In this article, I will detail how to enable an ADFS server to authenticate users in Adxstudio. Please check out Part 1 of this series, which provides an overview of the solution.
[Integration] ADFS as the Identity Provider for Adxstudio – Part 1 – Overview
SSL Certificates
Before you start, make sure you have SSL certificates for ADFS, WAP, and Adxstudio. If you are setting up development environments, you can use self-signed certificates. To learn how to create a self-signed certificate, please see the article below.
[How To] Create a Self-Signed SSL Certificate to use with Dynamics 365 Infrastructure Setup
Enable ADFS Role
Login to ADFS server.
Open Server Manager and click on Add roles and features.
Click Next.
Click Next.
Click Next.
Select Active Directory Federation Services and click Next.
Click Next.
Click Next.
Select Restart the destination server automatically if required.
Click Yes.
Click Install.
Click on the Configure the federation service on this server.
Configure ADFS
The Active Directory Federation Services Configuration Wizard opens.
Click Next.
Specify an account with AD Domain admin permissions. Click Next.
Select the certificate, for example adfs.dyn365apps.local.
Enter a Federation Service Display Name, for example Dyn365Apps Corporation.
Ignore the warning "Group Managed Service Accounts are not available because the KDS Root Key has not been set", since a domain user account will be used as the service account.
Click the Select… button under Use an existing domain user account. Type svc_adfs and click Check Names. Click OK. Note: I created a specific service account called svc_adfs to use with ADFS.
Enter the password. Click Next.
If ADFS was previously configured, the error below will occur. Select the Overwrite existing AD FS configuration database data check box. Click Next.
If you would like to view the PowerShell script, click View Script. Click Next.
The PowerShell script looks like this:

```powershell
#
# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

# Create the farm: the thumbprint identifies the SSL certificate selected in the wizard,
# and -OverwriteConfiguration:$true corresponds to the "Overwrite existing AD FS
# configuration database data" check box.
Install-AdfsFarm `
    -CertificateThumbprint:"ADDDD86AAAA2A5363C73333701BBBBA64CCCC7D0" `
    -FederationServiceDisplayName:"Dyn365Apps Corporation" `
    -FederationServiceName:"adfs.dyn365apps.internal" `
    -OverwriteConfiguration:$true `
    -ServiceAccountCredential:$serviceAccountCredential
```
Click Configure.
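Once the wizard reports success, it is worth confirming that the farm actually came up as configured before moving on to the relying party trust. The following PowerShell is an added example, not code from the original article: it checks the AD FS service and its logon account, the farm name and display name, the service-communications (SSL) certificate, and the federation metadata endpoint. The federation service name follows the article's naming (adfs.dyn365apps.local); adjust it if yours differs.

```powershell
# Added example (not from the original article): post-configuration checks for the AD FS farm.
# $fsName is assumed to match the federation service name entered in the wizard.
Import-Module ADFS
$fsName = 'adfs.dyn365apps.local'

# 1. The AD FS Windows service must be running, and under the intended service account.
Get-Service adfssrv | Select-Object Name, Status
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName

# 2. The farm's host name and display name must match what was entered in the wizard.
Get-AdfsProperties | Select-Object HostName, DisplayName

# 3. The service-communications (SSL) certificate must be the one selected and still valid.
Get-AdfsCertificate -CertificateType Service-Communications |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# 4. The federation metadata document must be served over HTTPS. Relying parties consume
#    this document, so a failure here will surface later as a trust error.
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    [xml]$md = $resp.Content
    "Metadata OK: entityID = $($md.EntityDescriptor.entityID)"
} catch {
    "Metadata endpoint failed: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the ADFS server. With a self-signed certificate, step 4 only passes if that certificate (or its issuer) is in the machine's Trusted Root Certification Authorities store; otherwise Invoke-WebRequest reports a TLS validation failure rather than a problem with AD FS itself.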
If the error below occurs, there is an issue with the certificate.
The certificate with the specified thumbprint XXXX has a Cryptography Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
Download the Windows SDK and use the MakeCert command to create the certificate. Please see the article below for more details.
[How To] Create a Self-Signed SSL Certificate to use with Dynamics 365 Infrastructure Setup
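Rather than discovering the CNG problem only when the wizard fails, you can inspect the certificate's private key beforehand. The following PowerShell is an added example and not part of the original article: it looks the certificate up by thumbprint in the local machine store, reports whether its RSA private key is held by a CNG Key Storage Provider or by a legacy Cryptographic Service Provider, and cross-checks the provider name via certutil. It assumes .NET Framework 4.6 or later (for RSACertificateExtensions) and uses a placeholder thumbprint that you must replace with the one shown in the wizard.

```powershell
# Added example (not from the original article): is the AD FS SSL certificate backed by a
# CNG key (unsupported by this wizard) or by a legacy CSP key (supported)?
# The thumbprint is a placeholder; replace it with the thumbprint shown in the wizard.
$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key; AD FS cannot use it." }

# .NET 4.6+ returns the private key as RSACng (CNG / Key Storage Provider) or as
# RSACryptoServiceProvider (legacy CSP). A null result means a non-RSA or inaccessible key.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyType = if ($null -ne $key) { $key.GetType().Name } else { 'non-RSA or inaccessible' }

# certutil prints the provider name directly; "Key Storage Provider" in the name means CNG.
$providerLine = certutil -store My $thumbprint |
    Select-String 'Provider\s*=' | Select-Object -First 1
$provider = if ($providerLine) { $providerLine.Line.Trim() } else { 'provider not reported' }

[pscustomobject]@{
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    KeyType       = $keyType
    Provider      = $provider
    UsableByAdfs  = ($keyType -eq 'RSACryptoServiceProvider')
}
```

If UsableByAdfs comes back false, recreate the certificate with MakeCert as described above (MakeCert generates a CSP-backed key pair) and re-run the wizard with the new thumbprint; simply exporting and re-importing a CNG certificate does not change the key's provider.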
If the warning below occurs, create the SPN manually.
An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually. For more information about setting the SPN of the service account manually, see the AD FS Deployment Guide. Error message: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.
For more information, please refer to the thread below.
Please check out the next article in the series to learn how to configure the relying party trust.
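The warning means the HOST/<federation service name> SPN already belongs to some other account in the forest, so AD FS cannot register it for svc_adfs. The following PowerShell is an added example, not from the original article: it uses setspn.exe to find the current owner, lists duplicate SPNs, and then shows how to move the SPN to the service account. It follows the article's names (adfs.dyn365apps.local, svc_adfs) and assumes a NetBIOS domain name of DYN365APPS; the account to remove the SPN from is deliberately left as a placeholder to be filled in from the query output.

```powershell
# Added example (not from the original article): locate and fix a conflicting AD FS SPN.
# Run as a domain admin on a domain-joined machine; setspn.exe ships with AD DS / RSAT.
$fsName  = 'adfs.dyn365apps.local'
$svcAcct = 'DYN365APPS\svc_adfs'   # assumed NetBIOS domain name; adjust to your domain
$spn     = "HOST/$fsName"

# -Q queries the forest for the SPN and prints the distinguished name of the owner, if any.
# An "Existing SPN found!" result on an account other than $svcAcct is the cause of the warning.
setspn -Q $spn

# -X reports every duplicated SPN in the forest, which catches the same conflict on
# other names (for example a stale computer object from an earlier lab build).
setspn -X

# Remove the SPN from the account reported by -Q (-D), then register it on the service
# account with the built-in duplicate check (-S). Fill in the owner from the -Q output.
# setspn -D $spn 'DYN365APPS\REPLACE_WITH_CURRENT_OWNER'
# setspn -S $spn $svcAcct

# Confirm what the service account now has registered before re-running the wizard.
setspn -L $svcAcct
```

The -D and -S lines are commented out so that the script is read-only until you have confirmed which object holds the SPN; removing an SPN from an account that is still legitimately using it breaks Kerberos authentication for that service, so check the -Q output first.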
[Integration] ADFS as the Identity Provider for Adxstudio – Part 3 – Configure Relying Party Trust
[Integration] ADFS as the Identity Provider for Adxstudio – Part 4 – Configure Web Application Proxy
[Integration] ADFS as the Identity Provider for Adxstudio – Part 6 – Configure Adxstudio
References:
https://technet.microsoft.com/en-us/library/gg188612.aspx
Thank you for visiting Dyn365Apps.com.