Setting up an AD FS server can be difficult, as there are many options and configurations that you need to be aware of.
In Microsoft Active Directory, federated identity and access management are enabled by the Active Directory Federation Service (AD FS) and often used to enable the use of single sign-on functionality to internet-facing applications. Though we are not going to go through the process of setting up a full AD FS server in this article, we will discuss how this service is used, design considerations, and common tips to make configuration successful.
Fitting AD FS into an Active Directory Environment
Before Windows Server 2012, you would often need to create a dedicated AD FS server. This primary reason being that there was a default enabled web service that was not recommended to co-exist on a domain controller, which was the typical setup for simple deployments. Now the recommendation is that there is no problem installing AD FS on a domain controller if it is intended to be used for 1000 users and under.
The actual installation process itself is not too complicated, especially when some of the common knowledge is taken into consideration. The complication for configuring AD FS in any environment is that of the Relying Party Trust and Claims configurations.
- Relying Party Trust - This is the application that is making the authentication request and how to trust and handle that incoming request.
- Claims Provider - An application that has made an authorization request is requesting a claim, and this configuration is how the AD FS server will treat and respond to that claim. If authenticated, then you will have the option to transform the claim information and pass back the appropriate properties.
Though AD FS has traditionally been used for SAML authentication workflows, there are several options that you have when it comes to AD FS. Modern versions of AD FS support the full multi-factor flow that Azure offers as well.
- Forms Authentication
- Certificate Authentication
- Device Authentication
- Azure MFA
- Microsoft Passport Authentication
Azure AD and AD FS
How does Azure AD fit into the landscape with AD FS? For cloud-centric organizations, primarily Office 365 users, there may not be much need for a more traditional on-premise solution like AD FS. Though AD FS can work with Azure AD, the configuration when using Azure AD is more straightforward. It means that you can take advantage of the scalability and management of the Azure AD solution.
With simplicity, though, comes a lack of management options. There is far more that an AD FS server can do when presented with complex authentication scenarios. Therefore, depending on an organization’s needs, an AD FS server may still be the best solution.
Common Tips, Tricks, and Concerns when Configuring AD FS
Several common issues that are encountered when configuring AD FS that with some knowledge can be avoided and make the installation process that much smoother and more manageable.
Certificate Authority
It’s recommended that you have a certificate authority, which is commonly configured for Active Directory environments, to enable the creation of SSL certificates that can be used to properly authentication and trust the AD FS server.
SSL Certificate
When you are installing AD FS you will need an SSL certificate. To do this, you need to make sure that the DNS is set up correctly to make AD FS work effectively. When creating the certificate, add the following alternate DNS names.
- {FQDN of AD FS Server}.domain
- domain
Group Managed Service Accounts
When installing the AD FS server, you will need to configure an account to have the service run as. Traditional service accounts use the sMSA (standalone Managed Service Account) method, but with newer Active Directory services, it is best to use a gMSA (group Managed Service Account). The primary difference is that the Windows operating system manages the password for the account. To make this work with AD FS, you must first add a KDS Root Key. Using a PowerShell administrative prompt, run the following code to generate a KDS Root Key for 10 hours prior, which avoids non-blocking warnings later in the installation process.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
After you have added the KDS Root Key, you need to create a gMSA account to be used to manage the AD FS service. This is best accomplished using PowerShell, as seen below. One unique aspect that you might notice is the odd syntax in the http://win2019server.ad.test.local. This SPN is there to enable Kerberos authentication between domain-joined clients and AD FS.
$Name = 'sa_adfs'
$Params = @{
"Name" = $Name
"DNSHostName" = 'win2019server.ad.test.local'
"PrincipalsAllowedToRetrieveManagedPassword" = 'win2019server$'
"ServicePrincipalNames" = 'http/win2019server.ad.test.local'
}
New-ADServiceAccount @Params
Install-ADServiceAccount -Identity $Name
Add-ADComputerServiceAccount -Identity 'win2019server' -ServiceAccount $Name
If you get an access denied error when running Install-ADServiceAccount you may need to restart the server first
Enable the IdP Signon Page
Often missed when configuring an AD FS server is the IdP Initiated Signon page, which can help not only with troubleshooting but also with applications that may need this. The fastest way to enable this is by using PowerShell.
Set-ADFSProperties -EnableIdPInitiatedSignonPage $True
Verifying the Metadata of the AD FS Server
The quickest way to verify that the proper metadata is being returned is to use the following URL, updated to use the FQDN of your AD FS Server.
https://{FQDN of AD FS Server}/adfs/fs/federationserverservice.asmx
Conclusion
This article merely scratches the surface of how to configure and setup AD FS. Still, with the information presented here on how to avoid common pitfalls and configuration issues, your organization should be much more successful. If you are using Azure AD, there are authentication processes that can be configured from Azure Portal that does not need an AD FS server. This is best used for more complicated authentication workflows and for on-premise Active Directory environments. Deploy AD FS to take advantage of seamless authentication workflows today!