@jhochwald
Created January 16, 2017 10:43
Some ADFS snippets
# Turn off Certificate Rollover
# With rollover off, ADFS no longer generates and promotes new token-signing/token-decrypting
# certificates on its own: they have to be renewed by hand (Add-AdfsCertificate, then
# Set-AdfsCertificate -IsPrimary) and every relying party must refresh the federation metadata afterwards.
Set-AdfsProperties -AutoCertificateRollover $false
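Once automatic rollover is off, nothing in the farm watches certificate expiry any more. The following is an added example (not part of the original gist) that checks the token-signing/decrypting certificates against a threshold and wraps the manual rotation steps. It assumes the ADFS module is loaded on a farm node; the function names, `$WarnDays` and `$NewThumbprint` are placeholders chosen here, not ADFS names.

```powershell
# Added example, not from the original gist. Assumes the ADFS PowerShell module on a farm node.
function Test-AdfsCertificateExpiry {
    [CmdletBinding()]
    param([int]$WarnDays = 60)   # hypothetical threshold

    # Get-AdfsCertificate lists Service-Communications, Token-Decrypting and Token-Signing certificates.
    Get-AdfsCertificate | ForEach-Object {
        $cert     = $_.Certificate                           # X509Certificate2
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Action     = if ($daysLeft -le $WarnDays) { 'ROTATE' } else { 'ok' }
        }
    }
}

# Manual rotation of a token-signing certificate. $NewThumbprint must already be in the
# computer's MY store with a private key the ADFS service account can read.
function Invoke-AdfsManualTokenSigningRollover {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NewThumbprint,
        [switch]$RemoveSecondary   # only once every relying party has refreshed metadata
    )
    # 1. Publish the new certificate as secondary so relying parties can pick it up from
    #    federation metadata before it signs anything.
    Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint
    # 2. Promote it; the previous primary becomes secondary and still validates already issued tokens.
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $NewThumbprint -IsPrimary
    # 3. Optional clean-up of the old certificate(s).
    if ($RemoveSecondary) {
        Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { -not $_.IsPrimary } |
            ForEach-Object { Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $_.Thumbprint }
    }
}

Test-AdfsCertificateExpiry -WarnDays 60 | Format-Table -AutoSize
```

Run the check from a scheduled task on one farm node; the rollover function is meant to be called deliberately, with the removal switch only after the relying parties (Azure AD included) have picked up the new metadata.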
# Allow Login via Mail (And UPN)
# $ADDom must hold the DNS name(s) of the forest(s) to search for the mail attribute (placeholder value below)
$ADDom = 'DOMAIN.TLD'
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests $ADDom
<#
Enable SNI (Might be needed)
I have no idea why I need to go to the NetSH Shell to execute that, but the command line does NOT work
I need to do this to use the existing load balancer instead of the WAP/WIP for ADFS
If not, the LB marks the ADFS back ends as down. Has something to do with the lack of SNI support in ADFS
Replace the *** with your Certificate Hash and check the APPID: netsh http show sslcert
#>
# The two commands below are typed inside the interactive netsh shell, not PowerShell.
# ipport=0.0.0.0 is a binding without a hostname, so it also answers a probe that sends no SNI.
# 443 is the ADFS HTTPS port, 49443 the certificate-authentication port; the appid is ADFS's own.
netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
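The same bindings can be created and verified from PowerShell without retyping the hash. This is an added example (not the gist author's code): it reads the hash ADFS already uses for its SNI binding via `Get-AdfsSslCertificate`, parses `netsh http show sslcert` for the `0.0.0.0` bindings, and adds or repairs them. The appid argument is quoted so PowerShell hands the braces through to netsh unchanged, which is the commonly cited workaround for the one-line form failing from a PowerShell prompt. The parser assumes English netsh output (labels are localized on other system languages); `Get-NetshSslBinding` is a helper name chosen here.

```powershell
# Added example, not from the original gist. Assumes an ADFS farm node with the ADFS module loaded.
$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # ADFS application id, as used in the gist

# Hash of the certificate ADFS already bound to <hostname>:443; reuse it for the fallback binding.
$Hash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash

function Get-NetshSslBinding {
    # Turns 'netsh http show sslcert ipport=<ip:port>' into a hashtable of label -> value.
    # Assumes English labels such as 'Certificate Hash' and 'Application ID'.
    param([Parameter(Mandatory)][string]$IpPort)
    $result = @{}
    $out = netsh http show sslcert ipport=$IpPort 2>&1
    foreach ($line in $out) {
        # label, padding, colon, value ("IP:port" itself contains a colon, hence \s+ before it)
        if ("$line" -match '^\s*(.+?)\s+:\s+(\S.*)$') { $result[$Matches[1]] = $Matches[2].Trim() }
    }
    return $result
}

foreach ($port in 443, 49443) {
    $ipPort  = "0.0.0.0:$port"
    $binding = Get-NetshSslBinding -IpPort $ipPort

    # A binding left over from an older certificate is the classic post-renewal failure: drop it.
    if ($binding.ContainsKey('Certificate Hash') -and $binding['Certificate Hash'] -ne $Hash) {
        netsh http delete sslcert ipport=$ipPort | Out-Null
        $binding = @{}
    }
    if (-not $binding.ContainsKey('Certificate Hash')) {
        netsh http add sslcert ipport=$ipPort certhash=$Hash "appid=$AdfsAppId" certstorename=MY | Out-Null
        $binding = Get-NetshSslBinding -IpPort $ipPort
    }

    [pscustomobject]@{
        IpPort       = $ipPort
        HashMatches  = ($binding['Certificate Hash'] -eq $Hash)   # -eq is case-insensitive
        AppIdMatches = ($binding['Application ID'] -eq $AdfsAppId)
    }
}
```

Both rows should report `True` twice; afterwards the load balancer's health probe, which typically sends no SNI, completes the TLS handshake against each node.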
<#
Enable the Group Managed Service Account
#>
# Replace the DOMAIN.TLD - Mind the single slash :)
# Needs the ActiveDirectory module and an existing KDS root key (Get-KdsRootKey);
# the SPN is the HTTP/<farm FQDN> that clients request Kerberos tickets for.
New-ADServiceAccount -name MSAadfs -DNSHostName adfs.DOMAIN.TLD -AccountExpirationDate $null -ServicePrincipalNames http/adfs.DOMAIN.TLD
# Kerberos constrained delegation to this account. This does NOT let the ADFS servers fetch the gMSA
# password; that needs -PrincipalsAllowedToRetrieveManagedPassword (e.g. a group holding the farm's computer accounts).
Set-ADServiceAccount -Identity MSAadfs -PrincipalsAllowedToDelegateToAccount "Domain Admins"
<#
Enable the ADFS Device registration feature (With our Group managed service account)
#>
# Enter Domain Admin credentials now!
$Credential = (Get-Credential)
# Mind the $ (Try a single quote next time) - Replace the DOMAIN.TLD and DOMAIN and ACCOUNT
# ACCOUNT is the gMSA created above (MSAadfs); the trailing $ is part of a service account's sAMAccountName
Initialize-ADDeviceRegistration -ServiceAccountName "DOMAIN\ACCOUNT`$" -DeviceLocation 'DOMAIN.TLD' -RegistrationQuota 10 -MaximumRegistrationInactivityPeriod 90 -Credential $Credential -Force
Enable-AdfsDeviceRegistration -Credential $Credential -Force
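The gMSA and device-registration steps above only work if the farm nodes can actually retrieve the managed password, which `-PrincipalsAllowedToDelegateToAccount` does not grant. The following is an added example (not the gist author's code) that creates the account with `-PrincipalsAllowedToRetrieveManagedPassword`, checks the KDS root key prerequisite, verifies password retrieval on the node with `Test-ADServiceAccount`, and then runs the device-registration setup with the account name built from the real NetBIOS domain name. `DOMAIN.TLD`, the `ADFS-Servers` group and the `MSAadfs` name are placeholders.

```powershell
# Added example, not from the original gist. Run on an ADFS farm node with the ActiveDirectory
# and ADFS modules available, as a Domain Admin.
Import-Module ActiveDirectory

$Domain   = 'DOMAIN.TLD'      # placeholder
$AcctName = 'MSAadfs'         # gMSA name used in the gist
$Hosts    = 'ADFS-Servers'    # hypothetical AD group containing every farm node's computer account

# gMSA passwords are derived from the KDS root key; without one New-ADServiceAccount fails.
# A new key is only usable 10 hours after creation so all DCs have replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'KDS root key just created; wait ~10 hours before creating the gMSA in production.'
}

if (-not (Get-ADServiceAccount -Filter "Name -eq '$AcctName'")) {
    New-ADServiceAccount -Name $AcctName `
        -DNSHostName "adfs.$Domain" `
        -ServicePrincipalNames "http/adfs.$Domain" `
        -AccountExpirationDate $null `
        -PrincipalsAllowedToRetrieveManagedPassword $Hosts   # only farm nodes may fetch the password
}

# Per node: install the account locally and prove this host can retrieve the managed password.
# (A node added to $Hosts needs a reboot or fresh Kerberos ticket before this succeeds.)
Install-ADServiceAccount -Identity $AcctName
if (-not (Test-ADServiceAccount -Identity $AcctName)) {
    throw "This host cannot retrieve the gMSA password for $AcctName; check membership of $Hosts."
}

# Device registration wants DOMAIN\name$ ; take the NetBIOS name from AD instead of guessing it.
$ServiceAccount = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $AcctName
$Credential     = Get-Credential -Message 'Domain Admin for device registration setup'

Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccount -DeviceLocation $Domain `
    -RegistrationQuota 10 -MaximumRegistrationInactivityPeriod 90 -Credential $Credential -Force
Enable-AdfsDeviceRegistration -Credential $Credential -Force

# Read back the configured policy for the change record.
Get-AdfsDeviceRegistration | Format-List *
```

If `Test-ADServiceAccount` returns `False` the ADFS service will not start under the gMSA either, so that check is the one to run before touching the farm configuration.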