Importing the Server Authentication Certificate into IIS
Since all client authentication against ADFS takes place over SSL, we need to import a server authentication certificate on each ADFS Proxy server. Because every client, including devices outside your control, must trust this certificate, it is recommended to use a certificate from a third-party certificate provider that is already present in the clients' trust stores rather than one issued by an internal CA. Although we use a wildcard certificate as the example in this article series, a single-name SSL certificate is sufficient; bear in mind that a wildcard certificate's private key sits on an Internet-facing DMZ host, and if it is compromised there, every host name under that domain is affected. If you use a single-name certificate, the FQDN it contains must match the FQDN that iCloud24x7 configured in the previous article (in this example sts.office365labs.dk).
To import the certificate, open the IIS Manager, select the web server object and then open "Server Certificates" in the middle pane. Under Server Certificates, click "Import" in the action pane. Point to the certificate you wish to import, specify the password and click "OK". The next step is to bind the certificate to the "Default Web Site".
To do so, expand "Sites", select the "Default Web Site" and click the "Bindings" link in the "Action Pane". Under "Site Bindings" click "Add". In "Add Site Bindings", select "HTTPS" in the "Type" drop-down box and then point at the imported certificate under "SSL certificate".
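The same import and binding can be scripted, which also lets you check the certificate before it goes live. The following is an added example written for this page, not code from the original article or from Microsoft: it imports the PFX into the Local Computer > Personal store, checks that the certificate's CN or SAN entries actually cover the federation service name (with correct single-label wildcard matching), and binds it to the Default Web Site on port 443. It assumes Windows Server 2008 R2 with IIS 7.5 and the WebAdministration module, an elevated PowerShell session, and that the PFX path and the FQDN are placeholders you replace.

```powershell
# Added example, not part of the original article: import the server authentication
# certificate into the machine store, confirm it covers the federation service name,
# and bind it to the Default Web Site on port 443. Assumes Windows Server 2008 R2 /
# IIS 7.5 with the WebAdministration module and an elevated PowerShell session.
# The PFX path and the FQDN below are placeholders for this example.
Import-Module WebAdministration

$pfxPath     = 'C:\Certs\sts.pfx'        # assumption: PFX exported with its private key
$serviceFqdn = 'sts.office365labs.dk'    # must match the federation service name
$pfxPassword = Read-Host 'PFX password' -AsSecureString

# Does $certName (a CN or SAN entry) cover $fqdn? A wildcard covers exactly one label:
# *.office365labs.dk covers sts.office365labs.dk but not a.sts.office365labs.dk.
function Test-NameCovers([string]$certName, [string]$fqdn) {
    if ($certName -eq $fqdn) { return $true }
    if ($certName.StartsWith('*.')) {
        $suffix = $certName.Substring(1)                       # ".office365labs.dk"
        if (-not $fqdn.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $false }
        $label = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)
        return ($label -ne '' -and -not $label.Contains('.'))
    }
    return $false
}

# Collect the DNS names the certificate is valid for: subject CN plus SAN DNS entries.
function Get-CertDnsNames($cert) {
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English CryptoAPI formatting, one "DNS Name=<host>" per line
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

# MachineKeySet puts the private key in the machine profile, where the IIS worker
# process and, later, the ADFS proxy service can use it. Leaving out Exportable means
# the key cannot simply be re-exported from this DMZ host afterwards.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPassword, $flags)

if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain a private key.' }
if ((Get-Date) -gt $cert.NotAfter) { throw "Certificate expired on $($cert.NotAfter)." }

$names   = Get-CertDnsNames $cert
$covered = $names | Where-Object { Test-NameCovers $_ $serviceFqdn }
if (-not $covered) {
    throw "Certificate names ($($names -join ', ')) do not cover $serviceFqdn; clients would reject it."
}

# Place it in the Local Computer > Personal store, which is what IIS Manager's
# "Server Certificates" view and the SSL binding below read from.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Add an HTTPS binding on the Default Web Site and map all addresses on 443 to the cert.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslBinding | Out-Null

"Bound $($cert.Subject) (thumbprint $($cert.Thumbprint)) to https on 0.0.0.0:443"
```

Run it on each proxy in turn; the name check is what saves you from finishing the whole ADFS install only to find that browsers reject the proxy because the certificate was issued for a different host name.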
Installing & Configuring the ADFS Proxy Server Settings
With the two ADFS Proxy servers configured in a WNLB cluster and the required certificate imported, it's time to get the ADFS 2.0 RTW component installed and configured on both servers.
Important: It is not the ADFS component included with Windows Server 2008 R2 (the Active Directory Federation Services server role, which is ADFS 1.1) that we need to install. ADFS 2.0 RTW is a separate package that must be downloaded from Microsoft. And while we're at it, we also need to download the latest update for ADFS 2.0 RTW, which at the time of writing is Update Rollup 2.
Launch "AdfsSetup.exe" and accept the license agreement. On the "Server Role" page we specify what type of federation server we wish to configure. Since these are the two external ADFS Proxy servers, select "Federation server proxy" and click "Next".
On the "Welcome to the AD FS 2.0 Setup Wizard" page, click "Next". The wizard will now install a couple of prerequisites on the server. Click "Next". After a minute or so the wizard completes successfully and we can click "Finish". Make sure to untick "Start AD FS 2.0 Management snap-in when this wizard closes", as we want to install Update Rollup 2 for AD FS 2.0 before we continue.
When the update has been applied, launch the "AD FS 2.0 Federation Server Proxy Configuration Wizard". Enter the name of the federation service to which the ADFS Proxy server will forward client requests (in this case "sts.office365lab.dk") and click "Test Connection". This test only succeeds if the proxy can reach the federation service on TCP port 443 and trusts the certificate it presents. Note that on the proxy this name must resolve to the internal federation servers (typically via a hosts file entry or split DNS), not to the proxy's own NLB address, or the proxy would be forwarding requests to itself. If things are configured properly, you will see a dialog box saying that the test was successful.
Click "OK" and then "Next". You will be prompted for credentials that have permission to establish a trust between the ADFS Proxy server and the ADFS servers on the internal network; these are supplied by iCloud24x7. Enter them and click "OK".
Note: You can use the ADFS service account that is used for the ADFS servers on the internal network. Bear in mind that these credentials are entered once only, to establish the proxy trust; they are not stored on the ADFS Proxy servers and are not configured as the identity of any service there, so the DMZ hosts do not end up holding the internal service account's password.
Click "Next". When the wizard has configured each component successfully, click "Close" to exit the wizard.
Verifying the ADFS Proxy Servers have been configured properly
To verify that the ADFS Proxy servers are operating as expected, open the AD FS 2.0 event log (Event Viewer > Applications and Services Logs > AD FS 2.0 > Admin) and look for event ID 198. If you see this event, the ADFS Proxy server has been configured properly. Repeat the check on both proxies, since each one establishes its own trust with the federation service.
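The wizard's "Test Connection" step above and the event ID 198 check can both be repeated from a script, which is handy when a proxy stops working later and you want to know whether name resolution, the TLS path to the federation service, the ADFS service or the proxy trust is the problem. The following is an added example written for this page, not code from the original article or from Microsoft. It assumes PowerShell 2.0 or later on the proxy, that the AD FS 2.0 admin log is named "AD FS 2.0/Admin" and the AD FS 2.0 Windows Service "adfssrv", and that the federation service name is a placeholder you replace.

```powershell
# Added example, not part of the original article: checks to run on each ADFS 2.0
# proxy after the configuration wizard. Assumptions: PowerShell 2.0 or later, the
# AD FS 2.0 admin log named 'AD FS 2.0/Admin', the AD FS 2.0 Windows Service named
# 'adfssrv', and a placeholder federation service name.
$serviceFqdn = 'sts.office365lab.dk'
$logName     = 'AD FS 2.0/Admin'

# 1. Name resolution: on the proxy the federation service name must resolve to the
#    internal federation servers (hosts file or split DNS), not to one of this host's
#    own addresses or the NLB VIP, or the proxy would forward requests to itself.
function Test-FederationNameResolution([string]$HostName) {
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    $local    = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) | ForEach-Object { $_.IPAddressToString }
    $loop     = $resolved | Where-Object { $local -contains $_ }
    New-Object PSObject -Property @{ Host = $HostName; ResolvesTo = ($resolved -join ', '); PointsAtSelf = [bool]$loop }
}

# 2. A transport-level equivalent of the wizard's "Test Connection": open TCP 443,
#    complete a TLS handshake with default certificate validation, and report what
#    the federation service presented.
function Test-FederationServiceTls([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)     # throws if the chain or the name is not trusted
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; Protocol = $ssl.SslProtocol
            Subject = $remote.Subject; Thumbprint = $remote.Thumbprint; NotAfter = $remote.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# 3. The configuration event the article refers to: event ID 198 in the AD FS 2.0 log.
function Get-ProxyConfiguredEvent([int]$EventId = 198, [int]$Hours = 24) {
    $filter = @{ LogName = $logName; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending | Select-Object -First 1 TimeCreated, Id, Message
}

$dns = Test-FederationNameResolution $serviceFqdn
"$serviceFqdn resolves to $($dns.ResolvesTo)"
if ($dns.PointsAtSelf) {
    Write-Warning "$serviceFqdn resolves to this proxy; point it at the internal federation servers."
}

$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'AD FS 2.0 Windows Service (adfssrv) is not running.'
}

try {
    $tls = Test-FederationServiceTls $serviceFqdn
    "TLS to $($tls.Host):$($tls.Port) OK ($($tls.Protocol)); server cert $($tls.Subject), expires $($tls.NotAfter)"
} catch {
    Write-Warning "TLS handshake with $serviceFqdn failed: $($_.Exception.Message)"
}

$evt = Get-ProxyConfiguredEvent
if ($evt) { "Event $($evt.Id) logged at $($evt.TimeCreated): $($evt.Message)" }
else      { Write-Warning "No event 198 in '$logName' in the last 24 hours; the proxy trust was not established." }
```

The order of the checks matters: a handshake failure with the name resolving to the proxy itself is a hosts file problem, a handshake failure with correct resolution is a certificate trust problem on the internal federation servers, and a clean handshake with no event 198 points at the credentials used in the wizard.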