Is it possible to set up ADFS without domain admin rights in Windows 2012 R2?

    Question

  • I've set up Windows 2012 R2 on my development box and want to enable the ADFS feature to test claims based authN. In ADFS 2.0, you could opt to install standalone and local admin privileges would be enough to install ADFS and authenticate against the domain AD.

    However, with the new ADFS, after installing the feature it asks to enter the credentials for an account that is a domain admin. Is it still possible to configure ADFS without domain admin privileges?


    Thursday, October 31, 2013 10:09 PM

All replies

  • Hi,

    According to my research, if you want to set up AD FS in Windows server 2012 R2, each computer that functions as a federation server must be joined to an Active Directory domain.
    Besides, AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. Furthermore, you need a membership in Administrators on the local computer to install the AD FS role service.

    For more detailed information, please refer to the links below:

    How to deploy AD FS in Windows Server 2012 R2

    http://technet.microsoft.com/en-us/library/dn303423.aspx

    Best regards,

    Susie

    Sunday, November 03, 2013 4:54 AM
    Moderator
  • Hi Susie,

    That link does not work, but I found the article you refer to anyway. The problem I have is that 'Step 4: Configure a Federation Server' says: On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.

    We have a development environment where everyone installs their own version of ADFS locally. We can't give everyone domain administrator privileges.

    This link: http://technet.microsoft.com/en-us/library/hh831502.aspx explicitly says support for stand-alone has been removed. So how are these development scenarios supposed to work?

    Thanks for your reply.

    -- Marcel


    Tuesday, November 05, 2013 4:19 PM
  • "So how are these development scenarios supposed to work?" - Most developers work in a test domain - not in the production.  There they can have a variety of different privileges they would never be granted in a production domain.  Or you could use something like Configuration Manager to install.  It can have a package for ADFS that has the proper permissions, ensuring the person getting ADFS does not need the elevated privileges.

    .:|:.:|:. tim

    Wednesday, November 06, 2013 3:42 PM
  • We do work in a test lab domain. But that test lab domain is still managed by our IT department and no developers are given domain admin privileges.

    Seems to me the ADFS team took away a perfectly valid feature (standalone install) without a good backup scenario. Does anyone know why this decision was made?

    -- Marcel

    Wednesday, November 06, 2013 5:07 PM