Advanced Customization of ADFS for Cloud Usage (Part 3 of 4)

Advanced Customization of ADFS for Cloud Usage

Written by Kevin Saye

This is part 3 of a 4 part blog about customizing Microsoft’s ADFS for advanced user scenarios. I will break down this series into the following parts:

Part 1 – Customizing the Login Page

Customizing the Login Page for advanced features. We will add icons and have automated presentation logic.

Part 2 – Using Cloud or on Premises MFA

What changes happen in the claims and how to control where MFA takes place.

Part 3 – User Certificates

Enabling enrollment and usage of user certificates for ADFS.

Part 4 – Expired Passwords

How to detect and address users with expired passwords.


Part 3 – User Certificates

Often overlooked but very effective are User Certificates. These certificates are a legitimate form of multi factor by meeting the something you have (certificates) factor.

ADFS has long supported User Certificates and Windows Server has long supported a Certificate Enrollment Website. Combining these two capabilities, we can user certificates as a single or multi factor login method.

To get started, we need to (1) allow the user to request (enroll) for a certificates and (2) allow the user the ability to authenticate with a certificate.

Allow the user to request a certificate

While it is not the purpose of this document to explain certificates services and PKI, we will assume there is an existing Certificate Services exist and that we have installed the certificate enrollment website.

Security WARNING: Most people view certificates as a highly secure capability, as it does not have an expiring password and often are long lived expiration dates. To enable a user to enroll, I strongly suggest you require multi factor, such as a Phone to verify authenticity of the user. To meet these requirements, our setup will require MFA before the user can request a certificate, which is another form of MFA. Also, our demonstration does not have a certificate approver, yet this could be a security control for your solution.

The default Certificate Enrollment Website look like this, enabling a user to request a user cert.

To securely publish the Certificate Server with Windows Server 2012 R2 Web Application Proxy and Windows Server 2012 R2 ADFS, follow these steps:

  1. Identity the Server with the Certificate Services Web Enrollment Role enabled.  My server is named:, which by default required Windows authentication.

  2. Open the AD FS Management Console on the ADFS Server

  3. Click AD FS à Trust Relationships à Relying Party Trust and select Add Non-Claims Aware Relying Party Trust

  4. Specify a Display name, like Certificate WebSite and click next

  5. Specify the Identifier as https://<servername>/certsrv.  My identifier is and click add and next

  6. Select Configure multi-factor authentication settings for this relying party trust and click next

  7. Under Locations select Extranet and click next, next and close

  8. If promoted to edit the claim rules, simply ok this dialog box

  9. If using a different host name for the Certificate Web Server, you will need to run the command “setspn” to register the unique SPN (used by Kerberos) else Web Application Proxy will not be able to find the server.

  10. Use Active Directory Users and Computers to modify the Kerberos Constrained Delegation of the Web Application Proxy to include the SPN of the Certificate Services Web Enrollment Server, as illustrated below:

  1. Open the Remote Access Management Console on the Web Application Proxy Server and select Publish

  2. Select ADFS as the Preauthentication method

  3. Select the name of the Certificate WebSite, as defined in step 4 and click next

  4. Type a name, external URL, select a cert that matches the external name, a backend url and the SPN as shown below:

  1. Click next and publish

If followed correctly and the pre requisites (including DNS) are setup, you should be able to access the External URL and once prompted for ADFS authentication and Multi-Factor authentication, you can request user certificates.

Allow the user to authenticate with a certificate

To enable users to authenticate with certificates as a single or Multi-Factor authentication, follow these steps:

  1. Open the AD FS Management Console on the ADFS Server

  2. Select AD FS à Authentication Policies and click Edit Global Primary Authentication

  3. If you want to enable Certificates as a single Factor authentication for extranet users, under Extranet click Certificate Authentication

  4. If you want to enable Certificates as a Multi-Factor authentication, click the Multi-Factor Tab and click Certificate Authentication and any other MFA method you have installed.  Also determine when MFA is required (users/groups, location and devices) as shown below: