Wednesday, September 18, 2013

Setting up ADFS Farm with ADFS proxy and F5 Load balancer....


 I'm no expert at ADFS and/or Certificates.... so feel free to correct me at various places.

You can use self signed certs for Token signing, however at startup i had to use the same SSL for all.
I started off with a self signed SSL cert to test my setup. then replaced it with 3rd party.

Would recommend checking out SQL database options before installation, to plan. I didn't have a need for SQL database as oppose to WID.

I have followed a articles from Technet and other various blogs, the links to these articles is at the bottom... 










ADFS Implementation & Installation guide
Contents


ADFS SERVERS:

Name
Location
IpAddress
Subnet Mask
Gateway
FIRSTINTERNALSERVER
SER1
10.48.9.123
255.255.252.0
10.48.9.1
SECONDINTERNALSERVER
SER2
10.48.10.123
255.255.252.0
10.48.10.1
FIRSTPROXYSERVER
SER1
172.16.200.123
255.255.254.0
172.16.200.1
SECONDPROXYSERVER
SER2
172.16.201.123
255.255.254.0
172.16.201.1
ADFS VIP INTERNAL
LOAD BALANCED
10.48.9.233


ADFS VIP DMZ
LOAD BALANCED
172.16.200.233




DNS CONFIGURATION:

Internal DNS =   adfs.fabrikam.com 10.48.9.233
External DNS =  adfs.fabrikam.com  201.204.193.84

SSL CERTIFICATE:

Obtained SSL certificate from from a 3rd party CA for adfs.fabrikam.com  

Service Account Setup for ADFS:

  1. Create a dedicated user/service account in the Active Directory forest that is located in the identity provider organization. This account is necessary for the Kerberos authentication protocol to work in a farm scenario and to allow pass-through authentication on each of the federation servers. Use this account only for the purposes of the federation server farm.
The account svc_adfs has been created for this purpose
  1. Edit the user account properties, and select the Password never expires check box. This action ensures that this service account's function is not interrupted as a result of domain password change requirements.




  1. Because the application pool identity for the AD FS AppPool is running as a domain user/service account, you must configure the Service Principal Name (SPN) for that account in the domain with the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain where the user/service account resides:
  2. setspn -a host/

For example, in a scenario in which all federation servers are clustered under the Domain Name System (DNS) host name fs.fabrikam.com and the service account name that is assigned to the AD FS AppPool is named adfs2farm, type the command as follows, and then press ENTER:
setspn -a host/adfs.fabrikam.com svc_adfs

Installing Federation Server Farm:


Download ADFS 2.0 setup file


First server in the ADFS Farm:

·         When you launch the install program, click Next.



·         Accept the license and click Next.


·         On the Server Role screen, choose Federation Server and click Next.


·         The wizard will automatically install the required prerequisites.  Click Next to begin the installation.


·         When the installation is complete,  uncheck “Start the AD FS 2.0…..”


·         Install the Godaddy certificate for adfs.fabrikam.com to local computer account.
·         On IIS make sure the default Website has a 443 binding and set to use the adfs.fabrikam.com certificate.

Configuring AD FS

Now that we have the certificate installed, we can start the AD FS configuration. To launch the AD FS configuration wizard, just go into Administrative Tools and click on AD FS 2.0 Management.



·         When the AD FS Management Console opens, click the AD FS 2.0 Federation Server Configuration Wizard Link.



·         Select the option to Create a new Federation Service




·         On the next screen select New federation server farm. 




On the Federation Service name, choose the adfs.fabrikam.com certificate to use.




You must then specify a Service Account in Active Directory that will be used by AD FS.
Service account: Svc_adfs




On the Summary Screen review the changes that will be made and click next to begin the configuration.




When the installation is complete, click Close.






Second server in the ADFS Farm:

·         Install ADFS 2.0 using the setup file.
·         Before configuring the second node, export the Export the cert from the first ADFS Server in the Farm. NOTE: This setup is very important, as I was getting Thumbprint errors for the SSL cert while setting up the second node without following the steps below…
1. Open the Certificate MMC console.
·         Log on to the original ADFS server which contains the service communications certificate with the private key.
·         Open the Start Menu and type “MMC” in the search box and press enter.
·         When the console opens click “File” and select “Add/Remove Snapin”.
·         Select “Certificates” from available snap ins and click the “Add” button to move to the “Selected Snapins” window and click “OK”.
·         When the “Certificate Snap-in” windows appears, select the “Computer Account” radio button and click “Next”.
·         On the “Select Computer” window, select the “Local Computer” radio button.
·         You will now see that it has been added to the selected snap-ins.  Click “OK”.
2. Now that you have the local certificate MMC open you can start to Export the cert.
·         Expand “Certificates (Local Computer)” then expand “Personal” and highlight “Certificates”.
·         Right click the certificate to be exported (in my case adfs.pipe2text.com), select “All Tasks” then “Export” from the menu.
·         Click “Next” on the “Welcome to the Certificate Export Wizard” screen.
·         On the “Export Private Key” screen Select “Yes, Export Private Key” and click “Next”.
·          On the “Export File Format” screen Select the “Personal Information Exchange = PKCS #12 (.PFX)” radio button and Check off “Include all certificates in the certification path if possible” and “Export all extended properties”. Make sure “Delete the private key if export is successful” is deselected. Click “Next”.
·         On the “Password” screen, enter a password and make note of it (This is the password you will use when importing the cert to the new server).
·         On the “File to Export” enter a name and location for the file and click “Next”.
·         On the “Completing the Certificate Wizard” screen review your settings and Click “Finish”.
·         Retrieve the cert file and copy it to the new ADFS server you will be adding to your farm.

·         Use the previously saved certificate
With the Certificate name:
ADFS_FirstInternalServer.pfx
·         Import the above certificate to Localcomputer\personal\certificates
·         Bind the Imported Cert to the Default Website
1. Open the IIS Manager and right click the “Default Website” and select “Edit Bindings”.
2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that you imported and click “OK”.
3. You will now see “https” and “443″ in the list of site bindings. Click “Close”.

·         Launch the ADFS Configuration Wizard
·         On the Welcome page, verify that Add a federation server to an existing Federation Service is selected, and then click Next.
·         If the AD FS database that you selected already exists, the Existing AD FS Configuration Database Detected page appears. If that occurs, click Delete database, and then click Next
·         On the Specify the Primary Federation Server and Service Account page, under Primary federation server name, type the computer name of the primary federation server in the farm, and then click Browse. In the Browse dialog box, locate the domain account that is used as the service account by all other federation servers in the existing federation server farm, and then click OK. Type the password and confirm it, and then click Next:
·         On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring AD FS with these settings.
·         On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

Installing ADFS Proxy Server:


·         Run setup for ADFS 2.0 and install ADFS
·         Import the certificate exported earlier from the Federation server to Localcomputer\personal\certificates
·         Bind the Imported Cert to the Default Website
1. Open the IIS Manager and right click the “Default Website” and select “Edit Bindings”.
2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that you imported and click “OK”.
3. You will now see “https” and “443″ in the list of site bindings. Click “Close”.
·         Run the ADFS Configuration Wizard.
·         On the Welcome page, click Next.
·         On the Specify Federation Service Name page, under Federation Service name, type “adfs.fabrikam.com”
·         Uncheck Use an HTTP proxy server when sending requests to this Federation Service check box, under HTTP proxy server address type the address of the proxy server, click Test Connection to verify connectivity, and then click Next.
·         When you are prompted, enter ‘fabrikam\svc_adfs’ and password.
·         On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring this computer with these proxy settings.
·         On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.

Failover for ADFS:


The WID database on the primary server is read/write and the WID database on the secondary server(s) are read-only. Changes made to the configuration are made only on the primary Federation Server and those changes are replicated (5 minutes interval by default) to the secondary servers via WID database synchronization.

In the event that the primary Federation Server becomes unavailable and will not be brought back online, the administrator needs to promote one of the secondary Federation Servers to primary for the farm.

·         Command to run on the secondary server which you want to make primary:
Add-PsSnapin Microsoft.Adfs.PowerShell
Set-AdfsSyncProperties -Role PrimaryComputer

Now that you have set a new Primary Federation Server, you need to configure the other Secondary Federation Servers to sync with the new Primary Federation Server

·         Command to run on the other farm member servers:
Add-PsSnapin Microsoft.Adfs.Powershell
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation Server}



Error Fixes:


In the event you get an error message when try to start the ADFS service, like
"Windows could not start the AD FS 2.0 Windows Service service on Local Computer - Error 1053"

Try the fix below:
1. Navigate to C:\Program Files\Active Directory Federation Services 2.0
2. Find and open Microsoft.IdentityServer.Servicehost.exe.config file
3. Modify it as follows:
under tag, add this line:


So it would look like this:



 References:

When to Create a Federation Server Farm:
http://technet.microsoft.com/en-us/library/dd807062(v=ws.10).aspx

How to change ADFS Service communication certificate after initial installation:

http://social.msdn.microsoft.com/Forums/vstudio/en-US/acad4d8a-898a-4113-b608-bf322f45282e/how-to-change-adfs-service-communication-certificate-after-initial-installation

AD FS 2.0: How to Set the Primary Federation Server in a WID Farm (move ADFS role to another server) - Fatshark's Personal Blog

http://www.edunnewijk.nl/fatshark/index.php?/archives/465-AD-FS-2.0-How-to-Set-the-Primary-Federation-Server-in-a-WID-Farm-move-ADFS-role-to-another-server.html
Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database

 http://pipe2text.com/?page_id=395


 Verifying ADFS Computer Settings and Connectivity:
http://technet.microsoft.com/en-us/library/cc778709(v=ws.10).aspx

1 comment:

  1. Infycle Technology is one of the top Software Training Institute in Chennai Providing technical courses like Oracle, Java, Data Science, Big data, AWS, Python, etc., with the excellence of training and friendly trainers for freshers, experience, and Tech professionals of any field. Best place to do AWS. After completion of the course, students will be guided to crack their interview in top MNC’s. for further enquiry and free demo, of course, dial 7504633633.

    ReplyDelete