Installing ADFS on Windows Server 2025

Hi All,
For a project I had to test something with ADFS. That's why I have set up an Active Directory Federation Server/Service (ADFS) on a Windows Server 2025.
To be clear: I don't advocate installing ADFS. On the contrary, I still recommend using Entra ID instead of ADFS and getting rid of federated domains in M365.
Install Windows Feature
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Certificate
There are many ways to get a public certificate. Two of them I have documented in blog articles, but there are many more…
In this article I use the Posh-ACME module to enroll Let's Encrypt certificates, mainly because they are free 😊
Install the PowerShell Module
Find-Module Posh-ACME
Install-Module Posh-ACME
Create a new account and set the default key length
Import-Module Posh-ACME
Set-PAServer LE_PROD
New-PAAccount -Contact a.bohren@icewolf.ch -AcceptTOS -KeyLength 4096
Create a new Certificate
New-PACertificate 'adfs.serveralive.ch','certauth.adfs.serveralive.ch' -CertKeyLength 4096 -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15
Create the TXT Records in DNS
Let the module query the TXT records as proof that I am the owner of the domain.
Now let’s import the Certificate into the Windows Computer Certificate Store
#Import PFX to LocalMachine Certificate Store
$Cert = Get-PACertificate
Import-PfxCertificate -FilePath $Cert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Cert.PfxPass -Exportable
We can now check the Certificate
certlm.msc
Configure ADFS
In the Server Manager we now need to finish our ADFS Configuration with a Wizard
Select “Create the first federation server in a federation server farm”
Select an Account with Active Directory “Domain Administrator” Permission
Select the Certificate and set the ADFS Display Name
Select “Create the Group Managed Service Account” and give it a name
Select “Create a database on this Server using Windows internal Database” (works for me, as I will only install one ADFS server and not a farm)
Review Screen - you can view the PowerShell Code with the “View script” Button
PowerShell script to configure the ADFS deployment
# Windows PowerShell script for AD FS Deployment
Import-Module ADFS
Install-AdfsFarm `
-CertificateThumbprint:"8395ED7325C4F72B36CD82670DCCE24764232629" `
-FederationServiceDisplayName:"ADFS Serveralive" `
-FederationServiceName:"adfs.serveralive.ch" `
-GroupServiceAccountIdentifier:"HQ\gmsa_adfs`$"
All Checks passed
Warning
The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices. For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.
Learn more about that here: Configuring Device Registration
Windows Service
Let's check the Windows service “Active Directory Federation Services”. It runs under the gMSA account.
Managed Service Account
The Managed Service Accounts can be found in Active Directory Users and Computers (dsa.msc) under “Managed Service Accounts”
DNS Record
Now you need to create a public DNS record that points to your ADFS server. This can be an A or a CNAME record.
| DNS Record | Record Type | Value |
|---|---|---|
| adfs.domain.tld | A | IP Address |
| adfs.domain.tld | CNAME | Public FQDN |
Testing ADFS
First let’s Enable the IdP-initiated sign-in page
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Now we can check with the browser
https://adfs.domain.tld/adfs/ls/idpinitiatedsignon.aspx
Hit the “Sign in” Button
Enter UPN and Password
Yes, I am logged in
ADFS Management
You can start the ADFS MMC with the following command
C:\Windows\ADFS\Microsoft.IdentityServer.msc
Overview
Certificates
Claims Provider Trust
Relying Party Trusts
Endpoints
PowerShell Module ADFS
Import-Module ADFS
Get-ADFSCertificate
Get-AdfsClaimsProviderTrust
Get-AdfsRelyingPartyTrust
Get-AdfsEndpoint | ft
Lockout Protection
Before putting a server into production, or even exposing it to the Internet, you should configure the Extranet Lockout Protection.
Configure AD FS Extranet Lockout Protection
Show details (default configuration)
Get-AdfsProperties | fl *extranet*
Enable Extranet Lockout Protection
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC $false
#ADPasswordCounter, ADFSSmartLockoutLogOnly, ADFSSmartLockoutEnforce
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
Restart-Service adfssrv
Show details
Get-AdfsProperties | fl *extranet*
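As an added example (not part of the original article), here is a small PowerShell check that reads the lockout-related properties with Get-AdfsProperties and reports which of the settings above are still at a weak or testing-only value, including the IdP-initiated sign-on page that was enabled earlier for testing. The threshold and observation-window limits it compares against are my own assumptions, chosen to match the values used in this article.

```powershell
# Added example: audit the ADFS extranet lockout settings and the IdP-initiated
# sign-on page. Run on the ADFS server in an elevated PowerShell session.
Import-Module ADFS

function Test-AdfsLockoutHardening {
    param(
        # Assumed limits, matching the values set in the article above
        [int]$MaxThreshold = 15,
        [int]$MinObservationMinutes = 30
    )
    $p = Get-AdfsProperties
    $findings = @()

    if (-not $p.EnableExtranetLockout) {
        $findings += "Extranet lockout is disabled (EnableExtranetLockout = False)."
    }
    # ADFSSmartLockoutLogOnly only records bad attempts, it does not block them
    if ($p.ExtranetLockoutMode -ne 'ADFSSmartLockoutEnforce') {
        $findings += "ExtranetLockoutMode is '$($p.ExtranetLockoutMode)' rather than ADFSSmartLockoutEnforce."
    }
    if ($p.ExtranetLockoutThreshold -gt $MaxThreshold) {
        $findings += "ExtranetLockoutThreshold $($p.ExtranetLockoutThreshold) is above the assumed maximum of $MaxThreshold."
    }
    # ExtranetObservationWindow is a TimeSpan
    if ($p.ExtranetObservationWindow.TotalMinutes -lt $MinObservationMinutes) {
        $findings += "ExtranetObservationWindow $($p.ExtranetObservationWindow) is shorter than $MinObservationMinutes minutes."
    }
    if ($p.EnableIdPInitiatedSignonPage) {
        $findings += "IdP-initiated sign-on page is still enabled; disable it once testing is done."
    }

    [PSCustomObject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-AdfsLockoutHardening
if ($result.Compliant) {
    Write-Host "Extranet lockout configuration matches the hardened values."
} else {
    $result.Findings | ForEach-Object { Write-Warning $_ }
}
```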
Summary
This article has explained how to install a single-node ADFS server on Windows Server 2025 and how to configure the most important settings. Hope this helps.
Regards
Andres Bohren