Skip to content

ADFS Configuration

Fabien Gilbert edited this page Jul 22, 2021 · 2 revisions

Manual ADFS and WAP configuration steps

  1. Copy the script below to PowerShell ISE on the Jump Server.
  2. Edit the parameter section with values from your environment.
  3. Run the Get-Credential cmdlets to provide the local and domain admin passwords.
  4. Run the script LINE BY LINE (F8) to catch any error. It will:
    • Request an ADFS (STS) certificate from the CA.
    • Export that certificate to a PFX file.
    • Copy the PFX file to the ADFS servers (domain joined).
    • Copy the PFX file to the WAP servers (non-domain joined so it uses PS drives).
    • Import certificate from PFX file on ADFS and WAP servers.
    • Import Root CA certificate on the WAP servers (since it is not domain joined)
    • Cleanup PFX files.
    • Create ADFS farm on 1st server.
    • Join 2nd ADFS server to farm.
    • Enable IDP initiated sign-on.
    • Join 1st WAP to ADFS farm.
    • Join 2nd WAP to ADFS farm.
  5. Test internal authentication at https://ca.stackadfslab.com/adfs/ls/idpinitiatedsignon
  6. Test external authentication. You may have to create a host record that points to the WAP LB Public IP
##############
# PARAMETERS #
##############
# STS DNS Name
$stsFqdn = "sts.stackadfslab.com"
# WAP Servers IP Addresses
$wapServer1IpAddress = "10.239.98.100"
$wapServer2IpAddress = "10.239.98.101"
# WAP Credentials (local admin user from Key Vault)
$wapCreds = Get-Credential -Message "Enter WAP local admin credentials" -UserName lauser1
# Domain Admin Credentials (from Key Vault)
$domainInfo = Get-ADDomain
$daCreds = Get-Credential -Message "Enter domain admin credentials" -UserName ($domainInfo.DNSRoot + "\dauser1")
###############

# Request custom certificate from 
Get-Certificate -Template "ComputerCustom" -DnsName @($stsFqdn) -CertStoreLocation Cert:\LocalMachine\My -SubjectName ("CN=" + $stsFqdn)
# Get newly generated STS certificate
$stscert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.DnsNameList -like "sts*"}
# Generate random PFX password
$rpwd = [char](Get-Random -Minimum 65 -Maximum 91) + [char](Get-Random -Minimum 97 -Maximum 122) + [char](Get-Random -Minimum 37 -Maximum 47) + (Get-Random -Minimum 100000 -Maximum 999999)
$pfxPwd = ConvertTo-SecureString -AsPlainText -String $rpwd -Force
# Export STS certificate to PFX
Export-PfxCertificate -Cert $stscert -FilePath sts.pfx -Password $pfxPwd
# Get ADFS servers from AD
$adfsServer01 = Get-ADComputer -Filter {name -like "*-ADFS-01"} | Select-Object -ExpandProperty Name
$adfsServer02 = Get-ADComputer -Filter {name -like "*-ADFS-02"} | Select-Object -ExpandProperty Name
# Copy PFX file to ADFS servers
Copy-Item -Path sts.pfx -Destination ("\\" + $adfsServer01 + "\c$\sts.pfx")
Copy-Item -Path sts.pfx -Destination ("\\" + $adfsServer02 + "\c$\sts.pfx")
# Import PFX file on ADFS servers
Invoke-Command -ComputerName $adfsServer01, $adfsServer02 -ArgumentList $pfxPwd -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
# Export CA root certificate
$caCert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Issuer.Replace(" ","") -Like ("*" + $domainInfo.DistinguishedName + "*")}
Export-Certificate -FilePath ca.cer -Cert $caCert
# Mount drives to WAP servers
New-PSDrive -Name "wap1" -PSProvider "FileSystem" -Root ("\\" + $wapServer1IpAddress + "\c$") -Credential $wapCreds
New-PSDrive -Name "wap2" -PSProvider "FileSystem" -Root ("\\" + $wapServer2IpAddress + "\c$") -Credential $wapCreds
# Copy PFX and CA CERT files to WAP servers
Copy-Item -Path sts.pfx -Destination WAP1:\sts.pfx
Copy-Item -Path ca.cer -Destination WAP1:\ca.cer
Copy-Item -Path sts.pfx -Destination WAP2:\sts.pfx
Copy-Item -Path ca.cer -Destination WAP2:\ca.cer
# Import PFX and CA root cert files on WAP servers
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer1IpAddress
Invoke-Command -ComputerName $wapServer1IpAddress -Credential  $wapCreds -ScriptBlock {Import-Certificate -FilePath "C:\ca.cer" -CertStoreLocation Cert:\LocalMachine\Root}
Invoke-Command -ComputerName $wapServer1IpAddress -ArgumentList $pfxPwd -Credential  $wapCreds -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer2IpAddress
Invoke-Command -ComputerName $wapServer2IpAddress -Credential  $wapCreds -ScriptBlock {Import-Certificate -FilePath "C:\ca.cer" -CertStoreLocation Cert:\LocalMachine\Root}
Invoke-Command -ComputerName $wapServer2IpAddress -ArgumentList $pfxPwd -Credential  $wapCreds -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
# Cleanup PFX files
Remove-Item -Path ("\\" + $adfsServer01 + "\c$\sts.pfx") -Force
Remove-Item -Path ("\\" + $adfsServer02 + "\c$\sts.pfx") -Force
Remove-Item WAP1:\sts.pfx
Remove-Item WAP1:\ca.cer
Remove-Item WAP2:\sts.pfx
Remove-Item WAP2:\ca.cer
Remove-Item sts.pfx -Force
$stscert | Remove-Item -Force
# Deploy first master root key to AD (for ADFS group managed service account)
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
# Initialize ADFS farm on 1st ADFS server
$gmsaName = ($domainInfo.Name + "\stsuser1$")
Invoke-Command -ComputerName $adfsServer01 -ArgumentList $stscert.Thumbprint, $stsFqdn, $gmsaName, $daCreds -ScriptBlock {Install-AdfsFarm -CertificateThumbprint $args[0] -FederationServiceName $args[1] -GroupServiceAccountIdentifier $args[2] -Credential $args[3]}
# Add 2nd ADFS server to farm
Invoke-Command -ComputerName $adfsServer02 -ArgumentList $adfsServer01, $gmsaName, $stscert.Thumbprint, $daCreds -ScriptBlock {Add-AdfsFarmNode -PrimaryComputerName $args[0] -GroupServiceAccountIdentifier $args[1] -CertificateThumbprint $args[2] -Credential $args[3]}
# Enable IDP initiated sign on page
Invoke-Command -ComputerName $adfsServer01 -ScriptBlock {Set-AdfsProperties -EnableIdPInitiatedSignonPage $true}
# Configure 1st WAP
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer1IpAddress
Invoke-Command -ComputerName $wapServer1IpAddress -ArgumentList $stsFqdn, $daCreds, $stscert.Thumbprint -Credential $wapCreds -ScriptBlock {Install-WebApplicationProxy -FederationServiceName $args[0] -FederationServiceTrustCredential $args[1] -CertificateThumbprint $args[2]}
# Configure 2nd WAP
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer2IpAddress
Invoke-Command -ComputerName $wapServer2IpAddress -ArgumentList $stsFqdn, $daCreds, $stscert.Thumbprint -Credential $wapCreds -ScriptBlock {Install-WebApplicationProxy -FederationServiceName $args[0] -FederationServiceTrustCredential $args[1] -CertificateThumbprint $args[2]}

Clone this wiki locally