Applies To: Windows Server 2008
Now that you have configured the computers and joined them to the domain, you are ready to install Active Directory Federation Services (AD FS) role services on each of the servers. This section includes the following procedures:
Install the Federation Service
Configure IIS to require SSL on both federation servers
Install the AD FS Web Agent
Create, export, and import certificates
Administrative credentials
To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain. Log on to the adfsweb computer with the local Administrator account.
Use the following procedure to install the Federation Service component of AD FS on the adfsaccount computer and the adfsresource computer. After the Federation Service is installed on a computer, that computer becomes a federation server.
This Federation Service installation procedure walks you through the process of creating a new trust policy file and self-signed Secure Sockets Layer (SSL) and token-signing certificates for each federation server.
Click Start, point to Administrative Tools, and then click Server Manager.
Right-click Roles, and then click Add Roles to start the Add Roles Wizard.
On the Before You Begin page, click Next.
On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.
On the Select Role Services page, select the Federation Service check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.
On the Choose a Server Authentication Certificate for SSL Encryption page, click Create a self-signed certificate for SSL encryption, and then click Next.
On the Choose a Token-Signing Certificate page, click Create a self-signed token-signing certificate, and then click Next.
On the Select Trust Policy page, click Create a new trust policy, and then click Next twice.
On the Select Role Services page, click Next to accept the default values.
Verify the information on the Confirm Installation Selections page, and then click Install.
On the Installation Results page, verify that everything installed correctly, and then click Close.
Use the following procedure to configure IIS to require SSL on the default Web site of both the adfsresource and adfsaccount federation servers.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, double-click ADFSACCOUNT or ADFSRESOURCE, double-click Sites, and then click Default Web Site.
In the center pane, double-click SSL Settings, and then select the Require SSL check box.
Under Client certificates, click Accept, and then click Apply.
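The same SSL settings can be applied and checked from the command line with appcmd.exe, the IIS 7 configuration tool that ships with Windows Server 2008. The script below is an added example and is not part of the original guide; it assumes an elevated PowerShell prompt on the federation server and the default site name used above (Default Web Site). In the sslFlags attribute, Ssl corresponds to the Require SSL check box and SslNegotiateCert to Accept under Client certificates.

```powershell
# Added example, not from the original guide: require SSL on the Default Web Site
# and accept (but do not require) client certificates, using appcmd.exe.
# Run on adfsaccount and on adfsresource in an elevated PowerShell prompt.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'      # site name from the guide; change if yours differs
$section = 'system.webServer/security/access'

# Show the current setting first; an untouched site reports sslFlags="None".
& $appcmd list config $site "-section:$section"

# Ssl              = Require SSL (plain HTTP requests are rejected with 403.4)
# SslNegotiateCert = Accept client certificates (ask for one, but do not require it)
# Use SslRequireCert instead of SslNegotiateCert if you want Require rather than Accept.
& $appcmd set config $site "-section:$section" '-sslFlags:Ssl,SslNegotiateCert' '-commit:apphost'
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed with exit code $LASTEXITCODE" }

# Verify: the listed sslFlags value must now contain both Ssl and SslNegotiateCert.
$current = & $appcmd list config $site "-section:$section" | Out-String
if ($current -notmatch 'sslFlags="[^"]*Ssl[^"]*SslNegotiateCert') {
    throw "SSL settings were not applied as expected:`n$current"
}
Write-Host "SSL is required and client certificates are accepted on '$site'."
```

The change is committed to applicationHost.config (-commit:apphost), which is the same place IIS Manager writes it, so the SSL Settings page in IIS Manager will reflect the result immediately.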
You can use the following procedure to install the claims-aware Web Agent on the Web server (adfsweb).
Click Start, point to Administrative Tools, and then click Server Manager.
Right-click Roles, and then click Add Roles to start the Add Roles Wizard.
On the Before You Begin page, click Next.
On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.
On the Select Role Services page, select the Claims-aware Agent check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.
On the Web Server (IIS) page, click Next.
On the Select Role Services page, in addition to the preselected check boxes, select the Client Certificate Mapping Authentication and IIS Management Console check boxes, and then click Next.
The Client Certificate Mapping Authentication check box installs the components that IIS needs to create a self-signed server authentication certificate that is required for this server.
After verifying the information on the Confirm Installation Selections page, click Install.
On the Installation Results page, verify that everything installed correctly, and then click Close.
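The Add Roles Wizard steps above can also be scripted with ServerManagerCmd.exe, the Windows Server 2008 command-line counterpart of Server Manager. The script below is an added example and is not part of the original guide. It assumes an elevated PowerShell prompt on adfsweb and that the role-service IDs reported by ServerManagerCmd -query on your build are ADFS-Claims, Web-Cert-Auth and Web-Mgmt-Console; if the query output shows different IDs, use those instead.

```powershell
# Added example, not from the original guide: install the Claims-aware Agent plus the
# Client Certificate Mapping Authentication and IIS Management Console role services
# with ServerManagerCmd.exe, then verify that all three are present. Run elevated on adfsweb.
# Role-service IDs below are assumed from "ServerManagerCmd -query" output; confirm them there.
$wanted = @(
    'ADFS-Claims',       # AD FS Web Agents > Claims-aware Agent
    'Web-Cert-Auth',     # Web Server (IIS) > Security > Client Certificate Mapping Authentication
    'Web-Mgmt-Console'   # Web Server (IIS) > Management Tools > IIS Management Console
)

function Get-InstalledFeatureIds {
    # -query prints one line per role/feature; installed ones are marked [X]
    # and every line ends with the feature ID in square brackets (format assumed).
    $ids = @()
    foreach ($line in (& ServerManagerCmd.exe -query)) {
        if ($line -match '^\s*\[X\].*\[(?<id>[^\]]+)\]\s*$') { $ids += $matches['id'] }
    }
    return $ids
}

$before  = Get-InstalledFeatureIds
$missing = @($wanted | Where-Object { $before -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host 'All requested role services are already installed.'
} else {
    # Required dependencies (Web Server role, Windows Process Activation Service)
    # are added automatically, just as the wizard's Add Required Role Services does.
    foreach ($id in $missing) {
        Write-Host "Installing $id ..."
        & ServerManagerCmd.exe -install $id
    }
}

# Verify by querying again rather than trusting the exit code alone.
$after        = Get-InstalledFeatureIds
$stillMissing = @($wanted | Where-Object { $after -notcontains $_ })
if ($stillMissing.Count -gt 0) {
    throw "Role services not installed: $($stillMissing -join ', ')"
}
Write-Host 'Claims-aware Agent, Client Certificate Mapping Authentication and IIS Management Console are installed.'
```

Querying before and after the install is the command-line equivalent of checking the Installation Results page; it also makes the script safe to rerun on a server where some of the role services are already present.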
The most important factor in setting up the Web server and the federation servers successfully is creating and exporting the required certificates appropriately. Because you previously used the Add Roles Wizard to create the server authentication certificate for both of the federation servers, all you have to do now is to create the server authentication certificate for the adfsweb computer. This section includes the following procedures:
Create a server authentication certificate for adfsweb
Export the token-signing certificate from adfsaccount to a file
Export the adfsresource server authentication certificate to a file
Import the server authentication certificate for adfsresource to adfsweb
Note
In a production environment, certificates are obtained from a certification authority (CA). For the purposes of the test lab deployment in this guide, self-signed certificates are used.
Use the following procedure on the Web server (adfsweb) to create a self-signed server authentication certificate.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, click ADFSWEB.
In the center pane, double-click Server Certificates.
In the Actions pane, click Create Self-Signed Certificate.
In the Create Self-Signed Certificate dialog box, type adfsweb, and then click OK.
Use the following procedure on the account federation server (adfsaccount) to export the token-signing certificate from adfsaccount to a file.
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Right-click Federation Service, and then click Properties.
On the General tab, click View.
On the Details tab, click Copy to File.
On the Welcome to the Certificate Export Wizard page, click Next.
On the Export Private Key page, click No, do not export the private key, and then click Next.
On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.
On the File to Export page, type C:\adfsaccount_ts.cer, and then click Next.
Note
The adfsaccount token-signing certificate will be imported to adfsresource later when the Account Partner Wizard prompts you for the Account Partner Verification Certificate. (See Step 4: Configuring the Federation Servers.) At that time, you access adfsaccount over the network from adfsresource to obtain this file.
On the Completing the Certificate Export Wizard page, click Finish.
For the resource federation server (adfsresource) and the Web server (adfsweb) to communicate successfully, the Web server must first trust the root of the certificate chain presented by the resource federation server.
Note
The Web server must trust the root of the resource federation server because Certificate Revocation List (CRL) checking is enabled by default. CRL checking can be disabled to remove this dependency, although procedures for disabling CRL checking are not provided in this guide. Disabling CRL checking can compromise the integrity of AD FS. Therefore, it is not recommended in a production environment. For more information about how to disable CRL checking, see Turn CRL checking on or off (https://go.microsoft.com/fwlink/?LinkId=68608).
Because self-signed certificates are used in the scenario that is described in this guide, the server authentication certificate is the root. Therefore, you must establish this trust by exporting the resource federation server (adfsresource) authentication certificate to a file and then importing the file to the Web server (adfsweb). To export the adfsresource server authentication certificate to a file, perform the following procedure on adfsresource.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, click ADFSRESOURCE.
In the center pane, double-click Server Certificates.
In the center pane, right-click adfsresource.treyresearch.net, and then click Export.
In the Export Certificate dialog box, click the … button.
In File name, type C:\adfsresource, and then click Open.
Note
This certificate must be imported to adfsweb in the next procedure. Therefore, make this file accessible over the network to adfsweb.
Type a password for the certificate, confirm it, and then click OK.
Perform the following procedure on the Web server (adfsweb).
Click Start, click Run, type mmc, and then click OK.
Click File, and then click Add/Remove Snap-in.
Select Certificates, click Add, click Computer account, and then click Next.
Click Local computer: (the computer this console is running on), click Finish, and then click OK.
In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, type \\adfsresource\c$\adfsresource.pfx, and then click Next.
Note
You may have to map a network drive to reach the adfsresource.pfx file. You can also copy the adfsresource.pfx file directly from adfsresource to adfsweb, and then point the wizard to that location. Because a .pfx file carries the private key, this import also places the adfsresource server authentication private key on adfsweb. That is acceptable for this test lab, but in a production environment establish trust by exporting only the public certificate (DER encoded binary X.509 .CER, without the private key) and importing that file into Trusted Root Certification Authorities.
On the Password page, type the password for the adfsresource.pfx file, and then click Next.
On the Certificate Store page, click Place all certificates in the following store, verify that Certificate store shows Trusted Root Certification Authorities, and then click Next.
On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
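The three certificate procedures above (exporting the adfsaccount token-signing certificate, exporting the adfsresource server authentication certificate, and importing it into the Trusted Root Certification Authorities store on adfsweb) can be done without the wizards, using the PowerShell certificate provider and the .NET X509 classes that exist on Windows Server 2008. The script below is an added example and is not part of the original guide. It assumes PowerShell 2.0 (available for Windows Server 2008 through the Windows Management Framework), that the adfsresource server authentication certificate has the subject CN=adfsresource.treyresearch.net as shown in IIS Manager, and that the .cer file is copied to adfsweb by hand or over \\adfsresource\c$ as in the guide. Unlike the IIS Manager Export, it writes only the public certificate, so no private key leaves the federation server.

```powershell
# Added example, not from the original guide: export a certificate's public part as a
# DER .cer on a federation server, then import it into Trusted Root on the Web server
# and confirm that a chain builds with revocation checking on (AD FS enables CRL checking
# by default). Subject names and paths are assumptions; adjust them to your lab.

# --- Run on adfsresource (server authentication cert) or adfsaccount (token-signing cert) ---
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Subject,  # e.g. 'CN=adfsresource.treyresearch.net'
        [Parameter(Mandatory=$true)][string]$Path      # e.g. 'C:\adfsresource.cer'
    )
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$Subject' in LocalMachine\My, found $($certs.Count)"
    }
    # X509ContentType::Cert produces the DER-encoded public certificate only; the private key
    # stays in this machine's key store (the .pfx from IIS Manager would carry it along).
    $der = $certs[0].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $certs[0].Thumbprint   # note this down; compare it on the importing machine
}

# --- Run on adfsweb after copying the .cer file there ---
function Import-TrustedRoot {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$ExpectedThumbprint = ''   # thumbprint printed by Export-PublicCertificate, if you have it
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint)) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    # Only a self-signed certificate belongs in Trusted Root. A CA-issued certificate
    # should not be added here; its issuing root is what gets trusted instead.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate is not self-signed (issuer: $($cert.Issuer)); refusing to add it to Root"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    # Check: a chain must now build for this certificate with online revocation checking,
    # which is the condition the Note above describes (CRL checking is on by default).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain does not build after import: $status"
    }
    return $cert.Thumbprint
}

# Usage (assumed names):
# On adfsresource: $tp = Export-PublicCertificate -Subject 'CN=adfsresource.treyresearch.net' -Path 'C:\adfsresource.cer'
# On adfsaccount:  Export-PublicCertificate -Subject '<subject of the token-signing certificate>' -Path 'C:\adfsaccount_ts.cer'
# On adfsweb:      Import-TrustedRoot -Path '\\adfsresource\c$\adfsresource.cer' -ExpectedThumbprint '<value of $tp>'
```

Carrying the thumbprint from the exporting machine to the importing one by a second channel (for example, reading it off the console) is what lets you detect a swapped or tampered file before it lands in the Trusted Root store, which is the one store that an attacker most wants to write to.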