Step 4: Configure a Federation Server
Updated: June 24, 2013
Applies To: Windows Server 2012 R2
After you install the Active Directory Federation Services (AD FS) role service on your computer, you are ready to configure this computer to become a federation server. You can do one of the following:
Configure the first federation server in a new federation server farm
Add a federation server to an existing federation server farm
Configure the first federation server in a new federation server farm
To configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard
Note
Make sure you have domain administrator permissions or have domain administrator credentials available before you perform this procedure.
On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
The Active Directory Federation Service Configuration Wizard is launched.
On the Welcome page, select Create the first federation server in a federation server farm and click Next.
On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.
On the Specify Service Properties page, do the following and then click Next:
Import the .pfx file containing the SSL certificate and key that you have obtained earlier. In Step 2: Enroll an SSL Certificate for AD FS you have obtained this certificate and copied it onto the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import and browse to the file’s location. Specify the password for the .pfx file when prompted.
Provide a name for your federation service. For example, fs.contoso.com. This name must match one of the subject or subject alternative names in the certificate.
Provide a display name for your federation service. For example, Contoso Corporation. This name will be shown to users at the AD FS sign-in page.
On the Specify Service Account page, specify a service account. You can either create or use an existing group Managed Service Account (gMSA) or use an existing domain user account. If you select the option to create a new gMSA, specify a name for the new account. If you select the option to use an existing gMSA or domain account, click the Select... button to select an account.
Note
The benefit of using a gMSA is its auto-negotiated password update feature.
Warning
If you want to use a gMSA, you must have at least one domain controller in your environment that is running Windows Server 2012 operating system.
If the gMSA option is disabled and you see an error message similar to Group Managed Service Accounts are not available because the KDS Root Key has not been set, you can enable gMSA in your domain by executing the following Windows PowerShell command on a Windows Server 2012 or later domain controller in your Active Directory domain:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Then return to the wizard and click the Previous button followed by the Next button to re-enter the Specify Service Account page. The gMSA should now be enabled, and you can select it and enter a desired gMSA account name.
On the Specify Configuration Database page, specify an AD FS configuration database and then click Next. You can either create a database on this computer using Windows Internal Database (WID) or you can specify the location and the instance name of the SQL server.
Warning
In Windows Server® 2012 R2, there is a workaround for specifying the SQL server default instance. The workaround is to not use the user interface. Instead, use the steps in To configure the first federation server in a new federation server farm via Windows PowerShell.
For more information, see The Role of the AD FS Configuration Database.
On the Review Options page, verify your configuration selections and click Next.
On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.
To configure the first federation server in a new federation server farm via Windows PowerShell
You can create a new federation server farm using either a new or existing gMSA or an existing domain user account.
If you want to create a new federation server using a new gMSA account, do the following:
Important
You must have domain administrator permissions to create the first federation server in a new federation server farm.
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My Store.
On your domain controller, open the Windows PowerShell command window and run the following command to verify whether the KDS Root Key has been created in your domain:
Get-KdsRootKey
If it has not been created (the output displays no information), run the following command to create the key:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_Name>$
Warning
The ‘$’ at the end of the command above is required.
You can obtain the value for <certificate_thumbprint> by running
dir Cert:\LocalMachine\My
and selecting the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.
Note
If this is NOT the first time you run this command, add -OverwriteConfiguration.
Note
The command above creates a WID farm. If you want to create a SQL server farm, you must have the SQL server already installed and operational.
You can use the following command to create the first federation server in a new farm using SQL server:
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
If you want to create a new federation server using an existing domain user account, do the following:
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My Store.
On the computer that you want to configure as a federation server, open the Windows PowerShell command window and run the following command:
$fscred = get-credential
Enter the domain user account credentials that you want to use for the federation service account in the format domain\username.
In the same Windows PowerShell command window, run the following command:
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred
You can obtain the value for <certificate_thumbprint> by running
dir Cert:\LocalMachine\My
and selecting the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.
Note
If this is NOT the first time you run this command, add -OverwriteConfiguration.
Note
The command above creates a WID farm. If you want to create a SQL server farm, you must have the SQL server already installed and operational.
You can use the following command to create the first federation server in a new farm using SQL server:
Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True"
where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
Add a federation server to an existing federation server farm
Important
Make sure you have completed Step 3: Install the AD FS Role Service, before you start any of the procedures in this section.
To add a federation server to an existing federation server farm via the Active Directory Federation Service Configuration Wizard
On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.
The Active Directory Federation Service Configuration Wizard is launched.
On the Welcome page, select Add a federation server to a federation server farm and click Next.
On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.
On the Specify Farm page, provide the name of the primary federation server in a farm using WID or specify the database host name and the database instance name of an existing federation server farm using SQL.
Warning
In Windows Server® 2012 R2, there is a workaround for specifying the SQL server default instance. The workaround is to not use the user interface. Instead, use the steps in To configure the first federation server in a new federation server farm via Windows PowerShell.
On the Specify SSL Certificate page, import the .pfx file containing the SSL certificate and key that you have obtained earlier. This is the required service authentication certificate. In Step 2: Enroll an SSL Certificate for AD FS you have obtained this certificate and copied it onto the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import and browse to the file’s location. Specify the password for the .pfx file when prompted.
On the Specify Service Account page, specify the same service account that you configured when you created the first federation server in the farm. You can use an existing group Managed Service Account or an existing domain user account.
Important
The account you specify must be the same account as the one that was used on the primary federation server in this farm.
On the Review Options page, verify your configuration selections and click Next.
On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.
To add a federation server to an existing federation server farm via Windows PowerShell
You can add a federation server to an existing farm using either an existing gMSA or an existing domain user account.
If you want to join a federation server to a farm using an existing gMSA account, do the following:
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My Store.
On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:
Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>
<domain>\<GMSA_name> is your AD domain and the name of your gMSA account in that domain. <first_federation_server_hostname> is the hostname of the primary federation server in this existing farm. You can obtain the value for <certificate_thumbprint> by running
dir Cert:\LocalMachine\My
in the above step.
Note
If this is NOT the first time you run this command, add -OverwriteConfiguration.
Note
The command above joins a WID farm. If you want to join a SQL server farm, the SQL server must already be installed and operational.
You can use the following command to add a federation server to an existing farm using SQL server:
Add-AdfsFarmNode -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" -CertificateThumbprint <certificate_thumbprint>
where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
If you want to join a federation server to a farm using an existing domain user account, do the following:
On the computer that you want to configure as a federation server, open the Windows PowerShell command window and run the following command:
$fscred = get-credential
Enter the domain user account credentials that you want to use for the federation service account in the format domain\username.
On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window:
dir Cert:\LocalMachine\My
The certificate is listed by its thumbprint in the Local Computer\My Store.
In the same Windows PowerShell command window, run the following command:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -PrimaryComputerName <first_federation_server_hostname> -CertificateThumbprint <certificate_thumbprint>
Note
If this is NOT the first time you run this command, add -OverwriteConfiguration.
Note
The command above joins a WID farm. If you want to join a SQL server farm, the SQL server must already be installed and operational. You can use the following command to add a federation server to an existing farm using SQL server:
Add-AdfsFarmNode -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" -CertificateThumbprint <certificate_thumbprint>
where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
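The two gMSA-based PowerShell procedures above (creating the first server in a new WID farm and adding a node to an existing farm) leave the thumbprint lookup, the trailing '$' on the gMSA identifier and the KDS root key check to the reader. The script below is an added example, not code from the original page or from Microsoft, that automates those checks and then calls the same cmdlets; the default values fs.contoso.com, CONTOSO\adfsgmsa$ and the helper Test-CertCoversName are assumed for illustration.

```powershell
# Added example (not from the original page): resolve the SSL certificate thumbprint
# from the federation service name, verify the gMSA prerequisites the page describes,
# then either create a new WID farm or join an existing one with the same cmdlets.
# Default values (fs.contoso.com, CONTOSO\adfsgmsa$) are assumed; replace them.
param(
    [string]$FederationServiceName = 'fs.contoso.com',
    [string]$GmsaIdentifier        = 'CONTOSO\adfsgmsa$',
    [string]$PrimaryComputerName   = '',   # empty: create a new farm; set: join this primary
    [switch]$Overwrite                      # adds -OverwriteConfiguration on a re-run
)

# The page's warning: the gMSA identifier must end with a dollar sign.
if ($GmsaIdentifier -notmatch '\$$') {
    throw ('gMSA identifier {0} must end with $ (for example CONTOSO\adfsgmsa$)' -f $GmsaIdentifier)
}

# Hypothetical helper: true if the subject/SAN DNS names cover $Name, including a
# single-label wildcard such as *.contoso.com covering fs.contoso.com.
function Test-CertCoversName($Cert, [string]$Name) {
    foreach ($dns in $Cert.DnsNameList.Unicode) {
        if ($dns -eq $Name) { return $true }
        if ($dns.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.') + 1) -eq $dns.Substring(2)) { return $true }
    }
    return $false
}

# Same listing as 'dir Cert:\LocalMachine\My', with the selection done for you:
# a usable certificate has a private key, is not expired, and names the service.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-CertCoversName $_ $FederationServiceName)
})
if ($candidates.Count -ne 1) {
    throw ('Expected exactly one usable certificate for {0} in LocalMachine\My, found {1}' -f $FederationServiceName, $candidates.Count)
}
$thumbprint = $candidates[0].Thumbprint

# KDS root key check: the Kds cmdlets exist on a domain controller, so skip it elsewhere.
if ((Get-Command Get-KdsRootKey -ErrorAction SilentlyContinue) -and -not (Get-KdsRootKey)) {
    throw 'No KDS root key in this domain; run Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) on a DC first'
}

$common = @{ CertificateThumbprint = $thumbprint; GroupServiceAccountIdentifier = $GmsaIdentifier }
if ($Overwrite) { $common.OverwriteConfiguration = $true }

if ($PrimaryComputerName) {
    Add-AdfsFarmNode @common -PrimaryComputerName $PrimaryComputerName
} else {
    Install-AdfsFarm @common -FederationServiceName $FederationServiceName
}
```

Run it as a domain administrator on the server being configured; for a SQL farm, replace the trailing call with the -SQLConnectionString variants shown above.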