ADFS setup can be nothing but a headache to set up when you are new to it. You know it. I know it. We all know it. So this is my step-by-step guide for setting up a basic ADFS configuration. Now, this is going to detail a successful installation without any errors (which does happen once in a blue moon). To see resolutions to the errors that I have encountered in the past, please reference this post. I will try to keep adding things as I come across them, but no guarantees.
As with anything that needs to be configured, setting up your prerequisites is key to your success. Often not setting up your prerequisites properly will become your greatest frustration. For reference see the Microsoft Official Post, but I will also be going through them now. For port requirements, see this post.
1. Download Azure AD Connect and copying that to the internal box you will be installing the ADFS role on to be installed later.
2. Enable TLS 1.2 (Server 2008R2 and later) and configure .Net to use it by adding the following registry values and restarting the machine (I do this on both the ADFS and the WAP box).
Windows Registry Editor Version 5.00
3. Create a Forward Lookup Zone for the domain you are federating in your local DNS. Add an A record (Host) for adfs pointing at your ADFS server. This will have internal requests resolve directly to the ADFS server. In your internal domains forward lookup zone, create an A record for your web application proxy (WAP).
4. Modify the host file on your web application proxy (WAP) to resolve adfs.domain.com to your internal ADFS server. Public DNS should resolve adfs.domain.com to the WAP Public IP.
5. Run the following command on both the ADFS and WAP box to enable Windows Remote Management (WinRM):
6. On the ADFS box, add the WAP box to you WinRM Trusted Host list with the following:
Set-Item WSMan:\localhost\Client\TrustedHosts –Value <WAPServerFQDN> -Force –Concatenate
7. Confirm WinRM is functional by running the following from the ADFS box:
Enter-PSSession -ComputerName <WAPServerFQDN> -Credential Get-Credential
8. Obtain a valid SSL certificate for the ADFS subdomain of your federated domain (ex. adfs.domain.com). See this post about creating a custom csr with an exportable private key from your web application proxy (WAP). Make sure you use the Legacy key template. Export that to a PFX with its private key and copy it to your ADFS server.
9. Add the domain name you plan to federate to your domains UPN Suffixes via Active Directory Domains and Trusts.
10. Download Microsoft Exchange Server (Current version is 2016 found here). Copy that to the Domain Controller that holds the Schema Master role, open a command prompt window in that directory and run the following command:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
11. Create a Group on the domain you plan to federate to specify which user accounts will be synced. This is optional as you can choose to sync all user accounts if you wish.
12. Create a service account on the domain that you plan to federate and add it to the Domain Admins and Enterprise Admins groups. You can split this into two accounts if you wish.
13. Pro-Tip: Check the time and date on your servers.
1. Run the Azure AD Connect .msi to install it and agree to the license terms when prompted and select next.
2. Select Customize
3. Select the “Use existing service account” option and input the service account credentials you set up during prerequisites and select Install.
4. After a little while you will be brought to a User sign-in window. Select the “Federation with AD FS and select Next.
5. Insert Global Administrator credentials for your Azure AD/Office 365 and select Next.
6. Add the local domain you wish to federate and select Next.
7. Confirm the domain you wish to federate with is verified, that userPrincipalName is selected and select Next. If your domain you wish federate with is not present/says Not Added you need to verify it in your Azure AD/Office 365 tenant.
8. Confirm the options are selected as below and select Next.
9. Select “Synchronize selected” option, add the DN of the your local AD group, confirm it resolves, and select Next.
10. Leave everything unchecked and select Next.
11. Upload your Certificate .pfx, confirm the appropriate Subject Names appear, and select Next.
12. Input the FQDN of your ADFS server, select Add, and select Next.
13. Add the FQDN of your WAP. select Add, and select Next.
14. Input your service account credentials and select Next.
15. If prompted, input your service account credentials again and select Next.
16. Select the appropriate Azure AD domain to federate with and select Next (typically there is only one available).
17. Select te “Start the synchronization process when configuration completes.” option and select Install.
Phew. At this point go grab a cup of coffee, and maybe start praying a little bit. Assuming everything was configured correctly, you will get a success message and be prompted to verify your DNS configuration. Once that all checks out you’re off to the races!