This guide is intended for advanced Active Directory administrators who do not currently have an AD FS deployment. It is based on Windows Server 2012 R2; the process is largely equivalent for Windows Server 2016, and should also apply to 2008, 2008 R2 and 2012, although the appearance of the dialogs varies. Third Light support staff cannot offer assistance with third-party tools, so while the following notes are provided for your convenience, they should not be relied upon without a full understanding of the AD FS technology.

Prerequisites

Prior to configuring AD FS, you will need:

  • A server running Windows Server 2008 or later, joined to your domain
  • A service user for AD FS
  • .NET Framework 3.5
  • An SQL Server instance
  • A valid, signed certificate for the domain of the AD FS 'Farm'

Configuring the Prerequisites

Creating a service user

  1. Launch Active Directory Users and Computers on a domain controller (or other system with AD management tools)
  2. Navigate to Managed Service Accounts within your domain (Administrative Tools > Active Directory Users and Computers > your.domain > Managed Service Accounts)
  3. Right click, select New -> User
  4. Enter 'AD FS Service Account' as the name
  5. Enter 'adfs.svc' as the user logon name
  6. Select a strong password, and make a note of it for later

Installing .NET Framework 3.5

  1. From Server Manager, select 'Add roles and features'



  2. If you see the 'Before you begin' page, click next



  3. Select Role-based or feature-based installation



  4. Select the server from the server pool
  5. Skip the Server Roles page
  6. Expand .NET Framework 3.5 Features, and select .NET Framework 3.5


  7. Finish the wizard

Preparing an SQL Server instance

This guide is based on SQL Server Express 2014.

Typically SQL Server Express will be sufficient for AD FS. It can be downloaded free from the MSDN Evaluation Center. Select 'Express with Advanced Services (SQLEXPRADV)'.

  1. Launch the Installer



  2. Select 'New SQL Server stand-alone installation or add features to an existing installation'



  3. Check Use Microsoft Update and click next



  4. You can normally leave the features and paths as defaults.



  5. Select Named instance, and enter ADFS



  6. You can normally use the default service account settings



  7. Select Windows authentication mode, and under SQL Server Administrators click Add, choose adfs.svc and press enter (to select the AD FS service account)



  8. The installation will now be performed



  9. If there were no errors, you will see the below. Click close, or go back and correct any errors raised.

Creating an SSL Certificate for AD FS

  1. Open Powershell, type mmc and press enter



  2. Select File -> Add/Remove Snap-in...



  3. Select Certificates, click Add, then choose Computer account



  4. Select Local computer and click Finish



  5. Click OK



  6. Right-click Certificates (Local Computer) -> Personal -> Certificates, and select Create Custom Request...
    (On a new installation, the 'Certificates' subfolder may not exist. In that case, right click 'Personal' instead.)



  7. Click next



  8. Select "(No template) Legacy key"



  9. Expand Details, and click Properties



  10. Enter a name and description for the certificate



  11. Specify the subject of the certificate. The CN (Common Name) field MUST match the host name of the URI under which you will access AD FS.
    You may choose to add one component at a time, or enter the entire "Distinguished Name".



  12. Select Private Key, and choose a key size of 2048. You may wish to make the private key exportable.



  13. Save the request to a convenient location



  14. Send the certificate request to a certification authority (e.g. Comodo, Geotrust or Verisign) and arrange for it to be signed.
  15. Once you have a signed certificate, right-click Certificates (Local Computer) -> Personal -> Certificates, and select Import...



  16. Click Next



  17. Browse to find the signed certificate from the certificate authority



  18. Choose the 'Personal' certificate store



  19. Confirm the details, and click Finish



  20. You should see a success message. If you get an error, check that you selected the signed certificate (not the request) and that the file is readable



  21. Select the certificate, click More Actions -> All Tasks -> Manage Private Keys...



  22. Click Add...



  23. Enter adfs.svc and click Check Names, then click OK



  24. Grant the AD FS service account full control
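The following PowerShell script is an added check, not part of the original guide, that verifies the outcome of steps 11 to 24 above: the certificate is in the machine Personal store with a CN equal to the federation service name, has a 2048-bit private key, chains to a trusted root, and its private key file is accessible to the service account. It also warns if the name is missing from the Subject Alternative Name extension, which current browsers check instead of the CN. The federation service name and the domain prefix of adfs.svc are assumed values; replace them with your own.

```powershell
# Added verification script, not part of the original guide. Assumed values:
# the federation service name and the domain prefix of the service account.
$FederationServiceName = 'adfs.example.com'   # assumed; host name of your AD FS URI
$ServiceAccount        = 'EXAMPLE\adfs.svc'    # assumed domain prefix

# Step 11: the CN must match the name under which AD FS will be accessed.
$cnPattern = 'CN=' + [regex]::Escape($FederationServiceName) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$FederationServiceName in LocalMachine\My" }

# Step 20: the signed certificate (not the request) must have been imported on
# the machine that generated the request, so a private key must be attached.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if (-not $cert.Verify()) { Write-Warning 'Chain does not validate; import the intermediate CA certificates' }

# Step 12: key size of 2048 bits.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { throw "Key size is $keySize bits; 2048 was required" }

# Current browsers match the host name against the SAN extension rather than
# the CN, so warn if the CA did not include the name there.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($FederationServiceName)) {
    Write-Warning "Subject Alternative Name does not list $FederationServiceName"
}

# Steps 21-24: '(No template) Legacy key' created a CSP key whose container
# file sits under MachineKeys; its ACL is what 'Manage Private Keys...' edits.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$grant = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}
if (-not $grant) { throw "$ServiceAccount has no access to private key file $keyFile" }

# Summary of what was checked, for the change record.
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    KeySize       = $keySize
    ServiceRights = ($grant.FileSystemRights -join ', ')
}
```

Run it in an elevated PowerShell session on the AD FS server after step 24; any throw points at the step that needs repeating.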

Installing AD FS

  1. From Server Manager, select 'Add roles and features'



  2. If you see the 'Before you begin' page, click next



  3. Select Role-based or feature-based installation



  4. Select the server from the server pool
  5. Check Active Directory Federation Services and click Next



  6. Click through the Features page



  7. Click Next



  8. Click Install



  9. Once the installation completes, click "Configure the federation service on this server"



  10. Select Create the first federation server in a federation server farm



  11. Specify an administrative account in AD



  12. Choose the AD FS SSL certificate, and (if using a wildcard or UC certificate supporting multiple names), select the preferred Federation Service Name.
    Enter a name to be displayed on the portal, and click Next



  13. Enter the username and password for the AD FS service account
    (If you followed the prerequisite installation guide, this will be <your domain>\adfs.svc)



    (At this stage, depending on your environment, you may see a warning like the following, which can safely be ignored)


  14. Choose "Specify the location of a SQL Server database" and enter the host name and instance name for the database
    (If you followed the prerequisite installation guide, this will be the local server name, and 'ADFS')



  15. Review the configuration options, and click Next



  16. When the Pre-requisite Checks run, click Configure. If they fail, review the settings or correct the problem and try again.
    (If you followed the prerequisite installation guide, there should not be any issues. Otherwise, a common problem here is the service account not having the necessary database permissions.)



  17. After the installation completes, you should see a success message. Click Close to finish



  18. To test the new AD FS installation:
    1. For AD FS on Windows Server 2016 or later, where the IdP-initiated sign-on page is disabled by default, run in PowerShell
      Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
    2. Open a browser and go to https://<your Federation Service name>/adfs/ls/idpinitiatedsignon
      You should see a screen like the below, from which you can test signing in with your domain credentials
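The script below is an added example, not part of the original guide or of any Third Light tooling, that performs steps 5 to 18 of this section from PowerShell instead of the wizard: it adds the role, picks the SSL certificate by its CN, creates the first server of a new farm against the ADFS named instance from the prerequisites, enables the sign-on page and then fetches it and the federation metadata over HTTPS. The federation service name, display name and domain prefix are assumed values, and DNS for the federation service name is assumed to resolve to this server.

```powershell
# Added example, not from the original guide. Assumed values: federation
# service name, display name, SQL host and the domain prefix of adfs.svc.
$FederationServiceName = 'adfs.example.com'   # must equal the certificate CN
$DisplayName           = 'Example Corp AD FS'  # shown on the portal (step 12)
$SqlServer             = $env:COMPUTERNAME     # SQL Express is local in this guide
$ServiceAccount        = 'EXAMPLE\adfs.svc'    # account from the prerequisites

# Steps 5-8: add the role and its management tools.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 12: locate the SSL certificate by the CN chosen when creating the request.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName in LocalMachine\My" }

# Step 13: prompt for the service account password rather than storing it in the script.
$svcCred = Get-Credential -UserName $ServiceAccount -Message 'AD FS service account password'

# Steps 10 and 14: first server of a new farm, configuration held in the
# SQL named instance 'ADFS' using Windows authentication (step 7 of the SQL setup).
Install-AdfsFarm `
    -CertificateThumbprint        $cert.Thumbprint `
    -FederationServiceName        $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential     $svcCred `
    -SQLConnectionString          "Data Source=$SqlServer\ADFS;Integrated Security=True"

# Step 18: enable the IdP-initiated sign-on page (off by default on 2016 and
# later) and confirm the service answers over TLS on the federation service name.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
$signon = Invoke-WebRequest -Uri "https://$FederationServiceName/adfs/ls/idpinitiatedsignon" -UseBasicParsing
if ($signon.StatusCode -ne 200) { throw "Sign-on page returned HTTP $($signon.StatusCode)" }

# The federation metadata document is what a relying party such as Chorus consumes.
$metadataUri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$metadata = Invoke-WebRequest -Uri $metadataUri -UseBasicParsing
if ($metadata.StatusCode -ne 200) { throw "Federation metadata returned HTTP $($metadata.StatusCode)" }
"AD FS at $FederationServiceName is answering; metadata is $($metadata.RawContentLength) bytes"
```

Install-AdfsFarm uses the current (domain administrator) session for step 11; pass -Credential if the farm must be created under a different administrative account.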



AD FS Configuration

Now that AD FS is installed, and known to be able to authenticate users, you can proceed to configure it for use with Chorus.