Is it possible to set up ADFS without domain admin rights in Windows 2012 R2?

    Question

  • I've set up Windows 2012 R2 on my development box and want to enable the ADFS feature to test claims-based authN. In ADFS 2.0, you could opt to install standalone and local admin privileges would be enough to install ADFS and authenticate against the domain AD.

    However, with the new ADFS, after installing the feature it asks to enter the credentials for an account that is a domain admin. Is it still possible to configure ADFS without domain admin privileges?


    Thursday, October 31, 2013 10:09 PM

All replies

  • Hi,

    According to my research, if you want to set up AD FS in Windows Server 2012 R2, each computer that functions as a federation server must be joined to an Active Directory domain.
    Besides, AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. Furthermore, you need a membership in Administrators on the local computer to install the AD FS role service.

    For more detailed information, please refer to the links below:

    How to deploy AD FS in Windows Server 2012 R2

    http://technet.microsoft.com/en-us/library/dn303423.aspx

    Best regards,

    Susie

    Sunday, November 03, 2013 4:54 AM
    Moderator
  • Hi Susie,

    That link does not work, but I found the article you refer to anyway. The problem I have is that 'Step 4: Configure a Federation Server' says: On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next.

    We have a development environment where everyone installs their own version of ADFS locally. We can't give everyone domain administrator privileges.

    This link: http://technet.microsoft.com/en-us/library/hh831502.aspx explicitly says support for stand-alone has been removed. So how are these development scenarios supposed to work?

    Thanks for your reply.

    -- Marcel


    Tuesday, November 05, 2013 4:19 PM
  • "So how are these development scenarios supposed to work?" - Most developers work in a test domain - not in the production.  There they can have a variety of different privileges they would never be granted in a production domain.  Or you could use something like Configuration Manager to install.  It can have a package for ADFS that has the proper permissions, ensuring the person getting ADFS does not need the elevated privileges.

    .:|:.:|:. tim

    Wednesday, November 06, 2013 3:42 PM
  • We do work in a test lab domain. But that test lab domain is still managed by our IT department and no developers are given domain admin privileges.

    Seems to me the ADFS team took away a perfectly valid feature (standalone install) without a good backup scenario. Does anyone know why this decision was made?

    -- Marcel

    Wednesday, November 06, 2013 5:07 PM
  • I'm running into a similar scenario.

    Our AD administrators don't want to provide AD domain privileges (even temporarily) for the installation wizard. Is there any workaround for this, such as setting up SPNs or creating containers in advance, and then just using a service account that doesn't have the AD domain administrator privileges needed in the Connect to AD DS page?

    Tuesday, November 18, 2014 7:48 PM
  • Does anyone have any new information on this?

    With ADFS V2 we were able to work out the domain admin issue by temporarily granting the installation user access to create the specific container and then having domain admins manually create the SPN after the install was complete. This allowed us to install an ADFS farm without any need for domain admin rights.

    Now with ADFS V3, Microsoft has really thrown a wrench in our ability to utilize this product. Like so many other organizations, our test domains are managed by a central team and they do not give out domain admin rights to anyone... to do so would be a horrible security practice. Additionally, it makes no sense that the full keys to the kingdom be required if they are not needed.


    Wednesday, June 24, 2015 3:51 PM