ADFS 2016 Technical Preview 4 Install Guide

Introduction

Microsoft is in the process of releasing Windows Server 2016, and this release includes a new version of ADFS.

In this article I will focus only on the installation process of the ADFS 2016 preview (the easy bit); future guides will focus on integration.

Here is some related reading material from my previous posts:

  • Group Managed Service Accounts – Highly recommended for all ADFS implementations, because the service runs with a machine-managed password that is never typed or stored by an administrator. That article was written for Windows Server 2012 but is still relevant for 2016.

My Lab

The lab is running in Microsoft Azure; the following services relevant to ADFS 2016 are running in this lab:

  • Active Directory – Single Forest, Single Domain
    • OS – Windows 2012 R2
    • Server Name – DC2012R2
  • PKI Certificate Server running on the domain controller (not recommended for production: a CA key on a DC means a DC compromise is also a CA compromise)
  • ADFS 2016 Backend Server
    • OS – Windows 2016 Technical Preview 4
    • Server Name – S2016PR4ADFS01
  • ADFS 2016 Web Applications Proxy Server
    • OS – Windows 2016 Technical Preview 4
    • Server Name – S2016PR4PRX01

Preparation

All ADFS implementations require the following high-level preparation tasks before starting the installation (Microsoft has a well-documented checklist that should be followed):

  • Split-brain DNS – This lets internal users resolve the ADFS URL to the internal ADFS backend servers while external users resolve the same name to the Web Application Proxy. Info can be found here.
  • DNS records
    • External DNS
      • A Record – adfs2016.schmarr.com
        • Point to Web Application Proxy Server external IP
      • A Record – enterpriseregistration.schmarr.com
        • Point to Web Application Proxy Server external IP
      • A Record – certauth.adfs2016.schmarr.com
        • Point to Web Application Proxy Server external IP
    • Internal DNS
      • A record – adfs2016.schmarr.com
        • Point to ADFS 2016 backend server internal IP
      • A Record – enterpriseregistration.schmarr.com
        • Point to ADFS 2016 backend server internal IP
      • A Record – certauth.adfs2016.schmarr.com
        • Point to ADFS 2016 backend Server internal IP
  • ADFS features – ADFS has additional features that need to be considered before acquiring the certificate, because they dictate which names must be in it. For example, workplace join has additional certificate requirements (the enterpriseregistration name); read more about workplace join here. Likewise, if certificate authentication is to be served on port 443 through the proxy, certauth.adfs2016.schmarr.com must be in the certificate as well. Note that the lab certificate below does not include the certauth name even though a DNS record was created for it.
  • Certificate – All communication between the client and ADFS is encrypted with TLS, so the certificate must be trusted by every party, including non-domain-joined and external clients. An externally issued (publicly trusted) certificate is advised.
    • In this article an internal certificate was used.
    • Lab SSL Certificate attributes:
      • Subject Name (CN): adfs2016.schmarr.com
      • Subject Alternative Name (DNS): adfs2016.schmarr.com
      • Subject Alternative Name (DNS): enterpriseregistration.schmarr.com
  • Group Managed Service Account  – how-to
    • Enable group Managed Service Accounts by creating the KDS root key (on a domain controller running 2012 R2 or higher); without the root key New-ADServiceAccount fails.
    • ADFSGmsa
      • PowerShell command – "New-ADServiceAccount ADFSGmsa -DNSHostName adfs2016.schmarr.com -ServicePrincipalNames http/adfs2016.schmarr.com"
  • Topology – Choose the correct topology to fit business requirements. More information about topologies can be found here.
    • A stand-alone federation server using WID (Windows Internal Database) will be used in this article.
      • Gotcha – WID is not capped by default and can consume a large share of the server's memory; limit its memory usage (covered in the installation steps).
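The gMSA creation and the split-brain DNS check from the preparation list, as an added example that is not part of the original post. It assumes the names used on this page (domain schmarr.com, federation service adfs2016.schmarr.com, ADFS server S2016PR4ADFS01, account ADFSGmsa); the resolver addresses 10.0.0.4 (internal) and 8.8.8.8 (external) are placeholders, and the -EffectiveTime shortcut is for a lab only. Run it on the domain controller as a domain admin.

```powershell
# Added example (not from the original post): create the ADFS gMSA and verify split-brain DNS.
# Assumptions: domain schmarr.com, federation service name adfs2016.schmarr.com, ADFS backend
# S2016PR4ADFS01. Resolver addresses below are placeholders for the lab's internal and external DNS.

Import-Module ActiveDirectory

$FsName     = 'adfs2016.schmarr.com'
$AdfsServer = 'S2016PR4ADFS01'
$GmsaName   = 'ADFSGmsa'

# 1. gMSAs need a KDS root key in the forest. Backdating it 10 hours makes it usable at once in a
#    single-DC lab; in production use Add-KdsRootKey -EffectiveImmediately and wait for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab shortcut only
}

# 2. Create the gMSA. Restricting password retrieval to the ADFS computer account is the least
#    privilege setting: no other host can obtain the service's credential.
$adfsComputer = Get-ADComputer -Identity $AdfsServer
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $FsName `
        -ServicePrincipalNames "http/$FsName" `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsComputer
}

# 3. Show the result. The SPN is what Kerberos clients will request for the federation service,
#    so it must match the federation service name exactly.
Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 4. Split-brain DNS check: every name must resolve to the backend internally and to the proxy externally.
$names     = @($FsName, 'enterpriseregistration.schmarr.com', "certauth.$FsName")
$resolvers = @{ Internal = '10.0.0.4'; External = '8.8.8.8' }   # placeholder resolver addresses
foreach ($n in $names) {
    foreach ($r in $resolvers.GetEnumerator()) {
        $ip = (Resolve-DnsName -Name $n -Type A -Server $r.Value -ErrorAction SilentlyContinue).IPAddress
        '{0,-10} {1,-40} {2}' -f $r.Key, $n, ($ip -join ',')
    }
}
```

On the ADFS server itself, `Install-ADServiceAccount ADFSGmsa` followed by `Test-ADServiceAccount ADFSGmsa` confirms that the computer can retrieve the managed password; if it returns False right after the account was created, reboot the server (or purge its machine Kerberos ticket) so its token picks up the new group membership.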

Installation

ADFS 2016 backend server installation

  1. Install the required SSL certificate.
    1. Here is a guide for requesting a SAN certificate from an internal PKI or an external certificate provider.
    2. [Screenshot: ADFS2016Preview-ScreenShot2]
    3. Additional information for the "certauth" URL can be found here.
  2. Install Active Directory Federation Services role on server
    1. PowerShell command – "Install-WindowsFeature ADFS-Federation -IncludeManagementTools"
    2. Get the 2012 R2 wizard options from here
  3. Configure Active Directory Federation Services
    1. PowerShell command – "Install-AdfsFarm -CertificateThumbprint ff236398ad5b51b9dd427cf819e6586b43d2009b -FederationServiceName adfs2016.schmarr.com -GroupServiceAccountIdentifier AS\ADFSGmsa$"
    2. Get the 2012 R2 wizard options from here
  4. Limit WID memory usage
    1. Install SQL Management Studio Express – Download from here
    2. Open an admin Command Prompt and connect to the WID named pipe – "osql -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query"
    3. Enter the following commands
      1. exec sp_configure 'show advanced options', 1;
      2. reconfigure;
      3. go
    4. To check the current config:
      1. exec sp_configure;
      2. go
    5. Reconfigure WID to use at most 2 GB
      1. exec sp_configure 'max server memory', 2048;
      2. reconfigure with override;
      3. go
      4. quit
    6. Restart the Windows Internal Database service (MSSQL$MICROSOFT##WID)
    7. Optional – Uninstall SQL Management Studio Express
  5. Testing Installation
    1. PowerShell command – "Set-AdfsProperties -EnableIdPInitiatedSignonPage $true" (ADFS 2016 ships with this page disabled)
    2. Go to the following URL: https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
      1. A user should be able to sign in from a domain-joined machine on the internal network
      2. A user should be able to sign in from a non-domain-joined machine on the internal network
    3. Optional – Disable the IdP-initiated sign-on page again once testing is complete, unless a relying party needs it
      1. PowerShell command – "Set-AdfsProperties -EnableIdPInitiatedSignonPage $false"
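The backend steps above (certificate, role, farm, WID memory cap, test) as one script. This is an added example and not code from the original post; it uses the page's names (adfs2016.schmarr.com, AS\ADFSGmsa$) but selects the certificate by subject instead of the hard-coded thumbprint, checks its SANs before use, and smoke-tests the metadata endpoint so the IdP-initiated page never has to be enabled. It assumes osql.exe is on the PATH (installed with SQL Management Studio Express as in step 4) and must be run elevated on S2016PR4ADFS01 as a domain admin.

```powershell
# Added example (not from the original post): build the stand-alone WID farm on the ADFS backend.
# Assumptions: SSL cert already in LocalMachine\My, gMSA AS\ADFSGmsa$ exists, osql.exe on PATH.

$FsName   = 'adfs2016.schmarr.com'
$Gmsa     = 'AS\ADFSGmsa$'
$Required = @($FsName, 'enterpriseregistration.schmarr.com')   # add "certauth.$FsName" for cert auth on 443

# 1. Select the certificate by subject and private key, then verify the SANs it must carry.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FsName and a private key in LocalMachine\My" }

$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sans    = if ($sanExt) { $sanExt.Format($true) -split "`r?`n" | ForEach-Object { ($_ -split '=')[-1].Trim() } } else { @() }
$missing = $Required | Where-Object { $sans -notcontains $_ }
if ($missing) { throw "Certificate $($cert.Thumbprint) is missing SAN(s): $($missing -join ', ')" }
"Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Install the role and configure the farm with the gMSA as service identity.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FsName `
                 -GroupServiceAccountIdentifier $Gmsa

# 3. Cap WID memory (the gotcha from the preparation list). WID listens only on this local named pipe,
#    and -E uses Windows authentication, so no SQL login is created or stored.
$wid = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'
$sql = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max server memory', 2048;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'max server memory';
"@
$sql | osql -E -S $wid
Restart-Service 'MSSQL$MICROSOFT##WID' -Force   # -Force also restarts dependent services
Start-Service adfssrv

# 4. Smoke test: the federation metadata must be served over TLS with the expected entityID.
$meta = Invoke-WebRequest -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
"Metadata HTTP $($meta.StatusCode), entityID $(([xml]$meta.Content).EntityDescriptor.entityID)"
```

The SAN check is the part worth keeping even if the rest is done through the wizard: a certificate that is missing the enterpriseregistration or certauth name installs without complaint and only fails later, on the first client that needs that feature. sqlcmd can replace osql in step 3 with the same arguments.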

ADFS 2016 Web Application Proxy Server installation

  1. Export the certificate from the ADFS backend server with its private key (as a password-protected PFX; the key must have been marked exportable when it was requested)
  2. Import it into the computer store of the Web Application Proxy server, then delete the PFX file
  3. Install Web Application Proxy Role
    1. PowerShell command – "Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools"
    2. Get the 2012 R2 wizard options from here
  4. Configure Web Application Proxy Role
    1. PowerShell command – "Install-WebApplicationProxy -CertificateThumbprint 'ff236398ad5b51b9dd427cf819e6586b43d2009b' -FederationServiceName adfs2016.schmarr.com" (the cmdlet prompts for the federation service trust credential, an account that is a local administrator on the ADFS backend)
    2. Get the 2012 R2 wizard options from here
  5. Testing Installation
    1. On the ADFS backend server run the PowerShell command – "Set-AdfsProperties -EnableIdPInitiatedSignonPage $true"
    2. Go to the following URL: https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
      1. A user should be able to sign in from a domain-joined machine on the external network
      2. A user should be able to sign in from a non-domain-joined machine on the external network
    3. Optional – Disable the IdP-initiated sign-on page again once testing is complete
      1. PowerShell command – "Set-AdfsProperties -EnableIdPInitiatedSignonPage $false"
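The proxy steps above (export, import, role, configuration, check) as one script, added here as an example rather than taken from the original post. It uses the page's names (adfs2016.schmarr.com, S2016PR4ADFS01, S2016PR4PRX01); the PFX path C:\Temp\adfs2016.pfx is a placeholder, and the two sections are marked for the host each must run on. Unlike the command in step 4, it passes -FederationServiceTrustCredential explicitly instead of relying on the prompt.

```powershell
# Added example (not from the original post): move the SSL certificate to the WAP host and register the proxy.
# Assumptions: names as on this page; C:\Temp\adfs2016.pfx is a placeholder path reachable from both hosts;
# the proxy resolves adfs2016.schmarr.com to the backend (internal DNS) and can reach it on TCP 443.

$FsName  = 'adfs2016.schmarr.com'
$PfxPath = 'C:\Temp\adfs2016.pfx'                        # placeholder
$PfxPass = Read-Host -AsSecureString 'PFX password'      # prompt; never hard-code it in the script

# ---- On the ADFS backend (S2016PR4ADFS01): export the certificate WITH its private key ----
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FsName and a private key in LocalMachine\My" }
# Fails if the key was generated non-exportable; the request must then be redone with an exportable key.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass -ChainOption BuildChain | Out-Null

# ---- On the proxy (S2016PR4PRX01): import, install the role, and establish the trust ----
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass
Remove-Item $PfxPath -Force     # the PFX is a copy of the service's private key; do not leave it on disk

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null

# The trust credential is used once, to register the proxy with the farm; it must be a local
# administrator on the ADFS backend. It is not stored on the proxy afterwards.
$trust = Get-Credential -Message 'Account that is a local administrator on the ADFS server'
Install-WebApplicationProxy -CertificateThumbprint $imported.Thumbprint `
                            -FederationServiceName $FsName `
                            -FederationServiceTrustCredential $trust

# Checks on the proxy: the service is running and the proxy knows its federation server.
Get-Service appproxysvc | Format-Table Name, Status
Get-WebApplicationProxyConfiguration | Format-List

# Check from an EXTERNAL client (where DNS points at the proxy): metadata must be served through WAP.
$meta = Invoke-WebRequest -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
"Metadata via proxy: HTTP $($meta.StatusCode)"
```

The final request is only meaningful from outside: run on the proxy itself, the name resolves through internal DNS straight to the backend and bypasses WAP.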

Conclusion

This article demonstrated installing ADFS 2016 Technical Preview 4 as a stand-alone federation server using the WID topology, with a Web Application Proxy in front of it.
