In the previous articles in this series, we walked through creating the traditional identity and access platform, based on Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) in the form of the DC1 virtual machine running as a Domain Controller and Certification Authority.

In this part, we’ll finish up configuring server DC1 and configure the settings for expanding this platform to the public Internet. We’ll configure server ADFS, running (surprise!) Active Directory Federation Services (AD FS).

Step 9: Create the internal DNS records

In Step 5, we configured records in the external DNS zone. Today we’ll create the following records on DC1 next to the records that have been automatically created by joining the servers to the Active Directory domain:

Name | Type | Data | Purpose
Authority Join apps

Create these records by logging on to server DC1 and then, from the Tools menu in Server Manager, select DNS. Create the DNS records in the appropriate zone.
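The same records can be created from PowerShell on DC1 with the DnsServer module. The block below is an added example, not the article's own commands: the zone name, the IP address of server ADFS and the record names (`adfs` for the federation service, `enterpriseregistration`, the well-known name Workplace Join clients look up) are assumptions to replace with the values from your own Step 5 zone.

```powershell
# Added example (not the article's own commands): create the AD FS lab records
# on DC1 with the DnsServer module and verify them. Zone, IP and names are
# assumed placeholders; use the values from your own external zone (Step 5).
$Zone   = 'lab.example.com'     # assumed internal AD DNS zone
$AdfsIp = '10.0.0.20'           # assumed IPv4 address of server ADFS

# Host records the lab clients will resolve internally.
$Records = @(
    @{ Name = 'adfs';                   Purpose = 'federation service (authority)' },
    @{ Name = 'enterpriseregistration'; Purpose = 'Workplace Join / device registration' }
)

foreach ($r in $Records) {
    # Skip records that already exist so the script is safe to re-run.
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $r.Name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $r.Name -IPv4Address $AdfsIp -TimeToLive (New-TimeSpan -Hours 1)
        Write-Host "Created A record $($r.Name).$Zone -> $AdfsIp ($($r.Purpose))"
    }
}

# Verify from DC1 that each name answers with the expected address. A record that
# points at the wrong host would send the lab's credentials to that host instead.
foreach ($r in $Records) {
    $answer = Resolve-DnsName -Name "$($r.Name).$Zone" -Type A -Server localhost -ErrorAction Stop
    if ($answer.IPAddress -ne $AdfsIp) { throw "Unexpected answer for $($r.Name).$Zone: $($answer.IPAddress)" }
}
```

The web server record for the apps is left out here because that server is set up in the next post of the series.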

Step 10: Create a group MSA for the ADFS service

With all that name resolution out of the way, we can proceed with configuring the server ADFS.

First, we’ll want to create the account with the credentials the Active Directory Federation Service will run on server ADFS. We could create a service account, based on a normal user account in Active Directory, but we won’t because there’s a better solution: a group Managed Service Account (gMSA).

Benefits of using a gMSA instead of abusing a normal user account include:

  • Passwords for Managed Service Accounts (MSAs) and gMSAs are automatically changed every 30 days, so you don’t have to change them (and accidentally break stuff…).
  • In contrast to normal user accounts that are tied to services, passwords for MSAs and gMSAs are not stored as plain text in the registry.
  • MSAs and gMSAs are tied to specific (groups of) machines. This connection is based upon Service Principal Names (SPNs).

To allow for the placement of a secondary AD FS server in our lab environment, we’ll create a gMSA for the AD FS service on host ADFS with these steps:

  1. Log on to server DC1 with domain administrator credentials.
  2. Start PowerShell by clicking the PowerShell icon that is pinned to the Taskbar.
  3. Run the following command to create a Root Key for the Key Distribution Service (KDS):
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  4. Next, run the command to create the gMSA:
    New-ADServiceAccount FSgMSA -DNSHostName -ServicePrincipalNames http/
  5. Log off.
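The following block is an added example, not the article's commands, showing the same steps as a re-runnable script with two additions a practitioner would want: a check that a KDS root key exists before creating one, and a group that limits which computers may retrieve the gMSA password. The group name `ADFS-Servers`, the federation service name `adfs.lab.example.com` and the host list are assumptions.

```powershell
# Added example (not the article's own commands). Run on DC1 as a domain admin.
# Names are assumptions: adjust FSgMSA, the group name, the host names and the FQDN.
Import-Module ActiveDirectory

# 1. KDS root key. In production use Add-KdsRootKey -EffectiveImmediately and wait
#    10 hours for replication; backdating by 10 hours is only acceptable in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    Test-KdsRootKey -KeyId $keyId | Out-Null
}

# 2. A group holding the computers allowed to retrieve the gMSA password.
#    Restricting retrieval to these hosts (rather than Domain Computers) keeps the
#    federation service's credential usable only on the AD FS farm members.
$groupName = 'ADFS-Servers'          # assumed group name
$adfsHosts = @('ADFS')               # add the second AD FS server here when you build it
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the FSgMSA password'
}
foreach ($h in $adfsHosts) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $h)
}

# 3. The gMSA. DNSHostName and the SPN carry the federation service name the
#    clients will use, not the name of the server that happens to host it.
$fsName = 'adfs.lab.example.com'     # assumed federation service FQDN
New-ADServiceAccount -Name 'FSgMSA' `
    -DNSHostName $fsName `
    -ServicePrincipalNames "http/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName

# 4. Verify who may pull the password; anything broader than the group is a finding.
Get-ADServiceAccount -Identity 'FSgMSA' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```

Group membership of a computer only takes effect after that computer obtains a new Kerberos ticket, so reboot server ADFS (which Step 11 does anyway) and then run `Test-ADServiceAccount FSgMSA` on it; it must return `True` before the AD FS configuration wizard can use the account.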

Step 11: Configure the ADFS server

With the Domain Controller (DC) and Certification Authority (CA) in place, we’ll perform the basic configuration of server ADFS. First, let’s make it part of our domain:

  1. Log on to server ADFS.
  2. Press Win + X or right-click the Start button. In the context menu, select System.
  3. In the main pane, select Change settings in the Computer name, domain and workgroup settings section.
  4. On the System Properties window, click Change…
  5. On the Computer Name/Domain Changes window, select the Domain: radio option. Type the domain name, and then click OK.
  6. Restart server ADFS.

Next, let’s get a certificate from the CA:

  1. Log on to server ADFS with domain credentials.
  2. Click the Start button.
  3. Type mmc.exe and press Enter. This will start an empty Microsoft Management Console window.
  4. On the Console1 window, from the File menu, select Add/Remove Snap-in…
    Add or Remove Snap-ins
  5. On the Add or Remove Snap-ins window, select Certificates from the list of available snap-ins and click Add >.
  6. Select Computer account and click Next >.
  7. Select Local Computer and click Finish.
  8. On the Add or Remove Snap-ins window, click OK.
  9. In the left pane, expand Certificates (Local Computer), then Personal, and then Certificates.
  10. In the Action pane (to the right), click More Actions, click All Tasks, and then Request New Certificate….
  11. On the Certificate Enrollment window, click Next twice.
  12. Select Web Server.
  13. Click the link More information is required to enroll for this certificate. Click here to configure settings.
  14. On the Certificate Properties window, perform these actions:
    1. In the Subject name: area, change the Type: to Common Name, type the name, and then click Add >.
    2. In the Alternative name: area, change the Type: to DNS, type the name, and then click Add >.
  15. Click OK when done.
  16. Click Enroll.
  17. Click Finish.
  18. Close the Microsoft Management Console window. You don’t need to save it.

Step 12: Install and configure AD FS

Now, let’s install the Active Directory Federation Services Server Role:

  1. While still logged on as a Domain Administrator, go to Server Manager.
  2. In the grey top pane, click Manage and then select Add Roles and Features from the context menu.
  3. Click Next > on the Before You Begin page of the Add Roles and Features Wizard.
  4. Click Next > on the Select Installation Type page to accept the Role-based or feature-based installation option.
  5. Click Next > on the Select Destination Server page.
  6. On the Select Server Roles page, select Active Directory Federation Services. Click Next >.
  7. Click Next > on the Select Features page.
  8. Click Next > on the Active Directory Federation Service (AD FS) page.
  9. Verify the information on the Confirm Installation Selections page. Then, click Install.
  10. After installation, click Close on the Installation Progress page.

To configure the Active Directory Federation Services (AD FS) Server Role on server ADFS, perform these steps:

  1. In Server Manager, click the link to configure Active Directory Federation Services.
  2. Choose Create the first federation server. Click Next >.
  3. Click Next > on the Admin Account page.
  4. Select the certificate for
  5. Choose a meaningful name for the federation service display name. Click Next > when done.
  6. Select Use an existing domain user account. Select the previously created FSgMSA account. Click Next >.
  7. Choose Windows Internal Database. Click Next >.
  8. Choose Configure. Click Next >.
  9. Click Close.
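For a repeatable lab build, the certificate request from Step 11 and the role installation and farm configuration from this step can be scripted. The block below is an added example, not the article's steps: it runs on server ADFS as a domain administrator, and the template name `WebServer`, the federation service name `adfs.lab.example.com`, the `enterpriseregistration` alternative name (required later for Workplace Join) and the display name are assumptions; the gMSA name is the one created in Step 10.

```powershell
# Added example (not the article's own steps): PowerShell equivalent of the MMC
# certificate request and the AD FS configuration wizard. Run on server ADFS as a
# domain administrator. Template, service name, SANs and display name are assumed.
$fsName   = 'adfs.lab.example.com'                                   # assumed federation service FQDN (certificate CN)
$sanNames = @($fsName, 'enterpriseregistration.lab.example.com')     # assumed SANs; the second one is needed for Workplace Join
$gmsa     = '4SYSOPS\FSgMSA$'                                        # gMSA from Step 10

# 1. Request a Web Server certificate from the enterprise CA into the machine store.
$req = Get-Certificate -Template 'WebServer' `
    -SubjectName "CN=$fsName" `
    -DnsName $sanNames `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Certificate not issued: $($req.Status)" }
$cert = $req.Certificate

# 2. Checks worth doing before binding the certificate to the federation service.
if (-not $cert.HasPrivateKey)                    { throw 'Issued certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30))   { throw "Certificate expires too soon: $($cert.NotAfter)" }
if ($cert.Subject -ne "CN=$fsName")              { throw "Unexpected subject: $($cert.Subject)" }

# 3. Install the role and create the first federation server of the farm.
#    Without a SQL connection string Install-AdfsFarm uses the Windows Internal Database.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Lab Federation Service' `
    -GroupServiceAccountIdentifier $gmsa

# 4. Confirm the service runs and the issued certificate is the one in use.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Thumbprint, IsPrimary
```

`Install-AdfsFarm` fails if server ADFS cannot retrieve the gMSA password, which is the quickest way to notice that the host is missing from the group allowed to retrieve it.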

Before we can actually use the Active Directory Federation Services for the purposes of our lab environment, we need to change the authentication policies:

  1. While still logged on as a Domain Administrator, go to Server Manager.
  2. In the grey top pane, click Tools and then select ADFS Management from the context menu.
  3. In the left pane, click Authentication Policies.
  4. From the right pane of the ADFS Management console, select Edit Global Primary Authentication Policy….
    Edit Global Authentication Policy
  5. In the Edit Global Authentication Policy window, in the Intranet section, deselect Windows Authentication. Next, select Forms Authentication. Also, select the Enable device authentication option at the bottom of the window (as seen above).
  6. Click OK.
  7. Close ADFS Management.

All we need to do now is configure Enterprise Device Registration:

  1. Start PowerShell by clicking the PowerShell icon that is pinned to the Taskbar.
  2. Execute the following PowerShell command:
  3. As the ServiceAccountName, use 4SYSOPS\FSgMSA$.
  4. Choose Yes.
  5. Next, execute this PowerShell command:
  6. When this command ends, type the last PowerShell command to finish configuring server ADFS for now:


Today, you’ve performed an Active Directory Federation Services implementation.

Your first? Congratulations.


In the next post of this series, I will describe how to install the webserver for the Azure BYOD lab.


© 4sysops 2006 - 2022
