I’ve been meaning to get this out there for a while now. I’m not going to go into great detail on ADFS but you can get more background on ADFS and federation in these posts:
My scenario is as follows:
- 2 domains in 2 forests with a one way trust between them.
(For this post I’ll refer to these domains PERIMETER and INTERNAL)
- PERIMETER trusts INTERNAL but INTERNAL doesn’t trust PERIMETER
- Both PERIMETER and INTERNAL contain user accounts that need to be authenticated and federated via ADFS
- The ADFS server is joined to the PERIMETER domain
- ADFS and its related IIS services need to run under a service account from the INTERNAL domain
Here are the high level hoops I had to jump through to get this working:
- On a clean Windows 2008 R2 server, obtain and run the ADFS 2.0 setup file AdfsSetup.exe. Select “Federation Server”, This will install everything you need to make ADFS 2.0 work (including pre-requisites). Don’t run through the config wizard – We will do the config from command line later.
- Create a new service account. e.g. INTERNAL\Svc.ADFS. Create a new DNS ‘A’ record and point it to the ADFS server. E.g. federate.internal.com. Set a Kerberos SPN for the DNS record against the service account:
setspn -a HOST/federate.internal.com stjohn\Svc.ADFS
- Load the certificates MMC for local computer account and install a certificate which can be used for the ADFS web site. In the IIS manager configure a new binding on the default website for SSL with the appropriate FQDN and select the cert you just installed.
- Make sure the ADFS server has access to all LDAP servers for all domains. Something to consider if you’ve got a few firewalls here and there.
- Add your service account to the local admins group on the ADFS server and to domain admins group for the domain that the service account belongs to. Don’t panic this will only be temporary! This just allows the service account to create the necessary config for ADFS in the Program Data\ADFS OU. Once created it will have the correct permissions for the service account. I had to do this to get it work, not sure why it’s any different to a normal single forest install.
- Log on to the ADFS server with the service account. Skip this step at your peril!
- Run cmd prompt as admin. cd to:
C:\Program Files\Active Directory Federation Services 2.0\
- Run the following command to configure and new ADFS 2.0 farm
FSConfig.exe CreateFarm /ServiceAccount "INTERNAL\Svc.ADFS" /ServiceAccountPassword "somebiglongpassword" /AutoCertRolloverEnabled /FederationServiceName "federate.internal.com
- Remove the service account from local admins and domain admins now.
- That’s it. Load the ADFS console and configure ADFS as you would in any other scenario
During the install you might get a yellow warning about not being able to set the SPN. That’s cool we already did it above.
Make sure you can view the federation data for your new server e.g. https://federate.internal.com/FederationMetadata/2007-06/FederationMetadata.xml
If you get a certificate error from your service provider. E.g. This typical error from SalesForce:
Signature or certificate problems
Is the response signed? False
The signature in the assertion is not valid
Is the correct certificate supplied in the keyinfo? False
No valid certificate specified in this response.* try re-generating your token signing certificate using the following PowerShell commands. Note: This will break any existing trust relationships you have with any service providers. You will have to export the new cert and update your service providers with it.
Add-PSSnapin Microsoft.Adfs.Powershell Set-ADFSProperties -AutoCertificateRollover $true Update-AdfsCertificate -Urgent
This might not be the only way to get this working and I haven’t tested it thoroughly – your mileage may vary! But as always I’m keen to hear how you get on and happy to field questions.