In this, the first article in a two-part series, I’m going to show you how to set up Windows Server 2012 R2 Active Directory Federation Services (AD FS) for the purposes of allowing devices to use Workplace Join. In the second part, we’ll prepare a Windows 8.x client for Workplace Join and register the device with our Active Directory domain.
To set up the lab, you’ll need two servers: one Active Directory domain controller (DC) and an AD FS server. Both must be running Windows Server 2012 R2. Additionally, you’ll need a device running Windows 8.1 that is not joined to the AD domain.
Configure a Certification Authority
In this example, I’m going to set up a certification authority (CA) on my domain controller. Log on to the DC with domain administrator permissions. If you would prefer to complete the following steps using PowerShell, skip to the separate instructions below.
- Open Server Manager from the icon on the desktop taskbar or from the Start screen.
- In Server Manager, click Manage and select Add Roles and Features from the menu.
- In the Add Roles and Features wizard, click Server Selection, and make sure the current server is listed.
- In the left pane of the wizard, click Server Roles.
- Check Active Directory Certificate Services under Roles on the right.
- In the pop-up window, click Add Features.
- In the Add Roles and Features wizard, click Role Services on the left.
- Check Certification Authority under Role services, and click Next.
- Click Install to finish the process.
- Click Close when the installation has completed successfully.
Once the CA components are installed, we need to do some post-configuration work.
- In Server Manager, click the yellow “attention” icon to start the certificate services post-deployment configuration.
- In the AD CS Configuration dialog, check that your current domain admin user account is listed in the Credentials box.
- In the left pane, click Role Services, check Certification Authority and click Next.
- On the Setup Type screen, check Enterprise CA and click Next.
- Under Specify the type of CA, make sure that Root CA is selected and click Next.
- On the Private Key screen, check Create a new private key and click Next.
- We are going to accept all the default settings for the private key and certification database, so on the left, click Confirmation, and then click Configure in the bottom right of the wizard.
- Click Close when the configuration has completed successfully.
Install a Certification Authority with PowerShell
To complete all of the above steps using PowerShell, run the following two commands from an elevated PowerShell console:
add-windowsfeature adcs-cert-authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa
Setup an SSL Certificate Template for AD FS
Before we can request a certificate for ADFS, we need to set up an appropriate template in our certification authority. Log in to your CA server with administrative permissions:
- In Server Manager, click Tools and select Certification Authority from the menu.
- In the Certification Authority MMC, expand your CA in the left pane, right click Certificate Templates and select Manage from the menu.
- In the Certificate Templates console, scroll down to the Web Server template in the central pane, right click it and select Duplicate Template from the menu.
- In the Properties dialog, switch to the General tab.
- In the Template display name box, type SSL Certificates.
- Now switch to the Security tab and click Authenticated Users under Group or user names.
- Under Permissions for Authenticated Users, check Enroll in the Allow column and click OK.
- Close the Certificate Templates console.
- In the Certification Authority MMC, right click Certificate Templates in the left pane and select New > Certificate Template to Issue from the menu.
- In the Enable Certificate Templates dialog, select SSL Certificates in the list and click OK.
- Click Certificate Templates in the left pane of the Certification Authority MMC, and you should see SSL Certificates appear in the left with an Intended Purpose of Server Authentication.
Request a Certificate for AD FS
Now that we have an appropriate certificate template, we can request a certificate for the AD FS server.
- Log in to your ADFS server as a domain administrator.
- Go to the Start screen, type mmc and press Enter to open an MMC console on the desktop.
- In the MMC console, go to the File menu and select Add/Remove Snap-in…
- In the Add or Remove Snap-ins dialog, select Certificates under Available snap-ins and press Add.
- In the Certificates snap-in dialog, select Computer account and click Next.
- On the Select Computer screen, select Local computer and click Finish.
- Click OK in the Add or Remove Snap-ins dialog.
- In the left pane of the MMC console, expand Certificates (Local Computer), right-click Personal and select All Tasks > Request New Certificate from the menu.
- In the Certificate Enrollment dialog, click Next on the Before You Begin screen.
- On the Select Certificate Enrollment Policy screen, select Active Directory Enrollment Policy and click Next.
- On the Request Certificates screen, click More information is required to enroll for this certificate below SSL Certificates.
- In the Certificate Properties dialog on the Subject tab, set the Subject name Type to Common name. In the Value box, type the Fully Qualified Domain Name (FQDN) name of your ADFS server and click Add. In my lab, the FQDN of my ADFS server is adfs.ad.contoso.com.
- Under Alternative name, set the Type box to DNS. In the Value box, type the FQDN name of your ADFS server and click Add.
- Repeat the last step to set an additional Alternative name DNS value, but this time set the value to enterpriseregistration.ad.contoso.com, replacing ad.contoso.com with your domain name.
- Now click OK in the Certificate Properties dialog.
- Back in the Certificate Enrollment dialog on the Request Certificates screen, check SSL Certificates and click Enroll.
- Once the enrolment has succeeded, click Finish.
- In the MMC, click Certificates under Personal in the left pane and you should see the certificate has been issued on the right by your domain’s certification authority.
- Close the MMC.
Install Active Directory Federation Services
Now that the SSL certificate is in place on the server, we need to install the AD FS bits and perform some basic configuration.
- Log in to your AD FS server with a domain administrator account.
- Open a PowerShell console using the icon on the desktop taskbar or from the Start screen.
- In the PowerShell console, type Add-WindowsFeature adfs-federation –IncludeManagementTools and press Enter.
- Once AD FS has installed, you can ignore the warning message and close the PowerShell console.
- Open Server Manager using the icon on the desktop taskbar or from the Start screen.
- Click the yellow alert icon in the top right of Server Manager and then click Configure the federation service on this server link in the pop-out.
- On the Welcome screen of the configuration wizard, make sure that Create the first federation server in a federation server farm is selected and click Next.
- On the Connect to AD DS screen, make sure that an account with domain administrator permissions is selected and click Next.
- On the Specify Service Properties screen, select the certificate you previously installed on the server from the menu to the right of SSL Certificate.
- Select adfs.ad.contoso.com for the Federation Service Name.
- In the Federation Service Display Name box, type Contoso Corporation and then click Next.
- On the Specify Service Account screen, check Create a Group Managed Service Account, type fsgma in the box and click Next.
- On the Specify Configuration Database screen, leave the default selection to Create a database on this server using Windows Internal Database and click Next.
- Click Next on the Review Options screen.
- Click Configure on the Pre-requisite Checks screen.
- Close the wizard once configuration has completed.
In the second part of this series, I’ll show you how to enable device registration in Active Directory and how to set up a Windows 8.x client for Workplace Join.