windows-itpro-docs/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-deploy.md

ms.date, ms.topic

ms.date	ms.topic
01/03/2024	include

Deploy the AD FS role

Important

Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.

Sign-in the federation server with Enterprise Administrator equivalent credentials.

1. Start Server Manager. Select Local Server in the navigation pane
2. Select Manage > Add Roles and Features
3. Select Next on the Before you begin page
4. On the Select installation type page, select Role-based or feature-based installation > Next
5. On the Select destination server page, choose Select a server from the server pool. Select the federation server from the Server Pool list and Next
6. On the Select server roles page, select Active Directory Federation Services and Next
7. Select Next on the Select features page
8. Select Next on the Active Directory Federation Service page
9. Select Install to start the role installation

Review to validate the AD FS deployment

Before you continue with the deployment, validate your deployment progress by reviewing the following items:

[!div class="checklist"]

• Confirm the AD FS farm uses the correct database configuration
• Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
• Confirm all AD FS servers in the farm have the latest updates installed
• Confirm all AD FS servers have a valid server authentication certificate

Device registration service account prerequisites

The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.

GSMA uses the Microsoft Key Distribution Service that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.

Create KDS Root Key

Sign-in a domain controller with Enterprise Administrator equivalent credentials.

Start an elevated PowerShell console and execute the following command:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Configure the Active Directory Federation Service Role

Use the following procedures to configure AD FS.

Sign-in to the federation server with Domain Administrator equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.

1. Start Server Manager
2. Select the notification flag in the upper right corner and select Configure the federation services on this server
3. On the Welcome page, select Create the first federation server farm > Next
4. On the Connect to Active Directory Domain Services page, select Next
5. On the Specify Service Properties page, select the recently enrolled or imported certificate from the SSL Certificate list. The certificate is likely named after your federation service, such as sts.corp.contoso.com
6. Select the federation service name from the Federation Service Name list
7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Select Next
8. On the Specify Service Account page, select Create a Group Managed Service Account. In the Account Name box, type adfssvc
9. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and select Next
10. On the Review Options page, select Next
11. On the Pre-requisite Checks page, select Configure
12. When the process completes, select Close

Add the AD FS service account to the Key Admins group

During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the Key Admins global group.

Sign-in to a domain controller or management workstation with Domain Administrator equivalent credentials.

1. Open Active Directory Users and Computers
2. Select the Users container in the navigation pane
3. Right-click Key Admins in the details pane and select Properties
4. Select the Members > Add…
5. In the Enter the object names to select text box, type adfssvc. Select OK
6. Select OK to return to Active Directory Users and Computers
7. Change to server hosting the AD FS role and restart it

Configure the device registration service

Sign-in to the federation server with Enterprise Administrator equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.

1. Open the AD FS management console
2. In the navigation pane, expand Service. Select Device Registration
3. In the details pane, select Configure device registration
4. In the Configure Device Registration dialog, Select OK

:::image type="content" source="../images/adfs-device-registration.png" lightbox="../images/adfs-device-registration.png" alt-text="Screenshot that shows AD FS device registration: configuration of the service connection point.":::

Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.

:::image type="content" source="../images/adfs-scp.png" lightbox="../images/adfs-scp.png" alt-text="Screenshot that shows AD FS device registration: service connection point object created by AD FS.":::