Installing AD FS High Cost Training

Video Statistics and Information

Captions
Welcome to ITFreeTraining's next video in the Federation Services course. In this video, I will look at installing and configuring Active Directory Federation Services in the resource partner organization. In the previous videos, I installed and configured Active Directory Federation Services in the account partner organization in the domain ITFreeTraining. In this video, I will install and perform the basic configuration of Active Directory Federation Services for use in the resource organization for the domain HighCostTraining.

In this video, I will install a certificate authority and Active Directory Federation Services on the same server to make things simple. In the real world, you may not have a certificate infrastructure configured which you could use with Active Directory Federation Services. If you do not, consider having a look at our videos on how to deploy certificates in your organization. This video only looks at a quick way to get Active Directory Federation Services in a testing or lab environment. Without further ado, I will now change to my Windows Server 2012 R2 computer to have a look at how to install and configure Active Directory Federation Services.

First of all, I need to install the Active Directory Federation Services and certificate authority roles. To do this, I will open Server Manager, and once Server Manager is open, select the option Add Roles and Features. For the first few screens of the Add Roles and Features wizard, I will accept the defaults, since I am adding the roles to the local server. Once I am on the Select Roles screen, I will select the role Active Directory Certificate Services. Once selected, I will press the Add Features button when prompted to add the additional features the role requires. Once the features have been added, I next need to select the role Active Directory Federation Services. Once selected, I will move on to the feature selection screen. In this case, I do not need to add any additional features, so I will press Next and move on. The
next screen is the welcome screen for Certificate Services, which tells you some more information about the role. Once I move on to the next screen, I need to select which components I want to install. In this case, I only need basic certificate services, so I will leave only the default option of Certification Authority selected and move on. The next screen is the welcome screen for Federation Services, so I will press Next, which will take me to the Confirm Installation Selections screen, where I can press Install to install the two roles. The install does take a minute or two to complete, so I will pause the video and return shortly.

Once the install is complete, I next need to configure the two roles. Once I exit out of the Add Roles and Features wizard, I will select the exclamation mark and then select Configure Active Directory Certificate Services on the destination server to perform the post-configuration for the role. The first screen will ask for a username and password to use with the post-configuration wizard. The user currently logged in will automatically be added, which has enough access, so I will leave it on this option and move on. On the next screen, I need to choose which components of Certificate Services I want to configure. This is quite simple, as I only installed the component Certification Authority, so I will select that component and move on.

On the next screen, I will select Standalone CA. If you are using a third-party CA, the process will be the same for requesting the certificate. In this case, installing the CA on the same server is just an easy way to obtain the required certificate for the install. On the next screen, I will select Root CA. Once again, this will work well for a test environment, but in a production environment you would most likely have the root CA on a different server for security reasons alone. On the next few screens, I will accept all the default options until I get to the last screen and then press Configure to configure the role. Configuration
only takes a couple of seconds. Once complete, I will close out of here and right-click on the Start icon to obtain the quick launch menu. From here, I will enter in MMC. MMC is Microsoft Management Console, which gives the administrator a customizable interface to which they can add the admin tools they want to use. In this case, there is no shortcut in Administrative Tools to access the local certificates on the computer, so I need to access it through MMC.

From MMC, select the File option and then select the option Add/Remove Snap-in. This will show all the snap-ins available on this computer, from which I will select Certificates and then press the button Add. Once I press Add, I need to select which certificates I want to show in the interface. In this case, I want the certificates the server will use, so I will select the option Computer Account and press Next. On the next screen, I can choose a remote computer to view certificates on if I wanted to, but in this case I will leave it on the default option of Local Computer and finish the wizard.

If I expand down to Certificates under Personal, I can see there is already one certificate here. This certificate is created by default by Windows and cannot be used with Active Directory Federation Services, so I need to create another one. To create the request, I will right-click on Certificates, select All Tasks, Advanced Operations, and then select the option Create Custom Request. This will launch the Certificate Enrollment wizard, which allows a request to be created for a new certificate that I can use with my certificate authority.

Once I go past the welcome screen, on the next screen I need to select which enrollment policy I want to use. Enrollment is the process of obtaining a certificate automatically. In this case, I will transfer the request file manually to the CA, so I will select the option Proceed without enrollment policy and move on to the next screen. On the next screen, I need to select a template. For this example, I will select the option no
template legacy key. Active Directory Federation Services requires the private key in the certificate in order to operate, and this option allows the private key to be exported without any issues. The request format I will leave on the default option. The next screen will show some information about the certificate that I'm about to request, but I want to make some changes before I complete the wizard. To do this, I will select the down arrow next to Details and then press the Properties button.

The properties will open to the General tab. On the General tab, I will enter in a friendly name and a description. Neither of these affects the operation of the certificate; however, they do make it easier for other administrators to determine what the certificates are being used for.

If I select the Subject tab, there are some options that need to be configured here to identify which server this certificate will be used with. If these options are not set correctly, the certificate will not work with Active Directory Federation Services. Under Subject name, I will select Common name from the drop-down box. Next, I will enter in the fully qualified domain name for the server. Once entered, I will press the Add button. For this certificate, I will also enter in an alternative name. I can do this by selecting DNS from the pull-down menu and then entering the fully qualified domain name of the server. Once entered, I will press the Add button to add it.

The next option that I will configure is on the Extensions tab. On the Extensions tab, I will expand the section Extended Key Usage. Under this section, I will add the options Server Authentication and Client Authentication.

Now that these two options have been added, I will select the next tab, Private Key. Under the section Key options, I will expand it and firstly change the key size to 2048. This is the minimum size for Active Directory Federation Services recommended by Microsoft. Bigger keys offer better security but also may have compatibility problems, so 2048
is a good size to choose. Next, I need to make sure that the option Make private key exportable is ticked. If this option is not ticked, Active Directory Federation Services will not be able to use the certificate. Once the certificate request or certificate is created, this option cannot be changed later on. These are all the options that need to be configured, so I will press OK and then move on to the next screen of the wizard. On this screen, I need to enter in the file name to save the certificate request to. In this case, I will save the file to the desktop. Once the file name is entered, I can press Finish to create the certificate request file, which will be saved to the desktop.

The next step is to create the certificate that will be used with Active Directory Federation Services. To do this, I will close MMC and then select Certification Authority from under the Tools menu. Once Certification Authority has loaded, I will right-click the server at the top, select All Tasks, and then select Submit new request. It is just a matter of browsing to the desktop and selecting the certificate request file that I saved earlier. In a production environment, this step would be performed by emailing the file to another administrator to create the certificate, or possibly uploading it to a certificate authority using a webpage.

In this case, once the file has been loaded, if I now select the container Pending Requests, I can see the certificate request. To issue the certificate, all I need to do is right-click the request and under All Tasks select Issue. Once the certificate has been issued, I can see this new certificate under Issued Certificates. If I double left-click the certificate to open the certificate, I can see the information about it. Even though the certificate is being stored in the certificate authority on this server, I need to copy it to the local certificate store so that Federation Services can access it. To do this, I will select the Details tab and then press the button at the
bottom, copy to file, to launch the Certificate Export Wizard. Once I am past the welcome screen, on the next screen I need to select which format to export the certificate in. In this case, the default option will work fine, so I will leave it on this option and move on. On the next screen, I need to select a file name, so I will browse to the desktop and save the certificate file there. Once the file name has been entered in, it is just a matter of completing the wizard and the certificate will be exported to the desktop.

Now that the certificate has been exported, I can close all these windows and Server Manager to see the certificate on the desktop. If I now double-click on the certificate, this will open the certificate, but more importantly I can press the button Install Certificate to start the Certificate Import Wizard. From the import wizard, I first need to make sure the option for store location is set to Local Machine. Once I press Next, the wizard will next ask where I want to store the certificate. Windows will look at the attributes of the certificate and attempt to locate the best place to store it. In this case, I know the attributes were configured correctly and thus Windows will store the certificate in the correct place, so I will press Next and press Finish to complete the wizard. If you find the certificate is not stored in the correct location, you may need to manually tell Windows where to store the certificate.

Now that the certificate has been imported to the local store, I can close these windows and go back to Server Manager. The next step that needs to be completed is to configure Active Directory Federation Services. To do this, I will select the exclamation mark and select the option Configure the federation service on this server. On the welcome screen, I will leave it on the default option of Create the first federation server in a federation server farm, since this is the first Active Directory Federation server that will be configured on this network. On the next screen I
need to configure which user will be used for the configuration wizard. The user that I am currently logged in with has enough access, so I will leave it on the default and move on. On this screen, I need to select which certificate to use. Notice that when I select the pull-down arrow, the wizard has found the certificate that I created earlier. I will also enter a display name for this server. Once done, I will move on to the next screen of the wizard.

On the next screen of the wizard, I need to select or create a managed service account to run Active Directory Federation Services with. Notice that at the top I have a warning message, and when I press Show more, I get a dialog box stating that a PowerShell command needs to be run before a managed service account can be created. In order to run this PowerShell command, I need to run the command on a server that has Active Directory admin tools installed, which this server does not. For this reason, I will go back to Server Manager, right-click All Servers, and select Add Servers. From Add Servers, I will press Find Now, locate a domain controller, and then add it. Once the domain controller has been added, if I now right-click on the domain controller, I can select the option for PowerShell, and a PowerShell window will open that is running on that server. Once running, I will enter in the command that Server Manager asked me to run. The command only takes a second or two to run.

Once the command is completed, I will now exit out of PowerShell and go back to the post-configuration wizard for Active Directory Federation Services. The PowerShell command has been run, but I need to press Back and press Next again to refresh the wizard. Notice that I can now select the option Create a Group Managed Service Account and enter in a service account name, and once entered, move on to the next screen. On the next screen, I need to select which database to use. There is no SQL Server on this network, so I will select the default option of using the Windows
Internal Database and move on. The next screen will allow me to review the options that I have selected in the wizard. Once I press Next, on the next screen of the wizard I will do a quick prerequisites check. Notice that there is a warning message stating that the root key for the managed service account has just been created. By default, this key will not be usable for 10 hours. This is the root key I just entered a moment ago using PowerShell. The reason behind this is that it gives Active Directory time to replicate the key to other domain controllers. What this essentially means is that the service that runs Active Directory Federation Services may not work correctly for 10 hours.

To finish the configuration of Active Directory Federation Services, I can now press the button Configure. Active Directory Federation Services will now be configured, which takes a few minutes, so I will pause the video and return shortly.

The configuration of Active Directory Federation Services is now complete. If I close the wizard and go back to Server Manager, then select the Tools menu and select AD FS Management, this will open the Active Directory Federation management tool. Notice that the tool is fully functional, meaning Active Directory Federation Services is now ready to go, but that configuration I will leave to our upcoming videos.

Well, I hope you liked this video, and I hope to see you in our other videos from this course and other courses. Thanks for watching and see you next time.
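
A check for the certificate settings the video configures (common name and DNS alternative name, both extended key usages, 2048-bit key, exportable private key), as an added PowerShell example that is not part of the video. The FQDN `adfs.example.test` is a placeholder, and the key-size and exportability checks assume Windows PowerShell with a legacy CSP key, as selected in the walkthrough.

```powershell
# Added example: audit certificates in the local computer's Personal store
# against the request settings described in the transcript.
param(
    [string]$Fqdn = 'adfs.example.test'   # placeholder: the AD FS server's FQDN
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$sanOid     = '2.5.29.17'           # Subject Alternative Name extension OID

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Render the SAN extension as text; the label text is locale dependent,
    # so only the FQDN itself is matched.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Exportability is readable for legacy CSP keys; other key types may
    # return nothing or throw, which is reported as $null (unknown).
    $exportable = $null
    try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CommonNameOk  = ($cert.GetNameInfo('SimpleName', $false) -eq $Fqdn)
        SanDnsOk      = ($sanText -match [regex]::Escape($Fqdn))
        ServerAuthEku = ($ekus -contains $serverAuth)
        ClientAuthEku = ($ekus -contains $clientAuth)
        KeySizeOk     = ($cert.PublicKey.Key.KeySize -ge 2048)
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
        NotAfter      = $cert.NotAfter
    }
} | Format-Table -AutoSize
```

A certificate that is suitable under the walkthrough's settings shows `True` in every check column; the default Windows-created certificate mentioned in the transcript will normally fail one or more of them.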
Info
Channel: itfreetraining
Views: 16,433
Rating: 4.9545455 out of 5
Keywords: Active Directory Federation Services, ITFreeTraining
Id: uQPolzguADg
Length: 17min 25sec (1045 seconds)
Published: Tue Jul 22 2014