Installing ADFS on Windows Server 2012 R2

In this video I will be installing Active Directory Federation Services on Windows Server 2012 R2. To complete the install you need an SSL certificate for the federation service, issued by a certificate authority. If you do not have Active Directory Certificate Services on your network, see our previous video on how to install an enterprise CA for use with Active Directory Federation Services. That gives you a basic certificate service that is enough to get Active Directory Federation Services running; however, in a production environment you will most likely use a more sophisticated certificate solution, for example a certificate from a public CA, since clients and partner organizations outside your domain do not trust an internal enterprise CA by default.
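The certificate prerequisite can also be satisfied and checked from PowerShell rather than through the MMC steps in the walkthrough below. The following is an added example and is not part of the video: it performs the same enrollment the walkthrough does (a request under the Active Directory Enrollment Policy against the template created in the previous video) and then checks the issued certificate for the things the AD FS configuration wizard rejects, including the "dotless (short-named) subject name" error a reader reports in the comments. The federation service name fs.corp.example.com and the template's internal name ADFSSSLCertificate (the video shows the display name "ADFS SSL Certificate"; the internal name is what the cmdlet wants) are assumptions for the example.

```powershell
# Added example (not from the video): enroll the AD FS SSL certificate from the
# enterprise CA and check that it is usable for the Federation Service.
# Assumptions: the federation service will be called fs.corp.example.com and the
# template from the previous video has the internal name ADFSSSLCertificate.
# Run elevated on the future AD FS server; needs the PKI module, which ships
# with Windows Server 2012 R2.
$FederationServiceName = 'fs.corp.example.com'
$TemplateName          = 'ADFSSSLCertificate'

# Same path as MMC > Request New Certificate under the Active Directory
# Enrollment Policy. -DnsName puts the name in the Subject Alternative Name;
# the template decides key size, EKU and whether the CA issues automatically.
$result = Get-Certificate -Template $TemplateName `
                          -DnsName $FederationServiceName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status)); check the template's enroll permission on the CA"
}
$cert = $result.Certificate

# Does one of the certificate's DNS names cover the service name? Exact match,
# or a wildcard in the same label position (*.corp.example.com covers
# fs.corp.example.com but not a.b.corp.example.com).
function Test-NameCovered([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# The checks the configuration wizard makes, so they fail here instead of there.
$problems = @()
if (-not $cert.HasPrivateKey) {
    $problems += 'no private key in the machine store (import a PFX, not a CER)'
}
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'missing Server Authentication EKU'
}
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($subjectCn -notmatch '\.') {
    # The wizard derives the Federation Service name from the subject and
    # refuses a "dotless (short-named)" subject such as CN=FS01.
    $problems += "subject '$subjectCn' is a dotless (short) name; use an FQDN"
}
$dnsNames = @($subjectCn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not (Test-NameCovered $FederationServiceName $dnsNames)) {
    $problems += "neither subject nor SAN covers $FederationServiceName (names present: $($dnsNames -join ', '))"
}
if (-not $cert.Verify()) {
    $problems += 'chain does not validate here; is the enterprise CA root in Trusted Root Certification Authorities?'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "certificate expires $($cert.NotAfter)"
}
# Not needed on 2012 R2. AD FS 2016 and later use certauth.<service name> for
# certificate authentication on port 443 and fall back to port 49443 when the
# certificate lacks that name (the warning another reader quotes below).
if (-not (Test-NameCovered "certauth.$FederationServiceName" $dnsNames)) {
    Write-Warning "no name for certauth.$FederationServiceName (only matters on AD FS 2016 and later)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "certificate $($cert.Thumbprint) is not suitable for AD FS"
}
"Certificate $($cert.Thumbprint) for $FederationServiceName is ready; this thumbprint is what the wizard (or Install-AdfsFarm) needs."
```

The `DnsNameList` and `EnhancedKeyUsageList` properties are the ones Windows PowerShell adds to certificate objects, so the same checks can be run later against anything in `Cert:\LocalMachine\My` without re-enrolling.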
I will now change to my Windows Server 2012 R2 server and start the install of Active Directory Federation Services. To start the install, I will open Server Manager and select the option "Add roles and features". This starts the "Add Roles and Features Wizard". Once past the welcome screen I will select the default option "Role-based or feature-based installation". On the next screen, I need to select the server that I want to install the Active Directory Federation Services role on. Once I have selected the server and moved on in the wizard, I need to select the role "Active Directory Federation Services". Once selected I will move on to the "Select features" screen. In this case, I will not select any additional features and will move on to the next screen of the wizard.

The next screen is the welcome screen for the Active Directory Federation Services part of the install. Once I skip past this screen, I will get to the confirm selection screen. This screen shows which roles and features are about to be installed; in this case only the one role is being installed. When I press install, the "Active Directory Federation Services" role will be installed, which takes a minute or two to complete, so I will pause the video and return shortly.

Now that the install is complete, the next step is to configure Active Directory Federation Services. The Active Directory Federation Services wizard will ask for a certificate, so I first need to obtain a certificate from my Enterprise CA. To do this, I will right click the start menu, select Run and enter MMC. The certificates admin tool does not appear in Server Manager, so it needs to be accessed using MMC. Once MMC is running, I need to select "Add/Remove Snap-in" from the File menu and then select Certificates from the list of available snap-ins. When I press Add, I will be prompted for the scope of certificates that I want to look at. In this case, I will select the option for the computer account, as the server itself will require this certificate. The next screen asks which computer you want to manage certificates on. In this case, I will accept the default option of the local computer, complete the wizard and close the Add/Remove Snap-in dialog.

If I expand down to the "Personal" folder under "Certificates", this will show all the certificates issued to this server. This is not the view that I want, so the view needs to be changed. To do this, select "Personal" and choose "Options" under the "View" menu. If this option does not appear, refresh the Personal folder, as the option may not be shown until a refresh has been performed. Once Options has been selected, I next need to tick "Certificate purpose" under "Organize view mode by". Once I press OK, you will notice that the view has changed. The certificate that I want to create needs to go under the folder "Server Authentication".

To create a new certificate under "Server Authentication", right click "Server Authentication" and select "Request New Certificate" under the sub menu "All Tasks". This launches the Certificate Enrollment wizard. Once past the welcome screen, the next screen asks which enrollment policy you want to use. In this case, I have not created any additional enrollment policies, so I will leave it on the default option of "Active Directory Enrollment Policy". With this policy the server requests a certificate from an enterprise CA in the domain based on a certificate template, and if the template permits it the CA issues the certificate straight away with no administrator approval. If autoenrollment is also turned on through group policy, Windows will renew the certificate, or replace it if the template changes, without the administrator having to do anything. In this case I have used enrollment as it is a simple way to get Active Directory Federation Services going. For a better understanding of which certificates should be used and how they should be used, see our certificate course.

Once I press next I will be able to select a certificate from the templates available on the CA. In the previous video I created this template, "ADFS SSL Certificate". If you need to do this, please see our previous video on how to do so. Once the template is ticked, all I need to do is press "Enroll" and the server will obtain a certificate from the CA. Once I press finish, the certificate has been added to the local computer store, so I can now close MMC. Note that the configuration wizard takes the federation service name from the subject of this certificate, so the subject must be a fully qualified name such as fs.contoso.com rather than a short (dotless) name, and the certificate must have its private key in the store and the Server Authentication purpose.

The next step is to configure Active Directory Federation Services, which I will do by selecting the exclamation mark in Server Manager and then selecting the option "Configure the federation service on this server", which launches the configuration wizard.

On the welcome screen, notice the option "Create the first federation server in a federation server farm" is selected. In this case I do not have any existing federation servers on the network, so I will leave it on this option. Notice the second option "Add a federation server to a federation server farm".
If you have an existing federation server on the network, you can join this server to it so that the servers together form a federation server farm. Servers in a farm share one configuration and, when they are placed behind a load balancer, the federation service stays available even if one of the federation servers fails. If you have used Active Directory Federation Services on a previous version of Windows Server, you will remember an option for a standalone federation server. That option allowed a single federation server to be installed which could not be added to a farm later on. The standalone option has been removed in Windows Server 2012 R2; every deployment is a farm, even if it only ever has one member.

Once I press next, I will be asked which user I want to use to perform the configuration. In this case, I am logged into the server using a Domain Administrator account, so I will leave this user selected and move on.

On the next screen, I need to select which SSL certificate I want to use. You will notice that the drop-down box contains the certificate that I obtained earlier using enrollment. I used enrollment as it is a simple way to get a certificate; however, you can also use the "Import" option if you were given a certificate in a file, which must be a PFX so that the private key comes with it. At the bottom of the screen, I need to enter a user friendly name for the Federation Service. This will be displayed to the end user on the sign-in page, so choose a display name that is meaningful to them.

Once I move on to the next screen, a service account needs to be specified to run Active Directory Federation Services. Notice the warning message at the top of the screen. When I press "Show more" I can see the whole message. This is telling me that a PowerShell command needs to be run to create a KDS root key.

A managed service account is one in which Windows manages the password for the service account. Rather than the administrator having to set and rotate a password for this account, Windows does this automatically. From Windows Server 2012, group managed service accounts are supported, which means the domain must have at least one Domain Controller running Windows Server 2012 or later. For these accounts to work, a root key needs to be created in the Key Distribution Service (KDS) and replicated to all Domain Controllers. Each Domain Controller derives the account's current password from this root key, so a group managed service account that is used on multiple systems (for example every server in a federation server farm) gets the same password from whichever Domain Controller it asks.

This command runs in PowerShell but does require the Active Directory PowerShell module to be installed on the server, which is not installed on this server. In order to run the PowerShell command, I will navigate back to Server Manager and select the option "All Servers". This will show NYDC1, which is a Domain Controller, which I will right click on and select the option "Windows PowerShell" to launch an instance of Windows PowerShell on NYDC1. For this to work, NYDC1 must already have been added to Server Manager's server pool, and the account you are using must be a member of Domain Admins, which creating the root key requires. Once PowerShell has opened, I can run the command, which should only take a couple of seconds. Once complete, the KDS root key will be created on this Domain Controller. This is an important fact to remember, as this Domain Controller will need to replicate this information to the other Domain Controllers in the domain.
As a safety measure, Domain Controllers will not use a new key until 10 hours after it is created, which gives replication time to complete so that every Domain Controller is able to answer password related queries for that key. Now that the key has been created, I will exit PowerShell and go back to the configuration wizard. The option "Create a Group Managed Service Account" is grayed out, so I will press the Previous button and then the Next button to refresh this screen. Notice now I can select the option "Create a Group Managed Service Account", and I will enter the name FSGMSA, for Federation Services Group Managed Service Account. Once the name is entered, I will move on to the next screen.

On this screen the wizard will ask if you want to use the Windows Internal Database or SQL Server. In this case I do not have a SQL Server configured on my network, so I will select the default option of Windows Internal Database and move on. The next screen allows the administrator to review what is going to happen. In this case, the Windows Internal Database is not installed on this system, so the wizard will also install this.

The next screen performs a prerequisites check. Notice a warning message has appeared about the managed service account. When a new KDS root key is created, 10 hours must pass before Windows can start using it for group managed service accounts. For this reason, the Active Directory Federation Services service may fail to start until 10 hours have passed. If you know that you will be installing Active Directory Federation Services in the future and will be using a group managed service account, it is worth running the PowerShell command in advance.

Once I press the Configure button, the server will be configured to run Active Directory Federation Services. The process takes a minute or so to complete, so I will pause the video and return shortly. Once the configuration is complete, notice that I get the same warning message telling me the KDS root key has just been created and 10 hours need to elapse. If you attempt to start the Active Directory Federation Services service before then, it may fail to start.

That's it, the basics of the Active Directory Federation Services install and configuration are now complete. In the upcoming videos I will look at how to use Active Directory Federation Services so you can start deploying it in your organization. I look forward to seeing you in those videos and thanks for watching.
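The whole procedure above, from the role install to the first farm node, can be done unattended with the AD FS cmdlets that the wizard itself calls. The following is an added example and is not part of the video. It also adds the two pre-flight checks that would have caught the errors readers report in the comments below: the "SPN required for this Federation Service is already set on another Active Directory account" failure, and a certificate that does not cover the service name. The service name fs.corp.example.com, the display name, the gMSA CORP\FSGMSA$ (assumed to exist already, as the wizard creates it in the video) and the certificate having already been enrolled into the local machine store are all assumptions for the example.

```powershell
# Added example (not from the video): the same install done unattended with the
# AD FS cmdlets, plus pre-flight checks for the errors readers hit in the
# comments. Assumptions: federation service name fs.corp.example.com, the KDS
# root key already created and past its 10-hour grace period, gMSA CORP\FSGMSA$
# already existing, and the SSL certificate already in Cert:\LocalMachine\My.
# Run elevated as a Domain Admin on the future federation server.
$Fsn     = 'fs.corp.example.com'
$Display = 'Corp Sign-In'
$Gmsa    = 'CORP\FSGMSA$'

# 1. Role install: the Server Manager "Add Roles and Features" steps.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# 2. SPN check. Configuration registers HOST/<service name> on the service
#    account and fails if any other object already holds that SPN. The usual
#    cause is naming the service after an existing computer, since every
#    computer account carries HOST/<its FQDN>; the service name must not be a
#    machine name.
Import-Module ActiveDirectory
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$Fsn)" -Properties servicePrincipalName
if ($owner) {
    throw "HOST/$Fsn is already registered on $($owner.DistinguishedName); choose another service name or remove it with setspn -D"
}

# 3. Pick the newest certificate in the machine store that has a private key
#    and whose subject or SAN (wildcards included) covers the service name.
#    This is the drop-down list in the wizard.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $c = $_
        $names = @($c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)) +
                 @($c.DnsNameList | ForEach-Object { $_.Unicode })
        $c.HasPrivateKey -and @($names | Where-Object { $Fsn -like $_ }).Count -gt 0
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for $Fsn with a private key in Cert:\LocalMachine\My" }

# 4. First node of a new farm. Leaving out -SQLConnectionString selects the
#    Windows Internal Database, the wizard's default; the cmdlet installs WID
#    if it is missing, as the wizard does.
$result = Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                           -FederationServiceName $Fsn `
                           -FederationServiceDisplayName $Display `
                           -GroupServiceAccountIdentifier $Gmsa
"$($result.Status): $($result.Message)"     # warnings (such as the KDS 10-hour one) show up here
if ($result.Status -eq 'Error') { throw 'AD FS configuration failed' }

# 5. Verify: service state, configured name, and the metadata endpoint
#    answering over the certificate. DNS (or a hosts entry) must point the
#    service name at this server first. AD FS on 2012 R2 listens via HTTP.sys,
#    so there is no IIS site to look at.
$svc = Get-Service adfssrv
"adfssrv is $($svc.Status)"                 # Stopped here usually means the KDS key is not effective yet
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
try {
    $meta = Invoke-WebRequest -UseBasicParsing "https://$Fsn/FederationMetadata/2007-06/FederationMetadata.xml"
    "metadata: HTTP $($meta.StatusCode), $($meta.RawContentLength) bytes"
} catch {
    Write-Warning "metadata endpoint not reachable yet: $($_.Exception.Message)"
}
```

Adding a second node later is `Install-AdfsFarm`'s sibling `Add-AdfsFarmNode` with the same certificate thumbprint and gMSA, which is the "Add a federation server to a federation server farm" option on the wizard's first screen.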

26 Comments

  • Gadgetproblem Noproblem

    Thank you and this was of great help to me, highly recommend your videos, best by a mile when it comes to explaining.

  • Shahbaz Saleem

    Thank you so much for making such a wonderful video series. I learned a lot from your videos. If you can make a small video on the claim based app configuration on High Cost Training organization this will complete the course and help people like me. Thank you once again for your efforts.

  • Bradford Hart

    why is this so complicated???? does Microsoft do anything anymore, or are we going to be writing code for windows next?

  • 8472 IT

    @itfreetraining: Thank you so much for these videos! Amazing work. I've got a question though. I watched all videos and did all exact steps up until this one and I get an error message while doing the steps in this video (in the end at installing ADFS): "An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.". Everything seems to work fine though but I'm not quite sure about what to do with this message and if this will go away in later videos.

  • Devidutta Panda

    An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.

  • Devidutta Panda

    facing the following issue —An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.

  • Daniel Nozzrep

    Hi! Great videos:) I got one question though.
    When I get to the step at 9:00, the NYDC1 doesn't show… What am I doing wrong?

  • It passion

    hi, I follow your videos and I appreciate the work that you are doing and the level of detailing you provide. One thing I would request you to do is add some numbering so I can easily sort out the videos . Thank you

  • Louis Razo

    When I get to the AD FS Federation Server Configuration Wizard, I select Create new Federation Service > New Federation server farm > then I get a message that says "The Selected certificate cannot be used to determine the Federation Service name because the selected certificate has a dotless (short-named) Subject name, select another certificate without a dotless (short-named) subject name (for example, fs.fabrikam.com) and then try again"

  • Aram Julfalakyan

    Thanks again for the video! Unfortunately, I can't do the same in Windows Server 2016 – it doesn't accept the certificate's alternative name:

    "The SSL certificate subject names do not support host name 'certauth.adfs.contoso.com'. Configuring certificate authentication binding on port '49443' and hostname 'adfs.contoso.com'.

    I've issued a wildcard certificate as described in your previous video, and on 2012R2 it works perfectly. But not on 2016…

  • Dáv Ur

    Just for anyone else looking, the "pre-requisite" video about installing certificates mentioned in the first 20 seconds is this one "Installing Enterprise CA for AD FS on Windows Server 2012" – https://www.youtube.com/watch?v=fpvvbeyr7ec (perhaps you could add this to your video description)

  • gus

    hello itfreetraining 🙂 I have one question. I'm trying to remotely promote ADFS on a server core, but when dealing with mmc and trying to use the "request new certificate" option, it doesn't appear. Any help?

  • Joseph Miller

    I received an error when specifying a service account. The error reads "Group Managed Service accounts require a domain with at least one domain controller running Windows Server 2012, 2012R2 or later os. A domain controller that meets these requirements could not be found". Is there any way around this without doing the obvious of installing a domain controller with 2012 on it?

  • shilezi

    Thanks for the very informative video, your voice is very well suited for teaching… I got an extra error at the end of this installation though. Any thoughts on how to sort that out? "An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again."

  • zarkaa yamama

    Thank you very much sir for all your videos, for your efforts; I really appreciate your work. I'm from Morocco and I learned a lot of things from your videos because I'm preparing my MCSA 2012 and I want to thank you because you have helped me a lot. You explain very well and you give all details, God bless you Sir

  • MuckeyDuck Duck

    I compliment the quality of your video. However you still leave large gaps that are hard to cross. For example, you indicate in the Installing ADFS on Windows Server video that you will need a Certificate, and then say, if you do not have a certificate, refer to how to install enterprise CA. The video on Installing Enterprise CA does not cover creating a certificate. In my case I want to create a *.wildcard cert that I can use in a test deployment.

    Do I do a Certificate Request from within IIS on ADFS server, or do I create Certificate on Domain Controller where Enterprise CA was created.

    If you comment on my feedback, please make your comment relevant to my questions.
