Before I get into it, I wanted to give a little back ground about what this series of articles is, and what caused them to be written.
A while back I had a project come up that needed to use some WCF services for data sharing across multiple device types, and multiple domains. Given that there were going to be potentially dozens of different corporate domains needing to access these services I thought ADFS or Active Directory Federation Services would be an ideal fit.
Ultimately we used far fewer of the ADFS features than originally thought but regardless, I struggled so much to understand the whole end to end process of building the servers and hosting up from scratch to deploy my services to, that I decided that I needed to document that learning experience in case any developer in the future who, like me, has to build a custom environment from the ground up needs some guidance.
For this tutorial you will need to have at least two Server 2012 machines to work with. You can accomplish this a number of ways, Hyper-V VMs, VMware VMs, two separate physical boxes, Amazon EC2 Instances, etc.. For this tutorial I will be using a single Server 2012 machine running VMs on Hyper-V, but the steps in this guide can be applied to a number of different computing environments. However, I would suggest using VMs on a private network if you are doing this strictly as a learning exercise. In later steps we will have to promote the Identity server to a Domain Controller.
In this tutorial I will be providing a concrete example of creating and configuring a custom application domain and implementing an ADFS server to handle token distribution.
I’m not entirely sure how many parts this series of articles will contain as there is a substantial amount of work and understanding involved here.
Before We Begin
Before we can get started, we need to have our first two machines up and running. Creating the VMs that you will be using or building the physical boxes is an exercise for the reader since there are so many ways of going about this.
Okay, so go ahead, get your machines set up, I’ll wait… done yet? No… Now? Okay good! Let’s move on!
Our first several tasks are going to involve configuring the Identity server for all the various tasks it will be performing in the near future. The Application server has much less configuration required but we will get to that later.
We are going to start by installing the IIS Role on the identity server. Log into your identity machine, the Server Manager panel should launch automatically. On the Server Manager panel click Manage->Add Roles and Features.
When the Roles and Features wizard comes up, you can click “Next” through the first three screens until you come to the roles selection screen shown below.
Check the “Web Server (IIS)” box. There will be an automatic pop up asking to install the IIS management tools with the IIS role. Click the “Add Features” button shown below.
Then click “Next”. You will now be presented with the “Features Selection” screen. Strictly speaking, nothing should be absolutely necessary on this page but I like to add a few things as a personal preference, mostly for backwards compatibility. The three additional options I select are shown below.
The HTTP Activation feature will require additional dependencies. Once your features are selected, click “Next” twice.
Now you’re presented with the Role Services selection window. A lot of the choices here are going to be based on your needs, but I have a set of capabilities that I like or need in most IIS installations that I will show below in the next three images.
Most of the selections I make here are not strictly necessary but the two categories you need to think about the most are the Security and Logging options. Additional Security services will allow you the freedom of choosing to authenticate your WCF services/users in more ways, and the additional logging options are extremely handy when you’re getting a very generic authentication failure error message and can’t figure out why.
Now click “Next” and on the following page make sure to select the automatic restart check box as shown below.
Then click “Install”. A progress bar screen will be displayed, and the server will automatically restart during the installation process if necessary.
In Part 2 we will continue configuring the Identity server with the additional roles and services that it needs to act as an identity server, starting with ADDS(Active Directory Domain Services).
Now that you have been through the process of adding a Role, the next section will not have as much detail about how to do this, unless an important configuration needs to be pointed out during the role installation.