How to install ADFS on Windows Server 2016

In this blog we will create a self-signed certificate for ADFS using Active Directory Certificate Services, and we will learn how to install ADFS on Windows Server 2016.


Prerequisites to install ADFS server

Let’s take a look at the prerequisites that need to be met before we install ADFS on Windows Server 2016.

  1. An SSL certificate is required for ADFS. If you are building a test environment, you can create a self-signed certificate from Active Directory Certificate Services.
  2. The machine on which we want to install ADFS must be domain-joined.
  3. Enterprise Admin credentials are required.
  4. If you want to add Microsoft 365 as a relying party trust, you need to deploy Azure AD Connect, and user accounts must be synchronized to Microsoft 365.

How to create an SSL certificate for ADFS using Active Directory Certificate Services

I have already deployed Active Directory Certificate Services on my Domain Controller. To create the self-signed certificate, go to Server Manager > Tools and click Certification Authority.

active directory certification authority

In the Certification Authority console, expand the CA node, right-click Certificate Templates and click Manage.

certification authority certificate template

Right-click the Computer template and click Duplicate Template.

certificate template console

On the General tab, under Template display name, type a name for the certificate template such as adfs ssl, and check Publish certificate in Active Directory.

general certificate template

On the Request Handling tab, check Allow private key to be exported.

request handling tab certificate template

On the Security tab, click Add, click Object Types, add the ADFS computer account, click Check Names, and allow Full Control.

On the Subject Name tab, under Subject name format, select Common name and make sure DNS name is selected. Click Apply.

subject name certificate template

We should now see a certificate template named adfs ssl, as shown below:

certificate template

Go back to the Certification Authority console and right-click Certificate Templates > New > Certificate Template to Issue.

certificate template to issue

You will see the adfs ssl template in the list. Select it and click OK.

adfs template in list

Now this certificate template can be used by the machine on which we will install ADFS. Go to that machine, open Run and type mmc. Click File > Add/Remove Snap-in, select Certificates and click Add. Select Computer account > Next > Finish.

Expand Certificates, right-click Personal > All Tasks > Request New Certificate.

request new certificate

Click Next > Next, select the adfs ssl certificate template > Enroll > Finish.

request certificate

Expand Personal and check that the ADFS certificate appears in the Certificates folder. This certificate will be used by ADFS as the service communication certificate.

adfs certificate

How to install ADFS server on Windows Server 2016

To install ADFS, go to Server Manager and click Add roles and features. Click Next on the Before you begin page, Next on the Select installation type page, and Next on the Select destination server page.

On the Select server roles page, select Active Directory Federation Services and click Next.

install active directory federation services

Click Next on the Select features page and click Install on the Confirm installation selections page. This starts installing the Active Directory Federation Services role.

adfs server installation progress

Configure the Federation Service on this Server

Once the installation has completed, click Configure the federation service on this server.

configure the federation service

On the Welcome screen, select Create the first federation server in a federation server farm and click Next.

welcome screen ADFS wizard

On the Connect to Active Directory Domain Services page, click Change, type Active Directory Enterprise Admin credentials and click Next.

credentials

On the Specify Service Properties page, click the drop-down arrow next to SSL Certificate and select the certificate.

specify service properties

Type a name for the Federation Service Display Name and click Next.

federation service display name

Note: The Federation Service Display Name is shown to users on the sign-in page.

Go to Active Directory Users and Computers and create an account that will be used as the service account for the ADFS server. On the Specify Service Account page of the ADFS configuration wizard, click Select, type the service account you just created, click Check Names and click OK. Under Account Password, type the password of the service account and click Next.

On the Specify Configuration Database page, you can select either WID or a SQL Server database to store the ADFS configuration. I will select Create a database on this server using Windows Internal Database because I want to use WID. Click Next.

On the Review Options page, click Next.

On the next page, Pre-requisite Checks, the wizard validates that all required prerequisites are met. If all prerequisites show as met, click Configure.

On the Results page you will see This server was successfully configured. Click Close to close the wizard.

With this, we have successfully installed ADFS on Windows Server 2016.
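The certificate enrollment and farm setup described above, scripted in PowerShell on the future ADFS server, as an added example that is not part of the original post. The template name adfsssl, the display name and the service account are assumptions; the federation service name is taken from the test URL later in the post.

```powershell
# Added example (not from the original post): the GUI steps above done from PowerShell.
# Assumed values; change them for your environment.
$TemplateName   = 'adfsssl'                       # template *name* (the display name was "adfs ssl")
$FederationName = 'adfs.office365concepts.local'   # federation service name used in the post's test URL
$DisplayName    = 'Office365Concepts ADFS'         # shown to users on the sign-in page (assumed)
$SvcAccount     = 'OFFICE365CONCEPTS\svc_adfs'     # service account created in AD Users and Computers (assumed)

# 1. Enroll the service communication certificate from the AD CS template
#    (MMC > Certificates (Local Computer) > Personal > Request New Certificate).
#    The template must already be issued by the CA and this computer needs Enroll permission on it.
$enroll = Get-Certificate -Template $TemplateName `
                          -DnsName $FederationName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($enroll.Status)" }
$thumbprint = $enroll.Certificate.Thumbprint

# 2. Check the certificate before handing it to ADFS: private key present,
#    name matches the federation service name, chain and Server Authentication EKU valid.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if (-not (Test-Certificate -Cert $cert -DNSName $FederationName -EKU '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $thumbprint does not validate for $FederationName"
}

# 3. Install the AD FS role (Server Manager > Add roles and features).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# 4. Create the first federation server in a new farm. No -SQLConnectionString means
#    the configuration is stored in the Windows Internal Database, as in the wizard.
$adCred  = Get-Credential -Message 'Enterprise Admin credentials'
$svcCred = Get-Credential -UserName $SvcAccount -Message 'Password of the ADFS service account'
Install-AdfsFarm -CertificateThumbprint $thumbprint `
                 -FederationServiceName $FederationName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $svcCred `
                 -Credential $adCred
```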

Enable the ADFS IdP-initiated sign-on page

We have installed the ADFS service on Windows Server 2016, so now let’s test whether ADFS authentication is working. To do that, we will try to access the IdP-initiated sign-on page, which lets you check that ADFS authentication is working.

By default the EnableIdpInitiatedSignonPage property is disabled. To enable it, go to the ADFS server, open Windows PowerShell and run the command below:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

To verify that EnableIdpInitiatedSignonPage is now set to True, run the command below:

Get-AdfsProperties | fl EnableIdpInitiatedSignonPage

To test ADFS authentication, copy the URL below and paste it into a browser:

https://adfs.office365concepts.local/adfs/ls/idpinitiatedsignon.aspx

You should see a page like the one below, showing the Federation Service Display Name and a Sign in button.

adfs idp initiated sign on page
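The same test run from PowerShell on the ADFS server, as an added example that is not part of the original post: the sign-on page is enabled only for the duration of the check and returned to its default afterwards. The display name is an assumed value; the URL is the one from the post.

```powershell
# Added example (not from the original post): enable the IdP-initiated sign-on page,
# confirm the endpoint answers, then disable it again.
$FederationName = 'adfs.office365concepts.local'   # from the post's test URL
$DisplayName    = 'Office365Concepts ADFS'         # assumed value typed into the wizard
$url = "https://$FederationName/adfs/ls/idpinitiatedsignon.aspx"

Import-Module ADFS
try {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

    # Verify the property really changed before testing the endpoint.
    if (-not (Get-AdfsProperties).EnableIdpInitiatedSignonPage) {
        throw 'EnableIdpInitiatedSignonPage is still False'
    }

    # Fetch the page. A 200 whose body carries the display name means the federation
    # service is up, the SSL certificate was accepted and the sign-on page is reachable.
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch [regex]::Escape($DisplayName)) {
        throw "Unexpected response from ${url}: HTTP $($resp.StatusCode)"
    }
    Write-Host "IdP-initiated sign-on page is reachable at $url"
}
finally {
    # Back to the default: the page is only needed for testing, so leave it
    # disabled once the check is done and show the final value.
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
    Get-AdfsProperties | Format-List EnableIdpInitiatedSignonPage
}
```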

Conclusion

In this blog we learnt how to create an SSL certificate for the ADFS server using Active Directory Certificate Services, how to install the Active Directory Federation Services role on Windows Server 2016, how to configure the federation service on the server, and how to enable the IdP-initiated sign-on page on the ADFS server to test redirection and authentication.



Happy Learning!!

6 Comments

  1. Hi

    Thank you for this well-drafted and detailed article.
    Could you please also explain how a WAP server is installed, configured, and used in an ADFS environment?

  2. Do you have a writeup explaining the upgrade process of an existing ADFS environment? (ex. from Win Server 2012 to 2019)

  3. Thank you for this great article and the smooth understanding you offer with it.

    Do you also have something which explains how to migrate ADFS & its WAP from a legacy to higher Windows Servers?
