ADFS 2.0 in Forest Trust Environment

I’ve been meaning to get this out there for a while now.  I’m not going to go into great detail on ADFS but you can get more background on ADFS and federation in these posts:

Salesforce SSO with ADFS 2.0 – Everything You Need to Know

ADFS 2.0 Choose Your Attributes Wisely

SAML WebSSO Federation Made Easy

 

My scenario is as follows:

  • 2 domains in 2 forests with a one way trust between them.
    (For this post I’ll refer to these domains as PERIMETER and INTERNAL)
  • PERIMETER trusts INTERNAL but INTERNAL doesn’t trust PERIMETER
  • Both PERIMETER and INTERNAL contain user accounts that need to be authenticated and federated via ADFS
  • The ADFS server is joined to the PERIMETER domain
  • ADFS and its related IIS services need to run under a service account from the INTERNAL domain

Here are the high level hoops I had to jump through to get this working:

  1. On a clean Windows Server 2008 R2 server, obtain and run the ADFS 2.0 setup file AdfsSetup.exe and select “Federation Server”. This installs everything you need to make ADFS 2.0 work (including prerequisites). Don’t run through the configuration wizard; we will do the configuration from the command line later.
  2. Create a new service account, e.g. INTERNAL\Svc.ADFS. Create a new DNS ‘A’ record for the federation service name and point it at the ADFS server, e.g. federate.internal.com. Register a Kerberos HOST SPN for that name against the service account (setspn -s does the same as -a but refuses to create a duplicate SPN, which is worth having):
     setspn -a HOST/federate.internal.com INTERNAL\Svc.ADFS
  3. Load the Certificates MMC snap-in for the local computer account and install a certificate that can be used for the ADFS web site (its subject or SAN must match the federation service name). In IIS Manager add an HTTPS binding on the Default Web Site for the appropriate FQDN and select the certificate you just installed.
  4. Make sure the ADFS server can reach domain controllers (LDAP) in both domains. Something to consider if you’ve got a few firewalls here and there.
  5. Temporarily add the service account to the local Administrators group on the ADFS server and to the Domain Admins group of the domain the service account belongs to (INTERNAL). Don’t panic, this is only temporary and is undone in step 9. It lets the setup create the farm’s configuration container under Program Data\Microsoft\ADFS in that domain; once created, the container carries the correct permissions for the service account. I had to do this to get it to work, and I’m not sure why it differs from a normal single-forest install.
  6. Log on to the ADFS server with the service account. Skip this step at your peril!
  7. Open a command prompt as administrator and cd to:
    C:\Program Files\Active Directory Federation Services 2.0\
  8. Run the following command to configure a new ADFS 2.0 farm. Note that the password is passed as a command-line argument, so it is visible in the process list while FSConfig runs; type it at a prompt you control rather than pasting it into a shared script.

    FSConfig.exe CreateFarm /ServiceAccount "INTERNAL\Svc.ADFS" /ServiceAccountPassword "somebiglongpassword" /AutoCertRolloverEnabled /FederationServiceName "federate.internal.com"


  9. Remove the service account from the local Administrators group and from Domain Admins now.
  10. That’s it. Load the ADFS 2.0 Management console and configure ADFS as you would in any other scenario.
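
As an added example that is not part of the original post, here is the same procedure scripted in PowerShell with the checks I would want around it: DC reachability for both domains before you start, a duplicate-SPN check, the temporary group membership made explicit and undone, and a post-install check that the service really runs as the INTERNAL account and that the metadata endpoint answers. It is split into three phases because they run under different identities, so run it section by section rather than unattended. The DC names dc1.internal.com and dc1.perimeter.com, the IP 10.0.0.5 and the assumption that the RSAT AD PowerShell module is installed on the ADFS server are mine, not the post’s.

```powershell
# Added example for the ten steps above; this is NOT from the original post.
# Three phases under different identities: run section by section.
# Assumptions (placeholders, not from the post):
#   - ADFS 2.0 binaries and the HTTPS binding are already in place (steps 1 and 3)
#   - RSAT AD PowerShell module is installed on the PERIMETER-joined ADFS server
#   - dc1.internal.com / dc1.perimeter.com / 10.0.0.5 are made-up names and address
$FsName      = 'federate.internal.com'
$SvcAccount  = 'INTERNAL\Svc.ADFS'
$SvcSam      = 'Svc.ADFS'
$InternalDc  = 'dc1.internal.com'
$PerimeterDc = 'dc1.perimeter.com'
$AdfsIp      = '10.0.0.5'
$FsConfig    = 'C:\Program Files\Active Directory Federation Services 2.0\FSConfig.exe'

function Test-TcpPort([string]$ComputerName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

### Phase A: as an account that is an admin in INTERNAL (steps 2, 4, 5) ###

# Step 4: the ADFS box must reach DCs in BOTH forests (Kerberos 88, LDAP 389, SMB 445).
foreach ($dc in @($InternalDc, $PerimeterDc)) {
    foreach ($port in 88, 389, 445) {
        if (-not (Test-TcpPort $dc $port)) {
            Write-Warning ("{0}:{1} unreachable - check firewalls between ADFS and the DCs" -f $dc, $port)
        }
    }
}

# The one-way trust must be visible from this PERIMETER-joined host.
nltest /domain_trusts

# Step 2: A record in INTERNAL's zone (dnscmd exists on 2008 R2; Add-DnsServerResourceRecordA needs 2012+).
dnscmd $InternalDc /RecordAdd internal.com federate A $AdfsIp

# Step 2: HOST SPN. -Q shows any existing registration; -S refuses to create a duplicate,
# which would otherwise silently break Kerberos for the federation service.
setspn -Q "HOST/$FsName"
setspn -S "HOST/$FsName" $SvcAccount

# Step 5: temporary elevation so FSConfig can create the farm container under
# CN=ADFS,CN=Microsoft,CN=Program Data in INTERNAL. Undone in Phase C.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Domain Admins' -Members $SvcSam -Server $InternalDc
net localgroup Administrators $SvcAccount /add

### Phase B: logged on to the ADFS server AS INTERNAL\Svc.ADFS, elevated prompt (steps 6-8) ###

# Prompt for the password instead of embedding it in the script. FSConfig still
# receives it as a command-line argument, so it is visible in the process list while it runs.
$secure = Read-Host "Password for $SvcAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

& $FsConfig CreateFarm /ServiceAccount $SvcAccount /ServiceAccountPassword $plain `
    /FederationServiceName $FsName /AutoCertRolloverEnabled
$plain = $null

### Phase C: as an INTERNAL admin again (steps 9-10 plus verification) ###

Remove-ADGroupMember -Identity 'Domain Admins' -Members $SvcSam -Server $InternalDc -Confirm:$false
net localgroup Administrators $SvcAccount /delete

# Confirm the service really runs as the INTERNAL account, the SPN landed on it,
# and the metadata endpoint (see Notes) answers with the expected entityID.
Get-WmiObject Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State
setspn -L $SvcAccount
$meta = [xml](New-Object System.Net.WebClient).DownloadString(
            "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml")
$meta.EntityDescriptor.entityID
```

If Phase C shows the service running as something other than INTERNAL\Svc.ADFS, or setspn -L does not list HOST/federate.internal.com on that account, Kerberos to the federation service will fail even though the metadata URL may still load.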

Notes

  • During the install you might get a yellow warning about not being able to set the SPN. That’s fine; we set it ourselves in step 2.
  • Make sure you can retrieve the federation metadata for your new server, e.g.
    https://federate.internal.com/FederationMetadata/2007-06/FederationMetadata.xml
  • If you get a certificate error from your service provider, e.g. this typical error from Salesforce:
    Signature or certificate problems
    Is the response signed? False
    The signature in the assertion is not valid
    Is the correct certificate supplied in the keyinfo? False
    No valid certificate specified in this response.

    Try re-generating your token-signing certificate using the following PowerShell commands. Note: this will break any existing trust relationships you have with service providers. You will have to export the new certificate and update your service providers with it.
    Add-PSSnapin Microsoft.Adfs.Powershell
    Set-ADFSProperties -AutoCertificateRollover $true
    Update-ADFSCertificate -Urgent
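
Before regenerating anything, it is worth confirming what ADFS is actually signing with and whether the published metadata still carries that certificate, since a mismatch between the two (or an expired certificate) is exactly what the Salesforce error above describes. The following is an added example, not from the original post; it assumes the ADFS 2.0 snap-in is installed on the server you run it on and uses the post’s placeholder name federate.internal.com.

```powershell
# Added example, not from the original post: compare the current primary token-signing
# certificate with the signing certificates published in FederationMetadata.xml
# before running Update-ADFSCertificate. Assumes the ADFS 2.0 snap-in is local;
# federate.internal.com is the placeholder federation service name from the post.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
$FsName = 'federate.internal.com'

# What ADFS is signing with right now.
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $primary.Certificate
"Primary token-signing cert {0}, valid until {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Token-signing cert expires within 30 days; plan the rollover with your SPs now'
}

# Rollover settings: with AutoCertificateRollover on, ADFS generates a new cert
# CertificateGenerationThreshold days before expiry (published as secondary) and
# promotes it to primary CertificatePromotionThreshold days later.
Get-ADFSProperties | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

# What the service provider will have imported from the published metadata.
$url  = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta = [xml](New-Object System.Net.WebClient).DownloadString($url)
$ns   = New-Object System.Xml.XmlNamespaceManager $meta.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$published = @()
foreach ($node in $meta.SelectNodes($xpath, $ns)) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $c.Import([Convert]::FromBase64String($node.InnerText))
    $published += $c.Thumbprint
}
"Signing certs in metadata: " + ($published -join ', ')

if ($published -contains $cert.Thumbprint) {
    'OK: metadata publishes the primary token-signing cert; re-import the metadata at the SP before regenerating anything'
} else {
    Write-Warning 'Metadata does not contain the primary signing cert - re-check the farm and endpoint before using Update-ADFSCertificate -Urgent'
}
```

The -Urgent switch promotes the freshly generated certificate to primary immediately, which is why the note above warns that it breaks existing trusts. Without -Urgent the new certificate is first published as the secondary signing certificate in the metadata, giving service providers that re-import metadata a window to pick it up before it is promoted.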

 

This might not be the only way to get this working and I haven’t tested it thoroughly – your mileage may vary! But as always I’m keen to hear how you get on and happy to field questions.

 


10 Responses to ADFS 2.0 in Forest Trust Environment

  1. Jared June 2, 2016 at 10:01 am #

    Thanks, Rhys. Our ADFS/Salesforce SSO setup stopped working 2 weeks shy of the certificate expiration this morning. Thanks to you and your info regarding the powershell commands to regenerate the cert, we are back in business.


  3. PK May 30, 2014 at 3:06 pm #

    I am currently configuring ADFS for my company here.
    This is the scenario. I have one ADFS server which is connected to AD (say Server A)
    There is another AD (say Server B ) which also has some users
    I want ADFS to be able to authenticate users from both Server A and Server B
    We have control over both AD and ADFS
    So I set up a trust relationship, conditional forwarders, etc., but ADFS is not even talking to the other AD in Server B, when I try to login using a user credential in Server B.
    It says ‘Invalid user name or password’ for users in Server B
    However for users in Server A, it is working fine though
    Could you please help me out here? Not sure what I am missing…

  4. Brad April 17, 2013 at 8:13 pm #

    So, have tried to complete this today, was having trouble getting past the creation of the GUID OU in AD…

    The reason it is important to do this was not immediately clear:
    6.Log on to the ADFS server with the service account. Skip this step at your peril!

    Until I read this blog: http://blog.msresource.net/2012/10/12/ad-fs-329-the-certificate-that-is-identified-by-thumbprint-thumbprint-could-not-be-decrypted-using-the-keys-for-x-509-certificate-private-key-sharing/ and it all became clear.
    The account you install the ADFS Farm with needs to have Domain Admin rights on the AD Domain where the service account is based… and the service account needs to have full rights on the ADFS OU (so it can add certificates to the farm GUID OU, which is created underneath Program Data –> Microsoft –> ADFS). They don’t have to be the same account though… oh and if you want to use the GUI to create the farm, choose “Create a New Farm” in the deployment wizard so you can enter a custom domain account as the service account (Create Standalone farm forces Network Service account to be used).

    • RhysGoodwin April 21, 2013 at 11:04 am #

      Hi Brad, sorry for the late reply. How have you got on? All working now? It’s rather fiddly; I think I scrapped my entire ADFS virtual machine at least a couple of times and started over until I got it right.

  5. Brad April 16, 2013 at 7:25 pm #

    Yeah, actually thinking about this… the SPN needs to be created on the Internal domain and the DNS entry needs to be created on the external domain, right?

    From a system perspective, what you are trying to do is set up a way for your service account to pass through a request to validate a specific user on the internal domain (thus the SPN), but from the context of the external domain (so the URL needs to be whatever you are planning to make the ADFS site URL). HOST means it’ll be running as an application service / thread, not as a HTTP service… so it’ll try to do it as the account registered under the service “AD FS 2.0 Windows Service”, not as the account running the App Pool in IIS.

    Is this the way you saw it working as well Rhys?

  6. Brad April 16, 2013 at 7:06 pm #

    Hi – just a quick couple of questions…

    ADFS is run under an account from INTERNAL because it needs to be able to “talk” to the internal AD Server (and will use the service account to do so) – is that why you install as the INTERNAL service account? Is it possible to change the service account to an internal hosted one after installation? Also I guess this means that there can only be one One-Way trust per ADFS server…

    The DNS “A” Record is created in the EXTERNAL domain and is only used to describe the service (and for access via https when published), is this correct? If so, then would the DNS entry be something like federate.EXTERNAL.com? Actually, come to think of it, it doesn’t really matter does it, as long as the DNS entry and the SPN match…

    Is this SPN command
    setspn -a HOST/federate.internal.com stjohn\Svc.ADFS
    supposed to read
    setspn -a HOST/federate.EXTERNAL.com INTERNAL\Svc.ADFS

    In your notes, you say “Check you can see this URL”:
    https://federate.internal.com/FederationMetadata/2007-06/FederationMetadata.xml
    Should this be
    https://federate.external.com/FederationMetadata/2007-06/FederationMetadata.xml? Or is it just a case of making sure they all match (DNS, SPN, URL)?

    Thanks – I have been unable to find this information anywhere else…

  7. Kjell January 31, 2012 at 10:41 pm #

    Nice blog! I have encountered a problem in a scenario not much different from this one.

    AD1.worker.local
    One way trust
    AD1.student.local

    I have an ADFS installed on the student side, and user.student.local can log in to the services without any problems. But user.worker.local cannot log on. The fun part is that some traffic is going through. If I use an incorrect password for user.worker.local it notices that the password is incorrect. But if I use a correct password I get an error.

    “The FA encountered an error during an attempt to connect to a LDAP server at worker.local.”

    “Event 111, AD FS 2.0
    The FA Service encountered an error while processing the WS-Trust request”

    Keep up the good work.

    • RhysGoodwin February 3, 2012 at 11:23 pm #

      Hi Kjell, when you say “use an incorrect username/password”, are you using forms-based authentication or is the browser prompting for a username/password? Have you done the Kerberos config, and are there any firewalls between the ADFS server and the domain controllers in the worker domain?

      Cheers,
      Rhys

Trackbacks/Pingbacks

  1. CRM 2011: ADFS certificate expiration – Yellow Warning Triangle in ADFS Management Console - Daily Support Adventures with Microsoft Dynamics CRM - Cognettacloud.com - CRM Technical Blogs - Microsoft Dynamics Community - May 24, 2012

    […] https://blog.rhysgoodwin.com/windows-admin/adfs-2-0-in-a-forest-trust-environment/ […]
