Install and Setup ADFS 2.0 on a Windows Server


Note: This guide assumes you have a Windows server that is joined to a domain, and an account that is a member of the Domain Admins group.


First we need to install ADFS 2.0

  1. To install version 2.0, first download the installation file from https://www.microsoft.com/en-au/download/details.aspx?id=10909
  2. Choose the installation file for your OS (I am running Server 2008 R2 so I will choose RTW\W2K8R2\amd64\AdfsSetup.exe) and save it to your Desktop
  3. Run the exe located on your desktop
  4. On the Welcome screen, click Next
  5. Accept the License Agreement.
  6. I will be setting this ADFS server as a Federation server so I will leave the default of Federation Server selected and I will click Next. Note: you would select Federation server proxy if you were running your ADFS server in something like a DMZ.
  7. Click Next on the prerequisite software screen. The install wizard will install these automatically if they are not already present on the system. If there are no errors, the software will be installed and the ADFS 2.0 management window will open

The next task is to create a certificate template to use with our SSL certificate

  1. The first thing you need to do is open the Server Manager (Start > Administrative Tools > Server Manager)
  2. Select Roles
  3. Click Add Roles
  4. Click Next to get past the Welcome Screen
  5. Check off Active Directory Certificate Services and click Next
  6. Click Next to get past the Welcome Screen
  7. Click Next on the Role Services page
  8. Leave the default of Enterprise selected and click Next. Note: if Enterprise is not an option, you must log out of the server and log back in using an account that is a member of the Domain Administrators group.
  9. On the next page you need to decide between choosing a Root CA or a Subordinate CA. Select Root CA if you are OK with using a self-signed certificate for your ADFS instance. Select Subordinate CA if you would like to purchase a certificate from a 3rd party certificate authority. I will be using a self-signed certificate so I will select Root CA and click Next.
  10. Click Next on the Private Key page to create a new private key.
  11. Choose the type of cryptography you would like to use on the next page. I will leave the default of SHA1 with a 2048-bit key length, but you can choose whatever you want. Then click Next
  12. Click Next on the CA Name page
  13. Choose how long you want the certificate to be valid. I will leave the default of 5 years set. Click Next
  14. Click Next on the Certificate Database page
  15. Click Install to finish and then close the wizard when complete
  16. Next open up the Certificate Authority (Start > Administrative Tools > Certificate Authority)
  17. Expand your server on the left column, right click Certificate Templates and click Manage
  18. Scroll down to the end of the list, right click Web Server and click Duplicate Template
  19. Select Windows Server 2008 Enterprise and click OK. Note: you would select Windows Server 2003 only if you had 2003 servers on your network that needed to access the ADFS services.
  20. Give the template a name (ex: ADFS SSL Certificate)
  21. Next click on the Subject Name tab at the top.
  22. Click the Build from this Active Directory information radio button, select Common Name from the subject name format dropdown, uncheck User principal name (UPN) and check DNS name
  23. In order for the ADFS server to obtain a certificate, it needs to have the correct permission set up to do so. To do this, select the Security tab at the top.
  24. To add the required permissions, click the Add button.
  25. Click the Object Types… button, check Computers on the newly opened window and click OK.
  26. Enter the name of the server that you previously installed ADFS on and click OK. The server will be added to the permission list.
  27. Next we need to allow the Enroll permission for this particular server. Check Allow next to Enroll and click OK
  28. Now we need to make this certificate template available for issuing certificates. To do this, open up the Certificate Authority window again (Start > Administrative Tools > Certificate Authority)
  29. Right click the Certificate Templates icon in the left column, hover over New and click Certificate Template to Issue
  30. Select the name of the template you made previously (in my example I made it ADFS SSL Certificate) and click OK.

The next task is to create a SSL certificate on the server that is compatible with ADFS

    1. Open up a management console window on your server (Start, type in mmc.exe and hit enter)
    2. Click file and click Add or Remove Snap-ins
    3. Highlight Certificates and click Add
    4. Select Computer Account and click Next and then click Finish
    5. Now that the options are configured, click OK
    6. On the Console window, click View and then select Options
    7. Select Certificate purpose and then click OK. This will allow us to view the computer’s certificates by their purpose.
    8. In the Intended Purposes view, right click Server Authentication, hover over All Tasks and click Request New Certificate
    9. Click Next on the welcome screen.
    10. Click Next on the Select Certificate Enrollment Policy
    11. Select the template you created before (ex: ADFS SSL Certificate) by checking it and clicking Enroll.
    12. Click Finish and close all of the open windows.

The next task will be to configure ADFS

  1. Open up ADFS management (Start > Administrative tools > AD FS 2.0 Management)
  2. On the ADFS 2.0 management window, click AD FS 2.0 Federation Server Configuration Wizard
  3. Leave the default of Create a new Federation Service selected and click Next
  4. On the Select Deployment Type page, select Stand-alone federation server and click Next
  5. Make sure your SSL certificate is selected on the Federation Service Name page and click Next
  6. Click Next on the summary screen and wait for the wizard to complete.
  7. Once the wizard is finished, click Close. Now ADFS is installed and ready to be used.

Godaddy Wildcard Certificates on Barracuda Load Balancer


I decided to write a blog post about how to add a wildcard certificate to a Barracuda load balancer because there is zero documentation online on how to do this. Hopefully by doing this I will save some poor network admin hours of google searching or having to talk to Barracuda tech support. In this blog post, I am assuming you have already purchased a wildcard certificate from godaddy.

The first thing you need to do is log on to your barracuda. Navigate to Basic>Certificates and click “Create Certificate.” This will generate your CSR which you need to upload to godaddy.

Fill out all of the fields and click “Generate Certificate” (make sure the Key Size is 2048 and that the CSR doesn’t expire before the certificate does).

Once you have generated the CSR, click the CSR link under Download for the certificate that you’ve just created. This will download the request file to your computer.


Open the downloaded file in a text editor and copy the text to your clipboard. It should look something like this

-----BEGIN CERTIFICATE REQUEST-----
(the request, several lines of indecipherable text with no spaces)
-----END CERTIFICATE REQUEST-----

Log into the godaddy account. Once you are logged in, click the black “My Account” button, expand “SSL Certificates” and click “Launch.”

A new tab will open with a list of all of the certificates. Choose the right certificate and click the link.

Click “Re-Key” and paste in the CSR text generated before. After you have pasted it, click the black “Re-Key” button and the window will disappear. On the certificate page, choose “Other” as the server type and click “Download.”

Extract the zip file to a folder.

Go back to the barracuda and download the generated certificate (Basic > Certificates>Certificate)

On the save token page, enter a secure password, click Save and store it somewhere on your computer. You will need to know this password for later.

We need to convert this new .pfx file to .pem format, which requires OpenSSL. If you already have OpenSSL on your machine, you may skip the next step.

Go to http://slproweb.com/products/Win32OpenSSL.html and download the latest Win32 OpenSSL Light. Install it on your machine and add its bin directory to your Path environment variable. (Click “Start” > right click “My Computer” and click “Properties” > click “Advanced System Settings” > click “Environment Variables” > under “System Variables” scroll down to “Path” and double-click it > go to the end of the “Variable value” and add the path of your OpenSSL installation, ex: C:\OpenSSL-Win32\bin, then hit OK, OK, OK.)

We need to convert the PFX to a PEM in order for the barracuda to read the file. Open your command prompt, change directories to the location of the .pfx file and run this command.

openssl pkcs12 -in certificate_name.pfx -out certificate.cer -nodes

Where certificate_name is the name of the .pfx file you downloaded from the barracuda.

Enter the password you set when downloading the file and hit enter. There will now be a file called “certificate.cer” in the same directory as the PFX file.

Open certificate.cer with a text editor. Find the line that says “-----BEGIN PRIVATE KEY-----” and copy everything from there through the line that says “-----END PRIVATE KEY-----”. Open a new Notepad window and paste the contents that you just copied. You should have something that looks like this…

-----BEGIN PRIVATE KEY-----
(the private key, several lines of indecipherable text with no spaces)
-----END PRIVATE KEY-----

Save the file as private.txt.

Open a new Notepad window and paste the same content as in private.txt, but this time append the text of the .crt file downloaded from GoDaddy to the end of the file. In my case it was domain.net.crt. The new text file should look something like this…

-----BEGIN RSA PRIVATE KEY-----
(the private key, several lines of indecipherable text with no spaces)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(the signed certificate, several lines of indecipherable text with no spaces)
-----END CERTIFICATE-----

Save the file as your domain underscore TLD dot pem. So for me it would be domain_net.pem.
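To make the conversion and file assembly above repeatable, and to catch a private key that does not belong to the re-keyed certificate before it is uploaded, here is an added shell example (my own script, not from the post, Barracuda or GoDaddy). It assumes openssl is on the PATH; the function name, argument order and output file names are my choices, and the chain check against gd_bundle.crt is an optional extra.

```shell
#!/bin/sh
# Added example (not from the post): turn the Barracuda PFX into private.txt
# and domain_net.pem, and verify the key matches the GoDaddy-signed .crt first.
# Arguments (assumed layout): $1 PFX from the Barracuda, $2 its password,
# $3 the signed .crt from the GoDaddy zip, $4 output directory,
# optional $5 gd_bundle.crt to check that the certificate chains to it.
set -eu

pfx_to_barracuda_pem() {
    pfx="$1"; password="$2"; signed_crt="$3"; outdir="$4"; bundle="${5:-}"
    mkdir -p "$outdir"

    # Same conversion as the post's command; -nodes leaves the key unencrypted,
    # so certificate.cer is treated as a temporary file and deleted at the end.
    openssl pkcs12 -in "$pfx" -passin "pass:$password" -nodes \
        -out "$outdir/certificate.cer" 2>/dev/null

    # Extract the private key as a clean PEM block instead of cutting it out of
    # certificate.cer by hand (this becomes the "Certificate Key" upload).
    openssl pkey -in "$outdir/certificate.cer" -out "$outdir/private.txt"

    # The key must match the public key inside the GoDaddy-signed certificate:
    # compare SHA-256 fingerprints of both DER-encoded public keys.
    key_fp=$(openssl pkey -in "$outdir/private.txt" -pubout -outform DER | openssl dgst -sha256)
    crt_fp=$(openssl x509 -in "$signed_crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$key_fp" != "$crt_fp" ]; then
        echo "private key does not match $signed_crt (re-key with the CSR from this PFX)" >&2
        rm -f "$outdir/certificate.cer" "$outdir/private.txt"
        return 1
    fi

    # Optional: confirm the signed certificate chains to the intermediate bundle.
    if [ -n "$bundle" ]; then
        openssl verify -partial_chain -CAfile "$bundle" "$signed_crt" >/dev/null
    fi

    # "Signed Certificate" upload: private key first, then the domain certificate.
    cat "$outdir/private.txt" "$signed_crt" > "$outdir/domain_net.pem"
    rm -f "$outdir/certificate.cer"
    echo "$outdir/domain_net.pem"
}
```

The resulting private.txt goes in the Certificate Key field, domain_net.pem in the Signed Certificate field and gd_bundle.crt in the Intermediate Certificate field, matching the upload form described below.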

Now open up the barracuda web interface and go to the certificates page (Basic > Certificates) and upload the certificate to the load balancer.

Certificate Name: Give it a name
Certificate Key: Private.txt
Signed Certificate: PEM file with both the RSA Private Key + Domain Certificate
Intermediate Certificate (click the + button to show): Godaddy Bundle included in downloaded ZIP file from godaddy (gd_bundle.crt)

That’s it! Now go to your Services page and apply the certificate to a service that uses SSL, such as HTTPS. You can then check that you did everything correctly by going to http://www.sslshopper.com/ssl-checker.html