Windows Server 2016 installation and configuration ADFS 4.0

Source: Internet
Author: User

ADFS (Active Directory Federation Services) is the federation service for Active Directory; it extends Active Directory to the Internet. To understand this, consider how Active Directory normally works: when a user authenticates through Active Directory, the domain controller checks the user's credentials, and once the user is proven legitimate they can access any authorized resource on the Windows network without re-authenticating at each server they visit. There is not much more to introduce here; today we mainly cover installing and configuring ADFS 4.0 on Windows Server 2016.

Note that each version is configured differently, especially from 4.0 onwards.

The ADFS version on Windows Server 2008 is ADFS 2.5

The ADFS version on Windows Server 2012 R2 is ADFS 3.0

The ADFS version on Windows Server 2016 is ADFS 4.0

Environment:

Hostname: dc
IP: 192.168.5.10
Role: DC, DNS, CA

Hostname: adfs
IP: 192.168.6.26
Role: ADFS

We first prepare the DC. Ours is already installed, so that part is skipped.

Then we need to install the CA on the DC

Check the CA's related services

Installation Complete

Next we configure Certificate Services

Configure according to the wizard

Tick the services you need to configure

We choose Enterprise root CA

Create a new private key

Specify the CA name

Confirm the configuration information

Configuration complete

We verify the CA

When the above environment is ready, you can configure the ADFS server. Before configuring it, we need to authorize the ADFS computer (or a specified user or computer) to enroll for a certificate.

We open the certificate template settings on the CA server: open Administrative Tools and double-click Certification Authority.

Right-click Certificate Templates and choose Manage

In Certificate Templates, right-click Web Server and choose Properties.

On the Security tab, add the ADFS computer account. It has the form hostname$, for example adfs$.

Here you can also see which users have permission to enroll for a certificate. By default these are Domain Admins and Enterprise Admins.

Next we install the ADFS service, and before we install ADFS, we need to create an ADFS account and a certificate.

We create the service account Adfs_svc

Once the account is ready, we request a certificate. There are two common methods: requesting the certificate through IIS, or through the MMC console. The IIS method is skipped here; today we mainly use MMC for the certificate request, which is relatively simple.

We run MMC on the ADFS server and open the Certificates snap-in for the computer account.

Right-click Personal, then All Tasks, then Request New Certificate

Default

We can see the Web Server template; click through the wizard to enroll the certificate.

The key point is that the computer name and the ADFS certificate name cannot be the same.

Tick the Web Server template and enroll

Enrollment complete

The certificate is now issued.

Then we start installing the ADFS service.

Installation Complete

With the installation complete, we start the configuration.

Our current user is a domain administrator

We select the certificate we just requested and then define the display name

Specify the service account that we created at the beginning

We use the Windows Internal Database to store the configuration data on this server

Confirm the information

Prerequisite checks

We hit an error here. If you install and configure ADFS on Windows Server 2012 R2, this error does not occur.

After checking the documentation for Windows Server 2016, it turns out that ADFS 4.0 requires the certificate to also carry a name beginning with certauth, for example certauth.adfs.contoso.com. In addition, the IdP-initiated sign-on page is disabled by default and has to be enabled manually with a PowerShell command.

First, we run the following commands in PowerShell 4.0:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
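As an added example that is not part of the original post, the following PowerShell scripts the wizard steps above (choosing the certificate, creating the farm on the Windows Internal Database, enabling the IdP-initiated sign-on page) and first checks for the certauth name whose absence caused the error. The federation service name is taken from the test URL at the end of the post; the display name and the service account's domain prefix are placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# ADFS server after the ADFS role has been installed and the certificate enrolled.
$FederationServiceName = 'adfs-srv.ixmsoft.com'                 # from the post's test URL
$CertAuthName          = "certauth.$FederationServiceName"       # extra SAN ADFS 4.0 needs
$DisplayName           = 'IXMSOFT ADFS'                          # placeholder
$ServiceAccount        = 'IXMSOFT\Adfs_svc'                      # domain prefix is a placeholder

# 1. Pick a machine-store certificate that carries BOTH required DNS names and has a
#    private key. This is exactly what the wizard tripped over in the post: the first
#    certificate only had the service name, so the certauth endpoint could not be bound.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.DnsNameList.Unicode -contains $FederationServiceName -and
    $_.DnsNameList.Unicode -contains $CertAuthName
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate with SANs '$FederationServiceName' and '$CertAuthName' found. " +
          "Re-enroll from the Web Server template with both names before configuring ADFS."
}
Write-Host "Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Create the farm. Without -SQLConnectionString, Install-AdfsFarm uses the Windows
#    Internal Database, matching the choice made in the wizard.
$cred = Get-Credential -UserName $ServiceAccount -Message 'ADFS service account password'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $cred

# 3. The IdP-initiated sign-on page is off by default in ADFS 4.0. Enable it for the test
#    and confirm the property took effect; it is an extra public page, so turn it back off
#    later if applications do not actually need it.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    throw 'IdP-initiated sign-on page is still disabled'
}
Write-Host "Test URL: https://$FederationServiceName/adfs/ls/idpinitiatedsignon.aspx"
```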

After running these commands, we request a new certificate that includes the certauth name

After adding the certificate, we add a DNS resolution record for the name

Then we test access to

Https://adfs-srv.ixmsoft.com/adfs/ls/idpinitiatedsignon.aspx

Sign-in succeeded.

Refer to the following Microsoft documentation for details:

https://social.technet.microsoft.com/wiki/contents/articles/34162.ad-fs-4-0-discover-setup-and-publish-application-part1.aspx

This article from "Gao Wenrong" blog, declined reprint!