
Documentation & User Guides | FotoWare

Setting up Active Directory Federation Services (ADFS)

Setting up and maintaining ADFS is outside the scope of FotoWeb. The instructions here are therefore very basic and not necessarily suitable or secure enough for production systems. Please refer to the official Microsoft documentation for Active Directory Federation Services, or consult your IT administrator.

Warning:

For security reasons, do NOT expose the primary ADFS server (port 443) on the open internet! If users need to be able to use ADFS sign-in from outside the internal network of the organization, please see the subsection about setting up a Web Application Proxy.

Prerequisites

  • An on-premises Active Directory domain
  • Windows Server 2012 R2 or later
  • At least one server in the organization's domain that serves as the ADFS server (may be the same as the domain controller)
  • (Optional) At least one server in the organization's domain that serves as the CA root server (may be the same as the domain controller and/or ADFS server)
  • (Optional) A separate server in the DMZ that serves as the web application proxy

Setting up the ADFS Server

  1. Open Server Manager → "Manage" → "Add Roles and Features"
    1. Select the role "Active Directory Federation Services".
    2. Install the role with default options.
  2. Open the post-install configuration wizard for ADFS from the notification menu in Server Manager
    1. Select "Create the first server in a federation server farm".
    2. When asked for a certificate, either import a certificate from a file, or enroll a certificate from your enterprise CA (if available).
    3. Select a user-friendly display name (this name is shown to end users when they sign in).
    4. Specify a service account (you may use a regular user account or a group-managed service account, following the instructions provided by the wizard).
    5. Finish the wizard.
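The same configuration can be scripted. The following is an added example, not FotoWare's code and not taken from the Microsoft documentation; it assumes placeholder values (the domain EXAMPLE, the service name adfs.example.org, the service account svc-adfs and the CA template name WebServer) that you must replace with your own, and it is meant to be run in an elevated PowerShell session on the server that will become the first ADFS server.

```powershell
# Added example: scripted equivalent of the Server Manager steps above.
# Placeholders (assumed, not from the page): domain EXAMPLE, service name
# adfs.example.org, gMSA svc-adfs, CA template "WebServer".

# 1. Install the AD FS role (equivalent to "Add Roles and Features").
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Obtain the service certificate.
#    Option A: enroll from the enterprise CA (the template must allow this
#    machine to enroll; "WebServer" is an assumed template name).
$cert = (Get-Certificate -Template 'WebServer' `
            -SubjectName 'CN=adfs.example.org' `
            -DnsName 'adfs.example.org' `
            -CertStoreLocation 'Cert:\LocalMachine\My').Certificate
#    Option B: import a certificate from a PFX file instead.
# $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# $cert = Import-PfxCertificate -FilePath 'C:\certs\adfs.pfx' `
#             -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Sanity check: the subject must match the federation service name, otherwise
# clients will reject the TLS connection to the sign-in endpoint.
if ($cert.Subject -notmatch 'CN=adfs\.example\.org') {
    throw "Certificate subject '$($cert.Subject)' does not match the service name"
}

# 3. Create a group-managed service account for the AD FS service (optional;
#    you can instead pass -ServiceAccountCredential with a regular account).
#    Requires the ActiveDirectory module; Add-KdsRootKey runs once per forest.
Add-KdsRootKey -EffectiveImmediately
New-ADServiceAccount -Name 'svc-adfs' -DNSHostName 'adfs.example.org' `
    -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME$"

# 4. Create the first server of a new federation server farm.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'adfs.example.org' `
    -FederationServiceDisplayName 'Example Organization Sign-In' `
    -GroupServiceAccountIdentifier 'EXAMPLE\svc-adfs$'

# 5. Verify: the service host name and display name should echo what you
#    configured above.
Get-AdfsProperties | Select-Object HostName, DisplayName
```

The subject check before Install-AdfsFarm is the step most often skipped in the wizard: a certificate whose CN does not match the federation service name installs without complaint but breaks sign-in for every client.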


Setting up Web Application Proxy

The ADFS server should not be exposed on the open internet. If users need to be able to use ADFS sign-in from outside the internal network of the organization, then the solution is to set up a web application proxy on a separate server in the DMZ.

Warning:

The web application proxy MUST use HTTPS for encrypting credentials in transit. It is strongly recommended to use a certificate signed by a public CA.

The web application proxy does not need to be a member of the organization's domain. Not joining the domain can be more secure, but may also make it more difficult to manage the server.

Notes:

  • Even when using FotoWare SAAS with ADFS, it is not normally necessary to use a web application proxy. As long as all users log in from the internal network of their organization, where they can reach the ADFS server directly, this also works with FotoWare SAAS.
  • An alternative to web application proxy is to set up a VPN, so users from outside the internal network of their organization can also access the primary ADFS server directly and securely. This approach is not documented here.

  1. Install the Web Application Proxy role
    1. Open Server Manager
    2. Add the "Remote Access" role
    3. Add the "Web Application Proxy" role service under "Remote Access"
  2. Import TLS certificate to be used by the web application proxy.

    The certificate must have a subject name (CN) that matches the service name of the ADFS server (e.g., adfs.yourdomain.org).

    If you enroll the certificate from your enterprise root CA on a computer within your domain, and the web application proxy server is not a member of your domain, you have to export and re-import the certificate. When enrolling the certificate, make sure its private key is marked exportable. Then export the certificate together with its private key and copy it to the web application proxy server. Do not mark the private key exportable when importing the certificate there. You may also want to delete all copies containing the private key, including the original. Note that such a certificate will not be trusted by any machine outside your domain, so this approach is not recommended.

  3. Configure Web Application Proxy
    1. Open the Web Application Proxy Configuration Wizard (you can use the notification icon in Server Manager)
    2. Enter the name of the ADFS server and credentials for an administrator user on the ADFS server
    3. Select the TLS certificate
    4. Finish the wizard
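Steps 1 to 3 above, including the certificate export and re-import described under step 2, can be scripted. The following is an added example, not FotoWare's code; it assumes placeholder values (the service name adfs.example.org, the transfer path C:\transfer\adfs.pfx) that you must replace with your own. The first part runs on the domain-joined machine where the certificate was enrolled; the rest runs in an elevated session on the proxy server in the DMZ.

```powershell
# Added example: scripted equivalent of the Web Application Proxy steps.
# Placeholders (assumed, not from the page): service name adfs.example.org,
# PFX transfer path C:\transfer\adfs.pfx.

# --- On the domain-joined machine where the certificate was enrolled ---
# Export the certificate with its private key (the key must have been
# enrolled as exportable). The PFX password is prompted, never hard-coded.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$source = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=adfs.example.org' -and $_.HasPrivateKey } |
    Select-Object -First 1
Export-PfxCertificate -Cert $source -FilePath 'C:\transfer\adfs.pfx' -Password $pfxPassword
# Copy C:\transfer\adfs.pfx to the proxy server, then delete the local copy
# (and, as the text suggests, the original private key if no longer needed).

# --- On the proxy server in the DMZ (elevated session) ---
# 1. Install the Web Application Proxy role service under Remote Access.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Import the certificate. Omitting -Exportable keeps the private key
#    non-exportable on the proxy, matching the recommendation above.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\transfer\adfs.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
Remove-Item 'C:\transfer\adfs.pfx'   # do not leave the PFX on disk

# The subject must match the federation service name, or the proxy cannot
# front the AD FS server under that name.
if ($cert.Subject -notmatch 'CN=adfs\.example\.org') {
    throw "Certificate subject '$($cert.Subject)' does not match the ADFS service name"
}

# 3. Configure the proxy. The credential is an administrator on the AD FS
#    server, entered interactively.
$adfsAdmin = Get-Credential -Message 'AD FS administrator'
Install-WebApplicationProxy -FederationServiceName 'adfs.example.org' `
    -FederationServiceTrustCredential $adfsAdmin `
    -CertificateThumbprint $cert.Thumbprint

# 4. Verify: the proxy should now report the federation service it fronts.
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ADFSSignOutURL
```

Because the proxy is the only component that should be reachable from the internet, a certificate signed by a public CA (as the warning above recommends) belongs on the proxy; the domain-CA export and import shown here is the fallback the text describes, and it should be expected to fail trust checks on machines outside the domain.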