Install ADFS on Windows Server 2016

This document provides instructions for installing ADFS on Windows Server 2016. It describes obtaining an ADFS certificate, installing the ADFS role using the Add Roles and Features Wizard in Server Manager, and configuring ADFS including specifying the certificate, service account, and database. It also provides a PowerShell script example for installing an ADFS farm and adding additional nodes.

Uploaded by Luke Lu

How to install ADFS on Windows Server 2016

In this guide we will go through an ADFS installation on Windows Server 2016.

Before installing ADFS we have to obtain an ADFS certificate. You can use the Certificates MMC snap-in to create a new certificate request. Include every SAN entry that you are going to use with the certificate and with ADFS (at minimum the federation service name). Once you have the certificate, import it on the ADFS server and make sure the private key for that certificate is present. After the certificate import, follow the steps below to install the ADFS role on Windows Server 2016.

Windows Server 2012 domain controllers (DCs) and later versions require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 hours from the time of creation, to allow all domain controllers to converge their Active Directory replication, before allowing the creation of a gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all the domain controllers in the environment can answer gMSA requests. If you try to use a gMSA too soon, the key might not have been replicated to all the Windows Server 2012 domain controllers, and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using domain controllers with limited replication schedules or if there is a replication issue.

The Add-KdsRootKey cmdlet generates a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory (AD). The Group KdsSvc then generates new group keys from the new root key.

If you don't want to wait the 10 hours, run the command below; it backdates the key's effective time by 10 hours so the key can be used immediately:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Install the ADFS role:-

Log in to the Windows Server 2016 machine and open Server Manager. In Server Manager click Add Roles and Features. Under Server Roles select the Active Directory Federation Services role. Click Next and don't select anything on the Features page. Click Next and then Close.
Configuring ADFS:-

After installation, click Configure the federation service on this server. If you are installing the first ADFS server, select the first option.

If you are installing an additional ADFS server, select the second option.

On the second page you have to provide a domain administrator account.

On the third page select the certificate you imported and make sure that the ADFS service name shown is correct; it is derived from the certificate's SAN names.

Enter the ADFS display name (usually your company name; it is shown to end users on the ADFS login page).

On the next page choose a group managed service account (gMSA) for ADFS.

On the next page select the database store for the ADFS configuration database. It can be WID or SQL. I chose WID in this case.

On the next page click Configure and the configuration will begin. It will take some time to complete. If you see a warning that the SPN for the specified service account could not be set, run the command below to set the SPN manually.

Here <server name> is your ADFS farm name (the federation service name).


setspn -a host/<server name> <service account>

For example:

setspn -a host/adfs.testlab.com gmsa_adfs


Using PowerShell to install ADFS:-

# Windows PowerShell script for AD FS Deployment
Import-Module ADFS

# Creates the first node of a new farm. The thumbprint is that of the SSL
# certificate imported earlier; the gMSA name must end in a literal $ (escaped as `$).
Install-AdfsFarm `
-CertificateThumbprint:"3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68" `
-FederationServiceDisplayName:"Testlab ADFS" `
-FederationServiceName:"ADFS.testlab.local" `
-GroupServiceAccountIdentifier:"TESTLAB\gmsa_adfs`$"

Using PowerShell to add an additional ADFS farm node:-

# Windows PowerShell script for AD FS Deployment
Import-Module ADFS

# Joins this server to the existing farm; the same certificate and gMSA are used,
# and -PrimaryComputerName points at the farm's primary node.
Add-AdfsFarmNode `
-CertificateThumbprint:"3C27DD6A78E2A0DC5F4366FBD0DAF8327036ED68" `
-GroupServiceAccountIdentifier:"TESTLAB\gmsa_adfs`$" `
-PrimaryComputerName:"adfs1.testlab.local"
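Before running either script, the prerequisites covered above (certificate with private key and matching SAN, an effective KDS root key, a gMSA this host can use, and the host/<farm name> SPN) can be verified in one pass. The following pre-flight check is an added example, not part of the original guide; it assumes the farm name adfs.testlab.local and the gMSA gmsa_adfs from the examples above, and that the RSAT Active Directory module is installed on the server.

```powershell
# Added pre-flight check, not part of the original guide. Assumes the farm
# name and gMSA from the guide's examples; adjust both for your environment.
# Run as a domain admin on the prospective ADFS server (needs RSAT-AD-PowerShell).
$FederationServiceName = 'adfs.testlab.local'
$GmsaName              = 'gmsa_adfs'

# 1. SSL certificate: in LocalMachine\My, private key present, farm name in the SAN list.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($FederationServiceName))
}
if ($cert) {
    "Certificate OK: $($cert.Thumbprint) (expires $($cert.NotAfter))"
} else {
    Write-Warning "No certificate with a private key and SAN '$FederationServiceName' in LocalMachine\My."
}

# 2. KDS root key: gMSA passwords are only generated once a root key is effective.
#    An EffectiveTime in the future means the 10-hour replication wait is still running.
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
if (-not $rootKey) {
    Write-Warning 'No KDS root key exists; run Add-KdsRootKey before creating the gMSA.'
} elseif ($rootKey.EffectiveTime -gt (Get-Date)) {
    Write-Warning "KDS root key is not effective until $($rootKey.EffectiveTime)."
} else {
    "KDS root key OK (effective since $($rootKey.EffectiveTime))"
}

# 3. gMSA: exists, this host may retrieve its password, and host/<farm name> SPN is registered.
$gmsa = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Properties ServicePrincipalNames
if (-not $gmsa) {
    Write-Warning "gMSA '$GmsaName' not found in Active Directory."
} else {
    "gMSA OK: $($gmsa.DistinguishedName)"
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
        # Fails when this computer is not in PrincipalsAllowedToRetrieveManagedPassword.
        Write-Warning "This host cannot retrieve the password of '$GmsaName'."
    }
    if ($gmsa.ServicePrincipalNames -notcontains "host/$FederationServiceName") {
        # This is the condition behind the SPN warning the configuration wizard shows.
        Write-Warning "SPN host/$FederationServiceName is missing on '$GmsaName'; set it with setspn as shown above."
    }
}
```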
