How to Install & Configure AD FS 2019

How to Install & Configure AD FS 2019

September 11, 2021 ADFS 1

Active Directory Federation Services (AD FS) also popularly known as SAML/Federation Services/SSO. It provides Web single-sign-on (SSO) to authenticate a user to multiple Web applications while utilizing a single account.

AD FS Pre-requisite,

  • Windows Server 2019
  • SSL Certificate
  • Federation Services DNS name
  • Service Account or Group Managed Service Account (gMSA)
  • Domain Admin Permissions

 

Installing AD FS Role,

  • Open Server Manager console and click on Manage > Add Roles and Features
  • Click on Next
  • Select Active Directory Federation Services and click on Next
  • Click on Install
  • Click on Close

Configure AD FS Server Role

Kindly ensure SSL Certificate installed before configuring AD FS Role.

  • Server Manager, navigate to the Flag icon click and select Configure the federation service on this server
  • Ensure Create the first federation server in a federation server farm and is selected and click Next
  • Select SSL Certificate provide Federation Service Display Name and click Next
  • Service Account page, you can either use a Group Managed Service Account (gMSA) or Specify an existing Service Account
  • Select a Group Managed Service Account or Existing Service Account, provide a name and click on Next
  • Database Selection > Create a database on this server using Windows Internal Database
Note: You could also specify a SQL Server, make sure you have a sysadmin or dbcreator permissions
  • Review options and click on Next
  • Click on Configure
  • Click on Close
  • Restart your server after clicking on Close

Verify AD FS Services

  • Open the Event Viewer and navigate to the ADFS View and search for the Event ID 100.

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Browse to the ADFS sign-in page and test authentication. https://federationservicename/adfs/ls/idpinitiatedsignon

 

Now, we are see How to install & Configure AD FS via PowerShell

Install AD FS Role,

Install-windowsfeature adfs-federation –IncludeManagementTools

Install the Certificate,

$password = Read-Host -AsSecureString
certutil -f -p $password -importPFX C:\install\certificate.pfx

Verify the Certificate installation status

dir cert:\LocalMachine\My

Configure Primary AD FS Node (WID-Windows Internal Database)

If you use a domain Service Account for AD FS Service,

$ADFSCred = Get-Credential “CloudApex\Service-Account”

$ADFSCert = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx” # SSL Certificate Thumbprint

Install-AdfsFarm -CertificateThumbprint $ADFSCert -FederationServiceDisplayName “Cloud Apex” –FederationServiceName “adfs.cloudapex.com” –ServiceAccountCredential $ADFSCred

For Group Managed Service Account use below parameter instead of –ServiceAccountCredential

-GroupServiceAccountIdentifier CloudApex\GMSA-Adfs$

Append below parameter if you’re planning to use separate SQL Server for AD FS

-SQLConnectionString “Data Source=SQL;Integrated Security=True”

To add an additional server to the AD FS Farm, 

$ADFSCred = Get-Credential “domain\sa-adfs”
$ADFSCert = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx” # SSL Certificate Thumbprint

For Domain Service Account

Add-AdfsFarmNode -ServiceAccountCredential $ADFSCred -PrimaryComputerName Primary-ADFS -CertificateThumbprint $ADFSCert

For Group Managed Service Account

Add-AdfsFarmNode -GroupServiceAccountIdentifier “CloudApex\GMSA-Adfs$” -CertificateThumbprint $ADFSCert

 4,181 total views,  4 views today

One Response

  1. Rishikesh Ranjan says:

    Nice

Leave a Reply

Your email address will not be published. Required fields are marked *