{"id":152,"date":"2022-02-23T10:37:00","date_gmt":"2022-02-23T02:37:00","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=152"},"modified":"2023-08-31T01:51:13","modified_gmt":"2023-08-30T17:51:13","slug":"instruction-of-deploy-a-new-primary-adfs-server","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/","title":{"rendered":"Instruction of Deploy a New Primary ADFS Server"},"content":{"rendered":"\n

1. Install the SSL Certificate<\/h2>\n\n\n\n

Prepare your new primary ADFS server. Join the primary ADFS server to your domain. Install your SSL certificate<\/strong> and import the certificate to the local computer’s certificates personal store. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

2. Create the ADFS Service Account<\/h2>\n\n\n\n

(Recommend)<\/em><\/strong> Move to Domain Controller, create a new ADFS Service Account, make sure this user account is added to the local administrators group of your AD FS server.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n

Otherwise, we can create and use a Managed Service Account<\/strong> instead of manully creating a user. And the Active Directory Federation Service is running under the above ADFS service account.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

3. Set Service Principal Name for the Service Account<\/h2>\n\n\n\n

3.1 Add the SPN (Option 1: Use PowerShell Command)<\/h3>\n\n\n\n

(Important)<\/em><\/strong> Set the SPN (Service Principal Name) for this service account. By running the following PowerShell command:<\/p>\n\n\n\n

setspn -a host\/<server name> <service account>\nsetspn -a http\/<server name> <service account>\n<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
3.2 Add the SPN (Option 2: Manually Add through the Attribute Editor)<\/h3>\n\n\n\n
Go to Active Directory Users and Computers<\/strong> > Click View<\/strong> > Mark Advanced Features<\/strong> > right click this service account > Properties<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Open Attribute Editor<\/strong> tab > Find servicePrincipalName<\/strong> attribute > Double click the attribute > Add host\/http entries in it > Click Add<\/strong> > Click OK<\/strong> <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
4. Add the Active Directory Federation Service Role<\/h2>\n\n\n\n
Move to the ADFS Server, add Server Role “Active Directory Federation Service<\/strong>” by Server Manager<\/strong>. After server role has been added, we will continue to “Configure the federation service at the server<\/strong>“<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
As we are setting up our new ADFS, select “Create the first federation server in a federation server farm<\/strong>” > Make sure there is “Domain Admin<\/strong>” connected to ADDS<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n

 Select the SSL certificate<\/strong> we previously installed<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
 (Important)<\/em><\/strong> Choose the ADFS service account that we previously configured<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Choose the database depends on our environment (e.g. The default Windows Internal Database)<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Review and Click Next<\/strong> > Click Configure<\/strong> > Finish the configuration<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
4. Create the DNS Zone & Records for the Active Directory Federation Service<\/h2>\n\n\n\n
4.1 Create the DNS Zone<\/h3>\n\n\n\n
Move to the Domain Contoller, open DNS Manager<\/strong> > Expand “PDC<\/strong>” and create a “New Zone<\/strong>” under “Forward Lookup Zone<\/strong>” > Keep default zone type as “Primary Zone<\/strong>” > Enter the added Public Domain Name under Zone name<\/strong> > Finish rest of configuration with default settings. \"\"<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.2 Create the A Record<\/h3>\n\n\n\n
Right click the Zone > New Host (A or AAAA)<\/strong> > Fill in the ADFS service name<\/strong> and ADFS server IPv4 address<\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n\n\n\n
5. Verify the Active Directory Federation Service Fucntion<\/h2>\n\n\n\n
5.1 Verify the Active Directory Federation Service Account<\/h3>\n\n\n\n
Open Services<\/strong> > Double click Active Directory Federation Service<\/strong> > Change to Log on<\/strong> tab > And verify our service account<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.2 Test the IDP Sign-in Dummy Page<\/h3>\n\n\n\n
IDP test page is disabled by default. You will need to manually enable IDP page, you can use following PowerShell command to enable it:<\/p>\n\n\n\n
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true\n<\/code><\/pre>\n\n\n\n
After IDP page is enabled, please test sign-in from ADFS IDP page:<\/p>\n\n\n\n
https://<youradfsservicename>\/adfs\/ls\/idpinitiatedsignon.aspx\n<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
1. Install the SSL Certificate Prepare your new primary ADFS server. Join the primary ADFS server to your domain. Install your SSL certificate and import the certificate to the local computer’s certificates personal store.  2. Create the ADFS Service Account (Recommend) Move to Domain Controller, create a new ADFS Service Account, make sure this user account is added […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[42,10],"tags":[5],"class_list":["post-152","post","type-post","status-publish","format-standard","hentry","category-adfs","category-tutorial","tag-adfs"],"yoast_head":"\nInstruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Instruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"1. Install the SSL Certificate Prepare your new primary ADFS server. Join the primary ADFS server to your domain. Install your SSL certificate and import the certificate to the local computer’s certificates personal store.  2. Create the ADFS Service Account (Recommend) Move to Domain Controller, create a new ADFS Service Account, make sure this user account is added […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-23T02:37:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-30T17:51:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"Instruction of Deploy a New Primary ADFS Server\",\"datePublished\":\"2022-02-23T02:37:00+00:00\",\"dateModified\":\"2023-08-30T17:51:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\"},\"wordCount\":519,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\",\"keywords\":[\"ADFS\"],\"articleSection\":[\"ADFS\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\",\"name\":\"Instruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\",\"datePublished\":\"2022-02-23T02:37:00+00:00\",\"dateModified\":\"2023-08-30T17:51:13+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\",\"width\":859,\"height\":226},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Instruction of Deploy a New Primary ADFS Server\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Instruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/","og_locale":"en_US","og_type":"article","og_title":"Instruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT","og_description":"1. Install the SSL Certificate Prepare your new primary ADFS server. Join the primary ADFS server to your domain. Install your SSL certificate and import the certificate to the local computer’s certificates personal store.  2. Create the ADFS Service Account (Recommend) Move to Domain Controller, create a new ADFS Service Account, make sure this user account is added […]","og_url":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2022-02-23T02:37:00+00:00","article_modified_time":"2023-08-30T17:51:13+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"Instruction of Deploy a New Primary ADFS Server","datePublished":"2022-02-23T02:37:00+00:00","dateModified":"2023-08-30T17:51:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/"},"wordCount":519,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png","keywords":["ADFS"],"articleSection":["ADFS","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/","url":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/","name":"Instruction of Deploy a New Primary ADFS Server - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png","datePublished":"2022-02-23T02:37:00+00:00","dateModified":"2023-08-30T17:51:13+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/image-23.png","width":859,"height":226},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/instruction-of-deploy-a-new-primary-adfs-server\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Instruction of Deploy a New Primary ADFS Server"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=152"}],"version-history":[{"count":16,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/152\/revisions"}],"predecessor-version":[{"id":481,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/152\/revisions\/481"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}