Deploying ADFS on Nutanix – Installing and Configuring – Part 2



Deploying and configuring Active Directory Federation Services (ADFS) 2012 R2 for Office 365 can be broken down into 4 blog posts:

  1. Installing and Configuring ADFS (this post)
  2. Configuring Name Resolution and additional nodes
  3. Install ADFS Proxy (Coming Soon)
  4. Leverage ADFS with Office 365 (Coming Soon)
  5. New automated methods of setting up ADFS with Office 365 (Coming Soon)

Planning And Prerequisites, and Other Fun Details

Prerequisites

Here is the list of prerequisites from TechNet. In general, you need to make sure you have an SSL certificate. The certificate must be publicly trusted (chained to a public root certification authority) or explicitly trusted by all computers that require access to the federation service. A wildcard certificate works, as does a standard web certificate with the name you want (i.e. fs.example.com, where FS stands for federation service).
For this lab, you will need a Windows 2012 R2 Server with 4 cores, 4 Gigs of RAM and 100 Gig OS drive.

ADFS Role Planning

The ADFS role should be deployed within the corporate network, not in the DMZ. The ADFS proxy role is the one intended to be installed in the DMZ.
The default topology for Active Directory Federation Services is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, ADFS uses WID as the store for the configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

Since the availability of Office 365 relies on the availability of ADFS once the domain is federated, there is a strong recommendation to have at least two ADFS servers with a redundant proxy infrastructure. On Nutanix, make sure the ADFS servers are running on different nodes and/or clusters for complete site resilience. Running Active Directory Federation Services on Windows 2012 R2 is fully supported across all hypervisors, including Acropolis Hypervisor (AHV).

For more information on different designs, please review the design guidance information on TechNet.

Step by Step Install Guide

ADFS is installed as a role, as shown in the screenshots (ADFS-step1 through ADFS-step5).

Ok, that’s the easy part, now on to configuration. ;)

Step by Step Configuration Guide

Welcome Active Directory Federation Services Configuration Wizard…!!
Before you begin your configuration, you must have the following:

  • An Active Directory domain administrator account.
  • A publicly trusted certificate for SSL server authentication, installed in IIS before starting the wizard.

AD FS prerequisites

(screenshots ADFS-config-step1 through ADFS-config-step5)

This server will be configured as the primary server in a new AD FS farm ‘fs.poc.lan’. The configuration will be stored in Windows Internal Database. Windows Internal Database feature will be installed on this server if it is not already installed. All existing configurations in the database will be deleted. A group Managed Service Account POCadfs$ will be created if it does not already exist and this host will be added as a member. Federation service will be configured to run as POCadfs$.

(screenshot ADFS-config-step6)

If you click on View script, you can see the automated version:

# Windows PowerShell script for AD FS Deployment
Import-Module ADFS
# The trailing backtick on each line continues the single Install-AdfsFarm
# command onto the next line; without it the parameters are not applied.
Install-AdfsFarm `
-CertificateThumbprint:"3923273B4862WEE0CBAF3WEWE99125EDBWEWEWC0C5" `
-FederationServiceDisplayName:"ADFS POC" `
-FederationServiceName:"fs.poc.lan" `
-GroupServiceAccountIdentifier:"POCadfs`$" `
-OverwriteConfiguration:$true
(screenshot ADFS-config-step7)
The root key for the group Managed Service Account was created just before running the wizard. If you have more than one domain controller in your Active Directory forest, the key may not yet have replicated to all domain controllers, and therefore the service may not successfully install or start. To avoid service startup problems, wait 10 hours to ensure the key has replicated to all DCs before completing the Active Directory Federation Services Configuration Wizard, executing Install-AdfsFarm or Add-AdfsFarmNode on any other servers in your network, or restarting any AD FS service.

(screenshot ADFS-config-step8)

Verifying that AD FS is working fine:

Check your Identity Provider (IdP) sign-on landing page by navigating to https://fs./adfs/ls/IdpInitiatedSignon.aspx

(screenshots ADFS-test-step1 and ADFS-test-step2)
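The following is an added example, not the post’s own script and not the wizard’s output: it runs the checks behind the wizard’s warnings (certificate with private key covering the service name, an effective KDS root key, the gMSA), then issues the same Install-AdfsFarm call and confirms the IdP-initiated sign-on page answers. fs.poc.lan and POCadfs$ are the values from the wizard summary above; the certificate thumbprint is a placeholder you must replace.

```powershell
# Added example (not from the original post). Pre-flight checks, the wizard's
# Install-AdfsFarm call, and a sign-on page check. Thumbprint is a placeholder.
Import-Module ADFS
Import-Module ActiveDirectory   # Get-ADServiceAccount; Get-KdsRootKey autoloads from Kds

$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, not the lab's real value
$FsName     = 'fs.poc.lan'                     # federation service name from the post
$Gmsa       = 'POCadfs$'                       # gMSA name from the wizard summary

# 1. SSL certificate: present in the machine store, has a private key, and its
#    DNS names (subject/SAN, wildcard allowed) cover the federation service name.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; AD FS cannot use it' }
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($names | Where-Object { $FsName -like $_ })) {
    throw "Certificate names ($($names -join ', ')) do not cover $FsName"
}

# 2. KDS root key: the gMSA cannot be used until a root key exists and is effective
#    on the DC you talk to; this is what the wizard's 10-hour replication note is about.
$effective = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effective) { throw 'No effective KDS root key yet; wait for replication before continuing' }

# 3. gMSA: Install-AdfsFarm creates it if absent, so only report its current state.
$acct = Get-ADServiceAccount -Identity $Gmsa.TrimEnd('$') -ErrorAction SilentlyContinue
Write-Host ("gMSA {0}: {1}" -f $Gmsa, $(if ($acct) { 'exists' } else { 'will be created' }))

# 4. The same command the wizard generates under "View script".
Install-AdfsFarm `
    -CertificateThumbprint $Thumbprint `
    -FederationServiceDisplayName 'ADFS POC' `
    -FederationServiceName $FsName `
    -GroupServiceAccountIdentifier $Gmsa `
    -OverwriteConfiguration:$true

# 5. Verification: farm properties, then the IdP-initiated sign-on page the post tests.
Get-AdfsProperties | Select-Object HostName, DisplayName
$resp = Invoke-WebRequest -Uri "https://$FsName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Sign-on page returned HTTP $($resp.StatusCode)" }
Write-Host "AD FS farm $FsName is serving the IdP-initiated sign-on page"
```

Run it in an elevated PowerShell session as a domain administrator on the server that will become the primary farm node; the sign-on check needs the fs.poc.lan name to resolve to this server, which the next post covers.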

And that’s how ADFS is initially set up, whether you are a large or small environment. Next up: Configuring Name Resolution and additional nodes.

Until next time… Rob
