Just for those interested, here are the screenshots of the ADFS installation on a Windows 2012 R2 Preview installation. Before 2012 R2 it wasn’t advised to install ADFS on a domain controller as the ADFS solution relied on IIS. But with the 2012 R2 version the IIS dependency is gone and Microsoft recommends installing ADFS on domain controllers. I think this will lower the bar for a lot of companies. Also the enhanced authentication options (multi-factor) seem really promising.
Remark: in the end my system didn’t need to reboot
Remark: small sidestep here: obviously I want to use Group Managed Service Accounts!
Remark: lab only procedure: ensures Group Managed Service Accounts are available immediately
The management console with the focus on the new Authentication Policies section
A new Relying Party Trust type:
If I read the explanation correctly, this will allow you to publish non-claims-aware applications over the new Web Application Proxy role.
- The option for a stand-alone ADFS server is no more. Either you install a single node farm or you install a real farm. Makes sense to me.
- You still have the option to choose between a Windows Internal Database or a dedicated SQL Server database. This might be a hard choice. I’m not sure I’m happy to have Internal Databases running on my domain controllers. SQL Server, on the other hand, requires a cluster for proper availability, which might be quite expensive to sell to your customers.
- A named certificate forces you to take the subject of the certificate as the Federation Service Name. A wildcard certificate allows you to pick freely as long as the wildcard is respected. It seems you can have additional dots (extra labels) in the wildcard part though. I advise against this as you’ll probably face certificate validation errors in your browser. Example: *.realdolmen.com allows you to select sts.sub.realdolmen.com.
- More on Group Managed Service Accounts: vankeyenberg.be: “Why you need group managed service accounts and how to use them” and Ask PFE Platforms: “Windows Server 2012: Group Managed Service Accounts”.
- If you want to compare with the Windows 2012 ADFS installation: vankeyenberg.be: “ADFS Part 1: Install and configure ADFS on Windows 2012”.
- The Authentication Policies section in the management console seems awesome. Very clear and it seems very easy to manage.
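The wildcard remark above is worth checking before you commit to a Federation Service Name. The following is an added example (not from the original post): a small Python check that contrasts the permissive suffix rule the wizard appears to apply with the stricter one-label wildcard matching browsers use (RFC 6125), so a name like sts.sub.realdolmen.com is flagged before it breaks TLS in the browser. The `wizard_accepts` rule is an assumption inferred from the post's observation, not Microsoft's documented logic.

```python
def wizard_accepts(wildcard_subject: str, service_name: str) -> bool:
    """Assumed (permissive) rule inferred from the post: any name that ends in the
    wildcard's suffix is accepted, even if it contains additional labels."""
    subject, name = wildcard_subject.lower(), service_name.lower()
    if not subject.startswith("*."):
        return subject == name          # named certificate: exact match only
    suffix = subject[1:]                # "*.realdolmen.com" -> ".realdolmen.com"
    return name.endswith(suffix) and len(name) > len(suffix)


def browser_accepts(wildcard_subject: str, service_name: str) -> bool:
    """Strict RFC 6125 style matching used by browsers: '*' is only valid as the
    leftmost label and matches exactly one DNS label, never a dotted sub-path."""
    pattern = wildcard_subject.lower().split(".")
    labels = service_name.lower().split(".")
    if "*" in pattern[1:] or len(pattern) < 3:
        return False                    # wildcard not leftmost, or too broad (*.com)
    if len(pattern) != len(labels):
        return False                    # extra labels are not covered by '*'
    for p, n in zip(pattern, labels):
        if p == "*":
            if not n:
                return False            # empty label is never a valid match
        elif p != n:
            return False
    return True


def check_service_name(wildcard_subject: str, service_name: str) -> dict:
    """Return both verdicts plus a flag for the risky case: the wizard accepts
    the name but browsers will raise a certificate validation error."""
    wizard = wizard_accepts(wildcard_subject, service_name)
    browser = browser_accepts(wildcard_subject, service_name)
    return {"wizard": wizard, "browser": browser, "risky": wizard and not browser}


if __name__ == "__main__":
    # Constructed sample names based on the post's example certificate.
    for candidate in ("sts.realdolmen.com", "sts.sub.realdolmen.com", "realdolmen.com"):
        print(candidate, check_service_name("*.realdolmen.com", candidate))
```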