
Active Directory Federation Service (ADFS)

What is ADFS?

In simple terms, Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution. ADFS gives users authenticated access to applications that cannot use Integrated Windows Authentication against Active Directory (AD) directly, for example web applications hosted outside the domain or by a partner.

To provide flexibility, ADFS gives organizations the ability to control their employees’ accounts while simplifying the user experience: employees only need to remember a single set of credentials to access multiple applications through SSO.

How does ADFS work?

ADFS sits between AD and the target application. The link between them is a Federated Trust (in the ADFS console, a relying party trust): ADFS authenticates the user against AD and issues a security token containing claims about the user, signed with the ADFS token-signing certificate. The application accepts that token because it trusts ADFS, so the user signs on to the federated application through SSO without ever authenticating to the application directly.

The authentication process follows these steps:

  1. The user is redirected (or navigates) to the sign-in URL of the ADFS service.
  2. ADFS authenticates the user against the organization's AD (for example with Windows Integrated Authentication or a forms-based sign-in).
  3. Once the user is authenticated, ADFS issues a signed token carrying claims about the user.
  4. The user's browser posts that token to the target application, which verifies the signature against the Federated Trust and grants or denies access based on the claims it contains.

Setup ADFS

For this blog, I'll use the servers below with the listed roles installed.

Server                  | Server Name | Role
Active Directory server | advm01      | Active Directory Domain Services, Active Directory Certificate Services
ADFS server             | adfsvm01    | Active Directory Federation Services

I'll use "techcirrus.com" as the domain for this article, with a certificate for "adfs.techcirrus.com" issued by the internal Certificate Authority. Strictly speaking this is not a self-signed certificate: the enterprise CA signs it, and domain-joined machines trust it because they trust the CA's root.

For a production environment, use a certificate from a publicly trusted CA whose Subject Alternative Names cover the federation service name (and certauth.<federation service name> and enterpriseregistration.<domain> if you plan to use certificate authentication or device registration). A wildcard certificate covers all of these and is a common choice, but its private key then protects every host under the domain, so keep it off servers that do not need it.


The diagram above shows how the pieces fit together:

1.     The ADFS server requests (enrolls) its SSL certificate from the Certificate Authority on the AD server.

2.     Once the request is granted, the federation service can be served over HTTPS and federated applications redirect users to the ADFS sign-in page.



Let’s start with ADCS installation

1.  Install the Active Directory Certificate Services role on the AD server (as shown in the screenshot below).

2. Request an SSL certificate from the internal Certificate Authority. This involves three sub-steps:

    1. Create a certificate template on the 'Certificate Authority' server
    2. Issue (publish) that template on the 'Certificate Authority' server so other servers can enroll against it
    3. Request a certificate from the ADFS server against the 'Certificate Authority' server

The ADCS role is installed. The next step is to configure ADCS.


3.   The certificate template is created. It should be a duplicate of the Web Server template (Server Authentication EKU) with the private key marked exportable, so the same certificate can later be installed on additional farm servers, and the ADFS computer account needs Enroll permission on it. Now, let's issue the template from the 'Certificate Authority' so other servers (like ADFS) can enroll against it.





4.  The template is issued. Let's go to the ADFS server, i.e. adfsvm01, and request a certificate from this template.

 Please note, the ADFS VM must be domain-joined before proceeding with the next steps.

 

5.    Log on to the ADFS server, open MMC from Run and add the 'Certificates' snap-in for the computer account

6.    Expand Certificates (Local Computer) → Personal → Certificates

7.    Right-click Certificates → All Tasks → Request New Certificate



8.    The Certificate Enrollment wizard opens. Click Next



9.    Select the certificate template and click the 'Enroll' button.

10. Click Finish





11. The certificate issued by the internal CA is now in the local computer's Personal store, together with its private key
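The certificate steps above (install AD CS, enroll from the ADFS server, confirm the result) as a PowerShell script. This is an added example, not code from the original post. It assumes the enterprise CA runs on advm01, that the template published there is named "ADFS-SSL", and that the federation service name is adfs.techcirrus.com; the two extra SAN entries are only needed if you later turn on certificate authentication or device registration.

```powershell
# Added example, not from the original post. Assumptions for this lab: the
# enterprise CA runs on advm01, the published template is named "ADFS-SSL",
# and the federation service name is adfs.techcirrus.com.

# --- On advm01: install AD CS and create an Enterprise Root CA ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'TechCirrus-Root-CA' -Force

# --- On adfsvm01 (must already be domain-joined): enroll against the template ---
$fsName = 'adfs.techcirrus.com'
$enroll = Get-Certificate -Template 'ADFS-SSL' `
    -SubjectName "CN=$fsName" `
    -DnsName $fsName, "certauth.$fsName", 'enterpriseregistration.techcirrus.com' `
    -CertStoreLocation Cert:\LocalMachine\My

if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($enroll.Status)). Check that the template is issued on the CA and that adfsvm01`$ has Enroll permission on it."
}
$cert = $enroll.Certificate

# Checks worth doing before handing the certificate to ADFS.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$checks = [ordered]@{
    'Private key present'            = $cert.HasPrivateKey
    'Server Authentication EKU'      = [bool]($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')
    'Issued by CA (not self-signed)' = ($cert.Subject -ne $cert.Issuer)
    'Chains to a trusted root'       = $cert.Verify()
    'More than 30 days left'         = ($cert.NotAfter -gt (Get-Date).AddDays(30))
}
$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

# Keep the thumbprint: the ADFS configuration wizard (or Install-AdfsFarm) asks for it.
$cert.Thumbprint
```

Every line in the check table should read True. A False on the EKU or private-key row means the wrong template was used; a False on the chain row means this machine does not trust the CA root, which every farm server and every client must.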

12.  Now let's go to the ADFS server VM, i.e. adfsvm01, and install the ADFS role on it

13.  Open ‘Server Manager’ on adfsvm01, go to ‘Add Roles and Features’ and click ‘Next’


 

14.  Select ‘Active Directory Federation Services’ checkbox and click ‘Next’


15.  Click ‘Install’ button at ‘Confirmation’ page



16.  Once installation is complete, click on ‘Configure the federation service on this server’

17.  Select ‘Create the first federation server in a federation server farm’ and click ‘Next’

Please note, this is the first ADFS server in the domain, which is why I selected this option. If this is an additional ADFS server in your environment, select 'Add a federation server to a federation server farm' instead.



18.  On the next page, connect to AD DS using a Domain Admin credential. This credential is used only while the wizard creates the farm's objects in AD; it is not the account the service runs as.


19.  Select the SSL certificate from the drop-down menu, i.e. adfsvm01.techcirrus.com (this also fills in the Federation Service Name), add the 'Federation Service Display Name' and click Next. In a farm the federation service name is shared by every server and by the Web Application Proxy, so a dedicated name such as adfs.techcirrus.com is a better choice than one server's hostname.



20.  On the 'Specify Service Account' page, you can use either a Group Managed Service Account (gMSA) or a domain user account. I used a domain user account here. For anything beyond a lab, prefer the gMSA: its password is generated and rotated by AD, whereas a domain user account gives ADFS a static password that you must manage and that an attacker can use from anywhere once it is stolen.




21.  All prerequisites’ checks should pass successfully. Click ‘Configure’ button


22.  Hit ‘Close’ button upon completion


23.  Verify that the ADFS console opens from Server Manager → Tools → AD FS Management
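The farm build-out from steps 12 to 23 as a PowerShell script, using a gMSA instead of the domain user account chosen in step 20. This is an added example, not code from the original post. It assumes the NetBIOS domain name TECHCIRRUS, a gMSA named svc-adfs, the federation service name adfs.techcirrus.com, and that the certificate enrolled earlier sits in the local machine Personal store.

```powershell
# Added example, not from the original post. Assumptions: NetBIOS domain
# TECHCIRRUS, gMSA svc-adfs, federation service name adfs.techcirrus.com,
# certificate already enrolled into Cert:\LocalMachine\My on adfsvm01.

# --- On advm01 (domain controller), once per forest: the KDS root key gMSAs need ---
# Backdating by 10 hours is a single-DC lab shortcut; in production wait for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}
New-ADServiceAccount -Name 'svc-adfs' `
    -DNSHostName 'adfs.techcirrus.com' `
    -ServicePrincipalNames 'host/adfs.techcirrus.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'adfsvm01$'

# --- On adfsvm01 ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS

$fsName = 'adfs.techcirrus.com'
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "No certificate for $fsName with a private key in LocalMachine\My" }

# The Domain Admin credential is used only for this one-time configuration
# (it creates the farm's objects in AD); the service itself runs as the gMSA.
Install-AdfsFarm -CertificateThumbprint $thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'TechCirrus Sign-In' `
    -GroupServiceAccountIdentifier 'TECHCIRRUS\svc-adfs$' `
    -Credential (Get-Credential -Message 'Domain Admin, used for configuration only')

# A second server joins the same farm with Add-AdfsFarmNode instead:
#   Add-AdfsFarmNode -CertificateThumbprint $thumbprint -PrimaryComputerName adfsvm01.techcirrus.com `
#       -GroupServiceAccountIdentifier 'TECHCIRRUS\svc-adfs$' -Credential (Get-Credential)

# --- Post-install checks ---
Get-AdfsProperties | Select-Object HostName, Identifier, EnableIdpInitiatedSignonPage
# Token-signing is the key that signs every claim ADFS issues; note its thumbprint
# and protect it like a domain controller secret.
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint

# Federation metadata is served without authentication; HTTP 200 over HTTPS shows
# the service is up and the SSL certificate is trusted by this client.
$meta = Invoke-WebRequest -UseBasicParsing -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta.StatusCode
```

Run the first block on the domain controller and the rest on adfsvm01. The gMSA needs an SPN for the federation service name, not for the server's hostname, because that is the name clients use for Kerberos against ADFS.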




24.  To test the IdP-initiated sign-on page, open PowerShell with elevated permissions

25.  Run Get-AdfsEndpoint | Select FullUrl as shown in the screenshot, copy the highlighted line (the passive sign-in endpoint) and paste it into Notepad

https://adfsvm01.techcirrus.com/adfs/ls/





26.  Append IdpInitiatedSignon.aspx to the end of the line as shown in the screenshot below:

 https://adfsvm01.techcirrus.com/adfs/ls/IdpInitiatedSignon.aspx 

Please note, on Windows Server 2016 and later ADFS ships with this page disabled, so it has to be enabled in the ADFS properties before this step works. The page shows the configured relying parties to anyone who can reach it and accepts passwords, which makes it a favourite for reconnaissance and password spraying; disable it again once the test is done unless an application genuinely needs it.

27.  Copy the link and paste it into a browser, which brings up the home page shown below


28.  Click the 'Sign in' button to check that you can sign in to the page
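Steps 24 to 28 done from PowerShell, turning the page on only for the test and back off afterwards. This is an added example, not code from the original post. It assumes the federation service name adfs.techcirrus.com, that it runs on an ADFS server where the ADFS module is available, and that a Web Application Proxy (or nothing) fronts the farm; the extranet lockout values at the end are illustrative.

```powershell
# Added example, not from the original post. Assumes federation service name
# adfs.techcirrus.com and that this runs on an ADFS server.
Import-Module ADFS
$fsName = 'adfs.techcirrus.com'

# Build the URL from the endpoint list rather than copying it from the console by hand.
$passive = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' } | Select-Object -First 1
$signonUrl = "$($passive.FullUrl.ToString().TrimEnd('/'))/IdpInitiatedSignon.aspx"
$signonUrl

# ADFS on Windows Server 2016 and later ships with this page disabled; older farms have it on.
$wasEnabled = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
if (-not $wasEnabled) { Set-AdfsProperties -EnableIdpInitiatedSignonPage $true }

try {
    # An unauthenticated GET should return the sign-in form (HTTP 200); anything else
    # means the page is off, the name does not resolve, or TLS failed.
    $resp = Invoke-WebRequest -UseBasicParsing -Uri $signonUrl
    '{0} {1}' -f $resp.StatusCode, $signonUrl
}
finally {
    # The page lists relying parties to anyone who can reach it and accepts passwords,
    # so it serves reconnaissance and password spraying. Put it back the way it was;
    # in production leave it disabled unless something needs it.
    if (-not $wasEnabled) { Set-AdfsProperties -EnableIdpInitiatedSignonPage $false }
}

# Whether or not the page stays on, throttle failed sign-ins that arrive through the
# Web Application Proxy so the endpoint is not a free password-guessing oracle.
# Threshold and window are example values, not a recommendation for every environment.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
(Get-AdfsProperties).EnableExtranetLockout
```

Extranet lockout only counts attempts that come in through the proxy, so it protects the internet-facing path without locking out users on the LAN; pick a threshold below the AD account lockout threshold so spraying trips ADFS before it locks the domain account.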




This concludes the ADFS setup using a certificate issued by the internal CA. This has been another long post because of the step-by-step detail and the many screenshots, but it's worth the time. I hope it is useful to read and to implement in your environment. Cheers!

 
