Step 2: Installing AD FS Role Services and Configuring Certificates

Applies To: Windows Server 2008 R2

Now that you have configured the computers and joined them to the domain, you are ready to install Active Directory Federation Services (AD FS) role services on each of the servers. This step includes the following procedures:

  • Install the Federation Service

  • Configure IIS to require SSL on both federation servers

  • Install the AD FS Web Agent

  • Create, export, and import certificates

Administrative credentials

To perform all the procedures in this step, log on to the adfsaccount computer and the adfsresource computer with the Administrator account for the domain. Log on to the adfsweb computer with the local Administrator account.

Install the Federation Service

Use the following procedure to install the Federation Service component of AD FS on the adfsaccount computer and the adfsresource computer. After the Federation Service is installed on a computer, that computer becomes a federation server.

This Federation Service installation procedure guides you through the process of creating a new trust policy file, self-signed Secure Sockets Layer (SSL) certificates, and token-signing certificates for each federation server.

To install the Federation Service

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles to start the Add Roles Wizard.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.

  5. On the Select Role Services page, select the Federation Service check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.

  6. On the Choose a Server Authentication Certificate for SSL Encryption page, click Create a self-signed certificate for SSL encryption, and then click Next.

  7. On the Choose a Token-Signing Certificate page, click Create a self-signed token-signing certificate, and then click Next.

  8. On the Select Trust Policy page, click Create a new trust policy, and then click Next twice.

  9. On the Select Role Services page, click Next to accept the default values.

  10. Verify the information on the Confirm Installation Selections page, and then click Install.

  11. On the Installation Results page, verify that everything installed correctly, and then click Close.

Configure IIS to require SSL on both federation servers

Use the following procedures to configure Internet Information Services (IIS) to require SSL on the default Web site of both the adfsresource federation server and the adfsaccount federation server.

To configure IIS on the adfsaccount server

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, double-click ADFSACCOUNT, double-click Sites, and then click Default Web Site.

  3. In the Actions pane, click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In Type, click https.

  6. Under SSL certificate, click adfsaccount.adatum.com, click OK, and then click Close.

  7. In the center pane, double-click SSL Settings, and then select the Require SSL check box.

  8. Under Client certificates, click Accept, and then click Apply.

To configure IIS on the adfsresource server

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, double-click ADFSRESOURCE, double-click Sites, and then click Default Web Site.

  3. In the center pane, double-click SSL Settings, and then select the Require SSL check box.

  4. Under Client certificates, click Accept, and then click Apply.
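The same IIS setting for both federation servers, as an added PowerShell 2.0 example that is not part of the original guide: it adds the https binding if the site lacks one, binds the self-signed server authentication certificate, sets Require SSL with client certificates set to Accept, and reads the setting back so you can confirm it before moving on. It assumes the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2, the site and certificate subject names used in this guide, and the sslFlags values as IIS documents them.

```powershell
# Added example: require SSL on the Default Web Site and accept (not require)
# client certificates, matching the IIS Manager steps above. Assumes IIS 7.5
# with the WebAdministration module (Windows Server 2008 R2). Run on each
# federation server; change $certSubject to "adfsresource.treyresearch.net"
# on adfsresource.
Import-Module WebAdministration

$siteName    = "Default Web Site"
$certSubject = "adfsaccount.adatum.com"   # self-signed cert created by the Add Roles Wizard

# Pick the server authentication certificate from the machine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$certSubject*" } |
    Select-Object -First 1
if ($cert -eq $null) { throw "No certificate with subject CN=$certSubject in LocalMachine\My" }

# Add the https binding only if the site does not already have one (steps 4-6 on adfsaccount).
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
# IIS:\SslBindings maps IP!port to a certificate; bind port 443 to our certificate.
if (-not (Test-Path IIS:\SslBindings\0.0.0.0!443)) {
    $cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null
}

# "Require SSL" plus "Client certificates: Accept" is sslFlags = Ssl,SslNegotiateCert.
# (SslRequireCert would correspond to "Require", which this guide does not use.)
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter "system.webServer/security/access" -Name sslFlags `
    -Value "Ssl,SslNegotiateCert"

# Read the setting back: a site that still answers plain HTTP has no "Ssl" flag.
$flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter "system.webServer/security/access" -Name sslFlags
if ("$flags" -notmatch "Ssl") { throw "SSL is not required on $siteName" }
Write-Host "OK: $siteName requires SSL (sslFlags=$flags), certificate $($cert.Thumbprint)"
```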

Install the AD FS Web Agent

Use the following procedure to install the claims-aware Web Agent on the Web server (adfsweb).

To install the AD FS Web Agent

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles to start the Add Roles Wizard.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.

  5. On the Select Role Services page, select the Claims-aware Agent check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.

  6. On the Web Server (IIS) page, click Next.

  7. On the Select Role Services page, in addition to the preselected check boxes, select the Client Certificate Mapping Authentication and IIS Management Console check boxes, and then click Next.

    The Client Certificate Mapping Authentication check box installs the components that IIS must have to create a self-signed server authentication certificate that is required for this server.

  8. After you verify the information on the Confirm Installation Selections page, click Install.

  9. On the Installation Results page, verify that everything installed correctly, and then click Close.

Create, export, and import certificates

The most important factor in setting up the Web server and the federation servers successfully is creating and exporting the required certificates appropriately. Because you previously used the Add Roles Wizard to create the server authentication certificate for both of the federation servers, all you have to do now is create the server authentication certificate for the adfsweb computer. This section includes the following procedures:

  • Create a server authentication certificate for adfsweb

  • Export the token-signing certificate from adfsaccount to a file

  • Export the adfsresource server authentication certificate to a file

  • Import the server authentication certificate for adfsresource to adfsweb

Note

In a production environment, certificates are obtained from a certification authority (CA). For the purposes of the test lab deployment in this guide, self-signed certificates are used.

Create a server authentication certificate for adfsweb

Use the following procedure on the Web server (adfsweb) to create a self-signed server authentication certificate.

To create a server authentication certificate for adfsweb

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ADFSWEB.

  3. In the center pane, double-click Server Certificates.

  4. In the Actions pane, click Create Self-Signed Certificate.

  5. In the Create Self-Signed Certificate dialog box, type adfsweb, and then click OK.

Export the token-signing certificate from adfsaccount to a file

Use the following procedure on the account federation server (adfsaccount) to export the token-signing certificate from adfsaccount to a file.

To export the token-signing certificate from adfsaccount to a file

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. On the General tab, click View.

  4. On the Details tab, click Copy to File.

  5. On the Welcome to the Certificate Export Wizard page, click Next.

  6. On the Export Private Key page, click No, do not export the private key, and then click Next.

  7. On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.

  8. On the File to Export page, type d:\adfsaccount_ts.cer, and then click Next.

Note

The adfsaccount token-signing certificate will be imported to adfsresource later when the Account Partner Wizard prompts you for the Account Partner Verification Certificate. (See Step 4: Configuring the Federation Servers.) At that time, you access adfsresource over the network to obtain this file.

  9. On the Completing the Certificate Export Wizard page, click Finish.

Export the adfsresource server authentication certificate to a file

For the resource federation server (adfsresource) and the Web server (adfsweb) to communicate successfully, the Web server must first trust the root of the resource federation server.

Note

The Web server must trust the root of the resource federation server because Certificate Revocation List (CRL) checking is enabled by default. You can disable CRL checking to remove this dependency, although procedures for disabling CRL checking are not provided in this guide. Disabling CRL checking can compromise the integrity of AD FS. Therefore, it is not recommended in a production environment. For more information about how to disable CRL checking, see Turn CRL checking on or off (https://go.microsoft.com/fwlink/?LinkId=68608).

Because self-signed certificates are used in the scenario that is described in this guide, the server authentication certificate is the root. Therefore, you must establish this trust by exporting the resource federation server (adfsresource) authentication certificate to a file and then importing the file to the Web server (adfsweb). To export the adfsresource server authentication certificate to a file, perform the following procedure on adfsresource.

To export the adfsresource server authentication certificate to a file

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ADFSRESOURCE.

  3. In the center pane, double-click Server Certificates.

  4. In the center pane, right-click adfsresource.treyresearch.net, and then click Export.

  5. In the Export Certificate dialog box, click the browse (...) button next to Export to.

  6. In File name, type d:\adfsresource, and then click Open.

Note

This certificate must be imported to adfsweb in the next procedure. Therefore, make this file accessible over the network to adfsweb.

  7. Type a password for the certificate, confirm it, and then click OK.

Import the server authentication certificate for adfsresource to adfsweb

To import the server authentication certificate for adfsresource, perform the following procedure on the Web server (adfsweb).

To import the server authentication certificate for adfsresource to adfsweb

  1. Click Start, click Run, type mmc, and then click OK.

  2. Click File, and then click Add/Remove Snap-in.

  3. Select Certificates, click Add, click Computer account, and then click Next.

  4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

  5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.

  6. On the Welcome to the Certificate Import Wizard page, click Next.

  7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.

Note

You may have to map the network drive to obtain the adfsresource.pfx file. You can also copy the adfsresource.pfx file directly from adfsresource to adfsweb, and then point the wizard to that location.

  8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.

  9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

  10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
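The export from adfsresource and the import on adfsweb above, as an added PowerShell 2.0 example that is not part of the original guide: the first function, run on adfsresource, writes only the public certificate as DER .cer, which is all a trust root needs, so unlike the .pfx export in IIS Manager the private key never leaves the federation server; the second, run on adfsweb, places that certificate in the computer's Trusted Root Certification Authorities store and then builds a certificate chain to confirm that the Web server now trusts adfsresource. The certificate subject, the d:\ path and the \\adfsresource\d$ share are the ones this guide uses; the .cer file name is an assumption.

```powershell
# Added example (not part of the original guide): establish the adfsweb -> adfsresource
# trust with the public certificate only. Subject and paths are those used in this guide.

# Run on adfsresource. X509ContentType.Cert exports the certificate alone, so the
# resulting .cer contains no private key (the IIS Manager export above writes a .pfx).
function Export-PublicCert {
    param([string]$Subject = "adfsresource.treyresearch.net",
          [string]$Path = "d:\adfsresource.cer")           # assumed file name
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" } | Select-Object -First 1
    if ($cert -eq $null) { throw "CN=$Subject not found in LocalMachine\My" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $cert.Thumbprint
}

# Run on adfsweb. Adds the .cer to Trusted Root Certification Authorities of the
# computer account (the store chosen in step 5 above) and then builds a chain, which
# is the check IIS performs when it validates the adfsresource server certificate.
function Import-TrustedRoot {
    param([string]$Path = "\\adfsresource\d$\adfsresource.cer")
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path)
    if ($cert.Subject -notlike "*adfsresource*") { throw "Unexpected subject: $($cert.Subject)" }

    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList "Root", "LocalMachine"
    $store.Open("ReadWrite")
    $store.Add($cert)       # adding a certificate that is already present is a no-op
    $store.Close()

    # Default chain policy: online revocation checking with the root excluded, so the
    # self-signed root needs no CRL of its own and the chain must now build.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        throw "adfsweb still does not trust $($cert.Subject): $why"
    }
    return $cert.Thumbprint
}
```

Call Export-PublicCert on adfsresource first, then Import-TrustedRoot on adfsweb; both return the thumbprint, which should match on the two servers.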