Active Directory Federation Services (ADFS) provides Web Single-Sign-On(SSO) capabilities to authenticate a user to multiple Web applications using a single user account. It uses a claims-based access control authorization model to maintain application security and implement federated identity.

A federation server on one side authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.

Before Specifying service properties, it is needed to Import SSL certificate.

What is SSL Certificate?

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.

Download Banner

How to install SSL Certificate?

To install SSL Certificate

  • Click Start->Run->Type mmc.exe and click OK. Now Console page will open
  • In console page, choose Certificate template in snap->click Add->then click OK
  • In another side of the certificate template, right click template display name as Web Server->choose Duplicate Template
  • In Security tab add Domain Computer and give rights to Write, Enroll and Autoenroll certificate
  • In Request handling, Enable the option Allow Private key to be exported and click apply
  • Choose Computer account for Certificate snap

To enable Certification Authority web Enrollment, it needs to Add role Active Directory
Certification Services.

  • Here, Active Directory Certification service configuration page is in end stage
  • Active-directory-certification-confirmation

  • Once it is completed, proceed next step
  • To get private key, type mentioned link in web browser,localhost/certsrv/
  • Download CA certificate
  • Microsoft-active-directory-certification-services

  • The Certificate must in pfx format

Export an SSL certificate to file

  • Right click certificate name->All tasks->Export.In Certificate Export Wizard, Choose Yes, export the private key
  • Exported file format is in PFX.So, choose the option Personal Information Exchange-PKS #12 (.PFX) and click next
  • By using password, Protect private key to security and click next
  • Browse the Exported file and click next
  • Click Finish to complete Certificate Export Wizard

Certificte-export-wizard

Import an SSL certificate to file

  • Copy the file to ADFS server, right-click on it and select install certificate
  • Choose Store location as Local machine and click next
  • Choose Certification store and click next
  • Click Finish to import certificate

certificate-store-selected

Let us see an overview of ADFS installation and configuration using Windows server 2016.

  1. Install ADFS server role
  2. Configure Federation service on server

Install ADFS server role

To install ADFS server role, following below steps

  • Open server manager and click Manage->Add Roles and Features
  • Choose Role-based or feature-based installation and click Next
  • Enable Active Directory Federation Service role and click next
  • Active-directory-federation-services

  • Click Install to complete the Installation process
  • Under Notifications in server manager, click the message Configure the federation service on this server

ADFS configuration having pre-requisite

  1. Active Directory domain administrator account
  2. A publicly trusted certificate for SSL server authentication
  • Choose the option Create the first federation server in a federation server farm and click next
  • Active-directory-federation-service-configuration-wizard

  • Specify an account with Active Directory domain administrator permissions to perform the federation service configuration and click next
  • Connect-to-AD-DS

  • Import SSL Certificate in Active Directory Federation Services Wizard
  • Specify a Federation Service Name and Federation Service Display Name and click next
  • Specify-service-properties

  • Specify a domain user account or group Managed Service Account
  • Specify-service-account

  • Create a database on this server using Windows Internal Database and click next
  • Once get “All prerequisite checks passed successfully” message click Configure
  • Pre-request-check

  • Now ADFS installation in completed
  • To Assure ADFS working status, Open a web browser using this link
    https://vembu.active.com/adfs/ls/IdPInitiatedSignon

Signin

Conclusion

With a single user account, ADFS grants web Single-Sign-On(SSO) efficiency to authenticate a user to multiple Web applications.

Like what you read? Rate us
Active Directory Federation Services in Windows Server 2016
Rate this post