Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-09-27) Azure AD Can Now Be Managed From The New Azure Portal

Posted by Jorge on 2016-09-27


I noticed that Azure AD is now available from the new Azure Portal as you can see below. Navigate to https://portal.azure.com/ and you should now see “Azure Active Directory” in the left column. When you click on that the tab expands to the right instead of taking you to the classic portal.

I was not able to add items like:

  • Directories
  • AD Access Control Namespaces
  • MFA Providers

…or configure Azure AD components as you were able to do so in the Classic Portal under the “Configure” tab.

For that, unfortunately, you still need the classic portal.

Figure 1: The New Azure Portal Allowing Management Of Azure AD

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Portals, Windows Azure Active Directory

(2016-09-26) Upgrading To MIM 2016 SP1

Posted by Jorge on 2016-09-26


Microsoft has released Microsoft Identity Manager (MIM) 2016 Service Pack 1 (build 4.4.1237.0).

Running FIM 2010 (R2) or MIM 2016 and want to upgrade to MIM 2016 SP1? Read on.

First check whether you can simply upgrade in place to the newer version. If you cannot, the installer shows the message displayed in figure 1, and you have to uninstall the current version before installing the newer one. Before uninstalling anything, create a backup using the scripts from the FIM/MIM Configuration Export Scripts post (2016-09-25) further down this page. Do this FIRST: the installer upgrades the existing database in place, and the export is also where you get the values the new installation asks for.

After having created the backup, uninstall all components one by one and install the new version. Wherever the installer asks for a value you no longer know, take it from the backups/exports.

Figure 1: Message To Uninstall The Current Version First

Upgrading to MIM PCNS

This must be executed on every writable DC!

First uninstall PCNS through Programs and Features.

Then install PCNS by running the MSI interactively (attended) or from the command line with all options specified (unattended).

Upgrading to MIM SYNC

This must be executed on every FIM/MIM Sync server!

First uninstall MIM Sync through Programs and Features.

Then install MIM Sync by running the MSI interactively (attended) or from the command line with all options specified (unattended).

Figure 2: Welcome Screen

Figure 3: License Agreement

Figure 4: Component Selection

Figure 5: Specifying SQL Server And SQL Instance

Figure 6: Specifying FIM/MIM Sync Service Account Credentials

Figure 7: Specifying FIM/MIM Sync Service Security Groups

Figure 8: Enabling Firewall Rules For RPC Connections

Figure 9: Last Screen Before The Actual Installation

Figure 10: Message About Finding The Existing Database And That It Will Be Upgraded

Figure 11: Installation Completed

Figure 12: The Build Of The FIM/MIM Sync Service

Now after installing the product:

  • Check and compare the config files and reconfigure as needed;
  • Check and compare the registry settings and reconfigure as needed;
  • Recompile any code you have (e.g. Rules Extensions) to use it in the new version;

Upgrading to MIM Service And Portal

REMARK: In my case, as you can see below, I had the MIM Service, the MIM Portal, the MIM Password Registration Portal and the MIM Password Reset Portal running on one server. If you have distributed the components across multiple servers, use the following order:

  • MIM Service
  • MIM Portal
  • MIM Password Registration Portal
  • MIM Password Reset Portal

This must be executed on every FIM/MIM server that hosts one of these components!

First uninstall the MIM Service and Portal through Programs and Features.

Then install the MIM Service and Portal by running the MSI interactively (attended) or from the command line with all options specified (unattended).

Figure 13: Welcome Screen

Figure 14: License Agreement

Figure 15: Joining CEIP

Figure 16: Component Selection

Figure 17: Specifying The SQL Server, The Database Name And Whether Or Not You Want To Reuse The Database

Figure 18: Warning About Creating A Backup Before Continuing With The Upgrade

Figure 18: Specifying The Mail Server And Other Related Settings

REMARK: Have you noticed the option "Use Exchange Online"? As soon as you check it, all the other mail options are greyed out.

Figure 19: Configuring The Service Certificate

Figure 20: Configuring The FIM/MIM Service Service Account Credentials And Mail Address

Figure 21: Specifying The FIM/MIM Sync Server And The Account For The FIM/MIM MA

Figure 22: Warning About Not Being Able To Contact The FIM/MIM Sync Service

Figure 23: Specifying The FIM/MIM Service FQDN

Figure 24: Specifying The SharePoint Site Collection URL To Install The Portal In

Figure 25: Specifying The Password Registration Portal URL

Figure 26: Enabling Firewall Rules And Configuring Permissions

Figure 27: Specifying The Credentials, The Hostname And The Port For The Password Registration Portal

Figure 28: Warning About Not Using SSL Due To Custom Port

REMARK: SSL will be configured afterwards in IIS. Until then the portal answers over plain HTTP, so do not publish it to users yet.

Figure 29: Specifying The FIM/MIM Service FQDN And The Accessibility Of The Password Registration Portal

Figure 30: Specifying The Credentials, The Hostname And The Port For The Password Reset Portal

Figure 31: Warning About Not Using SSL Due To Custom Port

REMARK: SSL will be configured afterwards, as for the Password Registration Portal.

Figure 32: Specifying The FIM/MIM Service FQDN And The Accessibility Of The Password Reset Portal

Figure 33: Last Screen Before The Actual Installation

Figure 34: Installation Completed

Now after installing the product:

  • Check and compare the IIS configuration and reconfigure as needed;
  • Check and compare the config files and reconfigure as needed;
  • Check that your customizations for the Password Registration and Reset Portals still exist;
  • Check and compare the registry settings and reconfigure as needed;
  • Recompile any code you have (e.g. Rules Extensions) to use it in the new version;
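The "check and compare" steps above (after the Sync reinstall, after the Service and Portal reinstall, and the registry check after the Add-In reinstall) are easier when you have something to compare against. The following script is an added example, not part of the original post: run it with -Phase Before on each server before you uninstall, with -Phase After once SP1 is installed, and with -Phase Compare to get a list of changed config keys, registry values, service accounts, product versions and rules extension DLL hashes. The file locations, registry keys and service names are the FIM/MIM defaults and are assumptions for this example; adjust them to your own installation.

```powershell
# Added example (not from the original post): snapshot the configuration the
# upgrade touches before you uninstall and again after you install SP1, then
# diff the two. Records appSettings of the config files, the FIM/MIM registry
# keys, service accounts, installed product versions (SP1 is 4.4.1237.0) and
# the hashes of rules extension DLLs, which must change when you recompile.
# Paths, registry keys and service names are assumed defaults; adjust as needed.
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After', 'Compare')][string]$Phase,
    [string]$SnapshotFolder = 'C:\MIMUpgrade\Snapshots'
)

$MimRoot = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010"    # assumed default install root
$ConfigFiles = @(
    "$MimRoot\Synchronization Service\Bin\miiserver.exe.config",
    "$MimRoot\Service\Microsoft.ResourceManagement.Service.exe.config"
)
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service',
    'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service'
)
$ServiceNames   = @('FIMSynchronizationService', 'FIMService')
$ExtensionsPath = "$MimRoot\Synchronization Service\Extensions"

function Get-MimSnapshot {
    $snap = [ordered]@{}

    foreach ($file in ($ConfigFiles | Where-Object { Test-Path $_ })) {
        # Whole-file hash plus every appSettings entry, so a changed value is
        # reported as a concrete key instead of just "file differs".
        $snap["file:$file"] = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        [xml]$xml = Get-Content -Path $file -Raw
        foreach ($add in $xml.SelectNodes('//appSettings/add')) {
            $snap["appSetting:$file:$($add.GetAttribute('key'))"] = $add.GetAttribute('value')
        }
    }

    foreach ($key in ($RegistryKeys | Where-Object { Test-Path $_ })) {
        # The key itself plus all subkeys; values are stored as strings for a simple diff.
        foreach ($item in @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)) {
            foreach ($name in $item.GetValueNames()) {
                $snap["reg:$($item.Name)\$name"] = [string]$item.GetValue($name)
            }
        }
    }

    # Service account and start mode are typed in again during the reinstall;
    # a difference here usually means a typo in one of the installer dialogs.
    $filter = ($ServiceNames | ForEach-Object { "Name='$_'" }) -join ' OR '
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter) {
        $snap["service:$($svc.Name):account"]   = $svc.StartName
        $snap["service:$($svc.Name):startMode"] = $svc.StartMode
    }

    # Installed FIM/MIM product versions as seen by Programs and Features.
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like '*Identity Manager*' } |
        ForEach-Object { $snap["product:$($_.DisplayName)"] = $_.DisplayVersion }

    if (Test-Path $ExtensionsPath) {
        # Rules extensions must be recompiled for the new version: expect these hashes to change.
        Get-ChildItem -Path $ExtensionsPath -Filter *.dll |
            ForEach-Object { $snap["extension:$($_.Name)"] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    }
    return $snap
}

function Compare-MimSnapshot {
    param([string]$BeforeFile, [string]$AfterFile)
    $before = @{}; $after = @{}
    (Get-Content -Path $BeforeFile -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $before[$_.Name] = $_.Value }
    (Get-Content -Path $AfterFile  -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $after[$_.Name]  = $_.Value }

    foreach ($k in (@($before.Keys) + @($after.Keys) | Sort-Object -Unique)) {
        if (-not $after.ContainsKey($k))      { "REMOVED  $k = $($before[$k])" }
        elseif (-not $before.ContainsKey($k)) { "ADDED    $k = $($after[$k])" }
        elseif ($before[$k] -ne $after[$k])   { "CHANGED  $k : '$($before[$k])' -> '$($after[$k])'" }
    }
}

New-Item -ItemType Directory -Path $SnapshotFolder -Force | Out-Null
$beforeJson = Join-Path $SnapshotFolder 'before.json'
$afterJson  = Join-Path $SnapshotFolder 'after.json'
switch ($Phase) {
    'Before'  { Get-MimSnapshot | ConvertTo-Json -Depth 2 | Set-Content -Path $beforeJson; "written $beforeJson" }
    'After'   { Get-MimSnapshot | ConvertTo-Json -Depth 2 | Set-Content -Path $afterJson;  "written $afterJson" }
    'Compare' { Compare-MimSnapshot -BeforeFile $beforeJson -AfterFile $afterJson }
}
```

Anything reported as CHANGED or REMOVED for an appSetting or registry value is a setting to put back by hand; a product line that still shows the old DisplayVersion means that component was not actually upgraded; an extension DLL whose hash did not change has not been recompiled.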

Upgrading to MIM Add-In Extensions

This must be executed on every client running the FIM/MIM Add-In Extensions!

First uninstall the MIM Add-In Extensions through Programs and Features.

Then install the MIM Add-In Extensions by running the MSI interactively (attended) or from the command line with all options specified (unattended).

Figure 35: Welcome Screen

Figure 36: License Agreement

Figure 37: Joining CEIP

Figure 38: Component Selection

Figure 39: Specifying The MIM Portal Server Address And The MIM Service E-mail Address

REMARK: The MIM Portal Server Address must be entered as <FQDN>, or as <FQDN>:<PORT> when the portal listens on a custom port. The screenshot shows the full MIM Portal URL, which is not correct.

Figure 40: Specifying The FIM/MIM Service FQDN

Figure 41: Specifying The Password Registration URL

Figure 42: Last Screen Before The Actual Installation

Figure 43: Installation Completed

Now after installing the product:

  • Check and compare the registry settings and reconfigure as needed;

Cheers,
Jorge
Posted in Microsoft Identity Manager (MIM)

(2016-09-26) Microsoft Identity Manager (MIM) 2016 Service Pack 1 Has Been Released

Posted by Jorge on 2016-09-26


Microsoft has released Microsoft Identity Manager (MIM) 2016 Service Pack 1 (build 4.4.1237.0)!

What does it bring you?

  • In addition to Internet Explorer, the portal now also supports Edge, Chrome, Firefox and Safari;
  • The MIM Service now supports a mailbox in Exchange Online for approvals and notifications;
  • Image file format validation on upload;
  • PowerShell deployment scripts for Privileged Access Management (PAM) infrastructure components;
  • Privileged Access Management (PAM) Just-In-Time (JIT) administration now also works for the privileged AD forest, in addition to the corporate AD forest;
  • MIM now also supports Windows Server 2016 and SQL Server 2016 (see "Supported platforms for MIM 2016");
  • PAM deployment automatically uses PowerShell to create and configure Authentication Policies and Authentication Policy Silos to harden security;
  • … and a number of fixes

Read more about it:

Cheers,
Jorge
Posted in Microsoft Identity Manager (MIM), Updates

(2016-09-26) Windows Server 2016 Has Been Released

Posted by Jorge on 2016-09-26


Microsoft has released Windows Server 2016!

An evaluation version of Windows Server 2016 is available through Microsoft downloads. General availability (GA) of Windows Server 2016 is expected sometime in October.

Read more about it:

Cheers,
Jorge
Posted in Updates, Windows Server

(2016-09-25) FIM/MIM Configuration Export Scripts

Posted by Jorge on 2016-09-25


When upgrading FIM or MIM to a newer version, you may need to uninstall the previous version before installing the newer one. During the installation of the new version you have to re-enter all the required information. But where do you get that data from? Either you have an installation/configuration guide, or you make sure you keep a copy (copy, export, backup) of the previous configuration so that you can look it up easily.

Making a copy of the previous configuration manually can take quite some time, and if you are unlucky you might even forget something!

Yes, you guessed it: PowerShell to the rescue!

With the upcoming SP1 for MIM 2016 you may need this script.

Please provide feedback through the comments section or the contact page.

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version and/or FIM/MIM version and/or SQL version
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

<PoSH Script File> [-allConfig] [-mainConfig] [-fimSyncConfig] [-fimSvcConfig] [-fimPortalConfig] [-fimPwdRegPortalConfig] [-fimPwdResetPortalConfig] [-backupDBs] [-mainBackupFolder <Folder To Backup/Export To>]

This PoSH script exports the FIM/MIM configuration as a quick backup method. If applicable, the following configuration components are exported:

  • FIM/MIM Main Configuration;
  • FIM/MIM Sync Configuration;
  • FIM/MIM Service Configuration;
  • FIM/MIM Portal Configuration;
  • FIM/MIM Registration Portal Configuration;
  • FIM/MIM Reset Portal Configuration;
  • SQL Server Database

I have NOT added support for:

  • FIM/MIM PCNS Configuration;
  • FIM/MIM CM Configuration;
  • FIM/MIM Reporting Configuration

Currently there is no import script. You will have to do it manually

Get the export script from HERE

When upgrading, you only need the -mainConfig option on every FIM/MIM server and the -backupDBs option on the SQL server! For example:

  • Everything on one server (incl. SQL Server)? –> <PoSH Script File> -mainConfig -backupDBs -mainBackupFolder <Folder To Backup/Export To>
  • FIM/MIM servers without SQL –> <PoSH Script File> -mainConfig -mainBackupFolder <Folder To Backup/Export To>
  • SQL Server without FIM/MIM –> <PoSH Script File> -backupDBs -mainBackupFolder <Folder To Backup/Export To>

REMARK: installing a newer version against an existing database WILL upgrade that database in place. Make sure you have a backup of your FIM/MIM databases first!!!

PARAMETER allConfig

Exports All The Configuration Of FIM/MIM. This is basically all the options combined.

PARAMETER mainConfig

Exports Only The Main Configuration Of FIM/MIM. This should be the option to use when upgrading FIM/MIM.

PARAMETER fimSyncConfig

Exports Only The FIM Sync Specific Configuration

PARAMETER fimSvcConfig

Exports Only The FIM Service Specific Configuration

WARNING: This export might take a considerable amount of time!!!

PARAMETER fimPortalConfig

Exports Only The FIM Portal Specific Configuration

PARAMETER fimPwdRegPortalConfig

Exports Only The FIM Password Registration Portal Specific Configuration

PARAMETER fimPwdResetPortalConfig

Exports Only The FIM Password Reset Portal Specific Configuration

PARAMETER backupDBs

Backup Only The Databases In Use By FIM
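What the -backupDBs step has to guarantee is that the databases can actually be restored if the upgrade goes wrong. The following script is an added illustration of that and is NOT the export script from this post (get that from the link above): it takes a copy-only, checksummed backup of each FIM/MIM database, runs RESTORE VERIFYONLY against the file before anything is uninstalled, and writes a manifest with file hashes. Run it on the SQL Server itself (the backup path is the server's and the hash is computed locally). It needs the SqlServer PowerShell module (Invoke-Sqlcmd) and a login with BACKUP DATABASE permission. The instance name and the backup folder are assumptions; the database names are the FIM/MIM defaults and are assumptions as well.

```powershell
# Added example; not the export script from this post. Copy-only, checksummed
# backup of the FIM/MIM databases, verified with RESTORE VERIFYONLY, plus a
# manifest with SHA-256 hashes of the backup files.
# Instance, folder and database names are assumptions (the names are the defaults).
param(
    [string]$SqlInstance  = 'SQL01\MIM',
    [string[]]$Databases  = @('FIMSynchronizationService', 'FIMService'),
    [string]$BackupFolder = 'D:\MIMBackup'
)
Import-Module SqlServer -ErrorAction Stop
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

function Backup-MimDatabase {
    param([Parameter(Mandatory)][string]$Database)

    # Fail loudly on a wrong name; a missing database would otherwise only
    # surface once the installer has already upgraded the schema.
    $exists = Invoke-Sqlcmd -ServerInstance $SqlInstance -ErrorAction Stop `
        -Query "SELECT COUNT(*) AS n FROM sys.databases WHERE name = N'$Database';"
    if ($exists.n -ne 1) { throw "Database '$Database' not found on $SqlInstance" }

    $file = Join-Path $BackupFolder ("{0}-{1}.bak" -f $Database, (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # COPY_ONLY keeps this backup out of the regular differential/log chain;
    # CHECKSUM verifies page checksums while reading and stores a backup checksum.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -QueryTimeout 3600 -ErrorAction Stop -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$file'
WITH COPY_ONLY, CHECKSUM, INIT, STATS = 10;
"@

    # Prove the backup is readable and its checksums valid before anything is uninstalled.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -QueryTimeout 3600 -ErrorAction Stop -Query @"
RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;
"@

    [pscustomobject]@{
        Database = $Database
        File     = $file
        SizeMB   = [math]::Round((Get-Item -Path $file).Length / 1MB, 1)
        SHA256   = (Get-FileHash -Path $file -Algorithm SHA256).Hash   # recheck after copying the file off the box
    }
}

$manifest = foreach ($db in $Databases) { Backup-MimDatabase -Database $db }
$manifest | Format-Table -AutoSize
# Keep the manifest next to the files; compare the hashes again wherever you copy them to.
$manifest | Export-Csv -Path (Join-Path $BackupFolder 'backup-manifest.csv') -NoTypeInformation
```

If RESTORE VERIFYONLY fails, do not start the uninstall: fix the backup first, because the SP1 installer will modify the existing database as soon as you point it at it.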

PARAMETER mainBackupFolder

Main Backup Folder To Store The Backup

image

Figure 1: Exporting The FIM/MIM Configuration Before The Upgrade

Cheers,
Jorge
Posted in Backup/Export, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM)

(2016-09-17) Publishing Azure AD MFA Mobile App Web Service To The Outside

Posted by Jorge on 2016-09-17


You have implemented the on-premises Azure AD MFA server for ADFS or for any other application (Windows, RADIUS, IIS or LDAP) so that you can use phone-call and/or SMS authentication, with or without a secret PIN code. During the installation/configuration of the Azure AD MFA server you used an internal URL instead of an external URL that also resolves on the inside. Now somebody asks you to offer the mobile app as the second factor, and for that you must publish the Mobile App Web Service to the outside so that mobile phones can reach it when activating the app.

Let’s make the following assumptions:

First you need to publish the mobile app web service to the outside. For that I’ll assume you are using ADFS and WAP, so we’ll publish it through WAP.

On the WAP execute the following PowerShell CMDlet to publish the mobile app webs service through the WAP using pass through authentication:

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://mfa.company.local/MultiFactorAuthMobileAppWebService/ -ExternalCertificateThumbprint ‘62012C6DAFE7AE35ABD7D8A10896A1D427C0E6F4’ -ExternalUrl ‘https://mfa.company.com/MultiFactorAuthMobileAppWebService/ -Name ‘Azure AD MFA Mobile App Web Service’ -ExternalPreAuthentication PassThrough

After you log on to the Azure AD MFA User Portal (assuming you have already configured the Azure AD MFA server so that users may use the mobile app) and choose to activate the mobile app, you see something like…

Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

However, the URL displayed is not the external URL but the internal one, which is not reachable by mobile devices. You could ignore that and enter the information (the activation code and the external URL!) manually on your phone, but of course you want the portal to display the external URL so that you can simply scan the QR code.

To make the Azure AD MFA User Portal display the external URL instead of the internal one, edit the web.config of the MultiFactorAuth application: look for "OVERRIDE_PHONE_APP_WEB_SERVICE_URL" and set its value to the external URL. Only the hostname in the URL differs; the path stays the same.

Figure 2: The "web.config" Of The MultiFactorAuth Application Now With An External Web Service URL

After making this change you should be able to activate the mobile app on your phone through the WAP.

Cheers,
Jorge
Posted in Multi-Factor AuthN, Windows Azure Active Directory

(2016-09-16) Azure AD Connect v1.1.281.0 Has Been Released

Posted by Jorge on 2016-09-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.281.0

Released: 2016 August

New features:

  • N.A.

Fixed issues:

  • Changes to sync interval does not take place until after next sync cycle completes.
  • Azure AD Connect wizard does not accept Azure AD account whose username starts with an underscore (_).
  • Azure AD Connect wizard fails to authenticate Azure AD account provided if account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned.
  • Uninstalling staging server disables password synchronization in Azure AD tenant and causes password synchronization to fail with active server.
  • Password synchronization fails in uncommon cases when there is no password hash stored on the user.
  • When Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled.
  • Azure AD Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled.
  • Configuration changes to password synchronization and password writeback are not persisted by Azure AD Connect wizard when server is in staging mode.

Improvements:

  • Updated Start-ADSyncSyncCycle cmdlet to indicate whether it is able to successfully start a new sync cycle or not.
  • Added Stop-ADSyncSyncCycle cmdlet to terminate sync cycle and operation which are currently in progress.
  • Updated Stop-ADSyncScheduler cmdlet to terminate sync cycle and operation which are currently in progress.
  • When configuring Directory Extensions in Azure AD Connect wizard, AD attribute of type "Teletex string" can now be selected.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge
Posted in Azure AD Connect, Windows Azure Active Directory

(2016-09-13) Failing To Activate Mobile App Against The On-Premises Azure AD MFA Server

Posted by Jorge on 2016-09-13


You have set up the Azure AD MFA server, the Azure AD MFA User Portal, the Azure AD MFA Mobile App Web Service and the Azure AD MFA Web Service.

You log on to the Azure AD MFA User Portal and click "Activate Mobile App" on the left side of the screen. You then click [Generate New Activation Code] and see a screen similar to the one below.

Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

On your mobile phone you can now either enter the information yourself or just scan the QR code. Whichever method you choose, you will see a message on your phone like the one shown below. You can retry as many times as you want, but unfortunately that will not help.

Figure 2: Activation Error On Your Mobile Phone

Activation failed. Please verify you have network connectivity and check the URL to ensure it is correct.

Error details: The operation couldn't be completed. (Fault error –1.)

This error basically tells you that something is wrong with the URL displayed earlier on screen; the rest of the message is of little use.

Since the authenticator app hits the mobile app web service URL, open that URL in a browser to see what happens.

As soon as you do, you might see the following error.

Figure 3: IIS Server Error For The MultiFactorAuthMobileAppWebService Application

Now this is something you can work with! Something appears to be wrong in the "web.config" of the MultiFactorAuthMobileAppWebService application, so that is where you should look.

Figure 4: The "web.config" Of The MultiFactorAuthMobileAppWebService Application WITHOUT The Required Key

So, just before "</appSettings>", add the following line:

<add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT" value=""/>

…so that it looks like the following

Figure 5: The "web.config" Of The MultiFactorAuthMobileAppWebService Application WITH The Required Key

When done, save the "web.config" of the MultiFactorAuthMobileAppWebService application.

Now retry the URL in the browser; you should see something like…

Figure 6: The MultiFactorAuthMobileAppWebService Application Now Working Correctly

On your mobile phone, retry the activation by either entering the information yourself or by scanning the QR code. Whichever method you choose, you should now succeed in activating the mobile app.
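Both this post and the "Publishing Azure AD MFA Mobile App Web Service To The Outside" post above come down to the same operation: add or change one appSettings key in a web.config under the MFA server's IIS site, then request the web service URL and check that IIS no longer returns an error page. The script below is an added example (not code from either post) that does both edits with one helper, keeps a dated backup of each web.config, and then tests the internal and the published URL. Run it on the MFA server that hosts IIS. The IIS site and application names, the internal hostname mfa.company.local and the external hostname mfa.company.com are assumptions taken from the examples in the posts.

```powershell
# Added example, not from either MFA post: add/update an appSettings key in a
# web.config (with a backup first), applied to the two keys discussed on this
# page, then request the web service URLs to confirm IIS answers without error.
# Site/application names and hostnames are assumptions.
Import-Module WebAdministration -ErrorAction Stop

function Get-MfaAppPath {
    # Physical folder of an IIS application, e.g. 'MultiFactorAuth' under the Default Web Site.
    param([Parameter(Mandatory)][string]$AppName, [string]$SiteName = 'Default Web Site')
    $app = Get-WebApplication -Site $SiteName -Name $AppName
    if (-not $app) { throw "IIS application '$AppName' not found under site '$SiteName'" }
    [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
}

function Set-AppSettingKey {
    # Adds or updates <add key="..." value="..."/> inside <appSettings>; reports what it did.
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][string]$Key,
        [AllowEmptyString()][string]$Value = ''
    )
    $path = (Resolve-Path -Path $WebConfigPath -ErrorAction Stop).Path
    # The installer does not version this file for you; keep a dated copy.
    Copy-Item -Path $path -Destination ("{0}.{1}.bak" -f $path, (Get-Date -Format 'yyyyMMddHHmmss'))

    [xml]$xml = Get-Content -Path $path -Raw
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($null -eq $node) {
        # Key absent: the activation-failure case, where the application expects the key to exist.
        $node = $appSettings.AppendChild($xml.CreateElement('add'))
        $node.SetAttribute('key', $Key)
        $action = 'added'
    } else {
        $action = 'updated'
    }
    $node.SetAttribute('value', $Value)
    $xml.Save($path)   # IIS notices the web.config change and recycles the application itself
    "$action $Key in $path"
}

function Test-MfaUrl {
    # The authenticator app only needs this URL to answer; an IIS error page means a broken web.config.
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        "{0} -> HTTP {1}" -f $Url, $r.StatusCode
    } catch {
        "{0} -> FAILED: {1}" -f $Url, $_.Exception.Message
    }
}

# 1. User Portal: show the externally published URL in the activation page and QR code.
$portalConfig = Join-Path (Get-MfaAppPath -AppName 'MultiFactorAuth') 'web.config'
Set-AppSettingKey -WebConfigPath $portalConfig -Key 'OVERRIDE_PHONE_APP_WEB_SERVICE_URL' `
    -Value 'https://mfa.company.com/MultiFactorAuthMobileAppWebService/'

# 2. Mobile App Web Service: add the key the application expects, with an empty value as in the post.
$serviceConfig = Join-Path (Get-MfaAppPath -AppName 'MultiFactorAuthMobileAppWebService') 'web.config'
Set-AppSettingKey -WebConfigPath $serviceConfig -Key 'WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT' -Value ''

# 3. Both the internal and the published URL must answer; the second one proves the WAP rule works.
'https://mfa.company.local/MultiFactorAuthMobileAppWebService/',
'https://mfa.company.com/MultiFactorAuthMobileAppWebService/' | ForEach-Object { Test-MfaUrl -Url $_ }
```

A FAILED line for the external URL with the internal one working points at the WAP publication or the external certificate rather than at the web.config; a FAILED line for both points back at IIS.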

Cheers,
Jorge
Posted in Multi-Factor AuthN, Windows Azure Active Directory

(2016-08-08) Configuring Custom Logos For Your Identity Providers/Claim Providers Trusts

Posted by Jorge on 2016-08-08


As the page "Customizing the AD FS Sign-in Pages" already explains, you can configure custom logos for your HRD page, namely:

  • The Illustration (in figure 1, on the left)
  • The Logo (in figure 1, upper right)
  • The Local STS Icon (in figure 1, the IdP called "IAM Technologies")
  • The Remote IdP Icon for IdPs for which no suffixes have been configured (in figure 1, the last 3 IdPs)

That then looks like figure 1.

Figure 1: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Other Remote IdPs

However, have you ever wanted to see it like it is displayed in figure 2?

Figure 2: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Every Individual Remote IdP

Yes, that is possible!

To configure the logo, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -Logo @{path="<Path To Logo JPG/PNG>"}

To configure the illustration, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -Illustration @{path="<Path To Illustration JPG/PNG>"}

To configure the logo for the local STS, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri='/adfs/portal/images/idp/localsts.png';path="<Path To Local STS Logo JPG/PNG>"}

To configure the logo for Remote IdPs/STSs for which no suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri='/adfs/portal/images/idp/idp.png';path="<Path To General IdP Logo JPG/PNG>"}

To configure the logo for Remote IdPs/STSs for which at least one suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri='/adfs/portal/images/idp/otherorganizations.png';path="<Path To Other Organizations Logo JPG/PNG>"}

To configure a custom (company) logo for an individual Remote IdP/STS, execute the following command, using the name of the claims provider trust as the file name:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri="/adfs/portal/images/idp/<CP Trust Name>.png";path="<Path To Custom IdP Logo JPG/PNG>"}

REMARK: If you rename a CP trust, you also need to upload the file again under the new name in the URI! If you do not, the general IdP logo is displayed again.

REMARK: Instead of PNG files you can also use JPG files! Whatever extension you use, the extension of the file being imported must match the extension of the web file in the URI!
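With more than a handful of claims provider trusts, uploading the per-trust files by hand (and re-uploading after every rename) gets error-prone. The script below is an added example, not part of the original post: it walks every claims provider trust, uploads a logo named after the trust when one exists in a folder, reports the trusts that still fall back to the generic icon, and finally lists the idp/ files the theme actually serves. The theme name and the logo folder are assumptions; that the Get-AdfsWebTheme output exposes an AdditionalFileResources collection with a Uri property is an assumption about the ADFS module too. Run it on an ADFS server as an ADFS administrator.

```powershell
# Added example, not from the original post: one logo file per claims provider
# trust, named after the trust as the HRD page expects, plus a report of what
# the theme serves. Theme name, folder and the AdditionalFileResources/Uri
# property names are assumptions.
param(
    [string]$ThemeName  = 'custom',
    [string]$LogoFolder = 'C:\ADFS\Theme\idp'
)
Import-Module ADFS -ErrorAction Stop

function Publish-CpTrustLogos {
    if (-not (Get-AdfsWebTheme -Name $ThemeName)) {
        throw "Web theme '$ThemeName' does not exist; create it with New-AdfsWebTheme first"
    }

    foreach ($trust in Get-AdfsClaimsProviderTrust) {
        # The local AD claims provider uses localsts.png, not a per-trust file.
        if ($trust.Name -eq 'Active Directory') { continue }

        # The extension of the uploaded file must match the extension in the URI: try png, then jpg.
        $file = @('png', 'jpg') |
            ForEach-Object { Join-Path $LogoFolder "$($trust.Name).$_" } |
            Where-Object { Test-Path $_ } |
            Select-Object -First 1

        if (-not $file) {
            # No file named after this trust: the HRD page falls back to idp.png / otherorganizations.png.
            [pscustomobject]@{ Trust = $trust.Name; Logo = '(none, generic icon shown)' }
            continue
        }

        $ext = [IO.Path]::GetExtension($file).TrimStart('.')
        Set-AdfsWebTheme -TargetName $ThemeName -AdditionalFileResource @{
            Uri  = "/adfs/portal/images/idp/$($trust.Name).$ext"
            Path = $file
        }
        [pscustomobject]@{ Trust = $trust.Name; Logo = $file }
    }
}

function Get-PublishedIdpLogos {
    # What the theme serves right now. After renaming a CP trust, the old file name
    # is still listed here and the new name is missing: that is the rename caveat made visible.
    (Get-AdfsWebTheme -Name $ThemeName).AdditionalFileResources |
        Where-Object { $_.Uri -like '/adfs/portal/images/idp/*' } |
        Select-Object -ExpandProperty Uri
}

Publish-CpTrustLogos | Format-Table -AutoSize
Get-PublishedIdpLogos
```

Run it again after renaming a trust: the trust shows up with its new name in the first table, and the stale file under the old name is visible in the second list, where it can be left alone or cleaned up.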

Cheers,
Jorge
Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD), Web Themes