In this article, I will detail how to enable an ADFS server to authenticate users in Adxstudio. Please check out Part 1 of this series, which provides an overview of the solution.
Before you start, make sure you have SSL certificates for ADFS, WAP, and Adxstudio. If you are setting up development environments, you can use self-signed certificates. To learn how to create a self-signed certificate, please see the article below.
Enable ADFS Role
Log in to the ADFS server.
Open Server Manager and click on Add roles and features.
Select Active Directory Federation Services and click Next.
Select Restart the destination server automatically if required.
Click Configure the federation service on this server.
The Active Directory Federation Services Configuration Wizard opens.
Specify an account with AD Domain admin permissions. Click Next.
Select the SSL certificate, for example adfs.dyn365apps.local.
Enter the Federation Service Display Name, for example Dyn365Apps Corporation.
Ignore the warning "Group Managed Service Accounts are not available because the KDS Root Key has not been set", since a domain user account will be used as the service account.
Click the Select… button under Use an existing domain user account. Type svc_adfs and click Check Names. Click OK. Note: I created a specific service account called svc_adfs to use with ADFS.
Enter password. Click Next.
If ADFS was previously configured, the error below will occur. Select the Overwrite existing AD FS configuration database data check box. Click Next.
If you would like to view the PowerShell script, click View Script. Click Next.
The PowerShell script looks like the following. The certificate thumbprint is shown as the placeholder XXXX, and the Install-AdfsFarm call is reconstructed here from the values entered in the wizard above (service name, display name, service account, overwrite option):
# Windows PowerShell script for AD FS Deployment
# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
Install-AdfsFarm -CertificateThumbprint:"XXXX" `
-FederationServiceDisplayName:"Dyn365Apps Corporation" `
-FederationServiceName:"adfs.dyn365apps.local" `
-ServiceAccountCredential:$serviceAccountCredential `
-OverwriteConfiguration
If the error below occurs, the certificate's private key is the problem: ADFS on this platform requires a key generated by a legacy Cryptographic Service Provider (CSP), not a CNG key.
The certificate with the specified thumbprint XXXX has a Cryptography Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
Download the Windows SDK and use the MakeCert command to create the certificate. Please see the article below for more details.
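The following is an added example, not code from the original article, that shows how to tell a CNG-backed certificate from a legacy CSP one before running the wizard, and how to issue a CSP-backed self-signed certificate with MakeCert. It assumes the certificate is in the local machine Personal store, that the subject name is adfs.dyn365apps.local as in this article, and that makecert.exe from the Windows SDK is on the PATH; the provider name and validity dates are assumptions you may change.

```powershell
# Added example (not part of the original article).
# Step 1: report the private key provider for the ADFS certificate(s) in Cert:\LocalMachine\My.
# certutil prints a "Provider = ..." line for the key container. A "Key Storage Provider"
# means CNG, which ADFS rejects with the wizard error quoted above; a classic CSP name such as
# "Microsoft RSA SChannel Cryptographic Provider" is accepted.
param(
    [string] $Subject = "adfs.dyn365apps.local"   # federation service name (assumed from the article)
)

function Get-AdfsCertificateKeyType {
    param([string] $SubjectName)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            # Query the store by thumbprint so only this certificate's key container is listed.
            $providerLine = certutil -store My $cert.Thumbprint 2>$null |
                Where-Object { $_ -match '^\s*Provider\s*=' } |
                Select-Object -First 1
            $provider = if ($providerLine) { ($providerLine -split '=', 2)[1].Trim() } else { '<unknown>' }
            $keyType  = if ($provider -match 'Key Storage Provider') {
                            'CNG (KSP) - not supported by ADFS'
                        } else {
                            'Legacy CSP - OK for ADFS'
                        }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                KeyType    = $keyType
            }
        }
}

Get-AdfsCertificateKeyType -SubjectName $Subject | Format-List

# Step 2 (only if the check above reports CNG): create a self-signed certificate whose key is
# generated by a legacy CSP. -sp/-sy select the CSP (type 12 = PROV_RSA_SCHANNEL), -sky exchange
# and -pe make the key usable and exportable for the SSL binding, -eku 1.3.6.1.5.5.7.3.1 marks it
# for server authentication. Dates and key length below are assumptions for a lab environment.
makecert -r -pe -n "CN=$Subject" -b 01/01/2017 -e 01/01/2027 `
    -eku 1.3.6.1.5.5.7.3.1 -ss My -sr LocalMachine -sky exchange `
    -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 -a sha256
```

Run the check first; only if it reports a CNG key for the certificate you selected in the wizard do you need the MakeCert step. After creating the new certificate, re-run the check so the new thumbprint shows "Legacy CSP" before selecting it in the wizard.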
If the warning below occurs, create the SPN manually.
An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.
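The following is an added example, not from the original article, showing how to find out which account already holds the ADFS service principal name and how to register it on the intended service account once the conflict is resolved. ADFS expects the SPN host/<federation service name> on its service account; the names adfs.dyn365apps.local and svc_adfs are taken from this article, and the example assumes you run it as a domain administrator on a domain-joined machine with setspn.exe available.

```powershell
# Added example (not part of the original article).
# Assumed values from the article: federation service name and ADFS service account.
$FederationServiceName = "adfs.dyn365apps.local"
$ServiceAccount        = "svc_adfs"
$Spn                   = "host/$FederationServiceName"

# 1. Ask the domain which account, if any, currently holds the SPN (-Q searches the forest).
#    setspn prints the owning account's distinguished name when it finds the SPN.
$query = setspn -Q $Spn
$query

# 2. List every duplicate SPN in the forest; a duplicate is exactly what the wizard complained about.
setspn -X

# 3. Register the SPN on the ADFS service account only when nobody else holds it.
#    -S performs a duplicate check and refuses to add a second registration, so the stale
#    one must first be removed from the other account with: setspn -D <spn> <other account>
if ($query -match 'No such SPN found') {
    setspn -S $Spn $ServiceAccount
} else {
    Write-Warning "The SPN '$Spn' is already registered (see output above). Remove it from the other account before registering it on $ServiceAccount."
}

# 4. Confirm the service account now lists the SPN.
setspn -L $ServiceAccount
```

Registering the SPN on the correct account matters beyond the wizard: if another account holds host/adfs.dyn365apps.local, Kerberos tickets for the federation service will be encrypted for that account and Windows Integrated Authentication to ADFS will fail or fall back to forms.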
For more information, please refer to the thread below.
Please check out the next article in the series to learn how to configure the relying party trust.
Thank you for visiting Dyn365Apps.com.
Follow me on Twitter to get the latest news, tips and tricks and more …
Until next time…