Setting up ADFS 2016
This guide walks through deploying a highly available Active Directory Federation Services 2016 environment. It's written after two full implementation iterations — covering the design choices and gotchas that existing documentation tends to gloss over.
Requirements
A minimum of four servers running Windows Server 2016:
- Two ADFS farm nodes
- Two Web Application Proxy (WAP) nodes
You'll also need:
- Valid SSL certificates for your chosen subdomain and its certauth variant
- Dual load balancers (internal and external)
- Split DNS zones if external access is required
Installation
Install the ADFS role on both designated servers:
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Configure the First Node
Use a Group Managed Service Account (gMSA) for the service account. Before running the configuration wizard, ensure the gMSA has been created and that the server is authorized to retrieve its password:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount -Name adfs-svc -DNSHostName adfs.yourdomain.com -PrincipalsAllowedToRetrieveManagedPassword "Domain Computers"
Run the ADFS configuration on the first node, selecting the gMSA as the service account.
Add the Second Node
After the first node is configured, join the second server to the existing farm. A common failure point here is gMSA permissions — if the secondary node can't retrieve the managed password, the join will fail.
Verify the SPNs are correctly set and that the second server is included in the principals allowed to retrieve the password:
Set-ADServiceAccount -Identity adfs-svc -PrincipalsAllowedToRetrieveManagedPassword "ADFS-Node1$","ADFS-Node2$"
Deploy Web Application Proxy Nodes
Install the Remote Access role on both WAP servers and configure them as federation proxies pointing to your internal ADFS load balancer:
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceTrustCredential (Get-Credential) -CertificateThumbprint <thumbprint> -FederationServiceName "adfs.yourdomain.com"
Customization
A few PowerShell commands worth applying after the base configuration:
# Enable password change through ADFS
Set-AdfsEndpoint -TargetAddressPath /adfs/portal/updatepassword/ -Proxy $true
Enable-AdfsEndpoint -TargetAddressPath /adfs/portal/updatepassword/
# Support modern browsers
Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","Mozilla/5.0")
# Configure extranet lockout to mirror AD settings
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 5 -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Extranet lockout settings should align with your Active Directory fine-grained password policy to avoid inconsistent behavior across authentication paths.
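As an added example (not part of the original guide), the following post-deployment check ties together the gMSA permission issue from "Add the Second Node" and the extranet lockout guidance above. It assumes the gMSA name adfs-svc, the node names ADFS-Node1 and ADFS-Node2, and the service name adfs.yourdomain.com used in this guide, and it compares against the default domain password policy; if you use a fine-grained policy, substitute Get-ADFineGrainedPasswordPolicy.

```powershell
# Added example, not from the original guide. Run on a farm node with the
# ActiveDirectory and ADFS modules available. Names below are assumptions.
Import-Module ActiveDirectory
Import-Module ADFS

$GmsaName    = 'adfs-svc'
$FarmNodes   = @('ADFS-Node1', 'ADFS-Node2')
$ServiceFqdn = 'adfs.yourdomain.com'

# 1. Every farm node must be allowed to retrieve the managed password, and
#    nothing broader (such as 'Domain Computers') should still be listed.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    (Get-ADObject -Identity $dn).Name
}
foreach ($node in $FarmNodes) {
    if ($allowed -notcontains $node) {
        Write-Warning "$node cannot retrieve the gMSA password; the farm join will fail."
    }
}
$extra = $allowed | Where-Object { $_ -notin $FarmNodes }
if ($extra) {
    Write-Warning "gMSA password retrievable by non-farm principals: $($extra -join ', ')"
}

# 2. The HOST SPN for the federation service name must be on the gMSA,
#    otherwise Kerberos / Windows Integrated Authentication to the farm breaks.
if ($gmsa.ServicePrincipalNames -notcontains "host/$ServiceFqdn") {
    Write-Warning "Missing SPN host/$ServiceFqdn on $GmsaName."
}

# 3. Confirm this node can actually fetch the password (repeat on each node).
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Warning "$env:COMPUTERNAME cannot retrieve the gMSA password."
}

# 4. Extranet lockout should trip before the AD lockout so that failed logons
#    through the proxy soft-lock at ADFS instead of locking the AD account.
$adfs     = Get-AdfsProperties
$adPolicy = Get-ADDefaultDomainPasswordPolicy   # assumption: default policy applies
if (-not $adfs.EnableExtranetLockout) {
    Write-Warning 'Extranet lockout is disabled.'
} elseif ($adPolicy.LockoutThreshold -gt 0 -and
          $adfs.ExtranetLockoutThreshold -ge $adPolicy.LockoutThreshold) {
    Write-Warning ("ExtranetLockoutThreshold ({0}) is not below the AD LockoutThreshold ({1})." -f
        $adfs.ExtranetLockoutThreshold, $adPolicy.LockoutThreshold)
}
if ($adfs.ExtranetObservationWindow -lt $adPolicy.LockoutObservationWindow) {
    Write-Warning 'ExtranetObservationWindow is shorter than the AD lockout observation window.'
}
```

A clean run produces no output; each warning names the specific misalignment that would otherwise surface as a failed farm join or as inconsistent lockout behaviour between internal and extranet logons.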