Install and Configure AD FS
The video below demonstrates how to install and configure a basic AD FS deployment, integrate VMware Identity Manager as a relying party to AD FS, and then process claims from AD FS to authenticate your domain users. Feel free to follow along with the video, or continue to the next sections for a step-by-step walkthrough.
1. Install AD FS
First, we need to install AD FS on the designated server.
1.1. Open Server Manager
- Click the Server Manager shortcut on the toolbar to open Server Manager.
- Click Manage.
- Click Add Roles and Features.
1.2. Select Installation Type
- Click Installation Type.
- Select Role-based or feature-based installation.
- Click Next.
1.3. Select Server
- Ensure Select a server from the server pool is selected.
- The controlcenter.corp.local server should be the only option.
- Click Next.
1.4. Select Server Roles to Install
- Check Active Directory Federation Services.
- Click Confirmation to skip adding features since no changes are required.
1.5. Install Server Roles
Confirm that Active Directory Federation Services is listed for this installation and click Install.
Wait until the installation is completed and continue. This may take several minutes to finish.
1.6. Close the Add Roles and Features Wizard
Click Close once the installation finishes.
2. Configure AD FS
The previous steps installed the Active Directory Federation Services role for this server, but AD FS still requires additional configuration to function.
2.1. Open AD FS Configuration Wizard
Return to Server Manager, and close the Add Roles and Features Wizard from the previous steps if it is still opened.
- Click the Notification icon. You should see a warning sign since we still need to configure AD FS after installation.
- Click Configure the federation service on this server.
2.2. Determine Federation Server Farm Deployment
- Select Create the first federation server in a federation server farm. We are creating the first server for this lab; if you already had an existing federation server farm and were scaling out, you would choose the option to add a federation server to a federation server farm instead.
- Click Next.
2.3. Provide Active Directory domain admin account
This step lets you specify the account used to perform the federation service configuration. It must have Active Directory domain administrator permissions, because the wizard writes to Active Directory (for example to register the service account's SPN). It is only used for this one-time setup and is not the account the AD FS service runs as. The default administrator (CORP\Administrator) meets the requirement, so we can continue.
2.4. Configure Service Properties
- Select the *.airwlab.com certificate from the list of SSL Certificates. This determines which SSL certificate the AD FS service presents to browsers and relying parties. Only certificates installed in the local computer's Personal store with their private key are listed, and the one you choose must cover the Federation Service Name you enter next (here the wildcard covers adfs.airwlab.com).
- Enter "adfs.airwlab.com" for the Federation Service Name. This is the endpoint where our AD FS service will reside.
- Enter "AIRWLAB Federation Services" for the Federation Service Display Name. This is the name on the webpage users will see when re-directed to authenticate via Forms Authentication for AD FS.
- Click Next.
2.5. Configure Service Account
The Service Account is responsible for retrieving user information from your LDAP attribute store. The requirements for the Service Accounts are as follows (cited from AD FS Requirements on docs.microsoft.com):
- Any standard service account can be used. Group Managed Service Accounts are also supported, but they require at least one domain controller running Windows Server 2012 or higher (deploying two or more such DCs is recommended).
- For Kerberos authentication to function between domain-joined clients and AD FS, the ‘HOST/<adfs_service_name>’ must be registered as a SPN on the service account. By default, AD FS will configure this when creating a new AD FS farm if it has sufficient permissions to perform this operation.
- The AD FS service account must be trusted in every user domain that contains users authenticating to the AD FS service.
You'll notice the warning message that Group Managed Service Accounts are not available because the KDS Root Key has not been set. For simplicity in this lab, we will just use an existing domain user account, and in fact the domain Administrator account. Treat this as a lab-only shortcut: the AD FS service would then run with Domain Admin rights, so a compromise of the federation server (which already holds the token-signing key for every relying party) would also hand over the domain. Outside a lab, create the KDS root key and let the wizard create a gMSA, or use a dedicated domain user with no privileges beyond what AD FS needs.
- Click Select for Use an existing domain user account.
- Enter "Administrator" for the object search field.
- Click Check Names.
- Click OK.
2.6. Enter Service Account Password
- Enter "VMware1!" for the Account Password.
- Click Next.
2.7. Create a Windows Internal Database
AD FS requires a SQL Server database to store all the configuration data for your Federation Service. The AD FS configuration database defines the set of parameters that a Federation Service requires to identify partners, certificates, attribute stores, claims, and various data about these associated entities.
You can specify an existing SQL Server database, or you can create a database on the server using Windows Internal Database (WID). Windows Internal Database is a variant of SQL Server Express included with Windows Server 2008 and later; it is designed to be accessible only by Windows services running on the same server. Unlike standalone SQL Server, Windows Internal Database has no management UI of its own, so admins modify the AD FS configuration database through the AD FS Management snap-in, Fsconfig.exe or PowerShell.
SQL Server has several benefits over Windows Internal Database, including:
- High availability configurations that remove the configuration database as a single point of failure
- Higher performance for farms that handle heavier traffic
- Support for SAML artifact resolution and for token replay detection on SAML and WS-Federation passive requests, so that a token presented a second time is rejected rather than honored again (neither feature is available with WID)
For simplicity, we will use the Windows Internal Database since we will not be concerned with modifying the elements of our configuration database.
- Select Create a database on this server using Windows Internal Database.
- Click Next.
2.8. (Optional) Overwrite existing AD FS configuration database
This page appears only if an AD FS configuration database already exists in this server's Windows Internal Database. Choose to overwrite it so that the configuration you are entering now is the one stored; be aware that this discards the previous configuration, including any relying party trusts it contained.
- Enable Overwrite existing AD FS configuration database data.
- Click Next.
2.9. Review Pre-requisite Checks and Configure
- Review your configuration on the Review Options page as needed.
- Click Pre-requisite Checks to validate your configuration.
- Click Configure.
Wait until the configuration process has completed.
2.10. Close AD FS Configuration Wizard
Confirm that the server was successfully configured and close the AD FS Configuration Wizard.
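For readers who would rather script sections 1 and 2 (or reproduce them on a second lab), the following is an added example and not part of the original lab or of VMware's own material. It performs the role install, the service account setup and the farm configuration in Windows PowerShell, using the same names the wizard steps above use. It departs from the lab in one deliberate way: instead of the domain Administrator account, it creates the KDS root key and a gMSA for the service. The gMSA name `adfsgmsa`, the computer account `controlcenter$`, the download of the certificate into `Cert:\LocalMachine\My`, and running the KDS/AD cmdlets on a domain controller are assumptions not stated on the page.

```powershell
# Added example (not from the original lab). Run as a domain admin on
# controlcenter.corp.local, which is assumed to also be a DC so that the
# KDS and AD cmdlets work locally. Names below marked "assumed" are not
# from the lab text.

# --- 1. Install the role (equivalent of the Add Roles and Features wizard)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# --- 2.5 prerequisite: the KDS root key the wizard complains about.
# In production use -EffectiveImmediately and wait ~10 hours for the key to
# replicate before creating gMSAs. Backdating the effective time is a
# lab-only shortcut that is safe in a single-DC domain.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# A gMSA dedicated to AD FS (name assumed). Only the federation server's
# computer account may retrieve its password, and the HOST/<service name>
# SPN needed for Kerberos (see 2.5) is registered on the account here.
New-ADServiceAccount -Name adfsgmsa `
    -DNSHostName adfs.airwlab.com `
    -ServicePrincipalNames 'host/adfs.airwlab.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'controlcenter$'

# --- 2.4 Pick the SSL certificate by subject and private-key presence
# rather than by its position in the wizard's list.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.airwlab.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No *.airwlab.com certificate with a private key in LocalMachine\My' }

# --- 2.2 to 2.9 in one call: first server of a new farm on WID.
# -OverwriteConfiguration is the equivalent of step 2.8 and discards any
# existing configuration database on this server.
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.airwlab.com' `
    -FederationServiceDisplayName 'AIRWLAB Federation Services' `
    -GroupServiceAccountIdentifier 'CORP\adfsgmsa$' `
    -OverwriteConfiguration

# --- Post-configuration checks a practitioner wants before moving on.
# The SPN must sit on the service account, not on the computer account,
# or domain-joined clients will fall back from Kerberos to forms auth.
Get-ADServiceAccount adfsgmsa -Properties ServicePrincipalNames |
    Select-Object -ExpandProperty ServicePrincipalNames

# Service name, identifier (entityID in the metadata) and display name.
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName

# The token-signing certificate every relying party will trust; note its
# thumbprint, it is what the downloaded metadata should carry.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{n='NotAfter';e={$_.Certificate.NotAfter}}
```

`Install-AdfsFarm` runs under the credentials of the current session, which is why the script must be run as a domain admin, matching the requirement in step 2.3; pass `-Credential` if you need to run it as a different user.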
3. Download the Federation Metadata XML
Before continuing with additional configurations, we need to use the Federation Metadata from our AD FS instance to establish trust between our Identity Provider (AD FS) and our Service Provider (VMware Identity Manager).
3.1. Open AD FS Management
- From Server Manager, click Tools.
- Click AD FS Management.
Alternatively, you can search for "AD FS Management" from the Start menu.
3.2. Locate FederationMetadata.xml Endpoint
NOTE - If you see a message indicating that the AD FS configuration is still being pulled from the database, you will need to wait until that completes before continuing. If you see items under the AD FS folder, you can continue.
To locate your Federation Metadata endpoint, navigate to:
- Expand Service under AD FS.
- Click Endpoints.
- Scroll down to find the Metadata section.
- Locate the Metadata object with the type Federation Metadata. Note the URL Path, which will be used in the next step to download the Federation Metadata XML.
3.3. Download FederationMetadata.xml
- Open Google Chrome (or any browser)
- Append the Federation Metadata URL path to the Federation Service Name (endpoint) you configured during the AD FS configuration. The full URL should be "https://adfs.airwlab.com/FederationMetadata/2007-06/FederationMetadata.xml". Press Enter to navigate to it.
- The FederationMetadata.xml file should download. Hold onto this file for a future step.
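The downloaded file is what VMware Identity Manager will use to learn the AD FS identifier, its SAML endpoints and the token-signing certificate it must trust, so it is worth checking before importing it. AD FS signs the metadata with its token-signing certificate, which allows an integrity check against the embedded certificate; whether that certificate is really this farm's is a separate question, answered by comparing thumbprints with the server. The following script is an added example, not part of the original lab; it assumes the file was saved to the current user's Downloads folder and that it is run in Windows PowerShell on the AD FS server, where `Get-AdfsCertificate` is available.

```powershell
# Added example (not from the original lab): inspect FederationMetadata.xml
# before importing it into VMware Identity Manager.
# Assumed: the file is in $env:USERPROFILE\Downloads and this runs on the
# AD FS server (for Get-AdfsCertificate).
Add-Type -AssemblyName System.Security

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][string]$Path)

    # PreserveWhitespace matters: XML-DSig canonicalisation covers whitespace,
    # so reformatting the document would break signature verification.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load((Resolve-Path $Path).Path)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Enveloped-signature check. This proves the document is intact relative
    # to the certificate in ds:KeyInfo, NOT that the certificate is trusted;
    # the thumbprint comparison below is the trust decision.
    $sigNode = $doc.SelectSingleNode('//ds:Signature', $ns)
    if (-not $sigNode) { throw 'Metadata is not signed; do not import it.' }
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNode)
    $signatureValid = $signedXml.CheckSignature()

    # Token-signing certificate(s) advertised for the SAML IdP role; the SP
    # (VMware Identity Manager) will accept assertions signed by these.
    $certNodes = $doc.SelectNodes(
        "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        $ns)
    $signingCerts = foreach ($n in $certNodes) {
        $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }

    # SAML SSO endpoints the SP will redirect or POST to.
    $sso = $doc.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
        ForEach-Object {
            [pscustomobject]@{ Binding = $_.GetAttribute('Binding'); Location = $_.GetAttribute('Location') }
        }

    [pscustomobject]@{
        EntityId       = $doc.DocumentElement.GetAttribute('entityID')
        SignatureValid = $signatureValid
        SigningCerts   = $signingCerts | Select-Object Subject, Thumbprint, NotAfter
        SsoEndpoints   = $sso
    }
}

$summary = Get-FederationMetadataSummary -Path "$env:USERPROFILE\Downloads\FederationMetadata.xml"
$summary | Format-List

# Check 1: the entityID is the federation service identifier. AD FS defaults
# to http://<Federation Service Name>/adfs/services/trust (note: http, not https).
if ($summary.EntityId -ne 'http://adfs.airwlab.com/adfs/services/trust') {
    Write-Warning "Unexpected entityID: $($summary.EntityId)"
}

# Check 2: the signature verifies.
if (-not $summary.SignatureValid) { throw 'Metadata signature failed verification; do not import it.' }

# Check 3: the advertised signing certificate is the farm's current primary
# token-signing certificate (catches a tampered download or a stale copy
# cached from before a certificate rollover).
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if ($summary.SigningCerts.Thumbprint -notcontains $primary.Thumbprint) {
    throw 'Metadata does not carry this farm''s primary token-signing certificate.'
}
```

The SSO endpoint list is also a quick sanity check that the Federation Service Name resolved correctly: every Location should start with https://adfs.airwlab.com/adfs/ls/, the endpoint VMware Identity Manager will send users to.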