Configuring ADFS On Windows Server 2012

Posted by: admin
Category: Windows Server

While configuring ADFS on Windows Server we faced many issues. They were minor in severity but high in priority, so I thought I would summarize the nitty-gritty of the installation in one place to save time and effort.

Pre-requisites

1. Windows Server 2012.
2. IIS (Web Server role) installed on the server.

Install the AD FS role on Windows Server 2012

Following are the steps to install the AD FS role using Server Manager:

1. Open Server Manager.
2. Click Manage, then Add Roles and Features.

The “Add Roles and Features Wizard” pops up.

3. Click Next. Select the “Role-based or feature-based installation” type to configure a single server by adding roles, role services and features.

4. Click Next. Keep “Select a server from the server pool” and choose the server on which to install the role.

5. Click Next. On the Server Roles page check Active Directory Federation Services and make sure the following role services are selected:

1. Federation Service
2. AD FS 1.1 Web Agents

6. Click Next. Select any additional features to install on the selected server (optional).

7. Click Install to install the selected roles and features.
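The same installation from an elevated PowerShell session, as an added example that is not part of the original post. The feature names are taken from Get-WindowsFeature output on Windows Server 2012 and are listed first so they can be checked; the web agents feature name in particular is an assumption to verify against that listing.

```powershell
# Added example: install the AD FS role and role services on Windows Server 2012,
# equivalent to the Server Manager clicks above. Run as Administrator.
Import-Module ServerManager

# List every AD FS-related feature so the names can be checked before installing.
Get-WindowsFeature -Name ADFS* | Format-Table Name, DisplayName, InstallState -AutoSize

# IIS is a prerequisite (it hosts /adfs/ls), so it is installed alongside the role.
$features = @(
    'Web-Server',        # IIS
    'ADFS-Federation',   # Federation Service
    'ADFS-Web-Agents'    # AD FS 1.1 Web Agents (assumed name; confirm in the listing above)
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the AD FS configuration wizard can run.'
}

# Confirm what ended up installed.
Get-WindowsFeature -Name Web-Server, ADFS* |
    Where-Object { $_.Installed } |
    Select-Object Name, DisplayName
```

-IncludeManagementTools pulls in the AD FS Management console used in the following sections; without it the role is installed headless.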

Prepare IIS for AD FS

An SSL certificate is required to complete the AD FS configuration. It can be created from IIS or bought off the shelf from a third-party vendor. The steps are as follows.

Note: A certificate generated by IIS itself (self-signed) is not recommended for a production environment.

Request a domain certificate – ..com – or import the federation service URL certificate on the server.
You can either import it directly into IIS, or into the Personal store of the Local Computer using the Certificates snap-in in an MMC. The subject (or a subject alternative name) must match the federation service name that clients resolve.

Note: When importing into the AD FS proxy servers, the certificate needs to be in PFX format and must include the private key.

To get such a file, first complete the request by importing the issued certificate on the server that created the CSR (Certificate Signing Request), so that it is paired with the private key generated there, then export it as a .pfx including the private key.
Update the IIS bindings on the Default Web Site for port 443 with this certificate and run iisreset.

Common issue:

When completing a certificate request in IIS, the SSL certificate may disappear from the certificate list after you restart IIS or reopen the certificates console. The issued certificate has been placed in the store without being linked to the private key that was generated with the CSR. To repair it:

1. Open Command Prompt or PowerShell as an Administrator.
2. Run certutil -repairstore my xxxxxxxxxxxxxxxxxxxxxx, where xxxxxxx is the serial number (or thumbprint) of the certificate.

This re-links the certificate in the Personal (My) store of the local computer with its private key.
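The certificate preparation and the private-key repair above, carried out in one PowerShell script as an added example (not code from the original post). The subject name, file paths and the password prompt are assumptions; the cmdlets are the PKI and WebAdministration modules that ship with Windows Server 2012.

```powershell
# Added example: locate the federation service certificate in the Local Computer
# Personal store, make sure it is paired with its private key (repairing with
# certutil if not), export a PFX for the proxy servers, and bind it to port 443
# on the Default Web Site. Run from an elevated PowerShell session.
Import-Module WebAdministration

$subject  = 'CN=sts.contoso.com'              # assumed federation service name
$exportTo = 'C:\certs\sts.contoso.com.pfx'    # assumed output path for the proxy servers
$pfxPass  = Read-Host -AsSecureString 'Password for the exported PFX'

# 1. Find the newest certificate for the subject in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in Cert:\LocalMachine\My" }

# 2. A certificate that 'disappears' from the IIS list after iisreset is one whose
#    private-key link was lost when the request was completed. Repair and re-read it.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Private key not linked to $($cert.Thumbprint); running certutil -repairstore"
    certutil -repairstore my $cert.Thumbprint | Out-Null
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Repair failed: complete the CSR on the machine that generated it, then export a PFX'
    }
}

# 3. Export with the private key for the AD FS proxy servers (the key must be exportable).
Export-PfxCertificate -Cert $cert -FilePath $exportTo -Password $pfxPass | Out-Null

# 4. HTTPS binding on the Default Web Site, then attach the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null

iisreset | Out-Null
Get-WebBinding -Name 'Default Web Site' | Select-Object protocol, bindingInformation
```

The HasPrivateKey check is the programmatic form of the "certificate disappeared" symptom: a certificate without a linked key is still in the store, IIS just will not offer it for an SSL binding.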

Configure the AD FS Federation Service

    • Run the AD FS Management console: Shift+right-click AD FS Management and run it as a domain administrator.
    • Run the AD FS Federation Server Configuration Wizard –> Create a new Federation Service –> New federation server farm.
    • Specify the service account and its credentials.
    • Configure the certificates for Service Communications, Token-decrypting and Token-signing (set one as the primary certificate if multiple certificates are configured).
    • Restart the “Active Directory Federation Services” Windows service.
    • Make sure that the Federation Service has started successfully. To verify, go to Event Viewer –> Applications and Services Logs –> AD FS –> Admin.
    • You should find an event whose details read as below:

“The Federation Service started successfully. The following service hosts have been added:”

    • Federation Server Proxy ServiceHost
    • AD FS 1.x Trust Information Service

Configuring an application to interact with AD FS for authentication

In order to allow an application to interact with AD FS, we need to configure a trust relationship between AD FS and our application. Following are the steps to do so.

Add a Relying Party Trust to AD FS.

In Server Manager, click the Tools menu, then click AD FS Management.

In the left-hand pane, navigate to AD FS > Trust Relationships. Select Relying Party Trusts and click Add Relying Party Trust in the Actions panel.

The Add Relying Party Trust Wizard is displayed.

Click Start. The Select Data Source screen is displayed; since the remaining steps enter the application details by hand, choose “Enter data about the relying party manually”.

Click Next. The Specify Display Name screen is displayed.

In the Display name box, type a name for the Relying Party Trust you are configuring for your application and click Next.

The Choose Profile screen is displayed. Select AD FS profile, then click Next.

The Configure Certificate screen is displayed. Click Next.

The Configure URL screen is displayed. Select the Enable support for the WS-Federation Passive protocol check box and enter the application's WS-Federation Passive protocol URL. This is the endpoint AD FS posts the token to after it has authenticated the user against Active Directory, so it must be the HTTPS address the application is actually served from.

The Configure Identifiers screen is displayed. Add the relying party trust identifier for the application; it must match the realm the application sends in its sign-in request. Click Next.

The Choose Issuance Authorization Rules screen is displayed. Select Permit all users to access this relying party and click Next.

The Ready to Add Trust screen is displayed. Click each tab and verify the data entered in the earlier screens, then click Next. The Finish screen is displayed.

Select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box and click Close.

Claim Mapping for the Relying Party Trust

Claims are the attributes that we need AD FS to verify and send to the application as part of the authentication. The Edit Claim Rules dialog is displayed for your application.

Click Add Rule. Select “Send LDAP Attributes as Claims” as the rule template. Click Next.

Enter a rule name, select “Active Directory” as the Attribute store, and map the LDAP attributes the application needs (for example E-Mail-Addresses, User-Principal-Name) to outgoing claim types.

Click Finish.

Click Apply. You can now see “Your Application Name” in the Relying Party Trusts list.
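The same relying party trust and claim rules created with the AD FS 2.x PowerShell snap-in, as an added example that is not part of the original post. The application name, URL, identifier and the attribute-to-claim mapping are assumptions; the claim-rule language text is what the two wizard templates ("Permit all users" and "Send LDAP Attributes as Claims") generate.

```powershell
# Added example: create a relying party trust with an authorization rule and an
# LDAP-attribute claim rule, then read it back. Run as a domain administrator
# on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = 'Your Application Name'
$rpIdentifier = 'https://app.contoso.com/'   # assumed realm; must match what the app sends
$rpEndpoint   = 'https://app.contoso.com/'   # assumed WS-Federation passive endpoint

# Issuance authorization: the "Permit all users to access this relying party" template.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: "Send LDAP Attributes as Claims" from the Active Directory store,
# mapping mail -> emailaddress and userPrincipalName -> upn for the signed-in account.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Refuse to silently create a duplicate; the wizard would do the same.
if (Get-ADFSRelyingPartyTrust -Name $rpName) {
    throw "A relying party trust named '$rpName' already exists; use Set-ADFSRelyingPartyTrust to change it."
}

Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier $rpIdentifier `
    -WSFedEndpoint $rpEndpoint `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read back what was stored; the rules are kept as claim-rule language text.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, Enabled, IssuanceTransformRules
```

Keeping the rules in text makes them reviewable and reproducible across farm members, which the wizard clicks are not; the Edit Claim Rules dialog shows the same text under View Rule Language.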

Verify the AD FS installation

From the AD FS server and from a client machine, browse to https://xxx.domain.com/adfs/ls/IdpInitiatedSignon.aspx and sign in with a domain account.
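A scripted version of the two checks on this page (the service start-up event described under "Configure the AD FS Federation Service" and the sign-on page test here), as an added example that is not part of the original post. The host name is a placeholder; the log name AD FS/Admin is the Event Viewer path given above, and adfssrv is the Windows service name of the federation service.

```powershell
# Added example: confirm the federation service is running, that the Admin log
# recorded a successful start, which certificates it uses, and that its HTTPS
# endpoints answer. Run on the AD FS server (the HTTP checks also work remotely).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$fsHost = 'xxx.domain.com'   # assumed federation service name

# 1. Windows service state.
$svc = Get-Service -Name adfssrv
if ($svc.Status -ne 'Running') { throw "adfssrv is $($svc.Status), not Running" }

# 2. Most recent start-up event in Applications and Services Logs -> AD FS -> Admin.
$started = Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 |
    Where-Object { $_.Message -like 'The Federation Service started successfully*' } |
    Select-Object -First 1
if ($started) {
    "Last successful start: {0} (event {1})" -f $started.TimeCreated, $started.Id
} else {
    Write-Warning 'No successful start event found in the last 200 Admin events'
}

# 3. Service communications / token-signing / token-decrypting certificates and expiry.
Get-ADFSCertificate |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 4. IdP-initiated sign-on page and federation metadata over HTTPS. A TLS error
#    here points at the certificate binding; a 404 at the /adfs/ls application.
foreach ($path in 'adfs/ls/IdpInitiatedSignon.aspx',
                  'FederationMetadata/2007-06/FederationMetadata.xml') {
    $url = "https://$fsHost/$path"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials
        "{0} -> HTTP {1}" -f $url, $r.StatusCode
    } catch {
        Write-Warning ("{0} -> {1}" -f $url, $_.Exception.Message)
    }
}
```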

Major issues after initial setup

Issue 1: “TCP error code 10061: No connection could be made because the target machine actively refused it”

The AD FS service listens on net.tcp port 1501 for its services endpoint and on 1500 for its administration (policy) endpoint. This error means nothing accepted the connection on one of them, typically because another process already owns the port. The fix below moves AD FS to 1601 and 1600.

To change the services net.tcp port from 1501 to 1601:

1. Launch PowerShell on the AD FS server.
2. Add the AD FS PowerShell snap-in: Add-PSSnapin Microsoft.Adfs.PowerShell
3. Configure the services net.tcp port via the Set-ADFSProperties cmdlet:
Set-ADFSProperties -NetTcpPort 1601
4. Confirm the change: Get-ADFSProperties
5. Restart the AD FS Windows service in the Services console.

To change the administration net.tcp port from 1500 to 1600:

1. Launch PowerShell.

2. Get the WMI object into a $temp variable: $temp = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService

3. Set the ConfigurationServiceAddress property to the new net.tcp address using the new port: $temp.ConfigurationServiceAddress = "net.tcp://localhost:1600/policy"

4. Write the change back to the object: $temp.Put()

5. Restart the AD FS Windows service in the Services console.

6. Verify the change from an elevated Command Prompt:

a. netstat -anob > netstat.txt
b. Open netstat.txt in Notepad
c. Search for 1600 and confirm the listening process is the AD FS service
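Both port changes in one script, as an added example that is not part of the original post. It adds the check a practitioner wants before and after: which process owns the old ports (a foreign owner is the usual cause of error 10061) and that the new ports are free. The port numbers are the ones from the steps above; Get-NetTCPConnection is the NetTCPIP cmdlet that ships with Windows Server 2012.

```powershell
# Added example: find the owners of the AD FS net.tcp ports, move the services
# endpoint to 1601 and the administration endpoint to 1600, restart the service
# and confirm the listeners. Run from an elevated PowerShell on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-PortOwner([int]$Port) {
    # Listening sockets on the port, with the owning process name.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $Port; Pid = $_.OwningProcess; Process = $p.ProcessName }
        }
}

# 1. Who holds the default ports? Anything other than the AD FS service explains 10061.
'Current owners of 1500/1501:'
1500, 1501 | ForEach-Object { Get-PortOwner $_ } | Format-Table -AutoSize

$newServicePort = 1601
$newAdminPort   = 1600
foreach ($port in $newServicePort, $newAdminPort) {
    if (Get-PortOwner $port) { throw "Port $port is already in use; choose another" }
}

# 2. Services endpoint: kept in the AD FS configuration database.
Set-ADFSProperties -NetTcpPort $newServicePort
'NetTcpPort now: ' + (Get-ADFSProperties).NetTcpPort

# 3. Administration (policy) endpoint: kept in WMI under root\ADFS.
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$sts.ConfigurationServiceAddress = "net.tcp://localhost:$newAdminPort/policy"
$sts.Put() | Out-Null

# 4. Restart and confirm both new ports are now owned by the AD FS service process.
Restart-Service -Name adfssrv -Force
Start-Sleep -Seconds 10
'Owners of the new ports:'
$newServicePort, $newAdminPort | ForEach-Object { Get-PortOwner $_ } | Format-Table -AutoSize
```

The final table replaces the netstat-to-Notepad step: the Process column should read the AD FS service host for both ports; an empty table after the restart means the service did not come up and the Admin event log is the next place to look.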

Issue 2: Windows logon prompt appears instead of the AD FS logon form (an AD FS-side issue)

The application expects a sign-in form that takes domain\user, but the browser shows a Windows authentication popup instead.

To replace the prompt with the form, we need to change the order of the local authentication types on the AD FS server, because AD FS offers the first type listed as the default.

On the AD FS server: open IIS Manager –> expand the Default Web Site –> adfs –> ls. Right-click ls and click Explore to open the folder that contains web.config.

Here we need to put the Forms login above the Integrated login. Reorder the first two entries so that the localAuthenticationTypes section looks like below:

Default XML:

Re-Order Authentication Type:

AD FS will present the form instead of the Windows login prompt after the above changes are saved. Note that this is a server-wide default: domain-joined clients that could previously sign in silently with Integrated Windows Authentication will now also get the form.
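The reorder done as a script with a backup, as an added example that is not part of the original post. The element names (localAuthenticationTypes with add entries named Forms and Integrated) follow the stock AD FS 2.x web.config and should be confirmed against your own file; the path is the default location of the /adfs/ls application and is an assumption.

```powershell
# Added example: move the Forms entry ahead of the Integrated entry in the
# localAuthenticationTypes section of the /adfs/ls web.config, keeping a backup
# and touching nothing if Forms is already first. Run as Administrator.
$webConfig = 'C:\inetpub\adfs\ls\web.config'   # assumed default path of the ls application
if (-not (Test-Path $webConfig)) { throw "web.config not found at $webConfig" }

# Backup before editing; a malformed web.config takes the sign-in page down.
Copy-Item $webConfig ("{0}.bak-{1}" -f $webConfig, (Get-Date -Format 'yyyyMMddHHmmss'))

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true     # keep the file's formatting on save
$xml.Load($webConfig)

$section = $xml.SelectSingleNode('//localAuthenticationTypes')
if (-not $section) { throw 'localAuthenticationTypes section not found' }

$forms      = $section.SelectSingleNode("add[@name='Forms']")
$integrated = $section.SelectSingleNode("add[@name='Integrated']")
if (-not $forms -or -not $integrated) { throw 'Forms and/or Integrated entries not found' }

# Current order of the entries by their name attribute.
$order = @($section.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') })

if ([array]::IndexOf($order, 'Integrated') -lt [array]::IndexOf($order, 'Forms')) {
    $section.InsertBefore($forms, $integrated) | Out-Null   # moves the existing node
    $xml.Save($webConfig)
    $after = @($section.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') })
    'Reordered to: ' + ($after -join ', ')
} else {
    'Forms already precedes Integrated; nothing changed (' + ($order -join ', ') + ')'
}
```

Because the web.config is read by ASP.NET, saving it restarts the /adfs/ls application on its own; no iisreset is needed, and the backup file makes the change a one-line rollback.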

Author: Ankit Bhatt
