Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-09-25) FIM/MIM Configuration Export Scripts

Posted by Jorge on 2016-09-25


When upgrading FIM or MIM to a newer version, you may need to uninstall the previous version first before installing the newer version. During the installation of the new version you need to reenter all the required information. But where do you get that data from? Either you have some installation/configuration guide or you make sure you make a copy (copy, export, backup) of the previous configuration so that you can look it up easily.

Making a copy of the previous configuration manually can take quite some time to finish and if unlucky you might even forget something!

Yes, you guessed it, PowerShell to the rescue! Smile

With the upcoming SP1 for MIM 2016 you may need this script.

Please provide feedback through the comments section OR you the contact page

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version and/or FIM/MIM version and/or SQL version
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

<PoSH Script File> [-allConfig] [-mainConfig] [-fimSyncConfig] [-fimSvcConfig] [-fimPortalConfig] [-fimPwdRegPortalConfig] [-fimPwdResetPortalConfig] [-backupDBs] [-mainBackupFolder <Folder To Backup/Export To>]

This PoSH script exports FIM/MIM configuration as a quick backup method. If applicabel, the following configuration components are exported:

  • FIM/MIM Main Configuration;
  • FIM/MIM Sync Configuration;
  • FIM/MIM Service Configuration;
  • FIM/MIM Portal Configuration;
  • FIM/MIM Registration Portal Configuration;
  • FIM/MIM Reset Portal Configuration;
  • SQL Server Database

I have NOT added support for:

  • FIM/MIM PCNS Configuration;
  • FIM/MIM CM Configuration;
  • FIM/MIM Reporting Configuration

Currently there is no import script. You will have to do it manually

Get the export script from HERE

When upgrading, you only need to the [-mainConfig option on every FIM server and the [-backupDBs] option on the SQL server! For example:

  • Everything on one server (incl. SQL server)? –> <PoSH Script File> -mainConfig -backupDBs -mainBackupFolder <Folder To Backup/Export To>
  • FIM/MIM servers without SQL –> <PoSH Script File> -mainConfig -mainBackupFolder <Folder To Backup/Export To>
  • SQL server without FIM/SQL –> <PoSH Script File> –backupDBs -mainBackupFolder <Folder To Backup/Export To>

REMARK: the installation of a newer version against an existing database WILL upgrade the database. Make sure to have a backup of your FIM/MIM DBs!!!

PARAMETER allConfig

Exports All The Configuration Of FIM/MIM. This is basically all the options combined.

PARAMETER mainConfig

Exports Only The Main Configuration Of FIM/MIM. This should be the option to use when upgrading FIM/MIM.

PARAMETER fimSyncConfig

Exports Only The FIM Sync Specific Configuration

PARAMETER fimSvcConfig

Exports Only The FIM Service Specific Configuration

WARNING: This export might take some considerabel amount of time!!!

PARAMETER fimPortalConfig

Exports Only The FIM Portal Specific Configuration

PARAMETER fimPwdRegPortalConfig

Exports Only The FIM Password Registration Portal Specific Configuration

PARAMETER fimPwdResetPortalConfig

Exports Only The FIM Password Reset Portal Specific Configuration

PARAMETER backupDBs

Backup Only The Databases In Use By FIM

PARAMETER mainBackupFolder

Main Backup Folder To Store The Backup

image

Figure 1: Exporting The FIM/MIM Configuration Before The Upgrade

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Backup/Export, Backup/Export, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM) | Leave a Comment »

(2016-09-17) Publishing Azure AD MFA Mobile App Web Service To The Outside

Posted by Jorge on 2016-09-17


For ADFS or any other application (Windows, Radius, IIS or LDAP) you have implemented the on-premises Azure AD MFA server to be able to use phone-based and/or sms-based phone authentication with or without a secret PIN code. During the installation/configuration of the Azure AD MFA server you used an internal URL instead of an external URL that is also available on the inside. Now somebody asked you to use the mobile app as the second factor and with that  request you must publish the Mobile App Web Service to the outside so that mobile phones can use when requiring to activate the mobile app on the mobile phone.

Let’s make the following assumptions:

First you need to publish the mobile app web service to the outside. For that I’ll assume you are using ADFS and WAP, so we’ll publish it through WAP.

On the WAP execute the following PowerShell CMDlet to publish the mobile app webs service through the WAP using pass through authentication:

Add-WebApplicationProxyApplication -BackendServerUrl ‘https://mfa.company.local/MultiFactorAuthMobileAppWebService/ -ExternalCertificateThumbprint ‘62012C6DAFE7AE35ABD7D8A10896A1D427C0E6F4’ -ExternalUrl ‘https://mfa.company.com/MultiFactorAuthMobileAppWebService/ -Name ‘Azure AD MFA Mobile App Web Service’ -ExternalPreAuthentication PassThrough

After you logon to the Azure AD MFA User Portal, and assuming you already have configured the Azure AD MFA server so that users can use the mobile app, and choose to activate the mobile app, you see something like…

image_thumb[31]

Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

However, the URL displayed is not the external URL, but rather the internal URL that is not reachable my mobile devices. You could ignore that and still enter the information (the activation code and the external URL!) manually on your mobile phone, but of course you want it to display the external URL so that you can scan the QR-code.

To make it happen the Azure AD MFA User Portal displays the external URL instead of the internal URL, you need to edit the “web.config” of the MultiFactorAuth application. In that file look for “OVERRIDE_PHONE_APP_WEB_SERVICE_URL” and as the value provide the external URL. The only difference is the hostname in the URL, while the path remains unchanged.

image

Figure 2: The “web.config” Of The MultiFactorAuth Application Now With An External Web Service URL

After making this changing you should be able to activate the mobile app on your mobile phone through the WAP.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Multi-Factor AuthN, Windows Azure Active Directory | Leave a Comment »

(2016-09-16) Azure AD Connect v1.1.281.0 Has Been Released

Posted by Jorge on 2016-09-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.281.0

Released: 2016 August

New features:

  • N.A.

Fixed issues:

  • Changes to sync interval does not take place until after next sync cycle completes.
  • Azure AD Connect wizard does not accept Azure AD account whose username starts with an underscore (_).
  • Azure AD Connect wizard fails to authenticate Azure AD account provided if account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned.
  • Uninstalling staging server disables password synchronization in Azure AD tenant and causes password synchronization to fail with active server.
  • Password synchronization fails in uncommon cases when there is no password hash stored on the user.
  • When Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled.
  • Azure AD Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled.
  • Configuration changes to password synchronization and password writeback are not persisted by Azure AD Connect wizard when server is in staging mode.

Improvements:

  • Updated Start-ADSyncSyncCycle cmdlet to indicate whether it is able to successfully start a new sync cycle or not.
  • Added Stop-ADSyncSyncCycle cmdlet to terminate sync cycle and operation which are currently in progress.
  • Updated Stop-ADSyncScheduler cmdlet to terminate sync cycle and operation which are currently in progress.
  • When configuring Directory Extensions in Azure AD Connect wizard, AD attribute of type "Teletex string" can now be selected.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2016-09-13) Failing To Activate Mobile App Against The On-Premises Azure AD MFA Server

Posted by Jorge on 2016-09-13


You have setup the Azure AD MFA server, the Azure AD MFA User Portal, the Azure AD MFA MFA Mobile App Web Service and the Azure AD MFA Web Service.

You logon to the Azure AD MFA User Portal and then click on “Activate Mobile App” on the left side of the screen. In addition you click on [Generate New Activation Code] and you will see a screen similar to the one below

image

Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

On your mobile phone, you can now either choose specify the information yourself or you can just scan de QR-code. Whichever method you choose, you will see a similar message on your mobile phone as the one shown below. You can try as many times as you want, but unfortunately that will not help.

image

Figure 2: Activation Error On Your Mobile Phone

Activation failed. Please verify you have network connectivity and check the URL to ensure it is correct.

Error details: The operation couldn’t be completed. (Fault error –1.)

This error basically tells you something is wrong with the URL displayed previously on screen. The rest of the error is rather useless.

As the authenticator app will hit the mobile app web service URL, it is a good idea to put that URL in a browser to see what happens.

As soon as you do you might see the following error.

image

Figure 3: IIS Server Error For The MultiFactorAuthMobileAppWebService Application

Now this is something you can work with! Something appears to be wrong in the “web.config” of the MultiFactorAuthMobileAppWebService Application, so that is where you should look

image

Figure 4: The “web.config” Of The MultiFactorAuthMobileAppWebService Application WITHOUT The Required Key

So just before “</appSettings>”, add the following line

<add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT" value=""/>

…so that it looks like the following

image

Figure 5: The “web.config” Of The MultiFactorAuthMobileAppWebService Application WITH The Required Key

When done, save the “web.config” of the MultiFactorAuthMobileAppWebService

Now you retry the URL in the browser and you should see something like…

image

Figure 6: The MultiFactorAuthMobileAppWebService Application Now Working Correctly

On your mobile phone, you can now retry the activation by either choosing to specify the information yourself or by just scanning de QR-code. Whichever method you choose, you should not succeed in activating the mobile app.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Multi-Factor AuthN, Windows Azure Active Directory | Leave a Comment »

(2016-08-08) Configuring Custom Logos For Your Identity Providers/Claim Providers Trusts

Posted by Jorge on 2016-08-08


As the page “Customizing the AD FS Sign-in Pages” already explains, use configure custom logos for your HRD page, being

  • The Illustration (in figure 1 – on the left)
  • The Logo (in figure 1 – upper right)
  • The Local STS Icon (in figure 1 – IdP called “IAM Technologies”)
  • The Remote IdP Icon for which no suffixes have been configured (in figure 1 – last 3 IdPs)

That then looks like it is displayed in figure 1

image

Figure 1: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Other Remote IdPs

However, have you ever wanted to see it like it is displayed in figure 2?

image

Figure 1: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Every Individual Remote IdP

Yes, that is possible!

To configure the logo execute the following command:

Set-AdfsWebTheme –TargetName <Web Theme> -Logo @{path="<Path To Logo JPG/PNG>"}

To configure the illustration execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -Illustration @{path="<Path To Illustration JPG/PNG>"}

To configure the logo for the local STS execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/localsts.png’;path="<Path To Local STS Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS, for which no suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/idp.png’;path="<Path To General IdP Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS, for which at least one suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/otherorganizations.png’;path="<Path To Other Organizations Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS with a custom (company) logo, execute the following command

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{uri="/adfs/portal/images/idp/<CP Trust Name>.png";path="<Path To Custom IdP Logo JPG/PNG>"}

REMARK: If you rename a CP trust, you also need to rename the web file in the URL! If you do not, the general IdP logo is displayed

REMARK: Instead of using PNG files, you can also use JPG files! Whatever extension you use, the extension of the file being imported must match the extension of the web file in the URL!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD), Web Themes | Leave a Comment »

(2016-08-04) Forcing Sync On A Non-Primary ADFS Server When Using WID

Posted by Jorge on 2016-08-04


By default, when using WID, any secondary ADFS server pulls data from the primary ADFS server every 5 minutes (default value). To change the pull interval, it must be changed on all secondary ADFS servers, using the following command:

Set-AdfsSyncProperties -PollDuration <Number In Seconds>

However, if you want to force pull synchronization on any secondary ADFS to source it from the primary ADFS server, there is no default PowerShell cmdlet to do this. You must simply restart the ADFS server on the secondary ADFS server, like for example:

Restart-Service ADFSSRV

Remember that when you restart the ADFS service, you ADFS server temporarily becomes unavailable!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID | Leave a Comment »

(2016-07-31) Configuring ADFS To Use A Custom SQL Port

Posted by Jorge on 2016-07-31


If for whatever reason you need to change the default SQL port and you need to tell ADFS to use it, or if you need to move the DBs to another SQL server, you can use the following procedure:

Retrieving the current connection string for the configuration DB:

Execute the following commands on any ADFS Server:

$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService

$fedSvcSTSConfigDBConnectionString = $fedSvcSTS.ConfigurationdatabaseConnectionstring

$fedSvcSTSConfigDBConnectionString

Setting a new connection string for the configuration DB:

Execute the following commands ON EVERY ADFS SERVER!:

$fedSvcSTSConfigDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSConfiguration;Integrated Security=True" <—example values!!!

$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService

$fedSvcSTS.ConfigurationdatabaseConnectionstring = $fedSvcSTSConfigDBNewConnectionString

$fedSvcSTS.put()

Restart-Service ADFSSRV

Retrieving the current connection string for the artifact DB:

Execute the following commands on any SQL Based ADFS Server, or the primary WID based ADFS Server:

$fedSvcSTSArtifactDBConnectionString = (Get-ADFSProperties).ArtifactDbConnection

Setting a new connection string for the artifact DB:

Execute the following commands on any SQL Based ADFS Server, or the primary WID based ADFS Server:

$fedSvcSTSArtifactDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSArtifactStore;Integrated Security=True" <—example values!!!

Set-ADFSProperties -ArtifactDbConnection $fedSvcSTSArtifactDBNewConnectionString

Restart-Service ADFSSRV

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On SQL, Ports | Leave a Comment »

(2016-07-27) How To Disable Local Authentication In ADFS v2.x, ADFS v3.0 And ADFS v4.0

Posted by Jorge on 2016-07-27


If you do not want to have the local STS (and therefore the local AD and any trusted AD) to be listed on the HRD page, while only allowing remote IdPs (CPs), you need to disable local authentication in ADFS

To disable local authentication in ADFS v2.0, perform the following steps:

  • Navigate to the folder “C:\inetpub\adfs\ls”
  • Edit the file "web.config"
  • Edit the following section as follows, and save afterwards:

<localAuthenticationTypes>
        <!– <add name="Integrated" page="auth/integrated/" /> –>
        <!– <add name="Forms" page="FormsSignIn.aspx" /> –>
        <!– <add name="TlsClient" page="auth/sslclient/" /> –>
        <!– <add name="Basic" page="auth/basic/" /> –>
</localAuthenticationTypes>

To disable local authentication in ADFS v2.1 and ADFS v3.0, perform the following steps:

  • Navigate to “C:\Windows\Adfs”
  • Edit the file "microsoft.IdentityServer.Servicehost.exe.config"
  • Edit the following section as follows, and save afterwards:

<microsoft.identityServer.web> 
       <acceptedFederationProtocols wsFederation="true" saml="true" /> 
       <localAuthenticationTypes enabled="false"> 
</localAuthenticationTypes>

To disable local authentication in ADFS v4.0, perform the following steps:

  • Open a PowerShell command prompt window
  • Execute the following command:

Set-AdfsProperties -EnableLocalAuthenticationTypes $false

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD) | Leave a Comment »

(2016-07-24) Fixing Web Content Data In ADFS 2012 R2 (v3.0) When Leveraging WID As A Database Store

Posted by Jorge on 2016-07-24


This blog post only applies if you are using ADFS v3.0 (ADFS 2012 R2) AND you are using WID as the database store! It does not apply when using SQL, and it does not apply when using ADFS v4.0 (ADFS 2016) with WID!

In ADFS v3.0 (and higher) it is possible to configure custom web content for:

  1. Relying Party Trust Web Content (*)
  2. Global Web Content
  3. Authentication Provider Web Content (*)
  4. Web Config
  5. Web Theme

When using WID, you must execute the configuration on the primary ADFS server. After 5 minutes (default) at a maximum, the secondary ADFS servers, get the changes from the primary ADFS server. Well, with regards to web content, almost right

For the web content stuff marked with a (*), there is bug where the content defined at the primary ADFS server DOES NOT replicate to the secondary ADFS servers. Because of that users may experience inconsistent results

Example configurations for [1]:

Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage "<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access."

Example configurations for [3]:

Set-AdfsAuthenticationProviderWebContent -Name AzureMfaServerAuthentication -DisplayName ‘Azure AD MFA AuthN’ -Description ‘Azure AD MFA Based Upon SMS, Phone Call Or Authenticator App’

The user experience is as follows….

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a relying party trust:

image

Figure 1: Custom Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for a relying party trust:

image

Figure 2: Default Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a authentication provider:

image

Figure 3: Custom Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for an authentication provider:

image

Figure 4: Default Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

So, as you can see the user experience is quite different when hitting either the primary ADFS server or any secondary ADFS server

You might think to also execute the PowerShell commands on any secondary ADFS server. However, that’s not possible because secondary ADFS servers are not writable and therefore the PowerShell commands do not work. It will work however, if you temporarily configure a secondary to be a primary, execute the commands, then reconfigure it back to a secondary. If you have multiple WID based ADFS servers, that can be some extensive work, which is also subject to mistakes ending up in inconsistencies.

So, how to solve this?

I wrote a script, which is available here that helps in configuring the web content on secondary ADFS servers.

WARNING: I do not know if this is supported or not by Microsoft. However, it does solve the problem as currently unfortunately there is no hotfix that fixes this issue in ADFS v3.0. Make sure to test this FIRST in a test lab before using it in production!

Please provide feedback through the comments section OR you the contact page

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

  • <PoSH Script File> [-adfsServers <FQDN ADFS server 1>,<FQDN ADFS server 2>,etc ] [-scriptBlock <PowerShell Command>] [-scriptFile <Path To Text File Containing PowerShell Commands>] [-showScriptOutput]

This script is well documented (look inside the script) or execute:

Get-help .\Process-Web-Content-On-WID-Based-ADFS-Servers.ps1 -full

….but I’ll explain the parameters that can be used

Parameter “adfsServers”

When this parameter is specified, the XML config file is NOT read and a separated list of FQDNs must be specified through this parameter listing the ADFS servers that must be targeted. This may for example be used when you have just one or more new secondary ADFS server to update after those have been installed in addition to the existing ones

However, if you have a new configuration that must be applied to all ADFS servers, you may still use this parameter, but you can also create an XML file that contains all ADFS servers. This can be handy when you must apply changes to all existing ADFS servers. When you want to use the XML config file, do not use this parameter and the script will look for the XML config file which must be in the same folder as the script itself. By default the script will look for the XML file! It will abort if it does not find the XML config file!

EXAMPLE Contents of “ADFS-STS-SCRIPT-CONFIG.XML”

<?xml version="1.0" encoding="utf-8"?>
<adfsScriptConfig xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <adfsServers>
        <adfsServer serverName="R1FSRWDC1.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC2.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC3.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC4.IAMTEC.NET" />
    </adfsServers>
</adfsScriptConfig>

Parameter “scriptBlock”

With this parameter one PowerShell command can be specified as a value for this parameter. Pay very special attention to the quotes used!

Example value: "Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage `"<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access.`""

Parameter “scriptFile”

With this parameter one or more PowerShell commands can be specified in a text file. The complete path of the text is then used as a value for this parameter.

Example value: "C:\TEMP\ScriptBlock.txt"

Parameter “showScriptOutput”

This parameter tells the script to display the output of the commands on screen, if there is anything to display at all.

Another thing to be aware of is that the script logs everything into an event log called “Custom – Support”. If the event log does not exist it will create it and also register the source. If you do not want this, scan through the script and remove or out comment those parts!

image

Figure 5: Example XML Config File

image

Figure 6: Example Script Block File Containing Multiple PowerShell Commands To Execute

image

Figure 7: Example Output – General Info

image

Figure 8: Example Output – Performing Checks

image

Figure 9: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC1.IAMTEC.NET)

image

Figure 10: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC2.IAMTEC.NET)

image

Figure 11: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC3.IAMTEC.NET)

image

Figure 12: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC4.IAMTEC.NET)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID, PowerShell, Tooling/Scripting | Leave a Comment »

 
%d bloggers like this: