How to Set Up Windows Server 2016 Active Directory Federation Services

Active Directory Federation Services (AD FS) is a Microsoft identity solution that provides single sign-on (SSO) and claims-based authentication across organizational boundaries. It enables users to authenticate once with their corporate credentials and access applications hosted in other organizations, cloud services like Microsoft 365, or internal web applications — without needing separate usernames and passwords for each. Windows Server 2016 ships with AD FS 4.0, which includes significant improvements including support for OpenID Connect, OAuth 2.0, and device authentication.

Prerequisites

Before deploying AD FS, you need an Active Directory domain, a service account for AD FS (a Group Managed Service Account, gMSA, is preferred because its password rotates automatically and no administrator ever has to know it), and a valid SSL certificate for the AD FS service name. The SSL certificate's Subject or SAN must match the AD FS service name (e.g., adfs.yourdomain.com); for a multi-node farm the same certificate, with its private key, is imported on every node, and if you plan to use certificate authentication or device registration the SAN must also carry certauth.adfs.yourdomain.com and enterpriseregistration.yourdomain.com. Optionally, a SQL Server instance can be used for the AD FS configuration database instead of WID (Windows Internal Database).

Create a Group Managed Service Account for AD FS. The KDS root key is created once per forest; the -EffectiveTime offset below makes it usable at once and is a lab shortcut, since in production the key should replicate to all domain controllers for the normal 10 hours before any gMSA is created. The group named in -PrincipalsAllowedToRetrieveManagedPassword should contain the computer accounts of every AD FS server; reboot each server after adding it so the new membership is in its Kerberos ticket.

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)   # lab only; in production use Add-KdsRootKey -EffectiveImmediately and wait 10 hours
New-ADServiceAccount -Name "svc-adfs" -DNSHostName "adfs.corp.local" -PrincipalsAllowedToRetrieveManagedPassword "ADFS-Servers"

Step 1: Install the AD FS Role

Install the AD FS server role and management tools:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Verify the installation:

Get-WindowsFeature ADFS-Federation | Select Name, InstallState

Step 2: Obtain and Import the SSL Certificate

Import your SSL certificate, with its private key, into the local machine certificate store. If using an internal CA, request it with a web server template for the service name and export it as a PFX; then import the PFX and record its thumbprint:

$pfxPassword = Read-Host "PFX password" -AsSecureString
Import-PfxCertificate -FilePath "C:\certs\adfs.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Get the thumbprint of the imported certificate by its exact subject; a loose match such as "*adfs*" can pick up the wrong certificate
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=adfs.yourdomain.com*" } | Sort-Object NotAfter -Descending | Select-Object -First 1
$certThumbprint = $cert.Thumbprint
Write-Host "Certificate thumbprint: $certThumbprint"
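Before running Install-AdfsFarm it is worth checking everything the prerequisites and Step 2 rely on in one pass: the KDS root key, the gMSA permissions, this server's group membership and the certificate. The script below is an added example, not part of the original tutorial; it assumes the service name adfs.yourdomain.com, the gMSA svc-adfs and the group ADFS-Servers from the commands above, and that the ActiveDirectory RSAT module is installed on the AD FS server.

```powershell
Import-Module ActiveDirectory

$serviceName = "adfs.yourdomain.com"   # assumed federation service name
$gmsaName    = "svc-adfs"              # gMSA from the prerequisites
$groupName   = "ADFS-Servers"          # group allowed to retrieve the gMSA password
$problems    = @()

# 1. A KDS root key must exist and already be effective, or no DC can hand out the gMSA password
$effectiveKeys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effectiveKeys) {
    $problems += "No effective KDS root key (run Add-KdsRootKey and wait for it to become effective)"
}

# 2. The gMSA must allow the group, and this computer must be in the group (membership is
#    read from the computer's Kerberos ticket, so a reboot is needed after adding it)
$gmsa  = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$group = Get-ADGroup -Identity $groupName
if ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -notcontains $group.DistinguishedName) {
    $problems += "gMSA $gmsaName does not allow $groupName to retrieve its password"
}
$thisComputer = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$members = Get-ADGroupMember -Identity $groupName -Recursive | Select-Object -ExpandProperty DistinguishedName
if ($members -notcontains $thisComputer) {
    $problems += "$env:COMPUTERNAME is not a member of $groupName"
}

# 3. The SSL certificate: SAN carries the exact service name, private key present, not about to
#    expire, and it chains to a trusted root with the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $serviceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $problems += "No certificate in Cert:\LocalMachine\My lists $serviceName as a DNS name"
} else {
    if (-not $cert.HasPrivateKey)                  { $problems += "$($cert.Thumbprint): private key missing" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "$($cert.Thumbprint): expires $($cert.NotAfter)" }
    if (-not (Test-Certificate -Cert $cert -EKU "1.3.6.1.5.5.7.3.1" -DNSName $serviceName -ErrorAction SilentlyContinue)) {
        $problems += "$($cert.Thumbprint): chain, EKU or name check failed"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Preflight passed; use thumbprint $($cert.Thumbprint) with Install-AdfsFarm"
}
```

Run it on each server that will join the farm; the certificate and group checks are per-machine, and a failure in check 2 is the usual cause of Install-AdfsFarm reporting that it cannot retrieve the gMSA password.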

Step 3: Configure the First AD FS Server in the Farm

Configure the first AD FS server. Run this in an elevated PowerShell session as a domain administrator; it creates the configuration database using WID (Windows Internal Database) by default and registers the HTTP/adfs.yourdomain.com SPN on the gMSA. -OverwriteConfiguration replaces any existing AD FS configuration on this server, so omit it unless you are deliberately rebuilding:

$certThumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"   # replace with the thumbprint from Step 2
$gmsa = 'corp\svc-adfs$'   # DOMAIN\name$ form; single quotes keep the trailing $ literal

Install-AdfsFarm `
    -CertificateThumbprint $certThumbprint `
    -FederationServiceDisplayName "Contoso Federation Service" `
    -FederationServiceName "adfs.yourdomain.com" `
    -GroupServiceAccountIdentifier $gmsa `
    -OverwriteConfiguration

For a SQL Server backend (needed for SAML artifact resolution and token replay detection, which WID does not support), add the SQLConnectionString parameter. The connection uses integrated security, so the gMSA needs a login and the right to create the database on the SQL instance:

Install-AdfsFarm `
    -CertificateThumbprint $certThumbprint `
    -FederationServiceName "adfs.yourdomain.com" `
    -GroupServiceAccountIdentifier 'corp\svc-adfs$' `
    -SQLConnectionString "Data Source=sql01.corp.local;Initial Catalog=ADFSConfig;Integrated Security=True"
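The commands above cover a single node. As an added example (not from the original tutorial), here is the same install written so that it runs unchanged on either node of a two-node WID farm, assuming host names ADFS01 and ADFS02, the gMSA corp\svc-adfs$, and that both computer accounts are already in ADFS-Servers and have been rebooted. The service certificate, with its private key, must already be imported on both nodes.

```powershell
$serviceName = "adfs.yourdomain.com"        # assumed federation service name
$gmsa        = 'corp\svc-adfs$'             # single quotes keep the trailing $ literal
$primaryNode = "adfs01.corp.local"          # assumed FQDN of the first node

# Select the service certificate by SAN on this node; the thumbprint must be identical on all nodes
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $serviceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Service certificate for $serviceName not found on $env:COMPUTERNAME" }

if ($env:COMPUTERNAME -ieq "ADFS01") {
    # First node: creates the WID configuration database, registers the HTTP/ SPN on the gMSA
    # and becomes the primary (the only node that accepts configuration writes)
    Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
        -FederationServiceName $serviceName `
        -FederationServiceDisplayName "Contoso Federation Service" `
        -GroupServiceAccountIdentifier $gmsa
} else {
    # Additional nodes: join the existing farm and pull configuration from the primary
    # (WID replication runs over TCP 80 from each secondary to the primary)
    Add-AdfsFarmNode -CertificateThumbprint $cert.Thumbprint `
        -GroupServiceAccountIdentifier $gmsa `
        -PrimaryComputerName $primaryNode
}

# Confirm which role this node ended up with; secondaries also report their last sync
$sync = Get-AdfsSyncProperties
"{0}: Role={1} Primary={2} LastSync={3}" -f $env:COMPUTERNAME, $sync.Role, $sync.PrimaryComputerName, $sync.LastSyncTime
```

Run it on ADFS01 first, then on ADFS02; the secondary cannot join until the primary's WID database exists. If you later need to take ADFS01 out of service, promote another node with Set-AdfsSyncProperties -Role PrimaryComputer before doing so.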

Step 4: Configure DNS for AD FS

Create a DNS A record pointing the AD FS service name to the AD FS server (or to the load balancer VIP in front of the farm). Use an A record rather than a CNAME: Windows Integrated Authentication depends on the HTTP/adfs.yourdomain.com SPN that Install-AdfsFarm registers on the gMSA, and a CNAME causes Kerberos clients to request a ticket for the wrong name. On your internal DNS server:

Add-DnsServerResourceRecordA -ZoneName "yourdomain.com" -Name "adfs" -IPv4Address "10.0.0.50" -ComputerName "dc01"

Verify DNS resolution from the AD FS server itself:

Resolve-DnsName adfs.yourdomain.com
Test-NetConnection adfs.yourdomain.com -Port 443

Step 5: Verify AD FS Service Status

Check that the AD FS service is running and the federation metadata is accessible:

Get-Service adfssrv | Select Status, StartType
Get-AdfsSslCertificate
Get-AdfsProperties | Select FederationServiceName, AutoCertificateRollover, SignedSamlRequestsRequired

Test the metadata endpoint from a browser or PowerShell:

Invoke-WebRequest -Uri "https://adfs.yourdomain.com/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing | Select StatusCode

Step 6: Add a Relying Party Trust for an Application

A relying party trust tells AD FS about an application that will use it for authentication. Add a trust for a WS-Federation web application. AD FS denies token issuance by default, so a trust with no access control policy and no issuance authorization rules authenticates nobody; the built-in "Permit everyone" policy is assigned here as a starting point and should be tightened to the groups that actually need the application:

Add-AdfsRelyingPartyTrust `
    -Name "Internal Web Application" `
    -Identifier "https://webapp.yourdomain.com/" `
    -WSFedEndpoint "https://webapp.yourdomain.com/login" `
    -Enabled $true `
    -AutoUpdateEnabled $false `
    -AccessControlPolicyName "Permit everyone"

For SAML 2.0 applications, specify the SAML endpoints:

$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "https://app.yourdomain.com/saml/acs"
Add-AdfsRelyingPartyTrust -Name "SAML App" -Identifier "urn:app:yourdomain" -SamlEndpoint $samlEndpoint

Step 7: Configure Claims Rules

Claims rules define what user attributes are sent to the relying party. Add a rule that looks up the authenticated user in Active Directory and issues UPN and email claims (a single-quoted here-string keeps the rule text literal, so nothing in it is expanded by PowerShell):

$ruleSet = New-AdfsClaimRuleSet -ClaimRule @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "Internal Web Application" -IssuanceTransformRules $ruleSet.ClaimRulesString
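The rule above sends directory attributes and leaves authorization to the trust's access control policy. As an added example (not from the original tutorial), the script below tightens the SAML App trust from Step 6 in both directions: it issues only groups whose names start with APP- instead of the user's whole tokenGroups list, so the application does not learn every group the user is in, and it permits token issuance only to members of an assumed group App-Users by resolving that group's SID into an issuance authorization rule. It assumes the ActiveDirectory module is available on the AD FS server.

```powershell
Import-Module ActiveDirectory
$rpt = "SAML App"   # trust created in Step 6

# Transform rules. add() puts tokenGroups into a temporary claim type that is never issued;
# the third rule copies only the matching groups into the standard Group claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Fetch group membership into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/groups"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue only APP- groups"
c:[Type == "http://temp/groups", Value =~ "^APP-"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = c.Value);
'@

# Authorization rule: permit only members of one group, matched by SID so that a renamed or
# re-created group cannot silently widen access. "App-Users" is an assumed group name.
$appUsersSid = (Get-ADGroup -Identity "App-Users").SID.Value
$authzTemplate = @'
@RuleName = "Permit members of App-Users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "__APP_USERS_SID__"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$authzRules = $authzTemplate.Replace("__APP_USERS_SID__", $appUsersSid)

# In AD FS 2016 explicit authorization rules and an access control policy are mutually exclusive
# on a trust, so remove any policy before assigning the rules.
Set-AdfsRelyingPartyTrust -TargetName $rpt -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $rpt `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Review what the trust will now enforce
Get-AdfsRelyingPartyTrust -Name $rpt | Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules | Format-List
```

Test with a user who is in App-Users and one who is not: the first receives a token carrying only APP- groups, the second is refused at the authorization stage and never reaches the transform rules.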

Step 8: Enable Extranet Lockout Protection

AD FS in Windows Server 2016 includes an extranet soft lockout feature to protect against password guessing on externally accessible AD FS endpoints. It counts only failed logons that arrive through the Web Application Proxy (intranet requests are not counted), and it protects the AD account only if its threshold is lower than the domain's account lockout threshold; otherwise AD locks the account first and an attacker can still deny service to the user:

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 10 -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Get-AdfsProperties | Select EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
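A threshold of 10 is safe only if the domain locks accounts at a higher number of bad passwords. As an added example (not from the original tutorial), the script below reads the default domain password policy and sets the AD FS threshold strictly below it and the observation window no shorter than AD's, printing the weak and corrected values side by side. It assumes the default domain policy applies to the AD FS users (check Get-ADFineGrainedPasswordPolicy if fine-grained policies are in use) and that the ActiveDirectory module is present.

```powershell
Import-Module ActiveDirectory
$ad = Get-ADDefaultDomainPasswordPolicy

# Weak configuration: an AD FS threshold of 10 against a domain threshold of 5 means AD locks the
# account after five guesses through the proxy, and the soft lockout never engages.
$weakThreshold = 10

if ($ad.LockoutThreshold -eq 0) {
    # 0 means AD never locks accounts; AD FS is then the only brake, so use a fixed conservative value
    $adfsThreshold = 5
} else {
    # Stay at least one attempt below AD's count so the AD FS lockout trips first. badPwdCount is
    # tracked on the PDC emulator and also increments for failures outside AD FS, so leave more
    # headroom if users authenticate elsewhere too.
    $adfsThreshold = [Math]::Max(1, $ad.LockoutThreshold - 1)
}

# The AD FS window must not be shorter than AD's, or AD FS forgets failures that AD still counts
$minWindow = New-TimeSpan -Minutes 30
$window = if ($ad.LockoutObservationWindow -gt $minWindow) { $ad.LockoutObservationWindow } else { $minWindow }

"AD lockout: threshold={0} window={1}" -f $ad.LockoutThreshold, $ad.LockoutObservationWindow
"AD FS:      weak={0} chosen={1} window={2}" -f $weakThreshold, $adfsThreshold, $window

Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold $adfsThreshold `
    -ExtranetObservationWindow $window

Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Re-run this whenever the domain lockout policy changes; the two thresholds drift apart silently otherwise.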

Monitoring and Diagnostics

View AD FS admin events and list the enabled endpoints, including whether each one is published through the Web Application Proxy:

Get-WinEvent -LogName "AD FS/Admin" -MaxEvents 25 | Select TimeCreated, LevelDisplayName, Message
Get-AdfsEndpoint | Where-Object { $_.Enabled -eq $true } | Select FullUrl, Protocol, Proxy
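Beyond the admin log, the security-relevant inventory is which endpoints the Web Application Proxy exposes to the internet. As an added example (not from the original tutorial), the script below unpublishes the WS-Trust Windows transport endpoints from the proxy, which Microsoft's AD FS hardening guidance recommends because they exist for intranet Windows Integrated Authentication, lists everything still published, and enables the Security-log auditing that AD FS audit events such as 1203 (failed credential validation) depend on. It assumes only intranet clients need Windows Integrated Authentication.

```powershell
# Endpoints that should not be reachable from the internet through the proxy
$intranetOnly = @(
    "/adfs/services/trust/2005/windowstransport",
    "/adfs/services/trust/13/windowstransport"
)

$changed = $false
foreach ($path in $intranetOnly) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if ($ep -and $ep.Proxy) {
        Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false
        Write-Host "Unpublished $path from the proxy"
        $changed = $true
    }
}
# Endpoint changes take effect after a service restart; the proxy picks them up on its next configuration poll
if ($changed) { Restart-Service adfssrv }

# Inventory of what the proxy still publishes
Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy } |
    Sort-Object AddressPath | Format-Table AddressPath, Protocol, SecurityMode -AutoSize

# Security auditing: AD FS writes audit events to the Security log only if the
# "Application Generated" subcategory is audited and the AD FS audit level allows it
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
Set-AdfsProperties -AuditLevel Verbose

# Quick check that auditing lands: failed credential validations (event 1203) in the last hour
$failed = Get-WinEvent -FilterHashtable @{
    LogName = "Security"; ProviderName = "AD FS Auditing"; Id = 1203; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
"Failed credential validations in the last hour: {0}" -f @($failed).Count
```

The auditpol and Set-AdfsProperties calls are needed on every node; the endpoint settings live in the configuration database and replicate across the farm.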

AD FS on Windows Server 2016 is foundational infrastructure for modern identity management, enabling cloud application integration, federated authentication, and single sign-on experiences that improve security and user productivity simultaneously.