Windows Server 2012 R2 and BYOD (Part 4)

Introduction

In the previous article in this series, I walked you through the process of provisioning your ADFS server with the certificates that are going to be required in order to facilitate using the workplace join feature. Unfortunately, I got a little bit ahead of myself and accidentally omitted a step. As such, we are going to have to back track just a bit.

The problem is that later on in the process, we are going to have to import the ADFS server’s SSL certificate in a way that allows it to be directly used by the ADFS service, which means the private key has to travel with the certificate. The reason why this is a problem is that, by default, Windows marks a certificate’s private key as non-exportable when it is generated, and the certificate store will then refuse to export that key.

This means that we are going to have to build a certificate template that will allow for the creation of exportable certificates, and then we will have to reissue the certificate request.

Building a New Certificate Template

The good news is that we do not have to create a certificate template from scratch. Instead, we can base our new template off of an existing template. To do so, enter the certtmpl.msc command at your certificate authority server’s Run prompt. This will cause Windows to open the Certificate Templates console.

When the console opens, scroll to the bottom of the template list to locate the Web Server template. Next, right click on the template and choose the Duplicate Template command from the shortcut menu, as shown in Figure A.

Figure A: You must duplicate the Web Server template.

At this point, you will see the Properties of New Template dialog box. Go to the dialog box’s General tab and enter a new name for the template. For the purposes of this article, I will be calling the template SSL.

Next, go to the Request Handling tab and select the Allow Private Key to Be Exported option, as shown in Figure B.

Figure B: The Allow Private Key to be Exported option must be selected.

The last thing that you must do before we move on is to go to the Subject Name tab and make sure that the Supply in the Request option is selected, as shown in Figure C. Otherwise, the Web enrollment interface won’t display the certificate. Click OK to create the new certificate template.

Figure C: The Supply in the Request option must be selected.
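The two template settings configured above (Allow Private Key to Be Exported, and Supply in the Request) are stored as flag bits on the template’s object in Active Directory. The following PowerShell, added here as an example and not part of the original article, reads those bits back so you can confirm the duplicated template is set up as intended, and then lists every template in the forest that permits exportable keys, since such templates deserve a periodic review. It assumes the ActiveDirectory module is available and that the template’s name is SSL, as in the article.

```powershell
# Added example: verify the template flags the article sets in the GUI.
# Assumes the ActiveDirectory module and a template named "SSL" (the article's name).
Import-Module ActiveDirectory

$CT_FLAG_EXPORTABLE_KEY            = 0x10   # bit in msPKI-Private-Key-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x01   # bit in msPKI-Certificate-Name-Flag

$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateKeyPolicy {
    param([Parameter(Mandatory)][string]$TemplateName)
    $t = Get-ADObject -SearchBase $templateContainer -Filter "cn -eq '$TemplateName'" `
             -Properties 'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag'
    if (-not $t) { throw "Template '$TemplateName' not found under $templateContainer" }
    [pscustomobject]@{
        Template                 = $t.Name
        PrivateKeyExportable     = [bool]($t.'msPKI-Private-Key-Flag'      -band $CT_FLAG_EXPORTABLE_KEY)
        SubjectSuppliedInRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    }
}

# The template created in this article should report both properties as True.
Get-TemplateKeyPolicy -TemplateName 'SSL'

# Review step: every template that allows an exportable private key, so the list can be
# checked against what was actually intended.
Get-ADObject -SearchBase $templateContainer -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties 'msPKI-Private-Key-Flag' |
    Where-Object { $_.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY } |
    Select-Object Name
```

The template’s cn is its template name, which the console derives from the display name you typed (spaces removed), so a display name of SSL gives a cn of SSL.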

Requesting a Certificate

The certificate request process works exactly as described in the previous article, with two minor but important differences. First, if you look at Figure D, you can see an option on the Certificate Template drop-down list called SSL. SSL is the template that I just created. You must choose the SSL option.

Figure D: Choose the template that you created earlier.

The other difference is that the Mark Keys as Exportable check box must be selected, as shown in the figure above. In fact, the reason why we just did all of this work was to keep the Mark Keys as Exportable check box from being grayed out.
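The same request can be made without the Web enrollment pages. The script below is an added example, not the article’s own steps, and uses certreq.exe with an .inf file in which Exportable = TRUE plays the role of the Mark Keys as Exportable check box and the SSL template is named in the request attributes. The ADFS host name and the CA configuration string are placeholders.

```powershell
# Added example: request from the "SSL" template with certreq.exe instead of Web enrollment.
# Placeholders: the subject name and the "CAHost\CAName" config string.
$inf = @"
[NewRequest]
Subject = "CN=adfs.example.internal"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = SSL
"@
Set-Content -Path .\adfs.inf -Value $inf -Encoding Ascii

# Generate the key pair and request, submit it to the CA, and install the issued certificate.
certreq.exe -new .\adfs.inf .\adfs.req
certreq.exe -submit -config "ca.example.internal\Example-CA" .\adfs.req .\adfs.cer
certreq.exe -accept .\adfs.cer

# MachineKeySet = FALSE places the certificate in the current user's store, which is where
# the article's export step looks for it. Confirm the key really is exportable.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=adfs.example.internal'
$csp  = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if ($csp) { $csp.CspKeyContainerInfo.Exportable } else { 'Key is not a CSP key; check with certutil -user -store My' }
```

If the template does not allow exportable keys, the CA still issues the certificate, but the request-side Exportable flag is what the template’s Allow Private Key to Be Exported setting permits, so the check at the end is worth running before moving on.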

Exporting a Certificate

Now that we have created an exportable certificate, we are back on track. As you might have already figured out, the next step in the process is to export the certificate.

Enter the Certmgr.msc command at the ADFS server’s Run prompt. This will cause Windows to open the Certificate Manager console. Navigate through the console tree to Certificates – Current User | Personal | Certificates. Next, right click on your SSL certificate and select the All Tasks | Export command, as shown in Figure E.

Figure E: You must export your SSL certificate.

Windows will now launch the Certificate Export Wizard. Click Next to bypass the wizard’s Welcome screen. You will now see a screen asking you if you want to export the certificate’s private key. Choose the Yes, Export the Private Key option and click Next.

On the following screen, the Personal Information Exchange – PKCS #12 (.PFX) option should be selected. The option to include all certificates in the certification path should be selected. The option to delete the private key if exported successfully must not be selected. You can see the correct configuration in Figure F.

Figure F: You must export the private key to a PFX file.

Click Next and you will be prompted to protect the private key using either a group or user name or a password. Choose the password option and assign a password to the private key.

Click Next and you will be prompted for a path and filename. Be sure to remember the password that you assigned in the previous step and the path and filename that you chose, because you will need them a little bit later on. Click Next, followed by Finish, to export the certificate.
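The export wizard’s settings (private key included, full chain included, nothing deleted from the store, password protection) map directly onto Export-PfxCertificate. The script below is an added example rather than the article’s own procedure; the subject name and output path are placeholders. It also checks up front that the key is exportable, which is the condition the new template exists to satisfy, and restricts the resulting file’s ACL because the PFX now contains the service’s private key.

```powershell
# Added example: export the SSL certificate and its private key to a password-protected PFX.
# Placeholders: subject name and output path.
$subject = 'CN=adfs.example.internal'
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }

# A non-exportable key makes the export fail; fail early with a clear message instead.
$csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if ($csp -and -not $csp.CspKeyContainerInfo.Exportable) {
    throw "Private key for $($cert.Thumbprint) is not exportable; re-request it from the SSL template"
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath     = 'C:\Certs\adfs-ssl.pfx'
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# BuildChain matches the wizard's "include all certificates in the certification path"
# option. The cmdlet never removes the key from the store, matching the "do not delete" setting.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain

# The file holds the ADFS private key: drop inherited permissions and grant only the current user.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $pfxPath -AclObject $acl
```

Delete the PFX once it has been imported on the ADFS server; a password-protected file on disk is still a copy of the private key.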

Adding the Required Role

Now that the required certificates are in place, we can move forward with configuring the ADFS server. The first thing that we will need to do is to add the Active Directory Federation Service role to your ADFS server. Begin the process by opening Server Manager on your ADFS server and choosing the Add Roles and Features command from the Manage menu. When you do, Windows will launch the Add Roles and Features Wizard.

Click Next to bypass the wizard’s Welcome screen and you will see a screen asking which type of installation you would like to perform. Choose the Role Based or Feature Based Installation option, and click Next.

The next screen that you will see asks you to select a server on which to install the role or feature. Make sure that your ADFS server is selected, and then click Next. You will now see the role selection screen. Select the Active Directory Federation Service role, as shown in Figure G, and then click Next.

Figure G: Select the Active Directory Federation Service role.

Click Next and you will see a screen prompting you to select the features that you want to install. No features are required, so just click Next. You will now see a screen telling you a little bit about the Active Directory Federation Service role. Take a moment to read this screen and then click Next. When the installation process completes, click Close.

Configuring the Active Directory Federation Service

Now that the Active Directory Federation Service role has been installed, you are going to have to configure the Active Directory Federation Service. To begin the process, open Server Manager and click on the notification flag. When you do, you will see a post deployment configuration notification, like the one shown in Figure H. As you can see in the figure, this notification contains a link labeled Configure the Federation Service on this Server. Click this link to begin the configuration process.

Figure H: Click the notification flag, followed by the Configure the Federation Service on this Server link.

At this point, Windows will launch the Active Directory Federation Service Configuration Wizard. Make sure that the Create the First Federation Server in a Federation Server Farm option is selected on the wizard’s Welcome screen, and then click Next.

You should now see the Connect to Active Directory Domain Services screen. This screen requires you to specify an account that has administrative permissions for the domain to which the server is joined. If you are already logged in with such an account, that account will automatically be listed.

After specifying an administrative account, click Next and you will be taken to the wizard’s Specify Service Properties screen. There are a few different things that you will have to do on this screen.

The first thing that you will need to do is to specify the SSL certificate that you want the Active Directory Federation Service to use. To do so, click the Import button and then select the certificate that you exported earlier. Upon doing so, you will be prompted to provide a password for the certificate.

You won’t have to worry about populating the Federation Service Name, because that name is filled in automatically from the certificate’s subject. You will, however, have to enter a display name for the federation service. This is a friendly name that will be used to identify the service to clients. For the purpose of this article, I am going to use the name BYOD Lab. The full configuration should look like what you see in Figure I.

Figure I: You must import your SSL certificate.

Click Next, and you will be prompted to enter the name of a service account. As you may recall, I walked you through the process of creating a service account in Part 3 of this series. That service account was called FSGMSA.

Click Next and you will be prompted to choose the type of database that you want to use. For our purposes, go ahead and choose the option to create a database on this server using Windows Internal Database, and click Next.

After a brief delay you will see a summary of the configuration options that you have specified. Take a moment to make sure that everything is correct and click Next. Wait for the prerequisite check to complete, and then click Configure.
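The role installation and the configuration wizard from the two sections above can be driven from PowerShell with the cmdlets that ship with the ADFS role in Windows Server 2012 R2. The script below is an added example and not the article’s own steps. The federation service name, domain, gMSA name, PFX path and thumbprint are placeholders; the display name BYOD Lab and the service account FSGMSA are the ones the article uses. The prerequisite check the wizard runs has a direct equivalent in Test-AdfsFarmInstallation, so it is run before anything is changed.

```powershell
# Added example: install the ADFS role and create the first farm server, equivalent to the
# Server Manager and Configuration Wizard steps above. Run elevated, as a domain administrator.
# Placeholders: PFX path, service name, domain in the gMSA identifier.
$pfxPath     = 'C:\Certs\adfs-ssl.pfx'
$serviceName = 'adfs.example.internal'   # must match the certificate subject / SAN
$displayName = 'BYOD Lab'                # display name used in the article
$gmsa        = 'EXAMPLE\FSGMSA$'         # service account created in Part 3 (placeholder domain)

# 1. Add the role (Add Roles and Features > Active Directory Federation Services).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. The farm cmdlets read the service certificate from the local machine store, so import the
#    PFX exported earlier. Without -Exportable the imported key is non-exportable on this host.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 3. Same checks as the wizard's prerequisite step, before any configuration is written.
Test-AdfsFarmInstallation -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $serviceName `
    -FederationServiceDisplayName $displayName `
    -GroupServiceAccountIdentifier $gmsa

# 4. Create the first federation server in a new farm. With no -SQLConnectionString the
#    configuration database is created in the Windows Internal Database, as in the article.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $serviceName `
    -FederationServiceDisplayName $displayName `
    -GroupServiceAccountIdentifier $gmsa

# 5. Confirm the service is running and the expected certificate is bound to the endpoints.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsSslCertificate
```

Test-AdfsFarmInstallation reports the same conditions the wizard lists on its prerequisite page (gMSA resolution, certificate key access, name resolution), which makes it a convenient check to re-run if the wizard’s Configure step fails.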

Conclusion

Hopefully by now you have been able to work through the wizard to get ADFS up and running. We still have a little bit more configuration work to do, and I will walk you through the process in Part 5.
