- \n
- To install version 2.0, it first needs to be downloaded and installed. Click this link to download the installation file https:\/\/www.microsoft.com\/en-au\/download\/details.aspx?id=10909<\/a><\/li>\n
- Choose the type of installation file based on your OS (I am running Server 2008 R2 so I will choose RTW\\W2K8R2\\amd64\\AdfsSetup.exe). Save the installation file to your Desktop<\/li>\n
- Run the exe<\/strong> located on your desktop<\/li>\n
- On the Welcome screen, click Next<\/strong><\/li>\n
- Accept the License Agreement.<\/li>\n
- I will be setting this ADFS server as a Federation server so I will leave the default of\u00a0Federation Server<\/strong> selected and I will click Next<\/strong>. Note: you would select Federation server proxy if you were running your ADFS server in something like a DMZ.<\/li>\n
- Click Next<\/strong> on the prerequisite software screen. The install wizard will install these automatically if they are not already present on the system. If there are no errors, the software will be installed and the ADFS 2.0 management window will open
\n
\n<\/li>\n<\/ol>\nThe next task is to create a certificate template to use with our SSL certificate<\/h3>\n
- \n
- The first thing you need to do is open the Server Manager (Start > Administrative Tools > Server Manager)<\/li>\n
- Select Roles<\/strong><\/li>\n
- Click Add Roles<\/strong><\/li>\n
- Click Next<\/strong> to get past the Welcome Screen<\/li>\n
- Check off Active Directory Certificate Services<\/strong> and click Next<\/strong>
\n![\"Select](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Select-Roles.png\")
<\/a><\/li>\n- Click Next<\/strong> to get past the Welcome Screen<\/li>\n
- Click Next<\/strong> on the Role Services <\/strong>page<\/li>\n
- Leave the default of Enterprise<\/strong> selected and click Next<\/strong>. Note: if Enterprise is not an option, you must log out of the server and log back in using an account that is a member of the Domain Administrators group.<\/li>\n
- On the next page you need to decide between choosing a Root CA or a Subordinate CA. Select Root CA if you are OK with using a self-signed certificate for your ADFS instance. Select Subordinate CA if you would like to purchase a certificate from a 3rd<\/sup> party certificate authority. I will be using a self-signed certificate so I will select Root CA<\/strong> and click Next<\/strong>.<\/li>\n
- Click Next<\/strong> on the Private Key<\/strong> page to create a new private key.<\/li>\n
- Choose the type of cryptography you would like to use on the next page. I will leave the default of SHA1 with a 2048 bit key character length, but you can choose whatever you want. Then click Next<\/strong><\/li>\n
- Click Next <\/strong>on the CA Name <\/strong>page<\/li>\n
- Choose how long you want the certificate to be valid. I will leave the default of 5 years set. Click Next<\/strong><\/li>\n
- Click Next <\/strong>on the Certificate Database <\/strong>page<\/li>\n
- Click Install<\/strong> to finish and then close the wizard when complete<\/li>\n
- Next open up the Certificate Authority (Start > Administrative Tools > Certificate Authority)<\/li>\n
- Expand your server on the left column, right click Certificate Templates<\/strong> and click Manage<\/strong>
\n![\"manage\"](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/manage.png\")
<\/a><\/li>\n- Scroll down to the end of the list, right click Web Server<\/strong> and click Duplicate Template<\/strong>
\n![\"Duplicate](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Duplicate-Template.png\")
<\/a><\/li>\n- Select Windows Server 2008 Enterprise <\/strong>and click OK<\/strong>. Note: you would select Windows Server 2003 only if you had 2003 servers on your network that needed to access the ADFS services.<\/li>\n
- Give the template a name (ex: ADFS SSL Certificate)<\/li>\n
- Next click on the Subject Name <\/strong>tab at the top.<\/li>\n
- Click the Build from this Active Directory information<\/strong> radio button, select Common Name<\/strong> from the subject name format dropdown, uncheck User principal name (UPN)<\/strong> and check DNS\u00a0name<\/strong>
\n![\"Template](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Template-Properties.png\")
<\/a><\/li>\n- In order for the ADFS server to obtain a certificate, it needs to have the correct permission set up to do so. To do this, select the Security<\/strong> tab at the top.<\/li>\n
- To add the required permissions, click the Add<\/strong><\/li>\n
- Click the Object Types\u2026 <\/strong>button, check Computers<\/strong> on the newly opened window and click OK<\/strong>.
\n![\"Object](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Object-Types.png\")
<\/a><\/li>\n- Enter the name of the server that you previously installed ADFS on and click OK<\/strong>. The server will be added to the permission list.<\/li>\n
- Next we need to set Enroll the allow permission for this particular server. Check Enroll<\/strong> and click OK<\/strong>
\n![\"Template](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Template-Properties-Security.png\")
<\/a><\/li>\n- Now we need to make this certificate template is available to be used to issue certificates. To do this, open up the Certificate Authority window again (Start > Administrative Tools > Certificate Authority)<\/li>\n
- Right\u00a0click the Certificate Templates<\/strong> icon in the left column, hover over New<\/strong> and click Certificate Template to Issue\u00a0<\/strong>
\n![\"Certificate](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Certificate-Template-to-Issue.png\")
<\/a><\/li>\n- Select the name of the template you made previously (in my example I made it ADFS SSL Certificate) and click OK<\/strong>.
\n
\n<\/li>\n<\/ol>\nThe next task is to create a SSL certificate on the server that is compatible with ADFS<\/h3>\n
- \n
- Open up a management console window on your server (Start, type in mmc.exe and hit enter)<\/li>\n
- Click file and click Add or Remove Snap-ins<\/li>\n
- Highlight Certificates<\/strong> and click Add
![\"Certificates\"](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Certificates.png\")
<\/a><\/strong><\/li>\n- Select Computer Account<\/strong> and click Next<\/strong> and then click Finish<\/strong><\/li>\n
- Now that the options are configured, click OK<\/strong><\/li>\n
- On the Console window, click View<\/strong> and then select Options
\n![\"Options\"](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Options.png\")
<\/a><\/strong><\/li>\n- Select Certificate purpose<\/strong> and then click This will allow us to view the computer\u2019s certificate by their purpose.<\/li>\n
- In the Intended Purposes<\/strong> view, right click Server Authentication<\/strong>, hover over All Tasks<\/strong> and click Request New Certificate
\n![\"Request](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Request-New-Certificate.png\")
<\/a><\/strong><\/li>\n- Click Next<\/strong> on the welcome screen.<\/li>\n
- Click Next<\/strong> on the Select Certificate Enrollment Policy<\/strong><\/li>\n
- Select the template you created before (ex: ADFS SSL Certificate) by checking it and clicking Enroll.
\n![\"Enroll\"](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Enroll.png\")
<\/a><\/strong><\/li>\n- Click Finish<\/strong> and close all of the open windows.<\/li>\n<\/ol>\n<\/ol>\n
\n<\/p>\n
The next task will be to configure ADFS<\/h3>\n
- Select Computer Account<\/strong> and click Next<\/strong> and then click Finish<\/strong><\/li>\n
- \n
- Click Add Roles<\/strong><\/li>\n
![\"Wizard\"](\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2016\/03\/Wizard.png\")
<\/a><\/li>\n