1. Click the Server Manager shortcut on the toolbar to open Server Manager.
2. Click Manage.
3. Click Add Roles and Features.

1. Click Installation Type.
2. Select Role-based or feature-based installation.
3. Click Next.

1. Ensure Select a server from the server pool is selected.
2. The controlcenter.corp.local server should be the only option.
3. Click Next.

1. Check Active Directory Federation Services.
2. Click Confirmation to skip adding features since no changes are required.

Confirm that the Active Directory Federation Services role is confirmed for this installation and click Install.

Wait until the installation is completed and continue.  This may take several minutes to finish.

Click Close once the installation finishes.

Return to Server Manager, and close the Add Roles and Features Wizard from the previous steps if it is still opened.

1. Click the Notification icon.  You should see a warning sign since we still need to configure AD FS after installation.
2. Click Configure the federation service on this server.

1. Select Create the first federation server in a federation server farm. We are creating the first server for this lab, but if you already had an existing federation server farm and were scaling out, you would choose to the option to add a federation server to a federation server farm.
2. Click Next.

This step allows you to specify which account will be used to perform the federation service configuration.  This account must have Active Directory domain administrator permissions to be used, but the default administrator (CORP\Administrator) meets these requirements so we can continue.

Click Next.

1. Select the *.airwlab.com certificate from the list of SSL Certificates.  This will determine which SSL Certificate our AD FS service will use.
2. Enter "adfs.airwlab.com" for the Federation Service Name.  This is the endpoint where our AD FS service will reside.
3. Enter "AIRWLAB Federation Services" for the Federation Service Display Name.  This is the name on the webpage users will see when re-directed to authenticate via Forms Authentication for AD FS.  
4. Click Next.

The Service Account is responsible for retrieving user information from your LDAP attribute store.  The requirements for the Service Accounts are as follows (cited from AD FS Requirements on docs.microsoft.com):

• Any standard service account can be used.  Group Managed Service Accounts are also supported, but this requires at least one domain controller (recommended you deploy two or more DCs) that are running Windows Server 2012 or higher.
• For Kerberos authentication to function between domain-joined clients and AD FS, the ‘HOST/<adfs_service_name>’ must be registered as a SPN on the service account. By default, AD FS will configure this when creating a new AD FS farm if it has sufficient permissions to perform this operation.
• The AD FS service account must be trusted in every user domain that contains users authenticating to the AD FS service.

You'll notice the warning message that Group Managed Service Accounts are not available because the KDS Root Key has not been set.  For simplicity, we will just use an existing domain user account.

1. Click Select for Use an existing domain user account.
2. Enter "Administrator" for the object search field.
3. Click Check Names.
4. Click OK.

1. Enter "VMware1!" for the Account Password.
2. Click Next.

AD FS requires a SQL Server database to store all the configuration data for your Federation Service.  The AD FS configuration database defines the set of parameters that a Federation Service requires to identify partners, certificates, attribute stores, claims, and various data about these associated entities.

You can specify an existing SQL Server database, or you can create a database on the server using Windows Internal Database (WID).  The Windows Internal Database is a variant of SQL Server Express that is included in Windows Server 2008 and above which is designed to only be accessible by other Windows Services running on the same server.  Unlike the standalone versions of SQL Server, Windows Internal Database does not have its own management UI, requiring admins to modify the database by either using the AD FS Management snap-in, Fsconfig.exe or PowerShell.

SQL Server has many benefits over Windows Internal Database, including:

• High Availability configurations available to reduce single points of failure
• Increased performance to handle higher traffic
• Supports artifact resolution and SAML/WS-Federation token replay detection (see here for additional details) which ensures multiple requests using the same token are not honored more than once.

For simplicity, we will use the Windows Internal Database since we will not be concerned with modifying the elements of our configuration database.

1. Select Create a database on this server using Windows Internal Database.
2. Click Next.

If an existing AD FS configuration database already exists on this server's Windows Internal Database, choose to overwrite the existing database to ensure your current AD FS configuration is stored properly.

1. Enable Overwrite existing AD FS configuration database data.
2. Click Next.

1. Review your configuration on the Review Options page as needed.
2. Click Pre-requisite Checks to validate your configuration.
3. Click Configure.

Wait until the configuration process has completed.

Confirm that the server was successfully configured and close the AD FS Configuration Wizard.

1. From Server Manager, click Tools.
2. Click AD FS Management.

Alternatively, you can search for "AD FS Management" from the Start menu.

NOTE - If you see a message indicating that the AD FS configuration is still being pulled from the database, you will need to wait until that completes before continuing.  If you see items under the AD FS folder, you can continue.

To locate your Federation Metadata endpoint, navigate to:

1. Expand Service under AD FS.
2. Click Endpoints.
3. Scroll down to find the Metadata section.
4. Locate the Metadata object with the type Federation Metadata.  Note the URL Path, which will be used in the next step to download the Federation Metadata XML.

1. Open Google Chrome (or any browser)
2. Enter the Federation Metadata URL path behind your Federation Service Name (endpoint) you configured during the AD FS configuration.  This full path should be: "https://adfs.airwlab.com/FederationMetadata/2007-06/FederationMetadata.xml". Press Enter to navigate to this path.
3. The FederationMetadata.xml file should download.  Hold onto this file for a future step.