
Configuring Active Directory Federation Services (AD FS) – Part 1

This article explains how to configure Active Directory Federation Services (AD FS) on Windows Server: requiring SSL in IIS on the federation servers, creating a self-signed server certificate, and exporting the account domain's token-signing certificate so that it can be imported on the resource domain's federation server.

Configuring IIS Web Services

When AD FS was installed, if you chose Create a self-signed certificate for SSL encryption on the Choose a Server Authentication Certificate for SSL Encryption page (shown below), IIS still has to be configured to require SSL.

[Screenshot: AD FS setup, Choose a Server Authentication Certificate for SSL Encryption page]

IIS must be set to require SSL on the federation servers of both the account domain and the resource domain; until it is, the federation endpoints remain reachable over plain HTTP.

Navigate to Start – Administrative Tools – Internet Information Services (IIS) Manager.

[Screenshot: IIS Manager]

In IIS Manager, expand the relevant AD FS server in the Connections pane on the left, expand the Sites folder and double-click Default Web Site.

[Screenshot: IIS Manager, Default Web Site]

Scroll down to the IIS section in the middle pane and double-click SSL Settings.

[Screenshot: IIS Manager, SSL Settings]

In SSL Settings you can tick Require SSL and, optionally, Require 128-bit SSL. Under Client certificates, the three options control whether IIS asks the browser for a client certificate: Ignore never asks, Accept asks but still allows the connection when none is presented, and Require rejects connections that do not present one. For our example we tick Require SSL and select Accept for client certificates. Click Apply in the Actions pane for the change to take effect.

Keep in mind that a self-signed certificate is only suitable for a lab: browsers and partner federation servers will not trust it unless it is imported on each of them, and a production federation server needs a certificate issued by a CA the clients already trust.

[Screenshot: SSL Settings, Require SSL ticked, Client certificates set to Accept, Apply]

Create a self-signed certificate

Once IIS has been configured, you need to create and export the certificates that the web and federation servers require.

In IIS Manager, select the relevant server in the Connections pane, scroll down to the IIS section and double-click Server Certificates.

[Screenshot: IIS Manager, Server Certificates]

In the Actions pane on the right, click Create Self-Signed Certificate.

[Screenshot: Server Certificates, Create Self-Signed Certificate]

The Specify Friendly Name dialog box appears. The friendly name is only the label under which the certificate is shown in IIS Manager and the certificate store; it is not the certificate's subject name and no certificate request file is involved. Enter FS certificate and click OK.

[Screenshot: Create Self-Signed Certificate, Specify Friendly Name]

The self-signed certificate has been created and is now listed.

[Screenshot: Server Certificates, FS certificate listed]
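As an added example, not code from the original article, the following PowerShell performs the same IIS work as the two sections above in one go: it creates the self-signed certificate, binds it to port 443, requires SSL with client certificates set to Accept, and then checks that a plain HTTP request is refused. It assumes Windows Server 2012 R2 or later with the WebAdministration module, a site named Default Web Site, and fs.example.com as the federation server's host name; the host name and the output are placeholders, and the friendly name FS certificate is the one the article enters.

```powershell
# Added example, not from the original article. Assumptions: Windows Server 2012 R2
# or later with the WebAdministration module, a site called "Default Web Site",
# and fs.example.com as the federation server's host name (placeholder).
Import-Module WebAdministration

$siteName = 'Default Web Site'
$fqdn     = 'fs.example.com'    # assumed federation service host name

# 1. Create a self-signed server certificate in the machine Personal store.
#    Self-signed is for a lab only: browsers and federation partners will not
#    trust it unless they import it, so production uses a CA-issued certificate.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
$cert.FriendlyName = 'FS certificate'   # the label the article enters in the wizard

# 2. Bind the certificate to HTTPS on port 443 (creating the binding if needed).
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL and set client certificates to Accept. The flag values map to
#    the SSL Settings page: Ssl = Require SSL, Ssl128 = Require 128-bit SSL,
#    SslNegotiateCert = Accept client certificates, SslRequireCert = Require them.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert'

# 4. Read the setting back and confirm that an HTTP request is refused
#    (IIS answers 403.4 "SSL required" when Require SSL is on).
$flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
"sslFlags on '$siteName': $flags"

try {
    Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning 'Plain HTTP succeeded: Require SSL is not in effect.'
} catch {
    "Plain HTTP refused as expected: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on each federation server. Swapping the flag value for 'Ssl,Ssl128,SslNegotiateCert' is the equivalent of also ticking Require 128-bit SSL, and 'Ssl,SslRequireCert' corresponds to Require under Client certificates.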

 

Export the token-signing certificate

You now need to export the token-signing certificate from the account domain's federation server to a file, which will later be imported on the resource domain's federation server. The resource domain uses this certificate only to verify the signature on security tokens issued by the account domain, so the file needs to contain nothing more than the public certificate; the private key stays on the account domain's federation server.

Navigate to Start – Administrative Tools – Active Directory Federation Services. Right-click the federation server and select Properties.

[Screenshot: AD FS console, Federation Service Properties]

The Federation Service Properties dialog box appears. On the General tab, click the View… button next to the token-signing certificate.

[Screenshot: Federation Service Properties, General tab, View]

The Certificate dialog box opens. Switch to the Details tab and click Copy to File… This tab also shows the certificate's thumbprint; note it down, because the resource domain's administrator can use it to confirm that the file they import is the one you exported.

[Screenshot: Certificate, Details tab, Copy to File]

The Certificate Export Wizard welcome page appears. Click Next to continue. On the Export Private Key page, keep the default No, do not export the private key and click Next. The resource partner only verifies signatures, so the public certificate is all it needs; anyone who holds the token-signing private key can issue tokens that the resource domain will trust, so it must never leave the account domain's federation server.

[Screenshot: Certificate Export Wizard, Export Private Key, No selected]

On the Export File Format page, select the format for the exported certificate. In our case we keep the default DER encoded binary X.509 (.CER) and click Next. Base-64 encoded X.509 would also work; both formats carry only the public certificate.

[Screenshot: Certificate Export Wizard, Export File Format, DER encoded binary X.509]

On the File to Export page, specify the name of the file to export to and click Next.

[Screenshot: Certificate Export Wizard, File to Export, file name]

The Completing the Certificate Export Wizard page appears and summarises the settings you have chosen. If they are correct, click Finish.

[Screenshot: Completing the Certificate Export Wizard, Finish]

The Certificate Export Wizard confirms that the export was successful; click OK to close it.

[Screenshot: Certificate Export Wizard, export successful]
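As an added example rather than code from the article, the following PowerShell performs the same export on the account domain's federation server and adds the two checks a practitioner wants before handing the file to the resource domain: that the exported file holds no private key, and that its thumbprint matches the certificate on the server so the receiving administrator can confirm it out of band. It assumes the token-signing certificate sits in the local machine Personal store and is identified by a thumbprint copied from the Details tab; the thumbprint and the output path are placeholders. On AD FS 2.0 and later the certificate can instead be located with Get-AdfsCertificate -CertificateType Token-Signing, which the console version shown in this article does not offer.

```powershell
# Added example, not from the original article. Assumptions: the token-signing
# certificate is in Cert:\LocalMachine\My and is picked by thumbprint; replace
# the placeholder thumbprint and the output path with your own values.
$thumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_DETAILS_TAB'
$exportPath = 'C:\export\account-fs-token-signing.cer'

# Alternative on AD FS 2.0 and later (not available on the console version shown):
#   $thumbprint = (Get-AdfsCertificate -CertificateType Token-Signing).Thumbprint

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"
New-Item -ItemType Directory -Path (Split-Path -Parent $exportPath) -Force | Out-Null

# -Type CERT writes DER-encoded binary X.509, the wizard's default format.
# Export-Certificate can only write the public certificate; the private key
# stays on this server (Export-PfxCertificate is the cmdlet that would move it).
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT | Out-Null

# Check 1: the exported file must not carry a private key. Anyone holding the
# token-signing private key can issue tokens that the resource partner trusts.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $exportPath
if ($exported.HasPrivateKey) {
    throw "Exported file $exportPath contains a private key; do not distribute it."
}

# Check 2: the file is the certificate you meant to export. Send the thumbprint
# to the resource-domain administrator out of band (phone or ticket, not the
# same channel as the .cer file) so they can compare it after importing.
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw 'Thumbprint of the exported file does not match the source certificate.'
}

[pscustomobject]@{
    File       = $exportPath
    Subject    = $exported.Subject
    Thumbprint = $exported.Thumbprint
    NotAfter   = $exported.NotAfter   # plan the re-export before this date
}
```

The NotAfter value matters in federation: when the token-signing certificate is renewed on the account side, the resource domain stops accepting tokens until the new public certificate is exported and imported again, so record the expiry date alongside the thumbprint.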

 

 

‘Configuring Active Directory Federation Services – Part 2’ will be posted at a later date.
