Deploying and configuring Active Directory Federation Services (ADFS) 2012 R2 for Office 365 can be broken down into 4 blog posts:
- Installing and Configuring ADFS (this post)
- Configuring Name Resolution and additional nodes
- Install ADFS Proxy (Coming Soon)
- Leverage ADFS with Office 365 (Coming Soon)
- New automated methods of setting up ADFS with Office 365 (Coming Soon)
Planning And Prerequisites, and Other Fun Details
Prerequisites
Here is the list of prerequisites from TechNet. But in general, you need to make sure you have an SSL certificate. The certificate must be trusted publicly (chained to a public root certification authority) or explicitly trusted by all computers that require access to the federation service. A wildcard certificate would work, or a standard web certificate with the name you desire (e.g. fs.example.com – FS = federation service).
For this lab, you will need a Windows 2012 R2 Server with 4 cores, 4 Gigs of RAM and 100 Gig OS drive.
ADFS Role Planning
The ADFS role should be deployed within the corporate network, and not in the DMZ. The ADFS proxy role is intended to be installed into the DMZ.
The default topology for Active Directory Federation Services is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, ADFS uses WID as the store for the configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.
Since the availability of Office 365 relies upon the availability of ADFS once the domain is federated, there is a strong recommendation to have at least two ADFS servers with a redundant proxy infrastructure. On Nutanix, make sure the ADFS servers are running on different nodes and/or clusters for complete site resilience. Running Active Directory Federation Services on Windows 2012 R2 is fully supported across all hypervisors, including Acropolis Hypervisor (AHV).
For more information on different designs, please review the design guidance information on TechNet.
Step by Step Install Guide
ADFS is installed as a role as shown below:
Ok, that’s the easy part, now on to configuration. ;)
Step by Step Configuration Guide
Welcome to the Active Directory Federation Services Configuration Wizard!
Before you begin your configuration, you must have the following:
- An Active Directory domain administrator account.
- A publicly trusted certificate for SSL server authentication, installed in IIS before starting the wizard.
If you click on View script, you can see the automated version:
# Windows PowerShell script for AD FS Deployment
Import-Module ADFS
# Each parameter line ends with a backtick so PowerShell reads the call as one command.
# The thumbprint below is the blog's own (obfuscated) value; use the thumbprint of the
# SSL certificate you installed. The gMSA identifier takes the DOMAIN\account$ form.
Install-AdfsFarm `
-CertificateThumbprint:"3923273B4862WEE0CBAF3WEWE99125EDBWEWEWC0C5" `
-FederationServiceDisplayName:"ADFS POC" `
-FederationServiceName:"fs.poc.lan" `
-GroupServiceAccountIdentifier:"POC\adfs`$" `
-OverwriteConfiguration:$true
Verifying that AD FS is working fine:
Check out your Identity Provider (IdP) sign-on landing page by navigating to https://fs./adfs/ls/IdpInitiatedSignon.aspx
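Beyond opening the sign-on page, the checks a practitioner wants after Install-AdfsFarm are that the bound SSL certificate chains to a trusted root and carries the federation service name, and that the federation metadata and sign-on endpoints answer over HTTPS. This is an added example, not a script from the original post or from Microsoft; it assumes the farm was configured with the wizard script above (service name fs.poc.lan, read back from Get-AdfsProperties) and is run in an elevated PowerShell session on the federation server.

```powershell
# Post-install sanity checks for the ADFS farm configured above (added example).
Import-Module ADFS

$fsName = (Get-AdfsProperties).HostName   # expected: fs.poc.lan

# 1. Find the certificate bound to HTTPS for the federation service.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fsName } | Select-Object -First 1
if (-not $binding) { $binding = Get-AdfsSslCertificate | Select-Object -First 1 }
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
if (-not $cert) { throw "No SSL certificate bound for $fsName" }

# 2. Validate the chain for the SSL policy and confirm the service name is on the cert.
#    Test-Certificate (PKI module) returns $false for an untrusted root or a name mismatch.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $fsName -ErrorAction SilentlyContinue
"{0,-26} {1}" -f "Chain/name valid (SSL):", [bool]$chainOk
"{0,-26} {1}" -f "Issuer:", $cert.Issuer
"{0,-26} {1}" -f "Expires:", $cert.NotAfter

# 3. Fetch the federation metadata over TLS and read the entityID Office 365 will see.
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
    "{0,-26} {1}" -f "Metadata entityID:", $meta.EntityDescriptor.entityID
} catch {
    Write-Warning "Federation metadata not reachable at $metaUrl : $($_.Exception.Message)"
}

# 4. Confirm the IdP-initiated sign-on page from the post responds with HTTP 200.
$signOnUrl = "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
try {
    $status = (Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing).StatusCode
    "{0,-26} {1}" -f "IdP sign-on page status:", $status
} catch {
    Write-Warning "Sign-on page not reachable at $signOnUrl : $($_.Exception.Message)"
}
```

If check 2 prints False while the page still loads in a browser on the server, the certificate is usually trusted locally but not chained to a public root, which is exactly what will break for Office 365 and for external clients.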
And that’s how ADFS is initially set up, no matter whether you are a large or small environment. Next up: Configuring Name Resolution and additional nodes.
Until next time….Rob