This article explores how to configure Active Directory Federation Services (AD FS) on Windows Server.
Configuring IIS Web Services
When originally installing AD FS, if you chose Create a Self-Signed Certificate for SSL Encryption on the Choose a Server Authentication Certificate for SSL Encryption page (as shown below), then you need to configure IIS web services.
The IIS web services need to be configured to require SSL on the federation servers of both the resource and account domains.
Navigate to Start – Administrative Tools – Internet Information Services (IIS) Manager.
In the IIS Manager, in the left window pane, double-click the relevant AD FS server listed in the Connections panel. Double-click Default Web Site in the Sites folder.
Scroll down to the IIS section in the middle pane and double click SSL Settings.
In SSL Settings, you have the option to Require SSL or Require 128-bit SSL (stronger security). You can also enhance security by requiring client certificates. For our example, we tick the Require SSL check box and select Accept under Client certificates. Click Apply for the changes to take effect.
Create a self-signed certificate
Once IIS has been configured, you need to create and export the certificates required to configure the web and federation servers.
Navigate to the relevant server, scroll down to IIS and double click on Server Certificates.
In the Server Certificates pane, select Create Self-Signed Certificate.
The Specify Friendly Name dialog box appears, where you need to specify a name for the certificate. Enter FS certificate and click OK.
The self-signed certificate has been created and is now listed.
Export Token-signing certificates
You now need to export the token-signing certificate from the account domain’s federation server to a file. This certificate must then be imported on the resource domain’s federation server.
Navigate to Start – Administrative Tools – Active Directory Federation Services. Right-click the server and select Properties from the context menu.
The Federation Service Properties dialog box appears. In the General tab, select the View… button.
The Certificate dialog box displays. Navigate to the Details tab and select Copy to File.
The Certificate Export Wizard welcome page displays. Click Next to continue. On the Export Private Key page, accept the default setting No, do not export the private key and click Next.
On the following page, select the format you want the certificate to be exported in. In our case, we retain the default option DER encoded binary X.509 (.CER) and click Next.
Specify the name of the file you want to export. Select Next.
The Completing the Certificate Export Wizard page appears, showing the settings you have specified. If they are correct, click Finish.
The Certificate Export Wizard should confirm that the export was successful; click OK to close the wizard.
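The same three procedures (require SSL with accepted client certificates, create the self-signed certificate, export the token-signing certificate without its private key) as an added PowerShell example; this is not code from the original article. It assumes an elevated prompt on the federation server with the WebAdministration and ADFS modules available (Get-AdfsCertificate exists in AD FS 2.0 and later, newer than the GUI shown above), and the host name and output path are placeholders.

```powershell
# Added example, not part of the original article. Assumes the WebAdministration
# module (IIS), New-SelfSignedCertificate (Windows Server 2012 R2 or later) and the
# ADFS module's Get-AdfsCertificate (AD FS 2.0 or later). Names/paths are placeholders.
Import-Module WebAdministration

# 1. Require SSL on Default Web Site and accept (not require) client certificates,
#    matching the "Require SSL" + "Accept" choices made in SSL Settings above.
#    Use 'Ssl,Ssl128,SslNegotiateCert' to enforce the 128-bit option as well.
function Set-FederationSiteSsl {
    param([string]$Site = 'Default Web Site',
          [string]$Flags = 'Ssl,SslNegotiateCert')
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $Flags
    # Read the setting back so the change is verified rather than assumed.
    Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
}

# 2. Create the self-signed SSL certificate in the machine store (friendly name as above).
function New-FederationSslCertificate {
    param([string]$DnsName)   # federation server FQDN (placeholder value below)
    New-SelfSignedCertificate -DnsName $DnsName -FriendlyName 'FS certificate' `
        -CertStoreLocation 'Cert:\LocalMachine\My'
}

# 3. Export the primary token-signing certificate as DER (.CER), public part only,
#    i.e. the "No, do not export the private key" + "DER encoded binary X.509" choices.
function Export-TokenSigningCertificate {
    param([string]$OutFile)
    $primary = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    Export-Certificate -Cert $primary.Certificate -FilePath $OutFile -Type CERT | Out-Null
    # Sanity check before the file is copied to the resource domain: same thumbprint
    # as the live certificate, and no private key material inside the file.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
    if ($exported.Thumbprint -ne $primary.Certificate.Thumbprint) { throw 'Thumbprint mismatch' }
    if ($exported.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
    $exported.Thumbprint
}

Set-FederationSiteSsl
New-FederationSslCertificate -DnsName 'fs.example.com'          # placeholder FQDN
Export-TokenSigningCertificate -OutFile 'C:\temp\adfs-token-signing.cer'   # placeholder path
```

Compare the thumbprint printed at the end with the one shown in the Certificate dialog's Details tab on the account domain's federation server before importing the .cer file in the resource domain.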
‘Configuring Active Directory Federation Services – Part 2’ will be posted at a later date.