Installing Enterprise CA for AD FS on Windows Server 2012

Welcome to the ITFreeTraining video on setting up an Enterprise CA for use with Active Directory Federation Services. This video will set up an Enterprise Root CA for use with Active Directory Federation Services. If you already have an Enterprise CA configured on your network, you can follow the steps in the later part of this video for creating a template to issue certificates. If you do not have a certificate hierarchy already, this video will get you up and going with the basic requirements.

If you are planning to use certificates in your company, I would recommend doing some additional research on how to deploy a certificate hierarchy, as this is a big, long-term investment for your company. I will now change to my computer running Windows Server 2012 to have a look at how to set up an Enterprise Root CA for use with Active Directory Federation Services.

This is a basic Windows Server 2012 Standard install. No additional roles have been added. The only change to the base install was to add it to the ITFreeTraining domain. To start with, I need to add the certificate role to the server. To do this, I will need to open Server Manager. Once Server Manager has opened, I next need to select the option "Add roles and features" found on the welcome screen to start the Add Roles and Features Wizard. Once I am past the welcome screen, I will leave it on the default option to install a "Role-based or feature-based installation" and then, on the next screen, leave it on the default option of the current server.

On the next screen I need to select which role I want to install. In this case, the only role that I need to select is "Active Directory Certificate Services". Once selected, Windows will prompt for some additional features that need to be installed. So, I will press "Add Features" and then move on to the next screen of the wizard. This screen will allow you to select additional features, of which there are none. For this reason I will press Next and move on.

The next screen is the welcome screen for Certificate Services. Once I move past this screen, I next need to select which components of Certificate Services I want to install. In this case, the default option of "Certification Authority" is the only component that is required, so I will leave it selected and move on to the next screen of the wizard. The last screen will show me the options that I have selected. Once I press Install, the role will be installed. This process does take a few minutes to complete, so I will pause the video and return shortly.

Now that the role has been installed, I can close the wizard. The next step is to configure the role. To do this, I need to select the exclamation mark at the top of the screen and then select the option "Configure Active Directory Certificate Services on the destination server".

The first screen of the configuration wizard will ask which user account you want to use. By default it will use the currently logged in user, which is a domain administrator. This has enough rights to perform the install, so I will press Next to move on. Keep in mind that an Enterprise CA is registered in the configuration partition of the forest, so the account also needs to be a member of Enterprise Admins (the built-in Administrator account of the forest root domain is a member by default).

On the next screen I need to select which components I want to configure. In this case the only component that has been installed is the "Certification Authority" component, so I will tick that component and move on to the next screen of the wizard.

On the next screen I need to make sure that "Enterprise CA" is selected. If this option is grayed out, check to make sure the server has been added to the domain and that you are logged in with a domain account that has the rights described above. In a later video I will configure the High Cost Training CA, for which I will use the Standalone CA option, if you are interested in how to do this. With "Enterprise CA" selected, I will move on to the next screen of the wizard.

In this particular case I will select the option "Root CA". In a production environment I would use an offline standalone CA for the root CA, for additional security, and make the Enterprise CA a subordinate CA that issues the day-to-day certificates; the root key is then only used when a subordinate CA certificate or a CRL needs signing. In this case I am performing just the basic install to obtain a certificate for the Active Directory Federation Server.

For the next few screens, I will accept the default options. These screens cover the cryptographic provider, key length and hash algorithm, the CA name, and the validity period of the CA certificate. If you are planning to configure certificates in your organization, you should take your time to understand and configure these options to meet your needs. In this case, the default options will work fine to install and use AD FS, but remember, the options you select here, in particular the CA name and the key, cannot be changed later without reinstalling the CA. So if you plan to deploy Certificate Services for use in your company, do your research first. Once I press Configure, the server will be configured as an Enterprise Root CA. This does take a minute or so to complete, so I will pause the video and return shortly.

Once the server has been configured, I will close the wizard. The next step is to configure a certificate template to be used with Active Directory Federation Services. To do this, I will select the Tools menu and then select the option "Certification Authority". Once open, I will need to expand down to "Certificate Templates", right click it and select the option "Manage".

From the list of templates I need to select one that provides the basic functionality for Federation Services. Since Federation Services uses web protocols, I will scroll down to the bottom and select the Web Server template, which already carries the Server Authentication purpose that a TLS endpoint needs. The next step is to right click the template and select the option "Duplicate Template". Once selected, the properties for the copy of the "Web Server" template will be displayed. It is now just a matter of customizing this template for use with Active Directory Federation Services.

The first change that I will make can be found on the tab "General". For the display name, I will enter in "ADFS SSL Certificate 2012" to make it easy to tell apart from the other certificates.

Next I will select the "Subject Name" tab. On this tab I will need to select the option "Build from this Active Directory information". When the Active Directory Federation Server requests a certificate from the Certificate Authority, the CA will fill in this information from the server's computer account. If you are using a stand-alone certificate authority you would need to enter this information yourself. I will look at how to configure these settings manually when I set up the CA for High Cost Training.

Under "Subject name format" I need to select the option "Common name". Active Directory Federation Services requires that both the common name in the certificate and also the DNS name be configured. To configure the DNS information, make sure the tick box "DNS name" is ticked; this places the server's fully qualified name in the Subject Alternative Name extension. The other tick boxes do not need to be ticked. Note that because both names are built from the computer account, the certificate will be issued for the host name of the federation server. If your federation service name is going to differ from the host name, you would instead need to choose "Supply in the request" and enter the names when requesting the certificate.

Next I need to select the Security tab to ensure that the server has enough access to request a certificate. To do this, I will press the Add button and then press the button "Object Types". Before I can enter in the name of the server to search for, I first need to tick the option "Computers". If this option is not selected, the search will not find the computer account associated with the server. Once ticked, I can go back and enter the computer name of my Active Directory Federation Server. This server has had the base install performed and been added to the domain, but nothing else has happened to it, as yet.

Once the server has been added to the permissions list, I need to also ensure that the "Enroll" permission is ticked, which can be found in the Allow column. If the Read and Enroll permissions are not set to Allow, the server will not be able to request a certificate. The permission is granted to the computer account, so the request later has to be made from the computer's certificate store, not from a user's. If you later build an AD FS farm, every federation server needs the same certificate; in that case also tick "Allow private key to be exported" on the Request Handling tab, otherwise the key cannot be moved to the other nodes.

Once I exit out of here, you will notice the new template has been added to the list of available templates; however, it will not be available to the CA yet. To make it available, I need to close this window and go back to "Certification Authority". From here I need to right click "Certificate Templates" and select the option "Certificate Template to Issue" under the New menu. Once selected, a window will appear showing all the available templates. It is just a matter of selecting the template that I want to use and pressing the OK button. You will notice the template is now available and listed in Certificate Templates.

The certificate template has now been configured and added to the Enterprise CA. Now the server that is running Active Directory Federation Services will be able to request the certificate to be used with Active Directory Federation Services. But the install of Active Directory Federation Services I will leave to another video. Till that time, I hope you have found this video useful and I look forward to seeing you in the next video from this series on Active Directory Federation Services. Until then, thanks for watching.
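The same build, done from PowerShell so it can be repeated and checked rather than clicked through. This is an added example and is not part of the ITFreeTraining video; the video does everything in the GUI. It assumes names that the video does not give: the AD FS server is ADFS1, the domain is itfreetraining.local, the federation service name is fs.itfreetraining.local, and the duplicated template was created in the GUI as "ADFS SSL Certificate 2012" with the template name ADFSSSLCertificate2012 (template duplication itself is left to the GUI, as in the video). The CA section chooses SHA256 and a 4096-bit key instead of the Server 2012 wizard defaults, because those choices cannot be changed after the CA exists. The last two sections verify the two things the video says will make a request fail: a missing Read or Enroll permission on the template, and a certificate whose names do not match the federation service name.

```powershell
# Added example, not from the video. Run in an elevated PowerShell on
# Windows Server 2012 or later. Names below are assumptions: ADFS1,
# itfreetraining.local, fs.itfreetraining.local, ADFSSSLCertificate2012.

# --- 1. On the CA server: add the role and configure an Enterprise Root CA ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Wizard defaults on Server 2012 are a 2048-bit RSA key and SHA1. The CA name
# and key cannot be changed later, so they are set explicitly here.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'ITFreeTraining Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Confirm the CA answers requests and report its configured name.
certutil -ping
certutil -cainfo name

# --- 2. Publish the duplicated template so the CA will issue from it ---
# Same effect as "Certificate Templates > New > Certificate Template to Issue".
Add-CATemplate -Name 'ADFSSSLCertificate2012' -Force
Get-CATemplate | Where-Object Name -eq 'ADFSSSLCertificate2012'

# --- 3. Verify the AD FS computer account holds Read and Enroll ---
# Templates are objects in the configuration partition; "Enroll" in the GUI is
# the Certificate-Enrollment extended right, whose GUID is fixed in the schema.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$templateDn  = "CN=ADFSSSLCertificate2012,CN=Certificate Templates," +
               "CN=Public Key Services,CN=Services,$configNc"
$template    = [ADSI]"LDAP://$templateDn"

# Only Allow entries for the ADFS1$ computer account are of interest.
$aces = $template.ObjectSecurity.Access | Where-Object {
    $_.IdentityReference -like '*\ADFS1$' -and $_.AccessControlType -eq 'Allow'
}
$hasRead   = $aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' }
$hasEnroll = $aces | Where-Object { $_.ObjectType -eq $enrollRight }
if (-not ($hasRead -and $hasEnroll)) {
    throw 'ADFS1$ is missing Read or Enroll on the template; its request will be denied.'
}

# --- 4. On the AD FS server: request the certificate and check the names ---
# Get-Certificate performs the same enrollment the Certificates MMC does. It is
# run from an elevated prompt so the request is made under the computer identity,
# which is the account that was granted Enroll above.
$result = Get-Certificate -Template 'ADFSSSLCertificate2012' `
                          -CertStoreLocation Cert:\LocalMachine\My
$cert = $result.Certificate

# Subject Alternative Name is OID 2.5.29.17; Format($false) renders it as
# "DNS Name=<fqdn>".
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)

# The template builds both names from the computer account, so the certificate
# carries the host's FQDN. AD FS needs the federation service name instead.
$fsName = 'fs.itfreetraining.local'   # assumed federation service name
if ($cert.Subject -ne "CN=$fsName" -or $san -notmatch [regex]::Escape("DNS Name=$fsName")) {
    Write-Warning ("Certificate is for '$($cert.Subject)' / '$san', not '$fsName'. " +
        "If the service name differs from the host name, set the template to " +
        "'Supply in the request' and request the certificate with those names.")
}
```

Sections 1 to 3 run on the CA (section 3 only needs LDAP access to the configuration partition, so it works from any domain member), and section 4 runs on the AD FS server after the template is published. The permission check reads the template's security descriptor directly from Active Directory, which is where the Security tab in the template console writes it, so it sees exactly what the CA will evaluate when ADFS1$ submits its request.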
