Friday 6 March 2015

Office 365 Installing and Configuring Active Directory Federation Services (AD FS) with a Trusted SSL Certificate

This post is a follow-on from my last two blog posts on configuring Office 365, DirSync and AD FS for unified identities from your on-premises Active Directory to the Office 365 cloud.

If you review the TechNet guidance on AD FS certificates, you will see that AD FS requires a publicly trusted SSL certificate if you are going to federate with Office 365 for Single Sign-On (SSO). It would be possible to use a certificate from your internal Certificate Authority if your CRLs were published externally, but the recommendation is to use an SSL certificate issued by a global provider, because every client and Office 365 itself must be able to build and validate the chain. As this is only a test lab I got a cheap SSL certificate from GoDaddy for £5.

Getting the certificate installed so that AD FS can use it can be confusing at first. GoDaddy issues certificates in .CER format, which contains only the public certificate and no private key. If you simply import that file on the AD FS server it does not appear in the AD FS configuration wizard, because the wizard only lists certificates in the Local Machine Personal store that have a private key bound to them.

I found the easiest way around this is the DigiCert Certificate Utility for Windows (a free download from DigiCert). Run it on the machine where the certificate request was generated, because that is where the private key lives and the utility pairs the issued .CER with it. Once it's installed open the GUI, click the SSL icon on the left-hand side and then click Import.

Once you have downloaded your SSL certificate from your certificate provider browse to the location of the file and click Next.

Enter a friendly name for the certificate, I have just used the single Common Name in this instance. Click Finish.

The certificate will then be listed in the DigiCert utility, click on the certificate once and then click Export Certificate.

Choose Yes, Export the Private Key, ensure the format is set to PFX and tick Include all related certificates so the intermediate chain travels with it, then click Next.

You will be prompted for a password to protect the certificate's private key. Enter one and click Next.

Point to a path to output the new certificate file. Click Finish.

Copy the newly generated PFX file to the AD FS server, right-click it and select Install PFX.

Run through the Certificate Import Wizard, making sure you import it into the Local Machine certificate store (the Personal store), not the current user's store.

You will be asked for the password you set in the DigiCert utility. Tick Mark this key as exportable, as you will need to export the same certificate again if you are going to deploy the AD FS Web Application Proxy (WAP). Bear in mind that an exportable private key can be extracted by anyone with local administrator rights on the server, so only do this where a re-export is actually planned. Click Next.
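As an added example (not the original post's code), here is the same import done with PowerShell on the AD FS server, followed by the checks the AD FS configuration wizard applies silently before it will list a certificate: a bound private key, the Server Authentication EKU, a subject or SAN matching the federation service name, and a chain that builds to a trusted root. The PFX path, the export path for the WAP copy and the federation service name are assumptions for a lab; substitute your own.

```powershell
# Added example, not code from the original post. The values below are lab assumptions.
$PfxPath     = 'C:\Certs\adfs-lab.pfx'          # PFX exported from the DigiCert utility (assumed path)
$WapPfxPath  = 'C:\Certs\adfs-lab-for-wap.pfx'  # copy for the Web Application Proxy (assumed path)
$ServiceFqdn = 'adfs.lab.example.com'           # federation service name you will give the wizard (assumed)
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the Local Machine Personal store (Cert:\LocalMachine\My), the only
# store the AD FS wizard reads. -Exportable is only here because the key is exported
# again below for the WAP; leave it off when no re-export is planned, since an
# exportable key can be pulled out by anyone with local admin rights.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $PfxPassword `
    -Exportable

# 1. The wizard lists only certificates with a private key bound to them.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the PFX, not the .cer"
}

# 2. It must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
#    Public CAs always set an EKU, so an empty list here would itself be suspicious.
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# 3. The subject or a SAN entry must match the federation service name.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $ServiceFqdn) {
    throw "Certificate names ($($names -join ', ')) do not include $ServiceFqdn"
}

# 4. Build the chain to a trusted root, which is what clients and Office 365 will do.
#    Test-Certificate (PKI module) applies the SSL policy, including revocation checks,
#    and returns $false (with a non-terminating error) when the chain does not build.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $ServiceFqdn -ErrorAction SilentlyContinue)) {
    throw 'Chain or revocation check failed; was the intermediate included in the PFX?'
}

# Export a copy, chain included, for the Web Application Proxy.
Export-PfxCertificate -Cert $cert -FilePath $WapPfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# Keep the thumbprint: Install-AdfsFarm takes it rather than the friendly name.
Write-Host "Ready for AD FS: thumbprint $($cert.Thumbprint) ($($cert.Subject))"
```

If the script throws at step 1 you have imported the bare .CER rather than the PFX; at step 4, the usual cause is a missing intermediate certificate, which the DigiCert utility's "include all related certificates" option is there to prevent.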

Now it's time to install Active Directory Federation Services. Open Server Manager and click Manage, then Add Roles and Features.

Click Next through the installation type and server selection pages, tick Active Directory Federation Services in the list of server roles, then click Next until the installation starts.

Once the installation has completed, return to Server Manager, click the yellow notification flag and select Configure the federation service on this server.

When the wizard launches, select Create the first federation server in a federation server farm and then click Next.

You will now be prompted to select the SSL certificate you would like AD FS to use. The certificate you imported in the previous stage should appear in the drop-down (if it does not, it is missing its private key or is not in the Local Machine Personal store). The Federation Service Name is taken from the certificate's subject and must match the DNS name clients will use, so check it before clicking Next.

An AD FS service account is required. A standard domain user account works; on Windows Server 2012 R2 a group Managed Service Account (gMSA) is the better choice, since it has no password to rotate or to leak. Select or create the account and click Next.

In this example I am going to install AD FS with the Windows Internal Database (WID). It is possible to configure AD FS to use a full SQL Server, but that is only needed for large farms (WID supports 5 federation servers in AD FS 2.x and up to 30 in Windows Server 2012 R2, provided the farm has no more than 100 relying party trusts) or for features that require SQL, such as SAML artifact resolution and token replay detection. Click Next.

Review the options, click Next, and the wizard will run its pre-requisite checks and then configure the basic AD FS settings.
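As an added example (not the original post's code), the same role install and first-farm-server configuration done from PowerShell on Windows Server 2012 R2, which is easier to repeat in a lab and to review afterwards. The federation service name, display name, thumbprint and account names are assumptions; the thumbprint is the one you noted when importing the certificate. It also shows the gMSA and SQL Server variants the wizard offers, as commented alternatives.

```powershell
# Added example, not code from the original post. Names and the thumbprint are lab assumptions.
$ServiceFqdn = 'adfs.lab.example.com'                        # must match the certificate (assumed)
$DisplayName = 'Lab Federation Service'                      # shown on the sign-in page (assumed)
$Thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'    # placeholder; use your certificate's thumbprint

# Install the role (the Add Roles and Features step).
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Service account. A plain domain account is prompted for here; the gMSA form is below.
$svc = Get-Credential -Message 'AD FS service account (DOMAIN\user)'

# Dry run: Test-AdfsFarmInstallation performs the wizard's pre-requisite checks
# (certificate, DNS name, SPN, account rights) without changing anything.
$check = Test-AdfsFarmInstallation -CertificateThumbprint $Thumbprint `
    -FederationServiceName $ServiceFqdn `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential $svc
if ($check.Status -ne 'Success') {
    throw "Pre-requisite check failed: $($check.Message)"
}

# Create the first federation server in the farm. With no -SQLConnectionString the
# configuration database is the Windows Internal Database, as in the wizard.
Install-AdfsFarm -CertificateThumbprint $Thumbprint `
    -FederationServiceName $ServiceFqdn `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential $svc

# gMSA alternative: replace -ServiceAccountCredential with
#   -GroupServiceAccountIdentifier 'LAB\svc-adfs$'     (account must already exist; assumed name)
# SQL Server alternative for large farms: add
#   -SQLConnectionString 'Data Source=sql01;Integrated Security=True'   (assumed server name)

# Post-install checks: the service is running, AD FS knows its host name, and the
# federation metadata (what Office 365 consumes) is served over the new certificate.
Get-Service -Name adfssrv | Select-Object Name, Status
(Get-AdfsProperties).HostName
$metadataUrl = "https://$ServiceFqdn/federationmetadata/2007-06/federationmetadata.xml"
(Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).StatusCode
```

Run this from an elevated PowerShell session as a domain administrator, because Install-AdfsFarm needs to register the service principal name for the service account. Do not skip the dry run: Test-AdfsFarmInstallation catches the common mistakes (thumbprint typo, name mismatch with the certificate, missing DNS record) before Install-AdfsFarm leaves a half-configured farm behind.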