
SharePoint 2010 and AD FS–Part 2

In the first part of this series we looked at the problem we were trying to solve by using these products together.  In this part we are going to look at the setup and configuration of the AD FS server.

AD FS Service Account

When you install AD FS 2.0 you can choose between a single-server AD FS installation or an AD FS farm (to which you can add servers later). It’s a good idea to configure a farm even if you’re only going to run a single server, because it gives you flexibility in the future should you need it. The only difference when configuring a farm is that you’ll need an AD service account with an SPN registered on it, that’s all!

So in this step we’ll create the service account and register the SPN.

  • Open Active Directory Users and Computers and create a user (in this example AdfsSvc)

There are two possible ways to add the SPN to the user:

  • command line : setspn -a host/logon.example.com AdfsSvc
  • GUI : Enable the Advanced Features view in Active Directory Users and Computers. Right-click the service account and open Properties. Select the Attribute Editor tab, scroll to servicePrincipalName and select Edit. Add the SPN host/logon.example.com

ADFS 2.0 installation

Log on to the server which will function as the Federation Server. Download ADFS 2.0 RTW and start the installation by running AdfsSetup.exe. Choose Federation Server.

The installation wizard will also install some additional features (.NET Framework, IIS). Once installation is complete the ADFS 2.0 console will open. Do not run the configuration wizard yet.


Besides the certificates needed for SharePoint we’ll need two certificates for ADFS 2.0 web SSO:

  1. Service communications certificate.
    • This certificate is used for the logon page provided by ADFS 2.0 (in this example it’s logon.example.com).
    • This certificate should be a public certificate, since employees will use it when accessing the logon page from outside the network
    • This should be a standard SSL certificate
  2. Token signing certificate (optional; as all the traffic is already over SSL it isn’t necessary to also encrypt the token.)
    • This certificate is used for signing the tokens which will be provided to SharePoint.
    • This could be a public certificate or a certificate issued by your internal Certificate Authority
    • This could be any kind of certificate. I used an SSL certificate.
    • This should be a 2048-bit certificate. 1024-bit is possible but generates a warning in ADFS 2.0

If you’re configuring a Federated Web SSO you’ll need a third certificate for decryption (outside the scope of this post).

Since the ADFS 2.0 wizard also installed IIS you can generate the certificate requests from the IIS console and request your certificates.

!! Note. Always export your certificates with their private keys and keep the exports somewhere safe in case you need them later.

Once you have your certificates installed (they should show up in IIS) you’re ready to run the ADFS 2.0 configuration wizard.

Configuration wizard ADFS 2.0

Open the ADFS 2.0 management console on the Federation Server (VSrvFs) and click ADFS 2.0 Federation Server Configuration Wizard. This wizard picks up the certificate and location from the default IIS website on the server, so if you want to save yourself changing the service certificate later, go into IIS and update the bindings/certificates on that site before running the wizard.

  • Create a new Federation Service
  • New federation server farm
  • Certificate : logon.example.com
  • Service Account : Use the AD service account created above (example\AdfsSvc)

Add Token signing certificate

To add our own certificates to ADFS 2.0 we first need to disable the AD FS automatic certificate rollover feature.

Open a PowerShell prompt on the Federation Server (VSrvFs) and run the following commands:

Add-PsSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $false

Next, in the ADFS 2.0 management console select Service > Certificates > Add Token-Signing Certificate.

Select the tokensigning.example.com certificate and mark it as primary.

Private key permissions

The service account we specified above needs permissions on the private key of the token signing certificate, otherwise it will not be able to sign anything. This may already have been done by the AD FS installation, but let’s check it anyway.

  • Open a Microsoft Management Console (mmc.exe) on the Federation Server (VSrvFs) and add the Certificates snap-in (connect to the local computer)
  • Browse to personal > certificates. Right-click tokensigning.example.com > All Tasks > Manage Private Keys
  • Give the service account (example\AdfsSvc) read permissions
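The certificate requirements above (private key present, 2048-bit key) and this private key permission check can be verified from PowerShell rather than clicking through the MMC. This is an added example, not a script from the original post; it assumes the subject name tokensigning.example.com and the service account example\AdfsSvc used in this post, and a CSP-stored key in the standard machine key folder under %ProgramData%.

```powershell
# Added example (not from the original post): check that a certificate in the
# local machine store is ready to be the AD FS 2.0 token-signing certificate.
# Assumptions: subject and service account from the post, CSP key storage.
param(
    [string]$Subject        = 'CN=tokensigning.example.com',
    [string]$ServiceAccount = 'example\AdfsSvc'
)

# Pick the newest certificate with the expected subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# Without a private key AD FS cannot sign anything.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }

# The post recommends 2048-bit keys; AD FS 2.0 warns on 1024-bit keys.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { Write-Warning "Key is only $keySize bits; 2048 is recommended." }
else { "Key size   : $keySize bits (OK)" }

# Machine keys are stored as files; the ACL on that file is exactly what
# 'Manage Private Keys' in the MMC edits, so inspect it for the service account.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$access = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -ieq $ServiceAccount -and
                   $_.AccessControlType -eq 'Allow' }
if ($access) {
    "Key ACL    : $ServiceAccount has $($access.FileSystemRights -join ', ')"
} else {
    Write-Warning "$ServiceAccount has no Allow entry on $keyFile; grant Read via Manage Private Keys."
}
```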

Forms authentication

At this point AD FS is ready for the Relying Party to be configured. Unless you installed an AD FS Proxy, the default behaviour of this AD FS installation is Windows Authentication rather than forms-based authentication, which is probably what you are after. This is because of the order in which AD FS tries the local authentication types, and for reasons I agree with (see http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-local-authentication-type.aspx and http://social.technet.microsoft.com/wiki/contents/articles/1600.aspx).

To change this to Forms authentication, the steps are described in the links above; they are simply:

  1. In Windows Explorer, browse to C:\inetpub\adfs\ls (assuming that inetpub lives in C:\)
  2. Select web.config and open it in Notepad
  3. Find (Ctrl+F) <localAuthenticationTypes>
  4. There are four lines below <localAuthenticationTypes>. Each line represents one of the local authentication types described in the linked articles.
  5. Cut your preferred local authentication type (the entire line) and paste it at the top of the list (directly under <localAuthenticationTypes>)
  6. Save and close the web.config file
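The same reorder can be scripted so it is repeatable on every farm member and leaves a backup behind. This is an added example, not from the original post; it assumes the default path C:\inetpub\adfs\ls\web.config and the AD FS 2.0 element shape <add name="Forms" page="..." /> inside <localAuthenticationTypes>.

```powershell
# Added example (not from the original post): move the preferred local
# authentication type to the top of <localAuthenticationTypes> in the AD FS 2.0
# sign-in web.config. Assumes the default path and the <add name="..." .../> shape.
param(
    [string]$WebConfig = 'C:\inetpub\adfs\ls\web.config',
    [string]$Preferred = 'Forms'
)

# Keep a timestamped copy so the change can be rolled back.
$backup = "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $WebConfig -Destination $backup

[xml]$config = Get-Content -Path $WebConfig
$types = $config.SelectSingleNode('//localAuthenticationTypes')
if (-not $types) { throw "No <localAuthenticationTypes> element found in $WebConfig" }

$node = $types.SelectSingleNode("add[@name='$Preferred']")
if (-not $node) { throw "No local authentication type named '$Preferred' found" }

# PrependChild re-parents the existing node, so the list keeps the same
# entries; only the order changes, which is all step 5 above does by hand.
[void]$types.PrependChild($node)
$config.Save($WebConfig)

# Show the resulting order; the first entry is the one AD FS will offer.
Write-Host "Backup written to $backup"
Write-Host 'Local authentication types are now tried in this order:'
$types.add | ForEach-Object { Write-Host "  $($_.name)  ($($_.page))" }
```

Because the file is written through the XML API the rest of web.config is preserved, and as the next paragraph notes, no IIS restart is needed after saving.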

There is no need to restart IIS, as ASP.NET recycles the application when the web.config file is updated.

Customise the look

If you want to, you can customise the .ASPX pages alongside the web.config to give the logon page your own look and feel. However, if all you want to do is add a logo, check out the appConfig section in the web.config file. It is fully commented and lets you add a logo with a simple change to one of the parameters.

Next Steps

So now, if you have been following these posts, you will understand the problem and have AD FS set up. In the next post we will look at the configuration of the Relying Party and the configuration within SharePoint. I’m going to assume that you already have SharePoint 2010 installed.
