SharePoint 2013 and ADFS 2.0 Step By Step Part 1

One of my more recent headaches has been setting up an ADFS environment on some lab servers to try to replicate an issue one of our customers had in their environment. My knowledge of ADFS was average at best before this venture, and finding good articles that actually helped was not as easy as I thought it would be. I could find several that covered a “test environment” install, but what if you need to do this in production?

I hope to address some of these issues in this series of posts.  There are a few resources that I used to help out here:

Firstly, Steve Peschka’s guide. Try as I might, I simply could not get things working with this guide alone, but it does provide good explanations of the steps involved:

http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

A useful article that filled in some of the gaps I found here:

http://dynamics-crm2011.blogspot.co.uk/2011/11/sharepoint-2010-and-adfs-20-complete.html

This guide is intended to be a complete step by step so that I (and you) can get this right first time in future.

The Lab Environment

In my Lab environment I have the following Set up:

  • Domain:  SharePoint.Local
  • All servers are joined to the SharePoint.local domain.
  • AD1 – Domain Controller for SharePoint.local
  • SP1 – SharePoint 2013 Server
  • SQL1 – SQL Server
  • ADFS1 – ADFS Server, joined to the SharePoint.local domain

Here is a visual layout of the goal here:

[Image: 0_diagram – lab layout]

This is basically what we are looking to configure. We have a SharePoint 2010/2013 farm in the SharePoint.local domain. We also have an AD Domain Controller and an ADFS 2.0 server, also joined to the SharePoint.local domain.

Here is the claims process we are looking to achieve:

  1. The client browses to https://portal.contoso.com.
  2. SharePoint receives the request and, because that zone uses the trusted identity provider, redirects the client to https://logon.contoso.com/adfs/ls with a WS-Federation sign-in request (wa=wsignin1.0 plus a wtrealm that identifies the SharePoint web application).
  3. ADFS receives the request and presents a login form for the user to enter their credentials.
  4. ADFS checks these credentials against its attribute store – in this case Active Directory.
  5. AD authenticates the user.
  6. ADFS issues a signed SAML token containing the claims (in our example emailaddress, role and upn) and returns it to the client.
  7. The client posts the token back to SharePoint at https://portal.contoso.com/_trust/. SharePoint accepts the claims because the token is signed with the token-signing certificate it has been configured to trust; the identity claim (the e-mail address here) becomes the user’s identity in SharePoint.

Some requirements:

Certificates

Besides the usual SSL certificate for the SharePoint web application, you will need two certificates for ADFS web SSO:

1. Service communications certificate

   a. Used for the ADFS logon pages and endpoints (in this example logon.contoso.com), so its subject must match that name.

   b. This should be a publicly trusted certificate if employees will reach the logon page externally; an internal CA is fine as long as every client trusts it.

   c. This is an ordinary SSL/TLS server certificate.

2. Token-signing certificate

   a. Used to sign the tokens issued to SharePoint (in this example tokensigning.contoso.com; see the note on self-signed certificates below). SharePoint trusts the claims in a token purely because this signature verifies, so the private key must never leave the ADFS servers.

   b. This can be a public certificate or one issued by your internal CA.

   c. It can be any kind of certificate; I used an SSL certificate.

   d. It should have a 2048-bit key. 1024-bit works but generates a warning in ADFS 2.0.

3. Since the ADFS 2.0 setup also installs IIS, you can generate the certificate requests from the IIS console and submit them to your CA (if you are testing in a lab).

Note: during testing I did not manage to get this working with self-signed certificates, so use a CA for ALL the certificates even in a lab. SharePoint’s STS validates the full chain of the token-signing certificate against its own trust store (Central Administration > Security > Manage Trust), so whichever CA you use, its root (and any intermediate) certificate has to be added there; this is covered later in this guide.

DNS also needs to be configured so the client can locate the ADFS server at logon.contoso.com

Installation Steps

This article presumes that you already have a fully functional AD, SQL and SharePoint 2010/2013 farm up and running, using the default Windows NTLM or Kerberos as the authentication method.

So the first thing we need is to have an ADFS server joined to our Domain then we can start the ADFS 2.0 installation.

ADFS Installation

1. Download the installer from http://www.microsoft.com/en-gb/download/details.aspx?id=10909

2. Run AdfsSetup.exe to begin the wizard.

3. At the Server Role screen choose Federation Server

4. Next your way through the rest of the installation.

5. Once this has completed Select Finish to Start the AD FS 2.0 Management snap-in, but do not run the Configuration wizard yet

Service Accounts

When you configure ADFS 2.0 you can choose between a stand-alone federation server and a federation server farm (to which you can add servers later). It is a good idea to configure a farm even if you will only ever run a single server, because it leaves room to grow. The difference is that the farm configuration needs an AD service account with an SPN registered for the federation service name. So in this step we create the service account and register the SPN.

Open Active Directory Users and Computers and create a user (in this example Adfs_svc in the SharePoint.local domain). Give it a strong password and do not add it to any privileged groups; an ordinary domain user is all the AD FS service needs.

To add the SPN to the user, from a command line:

setspn -a host/logon.contoso.com Adfs_svc

The SPN must be unique in the forest. A duplicate registered on another account (for example a server’s computer account left over from an earlier test) breaks Kerberos authentication to the federation service.
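As an added example (not from the original post), here is the same step as a PowerShell script, with the duplicate-SPN check and the verification a practitioner would want. It assumes the lab domain SharePoint.local (NetBIOS name SHAREPOINT), the account name Adfs_svc and the federation service name logon.contoso.com used in this guide, and the Active Directory PowerShell module (present on a 2008 R2 domain controller or via RSAT).

```powershell
# Added example, not the original post's commands: create the AD FS 2.0 service
# account and register its SPN safely. Assumptions: domain SharePoint.local
# (NetBIOS SHAREPOINT), account Adfs_svc, federation service logon.contoso.com.
Import-Module ActiveDirectory

$domainDns  = "SharePoint.local"
$domainNb   = "SHAREPOINT"
$svcName    = "Adfs_svc"
$fsName     = "logon.contoso.com"
$spn        = "HOST/$fsName"

# Prompt for the password rather than embedding it in the script.
$password = Read-Host -AsSecureString "Password for $domainNb\$svcName"

# Create the account only if it does not already exist. A plain domain user is
# sufficient; the AD FS configuration wizard grants the local rights it needs.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName `
        -UserPrincipalName "$svcName@$domainDns" `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "AD FS 2.0 service account"
}

# A duplicate SPN anywhere in the forest breaks Kerberos for the federation
# service, so query first. setspn -Q prints "Existing SPN found!" on a hit.
$query = setspn -Q $spn
if ($query -match "Existing SPN found") {
    Write-Warning "$spn is already registered:`n$($query -join "`n")"
} else {
    # -S (unlike -A) refuses to add the SPN if a duplicate exists.
    setspn -S $spn "$domainNb\$svcName"
}

# Verify: list the SPNs now registered on the account.
setspn -L "$domainNb\$svcName"
```

The password-never-expires setting matches what most ADFS 2.0 guides recommend because a rotated service-account password has to be re-entered in the AD FS service and IIS application pool; if your policy forbids it, schedule the rotation and those two updates together.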

ADFS 2.0 Configuration Wizard

Open the AD FS 2.0 Management console on the federation server (ADFS1) and click AD FS 2.0 Federation Server Configuration Wizard.

  1. Create a new Federation Service
  2. New federation server farm
  3. Certificate : logon.contoso.com (this name becomes the Federation Service name, so it must match the certificate’s subject)
  4. Service Account : the AD service account created in the Service Accounts step (SHAREPOINT\Adfs_svc)
  5. Complete the wizard
  6. As a test you should now be able to browse to the federation metadata at the following URL (use the federation service name rather than the server name, so that the name matches the service communications certificate):

https://logon.contoso.com/FederationMetadata/2007-06/federationmetadata.xml

[Image: 1_FedMetaXml – federation metadata in the browser]

Add Token Signing Certificate

To add our own certificates to ADFS 2.0 we first need to disable the AD FS automatic certificate rollover feature. Once it is off, ADFS no longer renews the token-signing and token-decrypting certificates itself, so track their expiry dates: whenever the token-signing certificate is replaced, the new one must also be imported into SharePoint, or every federated login fails with a signature validation error.
Open PowerShell on the federation server (ADFS1) and run the following commands:

Add-PsSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -AutoCertificateRollover $false

Next, in the AD FS 2.0 Management console select Service > Certificates > Add Token-Signing Certificate.
Select the tokensigning.contoso.com certificate and set it as primary.

Check the Certificates

A large number of problems that occur with ADFS configurations can be related to invalid Certificates. Ensure that the Certificates console is clean and that all the Certificates are valid, as well as the Root and any Intermediate Certificates. Here is what my Certificates part of the ADFS 2 console looks like:

[Image: 2_ADFSCerts – Certificates node in the AD FS 2.0 console]

Private Key Permissions

The service account we created earlier needs read access to the private key of the token-signing certificate, because the AD FS service signs tokens while running as that account.

1. Open an MMC on the ADFS server and add the Certificates snap-in (Computer account, Local computer).

2. Browse to Personal > Certificates. Right-click tokensigning.contoso.com > All Tasks > Manage Private Keys.

3. Give the service account (SHAREPOINT\Adfs_svc) Read permission only. Anyone who can read this key can mint tokens that SharePoint will accept for any user, so do not grant it to anything else.

Trusted Relying Partner

In this step we specify the claims we will send to SharePoint. SharePoint needs exactly one claim that uniquely identifies the user (the identifier claim). You can send additional claims, but the identifier claim is required, and a user whose token lacks it cannot sign in.

You have a choice of identifier. In this example we use the e-mail address, but you can also use the Windows account name, UPN, common name, etc. Whatever you choose must be populated in AD for every user who will log in (for e-mail, that is the mail attribute) and should never change over the user’s lifetime, because SharePoint stores permissions against that value.

Open the ADFS 2.0 management console on the ADFS Server

Select Trust Relationships. Right-click Relying Party Trusts and select Add Relying Party Trust.
Use the following settings in the wizard:

  • Select Data Source : Enter data about the relying party manually
  • Specify Display Name : portal.contoso.com
  • Choose Profile : AD FS 2.0 profile
  • Configure Certificate : Next (do not select a token encryption certificate; SharePoint does not accept encrypted tokens)
  • Configure URL : Enable support for the WS-Federation Passive protocol
  • Relying party WS-Federation Passive protocol URL : https://portal.contoso.com/_trust/ (SharePoint’s trust endpoint, to which ADFS posts the token)
  • Relying party trust identifiers :
    • https://portal.contoso.com
    • urn:sharepoint:portal (this must match the Realm you later give the SPTrustedIdentityTokenIssuer)
  • Choose Issuance Authorization Rules : Permit all users to access this relying party (fine for the lab; in production restrict this to an AD group, as SharePoint’s own permissions are then the only other gate)
  • Review settings
  • Check : Open the Edit Claim Rules dialog for this relying party trust when the wizard closes

Next, in the Edit Claim Rules dialog, select the Issuance Transform Rules tab and choose Add Rule.
Use the following settings in the Add Transform Claim Rule wizard:

  • Select Rule Template : Send LDAP Attributes as Claims
  • Configure Rule :
    • Claim Rule Name : LDAP Claims
    • Attribute Store : Active Directory
    • Mapping of LDAP Attributes to Outgoing Claim Types:

      LDAP Attribute                     Outgoing Claim Type
      E-Mail-Addresses                   E-Mail Address
      Token-Groups – Unqualified Names   Role
      User-Principal-Name                UPN

(If you preferred the Windows account name as the identifier, you would map SAM-Account-Name to the Windows account name claim type and use that as the identifier instead of E-Mail Address.)

[Image: 3_AdfsClaimRules – the LDAP claim rule]

Export Token signing certificate

In the next steps we need the token-signing certificate (public key only) to create an SPTrustedIdentityTokenIssuer in SharePoint.

Open IIS 7 Manager on the federation server. Select the server name in the console and double-click the Server Certificates feature. You should see the two certificates you configured earlier. Double-click the tokensigning.contoso.com certificate, select the Details tab and click Copy to File:

  • No, do not export the private key (it never leaves the ADFS server)
  • DER encoded binary X.509 (.CER)
  • Save the file as c:\TokenSign.cer

SPTrustedIdentityTokenIssuer

Log on to the server running Central Administration (SP1 in this lab).

Copy the TokenSign.cer you exported in the previous step to c:\ on that server.

Open the SharePoint Management Shell (2010 or 2013, whichever matches your farm) and run a PowerShell script that registers the certificate, defines the claim mappings and creates the SPTrustedIdentityTokenIssuer. Its inputs are the values configured in ADFS above: the realm urn:sharepoint:portal, the sign-in URL https://logon.contoso.com/adfs/ls, the three claim types, and the identifier claim (e-mail).
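The original post’s script is not reproduced on this page, so the following is an added example written for this guide rather than the author’s own. It assumes the exported certificate at C:\TokenSign.cer, the realm urn:sharepoint:portal, the sign-in URL https://logon.contoso.com/adfs/ls, the three claims (e-mail, role, UPN) mapped in the ADFS rule above and the provider name ADFS20 that the rest of the guide refers to. Run it in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example (not the original post's script): create the SPTrustedIdentityTokenIssuer
# that mirrors the ADFS relying party trust configured above.
# Assumptions: C:\TokenSign.cer, realm urn:sharepoint:portal, sign-in URL
# https://logon.contoso.com/adfs/ls, provider name ADFS20, e-mail as identifier.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\TokenSign.cer"
$realm     = "urn:sharepoint:portal"            # must equal one of the RP identifiers in ADFS
$signInUrl = "https://logon.contoso.com/adfs/ls" # WS-Federation passive endpoint
$name      = "ADFS20"

# Public key only; the .cer exported from IIS carries no private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint validates token signatures against its own trust store (Manage Trust),
# not the Windows certificate store, so register the signing certificate there.
# A CA-issued certificate also needs its root and intermediates registered.
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null
}

# Incoming claim type URIs are the ones ADFS emits for the outgoing claim types
# chosen in the "LDAP Claims" rule (E-Mail Address, Role, UPN).
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$upnMap   = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# The identifier claim is the one SharePoint treats as the user's identity.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $name `
    -Description "AD FS 2.0 (logon.contoso.com)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap, $upnMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Verify what was registered. The realm and the signing thumbprint are the two
# values that must agree with ADFS for sign-in to succeed.
Get-SPTrustedIdentityTokenIssuer $name |
    Select-Object Name, DefaultProviderRealm, ProviderUri,
        @{ Name = "IdentityClaim";     Expression = { $_.IdentityClaimTypeInformation.MappedClaimType } },
        @{ Name = "SigningThumbprint"; Expression = { $_.SigningCertificate.Thumbprint } }
```

If ADFS later answers a sign-in with MSIS7007 (“The requested relying party trust is unspecified or unsupported”), the realm here and the relying party identifiers in ADFS do not match; if SharePoint instead returns to its sign-in page with a signature error in the ULS logs, the thumbprint above does not match the certificate ADFS is currently signing with.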

Trusting the Certificate Chain

We need to ensure that the SharePoint STS trusts the root of the CA that issued the token-signing certificate (if it comes from an internal CA), so we add that certificate. We also add the token-signing certificate itself so that SharePoint trusts it directly. SharePoint does not consult the Windows certificate store for this; only certificates listed under Manage Trust count.

  • Open the Central Administration website > Security > Manage Trust > Add
  • Give the trust a name (contoso RootCA) and add the root certificate from c:\
  • Add another trust for the token-signing certificate (and one for any intermediate CA certificate in its chain)
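The “Check the Certificates” section above and this one both come down to the same question: is the certificate ADFS is actually signing with the one SharePoint trusts, and is its whole chain registered under Manage Trust? The following script is an added example (not part of the original post) that answers it. It assumes the names logon.contoso.com and ADFS20 from this guide and must run in the SharePoint Management Shell on a farm server that can reach the ADFS server over HTTPS.

```powershell
# Added example (not from the original post): compare the token-signing certificate
# advertised in the ADFS federation metadata with the one SharePoint's
# SPTrustedIdentityTokenIssuer holds, and check that every certificate in its
# chain is registered in SharePoint's own trust store (Manage Trust).
# Assumptions: federation service logon.contoso.com, provider name ADFS20.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$metadataUrl = "https://logon.contoso.com/FederationMetadata/2007-06/federationmetadata.xml"
$issuerName  = "ADFS20"

# WebClient rather than Invoke-WebRequest so this also runs under PowerShell 2.0.
$xml = New-Object System.Xml.XmlDocument
$xml.LoadXml((New-Object System.Net.WebClient).DownloadString($metadataUrl))

$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# ADFS repeats the signing key under several role descriptors; keep distinct certs.
$signingCerts = $xml.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    } | Sort-Object Thumbprint -Unique
if (-not $signingCerts) { throw "No signing certificate found in $metadataUrl" }

$issuer  = Get-SPTrustedIdentityTokenIssuer $issuerName
$trusted = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }

foreach ($cert in $signingCerts) {
    Write-Host "Metadata signing cert: $($cert.Subject) [$($cert.Thumbprint)]"
    if ($cert.Thumbprint -ne $issuer.SigningCertificate.Thumbprint) {
        Write-Warning ("SharePoint's {0} holds {1}; ADFS signs with a different certificate. " +
                       "Re-export and import the current one.") -f $issuerName, $issuer.SigningCertificate.Thumbprint
    }

    # Build the chain from the local machine store (without revocation checking) just
    # to enumerate the issuers; the verdict that matters is whether each element is in
    # SharePoint's trust store, because that is what the SharePoint STS checks against.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.Build($cert) | Out-Null
    foreach ($element in $chain.ChainElements) {
        $status = if ($trusted -contains $element.Certificate.Thumbprint) { "trusted by SharePoint" } else { "MISSING from Manage Trust" }
        Write-Host ("  {0,-26} {1}  {2}" -f $status, $element.Certificate.Thumbprint, $element.Certificate.Subject)
    }
}
```

A “MISSING from Manage Trust” line against the root or an intermediate is the usual cause of the “self-signed certificates don’t work” experience noted earlier: the token is signed correctly, but SharePoint cannot build a trusted chain for the signer and rejects it.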

Configure the web application Authentication provider

You have options here:

  1. You can use hybrid authentication on one zone, with both Windows and the ADFS provider enabled.
  2. You can extend the web application to a new zone that uses only the ADFS provider.

In this example I am going to extend the web application to a new zone. This is the more common method, and it keeps Windows authentication available on the original zone for administration, but both work fine.

  • Central Admin -> Application Management -> Manage Web Applications.
  • Select the web application and click Extend.
  • Enter the URL (https://portal.contoso.com) and ensure you select Use Secure Sockets Layer (SSL) for this site; the signed token is posted back over this URL.
  • Select the zone (in my case Intranet).
  • Under Claims Authentication Types, check Trusted Identity Provider and select the provider you created (in my case ADFS20).
  • Hit OK (if you are using SP2013 I find this takes some time).

Site Collection Administrators

In order to test this we add the claims user to the Site Collection Administrators. Make sure you pick the claim identity here: when you open the people picker and type, for example, administrator, you get two results, one for the Windows account and one provided by ADFS20. Select the one provided by ADFS20.

In my case I am using test1@sharepoint.local, so enter the user’s full e-mail address into the people picker dialog in Central Admin and add the site collection administrators as follows:

[Image: 4_PeoplePicker]

Click on the filter for Email Address and select this test1 user. If you select the other result you will not be able to authenticate with ADFS: SharePoint treats the Windows identity and the trusted-provider identity as two different principals (encoded with the prefixes i:0#.w| and i:05.t| respectively), even though they are the same user in AD, so permissions granted to one do not apply to the other.

[Image: 5_peoplepicker2]

Change the ADFS login page

By default ADFS 2.0 uses Windows Integrated authentication on the /adfs/ls endpoint: browsers on domain-joined machines sign in silently, and everyone else gets a Windows credential popup expecting domain\user. Because our identifier is the e-mail address and users will typically type a UPN-style name, we want ADFS to present a form instead; otherwise you may find that users cannot log in successfully.

  1. On the ADFS server, open IIS Manager.
  2. Expand Default Web Site > adfs > ls.
  3. Right-click ls and choose Explore to open the folder containing web.config (by default C:\inetpub\adfs\ls).
  4. Take a backup of web.config, then open it in an editor.

In the <localAuthenticationTypes> section under <microsoft.identityServer.web>, the four <add> entries (Integrated, Forms, TlsClient, Basic) are listed in order of preference and the first one is used. Move the Forms entry above Integrated so that the section lists Forms first and Integrated second. Note that forms-based sign-in sends the user’s password to ADFS in the request body, so this endpoint must only ever be served over HTTPS with the service communications certificate.
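As an added example (not from the original post), the same edit can be made repeatably with PowerShell, which also leaves a backup behind. It assumes the default ADFS 2.0 install path C:\inetpub\adfs\ls and must run in an elevated session on the ADFS server; IIS picks up the changed web.config automatically.

```powershell
# Added example (not the original post's instructions): make forms-based sign-in the
# default for the /adfs/ls endpoint by moving the Forms <add> entry to the top of
# <localAuthenticationTypes> in the ADFS 2.0 web.config. ADFS uses the first entry.
# Assumption: default install path C:\inetpub\adfs\ls.
$configPath = "C:\inetpub\adfs\ls\web.config"

# Keep a timestamped backup before touching the live configuration.
Copy-Item $configPath ("{0}.{1:yyyyMMddHHmmss}.bak" -f $configPath, (Get-Date))

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($configPath)

# XPath keeps us independent of how PowerShell adapts element names containing dots.
$types = $config.SelectSingleNode("/configuration/microsoft.identityServer.web/localAuthenticationTypes")
if (-not $types) { throw "localAuthenticationTypes not found in $configPath" }

$forms = $types.SelectSingleNode("add[@name='Forms']")
if (-not $forms) { throw "Forms authentication type not found in $configPath" }

# Shipped order is Integrated, Forms, TlsClient, Basic; put Forms first.
$types.RemoveChild($forms)  | Out-Null
$types.PrependChild($forms) | Out-Null
$config.Save($configPath)

# Show the resulting order; Forms should now be listed first.
$types.SelectNodes("add") | ForEach-Object {
    "{0,-12} {1}" -f $_.GetAttribute("name"), $_.GetAttribute("page")
}
```

Re-apply (or re-check) this after any ADFS update or repair, since a reinstalled web.config reverts to the shipped order and domain-joined clients would silently go back to Integrated sign-in.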

Testing

So we are ready to test. Ensure that both the portal.contoso.com and the logon.contoso.com domains are resolvable from your location.

To avoid certificate warnings I also installed the internal CA root certificate into my workstation.

Here is what you should see when you browse to https://portal.contoso.com: you are redirected to https://logon.contoso.com/adfs/ls and presented with the ADFS forms login page.

[Image: 6_adfslogin]

The full URL is as follows:

https://logon.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aportal&wctx=https%3a%2f%2fportal.contoso.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F

The parameters are the WS-Federation passive sign-in request: wa=wsignin1.0 is the sign-in action, wtrealm is the realm SharePoint was configured with (urn:sharepoint:portal, which must match one of the relying party identifiers in ADFS or ADFS rejects the request), and wctx carries the SharePoint URL the user is sent back to after sign-in.

Ensure you use the full e-mail address in the login area.

If successful you will gain access to the site. Notice that the username at the top right is the identity claim:

[Image: 7_loggedin]

What’s in the claim

I have added the ClaimsViewerWebPart which shows up the details of the claim (available from:

http://www.sharepointblog.co.uk/2012/06/the-claims-viewer-web-part/ )

Here we can see the claims configured for SharePoint to use:

[Image: 8_ClaimsView]

The 2nd, 3rd and 4th lines show the three claims we configured: the e-mail address, role (which contains the AD groups the user is a member of) and the UPN.

In the following screenshot we can see that the claim was issued by TrustedProvider:ADFS20:

[Image: 9_claimsview2]

The next guide will cover federating with another organisation’s ADFS service and configuring an ADFS 2.0 proxy server… coming soon.

Comments

Great post! It clarified a lot of things, thanks! Looking forward to the second part 🙂
Cheers

Very good and clear article! Thanks a lot.

Thank you, I have recently been looking for information approximately this
subject for ages and yours is the best I have discovered till now.
However, what about the bottom line? Are you sure about the source?


How to configure the approval of that name in the upper right corner classic for Sharepoint 2013?

Great post. I never found how to add a user (ADFS authentication) to a SharePoint security group, Members for example.
Everyone writes about how to check with the site collection admin, but they forget that the people picker in 2013 is not the same as in 2010.

Sergey,
Great point, I'm running into the same issue. It looks like in SharePoint 2013 a site collection cannot provision access to security groups. I do not see the option when I go to grant permissions. Have you been able to find a solution for this?

Hi Neil,
I followed your blog but still I didn't get success. I need your help. My environment is as follows (all the servers are Windows Server 2012).
1. ADDC and Certificate authority
2. SharePoint Machine and
3. SQL Server
4. ADFS server
I have added ADFS as a feature. My first doubt is about "setspn -a host/logon.contoso.com Adfs_svc". I added it from the GUI like host/logon.<local domain name>.com. Is it right? But I get the error as follows:
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. —> System.ServiceModel.FaultException: MSIS3127: The specified request failed.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
— End of inner exception stack trace —
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.ServiceModel.FaultException: MSIS3127: The specified request failed.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

I tried to resolve this issue using this link "http://social.msdn.microsoft.com/Forums/vstudio/en-US/b6ab634b-71b8-46eb-9a49-d33113678aba/adfs-20-and-the-msis7004-exception". Here someone mentioned "Also, assuming you are using the Windows Internal Database – make sure its being run by the same account as the ADFS service account." so I tried to change the account, but I was not able to change it due to the logon name.

I have two certificate 1) signing certificate is Self-signed certificate and 2) token encryption certificate is issued by internal CA.

My urn name is "urn:full fqdn name:logon". Please tell me if I am doing anything wrong, or please try to figure out my problem.

thanks in advance.

thanks
Ravi.

Hi Neil,
Can we configure on premise ADFS with SharePoint Online?

Hi Ravi,

If you found the answer please let me know as well.

Many thanks
Shohreh

I am using the same ADFS provider for my two SharePoint farms (SP 2010 and SP 2013).

Strange observation is in SP 2010 Role claim has plain user name without doman e.g. "sudarshan" but when I debug through SP 2013 I am getting Role as "domansudarshan".

Please could you explain how the same ADFS provider gives different strings for the same user in two different SP environments.

Sudarshan Vatturkar

correct role as "domainsudarshan" while accessing through SP 2013


Thanks, the article was very useful and you rightly indicated most articles on this topic miss something, but this was pretty complete.
BTW, I have one issue: I am not able to log in from the ADFS forms login screen. Any idea why this could be so? (It always redirects back to the same screen.)


Hello and thank you for the blog! This is great but I’m not sure why you’d want to set up ADFS if your users are in the same domain as your SharePoint environment. What would be really nice is how to set up federation between two domains. For example, an extranet scenario. I will have a SharePoint farm in the DMZ AD domain for partners to access via the Internet while my internal users access the same site in our internal AD domain. Do you have a how-to or a blog for such a scenario?

Thank you in advance!

Rumi

I’d like to add that there is no trust between the internal and DMZ AD domains.
