How to Set Up AD FS 3.0 for Single Sign-On on Windows Server 2012 R2
Active Directory Federation Services 3.0 on Windows Server 2012 R2 delivers enterprise Single Sign-On capabilities, allowing users to authenticate once with their corporate Active Directory credentials and access multiple applications — both on-premises and cloud-hosted — without re-entering credentials. AD FS 3.0 introduces significant improvements over previous versions including support for OAuth 2.0, a new multi-factor authentication framework, enhanced claims provider support, and improved administrative tooling. This guide walks through a complete AD FS 3.0 deployment for SSO across internal and cloud applications.
Prerequisites
– Windows Server 2012 R2 domain member server (dedicated server recommended)
– Active Directory domain with Windows Server 2008 or higher domain functional level
– SSL certificate for the federation service name (wildcard or dedicated cert for adfs.corp.com)
– A Group Managed Service Account or standard service account
– DNS record for the AD FS service name
– Port 443 inbound for external access
– .NET Framework 4.5 installed
– At least 4 GB RAM and 2 vCPUs for production deployments
Step 1: Prepare Infrastructure
# Verify all prerequisites
Import-Module ActiveDirectory
# Check domain functional level
(Get-ADDomain).DomainMode # Should be Windows2008Domain or higher
# Create service account
New-ADServiceAccount -Name "svc_ADFS30" `
-Description "AD FS 3.0 Service Account" `
-DNSHostName "adfs.corp.com" `
-PrincipalsAllowedToRetrieveManagedPassword "ADFS-Servers-Group"
# OR create a standard user account if gMSA is not feasible
New-ADUser -Name "svc_ADFS" `
-SamAccountName "svc_ADFS" `
-AccountPassword (ConvertTo-SecureString "Str0ngPassw0rd!" -AsPlainText -Force) `
-PasswordNeverExpires $true `
-Enabled $true `
-Description "AD FS service account"
# Install required Windows features
Install-WindowsFeature -Name ADFS-Federation, NET-Framework-45-Features `
-IncludeManagementTools -IncludeAllSubFeature
# Import certificate
$certPwd = ConvertTo-SecureString "CertPass!" -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath "C:Certsadfs_corp_com.pfx" `
-CertStoreLocation "Cert:LocalMachineMy" -Password $certPwd
Write-Host "SSL Cert Thumbprint: $($cert.Thumbprint)"
Step 2: Install and Configure AD FS Farm
Import-Module ADFS
$certThumbprint = (Get-ChildItem Cert:LocalMachineMy |
Where-Object { $_.Subject -like "*adfs.corp.com*" } |
Select-Object -First 1).Thumbprint
# Install a new AD FS farm with Windows Internal Database
# For production with HA, use SQL Server
Install-AdfsFarm `
-CertificateThumbprint $certThumbprint `
-FederationServiceName "adfs.corp.com" `
-FederationServiceDisplayName "Contoso Identity Provider" `
-GroupServiceAccountIdentifier "CORPsvc_ADFS30$" `
-OverwriteConfiguration
# Verify the farm is running
Get-AdfsFarmInformation
Get-AdfsProperties | Select-Object HostName, HttpsPort, IdTokenIssuer, SigningCertificate*
# Start the AD FS service
Start-Service adfssrv
Set-Service adfssrv -StartupType Automatic
# Test the federation metadata endpoint
Invoke-WebRequest -Uri "https://adfs.corp.com/FederationMetadata/2007-06/FederationMetadata.xml" `
-UseBasicParsing | Select-Object StatusCode
Step 3: Configure the AD FS Sign-In Page
Import-Module ADFS
# Customize the sign-in page branding
Set-AdfsWebTheme -TargetName default `
-CompanyName "Contoso Corporation" `
-SignInPageDescriptionText "Sign in with your Contoso corporate account" `
-HomeRealmDiscovery $false
# Create a custom web theme
New-AdfsWebTheme -Name "Contoso" -SourceName default
Set-AdfsWebConfig -ActiveThemeName "Contoso"
# Add company logo (PNG, max 260x35 pixels)
Set-AdfsWebTheme -TargetName "Contoso" `
-Illustration @{Path = "C:ADFSAssetsbanner.png"} `
-Logo @{Path = "C:ADFSAssetslogo.png"}
# Customize sign-in page text
Set-AdfsGlobalWebContent -SignInPageDescriptionText `
"Having trouble signing in? Contact IT at [email protected] or ext. 5000.
"
# Enable Home Realm Discovery hint in URL (for multi-tenant scenarios)
Set-AdfsProperties -EnableOAuthDeviceFlow $true
Step 4: Configure Claims Provider Trust for Active Directory
The AD Claims Provider Trust is created automatically when AD FS is installed, but you can customize which attributes are passed as claims:
Import-Module ADFS
# View the default Active Directory claims provider trust
Get-AdfsClaimsProviderTrust -Name "Active Directory" | Format-List Name, Enabled
# Customize the acceptance transform rules for AD
$ldapRules = @"
@RuleName = "Map AD attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = (
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
"http://schemas.xmlsoap.org/claims/department",
"http://schemas.xmlsoap.org/claims/employeeid"
),
query = ";userPrincipalName,mail,givenName,sn,tokenGroups,department,employeeID;{0}",
param = c.Value);
"@
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
-AcceptanceTransformRules $ldapRules
Write-Host "AD claims provider trust updated"
Step 5: Create Relying Party Trusts for Applications
Import-Module ADFS
# Example: Relying Party for Office 365 / Azure AD
# Microsoft provides the metadata URL
$o365MetadataUrl = "https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml"
Add-AdfsRelyingPartyTrust `
-Name "Microsoft Office 365 Identity Platform" `
-MetadataUrl $o365MetadataUrl `
-AutoUpdateEnabled $true `
-MonitoringEnabled $true `
-Enabled $true
# Claims rules for Office 365
$o365Rules = @"
@RuleName = "Issue Account Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(claim = c);
@RuleName = "Issue UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(claim = c);
@RuleName = "Issue ObjectGUID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = "samAccountName={0};objectGuid;{1}", param = regexreplace(c.Value,"(?i)^.*\",""), param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
-IssuanceTransformRules $o365Rules
# Example: Generic SAML 2.0 relying party
Add-AdfsRelyingPartyTrust `
-Name "InternalHRSystem" `
-Identifier "https://hr.corp.com/saml" `
-SamlEndpoint (New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer `
-Uri "https://hr.corp.com/saml/acs" `
-Binding POST -Index 0 -IsDefault $true) `
-Enabled $true
# Claims rules for HR system
$hrRules = @"
@RuleName = "Send UPN as NameIdentifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Value = c.Value,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] =
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
@RuleName = "Send Email and Groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"),
query = ";mail,tokenGroups;{0}", param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName "InternalHRSystem" `
-IssuanceTransformRules $hrRules
Write-Host "Relying Party Trusts configured"
Get-AdfsRelyingPartyTrust | Select-Object Name, Enabled | Format-Table
Step 6: Configure Multi-Factor Authentication
Import-Module ADFS
# View available authentication methods
Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName, Enabled | Format-Table
# Enable Certificate Authentication as additional factor
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @()
Enable-AdfsDeviceRegistration
# Configure MFA trigger via per-relying-party access control
# Require MFA for users accessing sensitive application from outside corporate network
Set-AdfsRelyingPartyTrust -TargetName "InternalHRSystem" `
-AdditionalAuthenticationRules @"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
# Or use the global additional authentication rule
Set-AdfsAdditionalAuthenticationRule @"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
Value =~ "^(?!10.|192.168.|172.(1[6-9]|2[0-9]|3[01]).)d+.d+.d+.d+$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Step 7: Enable OAuth 2.0 / OpenID Connect (AD FS 3.0)
Import-Module ADFS
# AD FS 3.0 adds OAuth 2.0 authorization code flow support
# Register an OAuth client (native app or web app)
Add-AdfsClient -Name "CorpPortalApp" `
-ClientId "corp-portal-client-id" `
-RedirectUri @("https://portal.corp.com/oauth/callback","https://portal.corp.com") `
-Description "Corporate portal web application"
# Configure scopes for the application
Add-AdfsScopeDescription -Name "profile" `
-Description "Access to user profile information"
# Create application group for OAuth flows (AD FS 4.0 / WS2016 feature)
# On WS2012 R2, use native AD FS 3.0 OAuth support via:
Set-AdfsProperties -EnableOAuthTokenLifetime $true
# Verify OAuth is accessible
Invoke-WebRequest "https://adfs.corp.com/adfs/oauth2/authorize" -UseBasicParsing |
Select-Object StatusCode
Verification
Import-Module ADFS
Write-Host "=== AD FS 3.0 Deployment Verification ===" -ForegroundColor Cyan
# Service status
Get-Service adfssrv | Select-Object Status, StartType
# Farm information
Get-AdfsFarmInformation | Format-List
# Configured relying parties
Write-Host "Relying Party Trusts:"
Get-AdfsRelyingPartyTrust | Select-Object Name, Enabled, Identifier | Format-Table -AutoSize
# SSL certificate
Get-AdfsSslCertificate | Format-Table HostName, CertificateHash, PortNumber
# Test federation metadata
$metadata = Invoke-WebRequest "https://adfs.corp.com/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
if ($metadata.StatusCode -eq 200) {
Write-Host "Federation Metadata: ACCESSIBLE" -ForegroundColor Green
} else {
Write-Host "Federation Metadata: INACCESSIBLE" -ForegroundColor Red
}
# Event log health
$errors = Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 50 |
Where-Object { $_.Level -le 2 }
Write-Host "Recent AD FS errors: $($errors.Count)"
Summary
AD FS 3.0 on Windows Server 2012 R2 provides a complete enterprise SSO platform supporting SAML 2.0, WS-Federation, and OAuth 2.0. By deploying the AD FS farm with proper SSL certificates, configuring the Active Directory claims provider to pass rich user attributes, creating relying party trusts for each application, setting up claims transformation rules, configuring multi-factor authentication triggers, and validating the federation metadata endpoint, you enable a seamless authentication experience across your application portfolio. Users sign in once at the AD FS sign-in page and gain access to all federated applications for the duration of their SSO session, dramatically reducing helpdesk calls while maintaining security control.
