Configure a computer for the federation server proxy role

Applies To: Azure, Office 365, Power BI, Windows Intune

After you configure a computer with the required certificates and have installed the AD FS software, you are ready to configure the computer to become a federation server proxy.

Important

Before you run through the steps below to configure the federation server proxy, make sure that you have followed all the steps for the checklists provided in Checklist: Deploy your federation server farm on legacy versions of Windows Server. Make sure that at least one federation server is deployed and that all the necessary credentials for authorizing a federation server proxy configuration are implemented. You must also configure Secure Sockets Layer (SSL) bindings on the Default Web Site or this wizard will not start. All these tasks must be completed before this federation server proxy can function.

  • Configure a federation server proxy using AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2

  • Configure a federation server proxy using AD FS on Windows Server 2012

Configure a federation server proxy using AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2

  1. On the Completed the AD FS 2.0 Setup Wizard page in the AD FS 2.0 Setup Wizard, a check box named Start the AD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes is selected by default. Start the wizard, and then, on the Welcome page, click Next.

  2. On the Specify Federation Service Name page, under Federation Service name, type the name that represents the Federation Service for which this computer will act in the proxy role (for example, fs.fabrikam.com).

  3. Based on your specific network requirements, determine whether you will need to use an HTTP proxy server to forward requests to the Federation Service. If so, select the Use an HTTP proxy server when sending requests to this Federation Service check box, type the address of the proxy server under HTTP proxy server address, click Test Connection to verify connectivity, and then click Next.

  4. When you are prompted, specify the credentials that are necessary to establish a trust between this federation server proxy and the Federation Service.

    By default, only the service account used by the Federation Service or a member of the local BUILTIN\Administrators group can authorize a federation server proxy.

  5. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.

  6. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

Important

It is strongly recommended that instead of using the default option of Integrated Windows Authentication, you switch to using forms-based authentication on your AD FS federation server proxies. For detailed instructions on how to customize your local authentication type, see https://go.microsoft.com/fwlink/?LinkID=285972.

After you finish setting up the computer, verify that the federation server proxy is working as expected.

Configure a federation server proxy using AD FS on Windows Server 2012

  1. There are two ways to start the AD FS Federation Server Proxy Configuration Wizard. To start the wizard, do one of the following:

    • On the Start screen, type AD FS Federation Server Proxy Configuration Wizard, and then press ENTER.

    • Anytime after the setup wizard is complete, open Windows Explorer, navigate to the C:\Windows\ADFS folder, and then double-click FspConfigWizard.exe.

  2. Using either method, start the wizard, and on the Welcome page, click Next.

  3. On the Specify Federation Service Name page, under Federation Service name, type the name that represents the Federation Service for which this computer will act in the proxy role.

  4. Based on your specific network requirements, determine whether you will need to use an HTTP proxy server to forward requests to the Federation Service. If so, select the Use an HTTP proxy server when sending requests to this Federation Service check box, type the address of the proxy server under HTTP proxy server address, click Test Connection to verify connectivity, and then click Next.

  5. When you are prompted, specify the credentials that are necessary to establish a trust between this federation server proxy and the Federation Service.

    By default, only the service account used by the Federation Service or a member of the local BUILTIN\Administrators group can authorize a federation server proxy.

  6. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.

  7. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

    There is no Microsoft Management Console (MMC) snap-in to use for administering federation servers. To configure settings for each of the federation servers in your organization, use Windows PowerShell cmdlets.

Important

It is strongly recommended that instead of using the default option of Integrated Windows Authentication, you switch to using forms-based authentication on your AD FS federation server proxies. For detailed instructions on how to customize your local authentication type, see https://go.microsoft.com/fwlink/?LinkID=285972.
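
The prerequisites listed at the top of this topic (an SSL binding on the Default Web Site and a deployed, reachable federation server) can be checked from the proxy computer before the wizard is started. The following Windows PowerShell script is an added example, not part of the original procedure; it assumes the sample name fs.fabrikam.com, direct connectivity to the Federation Service without a forward HTTP proxy, and an elevated session.

```powershell
# Added example: pre-flight checks for a federation server proxy (run elevated).
# Assumptions: fs.fabrikam.com is the sample name from this topic; the proxy
# reaches the Federation Service directly (no forward HTTP proxy).
param(
    [string]$FederationServiceName = 'fs.fabrikam.com',
    [string]$SiteName = 'Default Web Site'
)
Import-Module WebAdministration
$checks = @{}

# 1. The configuration wizard will not start without an SSL binding on the site.
$checks['1. HTTPS binding on site'] = [bool](Get-WebBinding -Name $SiteName -Protocol https)

# 2. The Federation Service name must resolve from this computer.
$addresses = $null
try { $addresses = [System.Net.Dns]::GetHostAddresses($FederationServiceName) } catch { }
$checks['2. DNS resolution'] = [bool]$addresses

# 3. TCP 443 to the Federation Service must be reachable.
$tcpOk = $false
$client = New-Object System.Net.Sockets.TcpClient
try { $client.Connect($FederationServiceName, 443); $tcpOk = $client.Connected }
catch { }
finally { $client.Close() }
$checks['3. TCP 443 reachable'] = $tcpOk

# 4. Download the federation metadata. This fails if the service's SSL
#    certificate is not trusted by this computer or does not match the name.
$metaOk = $false
$url = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try { $metaOk = (New-Object System.Net.WebClient).DownloadString($url) -match 'EntityDescriptor' }
catch { }
$checks['4. Federation metadata over HTTPS'] = $metaOk

# Report each check in order, then return a non-zero exit code if any failed.
$checks.GetEnumerator() | Sort-Object Name |
    Select-Object @{n='Check';e={$_.Name}}, @{n='Passed';e={$_.Value}} |
    Format-Table -AutoSize
if ($checks.Values -contains $false) { exit 1 }
```

If your network requires an HTTP proxy server to reach the Federation Service, checks 3 and 4 can fail even when the wizard's own Test Connection succeeds.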

Next step

Now that you have configured a computer for the federation server proxy role, navigate back to Checklist: Configure extranet access for AD FS on legacy versions of Windows Server and complete the rest of the steps.

See Also

Concepts

Checklist: Configure extranet access for AD FS on legacy versions of Windows Server
Checklist: Use AD FS to implement and manage single sign-on