Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Migration’ Category

(2019-03-06) Will WAP v3.0 Work With ADFS v4.0 Or Later?

Posted by Jorge on 2019-03-06


Will it work to have WAP v3.0 (WAP in Windows Server 2012 R2) in an ADFS v4.0 Farm (ADFS in Windows Server 2016) during an upgrade/migration scenario?

Yes, it will, even if you increase the ADFS Farm Level! There is a “BUT”, and that is it will depend on what you are using!

Some examples

If you are just publishing applications and doing your thing as you were with the ADFS v3.0 Farm, you are OK to go.   

image

Figure 1: WAP v3.0 Successfully Retrieving Its Config From An ADFS v4.0 Farm

The federation server proxy successfully retrieved its configuration from the Federation Service ‘FS.IAMTEC.NL’.

image

Figure 2: WAP v3.0 Successfully Added/Removed The Listed Endpoints

The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service.

Endpoints added:
https://+:443/FederationMetadata/2007-06/
https://+:443/adfs/ls/
https://+:49443/adfs/ls/
https://+:443/adfs/oauth2/token/
https://+:443/adfs/oauth2/logout/
https://+:443/adfs/oauth2/authorize/
https://+:49443/adfs/oauth2/authorize/
https://+:443/adfs/oauth2/devicecode/
https://+:443/adfs/oauth2/deviceauth/
https://+:443/adfs/.well-known/openid-configuration/
https://+:443/adfs/discovery/keys/
https://+:443/EnrollmentServer/
https://+:443/adfs/portal/
https://+:49443/adfs/portal/
https://+:443/adfs/portal/updatepassword/
https://+:443/adfs/userinfo/
https://+:443/adfs/services/trust/2005/windowstransport/
https://+:443/adfs/services/trust/2005/certificatemixed/
https://+:49443/adfs/services/trust/2005/certificatetransport/
https://+:443/adfs/services/trust/2005/usernamemixed/
https://+:443/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/13/certificatemixed/
https://+:443/adfs/services/trust/13/usernamemixed/
https://+:443/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256/
https://+:443/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256/
https://+:443/adfs/services/trust/mex/
 

Endpoints removed:

Remember though that ADFS v4.0 supports other endpoints. And that’s were the WAP v3.0 may not understand everything published by ADFS v4.0. For the following endpoint you will see the following error when WAP v3.0 retrieves its config from the ADFS v4.0 farm.

image

Figure 3: WAP v3.0 Fails To Add A Listener For A Specific Endpoint Published By ADFDS v4.0

AD FS proxy service failed to start a listener for the endpoint ‘Endpoint details:
     Prefix : /.well-known/webfinger
     PortType : HttpsDevicePort
     ClientCertificateQueryMode : None
     CertificateValidation : None
     AuthenticationSchemes : Anonymous
     ServicePath : /.well-known/webfinger
     ServicePortType : HttpsDevicePort
     SupportsNtlm : False

Exceptiondetails:
System.Net.HttpListenerException (0x80004005): Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
   at Microsoft.IdentityServer.ProxyService.ProxyHttpListener.Start()
   at Microsoft.IdentityServer.ProxyService.EndpointManager.ApplyConfiguration(ProxyEndpointConfiguration proxyEndpointConfiguration)

User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.

Now, a good way to make sure your WAP v3.0 stops functioning in an ADFS v4.0 farm, is to enable “Alternate Host Name Binding” as explanined in (2019-03-05) Certificate Based Authentication In ADFS (Legacy And New) – The Complete Information To Get This Working

As soon as you enable “Alternate Host Name Binding” you will see the following error when WAP v3.0 tries to retrieve its config from the ADFS v4.0 farm. Also pay attention to what it suggests you should do! Smile

image

Figure 4: WAP v3.0 Fails To Retrieve Its Config From The ADFS v4.0 Farm After Enabling Alternate Host Name Binding

Unable to retrieve proxy configuration data from the Federation Service.

Additional Data

Trust Certificate Thumbprint:
7EB5B6A48B7273468ECC5EB67E05E62DDD04D145

Status Code:
UpgradeRequired

Exception details:
System.Net.WebException: The remote server returned an error: (426) Upgrade Required.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

If you want to make your WAP v3.0 again in this scenario you really need to disable Alternate Host Name Binding!

So before enabling “Alternate Host Name Binding” make sure to upgrade your WAP v3.0 to the latest version, it deserves it!

To disable “Alternate Host Name Binding” and start using legacy mode again for Certificate Based AuthN, just execute the following command on one ADFS server:

Set-AdfsProperties -TlsClientPort 49443

Then restart the ADFS service on all nodes:

Restart-Service ADFSSRV

Now, is this a complete list of what can go wrong? Probably not, therefore be careful!

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Advertisement

Posted in Active Directory Federation Services (ADFS), Migration, Web Application Proxy | Leave a Comment »

(2018-10-09) Changing AD CP Trust Display Name And Order In ADFS 2016 Farm Level And Higher

Posted by Jorge on 2018-10-09


You are currently running ADFS 2012 R2 and you are planning on upgrading (yes, you can upgrade!) to ADFS 2016. Your Home Realm Discovery (HRD) page is looking similar to the one in figure 1, meaning that the AD CP trust is listed at the top and that it inherits the Display Name of the federation service. So far so good , right?

image

Figure 1: A Home Realm Discovery Web Page In ADFS 2012 R2 Or ADFS 2016 When At ADFS 2012 R2 Farm Level

After adding ADFS 2016 servers and removing the ADFS 2012 R2 servers, it is time to increase the farm level to the highest farm level possible.

You “throw the switch” and suddenly your HRD page looks similar to the one as displayed in figure 2. Damn!

image

Figure 2: A Home Realm Discovery Web Page In ADFS 2016 When At, At Least ADFS 2016 Farm Level

From a user perspective, that can be quite some impact as user to not expect “their default selection” to have moved to the bottom. Worse yet, the users might not even recognize it because the trust display name does not inherit the display name of the federation service anymore. It just shows as “Active Directory”, which is a technical name. You might think in changing the display name of the “Active Directory” CP trust to match whatever you need. Let me save you the trouble of trying that, because, it is not allowed to change much including the display name.

So, one simple change (farm level increase) results in an unfortunate functional impact for users.

What can you do about this? The solution to this problem is to implement some extra javascript code in the ONLOAD.JS.

To make sure your current web theme is not broken while making this change, make sure to first create a new web theme and implement the changes in that new web theme. So let’s get started!

Retrieve the name of your CURRENT web theme

Get-AdfsWebConfig

In the property called “ActiveThemeName” you will find the name of the current theme that is active and in use by everyone.

Make a copy of that theme and give the copy a new name:

New-AdfsWebTheme -Name <New WebTheme Name> -SourceName <Current Active WebTheme Name>

Export the new web theme to be able to edit it:

MD <Path To Export The Theme To>

Export-AdfsWebTheme -Name <New WebTheme Name> -DirectoryPath <Path To Export The Theme To>

Open the ONLOAD.JS file

NOTEPAD "<Path To Export The Theme To>\script\onload.js"

Edit the ONLOAD.JS file by adding a piece of javascript code at the end of it. It will put the AD CP trust at the top again and it will rename it to the display name of your choosing. It has been tested with the following browsers: IE, Edge, Chrome, Firefox, Safari.
REMARK: Make sure to follow guidelines as available in https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

The javascript code is available at: https://github.com/microsoft/adfsWebCustomization/tree/master/communityCustomizations/RenameAndReorderADCPTrust

Save the ONLOAD.JS file

Import the new ONLOAD.JS into the new web theme

Set-AdfsWebTheme -TargetName <New WebTheme Name> -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path="<Path To Export The Theme To>\script\onload.js"}

Now it is time to activate the new web theme and check it has been activated

Set-AdfsWebConfig -ActiveThemeName <New WebTheme Name>

Get-AdfsWebConfig

Now make sure to clear your cookies, and navigate to an application connected to ADFS for which more than one CP trust is allowed to use. In that case, assuming you have cleared your cookies, the HRD page should appear and it should again be similar to what you see in figure 1.

If you need to revert back to your previous current web theme, you new to activate it as such and check it has been activated

Set-AdfsWebConfig -ActiveThemeName <Current Active WebTheme Name>

Get-AdfsWebConfig

PS: make sure to test this first in a test environment!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Federation Services (ADFS), Configuration, Federation Trusts, Home Realm Discovery (HRD), Migration, onload.js | Leave a Comment »

(2014-10-12) Migrating Or Upgrading To A New ADFS Version

Posted by Jorge on 2014-10-12


Currently at the time of writing the following ADFS versions are available:

  • ADFS v1.0 as a server role in Windows Server 2003 R2
  • ADFS v1.1 as a server role in Windows Server 2008
  • ADFS v1.1 as a server role in Windows Server 2008 R2
  • ADFS v2.0 as a separate download for both Windows Server 2008 and Windows Server 2008 R2
  • ADFS v2.1 as a server role in Windows Server 2012
  • ADFS v3.0 as a server role in Windows Server 2012 R2
  • ADFS v4.0 (?) as a server role in Windows Server vNext

With regards to the terms used here I mean the following with:

  • Upgrading: adding an new ADFS STS to an existing ADFS farm. This is only possible if the "old" version can interoperate with the "new" version at farm level
  • Migration: exporting all configuration from the existing ADFS farm and importing it into a new ADFS farm. This is always possible, either manually or (semi-) automated

Both ADFS v1.0 and ADFS v1.1 are almost the same, so upgrading from ADFS v1.0 to ADFS v1.1 is possible.

When comparing ADFS v1.x with any ADFS version starting from ADFS v2.0 you will understand, they are far from the same/similar. Therefore the only way is to migrate, and you will have to do everything manually.

Both ADFS v2.0 and ADFS v2.1 are almost the same, so upgrading from ADFS v2.0 to ADFS v2.1 is possible. While having an existing farm consisting of only ADFS v2.0 STS servers, you can add ADFS v2.1 STS servers to that farm and remove the ADFS v2.0 STS servers. Be sure to check for any custom code that you implemented and see if it still works. One thing is certain and that is you will have to recompile any DLL used by any custom attribute with the correct .NET version.

Although ADFS v2.x looks very similar to ADFS v3.0 and ADFS v4.0, under the hood they are quite different. Because of that, it is NOT possible to upgrade from ADFS v2.x to ADFS v3.0 or ADFS v4.0. The only way is to migrate everything. Be sure to check for any custom code that you implemented and see if it still works or if it needs to be implemented differently. One thing is certain and that is you will have to recompile any DLL used by any custom attribute with the correct .NET version.

For more information about this have a look at the info through the following links:

The links above provide information when migrating from ADFS v2.x to ADFS v3.0. That information also applies when migrating from ADFS v2.x to ADFS v4.0. However, you need to take some subtle differences into account.

For example:

  • Enabling RelayState in ADFS v2.0 is done by editing the file "C:\inetpub\adfs\ls\web.config"
  • Enabling RelayState in ADFS v2.1 and ADFS v3.0 is done by editing the file "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
  • Enabling RelayState in ADFS v4.0 done by configuring an ADFS property

REMARK: Regarding enabling RelayState in ADFS, see: (2014-10-16) Enabling RelayState In ADFS Versions

What I’m trying to say is that in ADFS v2.x and ADFS v3.0, some configuration needed to take place in configuration files and many of those configuration have moved to become ADFS properties. So when migrating from ADFS v2.x to ADFS v4.0 and you are using the guide above, check if a property in a configuration file in ADFS v2.x has become a property in ADFS v4.0

Although ADFS v4.0 contains some interesting enhancements (see: (2014-10-03) ADFS In vNext To Support Other Identity Stores Than AD Only), compared to ADFS v3.0, both ADFS v3.0 and ADFS v4.0 are almost the same, so upgrading from ADFS v3.0 to ADFS v4.0 is possible. While having an existing farm consisting of only ADFS v3.0 STS servers, you can add ADFS v4.0 STS servers to that farm and remove the ADFS v3.0 STS servers. Be sure to check for any custom code that you implemented and see if it still works. One thing is certain and that is you will have to recompile any DLL used by any custom attribute with the correct .NET version. Now when looking at the enhancements in ADFS v4.0 how is it possible to have those and still interoperate between ADFS v3.0 and ADFS v4.0 in the same farm, while ADFS v3.0 does not support those enhancements? That’s where an ADFS farm enters the world of functional levels. Yes, you are reading it right.  ADFS v4.0 introduces the so called Farm Behavior/Level. When mixing ADFS v3.0 and ADFS v4.0 in the same ADFS farm, any ADFS v4.0 STS will tell you the following about the farm.

image

Figure 1: Viewing The Farm Behavior/Level Through An ADFS v4.0 STS When Upgrading From ADFS v3.0 To ADFS v4.0

So, how can you change the farm level? Well, first introduce at least one ADFS v4.0 STS server into the existing ADFS farm. When using WID configure the new ADFS v4.0 STS to become the primary farm member. Follow the steps as mentioned in (2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not. When using SQL, no need to transfer the primary member role as that only exist when using WID. Now introduce as many ADFS v4.0 STS members as needed. Make sure have implemented all certificates with private keys in the certificate store, and all (recompiled) attribute store DLLs on every new ADFS v4.0 STS member. After doing that get rid of the old ADFS v3.0 members.

image

Figure 2: ADFS MMC On An ADFS v4.0 STS Before The Increased Of the Farm Behavior/Level (The Same As The ADFS MMC On An ADFS v3.0 STS)

Now at this point in time you can increase the farm behavior/level. To do that, make sure that every ADFS v4.0 STS farm member has Remote Management enabled, which is enabled by default. That can be done on every ADFS v4.0 STS farm member through Server Manager or by executing the following command line: quickconfig winrm

# Import The ADFS PowerShell Module
Import-Module ADFS

# Get The Current Farm Behavior/Level
(Get-ADFSProperties).CurrentFarmBehavior

# Define The Admin Credentials For ADFS When Connecting
$adfsAdminUserName = '<DOMAIN\ADFSADMINACCOUNT>'
$adfsAdminPassword = '<ADFSADMINACCOUNTPASSWORD>' | ConvertTo-SecureString -asPlainText -Force
$adfsAdminCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adfsAdminUserName,$adfsAdminPassword

# Increase The Farm Behavior/Level
Invoke-AdfsFarmBehaviorLevelRaise -Member <Comma-Separated list of the FQDN of each farm member> -Credential $adfsAdminCreds

# Get The New Farm Behavior/Level
(Get-ADFSProperties).CurrentFarmBehavior

 

image

Figure 3: Increasing The ADFS Farm Level

As you can see the Farm Behavior/Level was increased to "Threshold", whatever that may mean!

During the Farm Behavior/Level increase a new database "AdfsConfigurationV2" is created, using the old database "AdfsConfiguration" as input. After the upgrade the old database is not removed. On every farm member the connection string is adjusted to point to the new database.

image

Figure 4: Increasing Farm Behavior/Level Results In New Configuration Database "AdfsConfigurationV2"

REMARK: Remember that currently you may have features enabled that can only be enabled after the Farm Behavior/Level increase!

REMARK: I have not tested this, but one thing to keep in mind, AFTER the Farm Behavior/Level when performing an upgrade, is that any new ADFS STS member most likely needs to be configured through PowerShell as you need to specify a custom connection string for SQL.

image

Figure 5: ADFS MMC On An ADFS v4.0 STS After The Increased Of the Farm Behavior/Level (Also Applies When Installing A Brand New ADFS Farm)

image

Figure 6: Viewing The Farm Behavior/Level Through An ADFS v4.0 STS When Installing A New Farm

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Migration, Upgrading | 3 Comments »

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Posted by Jorge on 2014-04-02


The guys from AskPFE have written an interesting series of building an ADFS lab on W2K12 and then upgrade that to ADFS on W2K12R2 .

How to Build Your ADFS Lab on Server 2012 Part 1

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

How to Build Your ADFS Lab on Server 2012 Part 3: ADFS Proxy

How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2

With regards to migrating ADFS v2.x to ADFS v3.0, also have a look at (2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Migration, Proxy Service, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Posted by Jorge on 2014-03-12


In this article Microsoft explains how to migrate from ADFS v2.x to ADFS v3.0. In this blog post I have added multiple PowerShell scripts to help you migrate as automated as possible.

!!! DISCLAIMER/REMARKS !!!

  • These scripts are freeware, you are free to distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it
  • These scripts are furnished "AS IS". No warranty is expressed or implied!
  • Always test first in lab environment to see if it meets your needs!
  • Use these scripts at your own risk!
  • I do not warrant these scripts to be fit for any purpose, use or environment
  • I have tried to check everything that needed to be checked, but I do not guarantee these scripts do not have bugs.
  • I do not guarantee these scripts will not damage or destroy your system(s), environment or whatever.
  • I do not accept any liability in any way if you screw up, use the scripts wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the scripts and delete it immediately!

!!! DISCLAIMER/REMARKS !!!

All scripts can also be downloaded from here.

+++++++++++++++++++++++++++++++++
++++++++++++++ PREPARE ++++++++++
+++++++++++++++++++++++++++++++++

# +++[P1]+++ Create Migration Folders
#SCRIPT NAME --> "C:\TEMP\Create-Folders.ps1"
New-Item "C:\ADFS-MIG" -ItemType Directory
New-Item "C:\ADFS-MIG\Config" -ItemType Directory
New-Item "C:\ADFS-MIG\Export" -ItemType Directory
New-Item "C:\ADFS-MIG\Service" -ItemType Directory
New-Item "C:\ADFS-MIG\Web" -ItemType Directory

++++++++++++++++++++++++++++++++

++++++++++++ EXPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[E1]+++ Output Federation Service Properties (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Output-Federation-Service-Properties.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Add-PSSnapIn Microsoft.ADFS.PowerShell
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Import-Module ADFS
}
# Record ADFS Service Properties
Get-Service -Name ADFSSRV | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt
Get-WmiObject win32_service | ?{$_.name -eq "ADFSSRV"} | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt -Append
# Record All ADFS Properties
Get-ADFSProperties | Out-File C:\ADFS-MIG\Config\ADFSProperties.txt
# Record All ADFS Endpoints
Get-ADFSEndpoint | Out-File C:\ADFS-MIG\Config\ADFSEndpoint.txt
# Record All ADFS Claim Descriptions
Get-ADFSClaimDescription | Out-File C:\ADFS-MIG\Config\ADFSClaimDescription.txt
# Record All ADFS Certificates
Get-ADFSCertificate | Out-File C:\ADFS-MIG\Config\ADFSCertificate.txt
# Record All ADFS Claims Provider Trusts
Get-ADFSClaimsProviderTrust | Out-File C:\ADFS-MIG\Config\ADFSClaimsProviderTrust.txt
# Record All ADFS Relying Party Trusts
Get-ADFSRelyingPartyTrust | Out-File C:\ADFS-MIG\Config\ADFSRelyingPartyTrust.txt
# Record All ADFS Attribute Stores
Get-ADFSAttributeStore | %{
    "##########" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Name. = " + $_.Name | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Class = " + $_.StoreTypeQualifiedName | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Config:" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    $_.Configuration.GetEnumerator() | %{
        "  * " + $_.Name + " = " + $_.Value | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    }
    "" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
}

# +++[E2]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-STS.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $ADFSCertificates = Get-ADFSCertificate
    $adfsSvcCommCert = $ADFSCertificates | ?{$_.CertificateType -eq "Service-Communications" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsSvcCommCert | Measure-Object).Count -eq 1) {
        $adfsSvcCommCertThumbprint = $adfsSvcCommCert.Certificate.Thumbprint
        $adfsSvcCommCertName = "ADFS Service Communication Cert (STS)"

        $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
        If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
            $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
            $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
        }
    }
    
    $adfsTokenSignCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Signing" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenSignCert | Measure-Object).Count -ge 1) {
        $i = 1
        $adfsTokenSignCert | %{
            $adfsTokenSignCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenSignCertName = "ADFS Token Signing Cert (STS) (" + $i + ")"

            $adfsTokenSignCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenSignCertThumbprint}
            If ($adfsTokenSignCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenSignCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenSignCertBytesCER = $adfsTokenSignCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".cer"), $adfsTokenSignCertBytesCER)
                $adfsTokenSignCertBytesPFX = $adfsTokenSignCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".pfx"), $adfsTokenSignCertBytesPFX)
            }
            $i += 1
        }
    }

    $adfsTokenEncryptCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Decrypting" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenEncryptCert | Measure-Object).Count -ge 1) {
        $j = 1
        $adfsTokenEncryptCert | %{
            $adfsTokenEncryptCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenEncryptCertName = "ADFS Token Encryption Cert (STS) (" + $j + ")"

            $adfsTokenEncryptCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenEncryptCertThumbprint}
            If ($adfsTokenEncryptCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenEncryptCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenEncryptCertBytesCER = $adfsTokenEncryptCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".cer"), $adfsTokenEncryptCertBytesCER)
                $adfsTokenEncryptCertBytesPFX = $adfsTokenEncryptCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".pfx"), $adfsTokenEncryptCertBytesPFX)
            }
            $j += 1
        }
    }
}

# +++[E3]+++ Export The ADFS v2.x Configuration To XML Files (On ADFS STS Only!)
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Export-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

# +++[E4]+++ Copy The ADFS v2.x Web Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Server-Configuration-Files.ps1"
Import-Module WebAdministration
$adfsWebPath = (Get-WebApplication "adfs/ls").PhysicalPath
Copy-Item $($adfsWebPath + "\*") "C:\ADFS-MIG\Web" -Recurse 

# +++[E5]+++ Copy The ADFS v2.x Service Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Service-Configuration-File.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Program Files\Active Directory Federation Services 2.0\*") "C:\ADFS-MIG\Service" -Recurse
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Windows\ADFS\*") "C:\ADFS-MIG\Service" -Recurse
}

# +++[E6]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-PRX.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $adfsSvcCommCertThumbprint = (Get-WebBinding "Default Web Site" -protocol https).certificateHash
    $adfsSvcCommCertName = "ADFS Service Communication Cert (PRX)"
    $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
    If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
        $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
        $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
    }
}

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++ CREATE/JOIN/CONFIGURE ADFS ++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

# +++[C1]+++ Create ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C2]+++ Create ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

# +++[C3]+++ Create ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C4]+++ Create ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
$adfsTokenSignCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Signing Certificate"
$adfsTokenEncryptCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Encryption Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

# +++[C5]+++ Join ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C6]+++ Join ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C7]+++ Join ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C8]+++ Join ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C9]+++ Install And Configure Web Application Proxy
#SCRIPT NAME --> "C:\ADFS-MIG\Install-And-Configure-Web-Application-Proxy.ps1"
Add-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsAdminCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Install-WebApplicationProxy -FederationServiceName $adfsSvcFQDN -FederationServiceTrustCredential $adfsAdminCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C10]+++ Add/Publish Web Applications Through Web Application Proxy
Get-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283413.aspx
Get-WebApplicationProxyAvailableADFSRelyingParty --> http://technet.microsoft.com/en-us/library/dn283412.aspx
Add-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283409.aspx

++++++++++++++++++++++++++++++++

++++++++++++ IMPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[I1]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-STS-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (STS).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}
$adfsTokenSignCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Signing Cert (STS)*.pfx'
If (($adfsTokenSignCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenSignCertPFXFile | %{Import-PfxCertificate -FilePath $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}
$adfsTokenEncryptCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Encryption Cert (STS)*.pfx'
If (($adfsTokenEncryptCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenEncryptCertPFXFile | %{Import-PfxCertificate $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}

# +++[I2]+++ Import The ADFS v2.x Configuration From The XML Files Into ADFS v3.0
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Import-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

# +++[I3]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy/WAP Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-PRX-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (PRX).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}

A while back I also found a blog post with PowerShell script to quickly deploy both ADFS v3.0 and WAP. You can find that blog post here.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Certificates, Farm, Federation Trusts, Migration, Proxy Service, Security Token Service (STS) | 6 Comments »

 
%d bloggers like this: