Solved

Active Directory Federation Services Install

Posted on 2014-07-14
Last Modified: 2014-07-17
All,

I am currently charged with deploying active directory federation services to our Server 2008 R2 domain.

When I read over the documentation I feel I am left with more questions than answers.  Does anyone have much more simplified, step-by-step documentation that explains better how to deploy it?  I am not deploying any trust yet, as that comes after FS is stood up.

I have added a couple of virtual machines for the FS role (for an RMS cluster) and two DMZ proxy servers as well; however, the role itself being installed is clearly not enough to make it work.  My focus on this question is just standing it up and that alone. I am looking for something easy to understand, something so easy a caveman can do it? :)

Any help is greatly appreciated. On the horizon it looks like Office 365 is going to be one thing using federation services, I know we have a current need to use AD FS SAML for something called Jive.

Thanks again!
Question by:smyers051972
14 Comments
 
LVL 45

Expert Comment

by:Amit
ID: 40195067
Do you have any HLB?
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40195106
This is my first deployment please elaborate :)
0
 
LVL 45

Expert Comment

by:Amit
ID: 40195132
I am asking about Hardware load balancer. As you implemented 2 Proxy servers. What about ADFS internal server, did you create a farm? or? Standalone?

What about ID provisioning? Are you planning for ADLDS?
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40195150
OK, so no hardware load balancer. What I didn't get was why two servers each, since they are all VMs running under VMware in a cluster already, but the boss said to do it that way anyway.

I created two ADFS servers, server1 I added the role and am stuck on the certificate portion currently.  Server2 is just sitting there right now, nothing has been done to it at all yet.

Proxy1 and Proxy2 have also been left untouched right now.

As for AD LDS, it may be used in SAML for this Jive authentication; they use SAML/AD FS authentication to access their site.  It would essentially use our AD accounts to manage who is authorized to access their site.

Hope that helps you help me :)

Again this is my FIRST deployment.
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40195169
When I look at this video I don't have the same certificate either:
http://technet.microsoft.com/en-us/video/setting-up-single-sign-on-with-office-365-using-adfs-2-0.aspx 

This is mind boggling; my focus, though, is just standing up the SSO services, not pairing with anything yet.
0
 
LVL 45

Expert Comment

by:Amit
ID: 40195194
The purpose of 2 ADFS proxies and ADFS servers is to have high availability, which can be achieved using a load balancer.

I suggest you hire an ADFS consultant, as it is a complex task and requires a bit of design and implementation skill.
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40195196
They will not let me do that, so I am seeking assistance; something bulleted would help me, just to stand up the AD FS itself and get it talking to the proxies.
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40197577
OK, just as a follow-up: what I am seeking is only a step-by-step understanding of AD FS.  I am not able to hire a consultant, which is why I am here.

Any help is greatly appreciated. Here is the example layout for our AD FS install:

adfs1.domain.local  (1st Internal ad fs server)
adfs2.domain.local (2nd internal ad fs server for load balancing)

adfsdmzpxy1 (1st dmz proxy server)
adfsdmzpxy2 (2nd dmz proxy server for load balancing)

We do not have a hardware load balancer; we would use RMS clustering (I believe).

Thanks again and I appreciate any help.
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40197658
Also this is the document I followed:

http://gaptheguru.wordpress.com/2012/05/23/how-to-setup-active-directory-federation-services/

It seems incomplete. My tests don't seem to be working.
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 40197797
If you're setting this up for Office 365, then here's the guide from MS.
http://technet.microsoft.com/en-us/library/jj205462.aspx

Here's a portion of my notes from when I had to do this.

3) ADFS install
a. Install AD FS 2.0 (not from Server Manager > Roles, which is AD FS 1.0).  This will also add prerequisites (.NET Framework 3.5 SP1, IIS, Windows Identity Foundation).  Do not run the configuration wizard.
b. Apply AD FS 2.0 Update Rollup 3.
c. Install certificate into IIS default site.  Use a .pfx file with private key.  http://technet.microsoft.com/en-us/library/dd807088(v=ws.10).aspx
d. Run AD FS configuration wizard.  Select option to create a farm.  The name for the federation service will need to have a DNS record created for it in internal records (and the same name used for external records to support the ADFS proxy), so use something that is externally accessible (i.e. a name that is/will be resolvable from the internet).  http://technet.microsoft.com/en-us/library/dd807070(v=ws.10).aspx

h. Install AD FS 2.0 on proxy machine, performing steps a-d above.  When installing, you choose the role (federation server, or federation server proxy).  Also the configuration wizard is different depending on what role you chose.
To support the proxy in the DMZ, the firewall must allow inbound traffic on TCP port 443 to the proxy, and TCP 443 from the proxy to the internal ADFS.  The proxy must also resolve the name of the federation service to the internal ADFS IP; if the DNS servers the proxy uses don't have this information, use the HOSTS file.

4) Create DNS record(s) for federation service
a. In order to support federation server proxy, there must be a record in public DNS for internet clients to resolve.
b. Internally, the record should resolve to the federation server (or virtual IP for the NLB cluster).

Can't really help you with any of the load-balancing stuff.
0
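The notes above boil down to a handful of things that must be true once the wizard has run: the federation service name resolves (to the internal server or NLB VIP from inside, to the proxy from outside), TCP 443 is open along that path, a certificate with a private key is bound to port 443, and the federation metadata endpoint answers. The following PowerShell check is an added example, not code from this thread or from Microsoft; it assumes a federation service name of `fs.example.com` (a placeholder for your own FS name) and is written against the .NET classes available on Server 2008 R2 rather than newer cmdlets such as `Resolve-DnsName` or `Test-NetConnection`.

```powershell
# Post-install sanity check for an AD FS 2.0 farm/proxy layout (added example).
# Run it on the internal AD FS server and again on each DMZ proxy: the resolved
# address should differ (internal IP or NLB VIP vs. the proxy's public path).
param(
    [string]$FederationService = "fs.example.com"   # assumed placeholder; use your FS name
)

$results = @{}

# 1. Name resolution: proxies must map the FS name to the INTERNAL AD FS address
#    (DNS or HOSTS entry); external clients must map it to the proxy.
try {
    $ips = @([System.Net.Dns]::GetHostAddresses($FederationService) | ForEach-Object { $_.IPAddressToString })
    $results["1-dns"] = "$FederationService -> $($ips -join ', ')"
} catch {
    $results["1-dns"] = "FAIL: does not resolve (create the A record or a HOSTS entry)"
    $ips = @()
}

# 2. TCP 443 reachability to every resolved address (firewall / listener check).
foreach ($ip in $ips) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ip, 443); $results["2-tcp443 $ip"] = "open" }
    catch { $results["2-tcp443 $ip"] = "FAIL: blocked or nothing listening" }
    finally { $client.Close() }
}

# 3. An SSL certificate must be bound to 0.0.0.0:443 (the cert installed into the IIS default site).
$bindings = (netsh http show sslcert 2>$null) | Out-String
if ($bindings -match "0\.0\.0\.0:443") { $results["3-sslbinding"] = "bound" }
else { $results["3-sslbinding"] = "FAIL: no SSL binding on 0.0.0.0:443" }

# 4. A certificate whose subject matches the FS name, with its private key, must be in LocalMachine\My.
$cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($FederationService) })
if ($cert.Count -gt 0) { $results["4-cert"] = "found, expires $($cert[0].NotAfter)" }
else { $results["4-cert"] = "FAIL: no cert for $FederationService with a private key" }

# 5. AD FS 2.0 publishes its federation metadata at this fixed path; a good answer
#    proves IIS, the certificate and the Federation Service itself are all working.
$url = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $body = (New-Object System.Net.WebClient).DownloadString($url)
    $xml  = [xml]$body
    $results["5-metadata"] = "entityID = $($xml.EntityDescriptor.entityID)"
} catch {
    $results["5-metadata"] = "FAIL: $url ($($_.Exception.Message))"
}

$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

A failure in check 1 or 2 on a proxy points at the HOSTS/DNS or firewall items in step h; a failure in 3 or 4 points back at step c, and check 5 failing while 1 to 4 pass usually means the configuration wizard (step d) was not completed.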
 
LVL 1

Author Comment

by:smyers051972
ID: 40200393
@footech - Thanks to your documentation I got through most of it. A question, however: I have 2 servers in the farm; how do I set up the virtual IP for the redundant cluster, with no HLB involved?  If you know how to lay this out for me, let me know. I will be accepting your response above and can open a new question for you to answer this question fully too.

Thanks!
0
 
LVL 41

Expert Comment

by:footech
ID: 40200953
All I can speak to is the NLB built in to Windows, and even there my details are a little fuzzy.  It was pretty straightforward to create the NLB cluster and its virtual IP.  In DNS make sure you create/modify the A record (with the same name that you named your federation service during setup) so it points at that virtual IP.  That was all I had to do.
0
 
LVL 1

Author Comment

by:smyers051972
ID: 40202314
OK, I'll open a case.  I am still having issues with AD FS, which I'll open a new issue for; the one solution above helped me get it stood up... Thanks so much!!! 2x new issues coming your way, keep an eye out :)
0
 
LVL 1

Author Closing Comment

by:smyers051972
ID: 40202317
VERY helpful. Still having AD FS issues, but this was to just get it stood up and this did do that job.

Thank you!
0
