Checklist: Setting up a Federation Server (ADFS) for use with Office 365 on Windows Server 2008/R2
May 22, 2015


Hello to everyone !!!

I hope that you all have been keeping busy with I.T. related things. I have been doing quite a bit of Office 365 work with customers recently, and have been spending a lot of that time setting up ADFS solutions for customers onboarding into the O365 cloud. While that is always exciting work, and technically challenging at times, it does not have to be complicated if you take your time and plan out exactly what you need to do in order to be successful.

To that end, the following checklist will prove to be helpful for those of you staring down the face of a ADFS / O365 integration solution. The checklist will walk you through the logical steps associated with the deployment and integration, as well as providing you links to all of the necessary Microsoft TechNet documentation to support that step.

Checklist: Setting Up a Federation Server

This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server 2008/2008R2 for the federation server role in Active Directory Federation Services (AD FS) 2.0.

You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.

Checklist: Setting up a federation server




Before you begin deploying your AD FS 2.0 federation servers, review the; 1.) advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database 2.) AD FS 2.0 deployment topology types and their associated server placement and network layout recommendations. Determine Your AD FS 2.0 Deployment TopologyAD FS 2.0 Deployment Topology Considerations
Review AD FS 2.0 capacity planning guidance to determine the proper number of federation servers you should use in your production environment. Planning for Federation Server Capacity
Review information in the AD FS 2.0 Design Guide about where to place federation servers in your organization Planning Federation Server PlacementWhere to Place a Federation Server
Determine whether a stand-alone federation server or a federation server farm is better for your deployment. When to Create a Federation ServerWhen to Create a Federation Server Farm
Determine whether this new federation server will be created in the account partner organization or in the resource partner organization. Review the Role of the Federation Server in the Account PartnerReview the Role of the Federation Server in the Resource Partner
Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests.

Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate the AD FS 2.0 Federation Service to enterprise clients. Therefore, it is recommended that you use a fully qualified domain name (FQDN) such as and only use SSL certificates issued to the FQDN of your Federation Service.
Certificate Requirements for Federation Servers
Review information about how to update the corporate network Domain Name System (DNS) so that successful name resolution to federation servers can occur. Name Resolution Requirements for Federation Servers
Join the computer that will become the federation server to a domain in the account partner forest or resource partner forest where it will be used to authenticate the users of that forest or from trusting forests.

If you want to set up a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests.
Join a Computer to a Domain
Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server. Add a Host (A) Resource Record to Corporate DNS for a Federation Server
(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate.Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm.

The AD FS 2.0 Management snap-in refers to server authentication certificates for federation servers as service communication certificates.
Export the Private Key Portion of a Server Authentication Certificate
After you obtain a server authentication certificate (or private key) from a certification authority (CA), you must then import the certificate file to the default Web site for each federation server.

Installing this certificate on the default Web site is a requirement before you can use the AD FS 2.0 Federation Server Configuration Wizard.
Import a Server Authentication Certificate to the Default Web Site
(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use Internet Information Services (IIS) 7.0 to create a sample certificate for your federation server.

It is not a security best practice to deploy a federation server in a production environment by using a self-signed server authentication certificate.
IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 and then complete the procedure Import a Server Authentication Certificate to the Default Web Site
If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside and configure each federation server in the farm to use this account. By performing this procedure, you will allow clients on the corporate network to authenticate to any of the federation servers in the farm using Windows Integrated Authentication. Manually Configure a Service Account for a Federation Server Farm
Install the AD FS 2.0 software. Install the AD FS 2.0 Software
Configure the AD FS 2.0 software on the computer to act in the federation server role by using the AD FS 2.0 Federation Server Configuration Wizard.Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm or join a computer to an existing federation server farm.

For the Federated Web Single Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization.
Create a Stand-Alone Federation ServerCreate the First Federation Server in a Federation Server FarmAdd a Federation Server to a Federation Server Farm
(Optional) Use the AD FS 2.0 Management snap-in to add and configure the necessary AD FS 2.0 certificates required to deploy your design. For more information about when to add or change certificates using the snap-in, see Certificate Requirements for Federation Servers. Add a Token-Signing CertificateAdd a Token-Decrypting CertificateSet a Service Communications Certificate
If this is the first federation server in your organization, configure the Federation Service so that it conforms to your AD FS 2.0 design. Checklist: Configuring the Account Partner OrganizationChecklist: Configuring the Resource Partner Organization
From a client computer, verify that the federation server is operational. Verify That a Federation Server Is Operational




No comment found.

Leave a new comment


Please enter a keyword.

Recent Posts


Copyright © 2020 New Horizons Worldwid, Inc. All rights reserved.