This video will look at how to install Active Directory Federation Services on Windows Server 2008 R2. Active Directory Federation Services requires a certificate in order for the install to be performed. In a previous video Active Directory Certificate Services was installed on a separate server on this network. This will be used during the install to create a certificate for use with Active Directory Federation Services to be used during the install of Active Directory Federation Services.
The version of Active Directory Federation Services or AD FS that comes with Windows Server 2008 R2 is version 1.0. Version 2.0 is a free update from Microsoft and will be the version that is install in this demonstration.
1) To install version 2.0, it first needs to be downloaded and installed. The install can be found by googling “AD FS 2.0 RTW”. RTW stands for “release to web”. It is just a matter of downloading the 32bit or 64bit version depending on what operating system that you are running. Otherwise you can visit the following link.
2) Once the download has completed, it is just a matter of running the executable.
3) Once past the welcome screen and license screen, the install will ask if you want to install the “Federation Server” or “Federation Server Proxy”. In this case the “Federation Server” was selected as the full product is required. If you wanted only the proxy service, the second option could be chosen.
4) The next screen of the install wizard will show you what perquisites are required by the install. The administrator does not need to install these, the install wizard will install these automatically if they are not already present on the system.
5) Once the wizard is completed, AD FS 2.0 will be added to the system and the next step is to configure it.
Once AD FS 2.0 has been installed, it next needs to be configured.
1) To configure, open “AD FS 2.0 Management” from Administrative Tools under the start menu.
2) On the home page, select the option “AD FS 2.0 Federation Server Configuration Wizard” to start the setup wizard.
3) On the first screen of the wizard you need to decide if you are creating a new federation service or adding this server to an existing farm. In this case, this is the Federation Server install on the network so the option “Create a new Federation Service” was selected.
4) The next screen of the wizard will ask if you want to create a new farm or if you want to install the server as a standalone server. Both options will give you the same set of features. The advantage of installing a new server farm is that additional servers can be added to the farm later on if required. The stand-alone option is generally recommend for testing, and the server farm option for production environments. In this case the option “New federation Server Farm” was selected.
5) The next screen of the wizard will ask for a certificate to be selected that will be used with Active Directory Federation Services. It is a matter of selecting an available certificate. If one is not available in the drop down list, you will need to request one following the procedure below.
6) If an existing AD FS database is found on the server, the install wizard will ask you if you want to remove this database from the server.
7) The next screen will ask for a service account that will be used to run Active Directory Federation Services. The user account can be a general domain user, however it will need to be added to the local administrator group on the server. To do this, open “Computer Management” from Administrative tools under the start menu. Once open, expand down to groups, right click the Administrators group and then select the option “Add to group”. It is just a matter then of adding the user name that you are planning to use as the service account.
8) The next screen of the wizard shows a summary of the configuration that was selected in the wizard, once next is pressed, the server will be configured. The process does take a few minutes to complete.
Creating a certificate
To create a certificate to be used with AD FS, a request for a certificate first needs to be created. In this case auto enrollment will be used to obtain a certificate and renew that certificate automatically.
1) To do this, run mmc from the start menu to access the certificate snap-in. There is no shortcut in the start menu to access this snap-in so it needs to be accessed this way.
2) To add the snap-in, select file and then select the option “Add/Remove Snap-in”. From the list of snap-ins, select certificates and then press the button add.
3) When the certificate snap-in is added, the administrator will be prompted for which certificate store that they want to manage. In this case, the certificates that Active Directory Federation Services will use is found in “Computer account” so this option will need to be selected and then next needs to be pressed to move on.
4) On the next screen, the wizard will ask which computer you want to manage certificates on. In this case this will be the local computer so the default option of “Local computer” will be left selected and then the wizard will be completed.
5) By default, the view of the certificate will be “Logical certificate stores”. To change it, select the view menu and then select options. From the option, change the view mode to “Certificate purpose”.
6) The certificate for AD FS needs to be used with “Server Authentication”, thus right click this container and select the option “Request New Certificate” which can be found under “All Tasks” to start the enrollment wizard.
7) Once past the welcome screen, the next screen will ask you to select an enrollment policy. In this case the default Active Directory enrollment policy will be selected.
8) The next screen will show the certificate templates that are available. In the previous video, a template for AD FS was created called “AD FS SSL Certificate 2008 R2”. For this video that template will be selected and then the enroll button will be pressed.
9) The enrollment should not take too long to complete. Once complete, the certificate will be obtained via enrollment and be added to the local certificate store.
“Active Directory Federation Services 2.0 RTW” http://www.microsoft.com/en-au/download/details.aspx?id=10909