I've set up Windows 2012 R2 on my development box and want to enable the ADFS feature to test claims-based authN. In ADFS 2.0, you could opt to install standalone and local admin privileges would be enough to install ADFS and authenticate against the domain AD.
However, with the new ADFS, after installing the feature it asks to enter the credentials for an account that is a domain admin. Is it still possible to configure ADFS without domain admin privileges?
According to my research, if you want to set up AD FS in Windows Server 2012 R2, each computer that functions as a federation server must be joined to an Active Directory domain.
Besides, AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. Furthermore, you need membership in Administrators on the local computer to install the AD FS role service.
For more detailed information, please refer to the links below:
How to deploy AD FS in Windows Server 2012 R2
That link does not work, but I found the article you refer to anyway. The problem I have is that 'Step 4: Configure a Federation Server' says: "On the Connect to AD DS page, specify an account with domain administrator permissions for the AD domain that this computer is joined to and then click Next."
We have a development environment where everyone installs their own version of ADFS locally. We can't give everyone domain administrator privileges.
This link: http://technet.microsoft.com/en-us/library/hh831502.aspx explicitly says support for stand-alone has been removed. So how are these development scenarios supposed to work?
Thanks for your reply.
"So how are these development scenarios supposed to work?" - Most developers work in a test domain - not in the production. There they can have a variety of different privileges they would never be granted in a production domain. Or you could use something like Configuration Manager to install. It can have a package for ADFS that has the proper permissions, ensuring the person getting ADFS does not need the elevated privileges.
We do work in a test lab domain. But that test lab domain is still managed by our IT department and no developers are given domain admin privileges.
Seems to me the ADFS team took away a perfectly valid feature (standalone install) without a good backup scenario. Does anyone know why this decision was made?
Does anyone have any new information on this?
With ADFS V2 we were able to work out the domain admin issue by temporarily granting the installation user access to create the specific container and then having domain admins manually create the SPN after the install was complete. This allowed us to install an ADFS farm without any need for domain admin rights.
Now with ADFS V3, Microsoft has really thrown a wrench in our ability to utilize this product. Like so many other organizations, our test domains are managed by a central team and they do not give out domain admin rights to anyone. To do so would be a horrible security practice. Additionally, it makes no sense that the full keys to the kingdom be required if they are not needed.
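The prerequisites listed in the first reply (domain-joined computer, SSL server-authentication certificate, local Administrators membership) and the split of duties in the last post (a local admin installs, a domain admin registers the SPN afterwards) can be checked up front before anyone touches the configuration wizard. The script below is an added example, not code from any poster in this thread or from Microsoft's documentation. It assumes a federation service name of fs.example.test and a service account EXAMPLE\svc_adfs; both are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): pre-flight check of the AD FS prerequisites
# discussed above, run in an elevated PowerShell session on the prospective
# federation server. It only reads state; it changes nothing.
# Assumed placeholder values (not from the thread), replace with your own:
$FederationServiceName = 'fs.example.test'
$ServiceAccount        = 'EXAMPLE\svc_adfs'

$results = [ordered]@{}

# 1. The computer must be joined to an Active Directory domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. The installing user must hold an elevated local Administrators token.
#    This is a local right and does not require domain admin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['LocalAdmin'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. A valid SSL server-authentication certificate with a private key whose
#    subject CN or SAN matches the federation service name must be in the
#    machine store. Its thumbprint is what the farm configuration needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "*CN=$FederationServiceName*" -or
         ($_.DnsNameList | Where-Object { $_.Unicode -eq $FederationServiceName }))
    } | Select-Object -First 1
$results['SslCertificate'] = if ($cert) { $cert.Thumbprint } else { $null }

# 4. Whether the HOST SPN for the service name is already registered on the
#    service account. Writing the SPN needs directory rights the installer
#    may not have; a domain admin can add it separately with:
#      setspn -S HOST/<service name> <domain>\<service account>
$spnOutput = & setspn -L $ServiceAccount 2>&1
$results['SpnRegistered'] = (($spnOutput -match "HOST/$FederationServiceName").Count -gt 0)

# 5. Report whether the current token carries Domain Admins, purely so the
#    outcome of the 'Connect to AD DS' page discussed above is predictable
#    before the wizard is started. It is not treated as a requirement here.
$results['DomainAdminToken'] = (((whoami /groups) -match 'Domain Admins').Count -gt 0)

$results | Format-Table -AutoSize
```

Items 1 to 3 are the conditions a local admin can satisfy alone; item 4 is the piece the last post describes handing to a domain admin after the install. The thumbprint reported under SslCertificate is the value that Install-AdfsFarm takes through its -CertificateThumbprint parameter, alongside -FederationServiceName and -ServiceAccountCredential.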