Category: ADFS

Welcome back! This is part 3, and we are going to jump right in by configuring the security certificates on our identity server for the ADFS and IIS roles. If you’ve been following along as I’ve been publishing this multi-part article, I apologize for the delay between part 2 and 3, I had a hardware failure that delayed my writing.

 

Create a Certificate

If you are following along using a local network and VM machines then creating your own self-signed security certificates is likely going to be sufficient. This is what I will be doing for this tutorial.

However, for a production system you will likely want to use professionally created and signed certificates for your domain and server. Now is the time to get them and install them.

So we start by creating a certificate. Open up Powershell ISE once again and run the following script with your domain information.

New-SelfSignedCertificate -DnsName fs.martialdeveloper.local -CertStoreLocation Cert:\LocalMachine\My

The Thumbprint and the Subject will be displayed for you on the console after creation. Make a note of these two fields for future reference. Shown below.

 

Bind the Certificate

Now we are going to hope over to IIS Manager by opening the server manger window, right clicking on the Tools menu and selecting “Internet Information Services (IIS) Manager” as shown below.

Once the IIS Manager window comes up, we will navigate to the Default Wed Site, right click, and select the “Edit Bindings” option, as shown below.

On the window that pops up select “Add”, and configure the new binding for HTTPS and the security certificate you just created, like shown.

 

Create the ADFS Service

Now we are going to set up the ADFS service. Go to the Server Manager window, right click Tools, and select “AD FS Management”.

When the ADFS Management window comes up, click the configuration wizard link.

Click “Next” on the first screen that appears, then select the “Stand-alone federation server” as shown below.

For large production environments you may want to create a federation server farm, but for this tutorial we only need one.

Click next then verify the certificate that is auto populated is the one you created earlier, and then click Next three more times.

 

Create the Application Server Security Certificate

Now we have to jump back over to our application server and configure it for use.

Lets start by creating a security certificate for it. You have two options, either use the same PowerShell ISE command string as you did on the identity server(with application server specific substitutes), or navigate to the IIS Manager and create the certificate through the IIS GUI.  I’m going to show the IIS Manager approach since the PowerShell command has already been demonstrated.

Open the IIS Manager through the Tools menu of the Server Manager on the Application server.

Now navigate the the local server and click the “Server Certificates” icon at the bottom of the list of options in the center of the GUI.

Now we are going to create a self signed security certificate by clicking the link on the right side of the Server Certificates panel in the IIS Manager.

Now type in a friendly name for the security certificate. I use a similar name to the one created for the identity server.

Click next and the certificate will appear in the security certificates list on the previous screen. Next right click on the newly created certificate and select the view option.

On the screen that pops up navigate to the Details tab and click the Copy to File button towards the bottom right.

Now, on the screen that pops up click Next three times, then give the exported certificate file an easy to use and remember name and export location. Then click next.

Click Next, Finish and Okay to complete the certificate export. You can now close the IIS Manager. Now we are going to copy the newly exported certificate to the identity server. Once this is done, we will use it to configure a relying part with the ADFS server.

In Part 4 we will continue by configuring the Identity server’s DNS roll with resource records to allow IPv4 lookups for our two servers, and then the we will configure the Identity server’s ADFS roll with a relying part pointing to our application server.

If you have any questions or comments about the above article please comment below!

 

References:

See references from Part 2.

 

In Part 2 we will continue configuring the Identity server starting with installing the Active Directory Domain Services role.

 

Active Directory Domain Services

Begin by opening the Server Manager panel if it is not already. Click on Manage -> Add Roles and Features.

Continue through the wizard until you get to the role selection window and select the Active Directory Domain Services role shown below.

Add the additional features that automatically pop up and click “Next”. Continue clicking next until you reach the “Install” page, select the “Restart the Destination server automatically if required” check box, and click “Install”.

 

Static IP

Before continuing configure your Identity Server with a static IPv4 address, and disable IPv6. Since I am on a local network, my static IP is an internal IP only, but this is sufficient for this tutorial.

 

DNS Server and Domain Controller

 

The next things we are going to do are to, promote the identity server to a domain controller, install the DNS Server role onto the identity server, and to create a forest on the DNS Server with forward and reverse lookup zones for our local domain that we will be using for this tutorial. This next step is one good reason to use Virtual Machines if you are performing these configurations strictly as a learning exercise since you would have to have a dedicated domain if the machines were not on a private network.

Start by clicking the notification icon that has appeared since ADDS was added, shown below.

Next click the “Promote this server to a domain controller” link in the notifications drop down.

In the wizard that comes up select the “Add a new forest” radio button shown below. Then type in the domain that you will be using.

Click next, then select the forest functional levels you want. I leave these at Server 2012 since I don’t plan on interacting with older DNS servers. Then enter a password for the DSRM, I use the admin password for this so it’s easy to remember for the demo but you will likely want a unique password for a production system.

Click “Next”. You will be warned about DNS Delegation options. For this demo on a local network this is not important, for a production environment, creating this delegation should be your next step.

Click OK and Next. Then on the next page click Install. Wait till the installation has finished to proceed.

Once the Identity server has completed it will then be a Domain Controller for martialdeveloper.local, and have the DNS Server role installed and integrated with Active Directory for the domain we created.

Application server IIS

While you are waiting for the Identity server to finish this installation you can start installing IIS on the Application server. Refer back to Part 1 of this series of articles if you forgot how to do this.

 

Configure Active Directory

We will continue by creating Organizational Units in Active Directory. We will be doing this in PowerShell. Please see Stefan Severin’s blog in the references section for the source of these commands. I am very happy to have found them on his blog!

Start by running Powershell ISE in administrative mode, and setting the execution policy to RemoteSigned.

Set-ExecutionPolicy RemoteSigned

Now run the following script to set the Organizational Units. Making sure to replace the first line with one appropriate for the domain you are using.

$domain = "dc=martialdeveloper,dc=local"; 
$ouAdmin = "ou=Adfs Administration"; 
$ouServiceAccounts = "ou=Service Accounts"; 
$ldapConnection = [ADSI] "LDAP://$domain"; 
$newAdminOu = $ldapConnection.Create("OrganizationalUnit", $ouAdmin); 
$newAdminOu.SetInfo(); 
Set-ADOrganizationalUnit "$ouAdmin,$domain" -ProtectedFromAccidentalDeletion $True; 
$ouAdminPath = [ADSI]($newAdminOu.path) 
$newAccountOu = $ouAdminPath.Create("OrganizationalUnit", $ouServiceAccounts); 
$newAccountOu.SetInfo(); 
Set-ADOrganizationalUnit "$ouServiceAccounts,$ouAdmin,$domain" -ProtectedFromAccidentalDeletion $True;

Now create the service account for the ADFS farm. Make sure to enter your domain specifics on line 4. Also, since this is a domain controller the strong password requirements are enabled, so get creative unless you want to have to recreate the account a few times when it fails on the password strength.

$dnsRoot = (Get-ADDomain).dnsroot 
$pwd = read-host "Enter strong password" -AsSecureString 
$upn = "SVC-ADFS" + "@" + $dnsRoot 
New-ADUser –Name "SVC-ADFS" –SamAccountName SVC-ADFS –DisplayName SVC-ADFS -Description "Service account for ADFS farm" -userprincipalname $upn -Path "OU=Service Accounts,OU=ADFS Administration,DC=martialdeveloper,DC=local" –Enabled $true –ChangePasswordAtLogon $False -PasswordNeverExpires $true -AccountPassword $pwd

Configure the SPN (Service Principle Name) for the ADFS service account. Making sure to remember to replace the hostname, and domain information for your environment.

setspn -S host/WIN-924FNOTSB0B.martialdeveloper.local martialdeveloper.local\svc-adfs

Now we install the ADFS Feature onto our identity server machine.

Install-WindowsFeature AD-Federation-Services

We now have ADFS installed, our domain is configured, and we have Active Directory setup. When we continue in Part 3, we will begin by configuring our security certificates for ADFS and IIS.

 

References:

As always, please have a look at my references for further information on the topics discussed above.

Adding Additional Domain Controller (Windows Server 2012)

http://blogs.msdn.com/b/stseverin/archive/2012/12/29/deploying-adfs-2-1-on-windows-server-2012-using-powershell.aspx

Before I get into it, I wanted to give a little back ground about what this series of articles is, and what caused them to be written.

A while back I had a project come up that needed to use some WCF services for data sharing across multiple device types, and multiple domains.  Given that there were going to be potentially dozens of different corporate domains needing to access these services I thought ADFS or Active Directory Federation Services would be an ideal fit.

Ultimately we used far fewer of the ADFS features than originally thought but regardless, I struggled so much to understand the whole end to end process of building the servers and hosting up from scratch to deploy my services to, that I decided that I needed to document that learning experience in case any developer in the future who, like me, has to build a custom environment from the ground up needs some guidance.

For this tutorial you will need to have at least two Server 2012 machines to work with. You can accomplish this a number of ways, Hyper-V VMs, VMware VMs, two separate physical boxes, Amazon EC2 Instances, etc.. For this tutorial I will be using a single Server 2012 machine running VMs on Hyper-V, but the steps in this guide can be applied to a number of different computing environments. However, I would suggest using VMs on a private network if you are doing this strictly as a learning exercise. In later steps we will have to promote the Identity server to a Domain Controller.

In this tutorial I will be providing a concrete example of creating and configuring a custom application domain and implementing an ADFS server to handle token distribution.

I’m not entirely sure how many parts this series of articles will contain as there is a substantial amount of work and understanding involved here.

 

Before We Begin

Before we can get started, we need to have our first two machines up and running. Creating the VMs that you will be using or building the physical boxes is an exercise for the reader since there are so many ways of going about this.

Okay, so go ahead, get your machines set up, I’ll wait… done yet? No… Now? Okay good! Let’s move on!

 

First Steps

Our first several tasks are going to involve configuring the Identity server for all the various tasks it will be performing in the near future.  The Application server has much less configuration required but we will get to that later.

We are going to start by installing the IIS Role on the identity server. Log into your identity machine, the Server Manager panel should launch automatically. On the Server Manager panel click Manage->Add Roles and Features.

When the Roles and Features wizard comes up, you can click “Next” through the first three screens until you come to the roles selection screen shown below.

Check the “Web Server (IIS)” box. There will be an automatic pop up asking to install the IIS management tools with the IIS role. Click the “Add Features” button shown below.

Then click “Next”. You will now be presented with the “Features Selection” screen. Strictly speaking, nothing should be absolutely necessary on this page but I like to add a few things as a personal preference, mostly for backwards compatibility. The three additional options I select are shown below.

The HTTP Activation feature will require additional dependencies. Once your features are selected, click “Next” twice.

Now you’re presented with the Role Services selection window. A lot of the choices here are going to be based on your needs, but I have a set of capabilities that I like or need in most IIS installations that I will show below in the next three images.

Most of the selections I make here are not strictly necessary but the two categories you need to think about the most are the Security and Logging options.  Additional Security services will allow you the freedom of choosing to authenticate your WCF services/users in more ways, and the additional logging options are extremely handy when you’re getting a very generic authentication failure error message and can’t figure out why.

Now click “Next” and on the following page make sure to select the automatic restart check box as shown below.

Then click “Install”. A progress bar screen will be displayed, and the server will automatically restart during the installation process if necessary.

In Part 2 we will continue configuring the Identity server with the additional roles and services that it needs to act as an identity server, starting with ADDS(Active Directory Domain Services).

Now that you have been through the process of adding a Role, the next section will not have as much detail about how to do this, unless an important configuration needs to be pointed out during the role installation.