
Step 2: Installing AD FS Role Services and Configuring Certificates

Updated: November 15, 2007

Applies To: Windows Server 2008

Now that you have configured the computers and joined them to the domain, you are ready to install Active Directory Federation Services (AD FS) role services on each of the servers. This section includes the following procedures:

  - Install the Federation Service on the account federation server (adfsaccount) and the resource federation server (adfsresource)
  - Configure IIS to require SSL on the default Web site of both federation servers
  - Install the claims-aware Web Agent on the Web server (adfsweb)

Administrative credentials

To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain. Log on to the adfsweb computer with the local Administrator account.

Use the following procedure to install the Federation Service component of AD FS on the adfsaccount computer and the adfsresource computer. After the Federation Service is installed on a computer, that computer becomes a federation server.

This Federation Service installation procedure walks you through the process of creating a new trust policy file and self-signed Secure Sockets Layer (SSL) and token-signing certificates for each federation server.

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles to start the Add Roles Wizard.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.

  5. On the Select Role Services page, select the Federation Service check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.

  6. On the Choose a Server Authentication Certificate for SSL Encryption page, click Create a self-signed certificate for SSL encryption, and then click Next.

  7. On the Choose a Token-Signing Certificate page, click Create a self-signed token-signing certificate, and then click Next.

  8. On the Select Trust Policy page, click Create a new trust policy, and then click Next twice.

  9. On the Select Role Services page, click Next to accept the default values.

  10. Verify the information on the Confirm Installation Selections page, and then click Install.

  11. On the Installation Results page, verify that everything installed correctly, and then click Close.

Use the following procedure to configure IIS to require SSL on the default Web site of both the adfsresource and adfsaccount federation servers.

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, double-click ADFSACCOUNT or ADFSRESOURCE, double-click Sites, and then click Default Web Site.

  3. In the center pane, double-click SSL Settings, and then select the Require SSL check box.

  4. Under Client certificates, click Accept, and then click Apply.
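The same change made from the command line, as an added example that is not part of the original guide. It assumes the IIS 7 appcmd.exe tool in its default location and the Default Web Site that the Add Roles Wizard configured; run it on each federation server. It also performs the check the wizard does not: that an https binding exists before SSL is made mandatory.

```powershell
# Added example, not part of the original guide. Run on adfsaccount and adfsresource.
# Assumes appcmd.exe in its default IIS 7 location and the wizard-configured Default Web Site.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = "Default Web Site"

function Get-SslFlags {
    # Returns the current sslFlags attribute of the site's <access> element, or "" if none
    # is set (no attribute means SSL is optional and client certificates are ignored).
    $xml = & $appcmd list config $site /section:system.webServer/security/access
    if (($xml -join "") -match 'sslFlags="([^"]*)"') { return $matches[1] } else { return "" }
}

function Set-RequireSsl {
    # Equivalent of SSL Settings > Require SSL (checked) with Client certificates > Accept.
    #   Ssl               require HTTPS for the site
    #   SslNegotiateCert  ask for a client certificate but do not insist on one ("Accept")
    # Use "Ssl,SslNegotiateCert,SslRequireCert" for "Require", or just "Ssl" for "Ignore".
    param([string]$Flags = "Ssl,SslNegotiateCert")
    & $appcmd set config $site /section:system.webServer/security/access "/sslFlags:$Flags" /commit:apphost | Out-Null
}

# Requiring SSL on a site with no https binding locks everyone out (HTTP requests get 403.4
# and nothing listens on 443), so confirm the https binding exists before flipping the switch.
$bindings = & $appcmd list site $site
if (($bindings -join "") -notmatch 'https/') {
    throw "No https binding on '$site'; bind the server authentication certificate first"
}

"Before: sslFlags = '$(Get-SslFlags)'"
Set-RequireSsl
$after = Get-SslFlags
if ($after -notmatch 'Ssl' -or $after -notmatch 'SslNegotiateCert') { throw "sslFlags is '$after'" }
"After:  sslFlags = '$after'"
```

The `/commit:apphost` switch writes the setting to applicationHost.config rather than to a web.config under the site, which is where the IIS Manager SSL Settings page stores it as well.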

You can use the following procedure to install the claims-aware Web Agent on the Web server (adfsweb).

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles to start the Add Roles Wizard.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.

  5. On the Select Role Services page, select the Claims-aware Agent check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.

  6. On the Web Server (IIS) page, click Next.

  7. On the Select Role Services page, in addition to the preselected check boxes, select the Client Certificate Mapping Authentication and IIS Management Console check boxes, and then click Next.

    The Client Certificate Mapping Authentication check box installs the components that IIS needs to create a self-signed server authentication certificate that is required for this server.

  8. After verifying the information on the Confirm Installation Selections page, click Install.

  9. On the Installation Results page, verify that everything installed correctly, and then click Close.

The most important factor in setting up the Web server and the federation servers successfully is creating and exporting the required certificates appropriately. Because you previously used the Add Roles Wizard to create the server authentication certificate for both of the federation servers, all you have to do now is to create the server authentication certificate for the adfsweb computer. This section includes the following procedures:

  - Create a self-signed server authentication certificate on the Web server (adfsweb)
  - Export the token-signing certificate from the account federation server (adfsaccount) to a file
  - Export the server authentication certificate from the resource federation server (adfsresource) to a file
  - Import the adfsresource server authentication certificate into the Trusted Root Certification Authorities store on adfsweb

Note
In a production environment, certificates are obtained from a certification authority (CA). For the purposes of the test lab deployment in this guide, self-signed certificates are used.

Use the following procedure on the Web server (adfsweb) to create a self-signed server authentication certificate.

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ADFSWEB.

  3. In the center pane, double-click Server Certificates.

  4. In the Actions pane, click Create Self-Signed Certificate.

  5. In the Create Self-Signed Certificate dialog box, type adfsweb, and then click OK.

Use the following procedure on the account federation server (adfsaccount) to export the token-signing certificate from adfsaccount to a file.

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. On the General tab, click View.

  4. On the Details tab, click Copy to File.

  5. On the Welcome to the Certificate Export Wizard page, click Next.

  6. On the Export Private Key page, click No, do not export the private key, and then click Next.

  7. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.

  8. On the File to Export page, type C:\adfsaccount_ts.cer, and then click Next.

    Note
    The adfsaccount token-signing certificate will be imported to adfsresource later, when the Account Partner Wizard prompts you for the Account Partner Verification Certificate. (See Step 4: Configuring the Federation Servers.) At that time, you access adfsaccount over the network from adfsresource to obtain this file.

  9. On the Completing the Certificate Export Wizard page, click Finish.

So that successful communication can occur between both the resource federation server (adfsresource) and the Web server (adfsweb), the Web server must first trust the root of the resource federation server.

Note
The Web server must trust the root of the resource federation server because Certificate Revocation List (CRL) checking is enabled by default. CRL checking can be disabled to remove this dependency, although procedures for disabling CRL checking are not provided in this guide. Disabling CRL checking can compromise the integrity of AD FS. Therefore, it is not recommended in a production environment. For more information about how to disable CRL checking, see Turn CRL checking on or off (http://go.microsoft.com/fwlink/?LinkId=68608).

Because self-signed certificates are used in the scenario that is described in this guide, the server authentication certificate is the root. Therefore, you must establish this trust by exporting the resource federation server (adfsresource) authentication certificate to a file and then importing the file to the Web server (adfsweb). To export the adfsresource server authentication certificate to a file, perform the following procedure on adfsresource.

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ADFSRESOURCE.

  3. In the center pane, double-click Server Certificates.

  4. In the center pane, right-click adfsresource.treyresearch.net, and then click Export.

  5. In the Export Certificate dialog box, click the browse (...) button next to Export to.

  6. In File name, type C:\adfsresource, and then click Open. The file is saved with a .pfx extension (C:\adfsresource.pfx).

    Note
    This certificate must be imported to adfsweb in the next procedure. Therefore, make this file accessible over the network to adfsweb. Because the .pfx file contains the private key of the adfsresource server authentication certificate, protect it with a strong password, limit who can read the share it is placed on, and delete the copy after the import is complete. The Web server needs only the public certificate to establish trust, so an export without the private key (a DER-encoded .cer file, as in the token-signing procedure above) would also serve.

  7. Type a password for the certificate, confirm it, and then click OK.

Perform the following procedure on the Web server (adfsweb).

  1. Click Start, click Run, type mmc, and then click OK.

  2. Click File, and then click Add/Remove Snap-in.

  3. Select Certificates, click Add, click Computer account, and then click Next.

  4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

  5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.

  6. On the Welcome to the Certificate Import Wizard page, click Next.

  7. On the File to Import page, type \\adfsresource\c$\adfsresource.pfx, and then click Next.

    Note
    You may have to map the network drive to obtain the adfsresource.pfx file. You can also copy the adfsresource.pfx file directly from adfsresource to adfsweb, and then point the wizard to that location.

  8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.

  9. On the Certificate Store page, click Place all certificates in the following store, verify that Trusted Root Certification Authorities is shown (it is preselected because you started the import from that folder), and then click Next.

  10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
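The two certificate transfers in this section (the adfsaccount token-signing certificate exported without its private key, and the adfsresource server authentication certificate placed in the Trusted Root store of adfsweb) done from PowerShell, as an added example that is not part of the original guide. It assumes the lab names used here (adfsaccount, adfsresource, adfsweb, the \\adfsresource\c$ share), that both certificates live in the LocalMachine\My store of the server that owns them, and that you read each certificate's thumbprint from its Details tab (or from `certutil -store My`) before running it. The import refuses a file whose thumbprint does not match the one recorded on the source server, and the final function builds the chain with online revocation checking, which is the dependency the CRL note above describes.

```powershell
# Added example, not part of the original guide. Assumes the lab names from this guide and that
# the certificates are in LocalMachine\My on the server that owns them.

function Export-PublicCert {
    # Writes only the public certificate (DER-encoded .cer) for the given thumbprint.
    # X509ContentType.Cert carries no private key, which is all a relying party needs,
    # whether it verifies tokens (adfsresource) or anchors trust (adfsweb).
    param([string]$Thumbprint, [string]$OutFile)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $cert = $store.Certificates.Find("FindByThumbprint", $Thumbprint, $false) | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    [System.IO.File]::WriteAllBytes($OutFile, $cert.Export("Cert"))
    return $cert.Thumbprint
}

function Import-TrustedRoot {
    # Run on adfsweb. The file crosses an SMB share, so it is trusted only if its thumbprint
    # matches the value recorded on adfsresource when it was exported.
    param([string]$CerFile, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint $($cert.Thumbprint) does not match expected $ExpectedThumbprint; not importing"
    }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $root.Open("ReadWrite")
    $root.Add($cert)      # no-op if the certificate is already present
    $root.Close()
}

function Test-ChainTrust {
    # Builds the chain the way AD FS validates it by default: online revocation checking on.
    # Returns $true when the certificate chains to a trusted root on this machine, otherwise
    # $false with the reason (for example UntrustedRoot) written as a warning.
    param([string]$CerFile)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $ok = $chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

# --- On adfsaccount: token-signing certificate, public part only (thumbprint from the
#     Federation Service Properties > General > View > Details tab).
# Export-PublicCert -Thumbprint "<token-signing thumbprint>" -OutFile C:\adfsaccount_ts.cer

# --- On adfsresource: server authentication certificate (subject adfsresource.treyresearch.net).
# $tp = Export-PublicCert -Thumbprint "<adfsresource SSL thumbprint>" -OutFile C:\adfsresource.cer

# --- On adfsweb: pin the thumbprint recorded on adfsresource, import, then verify the chain.
# Test-ChainTrust  -CerFile \\adfsresource\c$\adfsresource.cer     # False, UntrustedRoot, before import
# Import-TrustedRoot -CerFile \\adfsresource\c$\adfsresource.cer -ExpectedThumbprint $tp
# Test-ChainTrust  -CerFile \\adfsresource\c$\adfsresource.cer     # True after import
```

Running Test-ChainTrust before and after the import shows exactly why the CRL note matters: with a self-signed certificate that is not yet in the Trusted Root store, the chain fails with UntrustedRoot, and AD FS on adfsweb rejects the resource federation server for the same reason.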

© 2014 Microsoft. All rights reserved.