Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Configuration’ Category

(2018-10-09) Changing AD CP Trust Display Name And Order In ADFS 2016 Farm Level And Higher

Posted by Jorge on 2018-10-09


You are currently running ADFS 2012 R2 and you are planning on upgrading (yes, you can upgrade!) to ADFS 2016. Your Home Realm Discovery (HRD) page looks similar to the one in figure 1, meaning that the AD CP trust is listed at the top and that it inherits the Display Name of the federation service. So far so good, right?


Figure 1: A Home Realm Discovery Web Page In ADFS 2012 R2 Or ADFS 2016 When At ADFS 2012 R2 Farm Level

After adding ADFS 2016 servers and removing the ADFS 2012 R2 servers, it is time to increase the farm level to the highest farm level possible.

You “throw the switch” and suddenly your HRD page looks similar to the one as displayed in figure 2. Damn!


Figure 2: A Home Realm Discovery Web Page In ADFS 2016 When At ADFS 2016 Farm Level Or Higher

From a user perspective, that can have quite some impact, as users do not expect "their default selection" to have moved to the bottom. Worse yet, users might not even recognize it, because the trust display name no longer inherits the display name of the federation service. It just shows as "Active Directory", which is a technical name. You might think of changing the display name of the "Active Directory" CP trust to match whatever you need. Let me save you the trouble of trying that: ADFS does not allow much of that trust to be changed, and the display name is one of the things it locks.

So, one simple change (farm level increase) results in an unfortunate functional impact for users.

What can you do about this? The solution to this problem is to add some extra JavaScript code to the ONLOAD.JS of the web theme.

To make sure your current web theme is not broken while making this change, make sure to first create a new web theme and implement the changes in that new web theme. So let’s get started!

Retrieve the name of your CURRENT web theme:

Get-AdfsWebConfig

In the property called “ActiveThemeName” you will find the name of the current theme that is active and in use by everyone.

Make a copy of that theme and give the copy a new name:

New-AdfsWebTheme -Name <New WebTheme Name> -SourceName <Current Active WebTheme Name>

Export the new web theme to be able to edit it:

MD <Path To Export The Theme To>

Export-AdfsWebTheme -Name <New WebTheme Name> -DirectoryPath <Path To Export The Theme To>

Open the ONLOAD.JS file:

NOTEPAD "<Path To Export The Theme To>\script\onload.js"

Edit the ONLOAD.JS file by adding a piece of JavaScript code at the end of it. It will put the AD CP trust at the top again and it will rename it to the display name of your choosing. It has been tested with the following browsers: IE, Edge, Chrome, Firefox, Safari.
REMARK: Make sure to follow the guidelines available at
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

The JavaScript code is available at: https://github.com/microsoft/adfsWebCustomization/tree/master/communityCustomizations/RenameAndReorderADCPTrust

Save the ONLOAD.JS file.

Import the new ONLOAD.JS into the new web theme:

Set-AdfsWebTheme -TargetName <New WebTheme Name> -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js';Path="<Path To Export The Theme To>\script\onload.js"}

Now it is time to activate the new web theme and check that it has been activated:

Set-AdfsWebConfig -ActiveThemeName <New WebTheme Name>

Get-AdfsWebConfig

Now make sure to clear your cookies, and navigate to an application connected to ADFS that more than one CP trust is allowed to use. In that case, assuming you have cleared your cookies, the HRD page should appear and it should again be similar to what you see in figure 1.

If you need to revert to your previous web theme, you need to activate it again and check that it has been activated:

Set-AdfsWebConfig -ActiveThemeName <Current Active WebTheme Name>

Get-AdfsWebConfig

PS: make sure to test this first in a test environment!
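As an added example (not from the original post), the steps above wrapped into one PowerShell script that refuses to import an unchanged onload.js and rolls back automatically if activating the new theme does not stick. It assumes the ADFS module is available, that it runs elevated on an ADFS 2016 server, and that the theme name and export path are your own choices.

```powershell
# Added example: the web-theme procedure above as one script with checks.
# Assumed values (change to suit your environment): $NewThemeName, $ExportPath.
param(
    [string]$NewThemeName = 'CustomHRD',
    [string]$ExportPath   = 'C:\ADFSThemes\CustomHRD'
)
$ErrorActionPreference = 'Stop'

# 1. Record the theme that is active now; it is also the rollback target.
$currentTheme = (Get-AdfsWebConfig).ActiveThemeName
Write-Host "Active theme before change: $currentTheme"

# 2. Copy it under a new name; the active theme is never edited in place.
if (-not (Get-AdfsWebTheme -Name $NewThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $NewThemeName -SourceName $currentTheme | Out-Null
}

# 3. Export the copy so onload.js can be edited on disk.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
Export-AdfsWebTheme -Name $NewThemeName -DirectoryPath $ExportPath
$onload = Join-Path $ExportPath 'script\onload.js'
if (-not (Test-Path $onload)) { throw "onload.js not found at $onload" }

# 4. Pause for the manual edit; compare hashes so an unchanged file is never imported.
$before = (Get-FileHash -Path $onload -Algorithm SHA256).Hash
Read-Host "Append the rename/reorder code to $onload now, then press Enter"
$after = (Get-FileHash -Path $onload -Algorithm SHA256).Hash
if ($after -eq $before) { throw "onload.js was not changed; nothing imported" }
Write-Host "onload.js SHA256 after edit: $after  (keep for change tracking)"

# 5. Import the edited file into the NEW theme only.
Set-AdfsWebTheme -TargetName $NewThemeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    Path = $onload
}

# 6. Activate, verify, and revert to the previous theme if verification fails.
Set-AdfsWebConfig -ActiveThemeName $NewThemeName
if ((Get-AdfsWebConfig).ActiveThemeName -ne $NewThemeName) {
    Set-AdfsWebConfig -ActiveThemeName $currentTheme
    throw "Activation failed; reverted to $currentTheme"
}
Write-Host "Theme '$NewThemeName' is active. To revert manually:"
Write-Host "  Set-AdfsWebConfig -ActiveThemeName '$currentTheme'"
```

Clear your cookies and open an application that allows more than one CP trust to confirm the HRD page before running this in production.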

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Active Directory Federation Services (ADFS), Configuration, Federation Trusts, Home Realm Discovery (HRD), Migration, onload.js

(2016-07-02) The Export Script “Export-FederationConfiguration.ps1” Throws An Error in ADFS v3

Posted by Jorge on 2016-07-02


With ADFS v3.0 (ADFS in Windows Server 2012 R2), Microsoft has provided an export script ("Export-FederationConfiguration.ps1") and an import script ("Import-FederationConfiguration.ps1"). Both scripts can be found in the folder "C:\Windows\ADFS". The scripts are meant to support the migration from ADFS v2.x to ADFS v3.0: the export script should be run on ADFS v2.x and the import script should be run on ADFS v3.0.

As you may have read in this blog post you need to export and import the configuration when moving from SQL-based ADFS to WID-based ADFS.

However, when running the export script on ADFS v3.0, you will see the following error:


Figure 1: Error When Running The Export Script “Export-FederationConfiguration.ps1” On ADFS v3.0

Unable to find type [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyTrust]. Make sure that the assembly that contains this type
is loaded.
At C:\Windows\ADFS\Export-FederationConfiguration.ps1:1220 char:9
+         $rpTrusts = [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyT …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Ident…lyingPartyTrust:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Unable to find type [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyTrust]. Make sure that the assembly that contains this type
is loaded.
At C:\Windows\ADFS\Export-FederationConfiguration.ps1:1220 char:9
+         $rpTrusts = [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyT …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Ident…lyingPartyTrust:TypeName) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TypeNotFound

The reason for not working?

The export script does not work on ADFS v3.0 because it references an assembly (and the type above from it) that does not exist in ADFS v3.0, but only in ADFS v2.x.

The solution?

A guy named Jeff Patton has already published a fixed version of the script. You can find it on GitHub: https://gist.github.com/jeffpatton1971/12f9e00dbca27abf8b59
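As an added example (not from the original post), a pre-flight check to run before the stock export script, so the TypeNotFound error above is caught up front instead of some 1200 lines into the script. It assumes the default script path and that ADFS v2.x exposes its cmdlets as the Microsoft.Adfs.PowerShell snap-in while ADFS v3.0 exposes them as the ADFS module.

```powershell
# Added example: verify the environment the stock export script expects.
# Assumed: stock script path below; type name taken from the error text above.
$exportScript = 'C:\Windows\ADFS\Export-FederationConfiguration.ps1'
$typeName     = 'Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyTrust'

function Test-AdfsExportPrereqs {
    # ADFS v2.x ships its cmdlets as a PSSnapin; ADFS v3.0 ships them as a module.
    $isV2 = [bool](Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)
    $isV3 = [bool](Get-Module -ListAvailable -Name ADFS)
    if ($isV2) { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue }
    if ($isV3) { Import-Module ADFS -ErrorAction SilentlyContinue }

    # The stock script hard-references this type; type literals resolve at run time,
    # so resolving the name here reproduces the same lookup without running the script.
    $typeResolves = $null -ne ($typeName -as [type])

    [pscustomobject]@{
        AdfsV2Snapin  = $isV2
        AdfsV3Module  = $isV3
        TypeResolves  = $typeResolves
        ScriptPresent = (Test-Path $exportScript)
    }
}

$check = Test-AdfsExportPrereqs
$check | Format-List
if (-not $check.TypeResolves) {
    Write-Warning "Type $typeName cannot be loaded here; the stock export script will fail with TypeNotFound."
    Write-Warning "Run the export on an ADFS v2.x server, or use the patched script linked above."
}
```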

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Configuration, PowerShell, Tooling/Scripting
