In my previous blog post “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” (http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/) I explained the general design and concept for setting up SSO with ADFS.
This article takes you step by step through initializing a new domain in Windows Intune WaveD, verifying it, and configuring it for single sign-on. It shows how to perform these steps on Windows Server 2012 with AD FS 2.1.
Again, this is the design we are going to follow:

Determine the ADFS Farm Name
We really need to get this information sorted first, because our certificate requests will be based on the FQDN of the farm name, and it isn’t possible to install ADFS services without a certificate.
We’ll use “Federation.scug.be”; this is the name the Windows Intune federation services will use. The certificate for this name absolutely must be issued by a public CA.
Request a Certificate
A really quick overview of ADFS certificates: ADFS uses three certificates; one is used for server authentication and the remaining two are used for ADFS token signing and verification.
For best practice and supportability this certificate should NOT be a wildcard certificate. My wildcard certificates were working flawlessly, but if you go that way and something does not work later down the road, your support options may be limited.
Service Account for ADFS Federation Service
Next, we will create a service account for installing and running the ADFS Federation Service. This service account will be used to perform the initial installation of the service as well as of the WID (Windows Internal Database) SQL databases. During this initial installation, the service creates certificate containers in Active Directory, as well as SPN records for the shared IIS application pool identity. To perform these tasks, the service account must be at least a Domain Admin.
Install ADFS Service on the First Windows Server 2012 Server (FED1PRD.SCUG.BE)
Prerequisites :
- Make sure that you installed the ADFS Services through “Add Roles and Features”.
- Make sure you have copied your *.SCUG.be certificate to your ADFS servers.
- Make sure the servers are joined to the domain.
- Your Active Directory domain must be in Windows 2003 mixed or native mode.
1. Open the wizard and select “Create a new Federation Service” …

2. Provide your SSL certificate and Federation Service Name …

3. Provide your Service Account and password …

4. After reviewing the settings, click Next to continue …

5. When everything is OK, click Close to close the wizard.

Install ADFS Service on the Second Windows Server 2012 Server (FED2PRD.SCUG.BE)
1. Open the wizard and select “Add a federation server to an existing Federation Service” …
![clip_image002[5] clip_image002[5]](http://scug.be/sccm/files/2013/07/clip_image0025_thumb.jpg)
2. Specify your primary federation server name and your ADFS service account.

3. Click Next to install, then Finish.
![clip_image002[7] clip_image002[7]](http://scug.be/sccm/files/2013/07/clip_image0027_thumb.jpg)
Important :
Create a hosts file entry on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE with the following line:

Now your ADFS farm is installed and configured correctly. Next, let’s look at how to introduce an AD FS proxy server.
In addition to adding two federation server proxies, you must make sure that your perimeter network can also provide access to a Domain Name System (DNS) server and to a second hardware Network Load Balancing host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name (federation.SCUG.be) setting as the previous NLB cluster that you configured on the corporate network (Federation.scug.be). The federation server proxies should also be configured with Internet-accessible IP addresses.
Note: All server/client communication is established over port 443. Make sure that port 443 is allowed from and to the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.
Importing the Certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE
After that, import your *.SCUG.BE certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE into your web site as described below:
After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.
Next, you’ll need to add the Certificate to the Default Web Site. With the Default Web Site Selected click Bindings.
Click Add
Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.
The site bindings should now look like:

Install ADFS Proxy Servers on Windows Server 2012 Server (ADFSPROXY01 – ADFSPROXY02)
1. Select “ADFS Federation Services Proxy” through “Add Roles and Features”.
![clip_image002[9] clip_image002[9]](http://scug.be/sccm/files/2013/07/clip_image0029_thumb.jpg)
2. Leave the defaults selected and select “Next”
![clip_image002[11] clip_image002[11]](http://scug.be/sccm/files/2013/07/clip_image00211_thumb.jpg)
3. Hit the “Install” button.
![clip_image002[13] clip_image002[13]](http://scug.be/sccm/files/2013/07/clip_image00213_thumb.jpg)
Important :
Create a hosts file entry on ADFSPROXY01 and ADFSPROXY02 with the following line:

Note: All server/client communication is established over port 443. Make sure that port 443 is allowed from and to the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.
Importing the Certificate on ADFSPROXY01 and ADFSPROXY02
After that, import your *.SCUG.BE certificate on ADFSPROXY01 and ADFSPROXY02 into your web site as described below:
After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

Next, you’ll need to add the Certificate to the Default Web Site. With the Default Web Site Selected click Bindings.

Click Add

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now look like:

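The certificate import and https binding steps above are repeated for the federation servers and the proxies, so here is one verification script that covers both; it is an added example, not part of the original post. It assumes the service name is federation.scug.be and that the certificate was imported into the computer’s Personal store.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell on each federation server and proxy after importing the certificate
# and creating the https binding. Assumptions: the federation service name is
# federation.scug.be and the certificate is in Cert:\LocalMachine\My.
Import-Module WebAdministration

$FederationName = 'federation.scug.be'

function Test-AdfsSslBinding {
    param([string]$DnsName, [string]$SiteName = 'Default Web Site')

    # The certificate must cover this exact name, either directly or via a
    # wildcard for its parent domain (wildcards work, but are not supported).
    $wildcard = '*.' + ($DnsName -replace '^[^.]+\.', '')
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $DnsName -or
                       $_.DnsNameList.Unicode -contains $wildcard } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Name = $DnsName; CertificateFound = $false }
    }

    # Build the chain so a self-signed or private-CA certificate is flagged;
    # the post requires a publicly issued certificate.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # IIS side: an https binding on *:443 for the site, and SSL actually
    # bound to this certificate's thumbprint (not an older one).
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq '*:443:' }
    $sslThumb = $null
    if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') {
        $sslThumb = (Get-Item 'IIS:\SslBindings\0.0.0.0!443').Thumbprint
    }

    [pscustomobject]@{
        Name              = $DnsName
        CertificateFound  = $true
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        IsWildcard        = ($cert.DnsNameList.Unicode -contains $wildcard)
        HasPrivateKey     = $cert.HasPrivateKey
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted      = $chainOk
        DaysUntilExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        HttpsBindingOn443 = [bool]$binding
        BoundToThisCert   = ($sslThumb -eq $cert.Thumbprint)
    }
}

Test-AdfsSslBinding -DnsName $FederationName | Format-List
```

Every property in the output should read True (IsWildcard and SelfSigned False) before you move on; a False in BoundToThisCert usually means the binding still points at a previously imported certificate.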
DNS Configuration
- Configure internal DNS to point federation.scug.be to the federation hosts’ cluster (NLB) IP.
- Set up a host (A) record for federation.scug.be on a public-facing DNS server, for external name resolution, pointing to the proxy servers’ cluster (NLB) IP.
Optional: in case the proxy servers don’t have DNS connectivity to the internal DNS server, you can configure the hosts file (see above) on each proxy to resolve the AD FS host servers’ name.
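To confirm that the split-DNS design above (internal name to the federation NLB, public name to the proxy NLB, hosts file as fallback) and the port 443 rule both work from a given machine, here is an added check script that is not part of the original post. It assumes the service name federation.scug.be; the two NLB addresses are placeholders you must replace with your own.

```powershell
# Added check script (not from the original post). Run it on a federation
# server, on a proxy, and on an Internet-facing client; each should see the
# side of the split DNS it is supposed to see and reach port 443.
# Assumptions: service name federation.scug.be; NLB IPs below are placeholders.
$FederationName     = 'federation.scug.be'
$ExpectedInternalIp = '10.0.0.10'     # placeholder: internal federation NLB IP
$ExpectedExternalIp = '203.0.113.10'  # placeholder: proxy NLB IP (TEST-NET-3 range)

function Get-HostsFileEntry {
    param([string]$Name)
    # Return the IP(s) a hosts file entry assigns to $Name, ignoring comments.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and
                       $_ -match "\s$([regex]::Escape($Name))(\s|$)" } |
        ForEach-Object { ($_ -split '\s+')[0] }
}

function Test-FederationEndpoint {
    param([string]$Name, [string]$InternalIp, [string]$ExternalIp)
    $hostsIp = Get-HostsFileEntry -Name $Name
    $dnsIp   = (Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
    # The hosts file wins over DNS, exactly as the optional step above relies on.
    $resolved = @(@($hostsIp) + @($dnsIp) | Where-Object { $_ }) | Select-Object -First 1
    $side = switch ($resolved) {
        $InternalIp { 'internal (federation NLB)' }
        $ExternalIp { 'external (proxy NLB)' }
        default     { 'UNEXPECTED: check DNS / hosts file' }
    }

    # Plain TCP connect on 443 isolates a firewall problem from a TLS problem.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($Name, 443); $port443 = $true }
    catch { $port443 = $false }
    finally { $tcp.Close() }

    # Fetching the federation metadata proves the whole HTTPS path: name,
    # trusted certificate and a responding AD FS (or proxy) behind it.
    $metadataOk = $false
    if ($port443) {
        try {
            $uri = "https://$Name/FederationMetadata/2007-06/FederationMetadata.xml"
            $r = Invoke-WebRequest -Uri $uri -UseBasicParsing
            $metadataOk = ($r.StatusCode -eq 200 -and $r.Content -match 'entityID=')
        } catch { $metadataOk = $false }
    }
    [pscustomobject]@{ Name = $Name; HostsFile = $hostsIp; Dns = $dnsIp
                       Side = $side; Port443 = $port443; MetadataOk = $metadataOk }
}

Test-FederationEndpoint -Name $FederationName -InternalIp $ExpectedInternalIp `
    -ExternalIp $ExpectedExternalIp | Format-List
```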
The end
Now your ADFS Farm is completely installed and configured correctly.
This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and troubleshooting steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.
Stay tuned!
Hope it helps,
Kenny Buntinx
Enterprise Client MVP