This article is part 2 in our SharePoint 2013 ADFS 3.0 Installation and Configuration series for SharePoint 2013. However, it can also be read as a stand-alone article on how to configure a Certificate Authority on Windows Server 2012. In this post we’ll walk through the procedure to set up a Certificate Authority (CA) by provisioning the Active Directory Certificate Services role. This is necessary because ADFS uses certificates to encrypt and sign SAML tokens. In production you may opt to use 3rd party certificates from a trusted issuer; in a lab setup you may opt to use the self-signed certificates that ADFS will generate if no certificate is available during the installation process.
- SharePoint 2013 and ADFS 3.0 Installation Guide
- Part 1: Lab Environment
- Part 3: ADFS Prerequisites
- Part 4: How to Install and Configure ADFS 3.0
- Part 5: Configure Relying Party in ADFS 3.0
- Part 6: Configure Web Application for ADFS
- Part 7: Configure User Profile Service for ADFS
- Part 8: Validate Configuration with “Claims Viewer Web Part”
- Supplemental 1: Configure People Picker to resolve ADFS Identities
- Supplemental 2: Adding Host Name Site Collections to Existing Web Application Configured to use ADFS
- Supplemental 3: Configure Automatic Sign-In with Mixed Authentication
This post is in no way intended to outline how you would set up a CA for production use; it will instead guide you through the installation for a lab environment. The lab used for this blog series includes the following machines:
- DC1 – Windows Server 2012 R2 Standard Domain Controller
- SQL1 – SQL 2014 Server Enterprise on Windows Server 2012 R2
- SP-APP-1 – SharePoint 2013 Application Server on Windows Server 2012 R2
- SP-WFE-1 – SharePoint 2013 Web Front End Server on Windows Server 2012 R2
- SP-Win7-01 – Windows 7 Professional
In this example we’ll provision the Active Directory Certificate Services role on DC1.
Install Active Directory Certificate Services
- Launch Server Manager
- Click “Add roles and features” in the center pane under “Configure this local server”
- Click “Next” to skip the wizard introduction page
- Leave the default “Role-based or feature-based installation” radio button selected and click “Next”
- Select the server you wish to deploy to (we are using “DC1.splab.local”) and click “Next”
- Under “Roles” select “Active Directory Certificate Services”
- It will ask you to add the features that are required for this role. Click “Add Features”
- Click “Next” three times to move past the Features page.
- Under “Role Services” select “Certification Authority” and “Certification Authority Web Enrollment” and accept the required features. Then click “Next”.
- On the “Confirm installation selections” page you may have to specify an alternate source path to your Windows Server installation media if the server doesn’t already know where it is. Otherwise just click “Install” to begin the installation.
- Wait for the installation to complete
- Once the installation is complete you can click the yellow exclamation point on the Server Manager dashboard to configure the AD CS service.
- The wizard asks which credentials to use to configure the CA services. The account you use must be an Enterprise Admin to create an Enterprise CA, so make sure you have those permissions before continuing or choose an account that does. Then click “Next”
- Select both “Certification Authority” and “Certification Authority Web Enrollment” to configure and then click “Next >”
- On the “Setup Type” screen select the “Enterprise” option and click “Next >” to continue
- On the “CA Type” screen select the “Root CA” option and click “Next >”
- On the “Private Key” screen select the “Create a new private key” option and click “Next >”
- On the “Cryptography for CA” screen accept the defaults and click “Next >”
- On the “CA Name” screen choose a common name for the CA and click “Next >”
- On the “Set Validity Period” screen accept the default of 5 years and click “Next >”
- On the “Certificate Database” screen accept the default location of the database and log files and click “Next >”
- On the “Confirmation” screen review the settings and click “Configure” to begin provisioning the CA.
- On the “Results” screen verify that the components were successfully installed and click “Close”
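The same provisioning can be scripted instead of clicked through. The following is an added example, not code from the original post; it runs from an elevated PowerShell session on DC1 as an Enterprise Admin and reproduces the wizard choices above (Enterprise Root CA, new private key, 5-year validity, default database location). The common name “splab-DC1-CA” and the explicit choice of SHA256 are assumptions for the lab; the wizard’s own “Cryptography for CA” defaults may differ, and SHA256 is the hash a CA should be issuing with today.

```powershell
# Added example: script equivalent of the "Add roles and features" and
# "AD CS Configuration" wizard steps above. Not from the original post.
# Assumptions: run as Enterprise Admin on DC1; CA common name is a lab choice.

# 1. Install the role services selected under "Role Services"
#    (Certification Authority + Certification Authority Web Enrollment)
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA itself: Enterprise Root CA with a new private key
$caParams = @{
    CAType              = 'EnterpriseRootCA'                            # "Setup Type" = Enterprise, "CA Type" = Root CA
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # "Create a new private key"
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'                                       # chosen explicitly; avoid SHA1 for new CAs
    CACommonName        = 'splab-DC1-CA'                                 # assumed common name for the lab
    ValidityPeriod      = 'Years'                                        # "Set Validity Period" default of 5 years
    ValidityPeriodUnits = 5
    DatabaseDirectory   = 'C:\Windows\system32\CertLog'                  # wizard default database location
    LogDirectory        = 'C:\Windows\system32\CertLog'                  # wizard default log location
    Force               = $true                                          # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# 3. Configure the Web Enrollment role service (the second item selected on
#    the "Role Services to configure" page)
Install-AdcsWebEnrollment -Force
```

`Install-AdcsCertificationAuthority` and `Install-AdcsWebEnrollment` come from the ADCSDeployment module that `-IncludeManagementTools` installs; omitting `-Force` shows the same confirmation the wizard’s “Confirmation” screen does. The `CertLog` paths are the defaults the wizard proposes on the “Certificate Database” screen, so the result matches the GUI walkthrough.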
Now that the “Active Directory Certificate Services” role has been provisioned on the “DC1” domain controller we can verify that it is installed in “Server Manager”.
- Click on “AD CS” in the left pane. The center pane will display the servers that have that role installed. Right-click on “DC1” and then select “Certification Authority”.
- This will launch the CA snap-in, where you can verify that your CA is running properly.
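The snap-in check can be done from PowerShell as well, which is handy when you want to confirm the CA from a script or from another lab machine. The following is an added example, not part of the original post; it assumes the CA was provisioned with the common name “splab-DC1-CA” (a lab assumption) and is run on DC1, where the role is installed.

```powershell
# Added example (not from the original post): PowerShell equivalent of opening
# the Certification Authority snap-in to confirm the CA is installed and answering.
# Assumes the CA common name "splab-DC1-CA" chosen when the CA was configured.

function Test-LabCa {
    param(
        [string]$CommonName = 'splab-DC1-CA'   # assumed lab CA name
    )

    # Are both role services from the walkthrough installed?
    $features = Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment

    # Is the Active Directory Certificate Services service running?
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue

    # Does the CA answer on its RPC interface? (same check the snap-in makes
    # when it connects to the CA)
    certutil -ping | Out-Null
    $pingOk = ($LASTEXITCODE -eq 0)

    # An Enterprise CA publishes its root certificate to every domain member's
    # Trusted Root store; that trust is what lets domain machines accept the
    # certificates ADFS will later request from this CA.
    $rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CommonName*" }

    [PSCustomObject]@{
        RolesInstalled = ($features | ForEach-Object { $_.InstallState -eq 'Installed' }) -notcontains $false
        ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        CaResponds     = $pingOk
        RootTrusted    = [bool]$rootCert
        RootThumbprint = $rootCert.Thumbprint
    }
}

# Every property should read True on a correctly provisioned lab CA;
# RootThumbprint identifies the root certificate domain members will trust.
Test-LabCa | Format-List
```

`certutil -cainfo` prints the CA name, type and certificate details if you want the same information the snap-in’s Properties dialog shows. If `RootTrusted` is `False` on a domain member other than DC1, the machine has not yet picked up the root via Group Policy; `gpupdate /force` and a retry usually resolves it.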