  • Rohit Anand

ADFS 2.0 to 4.0


I was recently working with a customer on an AD FS upgrade from 2.0 to 4.0. This blog post walks through building a parallel AD FS 4.0 infrastructure and migrating your existing configuration from AD FS 2.0 to 4.0. I suggest keeping the same AD FS namespace (federation service name and identifier) during the migration, so that relying parties and clients do not need to be reconfigured.

Current Deployment:

The current deployment consists of two servers: an AD FS proxy server in the DMZ and an AD FS server on Windows Server 2008 R2 using the Windows Internal Database (WID).

Refer to the Microsoft articles below to understand how AD FS 2.0 federation servers and federation server proxies are migrated.

ADFS 2.0

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/prepare-to-migrate-a-stand-alone-ad-fs-federation-server

ADFS Proxy

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/prepare-to-migrate-ad-fs-fed-proxy

Prerequisites:

Refer to the article below for the AD FS 4.0 (Windows Server 2016) requirements.

https://docs.microsoft.com/en-in/windows-server/identity/ad-fs/overview/ad-fs-requirements

Let's start with the deployment.

1. ADFS 4.0 Preparation Work

1.1 Note down ADFS 2.0 Server Properties:

a.) Log in to the AD FS 2.0 server.

b.) Open the AD FS 2.0 Management console.

c.) Right-click the root "AD FS 2.0" node in the console tree and click "Edit Federation Service Properties".

d.) Note down the details below (the 4.0 configuration wizard will ask for the same values, and the identifier must stay the same for existing relying parties to keep working; the http:// scheme in the identifier is the AD FS default and is not a mistake):

d.1) Federation Service Display Name: adfs01.turtledesk.in

d.2) Federation Service Name: adfs01.turtledesk.in

d.3) Federation Service Identifier: http://adfs01.turtledesk.in/adfs/services/trust

1.2 Export Service Communication Certificate:

a.) Log in to the AD FS 2.0 server.

b.) In the AD FS 2.0 Management console, click Certificates, right-click the Service communications certificate and select View Certificate.

c.) On the certificate properties page, go to the Details tab and click "Copy to File".

d.) This opens the Certificate Export Wizard; click Next.

e.) Select "Yes, export the private key" and click Next.

f. ) Tick "Include all certificates in the certification path if possible" and "Export all extended properties", then click Next.

g.) Enter and confirm a password and click Next. This password will be needed whenever the certificate is imported on another server; choose a strong one, since the file contains the private key for your federation service name.

h.) Click Browse and choose a location to save the .pfx file to. Type a name such as "ServiceCommunicationCertADFS2.0" and click Save.

i. ) Review the details and click Finish. The .pfx file containing the certificate chain and the private key is now saved to the location you specified.

1.3 Export ADFS Configuration to Files

a.) Log in to the AD FS 2.0 server.

b.) Mount the Windows Server 2016 install media and open PowerShell with "Run as Administrator".

c.) Navigate to the \support\adfs\ folder on the media.

d.) Create a folder to export your AD FS configuration to, e.g. c:\adfs_backup.

e.) Run the command below to export a copy of your AD FS 2.0 configuration.

.\export-federationconfiguration.ps1 -path c:\adfs_backup

f. ) Dismount the Windows Server 2016 install media.

g.) Copy the C:\adfs_backup folder and the certificate you exported above to the new AD FS 4.0 server. Both contain sensitive material (the trust configuration and claim rules, and the private key of the service communication certificate): copy them over an authenticated channel, restrict the folder to administrators, and delete the copies once the import has been verified.
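The three preparation steps above (1.1 to 1.3) can be done in one elevated PowerShell session on the AD FS 2.0 server. The script below is an added example and is not part of the original post; it assumes the Server 2016 media is mounted as D:, the backup folder is C:\adfs_backup, and the service communication certificate was installed with an exportable private key. The file names adfs20-properties.txt and adfs20-certificates.txt are my own choice.

```powershell
# Added example: capture AD FS 2.0 properties, export the service communication
# certificate as a PFX and run export-federationconfiguration.ps1 from the
# Windows Server 2016 media. Run as Administrator on the AD FS 2.0 server.
# Assumptions: media mounted as D:, backup folder C:\adfs_backup, key exportable.

# AD FS 2.0 ships its cmdlets as a snap-in, not a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$backup = 'C:\adfs_backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1.1: record the values the AD FS 4.0 wizard will ask for, so they can be
# compared against the new farm after the import.
$props = Get-ADFSProperties
$summary = @"
DisplayName = $($props.DisplayName)
HostName    = $($props.HostName)
Identifier  = $($props.Identifier)
"@
$summary | Set-Content -Path (Join-Path $backup 'adfs20-properties.txt')

# 1.2: find the service communication certificate through AD FS itself rather
# than guessing in the store, then export it together with its private key.
$svc  = Get-ADFSCertificate -CertificateType 'Service-Communications' | Select-Object -First 1
$cert = Get-Item "Cert:\LocalMachine\My\$($svc.Thumbprint)"
"ServiceCommThumbprint = $($cert.Thumbprint)" |
    Add-Content -Path (Join-Path $backup 'adfs20-properties.txt')

# Export-PfxCertificate does not exist on Windows Server 2008 R2, so use the
# .NET X509Certificate2 API, which accepts a SecureString password.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxBytes = $cert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[System.IO.File]::WriteAllBytes(
    (Join-Path $backup 'ServiceCommunicationCertADFS2.0.pfx'), $pfxBytes)

# Also record the token-signing and token-decrypting thumbprints: relying
# parties trust these, and a new farm may generate different ones.
Get-ADFSCertificate | ForEach-Object {
    '{0} (primary={1}) = {2}' -f $_.CertificateType, $_.IsPrimary, $_.Thumbprint
} | Set-Content -Path (Join-Path $backup 'adfs20-certificates.txt')

# 1.3: export the federation configuration with the script from the 2016 media.
Push-Location 'D:\support\adfs'
.\export-federationconfiguration.ps1 -Path $backup
Pop-Location

# The folder now holds trust configuration and a private key. Restrict it to
# administrators before copying it anywhere, and wipe the copies after import.
icacls $backup /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
```

The thumbprints written to adfs20-certificates.txt are what you compare against on the new farm: if the primary token-signing thumbprint differs there, relying parties need the new certificate before the DNS cutover.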

2. Installation of ADFS 4.0 Server

Active Directory Federation Services (AD FS) provides access control and single sign-on (SSO) across a wide variety of applications, including Office 365, cloud-based SaaS applications, and applications on the corporate network.

  • For the IT organization, it enables you to provide sign on and access control to both modern and legacy applications, on premises and in the cloud, based on the same set of credentials and policies.

  • For the user, it provides seamless sign on using the same, familiar account credentials.

  • For the developer, it provides an easy way to authenticate users whose identities live in the organizational directory so that you can focus your efforts on your application, not authentication or identity.

2.1 Import the Service Communication Certificate:

a.) Log in to the new AD FS 4.0 server.

b.) Right-click the service communication certificate (.pfx) that you copied from the old AD FS 2.0 server and click "Install PFX".

c.) In the Certificate Import Wizard, select Local Machine and click Next.

d.) On the File to Import page, review the certificate path and click Next.

e.) Enter the password that you set when you exported the .pfx file, select "Include all extended properties" and click Next. "Mark this key as exportable" is only needed if you intend to export the key again from this server; AD FS itself only needs the service account to have read access to the private key, so leaving it unchecked limits how easily the key can be copied off the server.

f. ) Select "Automatically select the certificate store based on the type of certificate" (a certificate with a private key lands in the Personal store of the computer) and click Next.

g.) Review the details on the Completing the Certificate Import Wizard page and click Finish.

2.2 Install ADFS 4.0 Server on new server

a.) Open Server Manager and click "Add Roles and Features".

b.) The Add Roles and Features Wizard opens on the "Before you begin" page; click Next.

c.) On the Select installation type page, click Role-based or feature-based installation, and then click Next.

d.) On the Select destination server page, click "Select a server from the server pool", select your server name, and then click Next.

e.) On the Select server roles page, select Active Directory Federation Services, and then click Next.

f. ) On the Select features page, the required prerequisites (.NET Framework 4.6 Features) are already preselected; also select .NET Framework 3.5 Features and click Next.

g.) On the Active Directory Federation Services (AD FS) page, click Next.

h.) After you verify the information on the Confirm installation selections page, click Install.

i. ) The installation progress is shown; once it succeeds, click "Configure the federation service on this server".

j. ) This opens the Active Directory Federation Services Configuration Wizard.

On the Welcome page, select "Create the first federation server in a federation server farm" and click Next.

k.) On the "Connect to AD DS" page, provide domain administrator credentials and click Next.

l. ) On the "Specify Service Properties" page, select the SSL certificate from the drop-down, provide the "Federation Service Name" and "Federation Service Display Name" and click Next.

  • SSL Certificate: select the service communication certificate you imported in 2.1.

  • Federation Service Name: adfs01.turtledesk.in (as we are keeping the same namespace, use the values you noted in 1.1).

  • Federation Service Display Name: adfs01.turtledesk.in

m.) On the "Specify Service Account" page, select "Use an existing domain user account or group Managed Service Account", provide the service account credentials (a gMSA is preferable, since its password is managed by Active Directory rather than by an administrator) and click Next.

n.) On the "Specify Configuration Database" page, select "Create a database on this server using Windows Internal Database" and click Next. This matches the existing 2.0 deployment.

o.) On the "Review Options" page, review your selections and click Next.

p.) Once all prerequisite checks have passed, click Configure.

q.) The configuration progress is shown; once it succeeds, close the wizard and restart the AD FS server.

2.3 Import the ADFS Configuration files

a.) Mount the Windows Server 2016 install media and open PowerShell with "Run as Administrator".

b.) Navigate to the \support\adfs\ folder on the media.

c.) Run the command below to import the AD FS 2.0 configuration that you copied from the old AD FS server. Run it on the new primary federation server, and read its output for any relying party trusts or claim rules it could not import before moving on.

.\import-federationconfiguration.ps1 -path c:\adfs_backup

d.) Dismount the Windows Server 2016 install media.

2.4 Verify the ADFS 4.0 Services

a.) Log in to a client machine on the local area network (LAN).

b.) Open CMD (Run as administrator).

c.) Navigate to C:\Windows\System32\Drivers\etc

d.) Run notepad hosts to open the hosts file.

e.) Add a hosts entry mapping "adfs01.turtledesk.in" (the namespace you used) to the IP address of the new AD FS 4.0 server. This lets you test the new farm while DNS still points at the old one.

f. ) Save the hosts file; you can then browse to the URL below and should see the new AD FS 4.0 sign-in page.

https://adfs01.turtledesk.in/adfs/ls/IdpInitiatedSignon.aspx

Note: if the AD FS 4.0 sign-in page does not appear, check the AD FS property below. The IdP-initiated sign-on page is disabled by default in AD FS 4.0.

  • Open Windows PowerShell (Run as Admin)

  • Execute the command below

  • Get-ADFSProperties | Select-Object EnableIdpInitiatedSignonPage

  • If it is set to false, run the command below to enable it

  • Set-ADFSProperties -EnableIdpInitiatedSignonPage $true

  • Once verification is done, consider setting it back to $false: the page is disabled by default to reduce attack surface, and when enabled it offers a drop-down of SAML relying parties to anyone who can reach the federation service.

Reference URL:

https://docs.microsoft.com/hi-in/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-initiatedsignon
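The checks in 2.3 and 2.4 can be scripted from an elevated PowerShell session on the new AD FS 4.0 server, which also avoids enabling the IdP-initiated sign-on page just for a smoke test. The script below is an added example and is not from the original post. The expected host name, display name and identifier are the values from section 1.1; the two thumbprints are placeholders you fill in from the 2.0 server (certutil -store My, or the Certificates node in AD FS 2.0 Management), and the LAN address 10.0.0.20 of the new server is an assumption.

```powershell
# Added example: verify the imported AD FS 4.0 configuration against the values
# noted on the 2.0 server, then fetch the federation metadata through a
# temporary hosts entry. Run as Administrator on the new AD FS 4.0 server.
# Assumptions: service name adfs01.turtledesk.in, new server IP 10.0.0.20,
# thumbprints below are placeholders to be replaced with the real values.

$fsName = 'adfs01.turtledesk.in'
$newIp  = '10.0.0.20'
$expected = @{
    HostName               = 'adfs01.turtledesk.in'
    DisplayName            = 'adfs01.turtledesk.in'
    Identifier             = 'http://adfs01.turtledesk.in/adfs/services/trust'
    ServiceCommThumbprint  = 'PASTE-SERVICE-COMM-THUMBPRINT-FROM-2.0'           # placeholder
    TokenSigningThumbprint = 'PASTE-PRIMARY-TOKEN-SIGNING-THUMBPRINT-FROM-2.0'  # placeholder
}

$props = Get-AdfsProperties
$svc   = Get-AdfsCertificate -CertificateType Service-Communications | Select-Object -First 1
$sign  = Get-AdfsCertificate -CertificateType Token-Signing |
         Where-Object { $_.IsPrimary } | Select-Object -First 1

$actual = @{
    HostName               = $props.HostName
    DisplayName            = $props.DisplayName
    Identifier             = $props.Identifier.ToString()
    ServiceCommThumbprint  = $svc.Thumbprint
    TokenSigningThumbprint = $sign.Thumbprint
}

foreach ($key in ($expected.Keys | Sort-Object)) {
    $ok = ($expected[$key] -eq $actual[$key])
    '{0,-23} {1}  expected={2}  actual={3}' -f $key,
        $(if ($ok) { 'OK  ' } else { 'FAIL' }), $expected[$key], $actual[$key]
}

# A changed token-signing certificate is not a configuration error (a new farm
# generates its own self-signed certificates), but relying parties validate
# token signatures against the certificate they were given, so they need the
# new one (or refreshed federation metadata) before the DNS cutover.
if ($expected.TokenSigningThumbprint -ne $actual.TokenSigningThumbprint) {
    Write-Warning 'Primary token-signing certificate differs from the 2.0 farm: update relying parties before cutover.'
}

# The import should have recreated the trusts; an empty list means it failed.
'Relying party trusts  : {0}' -f @(Get-AdfsRelyingPartyTrust).Count
'Claims provider trusts: {0}' -f @(Get-AdfsClaimsProviderTrust).Count

# Resolve the service name to this server for the test only and fetch the
# federation metadata. Unlike the IdpInitiatedSignon page this endpoint is
# always on, so EnableIdpInitiatedSignonPage can stay at its default of $false.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$entry = "$newIp`t$fsName"
Add-Content -Path $hostsFile -Value $entry
try {
    $resp = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
    [xml]$md = $resp.Content
    'Metadata entityID     : {0}' -f $md.EntityDescriptor.entityID
    if ($md.EntityDescriptor.entityID -ne $actual.Identifier) {
        Write-Warning 'entityID in the published metadata does not match the configured identifier'
    }
}
finally {
    # Remove the temporary hosts entry so name resolution goes back to DNS.
    (Get-Content $hostsFile) | Where-Object { $_ -ne $entry } | Set-Content -Path $hostsFile
}

# Only if the browser test in 2.4 is wanted: enable the page for the test and
# switch it off again afterwards (it is off by default in AD FS 4.0 to reduce
# attack surface, and when on it lists SAML relying parties in a drop-down).
# Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
# ... browse to https://adfs01.turtledesk.in/adfs/ls/IdpInitiatedSignon.aspx ...
# Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
```

A FAIL on HostName or Identifier means the wizard values in 2.2 did not match 1.1 and relying parties will reject tokens from the new farm; a FAIL on ServiceCommThumbprint means the wizard picked a different certificate than the one you imported.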

3.Installation of ADFS Web Application Proxy (WAP) Server

The Web Application Proxy (WAP) is a role service of the Remote Access server role in Windows Server 2016. One of its primary roles is to pre-authenticate access to web applications using Active Directory Federation Services (AD FS); in this capacity the WAP functions as an AD FS proxy.

In general, WAP provides reverse proxy functionality for web applications in the corporate network which allows users on most devices to access internal web applications from external networks.

3.1 Import the Service Communication Certificate

a.) Log in to the new AD FS WAP server.

b.) Copy the service communication certificate (.pfx) that you exported from the AD FS 2.0 server to this server (see section 1.2 of this post).

c.) Repeat all the steps in 2.1 to import it into the Local Machine store.

3.2 Installation and Configuration of ADFS WAP

a.) Log in to the new AD FS WAP server, i.e. cloudprox02.

b.) Before installing WAP, add a hosts entry on this server. It sits in the DMZ and cannot use internal DNS, and the federation service name must resolve to the new internal AD FS 4.0 server (not to the WAP's own address or to the old 2.0 proxy), otherwise the proxy trust cannot be established.

  • Run CMD (as administrator)

  • Navigate to C:\Windows\System32\Drivers\etc

  • Execute Notepad hosts

  • Add an entry of the form "<internal IP of the new AD FS 4.0 server> adfs01.turtledesk.in" and save the file

c.) Go to Server Manager and click on “Add roles and features”

d.) On the “Before you begin” page, Click on Next

e.) On the “Select Installation Type” wizard page, Select “Role-based or feature-based installation” and then click Next.

f. ) On the “Select Destination Server” wizard page, click on “Select a Server from the server pool” and click on Next.

g.) On the “Select Server Roles” wizard page, Select “Remote Access” roles and click on Next.

h.) On the “Select Features” wizard page, Select “.Net Framework 3.5 Features” and click on Next.

i. ) On the "Remote Access" wizard page, click Next.

j. ) On the "Role Services" page, select "Web Application Proxy"; a pop-up offers to add the features WAP requires. Tick "Include management tools (if applicable)", click "Add Features" and then click Next.

k.) On the "Confirm installation selections" page, click Install.

l. ) Once the installation succeeds, click "Open the Web Application Proxy Wizard".

m.) The WAP wizard opens on the Welcome page; click Next.

n. ) On the "Federation Server" page, provide the federation service name, i.e. adfs01.turtledesk.in, and the username and password of an account that is a local administrator on the AD FS server (not on the WAP). These credentials are used once to establish the proxy trust with the federation server.

o.) On the "AD FS Proxy Certificate" page, select the service communication certificate you imported in 3.1 from the drop-down and click Next.

p.) On the "Confirmation" page, validate all the settings for the Web Application Proxy and click Configure.

q.) Once the configuration succeeds, the result "Web Application Proxy was configured successfully" is shown.

3.3 Publish New Application through Web Application Proxy

a.) Open the Remote Access Management Console and click Publish in the right-hand Tasks pane.

b.) This opens the "Publish New Application" wizard. On the Welcome page, click Next.

c.) On the Preauthentication page, select Pass-through and click Next. Pass-through is the right choice here because the backend being published is AD FS itself, which performs the authentication; AD FS pre-authentication in front of the AD FS endpoints would be circular.

d.) On the "Publishing Settings" page, provide the name, external URL, external certificate and backend server URL, tick "Enable HTTP to HTTPS redirection", and click Next.

  • Name : ADFS WAP

  • External URL: https://adfs01.turtledesk.in

  • Backend Server URL: https://adfs01.turtledesk.in

  • External certificate: the service communication certificate imported in 3.1

e.) Validate all the details on the Confirmation page and click Publish.

f. ) Once published, the result "Web Application ADFS WAP published successfully" is shown.
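Sections 3.2 and 3.3 can also be done from an elevated PowerShell session on the WAP server, which makes the choices (hosts entry, certificate, pass-through publishing) explicit and repeatable. The script below is an added example, not the original post's code; it assumes the WAP host is cloudprox02 in the DMZ, the internal AD FS 4.0 server answers at 10.0.0.20 (assumed address), the service communication PFX has already been imported into LocalMachine\My, and the certificate's subject is the federation service name (a wildcard certificate needs a different filter).

```powershell
# Added example: install and configure WAP as the AD FS proxy and publish the
# federation service as a pass-through application. Run as Administrator on
# the WAP server (cloudprox02). Assumptions: AD FS 4.0 at 10.0.0.20, service
# name adfs01.turtledesk.in, PFX already imported, subject CN = service name.

$fsName = 'adfs01.turtledesk.in'
$adfsIp = '10.0.0.20'

# The DMZ host cannot use internal DNS, so pin the federation service name to
# the internal AD FS server. Without this the WAP would resolve the public name
# to itself (or to the old 2.0 proxy) and the proxy trust would never be built.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern "\s$([regex]::Escape($fsName))\s*$" -Quiet)) {
    Add-Content -Path $hostsFile -Value "$adfsIp`t$fsName"
}

# Role install. WAP itself does not need .NET Framework 3.5, so it is left out.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Select the certificate by subject and require a private key; fail loudly
# rather than letting the wizard silently pick the wrong one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }

# Credentials of a local administrator on the AD FS server (not on the WAP):
# they are used once to establish the proxy trust.
$trustCred = Get-Credential -Message "Local administrator on the AD FS server $fsName"

Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential $trustCred

# Section 3.3: publish the federation service itself as pass-through with
# HTTP-to-HTTPS redirection, matching the wizard settings in the post.
Add-WebApplicationProxyApplication -Name 'ADFS WAP' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$fsName/" `
    -BackendServerUrl "https://$fsName/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -EnableHTTPRedirect $true

# Verify the proxy trust, the published application and the two services
# (adfssrv runs in proxy mode on a WAP host, appproxysvc is the proxy itself).
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
Get-Service adfssrv, appproxysvc | Format-Table Name, Status
```

If Install-WebApplicationProxy fails with a trust error, the usual causes are the hosts entry pointing at the wrong address, port 443 from the DMZ to the AD FS server being blocked, or the credential not being a local administrator on the AD FS server.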

3.4 Verification of ADFS WAP Service

a.) Log in to a client machine on an external network.

b.) Open CMD (Run as administrator).

c.) Navigate to C:\Windows\System32\Drivers\etc

d.) Run notepad hosts to open the hosts file.

e.) Add a new hosts entry for "adfs01.turtledesk.in" pointing at the public IP of the WAP server, in the form:

"<public IP of the AD FS WAP server>" adfs01.turtledesk.in

f. ) Save the hosts file; you can then browse to the URL below and should see the new sign-in page, this time served through the WAP.

https://adfs01.turtledesk.in/adfs/ls/IdpInitiatedSignon.aspx

Once you have verified all your existing services through both the internal and the external path, you can do the DNS cutover: point the internal DNS record for adfs01.turtledesk.in at the new AD FS 4.0 server and the external record at the new WAP. Keep the old 2.0 servers reachable until real relying parties have been exercised against the new farm, and if the token-signing certificate changed during the migration, make sure every relying party (including any cloud service federated with this namespace) has the new certificate before cutover. Remove the temporary hosts entries on the test clients afterwards.

