Installing Enterprise CA for AD FS on Windows Server 2012
This video will look at how to install and set up Active Directory Certificate Services (AD CS) for use with Active Directory Federation Services (AD FS) on Windows Server 2012. Check out http://itfreetraining.com for more of our always free training videos. This video only performs a basic setup; if you are planning to use certificates in your organization, you should do additional research on certificates to ensure that the certificate hierarchy you install meets your organization's requirements.
Download the PDF handout http://ITFreeTraining.com/handouts/fe...
Demonstration role installation
The server used is Windows Server 2012 Standard. The base install has been performed and the server added to the domain.
1) To install the Active Directory Certificate Services role, open Server Manager from the quick launch bar and then select the option “Add roles and features” on the welcome screen. This starts the Add Roles and Features wizard.
2) For the first few screens the defaults will be accepted. This selects the local server as the server to install the role on.
3) On the “Select server roles” screen, tick the component “Active Directory Certificate Services”. When this is ticked, the wizard will also prompt for the feature “[Tools] Certification Authority Management Tools” to be added if it is not already installed.
4) On the “Select features” screen, no additional features are required so it is safe to press next and move on.
5) The next screen of the wizard is the Certificate Services welcome screen. Additional information about certificate services is displayed here. Once next is pressed, the next screen will be about configuration of the Certificate Services components.
6) On the “Select role services” screen the administrator needs to decide which components of Certificate Services to install. In this case the only component required is the default component “Certification Authority”, so this can be left ticked and next can be pressed.
7) The “Confirm installation selections” screen shows the options chosen in the wizard; once the Install button is pressed the install will start. It is just a matter of waiting until the role has been installed before it can be configured.
Demonstration: configuring the role
Once the “Certification Authority” component of the Active Directory Certificate Services role has been installed, it next needs to be configured.
1) To configure the role, open Server Manager and select the exclamation mark next to the flag at the top of Server Manager. From the pull-down menu, select the option “Configure Active Directory Certificate Services on the destination server” to start the configuration wizard.
2) The first screen of the wizard will ask which user you want to use to perform the configuration. The user needs to be a member of the Enterprise Admins group and also have administrator rights on the local server.
3) The next screen asks which components of Active Directory Certificate Services you want to configure. In this particular case, only the “Certification Authority” component was installed, and it is the component required to issue certificates. Once the “Certification Authority” component has been ticked, the next button can be pressed to move on to the next screen of the wizard.
4) On the screen “Specify the setup type of the CA”, in this case the default option of “Enterprise CA” will be selected. An Enterprise CA works with Active Directory to issue certificates. In a later video the Standalone CA will be looked at when the install for HighCostTraining is performed.
5) On the screen “Specify the type of CA”, the option “Root CA” will be selected. This performs an install that issues certificates without requiring any other CAs in order to operate. For better security it is recommended to use a subordinate CA and keep a secured Root CA in the company, or to use a 3rd-party certificate authority. To keep the install simple in this video, the option “Root CA” was selected, which means that no other CAs are required.
6) For the “Private Key”, “Cryptography”, “CA Name”, “Validity Period” and “Certificate Database” the default options were selected. If you are performing the install in a production environment, you should have a look at the options on these screens to determine if the options are right for you.
7) On the “Confirmation” screen this will show all the options that have been selected. Once the “Configure” button is pressed this will start the configuration of the role.
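The same role install and Enterprise Root CA configuration as the two wizard walkthroughs above, done from PowerShell on Windows Server 2012. This is an added example, not the video's own steps; the CA common name and the five-year validity period are assumed values, and the key size and hash are stated explicitly instead of taking the wizard defaults the video accepted.

```powershell
# Added example (not from the ITFreeTraining video). Run in an elevated PowerShell
# session as a user who is an Enterprise Admin and a local administrator.

# "Enterprise CA" is only offered on a domain-joined server (the wizard greys it out
# otherwise), so check that first.
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    throw 'Join the server to the domain before configuring an Enterprise CA.'
}

# Role install (steps 1-7): the CA role service plus the "Certification Authority
# Management Tools" feature that the wizard would otherwise prompt for.
$install = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $install.Success) { throw "AD CS role install failed (exit code $($install.ExitCode))" }

# Configuration (steps 1-7 of the second walkthrough): Enterprise CA, Root CA, and the
# Private Key / Cryptography / CA Name / Validity Period choices. None of these can be
# changed once the CA exists, so they are spelled out rather than left to the defaults.
Import-Module ADCSDeployment
$caParams = @{
    CAType              = 'EnterpriseRootCa'
    CACommonName        = 'ITFreeTraining-Root-CA'                      # assumed name
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                                             # assumed lifetime
    Force               = $true                                         # no interactive confirm
}
Install-AdcsCertificationAuthority @caParams

# Checks: the CertSvc service must be running and certutil must report the new CA's
# name (run on the CA itself, certutil defaults to the local CA).
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running" }
certutil -cainfo name
```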
Description too long for YouTube. Please see the following link for the rest of the description.
http://itfreetraining.com/federation#...
See http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Closed Caption:
Welcome to the ITFreeTraining video on setting up an Enterprise CA for use with Active Directory Federation Services. This video will set up an Enterprise Root CA for use with Active Directory Federation Services. If you already have an Enterprise CA configured on your network, you can follow the steps in the later part of this video for creating a template to issue certificates. If you do not have a certificate hierarchy already, this video will get you up and going with the basic requirements. If you are planning to use certificates in your company, I would recommend doing some additional research on how to deploy a certificate hierarchy, as this is a big, long-term investment for your company. I will now change to my computer running Windows Server 2012 to have a look at how to set up an Enterprise Root CA for use with Active Directory Federation Services.
This is a basic Windows Server 2012 Standard install. No additional roles have been added. The only change to the base install was to add it to the ITFreeTraining domain. To start with, I need to add the certificate role to the server. To do this, I will need to open Server Manager. Once Server Manager has opened, I next need to select the option "Add roles and features" found on the welcome screen to start the add roles and features wizard. Once I am past the welcome screen, I will leave it on the default option to install a "role-based or feature-based installation" and then, on the next screen, leave it on the default option of the current server. On the next screen I need to select which role I want to install. In this case, the only role that I need to select is "Active Directory Certificate Services". Once selected, Windows will prompt for some additional features that need to be installed. So, I will press "add features" and then move on to the next screen of the wizard.
This screen will allow you to select additional features, of which there are none. For this reason I will press next and move on. The next screen is the welcome screen for Certificate Services. Once I move past this screen, I next need to select which components of Certificate Services I want to install. In this case, the default option of "Certification Authority" is the only component that is required, so I will leave it selected and move on to the next screen of the wizard. The last screen will show me the options that I have selected. Once I press install, the role will be installed. This process does take a few minutes to complete, so I will pause the video and return shortly.
Now that the role has been installed, I can close the wizard. The next step is to configure the role. To do this, I need to select the exclamation mark at the top of the screen and then select the option "Configure Active Directory Certificate Services on the destination server". The first screen of the configuration wizard will ask which user account you want to use. By default it will use the currently logged-in user, which is a domain administrator. This has enough rights to perform the install, so I will press next to move on. On the next screen I need to select which components I want to configure. In this case the only component that has been installed is the "Certification Authority" component, so I will tick that component and move on to the next screen of the wizard.
On the next screen I need to make sure that "Enterprise CA" is selected. If this option is grayed out, check to make sure the server has been added to the domain. In a later video I will configure the High Cost Training CA, for which I will use the Standalone CA option, if you are interested in how to do this. With "Enterprise CA" selected, I will move on to the next screen of the wizard. In this particular case I will select the option "Root CA". In a production environment I would use an offline standalone CA for the root CA, for additional security. In this case I am performing just the basic install to obtain a certificate for the Active Directory Federation Server.
For the next few screens, I will accept the default options. If you are planning to configure certificates in your organization, you should take your time to understand and configure these options to meet your needs. In this case, the default options will work fine to install and use AD FS, but remember, the options you select here cannot be changed later. So if you plan to deploy Certificate Services for use in your company, do your research first. Once I press configure, the server will be configured as an Enterprise Root CA. This does take a minute or so to complete, so I will pause the video and return shortly. Once the server has been configured, I will close the wizard. The next step is to configure a certificate template to be used with Active Directory Federation Services.
To do this, I will select the tools menu and then select the option "Certification Authority". Once open, I will need to expand down to "Certificate Templates", right-click it and select the option manage. From the list of templates I need to select one that provides the basic functionality for Federation Services. Since Federation Services uses web protocols, I will scroll down to the bottom and select the Web Server template. The next step is to right-click the template and select the option "Duplicate Template". Once selected, the properties for the copy of the "Web Server" template will be displayed. It is now just a matter of customizing this template for use with Active Directory Federation Services. The first change that I will make can be found on the tab "General". For the display name, I will enter in "ADFS SSL Certificate 2012" to make it easy to tell apart from the other certificates.
Next I will select the "Subject Name" tab. On this tab I will need to select the option "Build from this Active Directory information". When the Active Directory Federation Server requests a certificate from the Certificate Authority, it will supply this information. If you are using a stand-alone certificate authority, you would need to enter in this information. I will look at how to configure these settings manually when I set up the CA for High Cost Training. Under "Subject name format" I need to select the option "Common name". Active Directory Federation Services requires that both the common name in the certificate and also the DNS name be configured. To configure the DNS information, make sure the tick box "DNS name" is ticked. The other tick boxes do not need to be ticked.
Next I need to select the security tab to ensure that the server has enough access to request a certificate. To do this, I will press the add button and press the button "Object Types". Before I can enter in the names of the server to search for, I first need to tick the option "Computers". If this option is not selected, the search will not find the computer account associated with the server. Once ticked, I can go back and enter the computer name of my Active Directory Federation Server. This server has had the base install performed and been added to the domain, but nothing else has happened to it as yet. Once the server has been added to the permissions list, I also need to ensure that the "Enroll" permission is ticked, which can be found in the allow column. If the read and enroll permissions are not set to allow, the server will not be able to request a certificate.
Once I exit out of here, you will notice the new template has been added to the list of available templates; however, it will not be available to the CA yet. To make it available, I need to close this window and go back to "Certification Authority". From here I need to right-click "Certificate Templates" and select the option "Certificate Template to Issue" under the new menu. Once selected, a window will appear showing all the available templates. It is just a matter of selecting the template that I want to use and pressing the OK button. You will notice the template is now available and listed in Certificate Templates.
The certificate template has now been configured and added to the Enterprise CA. Now the server that is running Active Directory Federation Services will be able to request the certificate to be used with Active Directory Federation Services. But the install of Active Directory Federation Services I will leave to another video. Till that time, I hope you have found this video useful and I look forward to seeing you in the next video from this series on Active Directory Federation Services. Until then, thanks for watching.
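An added check for the template work described in the closed captions (not code from the video): after duplicating "Web Server" in the MMC, this script reads the new template's Active Directory object, verifies the Subject Name tab choices (build from AD, Common name, DNS name), lists every principal granted the Enroll right so that only the AD FS computer account has it, and then publishes the template on the CA as "Certificate Template to Issue" does. The display name comes from the video; the computer account ITFREETRAINING\ADFS01$ is an assumed value.

```powershell
# Added example, not the video's own steps. Run on the Enterprise CA as an Enterprise Admin.
$displayName  = 'ADFS SSL Certificate 2012'   # display name entered on the General tab
$adfsComputer = 'ITFREETRAINING\ADFS01$'       # assumed computer account of the AD FS server

# Templates live in the Configuration partition, so resolve it from RootDSE.
$configNc      = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatesPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$filter        = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
$result = (New-Object DirectoryServices.DirectorySearcher([ADSI]$templatesPath, $filter)).FindOne()
if (-not $result) { throw "Template '$displayName' not found; duplicate Web Server in the MMC first." }
$template = $result.GetDirectoryEntry()

# Subject Name tab, stored in msPKI-Certificate-Name-Flag (bit values from MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001   # set only for "Supply in the request"
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS     = 0x08000000   # the "DNS name" tick box
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000   # subject name format "Common name"
$nameFlags = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
$subjectOk = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) -and
             (($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME) -ne 0) -and
             (($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) -ne 0)
if (-not $subjectOk) {
    throw ("Subject Name tab is not 'Build from AD' + Common name + DNS name " +
           ('(msPKI-Certificate-Name-Flag = 0x{0:X8})' -f $nameFlags))
}

# Security tab: who holds the Enroll extended right. Only explicit Enroll ACEs are listed;
# a principal with Full Control on the template holds it implicitly, so review those as well.
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$extRight   = [DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers  = @($template.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollGuid -and
        (($_.ActiveDirectoryRights -band $extRight) -ne 0) } |
    ForEach-Object { $_.IdentityReference.Value })
$enrollers | ForEach-Object { "Enroll allowed for: $_" }
if ($enrollers -notcontains $adfsComputer) {
    throw "$adfsComputer has no Enroll permission on '$displayName'; add it on the Security tab."
}

# Publish on the CA, the equivalent of "New > Certificate Template to Issue".
Import-Module ADCSAdministration
$cn = [string]$template.Properties['cn'].Value     # template name (CN), not the display name
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $cn })) { Add-CATemplate -Name $cn -Force }
Get-CATemplate | Where-Object { $_.Name -eq $cn }
```

Read permission, which the video also requires, is a generic right rather than an extended right and is not checked here.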
Video Length: 09:38
Uploaded By: itfreetraining
View Count: 10,401