As the first step of enabling Windows Azure Active Directory Federation Services (AD FS) for Windows Azure Pack for Windows Server, you must configure AD FS as explained in the following steps.
To configure AD FS
1. If you use an existing AD FS, do the following:
   a. In AD FS, use the following address to add the management portal for administrators and the management portal for tenants as relying parties:

      <Portal URI>/federationMetadata/2007-06/Federationmetadata.xml

      Replace <Portal URI> with the addresses of the management portal for administrators and the management portal for tenants. For example, https://www.contosotenant.com/federationMetadata/2007-06/Federationmetadata.xml
   b. Apply the following transformation rules to the management portal for tenants:
      - Transform AD Groups to 'Groups' Claims
      - Transform email address to UPN Claims
   c. Skip the remaining steps and go to Configure the management portals to trust AD FS.
2. If you are setting up a new AD FS, on the machine that you want to use for AD FS, enable the AD FS role.
3. Log on to the machine as the domain administrator. You have two options to configure AD FS: run the Install-AdfsFarm cmdlet, or run a script.
   - Run the Install-AdfsFarm cmdlet to configure AD FS.
```powershell
Install-AdfsFarm -CertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SQLConnectionString <String>
```
You must provide the following information to run the Install-AdfsFarm cmdlet.
   - Or, run the following script to configure AD FS. Note: You must install makecert.exe before running this script. Alternatively, you can use IIS to create a self-signed certificate and pass its thumbprint in this script.
```powershell
# Set these values:
$domainName = 'contoso.com'
$adfsPrefix = 'AzurePack-adfs'
$username   = 'username'
$password   = 'password'
$dnsName    = ($adfsPrefix + "." + $domainName)

# Generate a self-signed certificate
Import-Module -Name 'PKI','WebAdministration'
# You must install makecert.exe before running this script. Alternatively, use the IIS UI to create
# a self-signed certificate for $dnsName; the lookup below then picks up its thumbprint.
$item = Get-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
if (!$item) {
    MakeCert.exe -n "CN=$dnsName" -r -pe -sky exchange -ss My -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1
}
# Look up the certificate by subject (created by makecert above, or earlier in IIS)
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$dnsName" } |
    Select-Object -First 1
if (!$cert) { throw "No certificate with subject CN=$dnsName found in Cert:\LocalMachine\My" }
$thumbprint = $cert.Thumbprint

$securePassword = ConvertTo-SecureString -String $password -Force -AsPlainText
$adfsServiceCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList ($domainName + '\' + $username), $securePassword

# If you want to install AD FS with a SQL Server database, provide this data and keep the
# -SQLConnectionString parameter below. Otherwise omit that parameter and AD FS installs with the
# Windows Internal Database (which should be enabled prior to configuring AD FS).
$dbServer   = 'AzurePack-SQL'
$dbUsername = 'sa'
$dbPassword = '<SQL_password>'
$adfsSqlConnectionString = [string]::Format('Data Source={0};Initial Catalog=master;User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword)

# Configure AD FS
Install-AdfsFarm `
    -CertificateThumbprint $thumbprint `
    -FederationServiceName $dnsName `
    -ServiceAccountCredential $adfsServiceCredential `
    -SQLConnectionString $adfsSqlConnectionString `
    -OverwriteConfiguration
```
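For the existing-AD FS path in step 1, the relying-party registration and the two transformation rules from step 1b can be scripted with the ADFS PowerShell module instead of the console. This is an added example, not a script from the original article or the Windows Azure Pack product: the portal address, the relying-party display name, and the claim type URIs (standard AD FS claim types) are assumptions, so confirm the exact claim types your portal version expects before relying on it.

```powershell
# Added example (not part of the original article). Assumed values: $tenantPortal, $rpName,
# and the claim type URIs below; they are standard AD FS claim types used as placeholders.
Import-Module ADFS

$tenantPortal = 'https://www.contosotenant.com'     # replace with your tenant portal address
$rpName       = 'Windows Azure Pack Tenant Portal'  # assumed display name

# Step 1a: register the tenant portal as a relying party from its federation metadata
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataUrl "$tenantPortal/federationMetadata/2007-06/Federationmetadata.xml"

# Step 1b: issuance transform rules in AD FS claim rule language.
# Rule 1 looks up the user's AD group membership and issues it as 'Group' claims.
# Rule 2 reads the user's mail attribute and issues it as the UPN claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Transform AD Groups to Groups claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Transform email address to UPN claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

# AD FS issues no token for a relying party without an issuance authorization rule. This permits
# every authenticated user; in production, scope it to the AD group allowed to use the portal.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules

# Check: the trust exists and carries both transform rules
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, IssuanceTransformRules
```

Repeat the Add-AdfsRelyingPartyTrust call with the administrator portal address to register that portal as well; the transformation rules above apply only to the tenant portal, as step 1b states.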
Next steps