How to install ADFS on Windows Server 2016
In this blog we will issue a certificate for ADFS from our own Active Directory Certificate Services CA and we will learn how to install ADFS on Windows Server 2016.
Prerequisites to install ADFS server
Let’s take a look at the prerequisites that need to be met before we install ADFS on Windows Server 2016.
- An SSL certificate is required for ADFS. In a test environment you can issue one from your own Active Directory Certificate Services CA instead of buying a publicly trusted certificate.
- The machine on which we want to install ADFS must be domain-joined.
- Enterprise Admin credentials are required for the configuration.
- If you want to add Microsoft 365 as a relying party trust, you also need to deploy Azure AD Connect and synchronize user accounts to Microsoft 365.
How to create an SSL certificate for ADFS using Active Directory Certificate Services
I have already deployed Active Directory Certificate Services on my Domain Controller. To create the certificate template, go to Server Manager > Tools and click Certification Authority.
In the Certification Authority console, expand the CA node, right-click Certificate Templates and click Manage.
Right-click the Computer template and click Duplicate Template.
On the General tab, under Template display name, type a name for the certificate template such as adfs ssl, and check Publish certificate in Active Directory.
On the Request Handling tab, check Allow private key to be exported.
On the Security tab, click Add, click Object Types, add the ADFS server’s computer account, click Check Names and allow Full Control. (Read and Enroll are all that enrollment actually needs; Full Control is broader than required.)
On the Subject Name tab, under Subject name format, select Common name and make sure DNS name is selected. Click Apply.
We should now see a certificate template named adfs ssl in the list.
Go back to the Certification Authority console, right-click Certificate Templates > New > Certificate Template to Issue.
You will see the ADFS template in the list. Click OK.
This certificate template can now be used by the machine on which we will install ADFS. Go to that machine, open Run and type mmc. Click File > Add/Remove Snap-in, click Certificates and click Add. Select Computer account > Next > Finish.
Expand Certificates, right-click Personal > All Tasks > Request New Certificate.
Click Next > Next, select the ADFS certificate > Enroll > Finish.
Expand Personal and check that the ADFS certificate appears under the Certificates folder. This certificate will be used by ADFS as the service communication certificate.
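The same enrollment done from PowerShell, followed by the checks a practitioner should run before ADFS is pointed at the certificate. This is an added example, not code from the original post; it assumes the template’s internal name is adfsssl (the display name adfs ssl with the space dropped) and takes the federation service name adfs.office365concepts.local from the test URL later in the post.

```powershell
# Added example, not from the original post: enroll the ADFS service
# communication certificate from the template created above, then verify
# it before ADFS is configured to use it.
# Assumptions: the template's internal name is 'adfsssl' (display name
# 'adfs ssl' with the space dropped) and the federation service name is
# adfs.office365concepts.local, taken from the post's test URL.
$templateName = 'adfsssl'
$fsName       = 'adfs.office365concepts.local'

# Enroll from the domain CA straight into the computer's Personal store.
# This is the PowerShell equivalent of Certificates (Local Computer) >
# Personal > Request New Certificate; the computer account must hold the
# Enroll permission on the template.
$enrollment = Get-Certificate -Template $templateName `
                              -SubjectName "CN=$fsName" `
                              -DnsName $fsName `
                              -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($enrollment.Status)"
}
$cert = $enrollment.Certificate

# Checks worth running before handing the certificate to ADFS.
$problems = @()

# 1. ADFS needs the private key in the machine store.
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store' }

# 2. The subject CN must be the federation service name.
if ($cert.Subject -notmatch "^CN=$([regex]::Escape($fsName))(,|$)") {
    $problems += "subject is '$($cert.Subject)', expected CN=$fsName"
}

# 3. Browsers match the host name against the SAN extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($true) -notmatch [regex]::Escape($fsName)) {
    $problems += 'SAN extension missing or does not contain the federation service name'
}

# 4. The template was duplicated from Computer, so Server Authentication
#    (1.3.6.1.5.5.7.3.1) must be present in the EKU extension.
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'Server Authentication EKU missing'
}

# 5. The chain must build to a trusted root (the AD CS root is published to
#    domain members) and the certificate must not be about to expire.
if (-not $cert.Verify()) { $problems += 'chain does not validate on this machine' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate is not suitable for the ADFS service communication role'
}

# The thumbprint is what the configuration wizard (or Install-AdfsFarm) needs.
Write-Output "Certificate ready: $($cert.Thumbprint)"
```

Run it on the future ADFS server as an administrator. A certificate that fails check 3 is the most common cause of browser name-mismatch errors later, because modern browsers ignore the subject CN and only look at the SAN.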
How to install ADFS server on Windows Server 2016
To install ADFS, go to Server Manager and click Add roles and features. On the Before you begin page of the wizard click Next, click Next on the Select installation type page, and click Next on the Select destination server page.
On Select server roles, select Active Directory Federation Services and click Next.
Click Next on the Select features page and click Install on Confirm installation selections. This starts installing the Active Directory Federation Services role.
Configure the Federation Service on this Server
Once installation is completed, click Configure the federation service on this server.
On Welcome screen, select Create the first federation server in a federation server farm and click Next.
On the Connect to Active Directory Domain Services page, click Change, enter Active Directory Enterprise Admin credentials and click Next.
On the Specify Service Properties page, click the drop-down arrow next to SSL Certificate and select the certificate.
Type a name for Federation Service Display Name and click Next.
Note: Federation Service Display Name will be displayed to the users at the sign-in page.
First, go to Active Directory Users and Computers and create the account that ADFS will run as (its service account). Back in the ADFS configuration wizard, on the Specify Service Account page, choose Select, type the service account you just created, click Check Names and click OK. Under Account Password type the password of the service account and click Next.
On the Specify Configuration Database page you can store the ADFS configuration either in WID or in a SQL Server database. I will select Create a database on this server using Windows Internal Database because I want to use WID. Click Next.
On Review Options page click Next.
On the next page, Pre-requisite Checks, the wizard validates that all required prerequisites are met. If they all show as met, click Configure.
On the Results page, you will see This server was successfully configured. Click Close to close the wizard.
And with this we have successfully installed ADFS on Windows Server 2016.
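The role installation and farm configuration above, done with the ADFS cmdlets so the steps can be repeated on another server or scripted. This is an added example, not code from the original post; it assumes the federation service name adfs.office365concepts.local (from the post’s test URL), a display name of Office365Concepts, a service account svc-adfs already created in Active Directory Users and Computers, and the service communication certificate already enrolled into the computer’s Personal store.

```powershell
# Added example, not from the original post: the same install-and-configure
# steps the wizard walks through, done with the ADFS cmdlets.
# Assumptions: federation service name adfs.office365concepts.local (from the
# post's test URL), display name 'Office365Concepts', a service account named
# svc-adfs created in Active Directory Users and Computers beforehand, and the
# service communication certificate already in Cert:\LocalMachine\My.
$fsName      = 'adfs.office365concepts.local'
$displayName = 'Office365Concepts'           # assumption; shown on the sign-in page

# Step 1: Add roles and features > Active Directory Federation Services.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools | Out-Null

# Step 2: pick the service communication certificate by its subject name,
# newest first, and insist on a private key.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fsName*" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName with a private key in LocalMachine\My" }

# Step 3: credentials. The wizard asks for an Enterprise Admin to write the
# farm's objects into AD, and for the service account that runs adfssrv.
$adminCred = Get-Credential -Message 'Enterprise Admin account'
$svcCred   = Get-Credential -Message 'ADFS service account (e.g. office365concepts\svc-adfs)'

$farm = @{
    CertificateThumbprint        = $cert.Thumbprint
    FederationServiceName        = $fsName
    FederationServiceDisplayName = $displayName
    ServiceAccountCredential     = $svcCred
    Credential                   = $adminCred
    # No SQLConnectionString: the configuration database goes to the
    # Windows Internal Database, as chosen in the post.
}

# Step 4: the wizard's "Pre-requisite Checks" page.
$check = Test-AdfsFarmInstallation @farm
if ($check.Status -eq 'Error') {
    $check.Message | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisite checks failed; fix the warnings above before configuring'
}

# Step 5: create the first federation server in a new farm.
Install-AdfsFarm @farm

# Confirm the service is running and reports the expected names.
Get-Service -Name adfssrv | Select-Object -Property Status, Name
Get-AdfsProperties | Select-Object -Property HostName, DisplayName
```

If the service account is a group managed service account instead of a regular user, replace ServiceAccountCredential in the hashtable with GroupServiceAccountIdentifier (for example office365concepts\svc-adfs$); the farm then has no static service password to store or rotate.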
Enable ADFS idpinitiatedsignon page
We have successfully installed the ADFS service on Windows Server 2016; now let’s test whether ADFS authentication is working. To do so we will open the IdP-initiated sign-on page, which lets you check that authentication works before any relying party trust is configured.
By default the EnableIdpInitiatedSignonPage property is disabled on Windows Server 2016. To enable it, go to the ADFS server, open Windows PowerShell and run the command below:
Set-ADFSproperties -EnableIdpInitiatedSignonPage $True
To verify that EnableIdpInitiatedSignonPage is now True, run the command below:
Get-ADFSproperties | fl EnableIdpInitiatedSignonPage
To test ADFS authentication, copy the URL below and paste it into a browser:
https://adfs.office365concepts.local/adfs/ls/idpinitiatedsignon.aspx
You should see a sign-in page showing the Federation Service Display Name and a Sign in button.
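The same test as a script that enables the page only for the duration of the check and then restores the previous setting. This is an added example, not code from the original post; it assumes it runs on the ADFS server, that adfs.office365concepts.local (the name from the test URL) resolves in DNS to this server, and that the AD CS root is trusted here so the HTTPS request succeeds.

```powershell
# Added example, not from the original post: enable the IdP-initiated
# sign-on page only for the duration of the test, fetch it, check that the
# Federation Service Display Name is rendered, and restore the previous
# setting. Assumptions: run on the ADFS server, the federation service name
# adfs.office365concepts.local (from the post's test URL) resolves in DNS
# to this server, and the AD CS root is trusted here.
$fsName = 'adfs.office365concepts.local'
$url    = "https://$fsName/adfs/ls/idpinitiatedsignon.aspx"

$previous = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

try {
    $displayName = (Get-AdfsProperties).DisplayName
    # -UseBasicParsing avoids the Internet Explorer engine dependency.
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing

    if ($response.StatusCode -ne 200) {
        Write-Warning "Unexpected HTTP status $($response.StatusCode) from $url"
    }
    elseif ($response.Content -notmatch [regex]::Escape($displayName)) {
        Write-Warning "Page loaded but display name '$displayName' was not found in it"
    }
    else {
        Write-Output "IdP-initiated sign-on page is reachable and shows '$displayName'"
    }
}
catch {
    # A 404 here usually means the name does not resolve to this server or
    # the property change has not been picked up yet.
    Write-Warning "Request failed: $($_.Exception.Message)"
}
finally {
    # Put the setting back the way it was (disabled by default on 2016).
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $previous
}
```

Microsoft ships the page disabled on Windows Server 2016 because it is an anonymously reachable sign-in form that is not needed for normal relying-party logons; leaving it on only while you test keeps the exposed surface the same as before the test.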
Conclusion
In this blog we learnt how to create an SSL certificate for the ADFS server using Active Directory Certificate Services, how to install the Active Directory Federation Services role on Windows Server 2016, how to configure the federation service on the server, and how to enable the IdP-initiated sign-on page to test redirection and authentication.
Found this blog helpful and informative? Please share it within your community, join us on our YouTube channel for videos on Cloud technology, and join our Newsletter for early access to blogs and updates.
Related articles
We welcome you to browse our other articles on ADFS (Active Directory Federation Services):
What is ADFS
What is federation trust in ADFS
ADFS deployment types
Happy Learning!!
Hi
Thank you for this well-drafted and detailed article.
Could you please also explain how a WAP server is installed, configured, and used in an ADFS environment?
Hi Vitus,
Thank you for taking the time to read the article. Sure, I will post a detailed article very soon on WAP installation and configuration. Thank you.
Hi Vitus,
Please refer to https://office365concepts.com/how-to-install-adfs-proxy-server/.
Regards
Do you have a writeup explaining the upgrade process of an existing ADFS environment? (ex. from Win Server 2012 to 2019)
Hi, as of now I do not have a blog explaining the ADFS upgrade process, but let me see what best I can share with you.
Thank you.
Thank you for this great article and the smooth understanding you offer with it.
Do you also have something which explains how to migrate ADFS & its WAP from a legacy to higher Windows Servers?