Microsoft AD FS
This guide is designed to assist security administrators in integrating Microsoft Active Directory Federation Services (AD FS) with Thales Luna HSM devices or Luna Cloud HSM services. Offloading cryptographic operations such as key generation, encryption, decryption, and signing from the AD FS server to the Luna HSM improves both security and performance: the AD FS server no longer performs private-key operations itself and can devote its resources to handling authentication requests.
From a security perspective, the integration isolates the high-value AD FS keys (the token-signing, token-decrypting, and TLS private keys) inside a dedicated, FIPS 140-2 or FIPS 140-3 Level 3 validated hardware security module. The keys are generated on the HSM and never leave it in clear form, so a compromise of the AD FS server's file system or certificate store does not yield the key material, and every private-key operation takes place in a tamper-resistant environment. Be clear about what this does and does not cover: the HSM prevents extraction of the keys, but any principal that can use the registered slot (the AD FS service account, or an attacker who has taken over the AD FS server) can still sign tokens with them, so access to the server and to the service account must remain tightly controlled and monitored.
Key benefits of integrating Microsoft AD FS with Luna HSM devices or Luna Cloud HSM services include:
- Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that this audit trail is not available with the Luna Cloud HSM service.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Platform Tested |
---|---|
Luna HSM | Windows Server 2019 |
Luna Cloud HSM | Windows Server 2019 |
Prerequisites
The prerequisites for this integration are:
Set up Microsoft AD FS
This procedure outlines the steps to set up Microsoft AD FS using one Windows Server as a Domain Controller and Certificate Authority (CA) and another as the federation and web server. Follow these instructions to create the Group Managed Service Account (gMSA) and prepare the AD FS service for your domain.
1. Set up the following machines for the AD FS installation:
- A Windows server acting as a domain controller and CA.
- A Windows server serving as the federation server and web server.
Note
Ensure that Active Directory Domain Services (AD DS) is installed on the domain controller machine and that the AD FS/web server has joined the domain. In this guide, we are using contoso.com as the domain.
2. Denote the machines used in the setup as follows:
- ADFSCA: Domain controller and CA machine.
- ADFSWEB: AD FS and web server machine.
3. Create a Group Managed Service Account (gMSA) that will be used to run the AD FS service. Perform the following steps on the AD DS (domain controller) machine:
a. Open PowerShell as an Administrator to execute the commands.
b. Create a Key Distribution Services (KDS) root key so that domain controllers can begin generating gMSA passwords:
PS C:\> Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
Backdating the effective time skips the default 10-hour wait that lets the key replicate to all domain controllers. This is acceptable in a single-DC lab such as the one described here; in a production forest with several domain controllers, run Add-KdsRootKey without -EffectiveTime and wait 10 hours before creating the gMSA.
c. Create the Group Managed Service Account to run the AD FS service:
PS C:\> New-ADServiceAccount adfsgMSA -DNSHostName adfsweb.contoso.com -ServicePrincipalNames http/adfsweb.contoso.com
d. Set the Service Principal Name (SPN) for the AD FS service:
PS C:\> setspn -s http/adfsweb.contoso.com contoso.com\adfsgMSA
Note
The gMSA account created here must be registered with the SafeNet KSP later, when configuring the Key Storage Provider (KSP).
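The commands above, collected into one idempotent script with the checks a practitioner would run before handing the account to the AD FS configuration wizard. This is an added example, not part of the original guide; it assumes the names used in this guide (contoso.com, adfsgMSA, adfsweb.contoso.com, ADFSWEB), adds an explicit PrincipalsAllowedToRetrieveManagedPassword entry so the account can be tested from ADFSWEB before AD FS is configured, and uses a $Lab switch of its own to choose between the backdated KDS root key and the production wait.

```powershell
# Added example (not from the original guide): provision and verify the AD FS gMSA.
# Run on the domain controller (ADFSCA) as a Domain Admin. Names follow this guide:
# domain contoso.com, gMSA adfsgMSA, federation server ADFSWEB / adfsweb.contoso.com.
Import-Module ActiveDirectory

$gmsaName   = 'adfsgMSA'
$fsHost     = 'adfsweb.contoso.com'
$fsComputer = 'ADFSWEB$'   # computer account that must be able to retrieve the gMSA password
$Lab        = $true        # assumption of this example: single-DC lab, not a production forest

# 1. KDS root key. Backdating -EffectiveTime skips the 10-hour replication wait and is
#    only safe when there is a single domain controller. In production, create the key
#    with no -EffectiveTime and come back after 10 hours.
if (-not (Get-KdsRootKey)) {
    if ($Lab) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null }
    else      { Add-KdsRootKey | Out-Null; throw 'KDS root key created; wait 10 hours, then re-run' }
}

# 2. Create the gMSA with its DNS host name and HTTP SPN. Granting ADFSWEB the right to
#    retrieve the managed password here (the AD FS wizard can also do it) lets you test
#    the account on ADFSWEB before AD FS is installed.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName $fsHost `
        -ServicePrincipalNames "http/$fsHost" `
        -PrincipalsAllowedToRetrieveManagedPassword $fsComputer
}

# 3. Show the result: SPNs and who may fetch the password.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword

# 4. A duplicate HTTP SPN anywhere in the forest breaks Kerberos to AD FS; -X -F reports them.
setspn -X -F

# 5. Then, on ADFSWEB (not here), confirm the host can actually retrieve the password:
#    Install-ADServiceAccount -Identity adfsgMSA
#    Test-ADServiceAccount -Identity adfsgMSA      # must print True
```

Test-ADServiceAccount returning False on ADFSWEB is the usual cause of the AD FS wizard failing at the service-account step; fix the PrincipalsAllowedToRetrieveManagedPassword list on the DC before continuing.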
Set up Luna HSM
You need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
1. Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to the Luna HSM documentation.
2. Create a partition that will later be used by Microsoft AD FS.
3. Create and exchange certificates between the Luna Network HSM and the client system. Register the client and assign the partition to create an NTLS connection.
4. Initialize the Crypto Officer and Crypto User roles for the registered partition.
5. Run the following command to verify that the partition has been successfully registered and configured:
C:\Program Files\SafeNet\LunaClient>lunacm.exe
Upon successful execution, you should observe output similar to the example below:
lunacm.exe (64-bit) v10.7.1-125. Copyright (c) 2024 Thales Group. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                TPA01
Serial Number ->        1312109862218
Model ->                LunaSA 7.7.1
Firmware Version ->     7.7.1
Bootloader Version ->   1.1.2
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Current Slot Id: 0
Note
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Set up Luna HSM in High Availability Mode
Refer to Luna HSM documentation for High Availability (HA) steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Note
This integration has been tested using the Luna Client in both HA and FIPS-compliant modes.
Set up Luna Cloud HSM
The following steps are applicable for setting up the Luna Cloud HSM in a Windows environment:
1. Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means.
2. Extract the .zip file into a directory on your client workstation.
3. Extract or untar the appropriate client package for your operating system (cvclient-min.zip). Do not extract to a new subdirectory; place the files in the client install directory.
4. Run the setenv script to generate a new configuration file with the necessary information for the Luna Cloud HSM service. Right-click setenv.cmd and select Run as Administrator.
Note
To add the configuration to an already installed Luna Universal Client (UC), use the -addcloudhsm option when running the setenv script.
5. Run the LunaCM utility and verify that the Cloud HSM service is listed.
Note
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Integrating Luna HSM with Microsoft Active Directory Federation Services
To successfully integrate Microsoft AD FS with Luna HSM or Luna Cloud HSM, follow these key steps:
1. Configure SafeNet Key Storage Provider
2. Install AD CS using SafeNet KSP
3. Set up your CA to issue AD FS certificates through SafeNet KSP
4. Configure and enroll your AD FS TLS certificate to secure communications
5. Install and configure AD FS to ensure proper integration with Luna HSM
6. Enroll and configure AD FS for token signing and decrypting certificates, ensuring secure authentication
7. Verify that AD FS is fully operational and correctly integrated with Luna HSM
Note
Before beginning the integration, it is recommended to get acquainted with Microsoft AD FS. Refer to the Microsoft AD FS documentation for detailed information.
Configure SafeNet Key Storage Provider
The SafeNet Key Storage Provider (KSP) must be configured on both ADFSCA (to secure the certificate authority signing key on the Luna HSM) and ADFSWEB, so that the user accounts and system identities that need them can reach the Luna HSM or Luna Cloud HSM service. Follow these steps to configure the SafeNet KSP:
1. Log in to both ADFSCA and ADFSWEB as a domain administrator.
2. Navigate to the <Luna HSM Client Installation Directory>/KSP directory. If using the Luna Cloud HSM service, the /KSP folder is included in the service client package.
3. Launch the KSP configuration wizard by double-clicking the KspConfig.exe file.
4. Access the Security Library by double-clicking Register or View Security Library in the left pane.
5. Register the cryptographic library by clicking Browse, navigating to the Luna HSM Client installation directory, and selecting cryptoki.dll. Then click Register. If using Luna Cloud HSM, the cryptographic libraries are in the service client package.
6. Confirm successful registration with the message: Success registering the security library!
7. Register HSM slots by double-clicking Register HSM Slots in the left pane.
8. Select the logged-in user and enter the Slot Password.
9. Register the user slot for User \ Domain by clicking Register Slot. A message will confirm successful registration: The slot was successfully and securely registered!
10. Repeat the slot registration process for SYSTEM \ NT AUTHORITY.
11. Confirm successful registration with the message: The slot was successfully and securely registered!
12. Close the KSP configuration wizard.
13. On ADFSWEB only, also register the slot for the AD FS gMSA account created during the AD FS setup, so that the AD FS service can open the partition when it runs under that account. Steps 14 to 19 describe this registration.
Note
Steps 13 and onward apply only to the ADFSWEB system, where the AD FS service is being set up. Slot registration stores the partition credentials for the named account; every identity that will use HSM-backed keys (the interactive administrator, SYSTEM, and the gMSA) needs its own registration.
14. Navigate to the <Luna HSM Client Installation Directory>/KSP directory. If using Luna Cloud HSM, the /KSP folder is in the service client package.
15. Double-click the KspConfig.exe file to launch the KSP configuration wizard.
16. Double-click Register HSM Slots on the left side of the pane.
17. Enter the gMSA account name in the User section and enter the Slot Password.
18. Click Register Slot to register the slot. Upon successful registration, the following message appears: The slot was successfully and securely registered!
19. Close the KSP configuration wizard and restart the ADFSWEB system.
Install AD CS using SafeNet KSP
Active Directory Certificate Services (AD CS) can be installed using the Microsoft Software Key Storage Provider, but it is recommended to use a Luna HSM to secure the Certificate Authority (CA) signing key. To install Microsoft AD CS and secure the signing key with the Luna HSM, follow these steps:
1. Log in to ADFSCA as an Enterprise Admin or Domain Admin.
2. Open Server Manager and click Add Roles and Features.
3. Click Next when the Add Roles and Features wizard appears.
4. Select the Role-based or feature-based installation option and click Next.
5. Select the Select a server from the server pool option and choose your server from the Server Pool menu.
6. Click Next and select the Active Directory Certificate Services check box.
7. A prompt will appear asking if you want to add the required features for Active Directory Certificate Services. Click Add Features to confirm.
8. Click Next to proceed.
9. Click Next on the Features page to continue.
10. Click Next on the AD CS page to continue.
11. Select the Certification Authority check box from the Role Services list and click Next.
12. Click Install.
13. After installation is complete, click Configure Active Directory Certificate Services on the destination server to open the AD CS Configuration wizard.
14. Click Next on the Credentials page of the AD CS Configuration wizard to continue.
15. Select the Certification Authority check box in Role Services and click Next.
16. Select the Enterprise CA radio button and click Next.
17. Select the Root CA radio button and click Next.
18. Select the Create a new private key radio button and click Next.
19. Click the Select a cryptographic provider drop-down menu and choose RSA#SafeNet Key Storage Provider. Select the key length, for example, 2048. Choosing any other provider here silently leaves the CA key in software, so check this entry carefully.
20. Choose the hash algorithm for signing certificates issued by this Certificate Authority; for example, select SHA256.
21. Click Next.
22. Enter a common name to identify this Certificate Authority and click Next.
23. Set the Certificate Validity Period, then click Next. Configure the location of the certificate database, which stores all certificate requests, issued certificates, and records of revoked or expired certificates. Click Next to proceed.
24. Click Configure to apply the selected roles, role services, or features.
25. Click Close to exit the AD CS Configuration wizard after viewing the installation results. The CA's private key has now been generated on, and is stored in, the Luna HSM.
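An added verification script (not from the original guide) for the two preceding procedures: it checks on ADFSCA that the SafeNet KSP is registered and usable, then confirms that the CA's signing key is bound to that provider rather than to the Microsoft Software Key Storage Provider. The CA common name ($caName) is an assumption; substitute the name you entered in step 22.

```powershell
# Added example (not from the original guide): verify on ADFSCA that the SafeNet KSP is
# registered and that the CA signing key lives behind it. Run as a local Administrator.
$Ksp    = 'SafeNet Key Storage Provider'
$caName = 'contoso-ADFSCA-CA'   # assumption: the common name you entered in step 22

# 1. The KSP must be present in the provider list that KspConfig.exe registers it into.
$providers = certutil -csplist
if (-not ($providers | Select-String -SimpleMatch $Ksp)) {
    throw "$Ksp is not registered on this host; re-run KspConfig.exe and register cryptoki.dll"
}

# 2. Exercise it. -csptest generates a key and signs with the named provider, so it fails
#    if the HSM slot is not registered for the account running the test (steps 8 and 9).
certutil -csptest $Ksp

# 3. AD CS records the CA key's provider under the CA registry key. 'Microsoft Software
#    Key Storage Provider' here would mean the wizard silently fell back to software.
$caProvider = certutil -getreg CA\CSP\Provider
certutil -getreg CA\CSP\CNGHashAlgorithm   # expect SHA256 as chosen in step 20
if (-not ($caProvider | Select-String -SimpleMatch $Ksp)) {
    throw 'CA signing key is not held by the SafeNet KSP'
}

# 4. Cross-check from the certificate store: the CA certificate's private-key binding must
#    also report the SafeNet provider (the same check the guide uses for the AD FS certificates).
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$caName*" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate for CN=$caName in LocalMachine\My" }
certutil -verifystore My $caCert.Thumbprint | Select-String -SimpleMatch 'Provider ='
"OK: CA '$caName' signs with a key held by $Ksp"
```

Run step 2 once more under the gMSA identity on ADFSWEB (for example from a scheduled task running as the gMSA) if you want proof that the slot registration in step 17 of the KSP procedure worked before AD FS depends on it.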
Set up your CA to issue AD FS certificates through SafeNet KSP
Follow the steps below to configure a CA to create a certificate template and issuing properties for AD FS server certificates.
1. Log in to ADFSCA as a domain administrator.
2. Select Run from the Start menu. Type certtmpl.msc and press Enter. The Certificate Templates Console appears.
3. Expand the Certificate Templates snap-in under Console Root. All available certificate templates are listed in the middle pane; you will duplicate and modify one of them for your CA to issue.
4. Scroll down to locate the Web Server template.
5. Right-click the Web Server template and select Duplicate Template.
6. In the Compatibility tab, set Certification Authority to Windows Server 2016 and Certificate recipient to Windows 10 / Windows Server 2016.
7. Click the General tab.
8. Enter the Template display name, such as ADFS Server.
9. Select Publish certificate in Active Directory.
10. Click the Cryptography tab and select Key Storage Provider as the Provider Category.
11. Select the Requests can use any provider available on the subject's computer option.
12. Click the Request Handling tab. In the Purpose field, select Signature and encryption.
13. Select Authorize additional service accounts to access the private key.
14. Click Key Permissions… and then click Add….
15. Click Object Types…, select Service Accounts and Computers, and then click OK.
16. Type the gMSA service account name and the AD FS server computer name, then click Check Names.
17. Click OK. In the Permissions for accounts section, select Allow Full Control for both the gMSA account and ADFSWEB, then click OK. This is what lets the AD FS service, running as the gMSA, use private keys enrolled from this template.
18. Click the Security tab and click Add.
19. Type NETWORK SERVICE and click OK.
20. Click NETWORK SERVICE in the Group or user names area.
21. Ensure that the Read and Enroll check boxes are selected in the Permissions area.
22. Similarly, add and grant Read and Enroll permissions to Domain Computers, Domain Controllers, and IIS_IUSRS.
23. Grant Read, Write, and Enroll permissions to Domain Admins and Enterprise Admins by selecting the respective check boxes.
24. Click Apply, then click OK. Close the Certificate Templates Console.
25. From the Start menu, select Control Panel > Administrative Tools > Certification Authority.
26. Expand the CA in the console tree. Look for the computer icon with a green tick next to it.
27. In the Certification Authority snap-in's console tree, right-click Certificate Templates, and then select New > Certificate Template to Issue.
28. In the Enable Certificate Templates window, choose ADFS Server (or the template name you configured) and click OK.
29. Open Certificate Templates in the Certification Authority console and verify that the new template appears in the list.
30. Stop and start the Certification Authority service.
Configure and enroll your AD FS TLS certificate to secure communications
To secure communication between your AD FS server and clients, follow the steps below to configure and enroll the AD FS TLS certificate:
1. Log on to ADFSWEB as a domain administrator.
2. Select Run from the Start menu.
3. Type mmc in the Run dialog box and click OK.
4. When the MMC console appears, select File > Add/Remove Snap-in….
5. In the Add or Remove Snap-ins dialog box, select the Certificates snap-in from the Available snap-ins section.
6. Click Add >>, select Computer Account, and click Next.
7. Select Local Computer and click Finish.
8. Click OK and expand Certificates under Console Root.
9. Right-click the Personal folder and select All Tasks > Request New Certificate….
10. Click Next, select Active Directory Enrollment Policy, and then click Next. The configured certificate template is displayed.
11. Click Details, then select Properties.
12. Select the Subject tab when the Certificate Properties window appears.
13. Choose Common Name from the Type dropdown in the Subject Name section. Enter the system's fully qualified domain name, such as ADFSWEB.contoso.com, in the Value field. Click Add and repeat as necessary to add additional values.
14. Select DNS from the Type dropdown in the Alternative Name section and add the following values:
- ADFSWEB.contoso.com: Fully qualified domain name of the AD FS server (the federation service name).
- certauth.ADFSWEB.contoso.com: The alternate host name AD FS uses when performing certificate-based authentication on port 443. Clients doing certificate authentication fail TLS validation if this name is missing from the certificate.
15. Click the General tab and provide a Friendly Name, for example ADFS TLS Cert.
16. Click the Private Key tab and, under Cryptographic Service Provider, select RSA, SafeNet Key Storage Provider. Ensure that all other providers are deselected; if the Microsoft Software Key Storage Provider is left selected, the key may be generated in software instead of on the HSM.
17. Click the Certificate Authority tab and ensure that the Enterprise Root CA is selected.
18. Click Apply, then click OK.
19. Select the ADFS Server template (or the template you configured) and click Enroll.
20. Wait for the enrollment process to complete. When it succeeds, click Finish.
21. Close the certificate console.
Install and configure AD FS to ensure proper integration with Luna HSM
To install and configure Active Directory Federation Services (AD FS) on your server, follow these steps:
1. Log in to ADFSWEB as a domain administrator.
2. Open Server Manager. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, click Add Roles and Features on the Manage menu.
3. Click Next on the Before you begin page.
4. Select Role-based or feature-based installation on the Select installation type page, and click Next.
5. Select Select a server from the server pool, verify that the target computer is selected, and click Next on the Select destination server page.
6. Select Active Directory Federation Services on the Select server roles page, and then click Next.
7. Click Next on the Select features page. The required prerequisites are preselected.
8. Click Next on the Active Directory Federation Service (AD FS) page.
9. Verify the information on the Confirm installation selections page, and click Install.
10. On the Dashboard page of Server Manager, click the Notifications flag, and then click Configure the federation service on this server.
11. The Active Directory Federation Services Configuration Wizard opens.
12. Select Create the first federation server in a federation server farm on the Welcome page, and click Next.
13. Enter domain administrator credentials for the Active Directory (AD) domain to which this computer is joined on the Connect to AD DS page, and click Next.
14. On the Specify Service Properties page:
- Select the TLS certificate enrolled for AD FS through the SafeNet Key Storage Provider.
- Enter a name for the federation service, such as adfsweb.contoso.com, ensuring that it matches one of the Subject or Subject Alternative Names in the certificate.
- Provide a display name for the federation service that will appear on the sign-in page.
- Click Next.
15. Select Use an existing domain user account or group Managed Service Account on the Specify Service Account page. Click Select… and specify the gMSA account whose HSM slot you registered with the SafeNet Key Storage Provider. Click Next.
16. Specify an AD FS configuration database on the Specify Configuration Database page, then click Next. You can either select Create a database on this computer using Windows Internal Database or specify the location and instance name of an existing Microsoft SQL Server database, if configured.
17. Verify your configuration selections on the Review Options page, and then click Next.
18. Ensure that all prerequisite checks complete successfully on the Pre-requisite Checks page, then click Configure.
19. Check the Results page to confirm that the configuration has completed successfully, then click Next steps required for completing your federation service deployment.
20. Click Close to exit the configuration wizard.
21. Restart the ADFSWEB server.
Enroll and configure AD FS for token signing and decrypting certificates, ensuring secure authentication
In this procedure, you will enroll and configure Active Directory Federation Services (AD FS) for token-signing and token-decrypting certificates. The token-signing and token-decrypting certificates created by the AD FS role configuration are self-signed and their private keys are software-based. The TLS certificate was already enrolled on a Luna HSM-backed private key in an earlier step. Follow the steps below to enroll new token-decrypting and token-signing certificates whose keys are generated on the Luna HSM, and to make them the primary certificates:
1. Log on to ADFSWEB as a domain administrator.
2. Select Run from the Start menu.
3. Type mmc in the Run dialog box, and click OK.
4. Select File > Add/Remove Snap-in… when the MMC console appears.
5. Select the Certificates snap-in from the Available snap-ins section in the Add or Remove Snap-ins dialog box.
6. Click Add >>, select Computer Account, and click Next.
7. Select Local Computer, and click Finish.
8. Click OK and expand Certificates under Console Root.
9. Right-click the Personal folder and select All Tasks > Request New Certificate….
10. Click Next, select Active Directory Enrollment Policy, and then click Next. The certificate template that you configured is displayed.
11. Click Details and then Properties.
12. Select the Subject tab in the Certificate Properties window.
13. In the Subject Name section, choose Common Name and enter a value that identifies the purpose together with the fully qualified domain name of the AD FS server:
- For token signing: ADFS Token Signing - ADFSWEB.contoso.com
- For token decrypting: ADFS Token Encryption - ADFSWEB.contoso.com
14. Click Add to include the value. Repeat this step to add additional values, if necessary.
15. Click the General tab and provide a Friendly Name:
- For the signing certificate: ADFS Signing
- For the decrypting certificate: ADFS Decryption
16. Click the Private Key tab, and under Cryptographic Service Provider, select RSA, SafeNet Key Storage Provider. Ensure that all other listed providers are deselected.
17. Click the Certificate Authority tab and verify that the Enterprise Root CA is selected.
18. Click Apply, then OK.
19. Select the ADFS Server template (or the template you configured) and click Enroll.
20. Wait for the enrollment process to complete, then click Finish.
21. Repeat steps 9 to 20 for the second certificate, and confirm that both the token-signing and token-decrypting certificates have been created successfully.
22. Close the certificate console.
23. Open a PowerShell command prompt as an Administrator. Run the following command to display the AD FS TLS certificate binding:
PS C:\> Get-AdfsSslCertificate
24. Copy the CertificateHash and run the following command to confirm that the TLS certificate's private key is held by the SafeNet Key Storage Provider (look for a Provider = SafeNet Key Storage Provider line in the output):
PS C:\> certutil -verifystore My [CertificateHash]
25. Disable automatic certificate rollover. While it is enabled, AD FS manages the self-signed token certificates itself and does not accept manually added certificates:
PS C:\> Set-AdfsProperties -AutoCertificateRollover $false
26. Navigate to Start > Windows Administrative Tools > AD FS Management.
27. Expand the AD FS folder and navigate to Service > Certificates.
28. Update the token-signing certificate to use the new Luna HSM-backed certificate/key:
a. Right-click Certificates and select Add Token-Signing Certificate….
b. In the Select a token-signing certificate screen, click More choices and select the newly created HSM-based token-signing certificate, then click OK. In this demonstration, it is named ADFS Signing.
c. A warning pops up advising you to ensure that the private key is accessible for each AD FS server; click OK. In a farm, every federation server must have the SafeNet KSP configured and the gMSA slot registered, because the private key is on the HSM and not in the AD FS configuration database.
d. The new certificate is now visible in the middle pane. Double-click the certificate to view its properties.
e. In the middle pane, right-click the new HSM token-signing certificate and select Set as Primary. From this point AD FS signs tokens with the HSM-backed key, so relying parties must have refreshed the federation metadata (which publishes both certificates) before this step.
f. You can delete the original certificate, which is now marked as Secondary.
29. Update the token-decrypting certificate to use the new Luna HSM-backed certificate/key:
a. Right-click Certificates and select Add Token-Decrypting Certificate….
b. In the Select a token-decrypting certificate screen, click More choices and select the newly created HSM-based token-decrypting certificate, then click OK. In this demonstration, it is named ADFS Decryption.
c. A warning pops up advising you to ensure that the private key is accessible for each AD FS server; click OK.
d. The new certificate is now visible in the middle pane. Double-click the certificate to view its properties.
e. In the middle pane, right-click the new HSM token-decrypting certificate and select Set as Primary.
f. You can delete the original certificate, which is now marked as Secondary.
30. Close the AD FS Management console.
31. Navigate to Start > Windows Administrative Tools > Computer Management.
32. In the left pane, expand Local Users and Groups. Double-click Groups to display all local groups.
33. Locate the Administrators group. Right-click it and click Add to Group….
34. In the Properties window, click Add… and then enter the gMSA account that runs the AD FS service.
35. Click Check Names and then OK to add the gMSA account to the local Administrators group.
36. Click Apply and then OK. Close the Computer Management console. Be aware that this grants the AD FS service account full administrative rights on ADFSWEB; do not reuse this gMSA for any other service, and monitor it as you would any other privileged account.
37. Restart the AD FS service by running the following commands in the PowerShell command prompt:
PS C:\> net stop adfssrv
PS C:\> net start adfssrv
Note
Ensure that the PowerShell command prompt is launched as an Administrator.
38. Navigate to Start > Windows Administrative Tools > AD FS Management.
39. Expand the AD FS folder and navigate to Service > Certificates.
40. Double-click the token-signing or token-decrypting certificate to open the certificate properties. Copy the certificate Thumbprint.
41. Run the following command in the PowerShell command prompt to verify that the certificate's key is held by the SafeNet Key Storage Provider:
PS C:\> certutil -verifystore My [Thumbprint]
42. Close the PowerShell command prompt and the AD FS Management console.
43. Verify that AD FS is operational.
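The certificate-enrollment steps in this procedure and in the earlier TLS procedure are the same mechanism with different names, so here is one added PowerShell example, not part of the original guide, that performs them with certreq and then swaps the token-signing and token-decrypting certificates in with the AD FS cmdlets (the equivalent of steps 25 to 29 above). The template name ADFSServer, the CA configuration string, the function name New-HsmCertificate and the $Ksp variable are this example's own assumptions; the INF keys, certreq and the AD FS cmdlets are standard Windows tooling.

```powershell
# Added example (not from the original guide): enroll AD FS certificates on HSM-backed keys
# with certreq, then make the new token certificates primary with the AD FS cmdlets.
# Run on ADFSWEB as a domain administrator after the ADFS Server template is published.
# Assumptions of this example: template name 'ADFSServer', the CA config string below
# (run 'certutil -config - -ping' to find yours), and the function/variable names.
$Template = 'ADFSServer'
$CaConfig = 'adfsca.contoso.com\contoso-ADFSCA-CA'
$Ksp      = 'SafeNet Key Storage Provider'
$fs       = 'adfsweb.contoso.com'

function New-HsmCertificate {
    param(
        [Parameter(Mandatory)][string] $Subject,        # e.g. 'CN=ADFS Token Signing - ADFSWEB.contoso.com'
        [Parameter(Mandatory)][string] $FriendlyName,
        [string[]]                     $DnsNames = @()  # SANs; only the TLS certificate needs them
    )
    $base = Join-Path $env:TEMP ($FriendlyName -replace '\W', '_')
    $inf = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"

    # ProviderName is the line that matters: it makes certreq generate the key through the
    # SafeNet KSP, i.e. on the Luna HSM. MachineKeySet places it in LocalMachine, where
    # AD FS and HTTP.SYS look for it. Exportable is moot for an HSM key but kept explicit.
    $lines = @(
        '[NewRequest]'
        "Subject = `"$Subject`""
        "FriendlyName = `"$FriendlyName`""
        "ProviderName = `"$Ksp`""
        'KeyAlgorithm = RSA'
        'KeyLength = 2048'
        'HashAlgorithm = SHA256'
        'MachineKeySet = TRUE'
        'Exportable = FALSE'
        'RequestType = PKCS10'
        '[RequestAttributes]'
        "CertificateTemplate = $Template"
    )
    if ($DnsNames.Count -gt 0) {
        $lines += '[Extensions]'
        $lines += '2.5.29.17 = "{text}"'                       # subjectAltName
        foreach ($n in $DnsNames) { $lines += "_continue_ = `"dns=$n&`"" }
    }
    Set-Content -Path $inf -Value $lines -Encoding ASCII

    certreq -new -q $inf $req                       | Out-Null  # key generated via the KSP
    certreq -submit -q -config $CaConfig $req $cer  | Out-Null  # issued by the enterprise CA
    certreq -accept -q $cer                         | Out-Null  # binds the cert to the HSM key
    Remove-Item $inf, $req, $cer -ErrorAction SilentlyContinue

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "Enrollment of $FriendlyName did not produce a certificate" }
    # Refuse to continue if the key ended up in a software provider.
    $keyInfo = certutil -verifystore My $cert.Thumbprint
    if (-not ($keyInfo | Select-String -SimpleMatch "Provider = $Ksp")) {
        throw "Private key of $FriendlyName is not held by $Ksp"
    }
    return $cert
}

# TLS certificate (the earlier procedure). If enrolled before the AD FS wizard, select it in
# step 14 of the wizard; if enrolled afterwards, rebind HTTP.SYS with Set-AdfsSslCertificate.
$tls = New-HsmCertificate -Subject "CN=$fs" -FriendlyName 'ADFS TLS Cert' -DnsNames $fs, "certauth.$fs"
Set-AdfsSslCertificate -Thumbprint $tls.Thumbprint

# Token-signing and token-decrypting certificates (this procedure, steps 9 to 21).
$sig = New-HsmCertificate -Subject "CN=ADFS Token Signing - $fs"    -FriendlyName 'ADFS Signing'
$enc = New-HsmCertificate -Subject "CN=ADFS Token Encryption - $fs" -FriendlyName 'ADFS Decryption'

# Steps 25 to 29: AD FS rejects manual certificate changes while it manages rollover itself.
Set-AdfsProperties -AutoCertificateRollover $false
foreach ($p in @(@{ Type = 'Token-Signing'; Cert = $sig }, @{ Type = 'Token-Decrypting'; Cert = $enc })) {
    Add-AdfsCertificate -CertificateType $p.Type -Thumbprint $p.Cert.Thumbprint
    # -IsPrimary switches signing/decryption to the HSM key immediately: relying parties
    # must have refreshed the federation metadata (which now lists both certificates) first.
    Set-AdfsCertificate -CertificateType $p.Type -Thumbprint $p.Cert.Thumbprint -IsPrimary
    Get-AdfsCertificate -CertificateType $p.Type | Where-Object { -not $_.IsPrimary } |
        ForEach-Object { Remove-AdfsCertificate -CertificateType $p.Type -Thumbprint $_.Thumbprint }
}
Restart-Service adfssrv
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint
```

The provider check inside New-HsmCertificate is the point of the function: the template allows any provider, so a request that quietly used the Microsoft Software KSP would otherwise be accepted and installed without anyone noticing that the key is not on the HSM.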
Verify that AD FS is fully operational and correctly integrated with Luna HSM
After configuring AD FS to use Luna HSM for securing TLS, Token Signing, and Token Decrypting keys, it is essential to verify that the AD FS server is functioning correctly. This procedure will guide you through the steps to confirm that your federation server is operational and properly utilizing the SafeNet Key Storage Provider on Luna HSM for key access. Follow the steps below to complete the verification.
1. Open a browser and, in the address bar, type the federation service name followed by /federationmetadata/2007-06/federationmetadata.xml to browse to the federation service metadata endpoint. For example: https://adfsweb.contoso.com/federationmetadata/2007-06/federationmetadata.xml
Note
Ensure that your browser is configured to trust the federation server role by adding your federation service name (for example, https://adfsweb.contoso.com) to the browser's local intranet zone.
2. Verify that the federation server metadata is displayed without any TLS/SSL errors or warnings in the browser window. This confirms that the federation service is operational and that the HTTPS binding is serving the HSM-backed TLS certificate. The metadata also lists the token-signing certificates in its KeyDescriptor elements; the certificate marked for signing should be the HSM-backed ADFS Signing certificate you made primary.
3. Enable the AD FS IdP-initiated sign-on page for verification by opening PowerShell as an Administrator and running the following command:
PS C:\> Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
4. Open a browser and, in the address bar, type the federation service name followed by /adfs/ls/idpinitiatedsignon.aspx to access the AD FS sign-on page. For example: https://adfsweb.contoso.com/adfs/ls/idpinitiatedsignon.aspx
5. Click Sign in on the AD FS sign-in screen, provide your credentials, and click Sign in again.
6. Confirm that the message "You are signed in" is displayed. Together with the certutil checks performed earlier, this verifies that AD FS is operational and is using the SafeNet Key Storage Provider to access the keys secured on the Luna HSM. The IdP-initiated sign-on page is a test aid; disable it again with Set-AdfsProperties -EnableIdPInitiatedSignonPage $false once verification is complete.
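A successful sign-in shows that the service runs, but not which key signed anything. The following added script, which is not part of the original guide, closes that gap: it reads the signing certificate published in the federation metadata, checks that it is the primary token-signing certificate AD FS holds, and confirms through certutil that the private key belongs to the SafeNet KSP. It assumes the federation service name adfsweb.contoso.com and is run on ADFSWEB.

```powershell
# Added example (not from the original guide): confirm which key AD FS signs tokens with.
# Run on ADFSWEB. Assumes the federation service name adfsweb.contoso.com.
$fs  = 'adfsweb.contoso.com'
$Ksp = 'SafeNet Key Storage Provider'

# 1. Signing certificates advertised to relying parties in the federation metadata.
$url = "https://$fs/federationmetadata/2007-06/federationmetadata.xml"
$xml = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$ns  = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$published = Select-Xml -Xml $xml -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    } | Sort-Object Thumbprint -Unique
if (-not $published) { throw 'No signing certificate found in the federation metadata' }

# 2. The certificate AD FS itself treats as primary for token signing.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if (-not $primary) { throw 'No primary Token-Signing certificate configured' }

# 3. Both views must agree, and the key must be in the HSM's provider. A mismatch means
#    relying parties will validate against a certificate AD FS is not actually using.
if ($published.Thumbprint -notcontains $primary.Thumbprint) {
    throw "Primary token-signing certificate $($primary.Thumbprint) is not published in the metadata"
}
$keyInfo = certutil -verifystore My $primary.Thumbprint
if (-not ($keyInfo | Select-String -SimpleMatch "Provider = $Ksp")) {
    throw "Token-signing key $($primary.Thumbprint) is not held by $Ksp"
}
"OK: tokens are signed with '$($primary.Certificate.Subject)' ($($primary.Thumbprint)) via $Ksp"

# 4. Same check for the TLS binding that the browser test in step 2 relied on.
$tlsHash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
certutil -verifystore My $tlsHash | Select-String -SimpleMatch 'Provider ='
```

Because the metadata is what every relying party trusts, comparing it against Get-AdfsCertificate catches the case where a secondary certificate was added but never made primary, as well as the case where the primary is HSM-backed on this node but a farm member still holds a software key.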