I AM the system administrator. Who do I call?
ADFS 2.0 in Forest Trust Environment
I’ve been meaning to get this out there for a while now. I’m not going to go into great detail on ADFS but you can get more background on ADFS and federation in these posts:
Salesforce SSO with ADFS 2.0 – Everything You Need to Know
ADFS 2.0 Choose Your Attributes Wisely
SAML WebSSO Federation Made Easy
My scenario is as follows:
- 2 domains in 2 forests with a one way trust between them.
(For this post I’ll refer to these domains PERIMETER and INTERNAL) - PERIMETER trusts INTERNAL but INTERNAL doesn’t trust PERIMETER
- Both PERIMETER and INTERNAL contain user accounts that need to be authenticated and federated via ADFS
- The ADFS server is joined to the PERIMETER domain
- ADFS and its related IIS services need to run under a service account from the INTERNAL domain
Here are the high level hoops I had to jump through to get this working:
- On a clean Windows 2008 R2 server, obtain and run the ADFS 2.0 setup file AdfsSetup.exe. Select “Federation Server”, This will install everything you need to make ADFS 2.0 work (including pre-requisites). Don’t run through the config wizard – We will do the config from command line later.
- Create a new service account. e.g. INTERNAL\Svc.ADFS. Create a new DNS ‘A’ record and point it to the ADFS server. E.g. federate.internal.com. Set a Kerberos SPN for the DNS record against the service account:
setspn -a HOST/federate.internal.com stjohn\Svc.ADFS
- Load the certificates MMC for local computer account and install a certificate which can be used for the ADFS web site. In the IIS manager configure a new binding on the default website for SSL with the appropriate FQDN and select the cert you just installed.
- Make sure the ADFS server has access to all LDAP servers for all domains. Something to consider if you’ve got a few firewalls here and there.
- Add your service account to the local admins group on the ADFS server and to domain admins group for the domain that the service account belongs to. Don’t panic this will only be temporary! This just allows the service account to create the necessary config for ADFS in the Program Data\ADFS OU. Once created it will have the correct permissions for the service account. I had to do this to get it work, not sure why it’s any different to a normal single forest install.
- Log on to the ADFS server with the service account. Skip this step at your peril!
- Run cmd prompt as admin. cd to:
C:\Program Files\Active Directory Federation Services 2.0\
-
Run the following command to configure and new ADFS 2.0 farm
FSConfig.exe CreateFarm /ServiceAccount "INTERNAL\Svc.ADFS" /ServiceAccountPassword "somebiglongpassword" /AutoCertRolloverEnabled /FederationServiceName "federate.internal.com
-
Remove the service account from local admins and domain admins now.
-
That’s it. Load the ADFS console and configure ADFS as you would in any other scenario
Notes
-
During the install you might get a yellow warning about not being able to set the SPN. That’s cool we already did it above.
- Make sure you can view the federation data for your new server e.g.
https://federate.internal.com/FederationMetadata/2007-06/FederationMetadata.xml - If you get a certificate error from your service provider. E.g. This typical error from SalesForce:Signature or certificate problems
Is the response signed? False
The signature in the assertion is not valid
Is the correct certificate supplied in the keyinfo? False
No valid certificate specified in this response.
Try re-generating your token signing certificate using the following PowerShell commands. Note:This will break any existing trust relationships you have with any service providers. You will have to export the new cert and update your service providers with it.
Add-PSSnapin Microsoft.Adfs.Powershell Set-ADFSProperties -AutoCertificateRollover $true Update-AdfsCertificate -Urgent
This might not be the only way to get this working and I haven’t tested it thoroughly – your mileage may vary! But as always I’m keen to hear how you get on and happy to field questions.
| This entry was posted by RhysGoodwin on October 11, 2011 at 7:52 pm, and is filed under Windows Admin. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site. |
about 3 weeks ago
Nice blog! I have encountered a problem in an scenario not much different from this one.
AD1.worker.local
One way trust
AD1.student.local
I have an ADFS installed on the student side, and user.student.local can log in to the services without any problems. But user.worker.local can not logon. The fun part is that some traffic is going trough, If I use an incorrect password for user.worker.local it notices that the password is incorrect. But if I use an correct password I get an error.
“The FA encountered an error during an attempt to connect to a LDAP server at worker.local.”
“Event 111, AD FS 2.0
The FA Service encountered an error while processing the WS-Trust request”
Keep up the good work.
about 2 weeks ago
Hi Kjell, When you say “use an incorrect username/password” – are you using forms based authentication or is the browser prompting for a username/password? Have you done the Kerberos config and are there any firewalls between the adfs server and the domain controllers in in the worker domain?
Cheers,
Rhys