Installing ADFS on Windows Server 2025

Hi All,

For a project I had to test something with ADFS. That’s why I have set up an Active Directory Federation Server/Service (ADFS) on a Windows Server 2025.

To be clear: I don’t advocate installing ADFS. On the contrary, I still recommend using Entra ID instead of ADFS and getting rid of federated domains in M365.

Install Windows Feature

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Certificate

There are many ways to obtain a public certificate. I have documented two of them in blog articles, but there are many more…

In this article I use the Posh-ACME module to enroll Let’s Encrypt certificates, mainly because they are free 😊

Install the PowerShell Module

Find-Module Posh-ACME
Install-Module Posh-ACME

Create a new account and set the default key length

Import-Module Posh-ACME
Set-PAServer LE_PROD
New-PAAccount -Contact a.bohren@icewolf.ch -AcceptTOS -KeyLength 4096

Create a new Certificate

New-PACertificate 'adfs.serveralive.ch','certauth.adfs.serveralive.ch' -CertKeyLength 4096 -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15

Create the TXT Records in DNS

Let the module query the TXT records as proof that I am the owner of the domain.

Now let’s import the Certificate into the Windows Computer Certificate Store

#Import PFX to LocalMachine Certificate Store
$Cert = Get-PACertificate
Import-PfxCertificate -FilePath $Cert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Cert.PfxPass -Exportable

We can now check the Certificate

certlm.msc

Configure ADFS

In the Server Manager we now need to finish our ADFS configuration with a wizard.

Select “Create the first federation server in a federation server farm”

Select an Account with Active Directory “Domain Administrator” Permission

Select the Certificate and set the ADFS Display Name

Select “Create the Group Managed Service Account” and give it a name

Select “Create a database on this Server using Windows internal Database” (works for me as I will only install one ADFS server and not a farm)

Review Screen - you can view the PowerShell Code with the “View script” Button

PowerShell script to configure the ADFS deployment

# Windows PowerShell script for AD FS Deployment
Import-Module ADFS
Install-AdfsFarm `
-CertificateThumbprint:"8395ED7325C4F72B36CD82670DCCE24764232629" `
-FederationServiceDisplayName:"ADFS Serveralive" `
-FederationServiceName:"adfs.serveralive.ch" `
-GroupServiceAccountIdentifier:"HQ\gmsa_adfs`$"

All Checks passed

Warning

The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.

Learn more about that here: Configuring Device Registration
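As an added check (example code, not part of the original article), the following script compares the names the warning above is about with the SAN entries of the certificate currently bound to ADFS: the federation service name, the certauth name used for certificate authentication, and enterpriseregistration.<UPN suffix> for every UPN suffix in the forest, which is what Workplace Join needs. It assumes the ADFS and ActiveDirectory PowerShell modules are installed on the federation server and that you run it as an administrator; the function name is my own.

```powershell
# Added example, not from the original article. Checks whether the SSL certificate
# bound to ADFS covers all names the Install-AdfsFarm warning refers to.
# Assumes the ADFS and ActiveDirectory modules are present on the federation server.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsCertificateNames {
    # Certificate bound to the federation service on port 443
    $binding = Get-AdfsSslCertificate |
        Where-Object { $_.PortNumber -eq 443 } |
        Select-Object -First 1
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $binding.CertificateHash)

    # DNS names from the Subject Alternative Name extension (falls back to the CN)
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })

    $hostName = (Get-AdfsProperties).HostName.ToLower()
    $forest   = Get-ADForest

    # UPN suffixes in use: every domain DNS name plus the explicitly registered suffixes
    $suffixes = @($forest.Domains) + @($forest.UPNSuffixes) |
        ForEach-Object { $_.ToLower() } |
        Sort-Object -Unique

    # Names the certificate should carry: the service name, the certauth name for
    # certificate authentication, and enterpriseregistration.<suffix> for Workplace Join
    $required = @($hostName, "certauth.$hostName") +
        @($suffixes | ForEach-Object { "enterpriseregistration.$_" })

    foreach ($name in $required) {
        # A wildcard SAN for the parent domain also satisfies the name
        $parent = $name.Substring($name.IndexOf('.') + 1)
        [pscustomobject]@{
            RequiredName  = $name
            InCertificate = ($sans -contains $name) -or ($sans -contains "*.$parent")
        }
    }
}

Test-AdfsCertificateNames | Format-Table -AutoSize
```

Any row with InCertificate set to False is a name you have to add to the SAN list when you re-issue the certificate (for Posh-ACME, pass it in the name list given to New-PACertificate) and then re-bind with Set-AdfsSslCertificate.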

Windows Service

Let’s check the Windows service “Active Directory Federation Services” and confirm that it runs under the gMSA account.

Managed Service Account

The Managed Service Accounts can be found in Active Directory Users and Computers (dsa.msc) under “Managed Service Accounts”

DNS Record

Now you need to create a public DNS record that points to your ADFS server. This can be an A or a CNAME record.

DNS Record         Record Type   Value
adfs.domain.tld    A             IP Address
adfs.domain.tld    CNAME         Public FQDN

Testing ADFS

First, let’s enable the IdP-initiated sign-in page

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Now we can check with the browser

https://adfs.domain.tld/adfs/ls/idpinitiatedsignon.aspx

Hit the “Sign in” Button

Enter UPN and Password

Yes, I am logged in

ADFS Management

You can start the ADFS MMC with the following command

C:\Windows\ADFS\Microsoft.IdentityServer.msc

Overview

Certificates

Claims Provider Trust

Relying Party Trusts

Endpoints

PowerShell Module ADFS

Import-Module ADFS
Get-ADFSCertificate

Get-AdfsClaimsProviderTrust

Get-AdfsRelyingPartyTrust

Get-AdfsEndpoint | ft

Lockout Protection

Before putting a server into production, or even exposing it to the Internet, you should configure Extranet Lockout Protection.

Configure AD FS Extranet Lockout Protection

Show details (default configuration)

Get-AdfsProperties | fl *extranet*

Enable Extranet Lockout Protection

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC $false

# Possible modes: ADPasswordCounter, ADFSSmartLockoutLogOnly, ADFSSmartLockoutEnforce
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
Restart-Service adfssrv

Show details

Get-AdfsProperties | fl *extranet*

Summary

This Article has explained how you install a single node ADFS Server on Windows 2025 and how you can configure the most important settings. Hope this helps.

Regards
Andres Bohren
