Learn role-based installation of Active Directory Federation Services (AD FS) in Server 2012 R2.
- In this chapter we will be implementing claims-based authentication to allow our users access to outside resources, applications and even other domains. The key component of a single sign-on or claims-based authentication plan that uses Active Directory as its app is Active Directory Federation Services. We have here the domain controller for our Active Directory domain for Landon Cafe, and we're going to install Active Directory Federation Services into this domain.
We'll go through that in just a minute. The installation itself is really very simple if you've ever installed a role or a feature before. We'll step through it pretty quickly after we go over the prerequisites. To use Active Directory Federation Services you have to be part of an Active Directory domain, as I just showed you. Most administrators will also tell you not to install this on a domain controller because previous versions used IIS, a huge security hole on a domain controller. Fortunately for those that run very small environments and are trying to get everything they can from every single server, AD FS on Server 2012 R2 uses HTTP.sys instead of IIS.
So those threats are not in play. It has a different problem instead. The new problem is that the AD FS service will often hang during boot. After we go through the installation and before we configure, I'll take a minute to show you the fix for that. That's it for prereqs for installation. Configuring has its own list of requirements, but we'll cover those in a little bit. We have here a server that is a member of the Landon Cafe domain, and we have administrative access to that domain.
So we can go to Server Manager to install the Federation Services role. The default options will be fine for us, so I'll move fairly quickly through most of this. I'm going to select Add Roles and Features from the dashboard, and because I am installing this on the local server I'll move forward with all of these defaults until it gives me the list of possible roles. Luckily for us the list is sorted alphabetically and we can find Active Directory Federation Services with no scrolling required.
I'm only going to check the one box and continue. There are no additional features required so we'll keep right on moving. Right before the confirmation screen we get two notes that would have been helpful to know before we ever began. We already touched on the need for a domain. The second note is that the web application proxy cannot be installed on the same machine as AD FS. Chalk up another point for planning the deployment before beginning the installation.
We'll now fast forward through the boring part of the installation as we install. This will take anywhere from about 30 seconds up to two or three minutes to complete and the results screen tells us that while it is installed nothing is actually configured. We will do that in the next video.
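The wizard steps and prerequisites described above can also be scripted. The following PowerShell is an added example, not part of the course material: it checks domain membership, warns when the target is a domain controller, refuses to continue when Web Application Proxy is present on the same machine, and then installs the role. It assumes an elevated session on the local Server 2012 R2 machine.

```powershell
#Requires -RunAsAdministrator
# Added example: prerequisite checks plus role install for AD FS on Server 2012 R2.
$ErrorActionPreference = 'Stop'

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Prerequisite 1: the server must be joined to an Active Directory domain.
if (-not $cs.PartOfDomain) {
    throw "This server is not domain-joined; join it to the domain before installing AD FS."
}

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
# Installing on a DC works, but flag it so the choice is deliberate.
if ($cs.DomainRole -ge 4) {
    Write-Warning "$($cs.Name) is a domain controller. Most administrators avoid installing AD FS here."
}

# Prerequisite 2: Web Application Proxy cannot share a machine with AD FS.
$wap = Get-WindowsFeature -Name Web-Application-Proxy
if ($wap -and $wap.Installed) {
    throw "Web Application Proxy is installed here; AD FS must go on a different server."
}

# Skip the install if the role is already present.
$adfs = Get-WindowsFeature -Name ADFS-Federation
if ($adfs.Installed) {
    Write-Output "AD FS role is already installed on $($cs.Name)."
    return
}

# Equivalent of ticking "Active Directory Federation Services" in the wizard.
$result = Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
if (-not $result.Success) {
    throw "AD FS role installation failed with exit code $($result.ExitCode)."
}

Write-Output "AD FS role installed on $($cs.Name) in domain $($cs.Domain)."
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning "A restart is required to finish the installation."
}
Write-Output "The role is installed but not configured; run the AD FS configuration next."
```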
Note: The topics covered here map to the Configure Identity and Access Solutions domain for Microsoft Certified Solutions Associate (MCSA) Exam 70-412, Configuring Advanced Windows Server 2012 Services. Use these tutorials to study for the exam.
- Implementing Active Directory Federation Services (AD FS)
- Configuring AD FS authentication policies
- Configuring multifactor authentication
- Installing and configuring Active Directory Certificate Services (AD CS)
- Creating certificate templates
- Configuring certificate authority backup and recovery
- Managing certificates, including templates and renewal
- Installing and configuring Active Directory Rights Management Services (AD RMS)