How to build an integrated identity environment of Azure AD and ADFS?
1. A public IP address. The ADFS service must be published on this public IP so that Azure AD can reach it when it redirects a sign-in to the ADFS service. In a real environment you would publish ADFS through an ADFS proxy, a Web Application Proxy, or another reverse proxy. In the test environment we use an Azure virtual machine instead, because Azure assigns the virtual machine a public network address.

2. A certificate that the client trusts. I used the subdomain corp1.jiashuang.cn as my domain; you can also use a first-level domain name.

Then click Next through the remaining pages until the installation completes.

9. Restart the DC after the installation.

10. Then install the certificate service role on the DC and continue through the installation.

11. After the installation is completed, choose to configure the role. Under role services select Certification Authority, click Next, and then complete the configuration.

12. After that we need to create a new SSL certificate; this is the certificate for the HTTPS communication between users and ADFS. Run certsrv.msc, right-click Certificate Templates and select Manage.

13. In the new window find the Web Server certificate template, right-click it and select Duplicate Template. On the General tab, name it ADFS SSL.

On the Security tab, add Domain Users and Domain Computers and grant them the Read and Enroll permissions.

On the Subject Name tab, set the subject name format to Common name and check DNS name.

14. Return to the certification authority, right-click Certificate Templates, click New > Certificate Template to Issue, and select ADFS SSL.

15. Then run domain.msc to open the Active Directory Domains and Trusts window. We need to add a UPN suffix. Right-click Active Directory Domains and Trusts and select Properties. On the UPN Suffixes tab enter our domain name, then click Add > Apply > Finish.

15. At this point the DC configuration is complete. Now log in to the Azure portal and open the virtual network we created earlier. In the configuration options we need to set the DNS servers of the virtual network: point them to the DC, and add an entry pointing to the Azure public DNS as well (otherwise external names cannot be resolved), then click Save.

16. Restart the ADFS server, then join it to the domain. After the restart, log in as a domain administrator.

17. Now add two records to the hosts file on the ADFS server (path C:\Windows\System32\drivers\etc\hosts), using our own domain name, DC name and IP address. This is mainly so that the DC can still be found if DNS resolution has a problem. The hosts file takes the IP address first, followed by the name:

10.0.0.6 corp1.jiashuang.cn

10.0.0.6 corp-dc.corp1.jiashuang.cn

18. Next we need to install the certificate we prepared earlier. Open MMC, click File > Add/Remove Snap-in, choose Certificates, select Computer account, then Local computer, and click OK. Right-click Personal, click All Tasks > Request New Certificate, click Next through the wizard, select ADFS SSL in the certificate enrollment list, and then click Enroll.
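The same enrollment can be done from PowerShell with the PKI module, which also lets you verify the issued certificate before binding it to ADFS and IIS. This is an added example, not code from the original article. It assumes the duplicated template's internal name is ADFSSSL (the article only gives the display name ADFS SSL) and that the federation service name is the ADFS server's own FQDN, corp-adfs.corp1.jiashuang.cn; adjust both if your names differ.

```powershell
# Added example (not from the original article). Run elevated on the ADFS server
# after it has joined the domain and the CA has published the template.
# Assumption: the template's internal name is ADFSSSL (display name "ADFS SSL").
$FsName   = 'corp-adfs.corp1.jiashuang.cn'   # federation service name (assumed = host FQDN)
$Template = 'ADFSSSL'

# The article's template builds the subject from AD (common name + DNS name),
# so no subject needs to be supplied in the request.
$result = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # 'Pending' means the CA requires manager approval; re-run Get-Certificate
    # with -Request once approved.
    throw "Enrollment not completed: status $($result.Status)"
}
$cert = $result.Certificate

# Properties ADFS needs from its SSL certificate: Server Authentication EKU,
# the federation service name in the SAN, and an exportable-or-not private key
# present in the machine store.
$hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
$sanHasFsName  = $cert.DnsNameList.Unicode -contains $FsName
$hasPrivateKey = $cert.HasPrivateKey

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    ServerAuthEKU = $hasServerAuth
    SanHasFsName  = $sanHasFsName
    HasPrivateKey = $hasPrivateKey
}

if (-not ($hasServerAuth -and $sanHasFsName -and $hasPrivateKey)) {
    throw 'Certificate is not usable for the ADFS HTTPS endpoint; review the template settings.'
}
```

If SanHasFsName is False, the federation service name does not match the computer's AD DNS name; in that case the template has to allow the subject to be supplied in the request, or the certificate has to be requested with the correct DNS name.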

19. After installing the certificate, open PowerShell on the DC server and run the following commands.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

New-ADServiceAccount fsgmsa -DNSHostName corp-adfs.corp1.jiashuang.cn -ServicePrincipalNames <SPN>
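A fuller version of this step, as an added example that is not from the original article, creates the KDS root key only if none exists, restricts password retrieval for the gMSA to the ADFS computer account, and shows how to verify the account on the ADFS server. The SPN value is an assumption, since the article's command is cut off; the account and host names follow the article.

```powershell
# Added example (not from the original article). Run on the DC as a domain
# administrator with the ActiveDirectory module available.
Import-Module ActiveDirectory

$AccountName = 'fsgmsa'
$AdfsHost    = 'corp-adfs'                     # computer name of the ADFS server
$AdfsFqdn    = 'corp-adfs.corp1.jiashuang.cn'
$FsName      = 'corp-adfs.corp1.jiashuang.cn'  # federation service name (assumed = host FQDN)

# 1. KDS root key. gMSA passwords are derived from it, and a key is usable only
#    after its EffectiveTime. Back-dating by 10 hours (as in the article) is a
#    single-DC lab shortcut. With several DCs, use -EffectiveImmediately and wait
#    the 10 hours so the key replicates before any gMSA password is derived.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Every principal listed in
#    PrincipalsAllowedToRetrieveManagedPassword can fetch the account's password,
#    so list only the ADFS computer account (add further ADFS farm nodes here).
$AdfsComputer = Get-ADComputer -Identity $AdfsHost
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    # SPN value is an assumption (HTTP service for the federation service name).
    New-ADServiceAccount -Name $AccountName `
        -DNSHostName $AdfsFqdn `
        -ServicePrincipalNames "http/$FsName" `
        -PrincipalsAllowedToRetrieveManagedPassword $AdfsComputer
}

# 3. Show what was created and who may retrieve the password.
Get-ADServiceAccount -Identity $AccountName `
    -Properties DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 4. On the ADFS server (reboot it first so its computer ticket reflects the
#    new permission), install and test the account:
#    Install-ADServiceAccount -Identity fsgmsa
#    Test-ADServiceAccount -Identity fsgmsa     # True when the password can be retrieved
```

Test-ADServiceAccount returning False on the ADFS server almost always means either the computer account is not in the retrieval list or the KDS root key is not yet effective on the DC that the server contacted.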

20. Then go back to the ADFS server and install the ADFS role on it.

21. When finished, click Configure ADFS. Under Specify Service Properties select the certificate we imported earlier, select fsgmsa as the service account, and then continue through the next steps until the configuration is complete.

23. After the configuration is completed, install the Web Server role, mainly for IIS Manager.

24. After the installation is completed, open IIS Manager, right-click the Default Web Site, select Edit Bindings, click Add, and add an HTTPS binding. Select the certificate we imported earlier.

22. After the configuration is completed, open IE, enter the following URL and try to log in, as a simple test of whether ADFS works.
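Beyond a browser login, the hosts-file fallback from step 17 and the HTTPS endpoint from this step can be checked together from the ADFS server. The following is an added example, not code from the original article; it uses the names and IP address the article gives (corp1.jiashuang.cn, corp-dc.corp1.jiashuang.cn, 10.0.0.6) and assumes the federation service name is corp-adfs.corp1.jiashuang.cn.

```powershell
# Added example (not from the original article). Run on the ADFS server after
# Configure ADFS has completed. Names and IP follow the article; the federation
# service name is an assumption.
$FsName = 'corp-adfs.corp1.jiashuang.cn'
$DcFqdn = 'corp-dc.corp1.jiashuang.cn'
$DcIp   = '10.0.0.6'
$Domain = 'corp1.jiashuang.cn'

# 1. hosts-file fallback (step 17): both records present, IP first.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Hosts = Get-Content $HostsPath -ErrorAction Stop
foreach ($name in @($Domain, $DcFqdn)) {
    $pattern = "^\s*$([regex]::Escape($DcIp))\s+$([regex]::Escape($name))(\s|$)"
    $state = if ($Hosts -match $pattern) { 'OK' } else { 'MISSING' }
    "hosts: $name -> $DcIp : $state"
}

# 2. Name resolution and the machine's secure channel to the domain.
foreach ($name in @($Domain, $DcFqdn, $FsName)) {
    try {
        $ip = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
        "resolve: $name -> $ip"
    } catch {
        "resolve: $name FAILED ($($_.Exception.Message))"
    }
}
"secure channel to domain: $(Test-ComputerSecureChannel)"

# 3. ADFS service identity, SSL binding and token-signing certificate.
Import-Module ADFS
"federation service: $((Get-AdfsProperties).HostName)"
$ssl = Get-AdfsSslCertificate | Select-Object -First 1
"ssl binding: {0}:{1} thumbprint {2}" -f $ssl.HostName, $ssl.PortNumber, $ssl.CertificateHash
$cert = Get-Item "Cert:\LocalMachine\My\$($ssl.CertificateHash)"
"ssl cert: subject {0}; SAN has service name: {1}; expires {2}" -f $cert.Subject,
    ($cert.DnsNameList.Unicode -contains $FsName), $cert.NotAfter
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }

# 4. Federation metadata over HTTPS. Invoke-WebRequest validates the certificate
#    chain, so an untrusted or mismatched certificate fails here before a user
#    ever sees a browser warning.
$metaUrl = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
$xml = [xml](Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -ErrorAction Stop).Content
"metadata entityID: $($xml.EntityDescriptor.entityID)"
```

If step 4 fails with a trust error while the browser test succeeds, the browser is usually relying on a trust the service itself lacks; fix the certificate chain rather than bypassing validation, since Azure AD will perform the same check when it redirects to ADFS.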