Configure AD FS

  1. After installing ADFS, a notification icon will appear at the top of the Server Manager window. Click the icon to make a drop-down menu appear. Then, click Configure the federation service on this server. This will open the Active Directory Federation Services Configuration Wizard.

  2. On the Welcome tab of the Wizard, select Create the first federation server in a federation server farm. Click Next.

  3. On the Connect to AD DS tab, select the administrator account. Click Next.

  4. On the Specify Service Properties tab, click Import.

  5. Browse to the certificate generated and stored in the Generation SSL certificate step.
  6. The name of the certificate will appear in the SSL Certificate and Federation Service Name fields. Enter a Federation Service Display Name. Click Next.

  7. On the Specify Service Account tab, a possible error will appear: “Group Managed Service Accounts are not available because the KDS Root Key has not been set…”. Click “Show more” to see the full error message.

    Screenshot 11-7

  8. To resolve this error, open PowerShell and run the command “Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))”.
  9. Select Use an existing domain user account (admin account) or group Managed Service Account, and then specify the gMSA account that you created when you created the domain controller. Click Next.

  10. On the Specify Database tab, select Create a database on this server using Windows Internal Database. Then click Next.

  11. If the error “An AD FS configuration database already exists on this server.” appears, tick Overwrite existing AD FS configuration database data. Click Next.

  12. On the Review Options tab, click Next.

  13. On the Pre-requisite Checks tab, you may see a warning about the effective time of the KDS root key that was created for the group Managed Service Account. This will not be an issue if you have only one domain controller. Click Configure.

  14. Once the installation is complete, click Close.
  15. Open PowerShell and run the following command:  Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
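The PowerShell from steps 8, 9 and 15, pulled together as an added example (not part of this guide) that checks the environment before changing it: the back-dated KDS root key is only used when there is a single domain controller, the gMSA is verified from the AD FS server, and the sign-on page setting is read back after the change. The gMSA name is a placeholder to replace with the account created in step 9.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on the AD FS server (which in this guide is also the domain controller).

# --- Step 8: KDS root key -------------------------------------------------
$dcCount = @(Get-ADDomainController -Filter *).Count
$latestKey = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1

if ($latestKey -and $latestKey.EffectiveTime -le (Get-Date)) {
    Write-Host "KDS root key $($latestKey.KeyId) is already effective (since $($latestKey.EffectiveTime))."
}
elseif ($dcCount -eq 1) {
    # Single DC: there is nothing to replicate, so back-dating the effective time
    # by 10 hours is safe and lets the wizard create the gMSA immediately.
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    Write-Host "Created KDS root key $keyId, effective now (single-DC environment)."
}
else {
    # Multiple DCs: keep the default delay so every DC has the key before any
    # gMSA password is derived from it. This is the warning step 13 refers to.
    $keyId = Add-KdsRootKey
    Write-Host "Created KDS root key $keyId; it becomes effective after the 10-hour replication window."
}

# --- Step 9: confirm this host can use the gMSA ---------------------------
$GmsaName = 'adfs-gmsa'   # PLACEHOLDER: sAMAccountName of the gMSA created with the DC
if (Test-ADServiceAccount -Identity $GmsaName) {
    Write-Host "gMSA '$GmsaName' password can be retrieved from this host."
}
else {
    Write-Warning "gMSA '$GmsaName' is not usable from this host; check PrincipalsAllowedToRetrieveManagedPassword and the KDS root key."
}

# --- Step 15: IdP-initiated sign-on page ----------------------------------
# This page is off by default on Windows Server 2016 and later; enabling it adds a
# user-facing endpoint, so record the previous value and confirm the change applied.
$before = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
$after  = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Write-Host "EnableIdpInitiatedSignonPage: $before -> $after"
```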