Configure the first federation server in the federation server farm

Applies To: Azure, Office 365, Power BI, Windows Intune

You can use the following procedures to set up the computer to become the first federation server in a new federation server farm using the AD FS Federation Server Configuration Wizard.

Important

AD FS can be installed and configured as a separate package (referred to as AD FS 2.0) for the Windows Server 2008 and Windows Server 2008 R2 operating system platforms. AD FS can also be installed and configured by adding the Federation Service server role as part of the Windows Server 2012 operating system.

  • Create the first federation server in the federation server farm using AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2

  • Create the first federation server in the federation server farm using AD FS on Windows Server 2012

Create the first federation server in the federation server farm using AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2

Membership in Domain Admins, or a delegated domain account that has been granted write access to the Program Data container in Active Directory, is the minimum access required to complete this procedure.

  1. After the AD FS 2.0 software installation is complete, click Start, then Administrative Tools, and then AD FS 2.0 Management to open the AD FS 2.0 Management snap-in.

  2. On the Overview page, click AD FS 2.0 Federation Server Configuration Wizard.

  3. On the Welcome page, verify that Create a new Federation Service is selected, and then click Next.

  4. On the Select Stand-Alone or Farm Deployment page, click New federation server farm, and then click Next.

  5. On the Specify the Federation Service Name page, verify that the SSL certificate that is showing matches the name of the certificate that was imported into the Default Web Site in IIS previously. If this is not the correct certificate, select the appropriate certificate from the SSL certificate list.

    Note

    The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that any intended prior IIS configuration for SSL certificates is preserved. To work around this issue, you can go back and import the certificate to the Default Web Site of IIS again.

  6. If you have previously reinstalled AD FS on this computer, then the Existing AD FS Configuration Database Detected page appears. If that page appears, click Delete database, and then click Next.

  7. On the Specify a Service Account page, click Browse. In the Browse dialog box, locate the domain account that will be used as the service account in this new federation server farm, and then click OK. Type the password for this account, confirm it, and then click Next.

  8. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring AD FS 2.0 with these settings.

  9. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

    Note

    When you finish the steps in this procedure, the AD FS 2.0 Management snap-in will automatically open and a message will appear indicating that the Required Configuration is Incomplete and that you should Add a trusted relying party. You can disregard this message.

    A relying party trust for Microsoft Azure Active Directory (Microsoft Azure AD) will be added in a later step. For more information, see Install Windows PowerShell for single sign-on with AD FS. Once this step has been completed, this message will disappear from the AD FS 2.0 Management snap-in.

  10. In the right-hand pane, click Edit Federation Service Properties and modify the Federation Service display name field to be that of your federation brand name, for example, your company name. This name is visible to your end users when they log in to access your SSO-enabled applications.

Create the first federation server in the federation server farm using AD FS on Windows Server 2012

  1. Start the AD FS Federation Server Configuration Wizard in one of the following two ways:

    • After the Federation Service role service installation is complete, open the AD FS Management snap-in and click the AD FS Federation Server Configuration Wizard link on the Overview page or in the Actions pane.

    • Any time after the setup wizard is complete, open Windows Explorer, navigate to the C:\Windows\ADFS folder, and then double-click FsConfigWizard.exe.

  2. On the Welcome page, verify that Create a new Federation Service is selected, and then click Next.

  3. On the Select Stand-Alone or Farm Deployment page, click New federation server farm, and then click Next.

  4. On the Specify the Federation Service Name page, verify that the SSL certificate that is showing is correct. If this is not the correct certificate, select the appropriate certificate from the SSL certificate list.

    This certificate is generated from the Secure Sockets Layer (SSL) settings for the Default Web Site. If the Default Web Site has only one SSL certificate configured, that certificate is presented and automatically selected for use. If multiple SSL certificates are configured for the Default Web Site, all those certificates are listed here and you must select from among them. If there are no SSL settings configured for the Default Web Site, the list is generated from the certificates that are available in the personal certificates store on the local computer.

    Note

    The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that any intended prior IIS configuration for SSL certificates is preserved. To work around this restriction, you can remove the certificate or reconfigure it manually with the IIS Management Console.

  5. If the AD FS database that you selected already exists, the Existing AD FS Configuration Database Detected page appears. If that page appears, click Delete database, and then click Next.

    Warning

    Select this option only when you are sure that the data in this AD FS database is not important or that it is not used in a production federation server farm.

  6. On the Specify a Service Account page, click Browse. In the Browse dialog box, locate the domain account that will be used as the service account in this new federation server farm, and then click OK. Type the password for this account, confirm it, and then click Next.

  7. On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring AD FS with these settings.

  8. On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

    Security Note

    For secure deployment purposes, artifact resolution and replay detection are disabled when you use the AD FS Federation Server Configuration Wizard to configure a federation server farm. This wizard automatically configures the Windows Internal Database for storing service configuration data. You might, however, mistakenly undo this change by enabling the Artifact Resolution endpoint using either the Endpoints node in the AD FS Management snap-in or the Enable-ADFSEndpoint cmdlet in Windows PowerShell. Be careful not to reconfigure the default setting, so that this endpoint remains disabled when you use a federation server farm and the Windows Internal Database together.

Note

After you have configured the first federation server in your farm, in the right-hand pane, click Edit Federation Service Properties and modify the Federation Service display name field to be that of your federation brand name, for example, your company name. This name is visible to your end users when they log in to access your SSO-enabled applications.

Next step

Now that you have configured the first federation server in your federation server farm, navigate back to Checklist: Deploy your federation server farm on legacy versions of Windows Server and complete the rest of the steps.

See Also

Concepts

Checklist: Deploy your federation server farm on legacy versions of Windows Server
Checklist: Use AD FS to implement and manage single sign-on