Configure AD FS
Applies To: Windows Azure Pack
As the first step of enabling Active Directory Federation Services (AD FS) for Windows Azure Pack for Windows Server, you must configure AD FS as described in the following steps.
To configure AD FS
If you use an existing AD FS, do the following:
In AD FS, add the management portal for administrators and the management portal for tenants as relying parties, using the federation metadata address of each portal:
<Portal URI>/FederationMetadata/2007-06/FederationMetadata.xml
Replace <Portal URI> with the address of the management portal for administrators and, separately, the address of the management portal for tenants (one relying party trust per portal).
For example, https://www.contosotenant.com/FederationMetadata/2007-06/FederationMetadata.xml
Apply the following issuance transform rules to the relying party trust for the management portal for tenants:
- Transform AD Groups to 'Groups' Claims
- Transform email address to UPN Claims
Skip the remaining steps and go to Configure the management portals to trust AD FS.
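The relying-party registration and the two transform rules above, as an added PowerShell example that is not part of the original page and not Windows Azure Pack's own setup code. It assumes the ADFS module is available on the AD FS server, that the administrator portal is at https://www.contosoadmin.com (the tenant portal address is the page's own example), and that the portals consume the standard AD FS claim types used in the rule text (the Group claim type http://schemas.xmlsoap.org/claims/Group and the WS-Federation UPN and e-mail claim types); those claim types are an assumption, so confirm them against the portal configuration page the procedure refers you to.

```powershell
# Added example (not from the original page): register both portals as relying parties
# in an existing AD FS farm and attach the two transform rules to the tenant portal trust.
Import-Module ADFS

$adminPortal  = 'https://www.contosoadmin.com'    # assumption: management portal for administrators
$tenantPortal = 'https://www.contosotenant.com'   # the page's own tenant portal example
$metadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'

# Rule 1: look up the user's token groups in the Active Directory attribute store and issue
# one Group claim per group. Claim types are the standard AD FS ones (assumption, see lead-in).
$groupsRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Transform AD Groups to Groups Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Rule 2: copy the incoming e-mail address claim into a UPN claim, keeping value and issuer.
$upnRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform email address to UPN Claims"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# A relying party with no issuance authorization rule denies every sign-in, so grant
# access explicitly. Tighten this to a group check once the basic flow works.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function Add-PortalTrust {
    param(
        [string]$Name,
        [string]$PortalUri,
        [string]$TransformRules   # empty string: no transform rules attached
    )
    if (Get-AdfsRelyingPartyTrust -Name $Name) {
        Write-Warning "Relying party '$Name' already exists; leaving it unchanged"
        return
    }
    $params = @{
        Name                       = $Name
        MetadataUrl                = $PortalUri + $metadataPath   # AD FS pulls identifier and certs from here over HTTPS
        IssuanceAuthorizationRules = $permitAll
    }
    if ($TransformRules) { $params['IssuanceTransformRules'] = $TransformRules }
    Add-AdfsRelyingPartyTrust @params
}

# The page lists transform rules only for the tenant portal. A trust with no transform rules
# issues no claims at all, so add whatever the administrator portal requires (not given on this page).
Add-PortalTrust -Name 'Management Portal for Administrators' -PortalUri $adminPortal -TransformRules ''
Add-PortalTrust -Name 'Management Portal for Tenants' -PortalUri $tenantPortal -TransformRules ($groupsRule + "`n" + $upnRule)

# Check what AD FS recorded: the Identifier must equal the entityID from the portal's metadata,
# and the tenant trust must show both rule names.
Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like 'Management Portal*' } |
    Format-List Name, Identifier, MetadataUrl, IssuanceTransformRules
```

If Add-AdfsRelyingPartyTrust fails to fetch the metadata, the usual cause is that the AD FS server does not trust the portal's HTTPS certificate; import the issuing CA (or the self-signed portal certificate) into the server's Trusted Root store rather than working around the check, because the metadata carries the portal's signing certificate and must be fetched over a trusted channel.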
If you are setting up a new AD FS, enable the AD FS role on the machine that you want to use for AD FS.
Log on to the machine as a domain administrator. You have two options to configure AD FS: run the Install-AdfsFarm cmdlet directly, or run the script below.
Run the Install-AdfsFarm cmdlet to configure AD FS (type the parameter dashes as ordinary hyphens; a copied en dash is not recognized as a parameter):
Install-AdfsFarm -CertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SQLConnectionString <String>
You must provide the following information to run the Install-AdfsFarm cmdlet.
-CertificateThumbprint: Thumbprint of the SSL certificate for the federation service. The certificate must be installed in the local computer's personal store (Cert:\LocalMachine\My) and its subject or subject alternative name must match the federation service FQDN.
-FederationServiceName: Fully qualified domain name (FQDN) of the AD FS service, for example AzurePack-adfs.contoso.com.
-ServiceAccountCredential: Credential (PSCredential) of the domain service account under which AD FS runs.
-SQLConnectionString: Connection string to the Microsoft SQL Server instance that hosts the AD FS databases. Omit this parameter to use the Windows Internal Database instead.
Or, run the following script to configure AD FS.
Note
You must install makecert.exe before running this script. Alternatively, you can use IIS to create a self-signed certificate and pass the thumbprint in this script.
# Set these values:
$domainName = 'contoso.com'
$adfsPrefix = 'AzurePack-adfs'
$username   = 'username'
$password   = 'password'   # service account password; in a saved script prefer Get-Credential over a literal
$dnsName    = ($adfsPrefix + "." + $domainName)

# Generate a self-signed certificate for the federation service name
Import-Module -Name 'PKI','WebAdministration'
# You must install makecert.exe before running this script. Alternatively use the IIS UI to create
# a self-signed certificate and pass its thumbprint in this script.
$item = Get-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
if (!$item) {
    MakeCert.exe -n "CN=$dnsName" -r -pe -sky exchange -ss My -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1
    $cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -eq "CN=$dnsName" } | Select-Object -First 1
} else {
    # An HTTPS binding already exists on port 443: reuse the certificate bound to it
    $cert = Get-Item -Path ('Cert:\LocalMachine\My\' + $item.Thumbprint)
}
$thumbprint = $cert.Thumbprint

$securePassword = ConvertTo-SecureString -String $password -Force -AsPlainText
$adfsServiceCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($domainName + '\' + $username), $securePassword

# If you want to install AD FS with a SQL Server database, provide this data and keep the
# -SQLConnectionString argument below. To use the Windows Internal Database instead (which must
# be enabled before configuring AD FS), remove -SQLConnectionString from the Install-AdfsFarm call.
$dbServer   = 'AzurePack-SQL'
$dbUsername = 'sa'
$dbPassword = '<SQL_password>'
$adfsSqlConnectionString = [string]::Format('Data Source={0};Initial Catalog=master;User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword)

# Configure AD FS
Install-AdfsFarm `
    -CertificateThumbprint $thumbprint `
    -FederationServiceName $dnsName `
    -ServiceAccountCredential $adfsServiceCredential `
    -SQLConnectionString $adfsSqlConnectionString `
    -OverwriteConfiguration
Tip
If you get error messages about duplicate Service Principal Names (SPN), use the Setspn tool to remove and then re-add the SPN as follows. Run both commands from an elevated PowerShell window on the AD FS machine, in the same session as the script so that $dnsName and $username still hold their values; from a plain command prompt, substitute the federation service FQDN and the service account name.
- Remove the duplicate SPN from the service account:
setspn -u -d http/$dnsName $username
- Add the SPN back to the service account (-s checks for duplicates before adding):
setspn -u -s http/$dnsName $username
For more information on SPNs, see the MSDN page about Service Principal Names.
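A post-install check for the farm configured by the cmdlet or script above, covering the SPN condition from the tip as well. This is an added PowerShell example, not part of the original page and not Windows Azure Pack's own tooling. It assumes it runs on the AD FS server with the Windows Server 2012 R2 ADFS module (Get-AdfsSslCertificate and Get-AdfsProperties), and that $dnsName and $username are the same values used in the install script.

```powershell
# Added example (not from the original page): verify a freshly configured AD FS farm.
Import-Module ADFS

$dnsName  = 'AzurePack-adfs.contoso.com'   # assumption: matches $dnsName in the install script
$username = 'username'                     # assumption: the AD FS service account from the script
$problems = @()

# 1. The federation service is running.
if ((Get-Service -Name adfssrv).Status -ne 'Running') { $problems += 'adfssrv is not running' }

# 2. The farm answers to the FQDN that was passed as -FederationServiceName.
$hostName = (Get-AdfsProperties).HostName
if ($hostName -ne $dnsName) { $problems += "HostName is '$hostName', expected '$dnsName'" }

# 3. The SSL certificate AD FS bound for that name is present in LocalMachine\My and not expired.
$sslHash = (Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $dnsName }).CertificateHash
$cert = if ($sslHash) { Get-ChildItem "Cert:\LocalMachine\My\$sslHash" -ErrorAction SilentlyContinue }
if (-not $cert) { $problems += "no SSL certificate bound for $dnsName in LocalMachine\My" }
elseif ($cert.NotAfter -lt (Get-Date)) { $problems += "SSL certificate expired on $($cert.NotAfter)" }

# 4. The federation metadata the portals will consume is reachable and names the expected entity.
#    With a self-signed certificate this fails until the client trusts it; fix the trust store,
#    do not disable certificate validation.
$metadataUrl = "https://$dnsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    $entityId = $md.EntityDescriptor.entityID
    if ($entityId -ne "http://$dnsName/adfs/services/trust") { $problems += "metadata entityID is '$entityId'" }
} catch {
    $problems += "metadata fetch failed: $($_.Exception.Message)"
}

# 5. Exactly one account holds the HTTP SPN for the service name (the duplicate-SPN case in the tip).
#    setspn -Q prints the distinguished name of each account that holds the SPN.
$spnOwners = @(setspn -Q "http/$dnsName" | Where-Object { $_ -match '^CN=' })
if ($spnOwners.Count -ne 1) {
    $problems += "http/$dnsName is held by $($spnOwners.Count) accounts: $($spnOwners -join '; ')"
} elseif ($spnOwners[0] -notmatch "^CN=$([regex]::Escape($username))," ) {
    $problems += "http/$dnsName is held by $($spnOwners[0]), not by $username"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'AD FS farm checks passed' }
```

Run it before moving on to configuring the management portals to trust AD FS: a wrong HostName, an untrusted certificate, or a duplicate SPN each show up here as a clear message, whereas from the portal side they all look like a generic sign-in failure.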