Step by Step Guide for Installing and Configuring ADFS 3.0 on Windows Server 2012
Welcome to the Active Directory Federation Services Configuration Wizard.
Before you begin configuration, you must have the following:
- An Active Directory domain administrator account.
- A publicly trusted certificate for SSL server authentication.
This server will be configured as the primary server in a new AD FS farm ‘fs.poc.lan’.
AD FS configuration will be stored in Windows Internal Database.
Windows Internal Database feature will be installed on this server if it is not already installed.
All existing configuration in the database will be deleted.
A group Managed Service Account POC\adfs$ will be created if it does not already exist and this host will be added as a member.
Federation service will be configured to run as POC\adfs$.
If you click on View Script:
#
# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

Install-AdfsFarm `
    -CertificateThumbprint:"3923273B4862WEE0CBAF3WEWE99125EDBWEWEWC0C5" `
    -FederationServiceDisplayName:"ADFS POC" `
    -FederationServiceName:"fs.poc.lan" `
    -GroupServiceAccountIdentifier:"POC\adfs`$" `
    -OverwriteConfiguration:$true
The root key for the group Managed Service Account was created at 6/18/2014 4:16:18 AM. If you have more than one domain controller in your Active Directory forest, the key may not yet have replicated to all domain controllers and therefore the service may not successfully install or start. To avoid service startup problems, wait 10 hours to ensure the key has replicated to all DCs before completing the Active Directory Federation Services Configuration Wizard, executing Install-AdfsFarm or Add-AdfsFarmNode on any other servers in your network, or restarting any AD FS service.
All prerequisite checks passed successfully. Click ‘Configure’ to begin installation.
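The wizard runs its own prerequisite checks, but when you drive the deployment from PowerShell it helps to verify the same things explicitly before Install-AdfsFarm overwrites anything. The script below is an added example, not the View Script output shown above: it takes the farm name fs.poc.lan, the display name "ADFS POC" and the gMSA POC\adfs$ from this guide, uses a placeholder thumbprint that you must replace, and checks the KDS root key (Issue #1 below), the SSL certificate and DNS before calling the same Install-AdfsFarm parameters the wizard generates.

```powershell
# Added example (not the post's View Script output): pre-flight checks
# wrapped around Install-AdfsFarm for the first node of a WID-backed farm.
# Assumed values from the post: fs.poc.lan, "ADFS POC", POC\adfs$.
# The thumbprint is a placeholder; replace it with your own certificate's.
#Requires -RunAsAdministrator
Import-Module ADFS

$FederationServiceName = 'fs.poc.lan'
$DisplayName           = 'ADFS POC'
$GmsaIdentifier        = 'POC\adfs$'
$Thumbprint            = 'REPLACE-WITH-YOUR-SSL-CERT-THUMBPRINT'   # placeholder

# 1. The gMSA cannot be created without a KDS root key (Issue #1 in the post).
#    Test-KdsRootKey returns $false until the key's EffectiveTime has passed;
#    the post's AddHours(-10) trick makes it usable at once, which is only
#    safe when every DC already holds the key (e.g. a single-DC lab).
$rootKey = Get-KdsRootKey | Sort-Object EffectiveTime -Descending | Select-Object -First 1
if (-not $rootKey) {
    throw 'No KDS root key exists. Run Add-KdsRootKey as a domain admin and let it replicate.'
}
if (-not (Test-KdsRootKey -KeyId $rootKey.KeyId)) {
    throw "KDS root key $($rootKey.KeyId) is not effective until $($rootKey.EffectiveTime)."
}

# 2. The SSL certificate must sit in the machine store with its private key,
#    carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and name the
#    federation service; otherwise clients fail TLS validation on the sign-on page.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this host.' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU.'
}
if ($cert.DnsNameList.Unicode -notcontains $FederationServiceName) {
    Write-Warning "Certificate SAN list does not name $FederationServiceName (a matching wildcard is fine)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); schedule a renewal."
}

# 3. The federation service name must resolve and must not be this server's
#    own hostname. Resolve-DnsName comes from the DnsClient module.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($FederationServiceName -ieq $hostFqdn) {
    throw 'The federation service name must differ from the server hostname.'
}
$null = Resolve-DnsName -Name $FederationServiceName -ErrorAction Stop

# 4. Same parameters the wizard's View Script shows. -OverwriteConfiguration
#    deletes any existing AD FS configuration in WID on this host (Issue #2).
Install-AdfsFarm `
    -CertificateThumbprint $Thumbprint `
    -FederationServiceDisplayName $DisplayName `
    -FederationServiceName $FederationServiceName `
    -GroupServiceAccountIdentifier $GmsaIdentifier `
    -OverwriteConfiguration

# What AD FS now believes its name and identifier are.
Get-AdfsProperties | Select-Object HostName, Identifier
```

Run it in an elevated PowerShell session as a domain administrator on the server that will become the primary farm node. The EKU and SAN checks are deliberately strict because a certificate that passes the wizard can still produce browser and client errors later if it does not name the federation service.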
Verifying that AD FS is working fine:
Check out your IdP Sign-on landing page by navigating to
In the AD FS Management Console you'll see the Federation Service properties as shown below:
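Opening the sign-on page in a browser is a good first check, but it is also useful to have a repeatable script that confirms the service is running under the gMSA, that the farm identity matches what the console shows, and that the federation metadata and sign-on page are served correctly over TLS. The script below is an added example and not part of the original guide; it assumes the farm name fs.poc.lan from this guide, and the two URL paths it uses are AD FS's standard federation-metadata and IdP-initiated sign-on endpoints.

```powershell
# Added example (not from the original post): post-install health check
# for the new farm. Assumes the farm name fs.poc.lan used in the post.
Import-Module ADFS

$FederationServiceName = 'fs.poc.lan'

# 1. The AD FS Windows service must be running, and under the gMSA
#    the wizard configured (POC\adfs$ in the post), not a local account.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
if ($svc.State -ne 'Running') {
    throw "adfssrv is $($svc.State); check the 'AD FS/Admin' event log."
}
"Service account: $($svc.StartName)"

# 2. Farm identity as AD FS itself reports it; this is what the
#    Federation Service properties page in the console displays.
$props = Get-AdfsProperties
"Federation service: $($props.HostName)  Identifier: $($props.Identifier)"

# 3. Federation metadata must be served over TLS and describe this farm.
#    A certificate/name mismatch shows up here as a TLS error, not a 404.
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$entityId = $metadata.EntityDescriptor.entityID
if ($entityId -ne "$($props.Identifier)") {
    throw "Metadata entityID '$entityId' does not match farm identifier '$($props.Identifier)'."
}
"Metadata OK: $entityId"

# 4. The IdP-initiated sign-on page, the landing page the post tells you to open.
#    Invoke-WebRequest throws on a non-2xx response, so reaching the next line means it loaded.
$signOnUrl = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"
$resp = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
"Sign-on page OK (HTTP $($resp.StatusCode)): $signOnUrl"

# 5. Review which endpoints are enabled and which are published to a proxy;
#    anything you do not use is attack surface that can be disabled later.
Get-AdfsEndpoint |
    Where-Object { $_.Enabled } |
    Select-Object AddressPath, Protocol, Proxy |
    Format-Table -AutoSize
```

The endpoint listing at the end is informational: a fresh 3.0 farm enables a number of endpoints by default, and reviewing them right after installation makes it easier to decide which ones should stay enabled or be exposed through a Web Application Proxy.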
Possible Errors while configuring AD FS:
Issue#1: You'll receive the warning "Group Managed Service Accounts are not available because the KDS Root Key has not been set." as shown below:
Specify Service Account
Group Managed Service Accounts are not available because the KDS Root Key has not been set. Use the following PowerShell command to create the key: “Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)”
Fix: Run the suggested PS command as domain administrator.
PS C:\> Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
Issue#2: You'll receive a Database Overwrite confirmation prompt if AD FS was previously installed on the same server: