This introduction demonstrates how to prepare an Active Directory domain's DNS, certificate, and key distribution services prior to installing AD FS.
- [Instructor] Active Directory Federation Services is the central point of identity service between an Active Directory domain and anything else. ADFS can be used to issue identity claims to outside resources or to verify claims by outside directories. And it also allows us to make protected resources available across traditional lines. But before we can even install the server role, there are a couple of things that we need to put in place.
We're going to need a DNS entry, an SSL certificate, and the ability to use group-managed service accounts in our domain, and specifically, on our ADFS server. First, the DNS entry. Applications and workstations within our domain need to know where to find the ADFS farm. A cluster of ADFS servers is known as a farm. And we need to create a host entry in DNS to point to that farm.
Here I am on the domain controller for the landonhotel.com domain. In addition to having Active Directory Domain Services installed, this is also my DNS server, so in DNS, I'm going to browse to the forward lookup zone for my domain. And here, I'm going to right-click in the empty space and create a new host. Now, I don't need to create a host entry for the server. The ADFS role will be installed on this hotel federation 01 server, and it already has a host entry.
What I'm going to create is a host entry for the ADFS farm, and I need to assign it a name. I'm going to call it adfs. And the IP address that I'm going to assign it is the one being used by the server that will take on this role. So it is 10.35.4.81. And click Add Host. The host was created successfully.
So I can close this box. That host name is going to be important later on. So make a note of it, or don't be afraid to come back to the DNS manager and confirm what host name you assigned. Now that I've created this host record, I can move on to the certificate. If you're using federation services to create trusts with external partners, you'll probably want to get your certificates from a generally trusted third party certificate authority.
If you're using ADFS to protect internal resources, and allow internal users to access those resources from the internet, you may choose to issue your own certificates. Either way, the principal name, or at least the alternate name, for the certificate needs to be the same as the DNS entry that was just created. Here I am, back on my domain controller and certificate authority.
And here, I've created a template specifically for the ADFS server farm. If I right-click on Certificate Templates and choose Manage, I can see my ADFS certificate template right here at the top of the list. If I double-click on it, we can confirm the special settings that were put in this template. For one, the subject name is going to be supplied when the certificate is requested. Another important feature is that the private key can be exported.
And finally, on the Security tab, the server that is going to be our first ADFS server has the ability to enroll in this certificate. With that template in place, let me close the template management, I can check the certificate templates and confirm that that template is being deployed and is available in my network. And now I'm ready to switch over to the Windows server that is a member of this domain, the one that I will be installing the ADFS role on later.
This is that server. I've already joined the domain. So I'm going to request the certificate from this server. I'm going to do that by right-clicking on the Windows button and selecting Run, and opening a Microsoft Management Console, MMC. From the file menu here, we can add a snap-in. And specifically, we want to add the certificate snap-in, and we want to add it for the computer account. The certificate that we're adding has nothing to do with the specific user.
So after selecting computer account, I'm going to say next and finish and close out of this selection box. Now as I expand the certificates and the personal certificate store, I can right-click on Personal, and under All Tasks, I can request a new certificate. If I move forward to the certificate enrollment policy for Active Directory, when I select Next, it will show me the certificates that I can select for this computer.
And here's my ADFS certificate. And here's the prompt to add the certificate name. When I click on that, I can use the subject name to add the ADFS entry that I put in DNS previously. The type of subject name is going to be common name. And the value will be the host entry that I created: adfs.landonhotel.com.
And I'll add that. Under alternative name, I'm going to make three entries here. One is the DNS type with the exact same value that I used as the subject name. The second is certauth, followed by the entire FQDN that we just used. Adding this entry will allow this certificate to be used for user certificate authentication later on.
And the third DNS alternative name that I'm going to add is enterpriseregistration, dot, and my domain name. So enterpriseregistration.landonhotel.com. So I'll add that alternative name, apply these changes and select OK. Now I can check the box for my ADFS certificate and enroll. And we've successfully requested this certificate, and it's now been installed on this server.
So let me go ahead and click Finish. And we can close out of this certificates box. Just in case we need to come back to the certificates tool, I am going to save these console settings, and I'm going to call it certificates. The third preparation that we need to take care of is making group-managed service accounts available in our domain. There was a time when administrators would set the properties of executable files to allow them to log in as a service.
It's much more secure to actually create service accounts that are fully managed by Windows and used by specific applications or services to access various Active Directory or local system resources. So what we're going to do is set a key distribution services root key on our ADFS server to allow this to happen. This is done from PowerShell. And I'm logged in as a domain administrator.
So I could just launch PowerShell, and that would do the trick. But I've gotten into the habit of right-clicking on PowerShell and selecting "Run as Administrator," just to be sure. The cmdlet to add this KDS root key is Add-KdsRootKey. And I'm going to set an effective time. By default, the effective time is 10 hours after I run this cmdlet.
And under some conditions, Windows will need that 10 hours to make sure this information can be replicated throughout the Active Directory forest. But since my demo environment is very small (it consists of two servers), I'm going to dispense with this 10-hour delay by setting an effective time. And the effective time that I'm going to set is Get-Date. So PowerShell will go out and retrieve today's date. And I'm going to add hours.
More accurately, I'm going to add negative 10 hours. I'm going to be reminded throughout the configuration process that I haven't allowed that 10 hours to elapse. But again, in this demo environment, the 10 hours is not necessary, so I am going to move forward. At this point, our server and our domain are fully prepared for the installation and configuration of our first ADFS server. And that's what we're going to do next.
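The three preparation steps from the video (farm DNS record, farm certificate with its three SANs, KDS root key) scripted in PowerShell, each followed by a check, as an added example that is not part of the course. It assumes you run it as a domain admin on the domain controller that hosts both DNS and the CA, and that the ADFS template is named `ADFS-Farm`, a placeholder because the video never shows the template's actual name.

```powershell
# Added example (not the course's own code). ASSUMPTIONS: run as a domain admin
# on the DC that hosts DNS and the CA; the template name below is a placeholder.
$Zone         = 'landonhotel.com'
$FarmHost     = 'adfs'
$FarmFqdn     = "$FarmHost.$Zone"
$FarmIp       = '10.35.4.81'
$TemplateName = 'ADFS-Farm'   # ASSUMPTION: replace with the real template name

# 1. DNS host (A) record for the farm name, then resolve it to confirm it landed.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $FarmHost -IPv4Address $FarmIp
$a = Resolve-DnsName -Name $FarmFqdn -Type A -ErrorAction Stop
if ($a.IPAddress -notcontains $FarmIp) {
    throw "DNS check failed: $FarmFqdn resolves to $($a.IPAddress -join ', ')"
}

# 2. Request the farm certificate into the computer store. The template takes the
#    subject from the request, so we pass the CN and the three DNS SANs the video
#    adds: the farm name, certauth.<farm FQDN> and enterpriseregistration.<domain>.
$sans = @($FarmFqdn, "certauth.$FarmFqdn", "enterpriseregistration.$Zone")
$req = Get-Certificate -Template $TemplateName `
                       -SubjectName "CN=$FarmFqdn" `
                       -DnsName $sans `
                       -CertStoreLocation Cert:\LocalMachine\My `
                       -Url ldap:
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: $($req.Status)" }

# Confirm every SAN is present on the issued certificate and that the private key
# was generated on this machine (the ADFS role needs it in the computer store).
$cert    = $req.Certificate
$missing = $sans | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { throw "SAN(s) missing from certificate: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }

# 3. KDS root key so group-managed service accounts can be created in the domain.
#    The -10h EffectiveTime skips the replication wait exactly as in the video and
#    is a lab-only shortcut; in production omit -EffectiveTime and let the default
#    10 hours elapse so every DC has the key before any gMSA depends on it.
$keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
if (-not (Test-KdsRootKey -KeyId $keyId)) { throw 'KDS root key is not usable yet' }
Get-KdsRootKey | Format-Table KeyId, EffectiveTime, CreationTime
```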