How to Deploy Active Directory Federation Services (ADFS) on Windows Server 2019

No comments

Deploying Active Directory Federation Services (ADFS) on Windows Server 2019

Active Directory Federation Services (AD FS) also popularly known as SAML/Federation Services/SSO. It provides Web single-sign-on (SSO) to authenticate a user to multiple Web applications while utilizing a single account which makes end users life much easier at the time to login to their HR cloud-based app etc. ADFS also facilitates Azure AD Connect deployment for Office 365 and Azure deployments and integration.
ADFS 2019 had so many great features to facilitate and improve our deployments for more details see What's new in Active Directory Federation Services for Windows Server 2019

ADFS Requirements

This will be the setup on my lab, this might vary depending on your environment and needs.
  1. One Application Server with Windows Server 2016
  2. One SSL Certificate CRS or AD Request Template
  3. Federation Services DNS name
  4. Service Account or Group Managed Service Account (gMSA)
  5. Domain Admin Permissions
More info at Microsoft Docs : AD FS Requirements

Installing Active Directory Federation Services (ADFS) Role on Windows Server 2019

To install utilizing PowerShell (Preferred/Easier method)

  • Open PowerShell as administrator and run the following command:
Install-windowsfeature adfs-federation –IncludeManagementTools

Installing via the Server Manager interface

  • Open Server Manager console, then navigate to Manage and select Add Roles and Features:

  • On the Before You Begin page, click Next.
  • On the Installation Type page, Select Role-Based and Next.
  • On the Server Selection page, Select ADFS Primary Farm Server and Next.
  • On the Server Roles page, Select Active Directory Federation Services Role and Next.

  • On the Features page, Next.
  • On the ADFS overview page, Next.
  • On the Confirmation page, click Install.
  • On the Results page Review and Close.

Configuring the ADFS Primary Farm Server Role

  • Open the Server Manager, navigate to the Flag Icon click and Select Post-Deployment Configuration for ADFS.

  • On the Welcome page of the Configuration, wizard select Create the first federation server in a federation server farm and click Next.

  • On the Connect to AD DS page, specify a Domain Admin account and Next.

  • On the Specify Service properties page, Import/Select Certificate, Select Federation Service Name and Specify Federation Service Display Name then Next.

Note: In my case, I will import a CSR cert which will prompt for the password. For more details see Microsoft, How to enroll an SSL Certificate for ADFS

  • On the Specify Service Account page, you can either Create a Group Managed Service Account (gMSA) or Specify an existing Service or gMSA Account.
Important: KDS Root Key needs to be set at this step or previous in order to enable AD to operate with gMSA's. One key benefit of gMSA's is auto-negotiated password update feature.

  • In order to enable set the KDS Root Key, proceed to login to one of your Domain Controllers and run the below PowerShell Command: Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)

  • After the command is successfully run go back to your ADFS Server and go to the previous page and then Next.
  • Select Create a Group Managed Service Account, enter the preferred name then Next.

  • On the Specify Database page, select Create a Database on this server Using WID and Next.

Note: you could also specify a SQL Server, make sure you have a sysadmin or a least dbcreator permissions. For more details see Microsoft

If using a gMSA then you will need to pre-create gMSA Account via PowerShell unitizing the following script:
#User at your own risk :)
#Define gMSA account name.
$gMSA_Account = 'ADFS_gMSA_Farm'
#gMSA DNS Name.
$gMSA_FQDN = ''
#gMSA Servers Group Name (Optional, you could pre-stage servers that will need to retrieve the passwords such as SQL)
$gMSA_ServersGroupName = 'gMSA_ADFS_Farm_Group'
#Create new gMSA Account
New-ADServiceAccount -Name $gMSA_Account -DNSHostName $gMSA_FQDN -PrincipalsAllowedToRetrieveManagedPassword $gMSA_ADFSServersGroup
  • On the Review Options page, Review and Next.
  • On the Pre-requisite Checks page, review and click Configure.

  • On the Results page, review any warnings and close.

Verify ADFS Services

  • Open the Event Viewer and navigate to the ADFS View and search for the Event ID 100.


ADFS Deployment

I hope you've found this article helpful, have a nice day and thank you for reading. :)

No comments :

Post a Comment