Created
January 16, 2017 10:43
Some ADFS snippets
```powershell
# Turn off Certificate Rollover
Set-AdfsProperties -AutoCertificateRollover $false

# Allow Login via Mail (And UPN)
# $ADDom holds the forest(s) to search for the alternate login ID; placeholder added here, replace DOMAIN.TLD
$ADDom = 'DOMAIN.TLD'
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests $ADDom

<#
Enable SNI (Might be needed)
I have no idea why I need to go to the NetSH Shell to execute that, but the command line does NOT work
I need to do this to use the existing load balancer instead of the WAP/WIP for ADFS
If not, the LB marks the ADFS Back ends as down. Has something to do with the lack of SNI support in ADFS
Replace the *** with your Certificate Hash and check the APPID: netsh http show sslcert
#>
# Starts the interactive netsh shell; the two "http add sslcert" lines are typed at its prompt, not run as PowerShell
netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

<#
Enable the Group Managed Service Account
#>
# Replace the DOMAIN.TLD - Mind the single slash :)
New-ADServiceAccount -Name MSAadfs -DNSHostName adfs.DOMAIN.TLD -AccountExpirationDate $null -ServicePrincipalNames http/adfs.DOMAIN.TLD
Set-ADServiceAccount -Identity MSAadfs -PrincipalsAllowedToDelegateToAccount "Domain Admins"

<#
Enable the ADFS Device registration feature (With our Group managed service account)
#>
# Enter Domain Admin credentials now!
$Credential = (Get-Credential)
# Mind the $ (Try a single quote next time) - Replace the DOMAIN.TLD and DOMAIN and ACCOUNT
Initialize-ADDeviceRegistration -ServiceAccountName "DOMAIN\ACCOUNT`$" -DeviceLocation 'DOMAIN.TLD' -RegistrationQuota 10 -MaximumRegistrationInactivityPeriod 90 -Credential $Credential -Force
Enable-AdfsDeviceRegistration -Credential $Credential -Force
```
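A post-configuration check for the steps above, added here as an example and not part of the original gist: it confirms rollover is off, parses `netsh http show sslcert` to verify that the 443 and 49443 bindings carry the AD FS service-communications certificate under the AD FS application ID, and reports who may retrieve the gMSA password. It assumes it runs on an AD FS server with the ADFS and ActiveDirectory modules loaded; the account name MSAadfs and the application ID come from the snippets above.

```powershell
# Added example: verify the AD FS settings from the snippets above (not the gist's own code).
$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # AD FS app ID used in the netsh bindings
$Gmsa      = 'MSAadfs'                                  # gMSA name from the snippets
$Ports     = 443, 49443                                 # HTTPS and certificate-authentication ports

# 1. Rollover is disabled by the gist, so certificate renewal is now a manual task: make that visible.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is still enabled'
} else {
    Write-Host 'AutoCertificateRollover is off: token-signing/decrypting certs must be renewed by hand'
}

# 2. Compare each SSL binding with the AD FS service-communications certificate.
$svcThumb = Get-AdfsCertificate -CertificateType Service-Communications |
            Select-Object -First 1 -ExpandProperty Thumbprint
$bindings = @{}
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    # netsh prints one block per binding: "IP:port", then "Certificate Hash", then "Application ID"
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = $Matches[1]; $bindings[$current] = @{}
    } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
        $bindings[$current].Hash = $Matches[1]
    } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
        $bindings[$current].AppId = $Matches[1]
    }
}
foreach ($port in $Ports) {
    $key = "0.0.0.0:$port"
    if (-not $bindings.ContainsKey($key)) { Write-Warning "No SSL binding on $key"; continue }
    $b = $bindings[$key]
    # -ne is case-insensitive, so netsh's lowercase hash compares cleanly with the thumbprint
    if ($b.Hash -ne $svcThumb) { Write-Warning "$key is bound to $($b.Hash), AD FS service cert is $svcThumb" }
    if ($b.AppId -ne $AdfsAppId) { Write-Warning "$key belongs to app $($b.AppId), not to AD FS" }
}

# 3. gMSA: list who may retrieve the managed password and check that this host can use the account.
$acct = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host "Password retrievable by: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    Write-Warning "$Gmsa cannot be used on this host; add the AD FS servers to PrincipalsAllowedToRetrieveManagedPassword"
}
```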