The AD FS service in Windows 2012 R2 provides simplified, secure claims-based identity federation and web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
ADFS has undergone many changes in Windows 2012 R2. The new improvements in ADFS are:
Prerequisites – Before you install the ADFS service, make sure the following prerequisites are met:
You need a third-party certificate for the ADFS service that is trusted by clients. The following subject names are required in the certificate:
Subject Name (CN): adfs1.contoso.com (or whatever the name of your ADFS service is)
Subject Alternative Name (DNS): adfs1.contoso.com
Subject Alternative Name (DNS): enterpriseregistration.contoso.com (for the device registration service, which clients use to reach device registration)
This certificate should be installed on the federation server as well as on the Web Application Proxy server.
ADFS Service account
Create a group managed service account (gMSA) that is used as the ADFS service account while installing ADFS. The FSGMSA group managed service account is used in this demo.
DNS service records
Create an A record for the ADFS service that points to the ADFS farm or the standalone ADFS server.
Create an alias for the device registration service, i.e. enterpriseregistration.contoso.com, that points to the ADFS server.
Configure name resolution between the ADFS federation server and the Web Application Proxy.
Installing ADFS federation server:
Click Next > Next > Next > Install to install the ADFS role.
Initialize the ADDeviceRegistration service on the ADFS server.
Enable the ADFS Device Registration service.
Enable device authentication in ADFS management console:
Try the following methods to test the functionality of ADFS service:
https://adfs1.contoso.com/federationmetadata/2007-06/federationmetadata.xml - this should return the federation metadata XML file
- This should return the ADFS login page
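The following PowerShell script is an added example, not part of the original post: it checks the prerequisites listed above (certificate subject and SAN entries, DNS records for the service and device registration names) and then requests the federation metadata endpoint, so a deployment can be verified before the Web Application Proxy is added. It assumes the demo names adfs1.contoso.com and enterpriseregistration.contoso.com; replace them with your own service names.

```powershell
# Added example, not from the original post. Assumed names from the demo:
$AdfsFqdn = 'adfs1.contoso.com'
$DrsFqdn  = 'enterpriseregistration.contoso.com'

# 1. Certificate: find the newest cert in the machine store whose subject is the
#    ADFS service name, then confirm both required SAN entries and validity.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($AdfsFqdn))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with CN=$AdfsFqdn found in LocalMachine\My"
} else {
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    foreach ($name in @($AdfsFqdn, $DrsFqdn)) {
        if ($sanText -match [regex]::Escape($name)) { "SAN OK: $name" }
        else { Write-Warning "SAN entry missing from certificate: $name" }
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
}

# 2. DNS: the A record for the service and the alias for device registration
#    must both resolve from the machine running this check.
foreach ($name in @($AdfsFqdn, $DrsFqdn)) {
    try {
        $answers = Resolve-DnsName -Name $name -ErrorAction Stop
        $ips = ($answers | Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ', '
        "DNS OK: $name -> $ips"
    } catch {
        Write-Warning "DNS lookup failed for ${name}: $($_.Exception.Message)"
    }
}

# 3. Federation metadata endpoint: must answer over HTTPS with well-formed XML.
#    A TLS error here usually means the certificate above is not trusted by this client.
$metadataUrl = "https://$AdfsFqdn/federationmetadata/2007-06/federationmetadata.xml"
try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    [xml]$metadata = $response.Content
    "Metadata OK: entityID = $($metadata.EntityDescriptor.entityID)"
} catch {
    Write-Warning "Metadata request failed: $($_.Exception.Message)"
}
```

Run it on the federation server first, then from a domain-joined client, since the client run is what proves the certificate chain and DNS aliases are correct from the user's side.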
In the next section we will look at the Web Application Proxy, which has replaced the ADFS Proxy role in Windows 2012 R2.