As we’re setting up collaboration sites on our SharePoint 2010 farm, we wanted to provide the ability to have external logins using Facebook or Google accounts. Everything soon pointed in the direction of Active Directory Federation Services. As version 1.0, which comes with Windows Server 2008 R2, is already outdated, I needed to download the 2.0 version. Make sure that you download the proper version, as you might run into some very strange errors otherwise. Since I’m running Windows 2008 R2 x64 I selected RTW\W2K8R2\amd64\AdfsSetup.exe.
When the installation started, the IIS part took quite some time. When I figured it was stuck and TrustedInstaller.exe was using around 750MB of memory, I decided to kill the process as it might crash the entire server. While this seemed the right thing to do, the consequences were somewhat strange. When I restarted the installation it ran into an error right away, stating that the install of KB981002.msu could not complete. I tried installing this update manually, but it indicated that the system doesn’t need the update. I rebooted the system and retried the installation, which then proceeded without a hitch.
Make sure that you have a Certificate Authority installed in your domain. You can use its certificates for Exchange servers and SharePoint servers, and you also need one for the ADFS server.
If you don’t have a proper certificate installed, you might get an error like this, which might put you on the wrong track. Just create a new certificate, or use one that is already installed.
To create an SSL certificate request in IIS, open IIS Manager, select the host and double-click the Server Certificates icon. Your certificate options are on the right.
Once you have installed the SSL certificate in IIS, you can assign it by right-clicking the website in IIS and selecting Edit Bindings. Then edit or add an https binding and select the SSL certificate you want to use.
Configure ADFS 2.0
As I didn’t have a Federation Server running anywhere I needed to create a new Federation Service. Here are the steps:
- After the install, the ADFS configuration is started.
- Click the AD FS 2.0 Federation Server Configuration Wizard to start the configuration.
- Select Create a new Federation Service.
- Select New Federation server farm.
- The certificate should be automatically selected. You get the option to select the Federation Service name.
- Create a service account for the ADFS services. The following permissions are needed for this account:
  - Service Logon right. This right is required for an account to log on using the service logon type.
  - Audit Privilege right. This right is required to generate audit log entries.
  See this post for setting the permissions. You can use the same guide for the service logon.
- A summary of the settings will be presented. ADFS will be installed with a Windows Internal Database service. However, you can change this later on.
If the name of the federation service is already in use you might be presented with an error: “The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.” You’ll have to use setspn.exe to set the proper SPN.
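As an added example (not from the original post), this is how the duplicate-SPN error can be diagnosed and resolved with setspn.exe. It assumes the AD FS 2.0 wizard registers the SPN HOST/&lt;federation service name&gt;; the federation service name fs.contoso.com and the service account CONTOSO\svc_adfs are placeholders.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on a domain-joined machine (setspn.exe ships with the AD DS tools).
# Placeholders (adjust to your environment):
#   Federation Service name: fs.contoso.com
#   AD FS service account:   CONTOSO\svc_adfs

$FederationServiceName = 'fs.contoso.com'
$ServiceAccount        = 'CONTOSO\svc_adfs'
$Spn                   = "HOST/$FederationServiceName"   # SPN the wizard registers

# 1. Find out which account currently holds the SPN; this is what the wizard
#    complains about. -Q searches the forest for an exact match and prints the
#    distinguished name of the owning object.
setspn.exe -Q $Spn

# 2. List the SPNs already registered on the intended service account, to see
#    whether it is the owner or whether a different object (e.g. a stale
#    computer account from an earlier attempt) holds the name.
setspn.exe -L $ServiceAccount

# 3. If a stale account holds the SPN, remove it from that account first.
#    Replace the placeholder with the account printed by step 1.
# setspn.exe -D $Spn 'CONTOSO\OLD-ADFS-HOST$'

# 4. Register the SPN on the service account. -S checks for duplicates before
#    adding and refuses if the SPN is still held elsewhere, which prevents
#    creating the same conflict again.
setspn.exe -S $Spn $ServiceAccount

# 5. Verify: the SPN should now be found exactly once, on the service account.
setspn.exe -Q $Spn
```

If step 1 shows the SPN on an account you do not control, the alternative the error message offers, choosing a different Federation Service name, avoids touching that account at all.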