Configuring an Exchange 2013 Hybrid Deployment and Migrating to Office 365 (Exchange Online) (Part 6)

by [Published on 25 July 2013 / Last Updated on 25 July 2013]

In this article we will install and configure Active Directory Federation Services (ADFS) 2.1 on the two ADFS Proxy servers in the perimeter network.


In part 5 of this multi-part article series revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365, or more precisely Exchange Online, we deployed the Active Directory Federation Services (ADFS) Proxy servers that are required for external identity federation with Office 365. More specifically, we deployed and configured two ADFS Proxy servers. In order to achieve high availability, the ADFS Proxy servers have been load balanced using Windows Network Load Balancing (WNLB).

In this part 6, we will continue where we left off in part 5. That is, we will install and configure Active Directory Federation Services (ADFS) 2.1 on the two ADFS Proxy servers in the perimeter network. After we have configured the servers, we will verify they work as expected.

Let’s get going...

Importing the Server Authentication Certificate into IIS

Since all client communication against ADFS occurs via SSL and because the ADFS Proxy servers communicate with the ADFS servers on the internal network via SSL, we need to import a server authentication certificate on each ADFS Proxy server. Because all clients (and the ADFS servers on the internal network) must trust this certificate, it is recommended to import a certificate from a 3rd party certificate provider. Although we use a wildcard certificate in this article series, a single name SSL certificate is sufficient. If you use a single name certificate, the FQDN included should match the FQDN we configured in the previous article (in this example

To import the certificate, first install the Windows Server 2012 “Web Server (IIS)” role. You can do this just like you installed the Network Load Balancing component earlier on: open the Server Manager, click “Manage” > “Add Roles and Features”, and then tick the “Web Server (IIS)” role in the wizard.

Figure 1: Selecting the Web Server (IIS) role

To import the server authentication certificate, open the IIS Manager, and select the web server object followed by opening “Server Certificates” in the middle pane.

Figure 2: Launching the IIS Manager

Figure 3: Selecting Server Certificates in IIS Manager

Under Server Certificates, click “Import” in the action pane as shown in Figure 4.

Figure 4: Clicking “Import” under Server certificates in the IIS Manager

Point to the certificate you wish to import and then specify the password, then click “OK”.

Figure 5: Pointing to the certificate we wish to import

As can be seen in Figure 6, the certificate has now been imported to IIS.

Figure 6: Certificate has been imported

Next step is to bind the certificate to the “Default Web Site”. To do so, expand “Sites” then select the “Default Web Site” and click on the “Bindings” link in the “Action Pane”.

Figure 7: Clicking “Bindings” under Sites in IIS Manager

Under “Site Bindings” click “Add”. In “Add Site Bindings”, select “HTTPS” in the “Type” drop-down box and then point at the imported certificate under “SSL certificate”.

Figure 8: Adding a new site binding for HTTPS

Click “OK” twice.

Repeat the above steps on the secondary ADFS server.
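
The import and binding steps above can also be scripted, which keeps both nodes identical. The following PowerShell is an added example and not part of the original article; the parameters $PfxPath and $FederationName are placeholders, and the script adds checks on the certificate (private key, validity dates, Server Authentication EKU, name match) before binding it to port 443.

```powershell
# Added example (not from the original article). Run elevated on each ADFS Proxy server.
# $PfxPath and $FederationName are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $FederationName
)

Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# Prompt for the PFX password so it is not stored in the script or command history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Without -Exportable the private key is imported as non-exportable.
$imported = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My
$cert = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# Check the certificate before exposing it on port 443.
$now       = Get-Date
$parent    = $FederationName.Substring($FederationName.IndexOf('.') + 1)
$ekuOids   = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$nameMatch = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
    Where-Object { $_ -eq $FederationName -or $_ -eq "*.$parent" }

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
# A certificate with no EKU extension is valid for all purposes, so only test when one is present.
if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'no Server Authentication EKU'
}
if (-not $nameMatch) { $problems += "no name matching $FederationName" }
if ($problems) { throw "Certificate $($cert.Thumbprint) rejected: $($problems -join '; ')" }

# HTTPS binding on the Default Web Site, then attach the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# The PFX file still contains the private key: delete it or move it to protected storage.
```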

Installing & Configuring the ADFS Proxy Server Settings

With the two ADFS Proxy servers configured in a WNLB cluster and the required certificate imported, it is time to get the Windows Server 2012 Active Directory Federation Services (AD FS) role installed and configured on both servers.

With Windows Server 2008 R2 based servers, we had to download and install the separate ADFS 2.0 RTW package. However, with Windows Server 2012 we use the native ADFS role (ADFS 2.1).

To install the ADFS role, open the “Server Manager” and click “Add Roles and Features” > Next > ADFS Proxy.

Figure 9: Installing the ADFS role

Tick “Federation Service Proxy” and click “Next”.

Figure 10: Selecting Federation Service Proxy

When the ADFS role has been installed, click “Run the AD FS Management snap-in” in order to perform the rest of the post-deployment configuration.

Figure 11: Launching the ADFS Proxy Management console

On the “Welcome” page, in the “AD FS Federation Proxy Server Configuration Wizard”, click “Next”.

Figure 12: Launching the AD FS Federation Proxy Server Configuration Wizard

Enter the name of the federation service to which the ADFS Proxy server will redirect client requests (in this case it’s “”) and then click “Test Connection”.

Figure 13: Specifying the name of the federation service to which the ADFS Proxy server will redirect client requests

If things are configured properly and you have access to the federation service via port 443, then you will see the dialog box in Figure 14.

Figure 14: The Federation Service was contacted successfully

Click “OK” and then “Next”. You will be prompted for credentials that have the permissions to establish a trust between the ADFS Proxy server and the ADFS servers on the internal network.

Do so and click “OK”.

You can use the ADFS service account that is used for the ADFS servers on the internal network. Bear in mind that you specify these credentials only once, and that they are not configured for a service on the ADFS Proxy servers.

Figure 15: Entering credentials that have permissions to establish trust with ADFS Servers

Click “Next”.

Figure 16: Settings that will be configured for ADFS 2.1

When the wizard has configured each component with success, click “Close” to exit the wizard.

Figure 17: Each component has been configured with success

Repeat the above steps on the other ADFS Proxy server.

The required configuration steps for the ADFS Proxy servers are now complete.

Verifying the ADFS Proxy Servers Have Been Configured Properly

In order to verify the ADFS Proxy servers are operating as expected, we can open the AD FS log and look for event id 198. If you see this event id, the ADFS Proxy server has been configured properly.

Figure 18: Event id in the AD FS Admin log
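
Because a test through the load-balanced address only reaches one node at a time, it helps to run the event id 198 check against each ADFS Proxy server individually. The following PowerShell is an added example and not part of the original article; the channel name “AD FS/Admin” and the parameter names are assumptions, so confirm the log name on your servers first.

```powershell
# Added example (not from the original article). Run elevated on an ADFS Proxy server.
# The channel name is an assumption; list the real one with: Get-WinEvent -ListLog 'AD FS*'
param(
    [string[]] $ComputerName  = $env:COMPUTERNAME,  # pass both proxy host names to check the pair
    [string]   $LogName       = 'AD FS/Admin',
    [int]      $LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

$results = foreach ($server in $ComputerName) {
    # Fail loudly if the log or server cannot be reached, so that an unreachable
    # node is not mistaken for "event 198 not logged".
    Get-WinEvent -ListLog $LogName -ComputerName $server -ErrorAction Stop | Out-Null

    # Get-WinEvent raises an error when nothing matches, so suppress it and test the result.
    $ok = Get-WinEvent -ComputerName $server -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LogName; Id = 198 }

    # Errors (level 2) and warnings (level 3) logged within the lookback window.
    $bad = @(Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LogName; Level = 2, 3; StartTime = $since })

    [pscustomobject]@{
        Server        = $server
        Event198Seen  = [bool]$ok
        Event198Time  = $ok.TimeCreated
        RecentIssues  = $bad.Count
        LatestIssueId = ($bad | Select-Object -First 1).Id
    }
}

$results | Format-Table -AutoSize

# Flag every node where the success event is missing.
$results | Where-Object { -not $_.Event198Seen } | ForEach-Object {
    Write-Warning "$($_.Server): event id 198 not found in '$LogName'"
}
```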

This concludes part 6 of this multi-part article in which I explain how you configure an Exchange 2013 hybrid deployment followed by migrating to Office 365 (Exchange Online).

The Author — Henrik Walther

Henrik Walther is a respected writer with special focus on Microsoft Exchange and Office 365 solutions. He works as a Principal Architect/Consultant on engagements of all sizes and complexity and has close to two decades of experience in the IT business.
