Installing Enterprise CA for AD FS

Welcome to the ITFreeTraining video on installing an Enterprise CA on Windows Server 2012 R2 for use with Active Directory Federation Services. In this video, I will install an enterprise CA and configure it to start issuing certificates. In particular, I will configure a template on the enterprise CA for use with Active Directory Federation Services. Once the template has been created, certificate auto-enrollment can be used to issue a certificate to the Active Directory Federation Services server.

In this case, I have used a simple CA setup. It does not have any redundancy and is not as secure as it could be. This video is only designed to get you going with the basics of Active Directory Federation Services, or to set up a template on an existing Enterprise CA. If you are using a standalone CA, I will look at how to create a certificate using a standalone CA in the video on configuring AD FS for HighCostTraining. If you are planning to use Active Directory Federation Services on your network, you should consider learning more about certificates. Once you start using certificates, it is difficult to change later on if you decide to go in a different direction, so it is worth taking the time to do your research first.

I will now change to my Windows Server 2012 R2 and look at how to install an Enterprise CA and configure it for Active Directory Federation Services. First of all, I need to install the Certification Authority role, so I will open Server Manager and select the option “Add roles and features” from the dashboard. Since I am installing the role on the local server, I will accept all the defaults in the install wizard until I get to the “Select server roles” screen. On this screen, I will select the role “Active Directory Certificate Services”. Once selected, I will be prompted to also add additional features for certificate management. Once I press “Add features” to add these, I will move on to the “Select features” screen.

I do not require any additional features, so I will press next. The next part of the wizard is the welcome screen for the certificate services component install. Once I press next, I need to select which components of certificate services I require. Since I only want basic certificate services, I will leave it on the default option of “Certification Authority”. This component is enough to use the auto-enrollment system in Active Directory to issue certificates to Active Directory Federation Services. Once I press next, I will be taken to the install screen, where I can press install to start the installation. The install does take a minute or two to complete, so I have sped up the process.

Once the install is complete, Certificate Services still needs to be configured. To do this, I need to select the exclamation mark at the top and then select the option “Configure Active Directory Certificate Services on the destination server”. This will launch the Certificate Services post-configuration wizard. On the welcome screen, it will ask what credentials you want to use to perform the install. I am logged in as a domain administrator, so I will leave this as is and move on to the next screen. On the next screen, I need to select which components I want to configure. This is easy because the only component that I installed was the “Certification Authority” component. Once I select this and move on to the next screen, I need to select whether I want to install an Enterprise or standalone CA. In this case I will accept the default option of Enterprise CA. If this option is grayed out, make sure that the server is a member of the domain.

On the next screen, I need to select whether I want to install a subordinate or root CA. To make things simple, I will select a root CA. Personally, I would not use an enterprise CA for a root CA, but to make things simple I will use it in this case. In the certificate course, I discussed this in a lot more detail. On the next screen, I need to decide whether I want to create a new private key or use an existing one. In this case this is a new CA and thus I don’t have a previous private key that I can use, so I will accept the default option of “Create a new private key” and move on. On the next screens, I will accept all the defaults for cryptographic options, name of the CA, validity period and database location. Now that all the settings have been set, all I need to do is press configure to configure the CA. This process may take a minute or two, but I have sped it up for us.

Once the wizard has completed, I can exit out of here and run “Certification Authority” from the Tools menu. The CA has been installed, but now I need to configure a certificate template that will be used to create a certificate for Active Directory Federation Services. To do this, I will expand down until I get to “Certificate Templates”. This will show all the currently configured certificate templates. To create a new template, I will right-click “Certificate Templates” and select the option “Manage”. You will notice that there are more templates listed here than were on the previous screen. Before a template will appear on the previous screen, and thus be available, it must be enabled. If you want to create a new template, it is best to find one that is simpler, duplicate it and then make changes to it. In this particular case, I will select the “Web Server” template, right-click it and then select the option “Duplicate Template”.

This will display the properties of the duplicated “Web Server” template. It is just a matter of making the required changes for Active Directory Federation Services to this template. First, I will select the “General” tab and change the name of the template to “ADFS SSL Certificate”, since this is a certificate template for Active Directory Federation Services Secure Sockets Layer. Next, I will select the “Subject Name” tab. To make things simple, I will select the option “Build from this Active Directory information” rather than the default option, which asks the administrator for this information. The certificate will automatically be created using Active Directory information. Next, I need to configure which information will be used. To do this, under subject name format, select the option “Common name”, then tick “DNS name” and untick “User principal name (UPN)”. This essentially says “use the DNS name in the certificate”, which will be the fully qualified domain name of the server.

If I select the Security tab, by default the server will not have enough access to enroll or, to put it another way, to automatically obtain a certificate. To add the server, I need to press “Add”, then select the option “Object Types” and make sure that “Computers” is ticked. Otherwise, when I perform a search for the computer name of the server, it will not appear in the results. Once this is selected, I can go back to the previous screen and enter the computer name of the server that I will install Active Directory Federation Services on in a later video. Once the computer name is entered, I also need to make sure “Enroll” is enabled so the server is able to obtain a certificate.

That is all the settings configured. I can now exit out of here and go back to the “Certification Authority” tool, right-click “Certificate Templates” and select New, “Certificate Template to Issue”. This will show all the certificate templates that are available, including the one that I just created. All I need to do is select it and press OK. You will notice now that the ADFS SSL Certificate has been added to the list of certificates.

That’s it. The enterprise CA has been set up and is ready to issue a certificate to be used for Active Directory Federation Services, but that will be done in the next video. Thanks for watching this video from ITFreeTraining. I hope to see you in the next video, where I install Active Directory Federation Services. Until then, thanks and see you next time.
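The same setup driven from PowerShell, as an added example that is not ITFreeTraining's own script. It installs the Certification Authority role and configures an Enterprise root CA with a new private key (the two wizards in the video), then reads the duplicated template back from Active Directory to confirm the three changes made in the template properties (subject name built from Active Directory, DNS name in the alternate name, Enroll granted to the AD FS computer account) and publishes it with the same effect as “Certificate Template to Issue”. The CA name LAB-ROOT-CA and the computer name ADFS01 are assumptions; the template display name is the one used in the video. The template itself is still duplicated from “Web Server” in the console, since Windows Server 2012 R2 has no built-in cmdlet for creating templates.

```powershell
# Added example (not ITFreeTraining's script): the video's Server Manager and
# Certification Authority console steps, done with the built-in ServerManager,
# ADCSDeployment and ActiveDirectory modules plus certutil.exe.
# Assumptions (not from the video): CA common name 'LAB-ROOT-CA' and AD FS
# computer account 'ADFS01'. Run in an elevated PowerShell as a domain
# administrator on the domain-joined server that will become the CA, after the
# "ADFS SSL Certificate" template has been duplicated in the console.
param(
    [string]$CACommonName = 'LAB-ROOT-CA',          # assumed CA name
    [string]$TemplateName = 'ADFS SSL Certificate', # display name used in the video
    [string]$AdfsComputer = 'ADFS01'                # assumed AD FS server name
)

# Step 1: "Add roles and features" -> Active Directory Certificate Services,
# accepting the prompt to add the certificate management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 2: post-install configuration wizard: Enterprise CA, root CA, new private
# key, the wizard's default key storage provider and key length, and a five-year
# validity period. SHA-256 is set explicitly rather than relying on the wizard's
# default hash algorithm.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# Step 3: read the duplicated template from the configuration partition and
# confirm the changes made on its "Subject Name" and "Security" tabs.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $tplBase -Filter "displayName -eq '$TemplateName'" `
        -Properties cn, 'msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template '$TemplateName' not found under $tplBase" }

# Bit values of msPKI-Certificate-Name-Flag as documented in MS-CRTD.
$flags  = [int]$tpl.'msPKI-Certificate-Name-Flag'
$checks = [ordered]@{
    'Subject name format: Common name' = ($flags -band 0x40000000) -ne 0
    'Alternate name: DNS name ticked'  = ($flags -band 0x08000000) -ne 0
    'Alternate name: UPN unticked'     = ($flags -band 0x02000000) -eq 0
    'Not "Supply in the request"'      = ($flags -band 0x00000001) -eq 0
}

# Security tab: an Allow ACE for the computer account carrying the
# Certificate-Enrollment extended right, or full control, which includes it.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$computerSid = (Get-ADComputer -Identity $AdfsComputer).SID
$acl = Get-Acl -Path ("AD:\" + $tpl.DistinguishedName)
$checks["Enroll granted to $AdfsComputer`$"] = [bool]($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $computerSid -and
    ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
      ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $enrollRight ) )
})
$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# Step 4: "Certificate Template to Issue". certutil expects the template's cn,
# which the console derives from the display name with the spaces removed.
# Publish only when every check above passed, then list what the CA now issues.
if ($checks.Values -contains $false) { throw 'Fix the template settings before publishing it.' }
certutil.exe -SetCATemplates "+$($tpl.cn)"
certutil.exe -CATemplates
```

The check block is the part worth keeping around: when a server later reports that no certificate types are available to it, the template not being published, the Enroll right missing for the computer account, or the subject name still set to "Supply in the request" are the three settings this script reads back, and each is one of the places the video changes.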

15 thoughts on “Installing Enterprise CA for AD FS”

  1. Hi. Do I have to create a certificate template or is this just for the demo here and I can instead use a third party certificate?

  2. I had AD CS and AD FS on two separate servers. When I try to request a certificate I get an enrollment error "The specified server cannot perform the requested operation" – I checked the permissions, even allowed full control to the computer account and all domain admins. Disabled all firewalls – still no luck. Are there things you could suggest I could check or docs I could read regarding the configuration and prerequisites? This one has not been helpful: https://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx

  3. Did you use one server in your environment or you have multiple servers? I see that you have DC, but it looks like you are installing other Roles & Features on the DC. Is that right?

  4. Well described. Can you please advise, when you close the MMC window after creating a certificate from a template, how to open that same location? I did not save while closing. Thanks.

  5. What would you suggest for the additional steps needed to create redundancy and best security configurations on the root CA?

  6. Enterprise CA was disabled in my configuration. I searched that and it tells me that the server machine has to be a member server (domain joined). Now I don't understand how I solve this. Please help.

  7. I tried requesting the new certificate and selected Active Directory enrollment policy; after that I can't click next any further. It's showing certificates type not available, you cannot request a certificate at this time because no certificate types are available.

  8. Of all the dang videos on youtube for ADFS and SSL… THIS was the one that filled in the blanks. This needs more views.
