

Configure the first federation server in the federation server farm in Windows Server 2012

Applies To: Azure, Office 365, Power BI, Windows Intune

After you install the Active Directory Federation Service (AD FS) role service on your computer running Windows Server 2012 R2, you are ready to configure this computer to become a federation server.

You can complete the following procedures to configure this computer as the first federation server in your federation server farm.

Configure the first federation server in a new federation server farm

To configure the first federation server in a new federation server farm using the Active Directory Federation Service Configuration Wizard

Note

Make sure you have domain administrator permissions or have domain administrator credentials available before you perform this procedure.

  1. On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server.

    The Active Directory Federation Service Configuration Wizard is launched.

  2. On the Welcome page, select Create the first federation server in a federation server farm and click Next.

  3. On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.

  4. On the Specify Service Properties page, do the following and then click Next:

    • Import the .pfx file containing the SSL certificate and key that you obtained earlier. As stated in the ‘Certificate Requirements’ section in Review the requirements for deploying AD FS, you must obtain this certificate and copy it onto the computer that you want to configure as a federation server. To import the .pfx file via the wizard, click Import and browse to the file’s location. Specify the password for the .pfx file when prompted.

    • Provide a name for your federation service. For example, fs.contoso.com. This name must match one of the subject or subject alternative names in the certificate.

    • Provide a display name for your federation service. For example, Contoso Corporation. This name will be shown to users at the AD FS sign-in page.

  5. On the Specify Service Account page, specify a service account. You can either create or use an existing group Managed Service Account (gMSA) or use an existing domain user account. If you select the option to create a new gMSA, specify a name for the new account. If you select the option to use an existing gMSA or domain account, click the Select... button to select an account.

    Note

    The benefit of using a gMSA is its auto-negotiated password update feature.

    Warning

    If you want to use a gMSA, you must have at least one domain controller in your environment that is running Windows Server 2012 operating system.

    If the gMSA option is disabled and you see an error message similar to Group Managed Service Accounts are not available because the KDS Root Key has not been set, you can enable gMSA in your domain by running the following Windows PowerShell command on a Windows Server 2012 or later domain controller in your Active Directory domain: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10). Then return to the wizard and click the Previous button followed by the Next button to re-enter the Specify Service Account page. The gMSA option should now be enabled, and you can select it and enter the desired gMSA account name.

  6. On the Specify Configuration Database page, specify an AD FS configuration database and then click Next. You can either create a database on this computer using Windows Internal Database (WID) or you can specify the location and the instance name of the SQL server.

    For more information, see The Role of the AD FS Configuration Database.

  7. On the Review Options page, verify your configuration selections and click Next.

  8. On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.

  9. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment. For more information, see Next steps for completing your AD FS installation. Click Close to exit the wizard.

To configure the first federation server in a new federation server farm via Windows PowerShell

You can create a new federation server farm using either a new or existing gMSA or an existing domain user account.

  • If you want to create a new federation server using a new gMSA account, do the following:

    Important

    You must have domain administrator permissions to create the first federation server in a new federation server farm.

    1. On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My Store.

    2. On your domain controller, open the Windows PowerShell command window and run the following command to verify whether the KDS Root Key has been created in your domain: Get-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10). If it has not been created (the command returns no output), run the following command to create the key: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).

    3. On the computer that you want to configure as a federation server, open the Windows PowerShell command window, and run the following command:

      Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_Name>$
      

      Warning

      The ‘$’ at the end of the command above is required.

      You can obtain the value for <certificate_thumbprint> by running dir Cert:\LocalMachine\My and selecting the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.

      Note

      If this is NOT the first time you run this command, add -OverwriteConfiguration.

      Note

      The command above creates a WID farm. If you want to create a SQL server farm, you must have the SQL server already installed and operational.

      You can use the following command to create the first federation server in a new farm using SQL server: Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -GroupServiceAccountIdentifier <domain>\<GMSA_name>$ -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".

  • If you want to create a new federation server using an existing domain user account, do the following:

    1. On the computer that you want to configure as a federation server, make sure that the required SSL certificate has been imported into the Local Computer\My Store. You can verify whether the SSL certificate has been imported by running the following command in the Windows PowerShell command window: dir Cert:\LocalMachine\My. The certificate is listed by its thumbprint in the Local Computer\My Store.

    2. On the computer that you want to configure as a federation server, open the Windows PowerShell command window and run the following command: $fscred = get-credential. Enter the domain user account credentials that you want to use for the federation service account in the format domain\username.

    3. In the same Windows PowerShell command window, run the following command:

      Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred
      

      You can obtain the value for <certificate_thumbprint> by running dir Cert:\LocalMachine\My and selecting the thumbprint of your SSL certificate. The value of <federation_service_name> is the name of your federation service, for example, fs.contoso.com.

      Note

      If this is NOT the first time you run this command, add -OverwriteConfiguration.

      Note

      The command above creates a WID farm. If you want to create a SQL server farm, you must have the SQL server already installed and operational.

      You can use the following command to create the first federation server in a new farm using SQL server: Install-AdfsFarm -CertificateThumbprint <certificate_thumbprint> -FederationServiceName <federation_service_name> -ServiceAccountCredential $fscred -SQLConnectionString "Data Source=<SQL_Host_Name>\<SQL_instance_name>;Integrated Security=True" where <SQL_Host_Name> is the name of the server on which SQL server is running, and <SQL_instance_name> is the name of the SQL instance. If you are using the default SQL Server instance, use a SQLConnectionString value of "Data Source=<SQL_Host_Name>;Integrated Security=True".
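The following script ties the two Windows PowerShell procedures above (new gMSA with a WID or SQL database, and existing domain user account with a WID or SQL database) into one pre-flight and install run. It is an added example written for this page, not a script from the original documentation or from Microsoft, and it does not run in the verifier. It assumes placeholder values: the federation service name fs.contoso.com, the display name Contoso Corporation, the gMSA CONTOSO\FsGmsa$ and the SQL data source SQL01\ADFS. Before calling Install-AdfsFarm it performs the checks a practitioner wants that the bare one-liners skip: it picks only a certificate in Local Computer\My that has a private key, is not expired and carries the federation service name as subject or subject alternative name (the same match the wizard enforces), it confirms a KDS root key exists before attempting a gMSA, and it rejects a gMSA identifier that lacks the required trailing $.

```powershell
# Added example (not from the original page): pre-flight checks plus Install-AdfsFarm
# for the first federation server in a new AD FS farm. Every default below is a
# placeholder assumption; replace it with your own values.
param(
    [string]$FederationServiceName = 'fs.contoso.com',      # assumption: placeholder service FQDN
    [string]$DisplayName           = 'Contoso Corporation', # assumption: placeholder display name
    [string]$GmsaIdentifier        = 'CONTOSO\FsGmsa$',     # assumption: placeholder gMSA (trailing $ required)
    [switch]$UseDomainAccount,                              # use an existing domain user instead of a gMSA
    [string]$SqlDataSource,                                 # e.g. 'SQL01\ADFS' (placeholder); omit for a WID farm
    [switch]$OverwriteConfiguration                         # add when Install-AdfsFarm has already run once
)

# 1. Select the SSL certificate from Local Computer\My that fits the federation
#    service name: private key present, not expired, and the name appears in the
#    subject or subject alternative names (DnsNameList covers both).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.DnsNameList.Unicode -contains $FederationServiceName)
}
if (-not $candidates) {
    throw "No usable certificate for $FederationServiceName in Cert:\LocalMachine\My. Import the .pfx first."
}
# If several certificates match, use the one that expires last.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"

# 2. Build the Install-AdfsFarm parameter set (splatted below).
$params = @{
    CertificateThumbprint        = $cert.Thumbprint
    FederationServiceName        = $FederationServiceName
    FederationServiceDisplayName = $DisplayName
}

if ($UseDomainAccount) {
    # Existing domain user account: prompt for domain\username and password,
    # the same $fscred the page's second procedure builds with Get-Credential.
    $params.ServiceAccountCredential = Get-Credential -Message 'Federation service account (domain\username)'
} else {
    # gMSA: a KDS root key must already exist in the domain. Get-KdsRootKey is in
    # the Kds module (run on a domain controller or a host with the AD DS tools).
    if (-not (Get-KdsRootKey -ErrorAction SilentlyContinue)) {
        throw 'No KDS root key found. Run Add-KdsRootKey on a Windows Server 2012 or later domain controller first.'
    }
    if ($GmsaIdentifier -notmatch '\$$') {
        throw ('GroupServiceAccountIdentifier must end with a trailing dollar sign (got {0}).' -f $GmsaIdentifier)
    }
    $params.GroupServiceAccountIdentifier = $GmsaIdentifier
}

if ($SqlDataSource) {
    # SQL Server farm: Integrated Security=True means the service account itself
    # must be allowed to log on to the instance; omit this block for a WID farm.
    $params.SQLConnectionString = "Data Source=$SqlDataSource;Integrated Security=True"
}
if ($OverwriteConfiguration) {
    $params.OverwriteConfiguration = $true
}

# 3. Create the farm, then read the configured properties back as a sanity check.
$result = Install-AdfsFarm @params
$result
Get-AdfsProperties | Select-Object HostName, DisplayName
```

Run it as a domain administrator on the server that will become the federation server, for example `.\Install-FirstAdfsServer.ps1 -FederationServiceName fs.contoso.com -GmsaIdentifier 'CONTOSO\FsGmsa$'` for a gMSA WID farm, or add `-UseDomainAccount -SqlDataSource 'SQL01\ADFS'` for the domain account and SQL Server variant. The certificate filter is deliberately stricter than the page's `dir Cert:\LocalMachine\My` listing: a certificate without its private key or with a name that does not match the federation service name passes the listing but fails at install or, worse, at the first sign-in, so it is cheaper to reject it up front.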

Next step

Now that you have configured the first federation server in your federation server farm, navigate back to Checklist: Deploy your federation server farm on legacy versions of Windows Server and complete the rest of the steps.

See Also

Concepts

Checklist: Deploy your federation server farm on Windows Server 2012 R2
Checklist: Use AD FS to implement and manage single sign-on