Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Device Registration’ Category

(2019-02-14) Enabling Device Registration/Authentication In ADFSv4 Fails

Posted by Jorge on 2019-02-14


As mentioned in “Configure Device Registration for Hybrid Windows Hello for Business”, device registration and authentication must be enabled in ADFS to support Azure AD device authentication on-premises against ADFS. That article describes the steps to achieve this.

You start with:

Initialize-ADDeviceRegistration -ServiceAccountName <Service Account In ADFS> -DeviceLocation <FQDN AD Domain Storing Device Objects From AAD>

Figure 1: Initializing Device Registration In AD

This creates the required DRS objects in the configuration NC and in the domain NC specified to host the AAD devices written back to AD.

Looking at the “Device Registration” node in the ADFS management console, you see the following, which is odd.

Figure 2: Device Registration Overview Mentioning It Still Needs To Be Configured

Clicking on “Configure Device Registration” results in the following message. Just click “OK” to continue.

Figure 3: Message After Clicking “Configure Device Registration”

Waiting until it finishes results in exactly the same state as displayed in Figure 2. Huh?

Executing the following command in PowerShell:

Get-AdfsDeviceRegistration

…does not display the DNs of the DRS objects that exist in AD. It should show values for DrsObjectDN and DeviceObjectLocation, but it does not, as you can see here (or experience yourself). The event logs give no indication of why.

Figure 4: Empty Values For DrsObjectDN And DeviceObjectLocation

After some digging around, I found that in my ADFSv4 farm the EnrollmentServer endpoint was disabled, and that is why the device registration configuration did not succeed.

Figure 5: EnrollmentServer Endpoint Being Disabled

Enable the EnrollmentServer endpoint through the GUI and restart the ADFS service on every ADFS server in the ADFS farm, or use the PowerShell commands below:

Get-AdfsEndpoint /EnrollmentServer/                 # Check the current state: Enabled is False here

Enable-AdfsEndpoint /EnrollmentServer/              # Enable the endpoint on the farm

Set-AdfsEndpoint /EnrollmentServer/ -Proxy $True    # Also publish it through the Web Application Proxy

Get-AdfsEndpoint /EnrollmentServer/                 # Verify that Enabled and Proxy are now True

Restart-Service ADFSSRV                             # Execute On EVERY ADFS Server In The Farm!

Figure 6: Enabling The EnrollmentServer Endpoint

Now you can see that there are values for DrsObjectDN and DeviceObjectLocation:

Get-AdfsDeviceRegistration

Figure 7: Values For DrsObjectDN And DeviceObjectLocation

Figure 8: Device Registration And Device Authentication Now Being Enabled In ADFS
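The whole check-and-fix sequence above, folded into one script as an added example (this is not code from the original post): it reads the EnrollmentServer endpoint state, enables and proxy-publishes it only when needed, restarts adfssrv on every farm node, and then confirms that Get-AdfsDeviceRegistration returns DrsObjectDN and DeviceObjectLocation. The list of farm nodes is an assumed input supplied by the caller, and the remote restart via Invoke-Command assumes PowerShell remoting is allowed between the ADFS servers.

```powershell
# Added example, not from the original post. Run on an ADFS farm node as an ADFS administrator.
param(
    # Assumed input: the FQDNs of every node in the ADFS farm (constructed sample values).
    [string[]]$FarmNodes = @('adfs01.corp.example', 'adfs02.corp.example'),
    [string]$EndpointPath = '/EnrollmentServer/'
)

$endpoint = Get-AdfsEndpoint -AddressPath $EndpointPath
if (-not $endpoint) { throw "Endpoint $EndpointPath was not found on this ADFS farm." }

$changed = $false
if (-not $endpoint.Enabled) {
    Write-Warning "$EndpointPath is disabled; device registration configuration cannot succeed."
    Enable-AdfsEndpoint -TargetAddressPath $EndpointPath
    $changed = $true
}
if (-not $endpoint.Proxy) {
    Write-Warning "$EndpointPath is not published through the Web Application Proxy; enabling."
    Set-AdfsEndpoint -TargetAddressPath $EndpointPath -Proxy $true
    $changed = $true
}

if ($changed) {
    # As the post notes, the ADFS service must be restarted on EVERY node of the farm.
    # Assumes PowerShell remoting between the ADFS servers is permitted.
    foreach ($node in $FarmNodes) {
        Write-Host "Restarting adfssrv on $node"
        Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service -Name adfssrv }
    }
}

# Re-read the state; the two properties the post calls out must now be populated.
$endpoint = Get-AdfsEndpoint -AddressPath $EndpointPath
$drs      = Get-AdfsDeviceRegistration
[pscustomobject]@{
    EndpointEnabled      = $endpoint.Enabled
    EndpointProxy        = $endpoint.Proxy
    DrsObjectDN          = $drs.DrsObjectDN
    DeviceObjectLocation = $drs.DeviceObjectLocation
} | Format-List

if ([string]::IsNullOrEmpty($drs.DrsObjectDN) -or [string]::IsNullOrEmpty($drs.DeviceObjectLocation)) {
    Write-Warning "DrsObjectDN or DeviceObjectLocation is still empty: re-run Initialize-ADDeviceRegistration and 'Configure Device Registration' in the ADFS console."
}
```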

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ########################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Federation Services (ADFS), Device Registration

(2014-03-24) ADFS v3.0 In W2K12R2 And Related Features In Summary With Details

Posted by Jorge on 2014-03-24


Mylo has written a number of blog posts focusing on his first impressions of ADFS v3.0 in W2K12R2 and related features (e.g. Workplace Join, Device Registration, Web Application Proxy, etc.). The blog posts are a perfect summary with lots of interesting details. Wow, my compliments!

First Impressions – AD FS and Windows Server 2012 R2 – Part I

First Impressions – AD FS and Windows Server 2012 R2 – Part II

First Impressions – AD FS and Windows Server 2012 R2 – Part III (to be published by Mylo)

In addition, Ramiro Calderon has written great blog posts focusing on MFA in ADFS v3.0. Again, my compliments!

Under the hood tour on Multi-Factor Authentication in ADFS – Part 1: Policy

Under the hood tour on Multi-Factor Authentication in ADFS – Part 2: MFA aware Relying Parties

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Device Registration, Security Token Service (STS), Web Application Proxy, Workplace Join
