

AD FS 2.0: How to Perform an Unattended Installation of an AD FS 2.0 STS or Proxy

Summary

 

  • The steps below detail how to perform an unattended installation and initial configuration of an AD FS 2.0 STS or Proxy

 

Unattended Installation of AD FS 2.0 Server

  • Installation of AD FS 2.0 Server from the command line is accomplished using ADFSSetup.exe /quiet
  • I recommend using the "start /w" command in conjunction with ADFSSetup.exe /quiet so that the command waits for ADFSSetup.exe to return before the script continues
  • Example: start /w adfssetup.exe /quiet

 

Unattended Installation of AD FS 2.0 Proxy

  • Installation of AD FS 2.0 Proxy from the command line is accomplished using ADFSSetup.exe /proxy /quiet
  • I recommend using the "start /w" command in conjunction with ADFSSetup.exe /proxy /quiet so that the command waits for ADFSSetup.exe to return before the script continues
  • Example: start /w adfssetup.exe /proxy /quiet

 

Unattended Initial Configuration of AD FS 2.0 Server

  • Initial configuration of AD FS 2.0 Server from the command line is accomplished using FsConfig.exe located in %programfiles%\Active Directory Federation Services 2.0\
  • Syntax: fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [Deployment Specific Parameters]
  • Select a configuration mode
    • StandAlone - This installs a standalone STS. No farm or SQL options available here.
    • CreateFarm - Creates a new federation server farm and uses Windows Internal Database (WID) to store configuration settings
    • CreateSQLFarm - Creates a new federation server farm and uses SQL Server to store configuration settings.
    • JoinFarm - Joins this computer to an existing federation server farm that is using Windows Internal Database (WID)
    • JoinSQLFarm - Joins this computer to an existing federation server farm that is using a remote SQL Server database for configuration settings.
  • Define your deployment specific parameters
    • Use "/help" after the mode parameter to see which deployment specific parameters are available for your chosen mode
    • Example: FsConfig.exe standalone /help

 

Unattended Initial Configuration of AD FS 2.0 Proxy

  • Initial configuration of AD FS 2.0 Proxy from the command line is accomplished using FspConfigWizard.exe located in %programfiles%\Active Directory Federation Services 2.0\
  • Syntax: FspConfigWizard.exe /hostname {hostname_of_STS} /Username {svc_account_or_FS_local_admin_account} /Password {password_for_Username} [/ForwardProxy {DNS_name_and_port_of_HTTP_proxy}]
  • Hostname (required) - Specifies the internal Federation Service name
  • Username (required) - Specifies the user context used to establish the proxy trust with the Federation Service
  • Password (required) - Specifies the password for the Username account
  • ForwardProxy (optional) - specifies DNS name and port of an HTTP proxy
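As an added example that is not part of the original article, the following PowerShell script chains the install and initial-configuration steps above for either role, using Start-Process -Wait as the PowerShell equivalent of "start /w" and checking each exit code before moving on. The setup path, Federation Service name, account, password and thumbprint are placeholders, and the CreateFarm parameter names are assumptions to confirm with FsConfig.exe CreateFarm /help, as the article advises.

```powershell
# Added example (not from the original article): unattended AD FS 2.0 STS or Proxy
# install plus initial configuration, with exit-code checks between the steps.
param(
    [ValidateSet('STS','Proxy')][string]$Role = 'STS',
    [string]$SetupPath       = 'C:\Install\AdfsSetup.exe',   # assumed path to the AD FS 2.0 setup package
    [string]$FederationName  = 'fs.example.com',             # assumed Federation Service name
    [string]$ServiceAccount  = 'EXAMPLE\svc_adfs',           # assumed service / FS admin account
    [string]$AccountPassword = 'ReplaceMe',                  # placeholder; supply from a vault at run time
    [string]$CertThumbprint  = '0000000000000000000000000000000000000000'  # placeholder thumbprint
)

# PowerShell equivalent of "start /w": -Wait blocks until the process exits, -PassThru returns it
function Invoke-Step([string]$Exe, [string[]]$Arguments) {
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$adfsDir = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0'

# 1. Silent install; /proxy selects the proxy role
$setupArgs = @('/quiet')
if ($Role -eq 'Proxy') { $setupArgs = @('/proxy', '/quiet') }
$rc = Invoke-Step $SetupPath $setupArgs
switch ($rc) {
    0       { Write-Host "AD FS 2.0 $Role installed" }
    3010    { Write-Warning 'Installed, but a reboot is required before configuration'; exit 3010 }  # Windows Installer reboot code (assumed)
    default { throw "ADFSSetup.exe failed with exit code $rc" }
}

# 2. Initial configuration
if ($Role -eq 'STS') {
    # First node of a WID farm; parameter names are assumptions, confirm with "FsConfig.exe CreateFarm /help"
    $rc = Invoke-Step (Join-Path $adfsDir 'FsConfig.exe') @(
        'CreateFarm',
        '/ServiceAccount', $ServiceAccount,
        '/ServiceAccountPassword', $AccountPassword,
        '/FederationServiceName', $FederationName,
        '/CertThumbprint', $CertThumbprint)
} else {
    # Proxy trust with the internal Federation Service (parameters from the article's syntax line)
    $rc = Invoke-Step (Join-Path $adfsDir 'FspConfigWizard.exe') @(
        '/hostname', $FederationName,
        '/Username', $ServiceAccount,
        '/Password', $AccountPassword)
}
if ($rc -ne 0) { throw "$Role configuration failed with exit code $rc" }
```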

 

More Information

 

  • The following information details how to perform unattended installations of other required components which may help you to script the entire installation

 

Installation of IIS 7.0 or IIS 7.5 (unattended)

  • This is not likely to be used since AD FS 2.0 installs IIS automatically for you, but I am including the syntax here in case you want to install specific Web Server Role Features that AD FS 2.0 might leave out
  • From: http://learn.iis.net/page.aspx/29/install-iis-7-on-windows-server-2008-or-windows-server-2008-r2/
  • IIS 7.5:
    • CMD /C START /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
  • IIS 7.0:
    • cmd /c start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

 

Import certificate with private key into the local computer store (unattended)

  • certutil -f -importpfx -p {your_pfx_password} {path_to_your_pfx}

 

Bind your SSL certificate to the Default Web Site (unattended with powershell)

You'll have to either prompt the user for $certname and $certpass or hard-code them in the script

#install powershell
servermanagercmd.exe -install PowerShell
#add cert
certutil -f -importpfx -p $certpass $certname
#load the IIS provider (New-WebBinding and the IIS:\ drive)
Import-Module WebAdministration
#assign .pfx to iis: create the https binding on the Default Web Site
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

#Get thumbprint for specific cert (first certificate whose subject CN matches $certname)
$a = Get-ChildItem cert:\LocalMachine\My | Where-Object {$_.Subject -like "CN=$certname*"} | Select-Object -First 1
#bind that certificate to the https listener on all addresses, port 443
Get-Item "cert:\LocalMachine\My\$($a.Thumbprint)" | New-Item IIS:\SslBindings\0.0.0.0!443
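An added example, not from the original article, that checks the certificate and the port 443 binding the steps above are meant to produce before FsConfig.exe is run; the Federation Service name is an assumption.

```powershell
# Added example (not from the original article): verify the SSL prerequisites on the
# STS before running FsConfig.exe. The Federation Service name below is assumed.
Import-Module WebAdministration   # provides Get-WebBinding and the IIS:\ drive

function Test-AdfsSslPrereqs([string]$FederationName) {
    $problems = @()

    # 1. Newest certificate in the computer store whose subject CN is the FS name
    $cert = Get-ChildItem cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FederationName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("No certificate for CN=$FederationName in cert:\LocalMachine\My") }
    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key (import the .pfx, not a .cer)' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }

    # 2. The Default Web Site must have an https binding...
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
    if (-not $binding) { $problems += 'Default Web Site has no https binding' }

    # 3. ...and the 0.0.0.0!443 SSL binding must point at this certificate
    $ssl = Get-Item IIS:\SslBindings\0.0.0.0!443 -ErrorAction SilentlyContinue
    if (-not $ssl) {
        $problems += 'No SSL binding on 0.0.0.0:443'
    } elseif ($ssl.Thumbprint -ne $cert.Thumbprint) {
        $problems += "Port 443 is bound to $($ssl.Thumbprint), not $($cert.Thumbprint)"
    }
    return $problems
}

$issues = Test-AdfsSslPrereqs -FederationName 'fs.example.com'   # assumed FS name
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'SSL prerequisites are in place; FsConfig.exe can be run'
```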

Bind your SSL certificate to the Default Web Site (unattended)

  • From: http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-70/

Set oIIS = GetObject("winmgmts:root\WebAdministration")

'''''''''''''''''''''''''''''''''''''''''''''
' CREATE SSL BINDING
'''''''''''''''''''''''''''''''''''''''''''''
' Parameters: IP address, port, certificate thumbprint (hash), certificate store name
' The hash below is the sample value from the IIS.net article; replace it with your own
oIIS.Get("SSLBinding").Create _
    "*", 443, "4dc67e0ca1d9ac7dd4efb3daaeb15d708c9184f8", "MY"

'''''''''''''''''''''''''''''''''''''''''''''
' ADD SSL BINDING TO SITE
'''''''''''''''''''''''''''''''''''''''''''''
Set oBinding = oIIS.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:443:"
oBinding.Protocol = "https"

Set oSite = oIIS.Get("Site.Name='Default Web Site'")
arrBindings = oSite.Bindings
ReDim Preserve arrBindings(UBound(arrBindings) + 1)
Set arrBindings(UBound(arrBindings)) = oBinding
oSite.Bindings = arrBindings

' Commit the modified site object back to IIS
Set oPath = oSite.Put_
    
 

*Optional - Require SSL on the Default Web Site (unattended)

  • %windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:Ssl