Some ADFS snippets
# Turn off certificate rollover (token certificates then have to be rotated by hand)
Set-AdfsProperties -AutoCertificateRollover $false

# Allow login via mail (and UPN)
# $ADDom holds the DNS name(s) of the forest(s) to search for the mail attribute - replace DOMAIN.TLD
$ADDom = 'DOMAIN.TLD'
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests $ADDom

<#
Enable SNI (might be needed)
I have no idea why I need to go to the NetSH shell to execute that, but the command line does NOT work.
I need to do this to use the existing load balancer instead of the WAP/WIP for ADFS.
If not, the LB marks the ADFS back ends as down. Has something to do with the lack of SNI support in ADFS.
Replace the *** with your certificate hash and check the APPID: netsh http show sslcert
#>
netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

<#
Enable the group managed service account
#>
# Replace the DOMAIN.TLD - mind the single slash in the SPN (http/...)
New-ADServiceAccount -Name MSAadfs -DNSHostName adfs.DOMAIN.TLD -AccountExpirationDate $null -ServicePrincipalNames http/adfs.DOMAIN.TLD
# Only the ADFS server computer accounts need to retrieve the gMSA password (replace ADFSSERVER with your host names).
# -PrincipalsAllowedToDelegateToAccount would configure resource-based constrained delegation instead, which the
# ADFS installation does not need.
Set-ADServiceAccount -Identity MSAadfs -PrincipalsAllowedToRetrieveManagedPassword 'ADFSSERVER01$', 'ADFSSERVER02$'

<#
Enable the ADFS device registration feature (with our group managed service account)
#>
# Enter Domain Admin credentials now!
$Credential = (Get-Credential)
# Single quotes, so the trailing $ of the gMSA name is not expanded - replace DOMAIN.TLD, DOMAIN and ACCOUNT
Initialize-ADDeviceRegistration -ServiceAccountName 'DOMAIN\ACCOUNT$' -DeviceLocation 'DOMAIN.TLD' -RegistrationQuota 10 -MaximumRegistrationInactivityPeriod 90 -Credential $Credential -Force
Enable-AdfsDeviceRegistration -Credential $Credential -Force
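A read-back check of the settings these snippets change, added here as an example and not part of the original gist. It assumes it runs on an ADFS server with the ADFS and ActiveDirectory modules available; $GmsaName and $AdfsServers are placeholders, and the property names of Get-AdfsDeviceRegistration are assumed.

```powershell
# Added check script, not part of the original gist. Run on an ADFS server as an
# ADFS admin. $GmsaName / $AdfsServers are placeholders for your environment.
$GmsaName    = 'MSAadfs'
$AdfsServers = @('ADFS01$', 'ADFS02$')   # computer accounts that may use the gMSA
$findings    = @()

# 1. With AutoCertificateRollover off, token certificates expire silently unless watched.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Get-AdfsCertificate | Where-Object { $_.IsPrimary } | ForEach-Object {
        $daysLeft = ($_.Certificate.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt 60) {
            $findings += "$($_.CertificateType) certificate $($_.Thumbprint) expires in $daysLeft days"
        }
    }
}

# 2. Both HTTPS bindings (443 and the 49443 client-certificate port) must exist and share one cert.
$bindings = @(Get-AdfsSslCertificate)
$hashes   = @($bindings.CertificateHash | Sort-Object -Unique)
if ($hashes.Count -ne 1) { $findings += "SSL bindings use $($hashes.Count) different certificate hashes" }
foreach ($port in 443, 49443) {
    if (-not ($bindings | Where-Object { $_.PortNumber -eq $port })) { $findings += "No SSL binding on port $port" }
}

# 3. Alternate login ID widens what is accepted at logon; the forests it searches must be pinned down.
$cpt = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
if ($cpt.AlternateLoginID -and -not $cpt.LookupForests) {
    $findings += 'AlternateLoginID is set but LookupForests is empty'
}

# 4. Only the ADFS server computer accounts should be able to retrieve the gMSA password.
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName })
$extra = @($allowed | Where-Object { $AdfsServers -notcontains $_ })
if ($extra) { $findings += "gMSA password retrievable by unexpected principals: $($extra -join ', ')" }
if (-not (Test-ADServiceAccount -Identity $GmsaName)) { $findings += "gMSA $GmsaName is not usable on this host" }

# 5. Device registration limits (property names assumed: DevicesPerUser, MaximumInactiveDays).
$drs = Get-AdfsDeviceRegistration
if ($drs.DevicesPerUser -gt 10 -or $drs.MaximumInactiveDays -gt 90) {
    $findings += "Device quota $($drs.DevicesPerUser) / inactivity $($drs.MaximumInactiveDays) days exceeds the intended 10 / 90"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'ADFS configuration checks passed' }
```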