Archive for the ‘Security Token Service (STS)’ Category

(2014-10-28) You Have Multiple AD Forests And You Also Need ADFS – What Are The Possibilities?

Posted by Jorge on 2014-10-28

In the following blog posts I explained for which user accounts an ADFS STS was able to issue security tokens: (2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens.

–

Unless your AD forests have a forest-wide two-way trust with the AD forest hosting ADFS, you would need to deploy an additional ADFS instance for every other AD forest and setup federation. In this post let’s have a look at some subtle differences in setup, and also something new that recently became possible.

–

[Scenario 1]

DMZ forest fully trusts the internal forest (forest wide authentication is enabled)
Internal forest DOES NOT trust the DMZ forest
ADFS server is member of the DMZ forest
ADFS service account is part of the internal forest

–

With this setup it is possible for:

Internal users to authenticate against the ADFS STS server
DMZ users to authenticate against the ADFS STS server
The ADFS service account to retrieve attribute info for users part of the internal forest
The ADFS service account to retrieve attribute info for users part of the DMZ forest

–

The biggest downside here is that in this scenario you have a very powerful system, the ADFS STS server, in the DMZ that is allowed to issue security tokens for connected applications on the internal forest or in the cloud. If that ADFS STS server is compromised, everything connected to ADFS (e.g. applications, other federation systems) goes down the drain. In addition, if the service account from the internal forest, which is used on the ADFS STS server in the DMZ forest, is compromised, it can be used to access anything on the internal forest where it has explicit permissions, or through authenticated users. Rule of thumb: NEVER place an ADFS STS in a DMZ forest!

This scenario would also not work when you have multiple forests compared to the DMZ forest. You would still need to implement an ADFS instance in the forests similar to the DMZ forest.

REMARK: I would never suggest this setup as its security is really bad.

–

[Scenario 2]

DMZ forest fully trusts the internal forest (forest wide authentication is enabled)
Internal forest selectively trusts the DMZ forest (selective authentication is enabled)
ADFS server is member of the internal forest
ADFS service account is part of the DMZ forest

–

With this setup it is possible for:

Internal users to authenticate against the ADFS STS server
DMZ users to authenticate against the ADFS STS server
The ADFS service account to retrieve attribute info for users part of the internal forest, but only AFTER it has been given the explicit permission "Allowed To Authenticate" on every DC computer account to be able to perform LDAP queries
The ADFS service account to retrieve attribute info for users part of the DMZ forest

–

The biggest downside here is that in this scenario the ADFS service is able to perform any LDAP query for anything it likes. Besides that you have to configure it in such a way that it does not become a management nightmare when you add new DCs and/or remove existing DCs. The only way to achieve that easily would be to configure the permissions on the "Domain Controllers" OU in every AD domain in the internal forest. This scenario would also not work when you have multiple forests compared to the DMZ forest. You would still need to implement multiple AD service accounts which ADFS does not support.

REMARK: I would never suggest this setup as its security is really bad and I do not like the setup either.

–

[Scenario 3]

DMZ forest fully trusts the internal forest (forest wide authentication is enabled)
Internal forest selectively trusts the DMZ forest (selective authentication is enabled)
ADFS server is member of the internal forest
ADFS service account is part of the internal forest

–

With this setup it is possible for:

Internal users to authenticate against the ADFS STS server
DMZ users to authenticate against the ADFS STS server, but only AFTER those users have been given the explicit permission "Allowed To Authenticate" on the ADFS service account. This can be done through a custom security group, which needs to be managed, or by just using the "Authenticated Users" well-known security principal.
The ADFS service account to retrieve attribute info for users part of the internal forest
The ADFS service account to retrieve attribute info for users part of the DMZ forest

–

This way all important and secure resources are in the internal forest, and DMZ users can only authenticate against the ADFS STS server and nothing else.

REMARK: I would suggest this setup as its security and setup is better than the previous 2 scenarios.

–

[Scenario 4]

DMZ forest DOES NOT trust the internal forest
Internal forest DOES NOT trust the DMZ forest
ADFS server is member of the internal forest
ADFS service account is part of the internal forest

–

With this setup it is possible for:

Internal users to authenticate against the ADFS STS server
DMZ users to authenticate against the ADFS STS server, but only AFTER a so called local claims provider has been configured for every untrusted forest as explained in the following blog post: (2014-10-20) Configuring A New Identity Store As A Claims Provider In ADFS
The ADFS service account to retrieve attribute info for users part of the internal forest
The ADFS service account to retrieve attribute info for users part of the DMZ forest, through the credentials configured for the local claims provider.

–

The biggest downside here is that this scenario is only possible with ADFS v4.0! For more information see: (2014-10-20) Configuring A New Identity Store As A Claims Provider In ADFS. This scenario would also work when you have multiple forests compared to the DMZ forest. You would to configure a local claims provider for every untrusted AD forest.

REMARK: I would suggest this setup as its security and setup is better than the previous scenarios as it does not require Windows trusts at all!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Security Token Service (STS), Security Tokens, Service Account | 11 Comments »

(2014-05-12) Automatic Metadata Exchange From Shibboleth To ADFS Fails With Multiple Encryption Certificates

Posted by Jorge on 2014-05-12

For ADFS I have explained in this blog post, from a process perspective, what you need to do when you need to replace any of the certificates in use by ADFS. Shibboleth is yet another federated identity solution and it is open source. You can read more about it here and here.

–

Like ADFS, Shibboleth (and any other federated identity solution) uses certificates for Token Signing and Token Encryption and you can either just use one certificate for both or use 2 individual certificates, one for each operation.

–

[Scenario 1] If you use just one certificate for both operations, your Shibboleth configuration (in ..\Shibboleth-SP\etc\shibboleth\shibboleth2.xml) regarding certificates may be similar to:

–

[Scenario 2] If you use just one certificate for each operation, your Shibboleth configuration (in ..\Shibboleth-SP\etc\shibboleth\shibboleth2.xml) regarding certificates may be similar to:

–

REMARK: it is not mandatory to specify ‘use’ or keyname. When no ‘use’ is specified explicitly, it is both used for signing and encryption. When no ‘keyname’ is specified it uses the common name of the certificate as the keyname.

–

Based upon the configuration above in Shibboleth, you will the following in ADFS (or something similar)

Figure 1: The Federation Trust With A Token Encryption Certificate

–

Figure 2: The Federation Trust With One Token Signing Certificate

–

Shibboleth supports the publication of information regarding the federated identity solution into the federated identity solution metadata. ADFS in turn supports the consumption of automatic published metadata. So you are good to go and you have no worries when the federation partner using Shibboleth needs to replace the current certificates! Wrong!.

–

After the federation partner using Shibboleth configures Shibboleth using one of the following ways, or something similar:

[Scenario 1] If you use just one certificate for both operations, your Shibboleth configuration (in ..\Shibboleth-SP\etc\shibboleth\shibboleth2.xml) regarding certificates may be similar to:

–

[Scenario 2] If you use just one certificate for each operation, your Shibboleth configuration (in ..\Shibboleth-SP\etc\shibboleth\shibboleth2.xml) regarding certificates may be similar to:

–

…you will start to see the following error in ADFS

[A] the federation trust with a red cross and not updating itself while automatic monitoring and updating is enabled

Figure 3: A Federation Trust In Error

–

Figure 4: An Outdated Federation Trust With Automatic Monitoring/Updating

–

[B] the next time you manually update the metadata through the GUI of the CP or RP Trust representing the Shibboleth federated identity solution

Figure 5: Manually Updating The Metadata Of A Shibboleth Based Federated Identity Solution Using The ADFS GUI Results In Error

–

An unexpected error occurred during an attempt to process the federation metadata. Verify that the federation metadata is correct and try again.
Error message: MSIS7508: The metadata contains unexpected data. Conflicting encryption certificates were found in the RoleDescriptors needed to represent a service provider role.

–

[C] the next time you manually update the metadata through PowerShell of the CP or RP Trust representing the Shibboleth federated identity solution

Figure 6: Manually Updating The Metadata Of A Shibboleth Based Federated Identity Solution Using The ADFS CMDlets Results In Error

–

Update-ADFSRelyingPartyTrust : MSIS7508: The metadata contains unexpected data. Conflicting encryption certificates were found in the RoleDescriptors needed to represent a service provider role.
At line:1 char:29
+ Update-ADFSRelyingPartyTrust <<<< -TargetName "Shibboleth Service Provider (R1FSMBSV4)"
+ CategoryInfo : NotSpecified: (Microsoft.Ident…lyingPartyTrust:RelyingPartyTrust) [Update-ADFSRelyingPartyTrust], MetadataProcessingException
+ FullyQualifiedErrorId : MSIS7508,Microsoft.IdentityServer.PowerShell.Commands.UpdateRelyingPartyTrustCommand

–

The reason this happens is that ADFS does not support (accept) the consumption of (automatic) metadata from another federated identity solution that publishes two Token Encryption certificates. Shibboleth publishes as many Token Encryption certificates as you have configured it with. This may also apply to other federated identity solutions. This is not a problem if multiple Token Signing certificates are published.

–

The first thing you need to do is download the metadata to a file using the federation metadata URL as specified in the federation trust (see figure 2). Save the metadata to a file called "METADATA_<TRUST NAME>_ORG.TXT". Then make a copy of that file and name it "METADATA_<TRUST NAME>_MODIFIED.TXT". Now open and edit the last file.

If "scenario 1" applies, 2 so called CredentialResolvers have been defined in Shibboleth and in the metadata you will find 2 "<md:KeyDescriptor>" sections. Depending on the way it has been configured you may not be able to distinguish between the current certificate(s) and the new certificate(s). For each "<md:KeyDescriptor>" section copy the data/value in the "<ds:X509Certificate>" section into the decoding window on a website such as http://www.sslshopper.com/certificate-decoder.html or http://redkestrel.co.uk/products/decoder/. After doing that for each certificate you will see something such as shown in the pictures below. Now you will be able to determine which certificate is the current certificate and which is the new certificate.

Figure 7: Decoded Data Of A Certificate (This Is The Current/Old Certificate)

–

Figure 8: Decoded Data Of A Certificate(This Is The New Certificate)

–

For the current/oldest certificate configure the <md:KeyDescriptor> (figure 9) as <md:KeyDescriptor use="signing"> (figure 10)

Figure 9: KeyDescriptor Without Use Specification – Old Certificate Used For Both Signing And Encryption (Before)

–

Figure 10: KeyDescriptor With Use Specification – Old Certificate Used For Signing Only (After)

–

For the newest certificate create a full copy of the <md:KeyDescriptor>

For the newest certificate configure the first <md:KeyDescriptor> (figure 11) as <md:KeyDescriptor use="signing"> (figure 12)

Figure 11: KeyDescriptor Without Use Specification – New Certificate Used For Both Signing And Encryption (Before)

–

Figure 12: KeyDescriptor With Use Specification – New Certificate Used For Signing Only (After)

–

For the newest certificate configure the second <md:KeyDescriptor> (figure 13) as <md:KeyDescriptor use="encryption"> (figure 14)

Figure 13: KeyDescriptor Without Use Specification – New Certificate Used For Both Signing And Encryption (Before)

–

Figure 14: KeyDescriptor With Use Specification – New Certificate Used For Encryption Only (After)

–

After performing the changes save "METADATA_<TRUST NAME>_MODIFIED.TXT"

–

Now it is time to manually update the CP or RP trust with the new metadata.

First execute: Add-PsSnapin microsoft.adfs.powershell (ADFS v2.0) OR Import-Module ADFS (ADFS v2.x and higher)

For CP Trusts execute: Update-ADFSClaimsProviderTrust -TargetName "<CP Trust Name>" -MetadataFile "<Path to file METADATA_<TRUST NAME>_MODIFIED.TXT>"

For RP Trusts execute: Update-ADFSRelyingPartyTrust -TargetName "<RP Trust Name>" -MetadataFile "<Path to file METADATA_<TRUST NAME>_MODIFIED.TXT>"

–

After executing the update command you most likely will see the following. The yellow errors can be ignored.

Figure 15: Manually Updating The Metadata Of The Federation Trust

–

When checking the federation trust you will that the certificates have been updated

Figure 16: The Federation Trust With A New Token Encryption Certificate

–

Figure 17: The Federation Trust With Two Token Signing Certificates (One Old And One New)

–

Be aware that the errors on figure 4, 5 and 6 will continue to occur until the Shibboleth administrator has removed the multiple definitions of a Token Encryption certificate. As soon as that happens, the metadata can be updated again automatically!

When updating the metadata manually you will again see:

Figure 18: Manually Updating The Metadata Of A Shibboleth Based Federated Identity Solution Using The ADFS GUI Results In Messaging Stating Incompatibilities

–

If "scenario 2" applies, 4 so called CredentialResolvers have been defined in Shibboleth and in the metadata you will find 4 "<md:KeyDescriptor>" sections. Depending on the way it has been configured you may not be able to distinguish between the current certificate(s) and the new certificate(s). For each "<md:KeyDescriptor>" section copy the data/value in the "<ds:X509Certificate>" section into the decoding window on a website such as http://www.sslshopper.com/certificate-decoder.html or http://redkestrel.co.uk/products/decoder/. After doing that for each certificate you will see something such as shown in the pictures 7 and 8. Now you will be able to determine which certificate is the current certificate and which is the new certificate.

–

For the current/oldest encryption certificate remove its <md:KeyDescriptor use="encryption"> section. You are now left with three <md:KeyDescriptor> sections where each already has a use defined. Save the file and update the federation trust accordingly as explained above. Be aware that the errors on figure 4, 5 and 6 will continue to occur until the Shibboleth administrator has removed the multiple definitions of a Token Encryption certificate. As soon as that happens, the metadata can be updated again automatically!

–

Posted in Active Directory Federation Services (ADFS), Certificates, Federation Metadata, Security Token Service (STS), Shibboleth | Leave a Comment »

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Posted by Jorge on 2014-04-02

The guys from AskPFE have written an interesting series of building an ADFS lab on W2K12 and then upgrade that to ADFS on W2K12R2 .

–

How to Build Your ADFS Lab on Server 2012 Part 1

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

How to Build Your ADFS Lab on Server 2012 Part 3: ADFS Proxy

How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2

–

With regards to migrating ADFS v2.x to ADFS v3.0, also have a look at (2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

–

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Migration, Proxy Service, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-03-24) ADFS v3.0 In W2K12R2 And Related Features In Summary With Details

Posted by Jorge on 2014-03-24

Mylo has written a number of blog posts focusing on his first impressions regarding ADFS v3.0 in W2K12R2 and related features (e.g. Workplace Join, Device Registration, Web Application Proxy, etc). The blog posts are a perfect summary with lots of interesting details. Wow, my compliments!

–

First Impressions – AD FS and Windows Server 2012 R2 – Part I

First Impressions – AD FS and Windows Server 2012 R2 – Part II

First Impressions – AD FS and Windows Server 2012 R2 – Part III (to be published by Mylo)

–

In addition to this Ramiro Calderon has written great blog posts focusing on MFA in ADFS v3.0. Again, my compliments!

Under the hood tour on Multi-Factor Authentication in ADFS – Part 1: Policy

Under the hood tour on Multi-Factor Authentication in ADFS – Part 2: MFA aware Relying Parties

–

Posted in Active Directory Federation Services (ADFS), Device Registration, Security Token Service (STS), Web Application Proxy, Workplace Join | Leave a Comment »

(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

Posted by Jorge on 2014-03-19

If ADFS was installed in the past by someone else and there is little to no documentation, how do you know, when using WID, which ADFS STS instance is the primary federation server or any other federation server? Keep reading to find out how to determine that!

–

How To Find The Primary Federation Server When Using WID?

The concept of a primary federation server and secondary federation servers only exists when leveraging WID. When using SQL all federation servers are equal. In the case of WID, the primary federation server has a read/write copy of the ADFS configuration database.

–

The primary federation server is always created when you use the ADFS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.

Figure 1: ADFS Leveraging WID – The ADFS MMC On The Primary Federation Server

–

Figure 2: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is The Primary Federation Server

–

The secondary federation servers store a read-only copy of the ADFS configuration database from the primary federation server. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals (5 minutes) to check whether data has changed. It is also possible to force synchronization. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment. If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online OR you have nominated an existing secondary federation server as the new primary federation server.

Figure 3: ADFS Leveraging WID – The ADFS MMC On Any Secondary Federation Server

–

Figure 4: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is NOT The Primary Federation Server

–

How to transfer the primary computer role to another ADFS STS when using WID?

Unfortunately, it is not like the olf NT4 PDC/BDC model that by moving the primary computer role to another ADFS STS, the other ADFS STSes become aware of that.

On the ADFS STS becoming the new primary computer execute: Set-AdfsSyncProperties -Role PrimaryComputer
On all other ADFS STS execute: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN new ADFS STS With Primary Computer Role>

–

Posted in Active Directory Federation Services (ADFS), DB On WID, Security Token Service (STS) | 4 Comments »

(2014-03-17) Gathering Architectural Details From Your ADFS Infrastructure – ADFS Config DB On WID Or SQL

Posted by Jorge on 2014-03-17

If ADFS was installed in the past by someone else and there is little to no documentation, how do you know if you are using WID or SQL for the ADFS config database? Keep reading to find out how to determine that!

–

ADFS Configuration Database On WID Or SQL?

This is quite easy to determine by running the following PowerShell commands:

$ADFSSTS = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$ADFSSTS

–

When you see the following connection string, your ADFS installation is using WID. In this case the screen dump was taken from a W2K8R2 server with ADFS v2.0.

Figure 1: Leveraging WID For ADFS v2.0 On W2K8R2

–

When you see the following connection string, your ADFS installation is using SQL. In this case the screen dump was taken from a W2K8R2 server with ADFS v2.0. It is also using the default SQL instance. If a custom SQL instance was used, you would see something like <Server Name>\<Instance Name>.

Figure 2: Leveraging SQL For ADFS v2.0 On W2K8R2

–

When you see the following connection string, your ADFS installation is using WID. In this case the screen dump was taken from a W2K12R2 server with ADFS v3.0.

Figure 3: Leveraging WID For ADFS v3.0 On W2K12R2

–

When you see the following connection string, your ADFS installation is using SQL. In this case the screen dump was taken from a W2K12R2 server with ADFS v3.0. It is also using the default SQL instance. If a custom SQL instance was used, you would see something like <Server Name>\<Instance Name>.

Figure 4: Leveraging SQL For ADFS v3.0 On W2K12R2

–

For differences between ADFS on WID or ADFS on SQL see: The Role of the AD FS Configuration Database.

To migrate the database from WID to SQL see: AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On SQL, DB On WID, Security Token Service (STS) | 2 Comments »

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Posted by Jorge on 2014-03-12

In this article Microsoft explains how to migrate from ADFS v2.x to ADFS v3.0. In this blog post I have added multiple PowerShell scripts to help you migrate as automated as possible.

–

!!! DISCLAIMER/REMARKS !!!

These scripts are freeware, you are free to distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it
These scripts are furnished "AS IS". No warranty is expressed or implied!
Always test first in lab environment to see if it meets your needs!
Use these scripts at your own risk!
I do not warrant these scripts to be fit for any purpose, use or environment
I have tried to check everything that needed to be checked, but I do not guarantee these scripts do not have bugs.
I do not guarantee these scripts will not damage or destroy your system(s), environment or whatever.
I do not accept any liability in any way if you screw up, use the scripts wrong or in any other way where damage is caused to your environment/systems!
If you do not accept these terms do not use the scripts and delete it immediately!

!!! DISCLAIMER/REMARKS !!!

–

All scripts can also be downloaded from here.

+++++++++++++++++++++++++++++++++
++++++++++++++ PREPARE ++++++++++
+++++++++++++++++++++++++++++++++

# +++[P1]+++ Create Migration Folders
#SCRIPT NAME --> "C:\TEMP\Create-Folders.ps1"
New-Item "C:\ADFS-MIG" -ItemType Directory
New-Item "C:\ADFS-MIG\Config" -ItemType Directory
New-Item "C:\ADFS-MIG\Export" -ItemType Directory
New-Item "C:\ADFS-MIG\Service" -ItemType Directory
New-Item "C:\ADFS-MIG\Web" -ItemType Directory

–

++++++++++++++++++++++++++++++++

++++++++++++ EXPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[E1]+++ Output Federation Service Properties (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Output-Federation-Service-Properties.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Add-PSSnapIn Microsoft.ADFS.PowerShell
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Import-Module ADFS
}
# Record ADFS Service Properties
Get-Service -Name ADFSSRV | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt
Get-WmiObject win32_service | ?{$_.name -eq "ADFSSRV"} | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt -Append
# Record All ADFS Properties
Get-ADFSProperties | Out-File C:\ADFS-MIG\Config\ADFSProperties.txt
# Record All ADFS Endpoints
Get-ADFSEndpoint | Out-File C:\ADFS-MIG\Config\ADFSEndpoint.txt
# Record All ADFS Claim Descriptions
Get-ADFSClaimDescription | Out-File C:\ADFS-MIG\Config\ADFSClaimDescription.txt
# Record All ADFS Certificates
Get-ADFSCertificate | Out-File C:\ADFS-MIG\Config\ADFSCertificate.txt
# Record All ADFS Claims Provider Trusts
Get-ADFSClaimsProviderTrust | Out-File C:\ADFS-MIG\Config\ADFSClaimsProviderTrust.txt
# Record All ADFS Relying Party Trusts
Get-ADFSRelyingPartyTrust | Out-File C:\ADFS-MIG\Config\ADFSRelyingPartyTrust.txt
# Record All ADFS Attribute Stores
Get-ADFSAttributeStore | %{
    "##########" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Name. = " + $_.Name | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Class = " + $_.StoreTypeQualifiedName | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Config:" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    $_.Configuration.GetEnumerator() | %{
        "  * " + $_.Name + " = " + $_.Value | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    }
    "" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
}

–

# +++[E2]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-STS.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $ADFSCertificates = Get-ADFSCertificate
    $adfsSvcCommCert = $ADFSCertificates | ?{$_.CertificateType -eq "Service-Communications" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsSvcCommCert | Measure-Object).Count -eq 1) {
        $adfsSvcCommCertThumbprint = $adfsSvcCommCert.Certificate.Thumbprint
        $adfsSvcCommCertName = "ADFS Service Communication Cert (STS)"

        $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
        If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
            $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
            $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
        }
    }
    
    $adfsTokenSignCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Signing" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenSignCert | Measure-Object).Count -ge 1) {
        $i = 1
        $adfsTokenSignCert | %{
            $adfsTokenSignCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenSignCertName = "ADFS Token Signing Cert (STS) (" + $i + ")"

            $adfsTokenSignCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenSignCertThumbprint}
            If ($adfsTokenSignCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenSignCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenSignCertBytesCER = $adfsTokenSignCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".cer"), $adfsTokenSignCertBytesCER)
                $adfsTokenSignCertBytesPFX = $adfsTokenSignCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".pfx"), $adfsTokenSignCertBytesPFX)
            }
            $i += 1
        }
    }

    $adfsTokenEncryptCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Decrypting" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenEncryptCert | Measure-Object).Count -ge 1) {
        $j = 1
        $adfsTokenEncryptCert | %{
            $adfsTokenEncryptCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenEncryptCertName = "ADFS Token Encryption Cert (STS) (" + $j + ")"

            $adfsTokenEncryptCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenEncryptCertThumbprint}
            If ($adfsTokenEncryptCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenEncryptCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenEncryptCertBytesCER = $adfsTokenEncryptCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".cer"), $adfsTokenEncryptCertBytesCER)
                $adfsTokenEncryptCertBytesPFX = $adfsTokenEncryptCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".pfx"), $adfsTokenEncryptCertBytesPFX)
            }
            $j += 1
        }
    }
}

–

# +++[E3]+++ Export The ADFS v2.x Configuration To XML Files (On ADFS STS Only!)
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Export-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

–

# +++[E4]+++ Copy The ADFS v2.x Web Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Server-Configuration-Files.ps1"
Import-Module WebAdministration
$adfsWebPath = (Get-WebApplication "adfs/ls").PhysicalPath
Copy-Item $($adfsWebPath + "\*") "C:\ADFS-MIG\Web" -Recurse

–

# +++[E5]+++ Copy The ADFS v2.x Service Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Service-Configuration-File.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Program Files\Active Directory Federation Services 2.0\*") "C:\ADFS-MIG\Service" -Recurse
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Windows\ADFS\*") "C:\ADFS-MIG\Service" -Recurse
}

–

# +++[E6]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-PRX.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $adfsSvcCommCertThumbprint = (Get-WebBinding "Default Web Site" -protocol https).certificateHash
    $adfsSvcCommCertName = "ADFS Service Communication Cert (PRX)"
    $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
    If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
        $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
        $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
    }
}

–

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++ CREATE/JOIN/CONFIGURE ADFS ++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

# +++[C1]+++ Create ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C2]+++ Create ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

–

# +++[C3]+++ Create ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C4]+++ Create ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
$adfsTokenSignCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Signing Certificate"
$adfsTokenEncryptCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Encryption Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

–

# +++[C5]+++ Join ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C6]+++ Join ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C7]+++ Join ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C8]+++ Join ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C9]+++ Install And Configure Web Application Proxy
#SCRIPT NAME --> "C:\ADFS-MIG\Install-And-Configure-Web-Application-Proxy.ps1"
Add-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsAdminCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Install-WebApplicationProxy -FederationServiceName $adfsSvcFQDN -FederationServiceTrustCredential $adfsAdminCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C10]+++ Add/Publish Web Applications Through Web Application Proxy
Get-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283413.aspx
Get-WebApplicationProxyAvailableADFSRelyingParty --> http://technet.microsoft.com/en-us/library/dn283412.aspx
Add-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283409.aspx

–

++++++++++++++++++++++++++++++++

++++++++++++ IMPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[I1]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-STS-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (STS).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}
$adfsTokenSignCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Signing Cert (STS)*.pfx'
If (($adfsTokenSignCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenSignCertPFXFile | %{Import-PfxCertificate -FilePath $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}
$adfsTokenEncryptCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Encryption Cert (STS)*.pfx'
If (($adfsTokenEncryptCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenEncryptCertPFXFile | %{Import-PfxCertificate $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}

–

# +++[I2]+++ Import The ADFS v2.x Configuration From The XML Files Into ADFS v3.0
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Import-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

–

# +++[I3]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy/WAP Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-PRX-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (PRX).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}

–

A while back I also found a blog post with PowerShell script to quickly deploy both ADFS v3.0 and WAP. You can find that blog post here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Certificates, Farm, Federation Trusts, Migration, Proxy Service, Security Token Service (STS) | 6 Comments »

(2014-03-10) Changing The Service Account For ADFS v2.x – PowerShell Script

Posted by Jorge on 2014-03-10

Adam Conkle from Microsoft has created a PowerShell script that helps you change the service account in use by ADFS v2.x (ADFS v2.0 on W2K8 and W2K8R2 and ADFS v2.1 on W2K12). The original script can be found here. The original script, and my updated script, do not support ADFS v3.0.

–

My opinion was that the script could be enhanced with better logic. My version of the script also supports the conversion from ADFS in StandAlone mode to ADFS in Farm mode. My version of the script can be found here.

–

Below you can find the changes that I made and of course "why?" Taking the original script into account replace the sections mentioned below, or get the final script using the link above

–

!!! DISCLAIMER/REMARKS !!!:

The script is freeware, you are free to distribute it, but always refer to this website as the location where you got it
This script is really really really dangerous!
This script is furnished "as is". No warranty is expressed or implied!
Always test first in lab environment to see if it meets your needs!
Use this script at your own risk!
I do not warrant this script to be fit for any purpose, use or environment
I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs.
I do not guarantee the script will not damage or destroy your system(s), environment or whatever.
I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
If you do not accept these terms do not use the script and delete it immediately!

!!! DISCLAIMER/REMARKS !!!:

–

REMOVING THE DEPENDENCY OF NTRIGHTS TO CONFIGURE THE REQUIRED USER RIGHTS

REPLACE THE FOLLOWING

Function AddUserRights 
    {     
        $RightsFailed =  $false 
        NTRights.Exe -u $NewName +r SeServiceLogonRight | Out-File $LogPath -Append 
         
        If (!$?) 
            { 
                $RightsFailed =  $true 
                Write-Host "`tFailed to add user rights for $NewName`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY" -ForegroundColor "yellow" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+ "[WARN]      Failed to add user rights for ${NewName}: 'Log on as a service', 'Generate security audits'" | Out-File $LogPath -Append 
                Return $RightsFailed 
            } 
         
        NTRights.Exe -u $NewName +r SeAuditPrivilege | Out-File $LogPath -Append 
        If (!$?) 
            { 
                $RightsFailed =  $true 
                Write-Host "`tFailed to add user rights for $NewName`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY" -ForegroundColor "yellow" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+ "[WARN]      Failed to add user rights for ${NewName}: 'Log on as a service', 'Generate security audits'" | Out-File $LogPath -Append 
                Return $RightsFailed 
            }  
        Else 
            { 
                GPUpdate /Force | Out-File $LogPath -Append 
                $RightsFailed = $false 
                Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [INFO]      User rights 'Log on as a service', 'Generate security audits' added for $NewName" | Out-File $LogPath -Append 
            } 
             
            Return $RightsFailed 
    }

WITH THE FOLLOWING

Function AddUserRights 
    {
        $RightsFailed = $null
        $tempPath = [System.IO.Path]::GetTempPath()
        $import = Join-Path -Path $tempPath -ChildPath "import.inf"
        if(Test-Path $import) {Remove-Item -Path $import -Force}
        $export = Join-Path -Path $tempPath -ChildPath "export.inf"
        if(Test-Path $export) {Remove-Item -Path $export -Force}
        $secedt = Join-Path -Path $tempPath -ChildPath "secedt.sdb"
        if(Test-Path $secedt) {Remove-Item -Path $secedt -Force}

        Write-Host ("        Granting 'Allow Logon As Service' to $NewName")
        Write-Host ("        Granting 'Generate Security Audits' to $NewName")
        ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Grant SeServiceLogonRight to $NewName" | Out-File $LogPath -Append
        ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Grant SeAuditPrivilege to $NewName" | Out-File $LogPath -Append
        
        secedit /export /cfg $export /quiet
        $currentSeServiceLogonRightSIDs = (Select-String $export -Pattern "SeServiceLogonRight").Line
        $newSeServiceLogonRightSIDs = $currentSeServiceLogonRightSIDs
        $currentSeAuditPrivilegeSIDs = (Select-String $export -Pattern "SeAuditPrivilege").Line
        $newSeAuditPrivilegeSIDs = $currentSeAuditPrivilegeSIDs
        $oldSidString = $OldSID.Value
        $newSidString = $NewSID.Value
        # Processing Allow Logon As Service
        If ($newSeServiceLogonRightSIDs -match $oldSidString -And $oldSidString -ne "S-1-5-19" -And $oldSidString -ne "S-1-5-20") {
            $newSeServiceLogonRightSIDs = $newSeServiceLogonRightSIDs.replace(",*$oldSidString","")
            $newSeServiceLogonRightSIDs = $newSeServiceLogonRightSIDs.replace("*$oldSidString,","")
        }
        If ($newSeServiceLogonRightSIDs -notmatch $newSidString) {
            $newSeServiceLogonRightSIDs = $newSeServiceLogonRightSIDs + ",*" + $newSidString
        }
        $newSeServiceLogonRightSIDs = $newSeServiceLogonRightSIDs.replace("Classic .NET AppPool","IIS AppPool\Classic .NET AppPool")
        
        # Processing Allow Generate Security Audits
        If ($newSeAuditPrivilegeSIDs -match $oldSidString -And $oldSidString -ne "S-1-5-19" -And $oldSidString -ne "S-1-5-20") {
            $newSeAuditPrivilegeSIDs = $newSeAuditPrivilegeSIDs.replace(",*$oldSidString","")
            $newSeAuditPrivilegeSIDs = $newSeAuditPrivilegeSIDs.replace("*$oldSidString,","")
        }
        If ($newSeAuditPrivilegeSIDs -notmatch $newSidString) {
            $newSeAuditPrivilegeSIDs = $newSeAuditPrivilegeSIDs + ",*" + $newSidString
        }
        $newSeAuditPrivilegeSIDs = $newSeAuditPrivilegeSIDs.replace("Classic .NET AppPool","IIS AppPool\Classic .NET AppPool")
        
        # Populate the import file
        ForEach ($line in @("[Unicode]", "Unicode=yes", "[System Access]", "[Event Audit]", "[Registry Values]", "[Version]", "signature=`"`$CHICAGO$`"", "Revision=1", "[Profile Description]", "Description=Security Template To Configure Server For ADFS", "[Privilege Rights]", $newSeServiceLogonRightSIDs, $newSeAuditPrivilegeSIDs)){
            Add-Content $import $line
        }

        secedit /import /db $secedt /cfg $import /quiet
        If (!$?) 
            {
                $secEditResult1 = "fail"
            }  
        Else 
            {
                $secEditResult1 = "success"
            }

        secedit /configure /db $secedt /quiet
        If (!$?) 
            {
                $secEditResult2 = "fail"
            }  
        Else 
            {
                $secEditResult2 = "success"
            }
        
        If ($secEditResult1 -eq "fail" -or $secEditResult2 -eq "fail") 
            { 
                $RightsFailed = $true 
                Write-Host "`tFailed to add user rights for $NewName`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY" -ForegroundColor "yellow" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+ " [WARN]      Failed to add user rights for ${NewName}: 'Log on as a service', 'Generate security audits'" | Out-File $LogPath -Append 
            }  
        If ($secEditResult1 -eq "success" -and $secEditResult2 -eq "success")
            { 
                GPUpdate /Force | Out-File $LogPath -Append
                $RightsFailed = $false 
                Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [INFO]      User rights 'Log on as a service', 'Generate security audits' added for $NewName" | Out-File $LogPath -Append 
            }     

        Remove-Item -Path $import -Force
        Remove-Item -Path $export -Force
        Remove-Item -Path $secedt -Force
        Return $RightsFailed
    }

–

WHEN USING ADFS MANAGED SELF-SIGNED CERTIFICATES ALSO REMOVING THE PERMISSIONS FROM THE OLD SERVICE ACCOUNT

REPLACE THE FOLLOWING

Function Set-CertificateSharingContainerSecurity 
    {
        param([String]$NewSID) 
        $FailedLdap = $false 
     
        # Get the new SID as a SID object and create AD Access Rules 
        $objNewSID = [System.Security.Principal.SecurityIdentifier]$NewSID 
        $RuleCreateChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'CreateChild','Allow','All') 
        $RuleSelf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'Self','Allow','All') 
        $RuleWriteProperty = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'WriteProperty','Allow','All') 
        $RuleGenericRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'GenericRead','Allow','All') 
 
 
        # Get the LDAP object based on the certificate sharing container and add the AD Access Rules to the object 
        $DN = ($ADFSProperties.CertificateSharingContainer).ToString() 
        $objLDAP = [ADSI] "LDAP://$DN" 
        $objLDAP.get_ObjectSecurity().AddAccessRule($RuleCreateChild) 
        $objLDAP.get_ObjectSecurity().AddAccessRule($RuleSelf) 
        $objLDAP.get_ObjectSecurity().AddAccessRule($RuleWriteProperty) 
        $objLDAP.get_ObjectSecurity().AddAccessRule($RuleGenericRead) 
 
 
        # Commit the AD Access rule changes to the LDAP object 
        $objLDAP.CommitChanges() 
         
        If (!$?) 
            { 
                Write-Host "`tFailed to set permissions on the Certificate Sharing Container.`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY" -ForegroundColor "yellow" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [ERROR]     Failed setting permissions on AD cert sharing container: $DN. $NewName needs 'Create Child', 'Write', 'Read'." | Out-File $LogPath -Append 
                $FailedLdap = $true 
            } 
        Else 
            { 
                Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [INFO]      Set permissions on cert sharing container: $DN" | Out-File $LogPath -Append 
            } 
    }

WITH THE FOLLOWING

Function Set-CertificateSharingContainerSecurity 
    {
        param(
            $OldSID,
            $NewSID
        )
        $FailedLdap = $null
        # Create AD Access Rules 
        $objOldSID = [System.Security.Principal.SecurityIdentifier]$OldSID
        $objNewSID = [System.Security.Principal.SecurityIdentifier]$NewSID
        $accessRuleCreateChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'CreateChild','Allow','All') 
        $accessRuleSelf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'Self','Allow','All') 
        $accessRuleWriteProperty = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'WriteProperty','Allow','All') 
        $accessRuleGenericRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($objNewSID,'GenericRead','Allow','All')
        
        # Get the LDAP object based on the certificate sharing container
        # REMOVE the AD Access Rules for the OLD service account 
        # ADD the AD access Rules for the NEW service account
        $certSharingContainer = $ADFSProperties.CertificateSharingContainer
        $DN = $certSharingContainer.ToString() 
        $objLDAPpath = [ADSI] "LDAP://$DN" 
        $objACL = $objLDAPpath.objectSecurity
        $objACL.PurgeAccessRules($objOldSID)
        If (!$?) 
            {
                $objACLresult1 = "fail"
                Write-Host "objACLresult1"
            }  
        Else 
            {
                $objACLresult1 = "success"
            }
        $objACL.AddAccessRule($accessRuleCreateChild)
        If (!$?) 
            {
                $objACLresult2 = "fail"
                Write-Host "objACLresult2"
            }  
        Else 
            {
                $objACLresult2 = "success"
            }
        $objACL.AddAccessRule($accessRuleSelf)
        If (!$?) 
            {
                $objACLresult3 = "fail"
                Write-Host "objACLresult3"
            }  
        Else 
            {
                $objACLresult3 = "success"
            }
        $objACL.AddAccessRule($accessRuleWriteProperty)
        If (!$?) 
            {
                $objACLresult4 = "fail"
                Write-Host "objACLresult4"
            }  
        Else 
            {
                $objACLresult4 = "success"
            }
        $objACL.AddAccessRule($accessRuleGenericRead)
        If (!$?) 
            {
                $objACLresult5 = "fail"
                Write-Host "objACLresult5"
            }  
        Else 
            {
                $objACLresult5 = "success"
            }
        $objLDAPpath.objectSecurity = $objACL
        $objLDAPpath.CommitChanges()
        If (!$?) 
            {
                $objACLresult6 = "fail"
                Write-Host "objACLresult6"
            }  
        Else 
            {
                $objACLresult6 = "success"
            }

        If ($objACLresult1 -eq "fail" -or $objACLresult2 -eq "fail" -or $objACLresult3 -eq "fail" -or $objACLresult4 -eq "fail" -or $objACLresult5 -eq "fail" -or $objACLresult6 -eq "fail") 
            { 
                Write-Host "`tFailed to set permissions on the Certificate Sharing Container.`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY" -ForegroundColor "yellow" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [ERROR]     Failed setting permissions on AD cert sharing container: $DN. $NewName needs 'Create Child', 'Write', 'Read'." | Out-File $LogPath -Append 
                $FailedLdap = $true 
            } 
        If ($objACLresult1 -eq "success" -and $objACLresult2 -eq "success" -and $objACLresult3 -eq "success" -and $objACLresult4 -eq "success" -and $objACLresult5 -eq "success" -and $objACLresult6 -eq "success") 
            { 
                Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [INFO]      Set permissions on cert sharing container: $DN" | Out-File $LogPath -Append
                $FailedLdap = $false
            }
    }

–

WHEN USING ADFS MANAGED SELF-SIGNED CERTIFICATES ALSO REMOVING THE PERMISSIONS FROM THE OLD SERVICE ACCOUNT

REPLACE THE FOLLOWING (2x)

Start sqlcmd.exe -ArgumentList

WITH THE FOLLOWING (2x)

&'Start' $sqlCmdFullPath -ArgumentList

–

WHEN CONVERTING FROM STANDALONE MODE TO FARM MODE THE CERTIFICATE SHARING CONTAINER NEEDS TO BE CREATED FIRST

REPLACE THE FOLLOWING

####STOP THE AD FS WINDOWS SERVICE####

WITH THE FOLLOWING

####CREATE/CONFIGURE CERT SHARING CONTAINER IF STANDALONE####

If ((($OldName).ToString() -eq "NT AUTHORITY\NETWORK SERVICE") -or (($OldName).ToString() -eq "NT AUTHORITY\LOCAL SYSTEM"))
    {
        Write-Host "`n Configuring the Certificate Sharing Container in AD" 
        ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Configuring the Certificate Sharing Container" | Out-File $LogPath -Append
        Set-ADFSCertSharingContainer -ServiceAccount $(($OldName).ToString())
        $ADFSProperties = Get-ADFSProperties
        If (!$?) 
            { 
                Write-Host "`tThe Cert Sharing Container could not be created/configured.`n`tExiting`n" -ForegroundColor "red" 
                ($ElapsedTime.Elapsed.ToString())+" [ERROR]     The Cert Sharing Container could not be created/configured" | Out-File $LogPath -Append 
                exit 
            } 
        Else 
            { 
                Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                ($ElapsedTime.Elapsed.ToString())+" [INFO]      Cert Sharing Container has been created/configured" | Out-File $LogPath -Append 
            } 
    }

####STOP THE AD FS WINDOWS SERVICE####

–

DETECTING THE AVAILABILITY OF SQLCMD.EXE THROUGH THE PATH VARIABLE AND THROUGH A PRE-DEFINED FOLDER

REPLACE THE FOLLOWING

                Write-Host "`n Detecting SQLCmd.exe" 
                ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Detecting SQLCMD.exe" | Out-File $LogPath -Append 
                $SQLCmdPresent = $false 
                sqlcmd.exe /? | Out-Null 
         
                If (!$?) 
                    { 
                        Write-Host "`tSQLCmd.exe was not found`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY." -ForegroundColor "yellow" -NoNewline 
                        ($ElapsedTime.Elapsed.ToString())+" [WARN]      SQLCMD.exe not found. SQL scripts must be manually executed." | Out-File $LogPath -Append 
                    } 
                Else 
                    { 
                        Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                        ($ElapsedTime.Elapsed.ToString())+" [INFO]      SQLCMD.exe found" | Out-File $LogPath -Append 
                        $SQLCmdPresent = $true 
                    }

WITH THE FOLLOWING

                Write-Host "`n Detecting SQLCmd.exe" 
                ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Detecting SQLCMD.exe" | Out-File $LogPath -Append 
                $SQLCmdPresent = $false
                # Let's try to find SQLCMD.EXE the easy way. If that fails, because SQLCMD.EXE is installed, but its path has not been registered in the PATH variable, try to search for it
                $sqlCmdFullPath = $null
                $sqlCmdFullPath = WHERE.EXE SQLCMD.EXE
                If ($sqlCmdFullPath -eq $null) {
                    $enumSQLCMDinstances = Get-ChildItem -path 'C:\Program Files\Microsoft SQL Server' -Recurse -Filter 'SQLCMD.EXE'
                    $sqlCmdCount = ($enumSQLCMDinstances | Measure-Object).Count
                    If ($sqlCmdCount -eq 0) {
                        Write-Host "`tSQLCmd.exe was not found`n`tSee: POST-SAMPLE ITEMS THAT MUST BE EXECUTED MANUALLY." -ForegroundColor "yellow" -NoNewline 
                        ($ElapsedTime.Elapsed.ToString())+" [WARN]      SQLCMD.exe not found. SQL scripts must be manually executed." | Out-File $LogPath -Append 
                    } Else {
                        If ($sqlCmdCount -eq 1) {
                            $sqlCmdFullPath = $enumSQLCMDinstances.FullName
                        }
                        If ($sqlCmdCount -gt 1) {
                            $sqlCmdFullPath = $enumSQLCMDinstances[0].FullName
                        }
                        Write-Host "`tSuccess" -ForegroundColor "green" -NoNewline 
                        ($ElapsedTime.Elapsed.ToString())+" [INFO]      SQLCMD.exe found" | Out-File $LogPath -Append 
                        $SQLCmdPresent = $true 
                    }
                }

–

DETERMINE WHETHER THE CERTIFICATE SHARING CONTAINER IS USED OR NOT BY CHECKING IF AUTOCERTROLLOVER IS ENABLED

REPLACE THE FOLLOWING

####ACL THE CERTIFICATE SHARING CONTAINER FOR THE NEW SERVICE ACCOUNT#### 
 
# Only execute if this is the first federation server 
if ($Mode -eq 2) 
    { 
        # Check if CertificateSharingContainer has a value. If it does, ACL the container for the new service account. 
        If ($ADFSProperties.CertificateSharingContainer -ne $null) 
            { 
                Write-Host "`n Providing $NewName access to the Certificate Sharing Container" 
                ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Providing $NewName access to ($ADFSProperties.CertificateSharingContainer).ToString()" | Out-File $LogPath -Append 
                Set-CertificateSharingContainerSecurity -NewSID $NewSID 
            } 
    }

WITH THE FOLLOWING

####ACL THE CERTIFICATE SHARING CONTAINER FOR THE NEW SERVICE ACCOUNT#### 
 
# Only execute if this is the first federation server 
if ($Mode -eq 2) 
    { 
        # Check if certificate rollover is enabled. If it is, ACL the container for the new service account.
        # The presence of the cert sharing container only proves you are using ADFS managed self-signed certs OR have used them!
        If ($ADFSProperties.AutoCertificateRollover -eq $true) 
            { 
                Write-Host "`n Providing $NewName access to the Certificate Sharing Container" 
                ($ElapsedTime.Elapsed.ToString())+" [WORK ITEM] Providing $NewName access to ($ADFSProperties.CertificateSharingContainer).ToString()" | Out-File $LogPath -Append 
                Set-CertificateSharingContainerSecurity -OldSID $OldSID -NewSID $NewSID 
            } 
    }

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), PowerShell, Security Token Service (STS), Service Account, Tooling/Scripting | 4 Comments »

(2014-02-27) Exchange OWA Through ADFS

Posted by Jorge on 2014-02-27

In following blog posts you can read how you can access OWA through federation and kerberos constrained delegation (KCD):

–

In the scenarios above the Claims To Windows Token Service (C2WTS) was used to perform the KCD part as ADFS itself is not capable of doing that

–

With the release of Exchange 2013 SP1, it is now natively supported and you do not need to perform all kinds of manual steps. Instead of using the C2WTS, you can now use the Web Application Proxy (WAP) to perform the KCD part.

see: Using AD FS claims-based authentication with Outlook Web App and EAC

Although I have not tried this myself, after reading it quickly I noticed a few weird things:

Step 1: Although true what is said, I would like to suggest the following regarding the certificates:

Service Communication Certificate for ADFS –> CA issued from an internal PKI if available, otherwise CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.)
Token Signing Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI
Token Encryption Certificate for ADFS –> CA issued from a well-known external/third-party CA issuer (e.g. DigiCert, Thawte, Verisign, etc.). Although possible, you should not use self-signed certificates or CA issued from an internal PKI

Step 2: If you are using CA issued certs for Token Signing Certificate and the Token Encryption Certificate you need to install ADFS through FSCONFIG.EXE (ADFS v2.0 and ADFS v2.1) or INSTALL-ADFSFARM (ADFS v3.0) and specify the thumbprint of the certificates. You need to make sure those certificates are in the local certificate store first!
Step 2: it is not true you require a group Managed Service Account. Sure that would be preferred, you must have at least one W2K12 DC or higher to be able to support that. However in all cases you can still use a normal service user account.
Step 3: I’m kind of surprised to see the so called require claims rules for both the OWA relying part trust as the EAC relying party trust. Like I said, I have not done this myself yet, but I would expect to only require the pass-through of the UPN claim on both RP trusts. Of course you need to ask yourself "if I pass it through, where do I pass it from then?" Right! You gather the UPN claim by using a claim rule on the claims provider trust. How you do that differs from ADFS v2.x and ADFS v3.0. With ADFS v2.x you need to perform an LDAP query (using the LDAP Claim Rule Template) and in ADFS v3.0 you can pass it through (see: "(2011-09-13) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v2.0" and "(2014-02-10) Bare Minimum Acceptance Transform Rules For The Default Claims Provider Trusts In ADFS v3.0 (Update 1)")
Step 4: No clue WHY the claims rules are being added, again. That was already done in step 3. Again no clue why you need the Primary SID and the Group SID
Step 5: I saw the following line: "Although Web Application Proxy isn’t required" Huh? Who’s going to do the KCD part then? I agree you should use WAP when allowing external access. But for internal access, if WAP is not required, is that the reason why they are sending the "Primary SID" claim and the "Group SID" claim? Hmmmm, interesting. I wonder if ADFS has some hidden feature regarding KCD. To be investigated!

–

Well, have fun!

If you try it yourself, please let me know your findings. Thanks in advance

–

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Exchange Server, OWA, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-02-25) Gathering Architectural Details From Your ADFS Infrastructure – ADFS StandAlone Or ADFS Farm

Posted by Jorge on 2014-02-25

If ADFS was installed in the past by someone else and there is little to no documentation, how do you know if you are running an ADFS Standalone or ADFS Farm installation? Keep reading to find out how to determine that!

–

Is it an ADFS Standalone or ADFS Farm installation?

After installing the ADFS binaries that were downloaded from the internet (W2K8 and W2K8R2) or installing the ADFS server role (W2K12), you have the following options to configure ADFS.

Figure 1: The ADFS Configuration Options

–

Below you find the CLI configuration options when configuring a "StandAlone" ADFS.

When using the parameter "StandAlone", ADFS will be installed in single server mode. Basically that means it will use the "Network Service" as its service account and in addition, it will use WID for the ADFS configuration database. If you use the GUI version of the configuration wizard to configure the federation service it will use ADFS Managed Self-Signed certs for both the Token Signing cert and the Token Encryption cert. However, if you use the CLI version of the configuration wizard to configure the federation service you have the option of either using ADFS Managed Self-Signed certs or CA Issued certs for both the Token Signing cert and the Token Encryption cert. The same is true for the federation service name. If you use the GUI version of the configuration wizard to configure the federation service it will use the subject name of the specified Service Communication cert as the federation service name. If you use the CLI version of the configuration wizard to configure the federation service you have the option of either specifying a federation service name or derive it from the subject name of the specified Service Communication cert.

Figure 2: Configuration Options Using The CLI For An ADFS StandAlone Configuration (W2K8, W2K8R2, W2K12)

–

Below you find the CLI configuration options when configuring a "Farm" ADFS that leverages the WID for the ADFS Configuration database

When using the parameter "CreateFarm", ADFS will be installed in multiple server mode while using WID for the ADFS Configuration database. Basically that means it will/must use a custom AD service account. If you use the GUI version of the configuration wizard to configure the federation service it will use ADFS Managed Self-Signed certs for both the Token Signing cert and the Token Encryption cert. However, if you use the CLI version of the configuration wizard to configure the federation service you have the option of either using ADFS Managed Self-Signed certs or CA Issued certs for both the Token Signing cert and the Token Encryption cert. The same is true for the federation service name. If you use the GUI version of the configuration wizard to configure the federation service it will use the subject name of the specified Service Communication cert as the federation service name. If you use the CLI version of the configuration wizard to configure the federation service you have the option of either specifying a federation service name or derive it from the subject name of the specified Service Communication cert.

Figure 3: Configuration Options Using The CLI For An ADFS Farm Configuration On WID (W2K8, W2K8R2, W2K12)

–

Below you find the CLI configuration options when configuring a "Farm" ADFS that leverages SQL for the ADFS Configuration database.

When using the parameter "CreateSQLFarm", ADFS will be installed in multiple server mode while using SQL Server for the ADFS Configuration database. Basically that means it will/must use a custom AD service account. It is not possible to use the GUI version of the configuration wizard and create a SQL based ADFS farm. The latter is only possible through the CLI version. With the CLI version of the configuration wizard you have the option of either using ADFS Managed Self-Signed certs or CA Issued certs for both the Token Signing cert and the Token Encryption cert. The same is true for the federation service name, you have the option of either specifying a federation service name or derive it from the subject name of the specified Service Communication cert.

Figure 4: Configuration Options Using The CLI For An ADFS Farm Configuration On SQL (W2K8, W2K8R2, W2K12)

–

Figure 5: Configuration Options Using The GUI For An ADFS StandAlone/Farm Configuration On WID (W2K8, W2K8R2, W2K12)

–

With ADFS v3.0 in W2K12R2 you can only install ADFS in Farm mode, either leveraging WID or SQL Server. ADFS in StandAlone mode is not possible anymore. To be honest, you don’t loose anything with this as you can still install just one ADFS STS server. In either case, when leveraging WID or SQL server for the ADFS configuration database, you can install/configure the ADFS farm through PowerShell or the Server Manager GUI. The capabilities are almost the same. With PowerShell you can use/configure both CA issued certificates and ADFS Managed Self-Signed certificates for the Token Signing and Token Encryption certificate. With the Server Manager you can only use ADFS Managed Self-Signed certificates for the Token Signing and Token Encryption certificate. My suggestion is to use CA issued certificates from an external/third-party and well-known certificate issuer, like DigiCert, Thawte, Verisign, etc.

Figure 6: Configuration Options Using The CLI For An ADFS Farm Configuration On WID Or SQL (W2K12R2)

–

YOU HAVE ADFS IN STANDALONE MODE WHEN:

[1] The ADFS service "ADFSSRV" is running with the Network Service as its service account

Figure 7: The ADFS Service "ADFSSRV"

–

Figure 8: The ADFS Service "ADFSSRV" With The "Network Service" As The Service Account

–

[2] …And the ADFS application pool is running with the "Network Service"

Figure 9: The ADFS Application Pool "ADFSAppPool" With The "Network Service"

–

One important thing to remember is that when you install ADFS in StandAlone mode, you CANNOT add an additional ADFS STS instance. Multiple ADFS STS instances are only possible when installing ADFS in Farm mode! It is possible to "Convert" ADFS in StandAlone mode to ADFS in Farm mode? Yes it is! See this blog post!

When trying to install an additional ADFS STS instance with a custom service account against an ADFS STS in StandAlone mode, which is using the Network Service that also has the SPN configured, you get the error below. This error occurs because the specified service account does not have the SPN configured, but rather the Network Service (the computer account) does.

Figure 10: Error When Installing An Addition ADFS STS Instance Against An ADFS StandAlone Installation (SPN On Wrong Account)

–

When trying to install an additional ADFS STS instance with a custom service account that also has the SPN configured against an ADFS STS in StandAlone mode, which is using the Network Service, you get the error below. This error occurs because the specified service account does not match the service account used by the ADFS StandAlone installation.

Figure 11: Error When Installing An Addition ADFS STS Instance Against An ADFS StandAlone Installation (Service Accounts Do Not Match)

–

YOU HAVE ADFS IN FARM MODE WHEN:

[1] The ADFS service "ADFSSRV" is running with a custom AD service account as its service account

Figure 12: The ADFS Service "ADFSSRV"

–

Figure 13: The ADFS Service "ADFSSRV" With A Custom AD User Account As The Service Account

–

[2] …And the ADFS application pool is running with the custom AD user account

Figure 14: The ADFS Application Pool "ADFSAppPool" With The Custom AD User Account

–

And as soon as you are running in Farm mode, you can add additional ADFS STS instances

Figure 15: No Error When Adding An Additional ADFS STS Instance When Running In Farm Mode (After Conversion From StandAlone Mode)

–

Posted in Active Directory Federation Services (ADFS), Farm, Security Token Service (STS), StandAlone | Leave a Comment »

« Previous Entries

Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Security Token Service (STS)’ Category

(2014-10-28) You Have Multiple AD Forests And You Also Need ADFS – What Are The Possibilities?

(2014-05-12) Automatic Metadata Exchange From Shibboleth To ADFS Fails With Multiple Encryption Certificates

(2014-04-02) Building An ADFS Lab In W2K12(R2)

(2014-03-24) ADFS v3.0 In W2K12R2 And Related Features In Summary With Details

(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

(2014-03-17) Gathering Architectural Details From Your ADFS Infrastructure – ADFS Config DB On WID Or SQL

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

(2014-03-10) Changing The Service Account For ADFS v2.x – PowerShell Script

(2014-02-27) Exchange OWA Through ADFS

(2014-02-25) Gathering Architectural Details From Your ADFS Infrastructure – ADFS StandAlone Or ADFS Farm

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Security Token Service (STS)’ Category

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: