In general, installing the ADFS service is a straightforward process. Nevertheless, there are a couple of points worth paying special attention to:

  • Registration of the SPN for the ADFS Service
  • Granting access to the private key of the SSL certificate to the ADFS Service account

Steps outlined below should help you avoid some common pitfalls during ADFS installation.

Create Service Account for ADFS 2.0 Service

You don't need to add this account to any groups; the ADFS setup assigns the required privileges to this account itself. Keep it an ordinary domain user with a strong password, not a member of Domain Admins or any other privileged group.

Create Web Server Certificate Template

This step is optional if you already have a suitable Web Server certificate template.

By giving Domain Computers Read and Enroll rights on this template we will be able to use the certificate request wizard from the ADFS server itself. In production, grant Enroll to the ADFS server computer accounts (or a group containing them) rather than to all Domain Computers, so that only the intended hosts can obtain certificates from this template.

ADFS does not require the private key to be exportable, and in a production environment you should not enable this setting. In a lab, however, if you plan to request certificates from one machine and then export them to another, you need to enable it.

Create DNS Alias for ADFS Service

I strongly recommend creating a DNS alias for the ADFS service. Doing this avoids a potential issue with duplicate Service Principal Names (SPNs). Let me explain.

The ADFS configuration wizard tries to register an SPN of the form HOST/servername.domainname on the ADFS service account (the equivalent of running setspn -S HOST/servername.domainname domainname\adfsserviceaccount), where servername is taken from the subject field of the certificate assigned to the ADFS service. The problem is that if you use the physical name of the host, the SPN HOST/physicalname.domainname already exists on the server's computer account, and an SPN may only be registered on one principal, so setup fails to register it on the service account. Hence it is best to use a DNS alias to avoid such a conflict. Of course the DNS alias and the subject field of the certificate assigned to the ADFS service must match. The alias can be a CNAME, as I use here, or an A record pointing at the same address; an A record also sidesteps a separate problem where some Kerberos clients (Internet Explorer among them) build the SPN from the canonical A-record name instead of the alias typed into the URL.
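
The duplicate-SPN check and registration described above, as an added PowerShell example (not part of the original post). It assumes the alias fs.contoso.com, the service account CONTOSO\svc_adfs and an elevated prompt run as a user allowed to write servicePrincipalName on that account; all of these names are assumptions.

```powershell
# Added example (not from the original post): check for a duplicate SPN before
# registering HOST/<federation service name> on the ADFS service account.
# Assumed names: alias fs.contoso.com, service account CONTOSO\svc_adfs.
$FederationServiceName = 'fs.contoso.com'
$ServiceAccount        = 'CONTOSO\svc_adfs'
$Spn                   = "HOST/$FederationServiceName"

# 1. Does the alias resolve, and to which canonical host name / address?
#    (A CNAME and an A record both satisfy DNS; the HostName shown here is the
#    name a canonicalizing Kerberos client would use to build its SPN.)
[System.Net.Dns]::GetHostEntry($FederationServiceName) |
    Select-Object HostName, AddressList

# 2. Is the SPN already registered anywhere in the forest? setspn -Q prints
#    "Existing SPN found!" together with the owning object's DN if it is.
$existing = setspn -Q $Spn
if ($existing -match 'Existing SPN found') {
    Write-Warning "$Spn is already registered:`n$($existing -join "`n")"
    Write-Warning 'Pick a different alias or remove the SPN from its current owner first.'
    return
}

# 3. Register it on the service account. -S refuses to create a duplicate,
#    unlike the older -A switch, so it is the safe choice.
setspn -S $Spn $ServiceAccount

# 4. Verify: the service account should now list HOST/fs.contoso.com, and a
#    forest-wide duplicate scan (-X) should report no duplicates.
setspn -L $ServiceAccount
setspn -X
```

If step 2 reports the SPN on the server's own computer account, that is exactly the conflict the wizard runs into when the certificate subject is the physical host name: the fix is to change the alias (and the certificate subject), not to strip HOST/ SPNs from the computer account.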

Request certificate for ADFS Service
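
The certificate request from the template created above, done with certreq instead of the MMC wizard, as an added example (not part of the original post). It assumes the alias fs.contoso.com, a template named WebServer whose Subject Name setting is "Supply in the request", and an enterprise CA reachable as ca01.contoso.com\Contoso Issuing CA; these names are assumptions. The request uses a non-exportable machine key, which is the production setting discussed in the template section.

```powershell
# Added example (not from the original post): request the ADFS service
# certificate from the enterprise CA with certreq. Run elevated on the ADFS
# server so the key lands in the machine store. Assumed values below.
$FederationServiceName = 'fs.contoso.com'
$TemplateName          = 'WebServer'
$CaConfig              = 'ca01.contoso.com\Contoso Issuing CA'
$Work                  = Join-Path $env:TEMP 'adfs-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Subject and SAN both carry the alias (so it matches the SPN the wizard will
# register); the key is a 2048-bit non-exportable machine key.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$FederationServiceName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}dns=$FederationServiceName"

[RequestAttributes]
CertificateTemplate = $TemplateName
"@
Set-Content -Path "$Work\adfs.inf" -Value $inf -Encoding ASCII

# Build the CSR, submit it to the CA, then bind the issued cert to its private key.
certreq -new    "$Work\adfs.inf" "$Work\adfs.req"
certreq -submit -config $CaConfig "$Work\adfs.req" "$Work\adfs.cer"
certreq -accept "$Work\adfs.cer"

# Confirm the cert is in the machine store with a usable, non-exportable key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" } |
    ForEach-Object {
        '{0}  HasPrivateKey={1}  Exportable={2}' -f $_.Thumbprint, $_.HasPrivateKey,
            $_.PrivateKey.CspKeyContainerInfo.Exportable
    }
```

If the template requires CA certificate manager approval, certreq -submit returns a pending RequestId instead of the certificate; retrieve it later with certreq -retrieve once it has been issued. The final check should print Exportable=False for a production request.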

Make ADFS Service Certificate Private Key accessible to the ADFS service Account

This step is optional, since the ADFS setup performs this operation for us. But if you later change the ADFS service certificate manually you will need to perform it yourself, hence I provide the instructions here for your reference.
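
The same grant done from PowerShell, as an added example (not part of the original post). It does what the "Manage Private Keys..." dialog does for a CSP (CAPI) key: locate the key container file under the machine key store and give the service account Read on it. The certificate subject CN=fs.contoso.com and the account CONTOSO\svc_adfs are assumptions; run it elevated.

```powershell
# Added example (not from the original post): grant the ADFS service account
# Read access to the private key of the service certificate.
# Assumed values: subject CN=fs.contoso.com, account CONTOSO\svc_adfs.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory=$true)][string]$Subject,
        [Parameter(Mandatory=$true)][string]$Account
    )
    # Pick the newest certificate for the subject that actually has a key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $Subject" }

    # CSP keys for the machine store are files under MachineKeys; the file name
    # is the key container's unique name. CNG (KSP) keys are stored elsewhere
    # and are not handled by this function.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $keyName) { throw 'Key is not a CSP key container' }
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

    # Read (R) is all the service needs to use the key; do not grant Full Control.
    icacls $keyPath /grant "${Account}:R" | Out-Null

    # Return the resulting ACL so the caller can verify the grant.
    icacls $keyPath
}

Grant-PrivateKeyRead -Subject 'CN=fs.contoso.com' -Account 'CONTOSO\svc_adfs'
```

After changing the certificate this way, restart the AD FS 2.0 Windows Service so it picks up the new key.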

Install ADFS 2.0

Run ADFS Configuration Wizard

Use the stand-alone option only for testing and evaluation purposes, since it does not provide high-availability capabilities; for anything beyond a lab, choose the federation server farm option.

Now you are ready to use ADFS to build trust relationships with claims-aware applications and/or with federated partners.

For more information on how to create trust relationships, see these links:

How to build a test claims-aware application

How to create federated trust

How to publish claims-aware applications via UAG