The following is a work in progress… Everything done so far works, but this is not yet a complete end-to-end deployment guide…
ADFS 2: new… improved?
There were lots of setup and configuration guides for ADFS 1.0, even though the product was nauseatingly difficult to understand. Along comes ADFS 2… new, more powerful, better, more standards compliant… documentation reads like scrawl on a napkin.
Some setup quirks:
- Don’t forget that no current version of Windows Server includes ADFS 2.0… not even Server 2008 R2. If you want to install ADFS 2.0 you must download it from MS and install it. DO NOT add the out-of-box ADFS role on Server 2008 R2. It will confuse you, because it does not disclose which version of ADFS it is.
- Since we are planning a farm, generate a farm SSL certificate on one of the ADFS servers, then export the certificate in PFX format (that is, with the private key), and restore the cert to the second ADFS server.
- It is considered desirable to put the ADFS database on a reliable external database server, but documentation on this option is limited to the command line help. Here is what I did:
- On one of the ADFS servers, run:
Fsconfig.exe GenerateSQLScripts /ServiceAccount [account] /ScriptDestinationFolder [destination folder]
- Install the appropriate version of the SQL Native Client on the ADFS servers.
- On the SQL server, run the two scripts that were generated by the above command. This will create two databases… AdfsConfiguration and AdfsArtifactStore, and set permissions for the service account specified.
- Make sure that any firewalls on the SQL server will allow the ADFS servers to connect to it.
- Since we use SQL mirroring, set up mirrors for these databases. Add the service account to the list of accepted logins on the mirror server, since this will not be done automatically.
- Generate certificates that will be used for the ADFS web site, token signing, and token decryption. Put the certificates in the Windows certificate store of the local computer.
- Preconfigure binding of the SSL certificate to the default IIS web site.
- Configure the first server in the farm using the following syntax:
Fsconfig.exe CreateSQLFarm /ServiceAccount [Service Account] /ServiceAccountPassword [password] /SQLConnectionString "Initial Catalog=AdfsConfiguration; Data Source=spellbound; failover partner=rearwindow; integrated security=SSPI; Network Library=DBMSSOCN" /FederationServiceName login2.uvm.edu /CleanConfig /CertThumbprint "[thumbprint]" /SigningCertThumbprint "[thumbprint]" /DecryptCertThumbprint "[thumbprint]"
- Note that the thumbprint can be obtained by viewing the properties of the certificate in Windows Explorer.
- Note that the ADFS “Artifact Store” database should get configured automatically, but you can check on this by doing the following:
- Launch PowerShell with admin privs
- Run the command “Add-PSSnapin microsoft.adfs.powershell”
- Run “get-adfsproperties | select artifactdbconnection”
- Use “set-adfsproperties -artifactdbconnection” to change the string if necessary.
- See this resource for more details:
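Because Fsconfig.exe fails late and with unhelpful messages when a thumbprint is mistyped, a certificate was imported without its private key, or the SQL mirror pair is firewalled off, I find it worth running a few pre-flight checks from an elevated PowerShell on the ADFS server before CreateSQLFarm, and one post-flight check on the artifact store afterwards. The script below is an added example of those checks and is not part of this post’s original steps or anything shipped with ADFS; the thumbprint values are placeholders, the SQL hosts are the spellbound/rearwindow pair from the connection string above, and port 1433 is an assumption (the connection string uses the default TCP port).

```powershell
# Added example (not from the original post): pre-flight checks for an ADFS 2.0
# SQL farm node. Run in an elevated PowerShell on the ADFS server.
# All thumbprints below are placeholders; replace them with your own.
$ErrorActionPreference = 'Stop'

$certs = @{
    'SSL (service communications)' = 'PLACEHOLDER-SSL-THUMBPRINT'
    'Token signing'                = 'PLACEHOLDER-SIGNING-THUMBPRINT'
    'Token decryption'             = 'PLACEHOLDER-DECRYPT-THUMBPRINT'
}
$sqlHosts = @('spellbound', 'rearwindow')   # principal and mirror from the post
$sqlPort  = 1433                             # assumption: default SQL TCP port

function Test-AdfsCertificate {
    param([string]$Role, [string]$Thumbprint)
    # Thumbprints copied out of the certificate properties dialog often carry
    # spaces or a hidden leading character; normalise before looking the cert up.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { return "$Role : NOT FOUND in LocalMachine\My ($tp)" }
    if (-not $cert.HasPrivateKey) { return "$Role : found but has NO private key (re-import as PFX)" }
    if ($cert.NotAfter -lt (Get-Date)) { return "$Role : EXPIRED on $($cert.NotAfter)" }
    return "$Role : OK  $($cert.Subject)  expires $($cert.NotAfter.ToShortDateString())"
}

function Test-SqlReachable {
    param([string]$HostName, [int]$Port)
    # Plain TCP connect; works on Server 2008 R2, which has no Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        return "${HostName}:$Port : reachable"
    } catch {
        return "${HostName}:$Port : BLOCKED or down ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

Write-Host '== Certificates =='
foreach ($role in $certs.Keys) { Write-Host (Test-AdfsCertificate -Role $role -Thumbprint $certs[$role]) }

Write-Host '== SQL principal and mirror =='
foreach ($h in $sqlHosts) { Write-Host (Test-SqlReachable -HostName $h -Port $sqlPort) }

# Post-flight: once Fsconfig CreateSQLFarm has run, confirm the artifact store
# points at the same mirrored pair. The snap-in only exists after ADFS 2.0 is installed.
Write-Host '== Artifact store =='
if (Get-PSSnapin -Registered -Name microsoft.adfs.powershell -ErrorAction SilentlyContinue) {
    Add-PSSnapin microsoft.adfs.powershell -ErrorAction SilentlyContinue
    $conn = (Get-AdfsProperties).ArtifactDbConnection
    Write-Host "ArtifactDbConnection = $conn"
    if ($conn -notmatch 'failover partner') {
        Write-Host 'WARNING: no failover partner in the artifact store connection string; fix with Set-AdfsProperties -ArtifactDbConnection'
    }
} else {
    Write-Host 'ADFS 2.0 snap-in not registered; run this part after installation.'
}
```

The private-key check is the one that matters most for the second farm node: a certificate restored from a plain .cer rather than the PFX will show up in the store and look fine in the properties dialog, but token signing will fail. The artifact store check mirrors the Get-AdfsProperties / Set-AdfsProperties steps above, just with the mirroring requirement made explicit.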
Of course, an ADFS server with no federation partners does not do us much good. Unfortunately, I don’t have any other ADFS servers that I want to integrate with, either. What interests me more are Shibboleth services (such as our own “login.uvm.edu”), and federation with other “InCommon” partners. I am also interested in “user centric” identity providers such as OpenID and “Windows Live ID”. Here are some links to get us started down this path. Unfortunately, I cannot find anything that details exactly what we want:
- Create an STS to allow Federation with OpenID:
- Shibboleth notes on Interoperability with Microsoft ADFS2:
- ADFS2 as an IdP for a Shibboleth SP… not really what I want here, but potentially good information is contained within:
- And an update… MS Official Guidance on ADFS2/Shibboleth2 interop: