the “Certificates” folder in the AD FS console
- Enter the following commands to disable certificate rollover
- In the right hand pane click the “Add Token-Signing Certificate…” action
- Select the appropriate certificate from the list of installed certificates. These were created in a previous step.
- In the “Token-signing” section two certificates will be listed. Highlight the new entry,“CN=signing.splab.local” and click “Set as Primary”. Acknowledge that changing the certificate will break the current relying party. That is fine since we haven’t used it yet.
- Repeat the steps for the Decrypting certificate. “Add Token-Decrypting Certificate…” entry
- Select the appropriate certificate from the list of installed certificates to function as the decrypting certificate. You can use the token-signing, but I choose to create individual certificates for each function.
- Highlight the “CN=decrypting.2008r2.local” entry in the “Token-decrypting” section and click the “Set as Primary” action
- The new certificates should be set as primary in each section. Optionally you could delete the secondary certificates which are self signed certificates created during the ADFS installation.
Export Token Signing Certificate
The Token-signing certificate needs to be exported and a copy placed on the SharePoint server that will be used to run the PowerShell commands to configure the “Trusted Identity Provider”. In this example we’ll copy it to the web front end server “SP-WFE-1”.
- Navigate to the “Certificates” folder in the AD FS console
- Highlight the primary token-signing certificate “CN=signing.splab.local” and click on the “View Certificate…” entry in the “Actions” pane
- Click the “Details” tab
- Click the “Copy to File…” button
- Select the “No, do not export the private key” option and click “Next >”
- Select the “DER encoded binary X.509 (.CER)” radio button and click “Next >”
- Click the “Browse…” button and navigate to a location on the local file system to save a copy of the export certificate.
- Click “Finish” to complete the action
- Copy the file to the SharePoint web front end server to be used in a later step
Test ADFS Connectivity
Now that ADFS has been configured we can verify the health of ADFS prior to configuring a“Trusted Identity Provider”.
- Access the WS-Metadata Exchange Endpoint
- Access the Federation Metadata endpoint
In both examples an XML result should be returned which validates the endpoints are functioning correctly: