ADFS Environment Buildup with WCF Utilization – Part 3

Welcome back! This is part 3, and we are going to jump right in by configuring the security certificates on our identity server for the ADFS and IIS roles. If you’ve been following along as I’ve been publishing this multi-part article, I apologize for the delay between parts 2 and 3; I had a hardware failure that delayed my writing.


Create a Certificate

If you are following along using a local network and VM machines then creating your own self-signed security certificates is likely going to be sufficient. This is what I will be doing for this tutorial.

However, for a production system you will likely want to use professionally created and signed certificates for your domain and server. Now is the time to get them and install them.

So we start by creating a certificate. Open up PowerShell ISE once again and run the following command with your own domain information.

New-SelfSignedCertificate -DnsName fs.martialdeveloper.local -CertStoreLocation Cert:\LocalMachine\My

The Thumbprint and the Subject will be displayed on the console after creation, as shown below. Make a note of these two fields for future reference.

create new cert


Bind the Certificate

Now we are going to hop over to IIS Manager by opening the Server Manager window, right-clicking the Tools menu and selecting “Internet Information Services (IIS) Manager” as shown below.

iis manager selection

Once the IIS Manager window comes up, navigate to the Default Web Site, right-click it, and select the “Edit Bindings” option, as shown below.

IIS edit binding default website

On the window that pops up select “Add”, and configure the new binding for HTTPS with the security certificate you just created, as shown.

https binding
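The same two steps (create the identity server certificate, then bind it to the Default Web Site’s HTTPS listener) can be done entirely from PowerShell, which also lets you verify the binding and confirm the private key is present before the ADFS wizard asks for the certificate. This is an added example, not code from the original article; it assumes the hostname fs.martialdeveloper.local used above and the IIS WebAdministration module that ships with the IIS role.

```powershell
# Added example (not from the original article): create the identity server's
# self-signed certificate and bind it to the Default Web Site's HTTPS listener
# from PowerShell, then verify the result. Assumes the hostname
# fs.martialdeveloper.local from the article and the IIS WebAdministration module.
Import-Module WebAdministration

$fqdn = 'fs.martialdeveloper.local'

# Create the certificate in the machine store. -DnsName becomes the subject CN
# and the SAN entry; the LocalMachine store is required so that IIS and the
# AD FS service can read the private key.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My

# These are the two fields the article tells you to note down.
"Thumbprint: $($cert.Thumbprint)"
"Subject:    $($cert.Subject)"

# Add the HTTPS binding on port 443 (all IP addresses) to the default site,
# unless one is already there.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding. The IIS: drive
# exposes SSL bindings as items whose value is the certificate object.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Checks worth running before moving on to the AD FS wizard:
# 1. the certificate bound to port 443 is the one just created,
# 2. the private key is present (the wizard cannot use a public-only cert),
# 3. the certificate is within its validity period (default is one year).
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) { throw 'A different certificate is bound to port 443' }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has already expired' }
"HTTPS on $fqdn uses thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Keep in mind that a self-signed certificate is only trusted by the machine that created it; the application server (and any test browser) will show certificate warnings until the identity server’s public certificate is placed in that machine’s Trusted Root store, and a production deployment should use the CA-issued certificate mentioned at the start of this section instead.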


Create the ADFS Service

Now we are going to set up the ADFS service. Go to the Server Manager window, right-click Tools, and select “AD FS Management”.

ADFS Manager selection

When the ADFS Management window comes up, click the configuration wizard link.

ADFS config wizard

Click “Next” on the first screen that appears, then select the “Stand-alone federation server” as shown below.

ADFS stand alone

For large production environments you may want to create a federation server farm, but for this tutorial we only need one.

Click Next, verify that the certificate auto-populated by the wizard is the one you created earlier, and then click Next three more times.


Create the Application Server Security Certificate

Now we have to jump back over to our application server and configure it for use.

Let’s start by creating a security certificate for it. You have two options: either use the same PowerShell ISE command as you did on the identity server (with application-server-specific substitutions), or navigate to the IIS Manager and create the certificate through the IIS GUI. I’m going to show the IIS Manager approach since the PowerShell command has already been demonstrated.

Open the IIS Manager through the Tools menu of the Server Manager on the Application server.

IIS Manager Open

Now navigate to the local server node and click the “Server Certificates” icon at the bottom of the list of options in the center of the GUI.

Server Certificates

Now we are going to create a self-signed security certificate by clicking the link on the right side of the Server Certificates panel in the IIS Manager.

Create Self-Signed Cert

Now type in a friendly name for the security certificate. I use a similar name to the one created for the identity server.

Certificate Name

Click Next and the certificate will appear in the list of server certificates on the previous screen. Now right-click the newly created certificate and select the View option.

View Certificate

On the screen that pops up, navigate to the Details tab and click the Copy to File button towards the bottom right.

Export Certificate

Now, on the screen that pops up, click Next three times, then give the exported certificate file an easy-to-remember name and export location. Then click Next.

Certificate Export Name

Click Next, Finish and OK to complete the certificate export. You can now close the IIS Manager. Next we are going to copy the newly exported certificate to the identity server. Once this is done, we will use it to configure a relying party with the ADFS server.
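For readers who prefer the PowerShell route mentioned at the top of this section, the following added example (not code from the original article) performs the application server steps from the command line: it creates the certificate, gives it a friendly name, exports only the public part as a .cer file, and verifies the export before it is copied to the identity server. The hostname app.martialdeveloper.local and the folder C:\certs are assumed placeholders; substitute your own.

```powershell
# Added example (not from the original article): application server side of the
# certificate steps done in PowerShell instead of the IIS GUI. The hostname and
# output folder below are assumed placeholders. Run this on the application server.
$fqdn   = 'app.martialdeveloper.local'
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same cmdlet as on the identity server. The friendly name is what the IIS
# Server Certificates list shows, so choose one you will recognise later.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
$cert.FriendlyName = "Application Server ($fqdn)"

# Export only the public certificate as a DER-encoded .cer file, which is all
# the relying party configuration on the AD FS server needs. Export-PfxCertificate
# would also carry the private key, and that is not what should leave this box.
$cerPath = Join-Path $outDir "$fqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Verify the exported file before copying it: reload it from disk, compare the
# thumbprint with the store copy, and confirm it carries no private key.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the store certificate' }
if ($exported.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
"Exported $cerPath with thumbprint $($exported.Thumbprint); copy this file to the identity server"
```

After copying the .cer file, the same X509Certificate2 load and thumbprint comparison can be repeated on the identity server against the thumbprint printed here, so you know the file the relying party will trust is the one you exported and not a stale or altered copy.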

In Part 4 we will continue by configuring the Identity server’s DNS role with resource records to allow IPv4 lookups for our two servers, and then we will configure the Identity server’s ADFS role with a relying party pointing to our application server.

If you have any questions or comments about the above article please comment below!



See references from Part 2.

