This blog post only applies if you are using ADFS v3.0 (ADFS 2012 R2) AND you are using WID as the database store! It does not apply when using SQL, and it does not apply when using ADFS v4.0 (ADFS 2016) with WID!
In ADFS v3.0 (and higher) it is possible to configure custom web content for:
- Relying Party Trust Web Content (*)
- Global Web Content
- Authentication Provider Web Content (*)
- Web Config
- Web Theme
When using WID, you must execute the configuration on the primary ADFS server. After 5 minutes (default) at a maximum, the secondary ADFS servers, get the changes from the primary ADFS server. Well, with regards to web content, almost right
For the web content stuff marked with a (*), there is bug where the content defined at the primary ADFS server DOES NOT replicate to the secondary ADFS servers. Because of that users may experience inconsistent results
Example configurations for :
Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage "<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access."
Example configurations for :
Set-AdfsAuthenticationProviderWebContent -Name AzureMfaServerAuthentication -DisplayName ‘Azure AD MFA AuthN’ -Description ‘Azure AD MFA Based Upon SMS, Phone Call Or Authenticator App’
The user experience is as follows….
When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a relying party trust:
Figure 1: Custom Web Content For A Relying Party Trust On The Primary ADFS Server
When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for a relying party trust:
Figure 2: Default Web Content For A Relying Party Trust On The Primary ADFS Server
When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a authentication provider:
Figure 3: Custom Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server
When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for an authentication provider:
Figure 4: Default Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server
So, as you can see the user experience is quite different when hitting either the primary ADFS server or any secondary ADFS server
You might think to also execute the PowerShell commands on any secondary ADFS server. However, that’s not possible because secondary ADFS servers are not writable and therefore the PowerShell commands do not work. It will work however, if you temporarily configure a secondary to be a primary, execute the commands, then reconfigure it back to a secondary. If you have multiple WID based ADFS servers, that can be some extensive work, which is also subject to mistakes ending up in inconsistencies.
So, how to solve this?
I wrote a script, which is available here that helps in configuring the web content on secondary ADFS servers.
WARNING: I do not know if this is supported or not by Microsoft. However, it does solve the problem as currently unfortunately there is no hotfix that fixes this issue in ADFS v3.0. Make sure to test this FIRST in a test lab before using it in production!
Please provide feedback through the comments section OR you the contact page
DISCLAIMER (READ THIS!):
- I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
- The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
- This script is furnished "AS IS". No warranty is expressed or implied!
- I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
- Always test first in lab environment to see if it meets your needs!
- Use this script at your own risk!
- I do not warrant this script to be fit for any purpose, use or environment!
- I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
- I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
- I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
- If you do not accept these terms do not use the script in any way and delete it immediately!
- <PoSH Script File> [-adfsServers <FQDN ADFS server 1>,<FQDN ADFS server 2>,etc ] [-scriptBlock <PowerShell Command>] [-scriptFile <Path To Text File Containing PowerShell Commands>] [-showScriptOutput]
This script is well documented (look inside the script) or execute:
Get-help .\Process-Web-Content-On-WID-Based-ADFS-Servers.ps1 -full
….but I’ll explain the parameters that can be used
When this parameter is specified, the XML config file is NOT read and a separated list of FQDNs must be specified through this parameter listing the ADFS servers that must be targeted. This may for example be used when you have just one or more new secondary ADFS server to update after those have been installed in addition to the existing ones
However, if you have a new configuration that must be applied to all ADFS servers, you may still use this parameter, but you can also create an XML file that contains all ADFS servers. This can be handy when you must apply changes to all existing ADFS servers. When you want to use the XML config file, do not use this parameter and the script will look for the XML config file which must be in the same folder as the script itself. By default the script will look for the XML file! It will abort if it does not find the XML config file!
EXAMPLE Contents of “ADFS-STS-SCRIPT-CONFIG.XML”
<?xml version="1.0" encoding="utf-8"?>
<adfsScriptConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<adfsServer serverName="R1FSRWDC1.IAMTEC.NET" />
<adfsServer serverName="R1FSRWDC2.IAMTEC.NET" />
<adfsServer serverName="R1FSRWDC3.IAMTEC.NET" />
<adfsServer serverName="R1FSRWDC4.IAMTEC.NET" />
With this parameter one PowerShell command can be specified as a value for this parameter. Pay very special attention to the quotes used!
Example value: "Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage `"<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access.`""
With this parameter one or more PowerShell commands can be specified in a text file. The complete path of the text is then used as a value for this parameter.
Example value: "C:\TEMP\ScriptBlock.txt"
This parameter tells the script to display the output of the commands on screen, if there is anything to display at all.
Another thing to be aware of is that the script logs everything into an event log called “Custom – Support”. If the event log does not exist it will create it and also register the source. If you do not want this, scan through the script and remove or out comment those parts!
Figure 5: Example XML Config File
Figure 6: Example Script Block File Containing Multiple PowerShell Commands To Execute
Figure 7: Example Output – General Info
Figure 8: Example Output – Performing Checks
Figure 9: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC1.IAMTEC.NET)
Figure 10: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC2.IAMTEC.NET)
Figure 11: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC3.IAMTEC.NET)
Figure 12: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC4.IAMTEC.NET)
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########