Part 4a: Windows Server 2012 R2 AD FS - Federated Web SSO
This is Part 4a of a multi-part series on how to deploy a complete end-to-end Federated Web SSO solution using Windows Server 2012 R2's AD FS role and the Web Application Proxy. In this part I will deploy CONTOSO's SharePoint Foundation 2013 SP1 web server. Installing SharePoint requires so many steps that I split this part into two posts: 4a covers CONTOSO's SharePoint installation and 4b covers FABRIKAM's. In case you missed it:
Here is Part 1 - Overview
Here is Part 2 - Installing AD DS, AD CS, and DNS Records
Here is Part 3 - Installing SQL Database Services
The following topology highlights in yellow the two servers that will be built for parts 4a and 4b and where they fit into the overall topology. If you wish to see the full topology click here.
Windows Server AD FS 2012 R2 provides trusts between organizations however the end users need a service to connect to in order to utilize that trust. SharePoint 2013 which will be deployed in this post will ultimately be the endpoint that users in the CONTOSO and FABRIKAM forests access and present federated identities to. I recommend studying the hardware and software requirements for SharePoint 2013 prior to deployment. For simplicity purposes, SharePoint Foundation 2013 SP1 will be used as a part of this blog series.
SharePoint 2013: Hardware and Software Requirements for SharePoint 2013
SharePoint Foundation 2013 with SP1: Additional Information / Download
OPTIONAL: Create ISO of SharePoint Foundation 2013 SP1 Installation
All of the servers and clients in this blog post are virtual and the first thing I ran into was that the SharePoint Foundation 2013 SP1 server installation files were contained in an executable. So I converted them to an ISO which is easier to mount and present to virtual machines using the following steps.
- Download the SharePoint.exe executable file
- Open a PowerShell Window and navigate to the download location
- Type the following command from the PowerShell window: .\<name of file>.exe /extract
- Select a location to extract the files to then click OK.
- Obtain a copy of oscdimg.exe. Click here to read more about it.
- Type the following command from a PowerShell window: .\oscdimg -n -d -m "sourcedirectory" "targetfile"
- You should now have an ISO of the SharePoint Foundation 2013 installation media
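The extract-and-build steps above as one script. This is an added example, not from the original post; it assumes oscdimg.exe is on the PATH (or passed via -OscdimgPath), uses the /extract:<dir> form of the switch so the folder prompt is skipped, and the file paths are constructed for the lab.

```powershell
# Added example (not from the original post): unpack SharePoint.exe and build an ISO with oscdimg.
# Assumptions: oscdimg.exe is reachable via $OscdimgPath; all paths below are constructed.
function New-SharePointIso {
    param(
        [Parameter(Mandatory)][string]$SharePointExe,   # e.g. C:\Downloads\sharepoint.exe
        [Parameter(Mandatory)][string]$ExtractDir,      # e.g. C:\SPF2013SP1
        [Parameter(Mandatory)][string]$IsoPath,         # e.g. C:\ISO\SPF2013SP1.iso
        [string]$OscdimgPath = 'oscdimg.exe'
    )
    if (-not (Test-Path $SharePointExe)) { throw "Installer not found: $SharePointExe" }
    if (-not (Get-Command $OscdimgPath -ErrorAction SilentlyContinue)) { throw "oscdimg.exe not found: $OscdimgPath" }
    New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null

    # /extract:<dir> unpacks the self-extracting package without starting setup.
    $p = Start-Process -FilePath $SharePointExe -ArgumentList "/extract:`"$ExtractDir`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Extraction failed with exit code $($p.ExitCode)" }
    if (-not (Test-Path (Join-Path $ExtractDir 'setup.exe'))) { throw "setup.exe missing after extraction" }

    # Same switches as the post: -n long file names, -d keep case, -m ignore the image size limit.
    & $OscdimgPath -n -d -m $ExtractDir $IsoPath
    if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }
    Get-Item $IsoPath
}

New-SharePointIso -SharePointExe 'C:\Downloads\sharepoint.exe' `
                  -ExtractDir 'C:\SPF2013SP1' `
                  -IsoPath 'C:\ISO\SPF2013SP1.iso'
```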
Deploy CONTOSO's SharePoint Foundation 2013 SP1 Server
The following steps will deploy SharePoint Foundation 2013 SP1 server. If you are deploying a different version of SharePoint consult the documentation of the version you are installing. IMPORTANT: You must use SharePoint Foundation 2013 with SP1 to successfully install SharePoint Foundation 2013 on Windows Server 2012 R2. You can read more about the hardware and software requirements here.
- Log into the CONTOSO domain controller (CONT-DC01) and create a new Domain User called srv_SP.
- Log into the CONTOSO SQL server (CONT-SQ01) and give srv_SP sysadmin rights.
- Open SQL Server Management studio > Security > Logins > New Login > Search > Locations > Entire Directory > OK
- Type srv_SP > OK
- Select Server Roles > Check sysadmin > OK
- In a production environment the rights should be modified to give the service account the least permissions necessary after SharePoint is deployed.
- Deploy a Windows Server 2012 R2 workgroup server and configure the IP address, subnet mask, hostname, and DNS servers. For the purposes of this series the information will be as follows:
- Hostname: CONT-SP01
- IP Address: 192.168.30.4
- Subnet Mask: 255.255.255.0
- DNS Servers: 192.168.30.2
- Join the contoso.com domain
- After rebooting, log into the server using CONTOSO domain credentials (i.e. CONTOSO\Administrator)
- Disable Internet Explorer Enhanced Security Configuration (IE ESC)
- Open Server Manager > Local Server > IE Enhanced Security Configuration > Administrators > Off. Note: This should only be performed on lab servers for test purposes.
- If you are installing SharePoint Foundation 2013 SP1 to a Virtual Machine I recommend you take a snapshot of the Virtual Machine at this point so that in the event that the SharePoint install fails, you can revert to snapshot and try again vs. having to reinstall the Virtual Machine's Operating System.
- Insert the Windows Server 2012 R2 installation media then run the following command from an elevated PowerShell window: Add-WindowsFeature Net-Framework-Core -Source <driveletter>:\sources\sxs. This will add .NET Framework 3.5 to the server.
- At this point I recommend you temporarily configure the server with an IP address that can reach the Internet since the prerequisite installer will attempt to connect to the Internet for most of the prerequisites. After obtaining the prerequisites or providing a means for the server to reach the Internet proceed to the next step.
- Insert the SharePoint Foundation 2013 SP1 installation media then right click > Run as administrator on the prerequisiteinstaller executable to start the installation.
- Click Next > I Accept > Next > to begin the prerequisites installation.
- Click Finish to reboot the server when prompted.
- The prerequisites installer will install more prerequisites then click Finish to reboot when prompted.
- Click Finish once the prerequisites have successfully installed, the server will reboot again.
- Click Finish to complete the prerequisites installation.
- At this point change the IP address back to the lab subnet if needed. For this blog I changed the IP address back to 192.168.30.4/24 with a DNS server IP address of 192.168.30.2.
- Double click Setup from the SharePoint Foundation 2013 SP1 media to begin the SharePoint installation.
- Click I Accept > Continue > Select Complete > Install Now
- Click Close to run the SharePoint configuration wizard
- Click Next > Yes > Create a new server farm > Next.
- For the Database server type CONT-SQ01
- For the Username type CONTOSO\srv_SP, enter the Password then click Next
- Enter a passphrase when prompted then click Next.
- Select Negotiate (Kerberos) then click Next
- Click Yes to use Kerberos > Next > after the installation is complete click Finish.
- Select whether you wish to participate in the Customer Experience Improvement Program then click OK.
- You should now be able to view CONTOSO's Central Admin page as shown in the following Figure.
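The srv_SP account and SQL rights steps above, scripted, with the least-privilege follow-up the post recommends for production. This is an added example, not from the original post; the AD part runs on CONT-DC01 and the SQL part on CONT-SQ01, the OU path is an assumption, and the role statements use SQL Server 2012 or later syntax. The reduced roles (securityadmin and dbcreator) are the ones Microsoft documents for the SharePoint setup and farm accounts.

```powershell
# Added example (not from the original post). Run the AD section on CONT-DC01.
Import-Module ActiveDirectory
$pw = Read-Host -Prompt 'Password for srv_SP' -AsSecureString
New-ADUser -Name 'srv_SP' -SamAccountName 'srv_SP' -UserPrincipalName 'srv_SP@contoso.com' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -Description 'SharePoint farm/service account' `
    -Path 'CN=Users,DC=contoso,DC=com'     # OU path is an assumption for the lab

# Run the SQL section on CONT-SQ01. SQLPS ships with SQL Server and provides Invoke-Sqlcmd.
Import-Module SQLPS -DisableNameChecking
$sql = 'CONT-SQ01'

# Step from the post: sysadmin for the duration of the SharePoint install.
Invoke-Sqlcmd -ServerInstance $sql -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\srv_SP')
    CREATE LOGIN [CONTOSO\srv_SP] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\srv_SP];
"@

# Production follow-up (run once the farm is built): drop sysadmin and keep only the
# documented minimum. SharePoint grants itself db_owner on the databases it creates.
$leastPrivilege = @"
ALTER SERVER ROLE [sysadmin]      DROP MEMBER [CONTOSO\srv_SP];
ALTER SERVER ROLE [securityadmin] ADD  MEMBER [CONTOSO\srv_SP];
ALTER SERVER ROLE [dbcreator]     ADD  MEMBER [CONTOSO\srv_SP];
"@
# Invoke-Sqlcmd -ServerInstance $sql -Query $leastPrivilege

# Verify which fixed server roles the login currently holds.
Invoke-Sqlcmd -ServerInstance $sql -Query @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CONTOSO\srv_SP';
"@
```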
Configure CONTOSO's SharePoint Foundation 2013 SP1 Server
The following steps will complete the configuration of CONTOSO's SharePoint server and will create the SharePoint Application that will later be used by federated users.
- From the Central Administration page shown in the preceding Figure, click Start the Wizard
- Select Use an existing managed account, leave everything else at its defaults, then click Next. Note: A new account should be used here for a production environment.
- Once the farm is created enter the following information to create a site Collection
- Title: CONTOSO SharePoint
- Description: CONTOSO's Portal
- Template: Team Site
- Click OK
- Click Finish
- Click Application Management > Configure Alternate Access Mappings
- Highlight http://cont-sp01 as shown in the following figure then click Edit Public URLs
- Under Alternate Access Mapping Collection change "No Selection" to SharePoint - 80
- Type https://www.contoso.com for the Default URL then click Save.
- Click Application Management > Manage Web Applications > Highlight SharePoint - 80 > Authentication Providers
- Click Default then click Enable Anonymous Access
- Ensure Integrated Windows authentication is set to Negotiate (Kerberos) then click Save
- Close the dialogue box then click Anonymous Policy. Select Deny Write - Has no write Access then click Save.
- Open an Elevated PowerShell window and type the following command: Get-Certificate -Template WebServer -DnsName www.contoso.com -CertStoreLocation cert:\LocalMachine\My
- You should now have a web server certificate with a subject name of www.contoso.com
- Configure IIS Bindings for the new certificate
- Open IIS Manager > Expand Sites > Highlight SharePoint - 80 > Click Bindings
- Click Add > https
- Select the certificate you just obtained then click OK > Close
- Open an elevated PowerShell command prompt and type the following command setspn -S HTTP/www.contoso.com srv_SP
- Open a web browser and type the following URL: https://www.contoso.com. If you get a username/password prompt enter CONTOSO\Administrator and the Password then click OK.
- The portal should appear as shown in the following Figure.
- Click the gear icon in the upper right corner > Site Settings > Site Permissions
- Click Anonymous Access > Anonymous users can access > Entire Web Site > Click OK
- Clear out all cookies, then close and re-open the browser. You should now be able to view CONTOSO's SharePoint portal anonymously, as shown in the following Figure.
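The certificate request, IIS binding and SPN registration steps above as one script run on CONT-SP01. This is an added example, not from the original post; it assumes the WebServer template, the "SharePoint - 80" site name and the srv_SP account from the post, and uses the WebAdministration module that ships with IIS on Windows Server 2012 R2.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell window on CONT-SP01.
Import-Module WebAdministration

$dns  = 'www.contoso.com'
$site = 'SharePoint - 80'

# Enrol against the CONTOSO enterprise CA using the WebServer template (same command as the post).
$req = Get-Certificate -Template WebServer -DnsName $dns -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Certificate request did not complete: status $($req.Status)" }
$cert = $req.Certificate

# Add the https binding for the site if it does not exist yet.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $dns
}

# Attach the certificate to the 0.0.0.0:443 SSL binding (create or update).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Set-Item -Path $sslPath -Value $cert }
else                    { New-Item -Path $sslPath -Value $cert | Out-Null }

# Register the Kerberos SPN on the service account. -S refuses to add a duplicate;
# a missing or duplicate HTTP SPN breaks Kerberos and shows up as repeated password prompts.
setspn -S "HTTP/$dns" srv_SP
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed ($LASTEXITCODE). Check for an existing SPN with: setspn -Q HTTP/$dns"
}

# Verify: certificate subject and the SPNs now registered on srv_SP.
"Certificate subject: $($cert.Subject)  (thumbprint $($cert.Thumbprint))"
setspn -L srv_SP
```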
You now have two forests, one named contoso.com and one named fabrikam.com, along with the DNS records, certificate services, database services, and CONTOSO's SharePoint Foundation 2013 services needed to support AD FS. In part 4b SharePoint Foundation 2013 SP1 will be deployed in FABRIKAM's forest.
Troubleshooting
- If you cannot connect to the SQL server and the Windows Firewall is enabled ensure port TCP 1433 is enabled inbound on the Windows Firewall as per the following instructions.
- If SharePoint fails to install with an error stating that it cannot configure the Application IIS server ensure you are installing a version of SharePoint 2013 with SP1 integrated into it.
- If the installation of SharePoint fails half way through the install, verify that the service account has at least DB Owner on the SQL server for the target database.
- If you get an error when attempting to obtain a certificate ensure that Domain Computers have rights to read the Web Server template.
- If you get an error when attempting to obtain a certificate ensure that the CRL has not expired.
- If you get repeated password prompts when viewing the portal even after it is set to anonymous, ensure the Web Application is set to Negotiate (Kerberos).
- If the page displays page not found ensure you created an A record for the site in DNS.
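A read-only check that walks the troubleshooting list above (DNS A record, TCP 1433 to SQL, SPN registration, certificate chain and CRL, anonymous HTTPS). This is an added example, not from the original post; run it on CONT-SP01 as a domain user, with the host, SQL server and account names taken from the post.

```powershell
# Added example (not from the original post): health check for the troubleshooting items.
function Test-SharePointLabPrereqs {
    param(
        [string]$SiteName   = 'www.contoso.com',
        [string]$SqlServer  = 'CONT-SQ01',
        [string]$SvcAccount = 'srv_SP'
    )
    $r = [ordered]@{}

    # "Page not found": the portal host needs an A record in DNS.
    $a = Resolve-DnsName -Name $SiteName -Type A -ErrorAction SilentlyContinue
    $r['DnsARecord'] = [bool]$a

    # "Cannot connect to SQL": TCP 1433 must be allowed inbound on the SQL server's firewall.
    $r['Sql1433Open'] = (Test-NetConnection -ComputerName $SqlServer -Port 1433 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded

    # "Repeated password prompts": the HTTP SPN must exist and belong to the service account.
    $spn = & setspn -Q "HTTP/$SiteName" 2>&1 | Out-String
    $r['SpnOnServiceAccount'] = ($spn -match 'Existing SPN found') -and ($spn -match "CN=$SvcAccount,")

    # Certificate errors: the cert must be in LocalMachine\My and its chain (including the CRL) valid.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$SiteName" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    $r['CertPresent']       = [bool]$cert
    $r['CertChainAndCrlOk'] = if ($cert) {
        [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $SiteName -ErrorAction SilentlyContinue)
    } else { $false }

    # Anonymous access: an unauthenticated GET over HTTPS should return 200.
    try {
        $resp = Invoke-WebRequest -Uri "https://$SiteName/" -UseBasicParsing -ErrorAction Stop
        $r['AnonymousHttps200'] = ($resp.StatusCode -eq 200)
    } catch { $r['AnonymousHttps200'] = $false }

    [pscustomobject]$r
}

Test-SharePointLabPrereqs | Format-List
```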