So, trying to get ADFS up and running on Windows Server 2022? Yeah, it’s a bit of a grind, but once you get the hang of it, it’s pretty straightforward. Usually, folks run into hiccups around the SSL certs or not installing the right roles, so here’s a rundown based on some real-world messes and fixes.

Prerequisites

Before doing anything, you gotta have these:

  • Windows Server 2022 installed, obviously.
  • Admin rights—if you don’t have these, forget it.
  • Some familiarity with PowerShell and server stuff.
  • Access to a CA or a self-signed cert (sometimes that’s fine for testing, but not for prod). Basically, you’ll need an SSL cert to keep things secure.

Step 1: Check Your Windows Version

If you’re not sure the server is on Windows Server 2022, just pop open Run, type winver, and hit Enter. On some setups, this fails the first go, so if it doesn’t pop up info right away, try restarting or verifying your server version in System > About in Settings.

Step 2: Install ADFS with PowerShell

This is usually the easy part—run PowerShell as admin and slap this in:

Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

This command adds the ADFS feature along with its management tools in one go, so you skip the click-through in Server Manager, which sometimes misbehaves on recent builds.

Expect this to take a minute. If it throws errors saying “feature not found”, double-check your Windows version and update if needed.

Step 3: Start Configuring ADFS

Once installed, open Server Manager and look for the warning icon—it’ll prompt you to “Configure the Federation Service.” If that option isn’t showing, you might need to restart, or sometimes the setup wizard hangs; in that case, try running Microsoft’s official setup walkthrough.

Step 4: Handle Your SSL Certificate

Here’s where things get a bit tricky—certs. You can buy a real one or whip up a self-signed, but honestly, for testing, self-signed works. So, if you’re creating one, you could do this:

  • Go to Server Manager > Manage > Add Roles and Features, check Active Directory Certificate Services, and install. Because of course, Windows has to make it harder than necessary.
  • After that, configure the CA by following the wizard, then duplicate the Web Server certificate template on your CA and allow enrollment on it (yes, in the CA's certificate templates, not just in IIS).

This way, your server will have a valid SSL cert for ADFS. If it’s just for test labs, a self-signed is fine, but for anything real, get a cert from a trusted CA like DigiCert or Let’s Encrypt (which can be automated, but that’s a separate saga).

Step 5: Request and Install the Self-Signed Cert

If you’re going self-signed, here’s the quick and dirty: open MMC (mmc), add the Certificates snap-in for Computer Account, then right-click Personal > All Tasks > Request New Certificate. Pick your template—probably something like “Web Server,” and add your DNS names (like adfs.yourdomain.com).

On some servers, this process doesn’t work flawlessly the first time. You might need to restart MMC or specify DNS names explicitly. Easy fix: Just make sure your DNS is right before requesting.

Step 6: Finalize ADFS Setup

Now, go back to the ADFS wizard in Server Manager. When asked for the SSL cert, pick the one you just created or imported. Give your ADFS service a display name, make sure the URLs match your DNS, and keep clicking Next. If the cert doesn’t show up, double-check that it has a private key and is valid for server authentication.

Step 7: Reboot & Test

After all that, restart the server. Yeah, a reboot seems necessary sometimes because Windows seems to hold onto old configs. Once it’s back up, open your browser and navigate to your ADFS endpoint, something like https://adfs.yourdomain.com/adfs/ls/IdpInitiatedSignOn.aspx (that page is off by default on ADFS 2016 and later; enable it with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true if you want it as a test page). If your cert is configured right, no scary SSL warnings should pop up.

Check Event Viewer (Applications and Services Logs > AD FS > Admin) for Event ID 100, “The Federation Service started successfully”—if it’s there, your ADFS is probably happy.
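Steps 6 and 7 boil down to a handful of checks (service up, the right cert bound on 443, DNS and firewall sane, metadata served, event 100 logged), so here they are scripted as an added example, not code from the original post. It assumes you run it elevated on the ADFS server and that adfs.yourdomain.com is a placeholder for your own federation service name.

```powershell
# Assumption: adfs.yourdomain.com is a placeholder; use the DNS name you put on the cert.
$FederationServiceName = 'adfs.yourdomain.com'

$result = [ordered]@{}

# Step 7: the federation service should be running after the reboot.
$result.ServiceRunning = (Get-Service -Name adfssrv).Status -eq 'Running'

# Step 6: find the cert the wizard bound on 443 and confirm it is the one you
# meant: private key present, Server Authentication EKU, matching DNS name.
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $FederationServiceName -and $_.PortNumber -eq 443 } |
    Select-Object -First 1
$cert = if ($binding) { Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)" -ErrorAction SilentlyContinue }
$result.CertBound       = [bool]$cert
$result.CertHasKey      = [bool]$cert -and $cert.HasPrivateKey
$result.CertServerAuth  = [bool]$cert -and ($cert.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
$result.CertNameMatches = [bool]$cert -and ($cert.DnsNameList.Unicode -contains $FederationServiceName)
$result.CertNotExpired  = [bool]$cert -and ($cert.NotAfter -gt (Get-Date))

# Troubleshooting tips: the name resolves and 443 is reachable through the firewall.
$result.DnsResolves = [bool](Resolve-DnsName -Name $FederationServiceName -ErrorAction SilentlyContinue)
$result.Port443Open = (Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

# Step 7 browser test, scripted: the federation metadata document is served
# regardless of whether the IdP-initiated sign-on page is enabled, so it is a
# reliable probe. A self-signed cert this machine does not trust fails here,
# which is the same warning the browser would show.
try {
    $meta = Invoke-WebRequest -Uri "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
    $result.MetadataReachable = $meta.StatusCode -eq 200
} catch { $result.MetadataReachable = $false }

# Event 100 ("service started") lives in the AD FS/Admin log, not the Application log.
$result.Event100Logged = [bool](Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 100 } -MaxEvents 1 -ErrorAction SilentlyContinue)

[pscustomobject]$result | Format-List
```

Anything that comes back False points you straight at the step to redo: a False on CertNameMatches is the “update the DNS name in your cert” tip, a False on Port443Open is the firewall rule.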

Extra Tips & Troubleshooting

Things to watch out for:

  • Make sure your DNS entries are spot-on—adfs.yourdomain.com should point where you think it does.
  • Firewall rules matter—allow port 443 inbound on your ADFS server.
  • Certs: if signed, make sure they are issued correctly and match the URLs.
  • If ADFS won’t authenticate or gives SSL errors, restart the ADFS service (Restart-Service adfssrv); if IIS is also installed on the box, restart it or run iisreset as well.

Sometimes, creating a new self-signed cert and reassigning it to the service fixes weird SSL handshake issues. Just don’t forget to update the DNS name in your cert!

Summary

  • Verify server version and admin rights.
  • Install ADFS via PowerShell.
  • Make sure SSL certificates are set up correctly, either via CA or self-signed.
  • Configure ADFS in Server Manager, selecting the right cert.
  • Reboot, test, and keep an eye on logs.

Hopefully this shaves off a few hours for someone. If this gets one update moving, mission accomplished.

2025