
Step 2: Configure the federation server (adfs) by using Device Registration Service

To set up another virtual machine, install Windows Server 2012 R2 and join it to the domain
yyyyyyyyy.com. Finish configuring the computer after you have joined it to the domain, and then
proceed to install and configure the AD FS role.

Install a server SSL certificate

You must install a server Secure Sockets Layer (SSL) certificate on the adfs server in the local
computer store. The certificate MUST have the following attributes:

Subject Name (CN): adfs.yyyyyyyyy.com

Subject Alternative Name (DNS): adfs.yyyyyyyyy.com

Subject Alternative Name (DNS): enterpriseregistration.yyyyyyyyy.com

For more information about setting up SSL certificates, see Configure SSL/TLS on a Web site in
the domain with an Enterprise CA.
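Before you go on to install the role, it is worth confirming that the certificate you enrolled actually carries all three names, because a missing enterpriseregistration SAN only surfaces later as a TLS failure on the client. The following PowerShell check is an added example, not part of the original walkthrough; it assumes the lab names adfs.yyyyyyyyy.com and enterpriseregistration.yyyyyyyyy.com from the text and an English Windows build (the "DNS Name=" rendering of the SAN extension is locale dependent).

```powershell
# Added example: verify the AD FS service certificate in LocalMachine\My.
# Names below are the lab values from the walkthrough.
$fsName   = 'adfs.yyyyyyyyy.com'
$required = @($fsName, 'enterpriseregistration.yyyyyyyyy.com')

# Newest certificate with a private key whose subject CN is the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($fsName))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$fsName and a private key in LocalMachine\My" }

# Subject Alternative Name extension is OID 2.5.29.17; Format($true) renders one
# "DNS Name=<host>" line per entry on an English system (assumption: English locale).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension" }
$sans = $sanExt.Format($true) -split "`r?`n" |
    ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } }

$missing = $required | Where-Object { $sans -notcontains $_ }
if ($missing) { throw "Certificate $($cert.Thumbprint) is missing SAN entries: $($missing -join ', ')" }

if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

"Service certificate OK: $($cert.Thumbprint) [$($sans -join ', ')]"
$cert.Thumbprint   # keep this value; Install-AdfsFarm takes it as -CertificateThumbprint
```

Run it in an elevated PowerShell session on the adfs server. The private-key test matters as much as the names: a certificate imported without its private key shows up in the store but cannot be used by the federation service.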

Install the AD FS server role

To install the Federation Service role service

Log on to the server by using the domain administrator account administrator@yyyyyyyyy.com.

Start Server Manager. To start Server Manager, click Server Manager on the Windows Start screen,
or click Server Manager on the Windows taskbar on the Windows desktop. On the Quick Start tab
of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can
click Add Roles and Features on the Manage menu.

On the Before you begin page, click Next.

On the Select installation type page, click Role-based or feature-based installation, and then click
Next.

On the Select destination server page, click Select a server from the server pool, verify that the
target computer is selected, and then click Next.

On the Select server roles page, click Active Directory Federation Services, and then click Next.

On the Select features page, click Next.

On the Active Directory Federation Service (AD FS) page, click Next.

After you verify the information on the Confirm installation selections page, select the Restart the
destination server automatically if required check box, and then click Install.

On the Installation progress page, verify that everything installed correctly, and then click Close.

Configure the federation server

The next step is to configure the federation server.

To configure the federation server

On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the
federation service on the server.

The Active Directory Federation Service Configuration Wizard opens.

On the Welcome page, select Create the first federation server in a federation server farm, and then
click Next.

On the Connect to AD DS page, specify an account with domain administrator rights for the
yyyyyyyyy.com Active Directory domain that this computer is joined to, and then click Next.

On the Specify Service Properties page, do the following, and then click Next:

Import the SSL certificate that you have obtained earlier. This certificate is the required service
authentication certificate. Browse to the location of your SSL certificate.

To provide a name for your federation service, type adfs.yyyyyyyyy.com. This value is the same
value that you provided when you enrolled an SSL certificate in Active Directory Certificate
Services (AD CS).

To provide a display name for your federation service, type Hnit-Baltic.

On the Specify Service Account page, select Use an existing domain user account or group
Managed Service Account, and then specify the gMSA account fsgmsa that you created when you
set up the domain controller.

On the Specify Configuration Database page, select Create a database on this server using Windows
Internal Database, and then click Next.

On the Review Options page, verify your configuration selections, and then click Next.

On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed,
and then click Configure.

On the Results page, review the results, check whether the configuration has completed
successfully, and then click Next steps required for completing your federation service deployment.

Configure Device Registration Service

The next step is to configure Device Registration Service on the adfs server. For a video, see Active
Directory Federation Services How-To Video Series: Enabling the Device Registration Service.

To configure Device Registration Service for Windows Server 2012 R2 RTM

Important

The following steps apply to the Windows Server 2012 R2 RTM build.

Open a Windows PowerShell command window and type:

Initialize-ADDeviceRegistration

When you are prompted for a service account, type the gMSA in DOMAIN\fsgmsa$ form, that is, the
NetBIOS name of the yyyyyyyyy.com domain, a backslash, and fsgmsa$ (the trailing $ is part of the
account name).

Now run the following Windows PowerShell cmdlet:

Enable-AdfsDeviceRegistration

On the adfs server, in the AD FS Management console, navigate to Authentication Policies. Select
Edit Global Primary Authentication. Select the check box next to Enable Device Authentication,
and then click OK.
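The farm creation wizard and the three Device Registration Service steps above can be done from PowerShell on the adfs server, which is the form you want when you rebuild the lab or script a second federation server. The block below is an added example, not part of the original walkthrough. It takes the service name adfs.yyyyyyyyy.com, the display name Hnit-Baltic, the gMSA fsgmsa and the Windows Internal Database choice from the text; it assumes the service certificate is already in LocalMachine\My, and it assumes the NetBIOS name of the yyyyyyyyy.com domain is yyyyyyyyy (substitute your own).

```powershell
# Added example: first server of an AD FS farm on WID, then DRS, with checks.
# Assumptions: names from the walkthrough; NetBIOS domain name 'yyyyyyyyy'.
$fsName = 'adfs.yyyyyyyyy.com'
$gmsa   = 'yyyyyyyyy\fsgmsa$'

Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# Newest certificate with a private key whose subject CN is the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($fsName))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No service certificate for $fsName in LocalMachine\My" }

# Domain admin account used for the "Connect to AD DS" step of the wizard.
$domainAdmin = Get-Credential -UserName 'yyyyyyyyy.com\administrator' -Message 'Domain admin for AD DS'

# No -SQLConnectionString means the configuration database goes to Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'Hnit-Baltic' `
                 -GroupServiceAccountIdentifier $gmsa `
                 -Credential $domainAdmin

# Device Registration Service: AD DS objects (needs enterprise admin rights), the DRS
# endpoint, then device authentication (the cmdlet form of the "Enable Device
# Authentication" check box in Edit Global Primary Authentication).
Initialize-ADDeviceRegistration -ServiceAccountName $gmsa
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Checks: service name, certificate bound on 443, device authentication switched on.
$props = Get-AdfsProperties
if ($props.HostName -ne $fsName) { throw "Federation service name is $($props.HostName), expected $fsName" }

$bound = Get-AdfsSslCertificate |
    Where-Object { $_.PortNumber -eq 443 -and $_.CertificateHash -eq $cert.Thumbprint }
if (-not $bound) { throw "Certificate $($cert.Thumbprint) is not bound on port 443" }

if (-not (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled) {
    throw 'Device authentication is not enabled'
}
"AD FS farm $fsName and Device Registration Service are configured"
```

The metadata URL https://adfs.yyyyyyyyy.com/federationmetadata/2007-06/federationmetadata.xml only becomes reachable after the DNS records in the next section exist, so test it from a client after that step rather than here.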

Add Host (A) and Alias (CNAME) Resource Records to DNS

On DC1, you must ensure that the following Domain Name System (DNS) records are created for
Device Registration Service.

Entry                   Type           Address
adfs                    Host (A)       IP address of the AD FS server
enterpriseregistration  Alias (CNAME)  adfs.yyyyyyyyy.com

You can use the following procedure to add a host (A) resource record and an alias (CNAME)
resource record to corporate DNS name servers for the federation server and Device Registration
Service.

Membership in the Administrators group, or equivalent, is the minimum requirement to complete
this procedure. Review details about using the appropriate accounts and group memberships in
Local and Domain Default Groups (http://go.microsoft.com/fwlink/p/?LinkId=83477).

To add a host (A) and alias (CNAME) resource records to DNS for your federation server

On DC1, from Server Manager, on the Tools menu, click DNS to open the DNS snap-in.

In the console tree, expand DC1, expand Forward Lookup Zones, right-click yyyyyyyyy.com, and
then click New Host (A or AAAA).

In Name, type the name you want to use for your AD FS farm. For this walkthrough, type adfs.

In IP address, type the IP address of the adfs server. Click Add Host.

Right-click yyyyyyyyy.com, and then click New Alias (CNAME).

In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.

In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs.yyyyyyyyy.com, and
then click OK.

Important
In a real-world deployment, if your company has multiple user principal name (UPN) suffixes, you
must create multiple CNAME records, one for each of those UPN suffixes in DNS.
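The Workplace Join client derives the name it contacts from the user's UPN suffix, which is why the note above asks for one CNAME per suffix. The following PowerShell is an added example, not part of the original walkthrough, that creates the records on DC1 with the DnsServer module and loops over every UPN suffix in the forest. It assumes the zone yyyyyyyyy.com from the text, a placeholder address 10.0.0.20 for the adfs server, and that DC1 hosts a forward lookup zone for each suffix; suffixes without a local zone are reported rather than silently skipped.

```powershell
# Added example: A record for the federation service plus one enterpriseregistration
# CNAME per UPN suffix. 10.0.0.20 is a placeholder for the adfs server's address.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone   = 'yyyyyyyyy.com'
$fsName = "adfs.$zone"
$adfsIp = '10.0.0.20'   # placeholder: replace with the real IP address of the adfs server

# Host (A) record for the federation service, created only if it does not exist yet.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'adfs' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'adfs' -IPv4Address $adfsIp
}

# The client looks up enterpriseregistration.<UPN suffix>, so every suffix that users
# sign in with needs its own alias pointing at the federation service.
$suffixes = @($zone) + (Get-ADForest).UPNSuffixes | Sort-Object -Unique
foreach ($suffix in $suffixes) {
    if (-not (Get-DnsServerZone -Name $suffix -ErrorAction SilentlyContinue)) {
        Write-Warning "No zone for UPN suffix $suffix on this server; add the CNAME where that zone is hosted"
        continue
    }
    if (-not (Get-DnsServerResourceRecord -ZoneName $suffix -Name 'enterpriseregistration' -RRType CName -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordCName -ZoneName $suffix -Name 'enterpriseregistration' -HostNameAlias $fsName
    }
}

# Check from the resolver's point of view: both names must end at the adfs server.
foreach ($name in $fsName, "enterpriseregistration.$zone") {
    $answer = Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Where-Object QueryType -eq 'A'
    if ($answer.IPAddress -notcontains $adfsIp) { throw "$name does not resolve to $adfsIp" }
    "$name -> $($answer.IPAddress -join ', ')"
}
```

The resolution check at the end is the one to repeat from a domain-joined client before testing Workplace Join, since a client that cannot resolve enterpriseregistration.<suffix> never reaches the federation server at all.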

Part Two

To complete the walkthroughs that were referenced earlier in this topic, you must have a sample
application that is secured by your federation server (adfs).

You can download the Windows Identity Foundation SDK
(http://www.microsoft.com/download/details.aspx?id=4451), which includes a sample claims-based
application.

You must complete the following steps to set up a web server with this sample claims-based
application.

Note

These steps have been tested on a web server that runs the Windows Server 2012 R2 operating
system.

Install the Web Server Role and Windows Identity Foundation

Install Windows Identity Foundation SDK

Configure the simple claims app in IIS

Create a relying party trust on your federation server

Install the Web Server role and Windows Identity Foundation

Note

You must have access to the Windows Server 2012 R2 installation media.

Log on to WebServ1 by using administrator@yyyyyyyyy.com and the password pass@word1.

From Server Manager, on the Quick Start tab of the Welcome tile on the Dashboard page, click Add
roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.

On the Before you begin page, click Next.

On the Select installation type page, click Role-based or feature-based installation, and then click
Next.

On the Select destination server page, click Select a server from the server pool, verify that the
target computer is selected, and then click Next.

On the Select server roles page, select the check box next to Web Server (IIS), click Add Features,
and then click Next.

On the Select features page, select Windows Identity Foundation 3.5, and then click Next.

On the Web Server Role (IIS) page, click Next.

On the Select role services page, select and expand Application Development. Select ASP.NET 3.5,
click Add Features, and then click Next.

On the Confirm installation selections page, click Specify an alternate source path. Enter the path to
the Sxs directory that is located in the Windows Server 2012 R2 installation media. For example
D:\Sources\Sxs. Click OK, and then click Install.

Install Windows Identity Foundation SDK

Run WindowsIdentityFoundation-SDK-3.5.msi to install Windows Identity Foundation SDK 3.5
(http://www.microsoft.lt/download/details.aspx?id=4451). Choose all of the default options.

Configure the simple claims app in IIS

Install a valid SSL certificate in the computer certificate store. The certificate should contain the
name of your web server, webserv1.yyyyyyyyy.com.

Copy the contents of C:\Program Files (x86)\Windows Identity Foundation
SDK\v3.5\Samples\Quick Start\Web Application\PassiveRedirectBasedClaimsAwareWebApp to
C:\Inetpub\Claimapp.

Edit the Default.aspx.cs file so that no claim filtering takes place. This step is performed to ensure
that the sample application displays all the claims that are issued by the federation server. Do the
following:

Open Default.aspx.cs in a text editor.

Search the file for the second instance of ExpectedClaims.

Comment out the entire IF statement and its braces. Indicate comments by typing "//" (without the
quotes) at the beginning of a line.

Your foreach statement should now look like this code example (the sample is C#, so the keyword
is lowercase foreach and the type is Claim).

foreach (Claim claim in claimsIdentity.Claims)
{
    // Before showing the claims validate that this is an expected claim
    // If it is not in the expected claims list then don't show it
    //if (ExpectedClaims.Contains( claim.ClaimType ) )
    //{
        writeClaim( claim, table );
    //}
}

Save and close Default.aspx.cs.

Open web.config in a text editor.


Remove the entire <microsoft.identityModel> section: everything from and including
<microsoft.identityModel> up to and including </microsoft.identityModel>. FedUtil.exe writes a
fresh section for your federation server in a later step.

Save and close web.config.

Configure IIS Manager

Open Internet Information Services (IIS) Manager.

Go to Application Pools, right-click DefaultAppPool to select Advanced Settings. Set Load User
Profile to True, and then click OK.

Right-click DefaultAppPool to select Basic Settings. Change the .NET CLR Version to .NET CLR
Version v2.0.50727.

Right-click Default Web Site to select Edit Bindings.

Add an HTTPS binding to port 443 with the SSL certificate that you have installed.

Right-click Default Web Site to select Add Application.

Set the alias to claimapp and the physical path to c:\inetpub\claimapp.
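The IIS Manager steps above, done with the WebAdministration module on WebServ1, as an added example that is not part of the original walkthrough. It assumes the sample has already been copied to C:\inetpub\claimapp and that the certificate for webserv1.yyyyyyyyy.com is in LocalMachine\My. Load User Profile is required because WIF 3.5 protects its session cookie with DPAPI, which needs a loaded profile for the application pool identity.

```powershell
# Added example: application pool, HTTPS binding and claimapp application via WebAdministration.
Import-Module WebAdministration

$site     = 'Default Web Site'
$pool     = 'DefaultAppPool'
$hostFqdn = 'webserv1.yyyyyyyyy.com'
$appPath  = 'C:\inetpub\claimapp'

# Application pool: load the user profile (DPAPI for the WIF session cookie) and
# run on the .NET 2.0 CLR, which is what WIF 3.5 and ASP.NET 3.5 target.
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.loadUserProfile -Value $true
Set-ItemProperty "IIS:\AppPools\$pool" -Name managedRuntimeVersion -Value 'v2.0'

# Newest certificate with a private key for the web server's own name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($hostFqdn))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostFqdn in LocalMachine\My" }

# HTTPS binding on 443; the SslBindings entry 0.0.0.0!443 attaches the certificate to the port.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# The claimapp application under the default site, running in the pool configured above.
if (-not (Test-Path $appPath)) { throw "Sample application not found at $appPath" }
if (-not (Get-WebApplication -Site $site -Name 'claimapp')) {
    New-WebApplication -Name 'claimapp' -Site $site -PhysicalPath $appPath -ApplicationPool $pool | Out-Null
}

# Checks: pool settings, binding, and application all as expected.
if ((Get-ItemProperty "IIS:\AppPools\$pool" -Name managedRuntimeVersion).Value -ne 'v2.0') { throw 'CLR version not v2.0' }
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) { throw 'HTTPS binding missing' }
if (-not (Get-WebApplication -Site $site -Name 'claimapp')) { throw 'claimapp application missing' }
"https://$hostFqdn/claimapp/ is ready; run FedUtil.exe next"
```

Note that the SslBindings entry replaces whatever certificate was previously attached to port 443 on all addresses, which is what you want on a single-purpose lab web server but worth checking on a shared host.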

To configure claimapp to work with your federation server, do the following:

Run FedUtil.exe, which is located in C:\Program Files (x86)\Windows Identity Foundation


SDK\v3.5.

Set the application configuration location to C:\inetpub\claimapp\web.config and set the application
URI to the URL for your site, https://webserv1.yyyyyyyyy.com/claimapp/. Click Next.

Select Use an existing STS and browse to your AD FS server's metadata URL
https://adfs.yyyyyyyyy.com/federationmetadata/2007-06/federationmetadata.xml. Click Next.

Select Disable certificate chain validation, and then click Next.

Select No encryption, and then click Next. On the Offered claims page, click Next.

Both of these choices are lab shortcuts: they stop the web application from verifying the chain of
the token-signing certificate and leave the tokens unencrypted. In a production deployment, keep
chain validation enabled (or pin the AD FS token-signing certificate) and consider token
encryption.

Select the check box next to Schedule a task to perform daily WS-Federation metadata updates.
Click Finish.

Your sample application is now configured. If you test the application URL
https://webserv1.yyyyyyyyy.com/claimapp, it should redirect you to your federation server. The
federation server should display an error page because you have not yet configured the relying party
trust. In other words, you have not secured this test application by AD FS.

You must now secure your sample application that runs on your web server with AD FS. You can
do this by adding a relying party trust on your federation server (adfs). For a video, see Active
Directory Federation Services How-To Video Series: Add a Relying Party Trust.
Create a relying party trust on your federation server

On your federation server (adfs), in the AD FS Management console, navigate to Relying Party
Trusts, and then click Add Relying Party Trust.

On the Select Data Source page, select Import data about the relying party published online or on a
local network, enter the metadata URL for claimapp, and then click Next. Running FedUtil.exe
created a metadata .xml file. It is located at
https://webserv1.yyyyyyyyy.com/claimapp/federationmetadata/2007-06/federationmetadata.xml.

On the Specify Display Name page, specify the display name for your relying party trust, claimapp,
and then click Next.

On the Configure Multi-factor Authentication Now? page, select I do not want to specify
multi-factor authentication settings for this relying party trust at this time, and then click Next.

On the Choose Issuance Authorization Rules page, select Permit all users to access this relying
party, and then click Next.

On the Ready to Add Trust page, click Next.

On the Edit Claim Rules dialog box, click Add Rule.

On the Choose Rule Type page, select Send Claims Using a Custom Rule, and then click Next.

On the Configure Claim Rule page, in the Claim rule name box, type All Claims. In the Custom
rule box, type the following claim rule.

c:[ ]
 => issue(claim = c);

Click Finish, and then click OK.

This rule passes every claim the claims provider accepted straight through to claimapp, which is
what you want in order to see all issued claims in the sample application. For a real application,
replace it with rules that issue only the claim types the application needs.
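The same relying party trust created with the AD FS cmdlets on the adfs server, as an added example that is not part of the original walkthrough. It uses the claimapp metadata URL from the text, the permit-all authorization rule the wizard generates, and the pass-through transform rule above; it also shows a narrower transform rule set, an assumption about what a real application would need, that you can swap in once the lab is working.

```powershell
# Added example: relying party trust for claimapp from its published metadata.
$rpName   = 'claimapp'
$metadata = 'https://webserv1.yyyyyyyyy.com/claimapp/federationmetadata/2007-06/federationmetadata.xml'

# Lab rule from the walkthrough: pass through every incoming claim.
$passThroughAll = @'
@RuleName = "All Claims"
c:[]
 => issue(claim = c);
'@

# Narrower alternative (assumed application needs): UPN and group SIDs only.
$upnAndGroups = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
@RuleName = "Pass through group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
 => issue(claim = c);
'@

# "Permit all users to access this relying party" as a rule.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Identifier, endpoints and the application's certificate all come from the metadata;
    # monitoring keeps them in sync with the daily metadata updates FedUtil scheduled.
    Add-AdfsRelyingPartyTrust -Name $rpName `
                              -MetadataUrl $metadata `
                              -MonitoringEnabled $true -AutoUpdateEnabled $true `
                              -IssuanceAuthorizationRules $permitAll `
                              -IssuanceTransformRules $passThroughAll
}

# Checks: trust exists, identifier came from metadata, transform rules are the ones intended.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust $rpName was not created" }
if ($rp.Identifier -notcontains 'https://webserv1.yyyyyyyyy.com/claimapp/') {
    Write-Warning "Identifier from metadata is $($rp.Identifier -join ', '); check the application URI set in FedUtil"
}
if ($rp.IssuanceTransformRules -notmatch 'issue\(claim = c\)') { throw 'Transform rules were not applied' }
"Relying party trust $rpName created; identifier(s): $($rp.Identifier -join ', ')"

# When the lab works, tighten the issued claims:
# Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $upnAndGroups
```

Because the trust is imported from metadata, the identifier the page refers to must match the application URI you typed into FedUtil; if the two differ, AD FS reports an unknown relying party when the sample redirects to it.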
