Step-by-Step Guide to Installing and Configuring ADFS 3.0
Pre-requisites:
- Windows server 2012 R2
- SSL certificate for ADFS
- Only members of the Domain Admins group can install and configure ADFS 3.0
Installing the Active Directory Federation Services role with Server Manager
1. Log in to the server and click "Add roles and features" on the Server Manager Dashboard:
2. Click "Next" on the following screen:
3. Choose "Role-based or feature-based installation" and then click "Next"
4. Choose "Select a server from the server pool", choose the ADFS server from the Server Pool list, and then click "Next"
5. Select the "Active Directory Federation Services" role, then click "Next"
6. Select ".NET Framework 4.5 Features", then click "Next"
7. Click "Next" on the following screen
8. Click "Install" to begin installing ADFS
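The same role installation done from an elevated PowerShell session rather than by clicking through Server Manager. This is an added example, not part of the original guide; it assumes it is run on the server that will become the federation server. `ADFS-Federation` and `NET-Framework-45-Features` are the real feature names behind steps 5 and 6.

```powershell
# Added example (not from the original guide): install the AD FS role with
# PowerShell. Run in an elevated session on the future federation server.

Import-Module ServerManager

# ADFS-Federation pulls in its own prerequisites, including .NET Framework 4.5,
# which the GUI wizard makes you tick separately.
$result = Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

if (-not $result.Success) {
    throw "AD FS role installation failed (exit code: $($result.ExitCode))"
}

# The role can usually be configured without a reboot, but check anyway.
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before configuring the federation service.'
}

# Confirm that the role and the .NET feature are now installed.
Get-WindowsFeature -Name ADFS-Federation, NET-Framework-45-Features |
    Select-Object Name, InstallState
```

Installing the role only copies the binaries; nothing listens on 443 and no service account exists until the federation service is configured in the next section.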
Configuring the Active Directory Federation Service
1. After the installation has completed, click "Configure the federation service on this server".
2. In the new window that opens, choose the default option, "Create the first federation server in a federation server farm". Even if you do not plan to create a farm, a single server is still a farm. You can extend your one-server farm to a larger farm at any time by adding additional nodes.
3. Choose the account used for the configuration. I recommend using a Domain Administrator, but you can get away with a less privileged account by granting it write permissions to a container in AD.
4. Select the SSL certificate and type your federation service name. The certificate can be a wildcard (like mine) or one issued to a specific subject. The federation service name must match the subject of the certificate. The display name can be changed at a later stage, but the federation service name cannot be changed later.
5. Specify the AD FS service account. On the Specify Service Account page there are two options. The first option is to create a group managed service account (gMSA). This option requires at least one Windows Server 2012 domain controller in the domain where the gMSA is created. The second option is to use an existing gMSA or a regular domain user account. Here we use a regular domain user account.
6. Specify the type of configuration database. Here too there are two options. The default option is Windows Integrated Database (WID). WID is mostly the same as SQL Server Express; it is sufficient for most customers and is actually recommended when the federation server farm contains fewer than 8 servers. If you are installing more than 8 servers in the federation server farm, choose SQL instead. Note that some security features require a SQL server.
7. Review the settings. You can click "View script" to see the PowerShell script that automates the installation of additional servers.
8. Verify that the prerequisite checks completed successfully and click Configure.
9. Create an A record (do not use a CNAME record, as this will give you errors with Windows authentication / single sign-on!) that points to the ADFS server's IP address. If you are doing a highly available setup, point the A record at your load-balancing IP address.
10. Test the ADFS server. Use the URL https://<your ADFS federation service name>/adfs/ls/IdpInitiatedSignon.aspx (such as https://adfs.frontedge.com/adfs/ls/IdpInitiatedSignon.aspx ) to test your federation server. Start by testing from a domain user on a domain-joined client. You should see one of the following options:
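Steps 3 to 10 scripted with the AD FS and DNS Server cmdlets, as an added example rather than the script the wizard shows in step 7. It assumes the certificate is already imported into the local machine store with its private key, that `adfs.frontedge.com` (the guide's example name) is the service name, and that the DNS zone is AD-integrated on the server where the DNS command runs; the display name, IP address and service account name are constructed placeholders.

```powershell
# Added example (not the wizard's generated script): create the first
# federation server, add the A record and smoke-test the sign-on page.
# Run as a Domain Admin (or the delegated account from step 3).

$FederationServiceName = 'adfs.frontedge.com'  # must match the certificate subject or wildcard; cannot be changed later
$DisplayName           = 'Front Edge Sign-On'  # constructed; can be changed later
$DnsZone               = 'frontedge.com'
$AdfsIPAddress         = '10.0.0.10'           # constructed: the server's IP, or the load balancer VIP for HA

# Select the SSL certificate by subject so no thumbprint has to be typed by hand.
# Matches either a CN=adfs.frontedge.com certificate or the wildcard *.frontedge.com.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'CN=(\*|adfs)\.frontedge\.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No matching SSL certificate with a private key found in LocalMachine\My.' }

# Service account: a regular domain user, as in step 5. It only needs to run the
# service, not administer the domain. For a gMSA use -GroupServiceAccountIdentifier instead.
$svcCred = Get-Credential -Message 'AD FS service account (DOMAIN\svc_adfs)'

# Create the farm on WID, which is what the wizard's default does in step 6.
Install-AdfsFarm `
    -CertificateThumbprint        $cert.Thumbprint `
    -FederationServiceName        $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential     $svcCred

# Step 9: an A record, not a CNAME. Run where the DNS Server module is available.
Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name 'adfs' -IPv4Address $AdfsIPAddress

# Step 10: request the IdP-initiated sign-on page. -UseDefaultCredentials sends the
# logged-on user's Windows credentials, the same thing a browser does for an
# intranet-zone site, so a 200 from a domain-joined client confirms SSO works.
$signOnUrl = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"
$response  = Invoke-WebRequest -Uri $signOnUrl -UseDefaultCredentials -UseBasicParsing
'{0} -> HTTP {1}' -f $signOnUrl, $response.StatusCode
```

Additional farm members are joined with `Add-AdfsFarmNode` against the first server, which is the script the wizard offers in step 7. If the test returns a certificate error, check that the name in `$FederationServiceName` is exactly what the certificate covers; if it prompts for credentials instead of signing on silently, the client does not yet treat the site as Local intranet, which the next section addresses.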
NOTE: Please email the SchoolFront Team the URL
If you have added the ADFS site to the Local intranet zone in Internet Explorer's security settings, you should get Single Sign-On (SSO) and be directed to the following. Best practice would be to configure a GPO that adds this to all domain machines.
You can manually add the ADFS site to the Local Intranet Sites in Internet Explorer as follows:
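The registry equivalent of the manual Internet Options steps, as an added example that is not part of the original guide. Internet Explorer keeps per-user zone assignments under `ZoneMap\Domains`, where the value name is the URL scheme and a DWORD of 1 means Local intranet; `adfs.frontedge.com` is the guide's example host and the only assumption here.

```powershell
# Added example (not from the original guide): assign https://adfs.frontedge.com
# to the Local intranet zone for the current user, so IE sends Windows
# credentials to it and SSO works. Only the HTTPS scheme is mapped.

$AdfsHost = 'adfs'           # host part of the federation service name
$Domain   = 'frontedge.com'  # domain part

# ZoneMap\Domains\<domain>\<host>, value = <scheme> (DWORD): 1 = Local intranet
$zoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key = Join-Path (Join-Path $zoneMapDomains $Domain) $AdfsHost

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Verify: 1 means the site now sits in the Local intranet zone.
(Get-ItemProperty -Path $key).https
```

For every domain machine, use the GPO route the guide recommends instead of per-user registry edits: the "Site to Zone Assignment List" policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page) with the entry `https://adfs.frontedge.com` set to `1`. Map only the HTTPS name, not the whole parent domain, so Windows credentials are offered to nothing beyond the federation service.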