Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

I’ve been getting quite a few requests to write a blog post that details the process of migrating a legacy AD FS 2.0 infrastructure to AD FS 3.0 (the version released with Windows Server 2012 R2). The step-by-step below details one method.

 

Migration Paths

There are a couple of different paths for migrating AD FS from version 2.0 to AD FS 3.0. The one detailed below is a parallel install: build a new AD FS 3.0 farm alongside the existing one, export the AD FS 2.0 configuration and import it into AD FS 3.0. There are other methods, but I prefer this one because you can build the whole AD FS 3.0 solution, test it end to end while the AD FS 2.0 farm is still serving users, and then cut over to it by updating DNS. Done this way there is no user impact. Please visit the Microsoft site below for all the supported methods. Note that this method only works if AD FS 2.0 is in a farm configuration (Windows Internal Database or SQL Server); if AD FS 2.0 is a stand-alone deployment, you must do a manual migration. See the links below.

http://technet.microsoft.com/en-us/library/dn486815.aspx

http://technet.microsoft.com/en-us/library/dn486787.aspx

 

Assumptions

  1. Base build new AD FS 3.0 server with Windows Server 2012 R2
  2. Add server to the local domain
  3. Export SSL certificate on AD FS 2.0 server (with private key)
  4. AD FS service account and password that was used to deploy AD FS 2.0
  5. Directory Sync is running

 

Import SSL Certificate

 

***NOTE*** It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment. The federation service name must stay the same, and this certificate is what carries that name.

***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) rather than requesting a new one, to be sure that it’s the same one.

 

Assuming you have exported the SSL certificate as a PFX file, this is the procedure to import it into the computer certificate store on the new server.

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful
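The same import done with PowerShell, plus the check a practitioner wants before going further: that the certificate just imported is the one the AD FS 2.0 farm is actually serving. This is an added example, not code from the original post. The PFX path, the AD FS 2.0 server name and WinRM being enabled on that server are assumptions.

```powershell
# Added example (not from the original post): import the exported AD FS 2.0 SSL
# certificate and verify it against the certificate the AD FS 2.0 farm serves.
# Assumptions: the PFX is at $pfxPath, the AD FS 2.0 server is $adfs20, and
# PowerShell remoting (WinRM) is enabled on it.

$pfxPath = 'C:\adfs_export\sts.pfx'          # assumed path of the exported PFX
$adfs20  = 'adfs20.corp.example.com'         # assumed AD FS 2.0 server name
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the computer Personal store (Cert:\LocalMachine\My). -Exportable is
# only needed so the same certificate can be exported again for the WAP servers;
# drop it if you will import the PFX file on each server directly.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPass -Exportable

# AD FS 2.0 serves its SSL certificate from an IIS binding. Read the hash of the
# HTTPS binding on the 2.0 server and compare it with what was just imported.
$servedHash = Invoke-Command -ComputerName $adfs20 -ScriptBlock {
    Import-Module WebAdministration
    (Get-WebBinding -Protocol https | Select-Object -First 1).certificateHash
}

if ($imported.Thumbprint -ne $servedHash) {
    throw "Thumbprint mismatch: imported $($imported.Thumbprint), AD FS 2.0 serves $servedHash"
}
if (-not $imported.HasPrivateKey) {
    throw 'The imported certificate has no private key; re-export it from AD FS 2.0 with the key'
}
if ($imported.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($imported.NotAfter); plan a renewal around the cutover"
}
'Imported {0} ({1}), valid until {2}' -f $imported.Subject, $imported.Thumbprint, $imported.NotAfter
```

The thumbprint comparison is the point of the block: a certificate with the right subject but a different key would configure cleanly and still leave you with two farms on different certificates.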


 

 

Install AD FS Role on Windows Server 2012 R2

 

Login to the AD FS 3.0 Server

Open Server Manager

Click Local Server

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Active Directory Federation Services

Click Next

 

Click Next

 

Click Next

 

Click Install

Installation starts

 

Install completed. Don’t close the wizard; continue to the next step from it.

 

 

Configure AD FS 3.0

 

Click Configure the federation service on this server

 

Select Create the first federation server in a federation farm

Click Next

 

Use an account with Domain Admin rights to perform the install. Please note that this is not the service account. That comes later in the setup.

Click Next

 

Select the certificate that we imported in the previous step. WARNING: this MUST be the same SSL certificate used in the AD FS 2.0 farm.

The Federation Service Name is filled in from the certificate (type it yourself if you use a wildcard certificate), for example sts.DOMAIN.com. WARNING: this MUST match the AD FS 2.0 federation service name exactly, because that is the name your relying party trusts and Office 365 already know. The Federation Service Display Name is only what users see on the sign-in page; use the same one as the AD FS 2.0 farm for consistency.

Click Next

 

Specify the AD FS Service Account. WARNING – This has to be the same AD FS Service account that is used in the AD FS 2.0 farm. No exceptions

Enter Password

Click Next

 

Select the default (Windows Internal Database) unless you want to use SQL Server. If you do use SQL, create a new database for the AD FS 3.0 farm; never point it at the AD FS 2.0 farm’s database.

Click Next

 

Click Next

 

Click Configure

 

Configuration started

 

Configuration Finished

 

If you open AD FS Management now, you will notice that the Relying Party Trusts do not yet include Office 365. That is expected; the trusts arrive with the configuration import in the next step.
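The role install and first-node farm configuration that the wizard performs above, as PowerShell. This is an added example, not code from the original post. The thumbprint, federation service name, display name and the two accounts are placeholders; the certificate is the one imported earlier, and leaving out -SQLConnectionString selects the Windows Internal Database, as the wizard default does.

```powershell
# Added example (not from the original post): install the AD FS role and create
# the first node of the new farm. Placeholders: $thumbprint, $fsName,
# $displayName and the credentials. DnsNameList on certificate objects is
# available from Windows Server 2012 onward.

$thumbprint  = 'PASTE-THUMBPRINT-OF-THE-IMPORTED-CERTIFICATE'
$fsName      = 'sts.DOMAIN.com'          # MUST equal the AD FS 2.0 federation service name
$displayName = 'DOMAIN Sign-In'          # cosmetic, shown on the sign-in page
$svcAccount  = Get-Credential -Message 'AD FS service account used by the AD FS 2.0 farm'
$setupAdmin  = Get-Credential -Message 'Domain Admin account for the farm setup'

Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# Refuse to build the farm if the certificate does not cover the federation
# service name (a wildcard such as *.DOMAIN.com is matched by -like).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not ($names | Where-Object { $fsName -like $_ })) {
    throw "Certificate names ($($names -join ', ')) do not cover $fsName"
}

# Same SSL certificate, same federation service name, same service account as
# the AD FS 2.0 farm; no -SQLConnectionString means Windows Internal Database.
Install-AdfsFarm -CertificateThumbprint $thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $displayName `
    -ServiceAccountCredential $svcAccount `
    -Credential $setupAdmin

# What the wizard leaves behind: the service name, and a relying party trust
# list with no Office 365 entry yet (that arrives with the configuration import).
Get-AdfsProperties | Select-Object HostName, DisplayName, Identifier
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier
```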

 

 

Export the AD FS 2.0 Configuration

 

Login to the primary AD FS 2.0 federation server (the export reads the configuration database, so run it on the primary, not on a secondary farm member)

Insert or mount the Windows Server 2012 R2 DVD into the server

Run PowerShell as Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the script:

.\Export-FederationConfiguration.ps1 -Path C:\adfs_export

This exports the AD FS 2.0 configuration (service settings, claims provider trusts and relying party trusts) into a folder called adfs_export on the root of the C: drive. That folder is your complete trust configuration, so restrict who can read it and delete the copies once the import has been verified.

Export completed

Copy the ADFS_Export folder to Windows Server 2012 R2 AD FS Server

Import the AD FS Configuration to AD FS 3.0

Login to the AD FS 3.0 Server

Open PowerShell as an Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Import-FederationConfiguration.ps1 script with the path parameter to the exported contents of the AD FS 2.0 configuration

.\Import-FederationConfiguration.ps1 -Path C:\ADFS_Export

    

Import started

Read the warnings: the import removes all existing claims provider trusts and relying party trusts on the target server before it loads the exported ones. Make sure you are on the new AD FS 3.0 server and not on an AD FS 2.0 production server.

Imported successfully

Verify the Import in AD FS Management
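The export and import steps above with the checks you want around a script that wipes every trust on its target: confirm you are on the 2.0 primary before exporting, refuse to import on the wrong machine, and compare the trust list before and after. This is an added example, not code from the original post; the two halves run on different servers, and the host names, the DVD drive letter and the admin share are placeholders.

```powershell
# Added example (not from the original post). Half 1 runs on the primary AD FS 2.0
# federation server, half 2 on the new AD FS 3.0 server. Placeholders: the media
# drive letter, the new server name ADFS30 and the admin share used for the copy.

# ---------- Half 1: on the primary AD FS 2.0 federation server ----------
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if ((Get-ADFSSyncProperties).Role -ne 'PrimaryComputer') {
    throw 'Run the export on the primary AD FS 2.0 server, not a secondary farm member'
}
$media = 'D:'                                      # assumed drive of the mounted 2012 R2 DVD
$out   = 'C:\adfs_export'
Set-Location "$media\support\adfs"
.\Export-FederationConfiguration.ps1 -Path $out

# Record the trust names so the import can be checked against them afterwards.
Get-ADFSRelyingPartyTrust | Select-Object Name | Export-Csv "$out\rp-before.csv" -NoTypeInformation
Copy-Item $out '\\ADFS30\C$\adfs_export' -Recurse   # assumed new server name

# ---------- Half 2: on the AD FS 3.0 server ----------
# The import removes all claims provider and relying party trusts on the machine
# it runs on, so hard-fail unless this really is the new server.
if ($env:COMPUTERNAME -ne 'ADFS30') {
    throw "Refusing to import on $env:COMPUTERNAME; this wipes every trust on the target"
}
$media = 'D:'
$in    = 'C:\adfs_export'
Set-Location "$media\support\adfs"
.\Import-FederationConfiguration.ps1 -Path $in

# Verify: every relying party trust that existed on the 2.0 farm is now present,
# and the Office 365 trust in particular made it across.
$before  = Import-Csv "$in\rp-before.csv" | ForEach-Object { $_.Name }
$after   = Get-AdfsRelyingPartyTrust | ForEach-Object { $_.Name }
$missing = $before | Where-Object { $after -notcontains $_ }
if ($missing) { throw "Trusts missing after import: $($missing -join ', ')" }
if (-not ($after | Where-Object { $_ -like '*Office 365*' })) {
    Write-Warning 'No Office 365 relying party trust found; check the export output'
}
"Imported $($after.Count) relying party trusts"
```

The computer-name guard is deliberately crude; the import script already warns, but a warning you have seen twenty times is exactly the one you click through on the wrong server.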

Testing Single Sign-On

 

From a domain-joined PC, edit the hosts file so that the federation service name (for example sts.DOMAIN.com) resolves to the IP address of the AD FS 3.0 server. Internal DNS still points at the AD FS 2.0 farm, so the hosts entry is what sends this one PC to the new farm; remove it when testing is done.

 

Navigate to the IdP-initiated sign-on page: https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx. You can tell right away that this is the AD FS 3.0 server by the way the web page looks, since the 2012 R2 sign-in page is quite different from the AD FS 2.0 one.

Test signing in

 

Once this works, test logging in to the Microsoft Office 365 portal from the same PC. Because its hosts file points the federation service name at the new farm, the Office 365 sign-in is redirected to AD FS 3.0 for this PC only, while every other user is still using AD FS 2.0.
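The test above driven from PowerShell on the test PC: add the hosts override, confirm the federation service is answered by the new farm, and then do the check Office 365 sign-in actually depends on: that the token-signing certificate the new farm publishes in its metadata is the one Office 365 trusts for the domain. This is an added example, not code from the original post. The federation service name, IP address and domain are placeholders; a PC with PowerShell 3.0 or later and the MSOnline module installed is assumed, and the hosts file edit needs an elevated prompt.

```powershell
# Added example (not from the original post). Placeholders: $fsName, $domain,
# $newIp. Assumes PowerShell 3.0+ and the MSOnline module; run elevated.

$fsName = 'sts.DOMAIN.com'
$domain = 'DOMAIN.com'
$newIp  = '10.0.0.25'                            # AD FS 3.0 server (or its VIP)
$hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. hosts override. Resolve-DnsName bypasses the hosts file, so confirm the
#    override with the .NET resolver, which honours it.
Add-Content -Path $hosts -Value "`r`n$newIp`t$fsName"
Clear-DnsClientCache
$resolved = [System.Net.Dns]::GetHostAddresses($fsName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $newIp) { throw "$fsName still resolves to $($resolved -join ', ')" }

# 2. Fetch the federation metadata. AD FS 3.0 answers straight from HTTP.sys
#    (Server: Microsoft-HTTPAPI/2.0); AD FS 2.0 answers through IIS.
$meta = Invoke-WebRequest -UseBasicParsing -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
"Answered by: $($meta.Headers['Server'])"

# 3. Pull the primary token-signing certificate out of the metadata (first
#    <KeyDescriptor use="signing"> under IDPSSODescriptor).
[xml]$xml = $meta.Content
$ns = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$b64 = $xml.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns).InnerText
$farmSigning = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($b64.Trim()))

# 4. Compare with what Office 365 holds for the federated domain. A mismatch means
#    the new farm signs with a certificate Office 365 does not know, so federated
#    sign-in will fail after cutover until Update-MsolFederatedDomain is run.
Import-Module MSOnline
Connect-MsolService
$o365 = Get-MsolDomainFederationSettings -DomainName $domain
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($o365.SigningCertificate))
if ($trusted.Thumbprint -ne $farmSigning.Thumbprint) {
    Write-Warning "Office 365 trusts $($trusted.Thumbprint) but the farm signs with $($farmSigning.Thumbprint)"
}
if (([uri]$o365.PassiveLogOnUri).Host -ne $fsName) {
    Write-Warning "Office 365 redirects to $($o365.PassiveLogOnUri); expected host $fsName"
}
```

Step 4 is the one to keep in your cutover checklist: a browser test against the IdP-initiated page proves the farm signs users in, but only the certificate comparison proves Office 365 will accept the tokens it issues.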

 

Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm, or add the Web Application Proxy (WAP) servers that replace the AD FS 2.0 proxy servers, you add them directly to the new farm (the wizard’s “Add a federation server to a federation server farm” option, or Add-AdfsFarmNode). There is no need to repeat the export and import above once the first AD FS 3.0 server is set up in the new farm. Also note that while internal DNS still points at the AD FS 2.0 farm, the new servers will most likely need hosts file entries for the federation service name so that they join the new farm and not the old one.

 

Production Cut Over

When the AD FS 3.0 solution has been built and tested, update internal DNS, and the external DNS record used by the WAP servers, to point at the new AD FS 3.0 farm. Lower the TTL on those records ahead of time so the change takes effect quickly, leave the AD FS 2.0 farm running until sign-in has been confirmed through the new farm, and only then decommission it.

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


35 thoughts on “Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On”

  1. Steve Rackham

    Hi Kelsey,
    We wish to place the ADFS in the cloud. The on-premise ADFS is running 3.0 (server 2012r2) already.
    The ability to export the configuration is not available (or does not seem to be at this level). Do we still create a new farm? Is another/different service account possible?
    Thanks for your help.

    S.

    Reply
    1. Kelsey Epps (Post author)

      What cloud are you thinking of? Azure?

      If you have 3.0 onsite already, then just use a VPN connection to extend your internal network to the cloud service. Once that is in place, just add another ADFS server to the same farm. Switch the new server to the primary role and then decommission the on-premise one. There are obviously more steps than that, but that’s the theory.

      Reply
  2. Jon

    Hi,

    On the import step I’m getting this error:

    Set-ADFSProperties : ADMIN0108: Certificate management service cannot be enabled in a farm without creating
    certificate sharing container. Use Set-ADFSCertSharingContainer cmdlet to create the container.
    At line:1 char:1
    + Set-ADFSProperties -CertificateDuration $Parameters[“CertificateDuration”] -Auto …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-AdfsProperties], InvalidDataException
    + FullyQualifiedErrorId : System.IO.InvalidDataException,Microsoft.IdentityServer.Management.Commands.SetServicePr
    opertiesCommand

    Reply
  3. Steve Rackham

    Hi Kelsey
    Yes, Azure. Thanks for that. I had thought the same, but was mildly paranoid over the simplicity :-)
    So, for adding WAP servers would this be done after decommissioning of the on-premise?
    Thanks for your help.

    S.

    Reply
    1. Kelsey Epps (Post author)

      No, you can add the WAP servers at any time. I recently did a project where I exported the config from ADFS 2.0 and built out a whole AD FS 3.0 solution in Azure. The ADFS 2.0 was up and running until I cut over the DNS to point at Azure and AD FS 3.0. Once the DNS is updated, then you can decommission the 2.0 servers.

      Reply
  4. Trevor

    Thanks, this looks like a good start. I’m looking to utilize the same SQL Server with the new ADFS 3.0 databases, does ADFS 3.0 still use databases named ADFSArtifactStore and ADFSConfiguration? If so, can they be renamed or does a new SQL instance need to be created to store the new databases before import?

    Reply
  5. Eugen

    Hi,
    I have tried to import ADFS Config from old Server but get this.

    Reading configurations from folder ‘C:\temp\adfs_export’…
    Importing federation services configurations to server ‘ADFS01’…
    Set-ADFSProperties : ADMIN0108: Certificate management service cannot be
    enabled in a farm without creating certificate sharing container. Use
    Set-ADFSCertSharingContainer cmdlet to create the container.
    At line:1 char:1
    + Set-ADFSProperties -CertificateDuration $Parameters[“CertificateDuration”]
    -Auto …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
    + CategoryInfo : NotSpecified: (:) [Set-AdfsProperties], InvalidD
    ataException
    + FullyQualifiedErrorId : System.IO.InvalidDataException,Microsoft.Identit
    yServer.Management.Commands.SetServicePropertiesCommand

    I have created the “Set-ADFSCertSharingContainer” container, but it does not help.
    Can I use a normal Active Directory user account, not a service account or group managed service account?

    Reply
    1. Kelsey Epps (Post author)

      I’ll have to update this article, because the error that you are referencing happens when the ADFS 2.0 isn’t in a farm configuration. You’ll have to do a manual migration.

      Reply
  6. Massimo

    Kelsey, I definitely love your article. Just a question: are you REALLY sure that you don’t need to export Token Signing certificates? AFAIK if you don’t do it, Microsoft Federation Gateway will not recognize you unless you issue a powershell command to update federation. Am I wrong?

    Reply

  8. dmcgee333

    My current ADFS 2 server runs on the “network service” account. It doesn’t seem that ADFS 3.0 allows this user to be the service account. What do you recommend? (Either how do I get 3.0 to recognize this account, or how do I switch 2.0 without breaking everything?)

    Reply
    1. Kelsey Epps (Post author)

      I would have to dig into this and research. Unfortunately I don’t have the time. It might be worth it to open a service request with Microsoft. Let me know how it turns out.

      Reply
  9. O365MigratorNovice

    What if the certificate does not have a Private Key? When I go to export, it is grayed out.

    Reply
  10. Tom Lee

    Hi Kelsey,

    We have ADFS 2.0 running for several years and now try to upgrade to 3.0. We have two ADFS servers and two proxies and use SQL Server as the database. I followed your instruction up to the point that I was supposed to click on ‘Configure’ but stopped right there. The reason I stopped was because it said it would configure the primary server in the new ADFS farm with the same farm name as the production one. I don’t know how it would impact my current production ADFS if any. Any advice?

    Thank you so much!

    Tom Lee

    Reply
  11. John G

    Hi Kelsey
    What if I created a new ADFS farm on W2012R2, with a total different ADFS name than used on the farm in production (W2008R2) – How do I change this, so when logging on to O365 I use the new DNS (ADFS) name ?

    W2008R2 name: ADFS.domain.name
    W2012R2 name: FS.domain.name
    I use a * certificate

    When i check “Get-MsolFederationProperty” for the source “Microsoft Office 365” it point to ADFS.domain.name.

    Also in “Get-MsolDomainFederationSettings” configuration is using ADFS.domain.name

    Reply
  12. Kevin Conway

    Do you have to run the Export Configuration Script from the machine that contains the SQL Database? My primary ADFS 2.1 Server and the ADFS SQL server are on 2 different machines. When I run the export command from the ADFS 2.1 machine, I receive an error:
    Failed to read service setting from the AD FS Configuration Database.

    Reply
