© 2021 www.richardwalz.com
Richard Walz
All rights reserved.

Active Directory Federation Services – Part 1 (Installation and Configuration)

Learn how to install and configure Active Directory Federation Services on an on-premises server. Secure your environment and end users while reducing the number of passwords they need to remember.

The series is split into 4 separate sections.

Notes

Throughout this series you will see me using cloudrigs.com, which is my internal Active Directory domain. Simply replace this domain name with yours, such as mydomain.tld.

Requirements

  • Create a publicly trusted wildcard certificate (*.cloudrigs.com). In this guide I used Let's Encrypt, but because of its short certificate lifetime I do not recommend that option in production.
  • Create a DNS alias for your ADFS farm (adfs.cloudrigs.com). This is highly recommended even if you build out only 1 server.
  • Create a service account to run ADFS, such as “svc_adfs”. A normal low-privilege user account is fine.
  • Create a dedicated Windows Server for ADFS (NYC-ADFS01) with a static IP of 192.168.0.43.

Configure DNS

  1. Build a Windows Server named NYC-ADFS01 which will run the ADFS service.
  2. Within Windows DNS Manager, create a DNS entry called “adfs.cloudrigs.com” and point it to the same IP address as NYC-ADFS01, which is 192.168.0.43.
    • You should now have 2 entries in DNS pointing to the same IP address:
    • nyc-adfs01.cloudrigs.com > 192.168.0.43
    • adfs.cloudrigs.com > 192.168.0.43
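The same two records can be created and checked from PowerShell on the Windows DNS server. This is an added example, not part of the original post: it uses the DnsServer module (Add-DnsServerResourceRecordA, Get-DnsServerResourceRecord) and Resolve-DnsName, with the names and IP address from this guide. The verification step matters because a farm name that also resolves to a second, unexpected address would send users to the wrong host.

```powershell
# Added example (not from the original post): create the two A records with the
# DnsServer PowerShell module on the Windows DNS server, then verify them.
# Zone, names and IP address are the ones used in this guide.
$zone  = 'cloudrigs.com'
$ip    = '192.168.0.43'
$names = 'nyc-adfs01', 'adfs'   # server host record and the farm alias

foreach ($name in $names) {
    # Idempotent: only add the record if it is not already there.
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        # The farm name is deliberately an A record, not a CNAME: Microsoft's AD FS
        # DNS guidance asks for an A record so that Windows Integrated Authentication
        # (Kerberos) works against the federation service name.
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $ip
    }
}

# Verification: each FQDN must resolve to exactly the planned address and to
# nothing else.
function Test-AdfsDnsRecord {
    param([string]$Fqdn, [string]$ExpectedIp)
    $answers = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
        Where-Object Type -eq 'A' |
        Select-Object -ExpandProperty IPAddress)
    $wrong = @($answers | Where-Object { $_ -ne $ExpectedIp })
    return ($answers.Count -ge 1 -and $wrong.Count -eq 0)
}

foreach ($name in $names) {
    $fqdn = "$name.$zone"
    if (Test-AdfsDnsRecord -Fqdn $fqdn -ExpectedIp $ip) { "OK   $fqdn -> $ip" }
    else { Write-Warning "$fqdn does not resolve to $ip only" }
}
```

Run it in an elevated prompt on the DNS server (or any machine with the DNS Server RSAT tools installed, adding -ComputerName to the DnsServer cmdlets).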

Install ADFS on NYC-ADFS01

  1. Open up Server Manager
  2. Click on “Add roles and features”, click next
  3. On the “Installation Type” page select “Role-based or feature-based installation”, click next
  4. On the “Server Selection” page verify the server is correct, click next
  5. On the “Server Roles” page select “Active Directory Federation Services”, click next
  6. On the “Features” page, click next
  7. On the “AD FS” page, click next
  8. On the “Confirmation” page select “Restart”, click install.

Activate/Configure ADFS

  1. Open up Server Manager
  2. Click on the “Warning Icon” flag (top menu bar)
  3. Click on “Configure the federation service on this server”
  4. Select “Create the first federation server..”, click next
  5. On the “Connect to AD DS” page ensure the account you're using has the correct permissions, then click next.
  6. On the “Specify Service Properties” page:
    • SSL Certificate: choose the wildcard certificate that you created.
    • Federation Service Name (the DNS entry you created for the ADFS farm): adfs.cloudrigs.com
    • Federation Service Display Name (this will be displayed to your end users): ADFS – Your Company
  7. On the “Specify Service Account” page:
    • We are going to use a standard service account. Choose the service account you created (“svc_adfs”) and type in its password.
  8. On the “Specify Database” page choose “Create a database on this server using Windows Internal Database”. This is fine for clients with up to 1500 users; the WID database will replicate between the ADFS farm members. Click next.
  9. Review the options, click next
  10. Click “Configure”.
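The role installation and the farm configuration above can also be done from an elevated PowerShell prompt on NYC-ADFS01. This is an added example, not the original post's procedure: it uses Install-WindowsFeature and Install-AdfsFarm with the values from this guide, assumes the wildcard certificate is already in the computer's Personal store with its private key and that the svc_adfs account exists, and adds two checks the wizard does not show (certificate selection fails closed, and the HOST SPN is confirmed on the service account).

```powershell
# Added example (not from the original post): install the AD FS role and create
# the first farm node from PowerShell, matching the wizard choices above.
# Assumes *.cloudrigs.com is already imported into Cert:\LocalMachine\My with
# its private key and that CLOUDRIGS\svc_adfs exists.

# 1. Install the role (equivalent of the "Add roles and features" wizard).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. Select the wildcard certificate by subject. Fail if it is missing or has
#    no private key rather than silently configuring with the wrong one.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match '^CN=\*\.cloudrigs\.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate for *.cloudrigs.com (with private key) not found in LocalMachine\My' }

# 3. The service account password is prompted for, never stored in the script.
$svc = Get-Credential -UserName 'CLOUDRIGS\svc_adfs' -Message 'Password for the AD FS service account'

# 4. Create the first farm node. Giving no SQL connection string means the
#    Windows Internal Database is used, the same choice as in the wizard.
#    Run this as a domain account that can create the SPN and the AD container
#    (the wizard's "Connect to AD DS" step); add -Credential to use another one.
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.cloudrigs.com' `
    -FederationServiceDisplayName 'ADFS - Your Company' `
    -ServiceAccountCredential $svc

# 5. Post-install checks: service running, farm properties as intended, and the
#    HOST SPN registered on the service account (required for WIA/Kerberos).
Get-Service -Name adfssrv
Get-AdfsProperties | Select-Object HostName, DisplayName, Identifier
setspn -L CLOUDRIGS\svc_adfs
```

The setspn output should list host/adfs.cloudrigs.com on svc_adfs; if it is absent, Install-AdfsFarm could not write it and Windows Integrated Authentication will not work until it is added.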

Enable Additional Web Browser Agents

By default only some web browsers are allowed to use Windows Integrated Authentication (WIA); others fall back to the forms-based sign-in page. To enable WIA for other browsers such as Google Chrome, run the following commands.

Show the current web browser agent strings:

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

Enable Google Chrome / Mozilla Firefox / MS Edge:

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Firefox" + "=~Windows\s*NT.*Edge" + "Mozilla/5.0")

Restart the AD FS service to apply the settings:

Restart-Service -Name adfssrv

Reset the AD FS browser agents to the defaults (if you want to revert):

Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")
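Two things are easy to get wrong with the commands above: running them twice appends duplicate entries, and a broad entry such as "Mozilla/5.0" matches practically every browser, so non-domain-joined and mobile clients get a Windows credential prompt instead of the forms page. The following is an added example, not code from the original post. Add-WiaUserAgent only appends entries that are not already present; Test-WiaUserAgent previews which constructed sample user-agent strings an entry would catch. The matching rule it implements (plain entry = substring match, "=~" prefix = regular expression) is my reading of the "=~Windows\s*NT.*Edge" form used above and is an assumption about AD FS behaviour, so use it as a preview, not as the authoritative check.

```powershell
# Added example (not from the original post): idempotent helper for the
# WIASupportedUserAgents list plus a preview of what a given entry matches.

function Add-WiaUserAgent {
    param([Parameter(Mandatory)][string[]]$Agent)
    $current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
    # Only append entries that are not already on the list.
    $new = @($Agent | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) { 'Nothing to add; all entries already present'; return }
    Set-AdfsProperties -WIASupportedUserAgents ($current + $new)
    Restart-Service -Name adfssrv
    "Added: $($new -join ', ')"
}

# Assumed matching rule: a plain entry is a substring of the User-Agent header,
# an entry starting with "=~" is a regular expression. Returns the first entry
# that matches, or $null if WIA would not be offered to this browser.
function Test-WiaUserAgent {
    param([string[]]$Entries, [string]$UserAgent)
    foreach ($e in $Entries) {
        if ($e.StartsWith('=~')) {
            if ($UserAgent -match $e.Substring(2)) { return $e }
        } elseif ($UserAgent.Contains($e)) {
            return $e
        }
    }
    return $null
}

# Constructed sample User-Agent strings (not captured from real clients).
$samples = [ordered]@{
    'Chrome on Windows' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0 Safari/537.36'
    'Edge on Windows'   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0 Safari/537.36 Edge/18.0'
    'Safari on iPhone'  = 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1'
}

# Compare the targeted entries with the catch-all "Mozilla/5.0" entry.
$targeted = @('Chrome', 'Firefox', '=~Windows\s*NT.*Edge')
$catchAll = $targeted + 'Mozilla/5.0'
foreach ($k in $samples.Keys) {
    $ua = $samples[$k]
    "{0,-18} targeted: {1,-22} with Mozilla/5.0: {2}" -f $k,
        (Test-WiaUserAgent -Entries $targeted -UserAgent $ua),
        (Test-WiaUserAgent -Entries $catchAll -UserAgent $ua)
}

# Apply only the targeted entries; run again and it reports nothing to add.
Add-WiaUserAgent -Agent $targeted
```

In the preview the iPhone sample matches nothing under the targeted list but matches "Mozilla/5.0" under the catch-all list, which is exactly the case where an external or unmanaged device would be prompted for NTLM credentials instead of seeing the sign-in form.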

Group Policy – WhiteList Settings (missing content)

  • Google Chrome ADMX Template
    • User or Computer Policy > Admin Templates > Google Chrome > HTTP Authentication > Authentication server whitelist
      • *cloudrigs.com,cloudrigs.com
  • Internet Explorer/Edge
    • User or Computer Policy > Admin Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > IE > Site to Zone Assignment
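When WIA works on the server but a client still gets prompted, the usual cause is that one of the two policies above never applied. The following is an added example, not part of the original post: it reads, on a domain-joined client, the registry values that these policies write and reports whether adfs.cloudrigs.com is covered. The registry locations (Chrome's AuthServerAllowlist / older AuthServerWhitelist under Software\Policies\Google\Chrome, and the ZoneMapKey written by "Site to Zone Assignment List") are the policy locations as I know them; verify against your ADMX version. The Chrome pattern matching is approximated with PowerShell's -like operator.

```powershell
# Added example (not from the original post): verify on a client that the
# Chrome authentication server allowlist and the IE/Edge zone assignment for
# the AD FS farm name were actually delivered by Group Policy.

function Get-ChromeAuthServerAllowlist {
    # User or computer policy. Newer Chrome ADMX names the value AuthServerAllowlist;
    # older templates ("Authentication server whitelist") wrote AuthServerWhitelist.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Google\Chrome"
        foreach ($name in 'AuthServerAllowlist', 'AuthServerWhitelist') {
            $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($v) { return $v.$name }
        }
    }
    return $null
}

function Get-IeZoneAssignment {
    param([string]$HostName)
    # "Site to Zone Assignment List" writes one value per host under ZoneMapKey.
    # Data 1 = Local intranet, the zone in which IE/Edge sends the logged-on
    # user's Windows credentials automatically.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $v = Get-ItemProperty -Path $key -Name $HostName -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.$HostName }
    }
    return $null
}

$farm = 'adfs.cloudrigs.com'

# Chrome: keep this list to your own domain, because every host that matches an
# entry may receive the user's Negotiate/NTLM credentials.
$allow    = Get-ChromeAuthServerAllowlist
$patterns = if ($allow) { @($allow -split ',' | ForEach-Object { $_.Trim() }) } else { @() }
$covered  = @($patterns | Where-Object { $farm -like $_ })
if ($covered.Count -gt 0) {
    "Chrome: $farm matches allowlist entry $($covered -join ', ')"
} else {
    Write-Warning "Chrome: $farm is not covered by the authentication server allowlist (current value: '$allow')"
}

# IE/Edge: the farm name must sit in the Local intranet zone (1).
$zone = Get-IeZoneAssignment -HostName $farm
if ($null -eq $zone) {
    Write-Warning "IE/Edge: no Site to Zone assignment found for $farm"
} elseif ($zone -eq 1) {
    "IE/Edge: $farm is assigned to the Local intranet zone"
} else {
    Write-Warning "IE/Edge: $farm is assigned to zone $zone, not Local intranet (1)"
}
```

Run it in the context of a user who has received the policy (user-side settings live under HKCU); gpresult /r shows whether the GPO itself was applied if both checks come back empty.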

AD FS Verification

Verify that you are able to access the IdP-initiated sign-on page.

https://adfs.cloudrigs.com/adfs/ls/idpinitiatedsignon.aspx

**Important Server 2016 and Server 2019 Deployments**

This page is disabled by default. To access it you must run the following command in an elevated PowerShell prompt.

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Restart the AD FS service to apply the setting:

Restart-Service -Name adfssrv
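A scripted version of the verification, added here as an example and not part of the original post: it fetches the federation metadata (always published, so it tests the SSL binding and farm name without enabling anything), checks how long the SSL certificate is still valid (useful with the short-lived Let's Encrypt certificate from the Requirements section), requests the IdP-initiated sign-on page, and then switches that page off again. Server 2016 and later ship with it disabled because normal application sign-in does not need it, so it is reasonable to leave it enabled only for the duration of the test. It uses Invoke-WebRequest, Get-AdfsSslCertificate and Get-AdfsProperties with the farm name from this guide.

```powershell
# Added example (not from the original post): verify the farm from an elevated
# PowerShell prompt on NYC-ADFS01, then disable the IdP-initiated sign-on page
# again once the check has passed. Farm name is the one used in this guide.
$farm = 'adfs.cloudrigs.com'

# 1. Federation metadata is always published; fetching it exercises the SSL
#    binding and the farm name without enabling any extra endpoint.
$meta = Invoke-WebRequest -Uri "https://$farm/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
[xml]$doc = $meta.Content
"Federation service identifier: " + $doc.EntityDescriptor.entityID

# 2. Days left on the SSL certificate bound to the farm name.
$sslHash  = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$sslCert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$sslHash"
$daysLeft = [int]($sslCert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { Write-Warning "SSL certificate $($sslCert.Subject) expires in $daysLeft days" }
else { "SSL certificate $($sslCert.Subject) is valid for $daysLeft more days" }

# 3. The IdP-initiated sign-on page answers HTTP 200 only while it is enabled.
try {
    $r = Invoke-WebRequest -Uri "https://$farm/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing
    "IdP-initiated sign-on page: HTTP $($r.StatusCode)"
} catch {
    Write-Warning "IdP-initiated sign-on page not reachable: $($_.Exception.Message)"
}

# 4. Turn the page back off after the test (the Server 2016+ default) and
#    confirm the resulting setting.
Set-AdfsProperties -EnableIdPInitiatedSignonPage $false
Restart-Service -Name adfssrv
Get-AdfsProperties | Select-Object HostName, EnableIdPInitiatedSignonPage
```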

You have now installed AD FS.