As mentioned in Configure Device Registration for Hybrid Windows Hello for Business, device registration and device authentication must be enabled in ADFS to support Azure AD Device Authentication on-premises against ADFS. That article describes the steps to achieve this.
You start with:
Initialize-ADDeviceRegistration -ServiceAccountName <Service Account In ADFS> -DeviceLocation <FQDN AD Domain Storing Device Objects From AAD>
Figure 1: Initializing Device Registration In AD
–
This creates the required DRS objects in the configuration NC and in the domain NC specified to host the AAD devices written back to AD.
–
Looking at the “Device Registration” node in the ADFS management console, you will see the following, which is weird.
Figure 2: Device registration Overview Mentioning It Still Needs To Be Configured
–
Clicking on “Configure Device Registration” results in the following message. Just click “OK” to continue.
Figure 3: Message After Clicking “Configure Device Registration”
–
Waiting until it finishes leaves you in exactly the same state as displayed in figure 2. Huh?
–
In PowerShell executing the following command:
Get-AdfsDeviceRegistration
…does not display the DN of the DRS objects that exist in AD. It should show values for DrsObjectDN and DeviceObjectLocation, but it does not, as you can see in figure 4 (or experience yourself). The event logs do not tell you why.
Figure 4: Empty Values For DrsObjectDN And DeviceObjectLocation
–
After some digging around, I found that in my ADFS v4 farm the EnrollmentServer endpoint was disabled, and because of that the device registration configuration could not succeed.
Figure 5: EnrollmentServer Endpoint Being Disabled
–
Enable the EnrollmentServer endpoint through the GUI and restart the ADFS service on every ADFS server in the ADFS farm, or use the PowerShell commands below:
Get-AdfsEndpoint /EnrollmentServer/ # Check the current state of the endpoint (Enabled is False at this point)
Enable-AdfsEndpoint /EnrollmentServer/ # Enable the endpoint in the ADFS configuration
Set-AdfsEndpoint /EnrollmentServer/ -Proxy $True # Also publish the endpoint through the Web Application Proxy
Get-AdfsEndpoint /EnrollmentServer/ # Verify that Enabled and Proxy are now True
Restart-Service ADFSSRV # Execute On EVERY ADFS Server! Endpoint changes only take effect after a service restart
Figure 6: Enabling The EnrollmentServer Endpoint
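The check and the fix above, put together in one script as an added example (this is not code from the original post): it reads the device registration state, enables and proxy-publishes the EnrollmentServer endpoint only if it is disabled, restarts the ADFS service on every farm member, and then re-checks DrsObjectDN and DeviceObjectLocation. The farm server names in $farmServers are an assumption and must be replaced with the real ADFS servers; the script is meant to be run from one of the farm members with the ADFS module installed.

```powershell
# Added example, not part of the original post. Run on an ADFS farm member.
Import-Module ADFS

$endpointPath = '/EnrollmentServer/'
# ASSUMPTION: replace with the actual members of your ADFS farm
$farmServers  = @('ADFS01.corp.example.com', 'ADFS02.corp.example.com')

function Test-DrsConfigured {
    # Returns $true only when both DN values are populated. Empty values are
    # the symptom described above: the configuration did not land in AD.
    $drs = Get-AdfsDeviceRegistration
    return (-not [string]::IsNullOrWhiteSpace($drs.DrsObjectDN)) -and
           (-not [string]::IsNullOrWhiteSpace($drs.DeviceObjectLocation))
}

$endpoint = Get-AdfsEndpoint -AddressPath $endpointPath
Write-Host ("EnrollmentServer endpoint: Enabled={0} Proxy={1}" -f $endpoint.Enabled, $endpoint.Proxy)

if (-not $endpoint.Enabled) {
    # Enable the endpoint and publish it through the Web Application Proxy,
    # which is what the GUI steps in the post do as well
    Enable-AdfsEndpoint -TargetAddressPath $endpointPath
    Set-AdfsEndpoint -TargetAddressPath $endpointPath -Proxy $true

    # Endpoint changes are stored in the ADFS configuration database but only
    # take effect after the service restarts, so restart every farm member
    foreach ($server in $farmServers) {
        Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service -Name adfssrv }
    }
}

if (Test-DrsConfigured) {
    Get-AdfsDeviceRegistration | Format-List DrsObjectDN, DeviceObjectLocation
} else {
    Write-Warning 'DrsObjectDN and DeviceObjectLocation are still empty; check the EnrollmentServer endpoint state and the ADFS event logs'
}
```

Setting -Proxy $true is what makes the endpoint reachable from outside the network through the Web Application Proxy, which is required for devices registering over the internet; if registration only needs to work from inside the corporate network, that parameter can be left at its current value.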
–
Now you can see that there are values for DrsObjectDN and DeviceObjectLocation:
Get-AdfsDeviceRegistration
Figure 7: Values For DrsObjectDN And DeviceObjectLocation
–
Figure 8: Device Registration And Device Authentication Now Being Enabled In ADFS
–
Have fun!
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-