In general, installing the ADFS service is a very straightforward process; nevertheless, there are a couple of points worth paying special attention to:
- Registration of the SPN for the ADFS Service
- Granting access to the private key of the SSL certificate to the ADFS Service account
Steps outlined below should help you avoid some common pitfalls during ADFS installation.
Create Service Account for ADFS 2.0 Service
You don’t need to add this account to any groups; the privileges it requires are assigned to it by the ADFS setup. Keep it as a plain user account with no extra rights.
Create Web Server Certificate Template
This step might be optional if you already have a template for Web Server.
By giving Domain Computers Enroll and Read rights on this template, we will be able to use the certificate request wizard from the ADFS server itself.
ADFS does not require the private key to be exportable, and in a production environment you should not enable this setting. In a lab, however, if you plan to request certificates on one machine and then export them to another, you need to enable it.
Create DNS Alias for ADFS Service
I strongly recommend creating a DNS alias for the ADFS service. Doing this avoids a potential conflict with duplicate Service Principal Names (SPNs). Let me explain.
The ADFS configuration wizard will try to register an SPN of the form HOST/servername.domainname for the account domainname\adfsserviceaccount, where servername is taken from the subject field of the certificate assigned to the ADFS service. If the certificate carries the physical host name, HOST/physicalname.domainname is already registered to the computer account of the server, so the wizard cannot register the same SPN on the service account and the setup fails. Using a DNS alias avoids the conflict. Naturally, the DNS alias and the subject of the certificate assigned to the ADFS service must match. One caveat: some Windows Kerberos clients canonicalize a CNAME to the underlying host name when building the SPN, so if you run into Kerberos failures with a CNAME, an A (host) record pointing at the same address gives the same SPN separation without that behaviour.
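The preparation described so far (service account, DNS alias, SPN conflict check and registration, certificate subject check) as one PowerShell sequence. This is an added example, not part of the original post; the domain contoso.com, the physical host adfs01, the alias adfs, the service account svc-adfs and the DNS server dc01 are assumed names. Run it from an elevated prompt on a domain-joined machine that has the ActiveDirectory module and the DNS server tools installed.

```powershell
# Added example (not from the original post). Assumed names: domain contoso.com,
# physical ADFS host adfs01, federation service alias adfs.contoso.com,
# service account svc-adfs, DNS server dc01. Run elevated on a domain-joined
# machine with the ActiveDirectory module and RSAT DNS tools.
$Domain         = "contoso.com"
$PhysicalHost   = "adfs01"
$Alias          = "adfs"          # federation service name; must match the certificate subject CN
$ServiceAccount = "svc-adfs"
$DnsServer      = "dc01.$Domain"
$Fqdn           = "$Alias.$Domain"
$Spn            = "HOST/$Fqdn"
$NetbiosAccount = "$env:USERDOMAIN\$ServiceAccount"

Import-Module ActiveDirectory

# 1. Service account: a plain user with no group membership; ADFS setup grants what it needs.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'")) {
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
        -AccountPassword (Read-Host "Password for $ServiceAccount" -AsSecureString) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. DNS alias so the federation service name differs from the physical host name.
#    dnscmd is used instead of Add-DnsServerResourceRecordCName because the DnsServer
#    module is not available on the Windows Server 2008 R2 hosts ADFS 2.0 targets.
dnscmd $DnsServer /RecordAdd $Domain $Alias CNAME "$PhysicalHost.$Domain."

# 3. Check for SPN conflicts before the wizard tries to register HOST/<alias>.
#    HOST/<physical host> is already owned by the computer object; HOST/<alias> must be free.
setspn -Q "HOST/$PhysicalHost.$Domain"   # expected: found, registered to the computer account
setspn -Q $Spn                            # expected: "No such SPN found."
setspn -X                                 # forest-wide duplicate scan; should report no duplicates

# 4. Register the SPN on the service account. -S refuses to create a duplicate, unlike -A.
setspn -S $Spn $NetbiosAccount

# 5. Confirm the certificate the wizard will pick has the alias as its subject CN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$Fqdn*" }
if (-not $cert) {
    Write-Warning "No certificate with subject CN=$Fqdn in LocalMachine\My; the wizard will derive a different federation service name."
}
```

Run the `setspn -Q` checks before registering anything: if `HOST/adfs.contoso.com` is already found on some other account, fix that first, because `setspn -S` will refuse the add and the configuration wizard would fail in the same way.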
Request certificate for ADFS Service
Make ADFS Service Certificate Private Key accessible to the ADFS service Account
This step is optional, since the ADFS setup performs it for us. However, if you later replace the ADFS service certificate manually, you will need to grant the service account access to the new private key yourself, so I include the instructions here for reference.
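The manual private-key grant, as an added PowerShell example that is not from the original post. It assumes the federation service name adfs.contoso.com and the service account CONTOSO\svc-adfs, and it relies on the key being a legacy CSP key in the machine store (ADFS 2.0 does not support CNG keys), whose container file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys. Run it elevated on the ADFS server.

```powershell
# Added example (not from the original post). Assumed names: federation service
# name adfs.contoso.com, service account CONTOSO\svc-adfs. Run elevated on the
# ADFS server. Only needed when you swap the service certificate by hand, since
# the ADFS configuration wizard sets this ACL itself.
$Fqdn           = "adfs.contoso.com"
$ServiceAccount = "CONTOSO\svc-adfs"

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with a private key for CN=$Fqdn, found $($certs.Count)"
}
$cert = $certs[0]

# ADFS 2.0 needs a legacy CSP key (CNG/KSP keys are not supported). For a CSP key the
# .NET PrivateKey property is populated and tells us which key container file holds it.
if (-not $cert.PrivateKey) {
    throw "Private key is not a CSP key (or is not readable); ADFS 2.0 cannot use it."
}
$container = $cert.PrivateKey.CspKeyContainerInfo
if (-not $container.MachineKeyStore) {
    throw "Key is in a user key store, not the machine store."
}
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($container.UniqueKeyContainerName)"
if (-not (Test-Path $keyFile)) {
    throw "Key container file not found: $keyFile"
}

# Grant Read only: the service needs to use the key, not export or replace it.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the service account should now appear with Read on the container file.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

This does the same thing as the "Manage Private Keys" dialog in the Certificates MMC snap-in; granting Read rather than Full Control keeps the service account from being able to reset the ACL or tamper with the key container.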
Install ADFS 2.0
Run ADFS Configuration Wizard
Use the stand-alone option only for testing and evaluation purposes, since this option does not provide high-availability capabilities.
Now you are ready to use ADFS to build trust relationships with claims-aware applications and/or with federated partners.
For more information on how to create trust relationships, see these links:
How to build a test claims-aware application
How to create federated trust
How to publish claims-aware applications via UAG