Preparing to run the ADFS Configuration<\/strong><\/span><\/p>\n For the setup\u00a0you will need to create a Domain User for the ADFS service (This will be your ADFS service account). You will also need to run the command\u00a0logged on to the ADFS server with an\u00a0account (Not the ADFS Service Account) that has the correct access to\u00a0wite\u00a0to Active Directory and the account will also need proper rights to SQL for creating the Databases. I just used a Domain Admin account and granted that account DB Creator and Security Admin in SQL.<\/p>\n Also, for the configuration to succeed, you will need to create a self signed cert as mentioned earlier. It seems when creating a self signed cert in IIS 7.5, it will only let you create a cert that uses the server name itself for the subject. For this reason, I used SelfSSL which is part of\u00a0the IIS 6 resource kit because\u00a0it gives you the freedom to create\u00a0a subject name of your choice. The subject name of the Service Communication Certificate MUST<\/strong>\u00a0match the name of the Federation Service Name. To create a self signed cert, download Selfssl to the ADFS server and open a command prompt as administrator. Change to the directory which contains the the Selfssl executable and type the following command replacing “adfs.pipe2text.com”\u00a0with your own federation service name:<\/p>\n selfssl.exe \/T \/N:cn=adfs.pipe2text.com \/V:365<\/p>\n Note: You may receive an error about being unable to open the metabase when running this command. You can safely ignore this error.<\/p>\n Using the \/T will make sure the cert is place in the “Trusted Root Certificate Authorities” in addition to the “Personal” certificates on the local machine. Since this\u00a0is a self signed cert and not issued by a trusted 3rd party CA like Verisign, it\u00a0will need to be placed in “Trusted Root Certificate Authorities” for any machine that will\u00a0be accessing\u00a0the service using this certificate or there will be certificate errors. The \u00a0“\/V:365” switch \u00a0will make the cert valid for 365 days. You can increase this if you desire.<\/p>\n Now that you have your self sign cert created, you will need to bind it the default website in ISS following these steps:<\/p>\n 1. Open the IIS Manager and right click the “Default Website” and select “Edit Bindings”.<\/p>\n 2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that was created using SelfSSL and click “OK”.<\/p>\n 3. You will now see “https” and “443” in the\u00a0list of site bindings. Click “Close”.<\/p>\n Now its time to configure the ADFS server. As mentioned earlier, since we are using SQL for the configuration database we will need to run the configuration from the command line. To do this you will need to use the fsconfig utility. To use the fsconfig utility, open a command prompt as administrator and switch to the \u201cActive Directory Federation Services 2.0\u2033 folder under the “Program Files” directory\u00a0where fsconfig.exe is located. where fsconfig.exe is located.\u00a0Type the following command replacing the information with information that is specific to your environment.<\/p>\n FSConfig.exe CreateSQLFarm \/ServiceAccount pipe2text\\adfslabuser \/ServiceAccountPassword Password<\/em> \/SQLConnectionString “database=AdfsConfiguration;server=sqlservername\\instance<\/em>;integrated security=SSPI” \/CleanConfig \/FederationServiceName adfs.pipe2text.com \/AutoCertRolloverEnabled<\/p>\n You will see the following output if everything ran ok.<\/p>\n A few notes about the above command.<\/p>\n The \/ServiceAccount specifies the ADFS Service account (an account you created in your domain as mentioned earlier) to be configured to run the ADFS Service.<\/p>\n \/ServiceAccountPassword is the password of the service account. If you don’t specify this switch it will prompt you for the password before it proceeds.<\/p>\n \/SQLConnection is the name of the configuration database (It must always be “AdfsConfiguration”) and server is the name of the SQL server and instance name.<\/p>\n \/Cleanconfig will clear out an existing ADFS configuration Database if one already exist.<\/p>\n \/AutoCertRolloverEnabled enable the automatic rollover feature for signing and decrypting certificates. When this is enabled, self signed certs are used for the Token signing and decrypting certificates and they are renewed automatically.\u00a0There are other\u00a0switches\u00a0that can be used to specify\u00a03rd party\u00a0certs for the token and decrypting certs but for this scenario I simply enabled the automatic rollover feature.<\/p>\n For\u00a0detailed\u00a0information on the using\u00a0fsconfig to configure your ADFS server using\u00a0different options and configurations you can simply type “fsconfig \/help”.<\/p>\n Having a look around after the configuration was run<\/strong><\/span><\/p>\n If you open the ADFS 2.0 management console you can look and see your Service Communication, Token Signing and Decrypting Certificates have been configured under “Service\\Certificates”. Under\u00a0“rust Relationships”\u00a0you will\u00a0see that Active Directory has been configured as a “Claims Provider Trust” and as an “Attribute Store”. Additionally, if you if you open the Services Console (service.msc) you will notice that the “AD FS 2.0 Windows Service” is configured to use the ADFS Service account. You can also open the IIS console and have a look under the default website to see that everything has been configured.<\/p>\n Now,\u00a0if you look look in “Active Directory Users and Computers” (must be in “Advanced Feature View”) you will see the certificate sharing container was created under “Program Data\\Microsoft\\ADFS”.<\/p>\n On your SQL server you will notice that the ADFS Configuration and Artifact Resolution databases have been created.<\/p>\n Create an A Record in DNS for your Federation Service Name<\/strong><\/span><\/p>\n You will need to create an A record on your DNS server for client’s browsers to be able to resolve the\u00a0Federation Service Name. It\u00a0MUST be an A record and\u00a0NOT\u00a0an alias (CNAME).\u00a0\u00a0<\/strong>If you use an alias you may run into things such as the browser prompting for credentials when hitting the ADFS server. In my case I added an A record for “adfs.pipe2text.com” with the IP address of my ADFS server. Just a note: If I had multiple ADFS servers in the farm\u00a0I would have them behind a load balancer and then I would point the A record for the Federation Service Name to the\u00a0Virtual IP\u00a0Address on the\u00a0load balancer.<\/p>\n Verifying your ADFS Server is Operational<\/strong><\/span><\/p>\n To verify the ADFS server is now operational you can hit the following URL\u00a0using your\u00a0Federation Service name:<\/p>\n https:\/\/federationservicename\/adfs\/fs\/federationserverservice.asmx<\/a><\/p>\n For Example using my federation service name it would be as follows:<\/p>\n https:\/\/adfs.pipe2text.com\/adfs\/fs\/federationserverservice.asmx<\/a><\/p>\n If the server is working properly you will see an XML document displayed with the service description document.<\/p>\n Note: Since you are using self signed certs for the service communications cert,\u00a0you will get a certificate error when connecting to the site since the cert is not trusted. You can just click continue to site. To avoid getting this error, you can export the certificate from your ADFS Server and import it to the “Trusted Root Certificate Authorities” of your client machine or just deal with the error.<\/p>\n Another step in verifying your ADFS server is by looking in the Event Viewer on the ADFS Server under “Applications and Service Logs\\AD FS 2.0\\Admin”. In the Admin log you should see event ID 100.<\/p>\n Now that your ADFS Server is setup you can add a relying party but I will save that for another blog. I will also be adding a blog\u00a0on how to add\u00a0additional ADFS Servers to the farm. I hope this was helpful. If you have any questions, comments or feedback please feel free to post them.<\/p>\n Related Links:<\/p>\n Installing Active Directory Federation Services (ADFS) 2.0<\/a><\/p>\n Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database<\/a><\/p>\n Configuring your ADFS 2.0 Farm to use a SQL Mirror<\/a><\/p>\n Installing and Configuring an ADFS 2.0 Proxy Server<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Hi All, After you have installed ADFS 2.0 on your server you will need to configure it for use (For information on installing ADFS 2.0 see Installing Active Directory Federation Services (ADFS) 2.0)\u00a0. Using the configuration wizard is great but … Continue reading ![\"\"](\"https:\/\/pipe2text.com\/wp-content\/uploads\/2012\/02\/RunFSConfig.png\" "\\"RunFSConfig\\"")
<\/a><\/p>\n