Setting up an ADFS farm with ADFS proxies and an F5 load balancer
I'm no expert at ADFS and/or certificates, so feel free to correct me at various places.
You can use self-signed certs for token signing; however, at setup I had to use the same SSL certificate for all servers.
I started off with a self-signed SSL cert to test my setup, then replaced it with a 3rd-party one.
I would recommend checking out the SQL database options before installation, to plan ahead. I didn't have a need for a SQL database as opposed to WID.
I have followed articles from TechNet and various other blogs; the links to these articles are at the bottom.
ADFS Implementation & Installation Guide
Contents
Name                 | Location      | IP Address     | Subnet Mask   | Gateway
FIRSTINTERNALSERVER  | SER1          | 10.48.9.123    | 255.255.252.0 | 10.48.9.1
SECONDINTERNALSERVER | SER2          | 10.48.10.123   | 255.255.252.0 | 10.48.10.1
FIRSTPROXYSERVER     | SER1          | 172.16.200.123 | 255.255.254.0 | 172.16.200.1
SECONDPROXYSERVER    | SER2          | 172.16.201.123 | 255.255.254.0 | 172.16.201.1
ADFS VIP INTERNAL    | LOAD BALANCED | 10.48.9.233    |               |
ADFS VIP DMZ         | LOAD BALANCED | 172.16.200.233 |               |
Internal DNS: adfs.fabrikam.com = 10.48.9.233
External DNS: adfs.fabrikam.com = 201.204.193.84
Obtained an SSL certificate from a 3rd-party CA for adfs.fabrikam.com.
- Create a dedicated user/service account in the Active Directory forest that is located in the identity provider organization. This account is necessary for the Kerberos authentication protocol to work in a farm scenario and to allow pass-through authentication on each of the federation servers. Use this account only for the purposes of the federation server farm.
  The account svc_adfs has been created for this purpose.
- Edit the user account properties, and select the Password never expires check box. This ensures that the service account's function is not interrupted as a result of domain password change requirements.
- Because the application pool identity for the AD FS AppPool runs as a domain user/service account, you must configure the Service Principal Name (SPN) for that account in the domain with the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain where the user/service account resides (angle brackets mark the values to fill in):
  setspn -a host/<federation service FQDN> <service account>
  For this farm, where all federation servers are clustered under the Domain Name System (DNS) host name adfs.fabrikam.com and the service account assigned to the AD FS AppPool is svc_adfs, type the command as follows, and then press ENTER:
  setspn -a host/adfs.fabrikam.com svc_adfs
First federation server (FIRSTINTERNALSERVER): download the ADFS 2.0 setup file.
- When you launch the install program, click Next.
- Accept the license and click Next.
- On the Server Role screen, choose Federation Server and click Next.
- The wizard will automatically install the required prerequisites. Click Next to begin the installation.
- When the installation is complete, uncheck “Start the AD FS 2.0…”.
- Install the GoDaddy certificate for adfs.fabrikam.com to the local computer account.
- In IIS, make sure the Default Web Site has a 443 binding set to use the adfs.fabrikam.com certificate.
Now that we have the certificate installed, we can start the AD FS configuration. To launch the AD FS configuration wizard, go into Administrative Tools and click AD FS 2.0 Management.
- When the AD FS Management Console opens, click the AD FS 2.0 Federation Server Configuration Wizard link.
- Select the option to Create a new Federation Service.
- On the next screen, select New federation server farm.
- For the Federation Service name, choose the adfs.fabrikam.com certificate to use.
- You must then specify a service account in Active Directory that will be used by AD FS. Service account: svc_adfs
- On the Summary screen, review the changes that will be made and click Next to begin the configuration.
- When the installation is complete, click Close.
Second federation server (SECONDINTERNALSERVER):
- Install ADFS 2.0 using the setup file.
- Before configuring the second node, export the certificate from the first ADFS server in the farm. NOTE: this step is very important, as I was getting thumbprint errors for the SSL cert while setting up the second node without following the steps below.
1. Open the Certificates MMC console.
  - Log on to the original ADFS server which contains the service communications certificate with the private key.
  - Open the Start menu, type “MMC” in the search box and press Enter.
  - When the console opens, click “File” and select “Add/Remove Snap-in”.
  - Select “Certificates” from the available snap-ins and click the “Add” button to move it to the “Selected Snap-ins” window, then click “OK”.
  - When the “Certificates snap-in” window appears, select the “Computer account” radio button and click “Next”.
  - On the “Select Computer” window, select the “Local computer” radio button.
  - You will now see that it has been added to the selected snap-ins. Click “OK”.
2. Now that you have the local certificate MMC open, you can start to export the cert.
  - Expand “Certificates (Local Computer)”, then expand “Personal” and highlight “Certificates”.
  - Right-click the certificate to be exported (in my case adfs.pipe2text.com), then select “All Tasks” and “Export” from the menu.
  - Click “Next” on the “Welcome to the Certificate Export Wizard” screen.
  - On the “Export Private Key” screen, select “Yes, export the private key” and click “Next”.
  - On the “Export File Format” screen, select the “Personal Information Exchange - PKCS #12 (.PFX)” radio button and check “Include all certificates in the certification path if possible” and “Export all extended properties”. Make sure “Delete the private key if the export is successful” is deselected. Click “Next”.
  - On the “Password” screen, enter a password and make a note of it (this is the password you will use when importing the cert to the new server).
  - On the “File to Export” screen, enter a name and location for the file and click “Next”.
  - On the “Completing the Certificate Export Wizard” screen, review your settings and click “Finish”.
  - Retrieve the cert file and copy it to the new ADFS server you will be adding to your farm.
- Use the previously saved certificate, with the certificate name ADFS_FirstInternalServer.pfx.
- Import the above certificate to Local Computer\Personal\Certificates.
- Bind the imported cert to the Default Web Site:
  1. Open IIS Manager, right-click the “Default Web Site” and select “Edit Bindings”.
  2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that you imported, then click “OK”.
  3. You will now see “https” and “443” in the list of site bindings. Click “Close”.
- Launch the ADFS Configuration Wizard.
- On the Welcome page, verify that Add a federation server to an existing Federation Service is selected, and then click Next.
- If the AD FS database that you selected already exists, the Existing AD FS Configuration Database Detected page appears. If that occurs, click Delete database, and then click Next.
- On the Specify the Primary Federation Server and Service Account page, under Primary federation server name, type the computer name of the primary federation server in the farm, and then click Browse. In the Browse dialog box, locate the domain account that is used as the service account by all other federation servers in the existing federation server farm, and then click OK. Type the password and confirm it, and then click Next.
- On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring AD FS with these settings.
- On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.
Federation server proxies (FIRSTPROXYSERVER and SECONDPROXYSERVER, in the DMZ):
- Run the ADFS 2.0 setup and install ADFS.
- Import the certificate exported earlier from the federation server to Local Computer\Personal\Certificates.
- Bind the imported cert to the Default Web Site:
  1. Open IIS Manager, right-click the “Default Web Site” and select “Edit Bindings”.
  2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that you imported, then click “OK”.
  3. You will now see “https” and “443” in the list of site bindings. Click “Close”.
- Run the ADFS Configuration Wizard.
- On the Welcome page, click Next.
- On the Specify Federation Service Name page, under Federation Service name, type “adfs.fabrikam.com”.
- Clear the Use an HTTP proxy server when sending requests to this Federation Service check box, unless the proxy can only reach the federation service through an HTTP proxy; in that case select it and type the proxy's address under HTTP proxy server address. Click Test Connection to verify connectivity, and then click Next.
- When you are prompted, enter ‘fabrikam\svc_adfs’ and its password.
- On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.
- On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.
The WID database on the primary server is read/write and the WID databases on the secondary server(s) are read-only. Changes to the configuration are made only on the primary federation server and are replicated (at a 5-minute interval by default) to the secondary servers via WID database synchronization.
In the event that the primary federation server becomes unavailable and will not be brought back online, the administrator needs to promote one of the secondary federation servers to primary for the farm.
- Commands to run on the secondary server which you want to make primary:
  Add-PsSnapin Microsoft.Adfs.PowerShell
  Set-AdfsSyncProperties -Role PrimaryComputer
Now that you have set a new primary federation server, you need to configure the other secondary federation servers to sync with the new primary.
- Commands to run on the other farm member servers:
  Add-PsSnapin Microsoft.Adfs.PowerShell
  Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation Server}
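As an added post-build check that is not part of the original guide, the following PowerShell script verifies from a domain-joined admin workstation the three things this farm depends on: the host/ SPN on svc_adfs, the same service communications certificate (with private key) on every federation server together with exactly one WID primary, and the federation metadata answering over HTTPS through the load-balanced VIP. It assumes WinRM remoting is enabled on the farm members and uses the table's role names FIRSTINTERNALSERVER and SECONDINTERNALSERVER as placeholder host names.

```powershell
# Added verification script, not part of the original guide. Assumes PowerShell remoting
# (WinRM) is enabled on both federation servers and that a domain admin runs it.
# FQDN and service account are the guide's; the host names are placeholders from the table.
$FarmServers    = 'FIRSTINTERNALSERVER', 'SECONDINTERNALSERVER'   # replace with real host names
$FederationFqdn = 'adfs.fabrikam.com'
$ServiceAccount = 'svc_adfs'
$MetadataUrl    = "https://$FederationFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. SPN check: host/<FQDN> must be registered on the farm service account exactly once.
#    A missing or duplicate SPN breaks Kerberos for the whole farm.
$spnLines = setspn -L $ServiceAccount
$spnCount = @($spnLines | Where-Object { $_.Trim() -ieq "host/$FederationFqdn" }).Count
"SPN host/$FederationFqdn on ${ServiceAccount}: " + $(if ($spnCount -eq 1) { 'OK' } else { "FAIL (found $spnCount)" })

# 2. Per-node check: every node must hold the same service communications certificate,
#    including its private key (the thumbprint errors the guide mentions come from a
#    mismatch here), and exactly one node may hold the WID primary role.
$nodes = Invoke-Command -ComputerName $FarmServers -ScriptBlock {
    Add-PsSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $svcCert = Get-ADFSCertificate -CertificateType Service-Communications
    $stored  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $svcCert.Thumbprint }
    $sync    = Get-ADFSSyncProperties
    New-Object PSObject -Property @{
        Server        = $env:COMPUTERNAME
        Thumbprint    = $svcCert.Thumbprint
        HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
        Role          = $sync.Role            # PrimaryComputer or SecondaryComputer
        PollSeconds   = $sync.PollDuration    # WID sync interval, 300 s by default
    }
}
$nodes | Format-Table Server, Role, PollSeconds, HasPrivateKey, Thumbprint -AutoSize
$distinct   = @($nodes | Select-Object -ExpandProperty Thumbprint -Unique).Count
$primaries  = @($nodes | Where-Object { $_.Role -eq 'PrimaryComputer' }).Count
$missingKey = @($nodes | Where-Object { -not $_.HasPrivateKey }).Count
"Same service communications cert on all nodes: " + $(if ($distinct -eq 1) { 'OK' } else { 'FAIL (thumbprint mismatch)' })
"Private key present on all nodes: " + $(if ($missingKey -eq 0) { 'OK' } else { "FAIL ($missingKey node(s) without key)" })
"Exactly one WID primary: " + $(if ($primaries -eq 1) { 'OK' } else { "FAIL (found $primaries)" })

# 3. End-to-end check through the load-balanced VIP: the federation metadata must be served
#    over HTTPS and its entityID must name the Federation Service.
try {
    $xml = [xml](New-Object System.Net.WebClient).DownloadString($MetadataUrl)
    $entityId = $xml.EntityDescriptor.entityID
    "Metadata via VIP: OK (entityID $entityId)"
} catch {
    "Metadata via VIP: FAIL ($($_.Exception.Message))"
}
```

Run it again after promoting a new primary: the Role column should show exactly one PrimaryComputer and the secondaries should point at it.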
In the event you get an error message when trying to start the ADFS service, like "Windows could not start the AD FS 2.0 Windows Service service on Local Computer - Error 1053", try the fix below:
1. Navigate to C:\Program Files\Active Directory Federation Services 2.0
2. Find and open the Microsoft.IdentityServer.Servicehost.exe.config file.
3. Modify it as follows: under the tag, add this line:
So it would look like this:
References:
When to Create a Federation Server Farm:
http://technet.microsoft.com/en-us/library/dd807062(v=ws.10).aspx
How to change ADFS Service communication certificate after initial installation:
http://social.msdn.microsoft.com/Forums/vstudio/en-US/acad4d8a-898a-4113-b608-bf322f45282e/how-to-change-adfs-service-communication-certificate-after-initial-installation
AD FS 2.0: How to Set the Primary Federation Server in a WID Farm (move ADFS role to another server) - Fatshark's Personal Blog
http://www.edunnewijk.nl/fatshark/index.php?/archives/465-AD-FS-2.0-How-to-Set-the-Primary-Federation-Server-in-a-WID-Farm-move-ADFS-role-to-another-server.html
Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database
http://pipe2text.com/?page_id=395
Verifying ADFS Computer Settings and Connectivity:
http://technet.microsoft.com/en-us/library/cc778709(v=ws.10).aspx