Peter van der Woude

How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 2: Install and configure AD FS


In the first part of this blog series I went through the introduction and the prerequisites. This second part of the blog series is all about installing and configuring Active Directory Federation Services (AD FS) and the AD FS proxy, which is the Web Application Proxy (WAP) in Server 2012 R2. AD FS will be used to federate with Microsoft Azure AD so that the users are authenticated on-premises.

Install Active Directory Federation Services
The first thing that’s required is to install AD FS. This installation will be done through PowerShell on the CLDSRV01.

  • To install AD FS use the following PowerShell command.
    • Install-WindowsFeature Adfs-Federation -IncludeManagementTools
  • To verify the success of the PowerShell action, simply look at the output of the action.
    • [Screenshot: SSO_ADFS_Install.jpg]

Configure the federation server
After installing AD FS it’s required to configure the federation server. This configuration will be done through PowerShell on the CLDSRV01. The first steps gather the input required for the configuration command.

  • Get the thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide an overview of the thumbprints of the certificates in the local machine store. Simply look for the one that belongs to the mentioned certificate.
    • dir Cert:\LocalMachine\My
  • To provide the credentials of the service account for AD FS run the following command and provide the credentials.
    • $ADFSCred = Get-Credential
    • [Screenshot: SSO_ADFS_Cred.jpg]
  • To configure AD FS run the following command. In this command CertificateThumbprint is the thumbprint of the required certificate (first step) and ServiceAccountCredential is the supplied credentials (second step).
    • Install-AdfsFarm -CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl" -ServiceAccountCredential $ADFSCred
  • To verify the success of the PowerShell action, simply look at the output of the action.
    • [Screenshot: SSO_ADFS_Config.jpg]

Install Web Application Proxy
The next component that needs to be installed is WAP. This installation will be done through PowerShell on the CLDSRV00. One important thing to note here is that this server should be able to resolve the public federation service name to CLDSRV01.PTCLOUD.LOCAL. This can be solved either by adding an entry to the hosts file or by adding the information to DNS.

  • To install WAP use the following PowerShell command.
    • Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
  • To verify the success of the PowerShell action, simply look at the output of the action.
    • [Screenshot: SSO_WAP_Install.jpg]

Configure Web Application Proxy
After the installation of WAP it’s required to configure it to connect to the AD FS server. This will be done through PowerShell on the CLDSRV00.

  • Get the thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide an overview of the thumbprints of the certificates in the local machine store. Simply look for the one that belongs to the mentioned certificate.
    • dir Cert:\LocalMachine\My
  • To perform the configuration of WAP run the following command, in which CertificateThumbprint is the thumbprint of the required certificate (previous step) and FederationServiceName is the name of the configured federation service. Also, this command will ask for credentials with enough permissions to configure the federation service.
    • Install-WebApplicationProxy -CertificateThumbprint "6532759C67678B50811739261B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl"
    • [Screenshot: SSO_WAP_Cred.jpg]
  • To verify the success of the PowerShell action, simply look at the output of the action.
    • [Screenshot: SSO_WAP_Config.jpg]
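Both the federation server and the WAP configuration above ask you to read the right thumbprint off the output of dir Cert:\LocalMachine\My. As an added example that is not part of the original post, the following function selects the certificate by the federation service name instead, and refuses to continue when no usable certificate (valid, with a private key) is present; it assumes the certificate from the prerequisites lives in Cert:\LocalMachine\My on the server you run it on.

```powershell
# Added example (not from the original post): select the federation service
# certificate by name instead of reading thumbprints off the screen.
# Assumes the certificate from the prerequisites is in Cert:\LocalMachine\My.
function Test-CertificateDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$DnsName)
    # Match on the Subject CN ...
    if ($Certificate.Subject -match "CN=$([regex]::Escape($DnsName))(,|$)") { return $true }
    # ... or on a DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    foreach ($entry in ($san.Format($false) -split ', ')) {
        $name = ($entry -split '=', 2)[-1]
        if ($name -eq $DnsName) { return $true }
        # Wildcard certificate: *.example.com covers exactly one label.
        if ($name.StartsWith('*.') -and ($DnsName -split '\.', 2)[1] -eq $name.Substring(2)) { return $true }
    }
    return $false
}

function Get-FederationServiceCertificate {
    param([Parameter(Mandatory)][string]$FederationServiceName)
    $now = Get-Date
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and                       # AD FS and WAP must be able to use the key
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-CertificateDnsName -Certificate $_ -DnsName $FederationServiceName)
    })
    if ($candidates.Count -eq 0) {
        throw "No valid certificate with a private key found for $FederationServiceName"
    }
    if ($candidates.Count -gt 1) {
        Write-Warning "Found $($candidates.Count) matching certificates; using the one that expires last"
    }
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-FederationServiceCertificate -FederationServiceName 'sts.petervanderwoude.nl'
"Thumbprint {0} expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter
# On CLDSRV01 the selected thumbprint replaces the hard-coded value from the post:
# Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint -FederationServiceName 'sts.petervanderwoude.nl' -ServiceAccountCredential $ADFSCred
# On CLDSRV00 the same selection feeds the WAP configuration:
# Install-WebApplicationProxy -CertificateThumbprint $cert.Thumbprint -FederationServiceName 'sts.petervanderwoude.nl'
```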

Verify the AD FS Sign-In page
After installing and configuring AD FS and WAP it’s very important to know for sure that it’s working. This testing can be done on any device connected to the Internet.

  • Open Internet Explorer and browse to https://sts.petervanderwoude.nl/adfs/ls/idpinitiatedsignon.htm
  • Click Sign in, provide the required credentials and click Sign in again. This should change the displayed text to You are signed in.
    • [Screenshot: SSO_ADFS_WAP_Config.jpg]
    • Note: Replace the public domain name with the personal (or company’s) own public domain name.

Create a trust between AD FS and Azure AD
The next thing that’s required is to configure the federation with the Microsoft Online Services. To do this it’s required to add the public domain name to the Microsoft Online Services as a federated domain. This will allow us to use the public domain name for the various Microsoft Online Services. This configuration will be done through PowerShell on the CLDSRV02.

  • First connect to the Microsoft Online Services by using the following commands, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription.
    • $cred = Get-Credential
    • Connect-MsolService -Credential $cred
    • [Screenshot: SSO_Intune_Cred.jpg]
  • After that it’s required to also connect with the on-premises AD FS by using the following command.
    • Set-MsolADFSContext -Computer cldsrv01.ptcloud.local
  • Now it’s possible to add a new federated domain, by using the following command.
    • New-MsolFederatedDomain -DomainName petervanderwoude.nl
  • A message will show that it’s required to verify the specified domain name, by adding a TXT record at the domain registrar.
    • [Screenshot: SSO_Intune_DNS.jpg]
  • Log on to the domain registrar and specify the information about the TXT record.
    • [Screenshot: SSO_Intune_DNS_Record.jpg]
  • After specifying the TXT record it’s required to run the previous command again, this time to verify the domain name.
    • New-MsolFederatedDomain -DomainName petervanderwoude.nl
  • To verify the success of the PowerShell action, simply look at the output of the action.
    • [Screenshot: SSO_Intune_Success.jpg]
  • Another place to verify a successful configuration is to simply log on to the Account portal and verify the Single sign-on setting by navigating to Management > Users. It should display the following information.
    • [Screenshot: SSO_Intune_Success_Online.jpg]

Verify the Single Sign-On configuration
After creating the trust between AD FS and Azure AD it’s very important to know for sure that the single sign-on is working end to end.

  • Open Internet Explorer and browse to https://portal.manage.microsoft.com/
  • Click Use another account, provide the required credentials and click Sign in. After specifying the public UPN of the user the page will redirect to the on-premises AD FS.
    • [Screenshot: SSO_Verify.jpg]
    • Note: Replace the public domain name with the personal (or company’s) own public domain name.
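The two manual checks above (the IdP-initiated sign-on page and the redirect from the Intune portal) can be complemented with a scripted check that confirms the federation service is published through WAP and that the tenant really sends users to this AD FS and not to a stale or foreign STS. This is an added example, not part of the original post; it assumes Windows PowerShell with the MSOnline module, run on CLDSRV02 after Connect-MsolService, and uses the standard AD FS federation metadata endpoint.

```powershell
# Added example (not part of the original post): verify the published federation
# service and the tenant's federation settings for the domain.
# Assumes Windows PowerShell, the MSOnline module and an existing Connect-MsolService session.
function Test-FederatedDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$FederationServiceName
    )
    $result = [ordered]@{}

    # 1. The federation metadata must be reachable through WAP and name this federation service.
    $metadataUri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $metadata = [xml](Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
    $entityId = $metadata.EntityDescriptor.entityID
    $result.MetadataEntityId = $entityId
    $result.MetadataOk = $entityId -like "*$FederationServiceName*"

    # 2. The IdP-initiated sign-on page used in the manual test must answer.
    $signOnUri = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.htm"
    $result.SignOnPageOk = (Invoke-WebRequest -Uri $signOnUri -UseBasicParsing).StatusCode -eq 200

    # 3. The tenant must see the domain as verified and federated ...
    $domain = Get-MsolDomain -DomainName $DomainName
    $result.DomainStatus = $domain.Status
    $result.DomainAuthentication = $domain.Authentication
    $result.DomainOk = ($domain.Status -eq 'Verified') -and ($domain.Authentication -eq 'Federated')

    # 4. ... and its federation settings must point at this AD FS: the passive
    #    sign-on URL lives under the federation service name and the issuer
    #    matches the entityID the service publishes in its metadata.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $result.PassiveLogOnUri = $fed.PassiveLogOnUri
    $result.IssuerUri = $fed.IssuerUri
    $result.FederationOk = ($fed.PassiveLogOnUri -like "https://$FederationServiceName/*") -and
                           ($fed.IssuerUri -eq $entityId)

    $result.AllOk = $result.MetadataOk -and $result.SignOnPageOk -and $result.DomainOk -and $result.FederationOk
    [pscustomobject]$result
}

Test-FederatedDomain -DomainName 'petervanderwoude.nl' -FederationServiceName 'sts.petervanderwoude.nl' | Format-List
```

A mismatch in step 4 (for example a PassiveLogOnUri that points at a different host) means Azure AD will redirect users elsewhere even though the sign-on page test in step 2 passes.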
