Welcome back! This is part 3, and we are going to jump right in by configuring the security certificates on our identity server for the ADFS and IIS roles. If you’ve been following along as I’ve been publishing this multi-part article, I apologize for the delay between part 2 and 3, I had a hardware failure that delayed my writing.
Create a Certificate
If you are following along using a local network and VM machines then creating your own self-signed security certificates is likely going to be sufficient. This is what I will be doing for this tutorial.
However, for a production system you will likely want to use professionally created and signed certificates for your domain and server. Now is the time to get them and install them.
So we start by creating a certificate. Open up Powershell ISE once again and run the following script with your domain information.
New-SelfSignedCertificate -DnsName fs.martialdeveloper.local -CertStoreLocation Cert:\LocalMachine\My
The Thumbprint and the Subject will be displayed for you on the console after creation. Make a note of these two fields for future reference. Shown below.
Bind the Certificate
Now we are going to hope over to IIS Manager by opening the server manger window, right clicking on the Tools menu and selecting “Internet Information Services (IIS) Manager” as shown below.
Once the IIS Manager window comes up, we will navigate to the Default Wed Site, right click, and select the “Edit Bindings” option, as shown below.
On the window that pops up select “Add”, and configure the new binding for HTTPS and the security certificate you just created, like shown.
Create the ADFS Service
Now we are going to set up the ADFS service. Go to the Server Manager window, right click Tools, and select “AD FS Management”.
When the ADFS Management window comes up, click the configuration wizard link.
Click “Next” on the first screen that appears, then select the “Stand-alone federation server” as shown below.
For large production environments you may want to create a federation server farm, but for this tutorial we only need one.
Click next then verify the certificate that is auto populated is the one you created earlier, and then click Next three more times.
Create the Application Server Security Certificate
Now we have to jump back over to our application server and configure it for use.
Lets start by creating a security certificate for it. You have two options, either use the same PowerShell ISE command string as you did on the identity server(with application server specific substitutes), or navigate to the IIS Manager and create the certificate through the IIS GUI. I’m going to show the IIS Manager approach since the PowerShell command has already been demonstrated.
Open the IIS Manager through the Tools menu of the Server Manager on the Application server.
Now navigate the the local server and click the “Server Certificates” icon at the bottom of the list of options in the center of the GUI.
Now we are going to create a self signed security certificate by clicking the link on the right side of the Server Certificates panel in the IIS Manager.
Now type in a friendly name for the security certificate. I use a similar name to the one created for the identity server.
Click next and the certificate will appear in the security certificates list on the previous screen. Next right click on the newly created certificate and select the view option.
On the screen that pops up navigate to the Details tab and click the Copy to File button towards the bottom right.
Now, on the screen that pops up click Next three times, then give the exported certificate file an easy to use and remember name and export location. Then click next.
Click Next, Finish and Okay to complete the certificate export. You can now close the IIS Manager. Now we are going to copy the newly exported certificate to the identity server. Once this is done, we will use it to configure a relying part with the ADFS server.
In Part 4 we will continue by configuring the Identity server’s DNS roll with resource records to allow IPv4 lookups for our two servers, and then the we will configure the Identity server’s ADFS roll with a relying part pointing to our application server.
If you have any questions or comments about the above article please comment below!
See references from Part 2.