-
Notifications
You must be signed in to change notification settings - Fork 0
ADFS Configuration
Fabien Gilbert edited this page Jul 22, 2021
·
2 revisions
- Copy the script below to PowerShell ISE on the Jump Server.
- Edit the parameter section with values from your environment.
- Run the Get-Credential cmdlets to provide the local and domain admin passwords.
- Run the script LINE BY LINE (F8) to catch any error. It will:
- Request an ADFS (STS) certificate from the CA.
- Export that certificate to a PFX file.
- Copy the PFX file to the ADFS servers (domain joined).
- Copy the PFX file to the WAP servers (non-domain joined so it uses PS drives).
- Import certificate from PFX file on ADFS and WAP servers.
- Import Root CA certificate on the WAP servers (since it is not domain joined)
- Cleanup PFX files.
- Create ADFS farm on 1st server.
- Join 2nd ADFS server to farm.
- Enable IDP initiated sign-on.
- Join 1st WAP to ADFS farm.
- Join 2nd WAP to ADFS farm.
- Test internal authentication at https://ca.stackadfslab.com/adfs/ls/idpinitiatedsignon
- Test external authentication. You may have to create a host record that points to the WAP LB Public IP
##############
# PARAMETERS #
##############
# STS DNS Name
$stsFqdn = "sts.stackadfslab.com"
# WAP Servers IP Addresses
$wapServer1IpAddress = "10.239.98.100"
$wapServer2IpAddress = "10.239.98.101"
# WAP Credentials (local admin user from Key Vault)
$wapCreds = Get-Credential -Message "Enter WAP local admin credentials" -UserName lauser1
# Domain Admin Credentials (from Key Vault)
$domainInfo = Get-ADDomain
$daCreds = Get-Credential -Message "Enter domain admin credentials" -UserName ($domainInfo.DNSRoot + "\dauser1")
###############
# Request custom certificate from
Get-Certificate -Template "ComputerCustom" -DnsName @($stsFqdn) -CertStoreLocation Cert:\LocalMachine\My -SubjectName ("CN=" + $stsFqdn)
# Get newly generated STS certificate
$stscert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.DnsNameList -like "sts*"}
# Generate random PFX password
$rpwd = [char](Get-Random -Minimum 65 -Maximum 91) + [char](Get-Random -Minimum 97 -Maximum 122) + [char](Get-Random -Minimum 37 -Maximum 47) + (Get-Random -Minimum 100000 -Maximum 999999)
$pfxPwd = ConvertTo-SecureString -AsPlainText -String $rpwd -Force
# Export STS certificate to PFX
Export-PfxCertificate -Cert $stscert -FilePath sts.pfx -Password $pfxPwd
# Get ADFS servers from AD
$adfsServer01 = Get-ADComputer -Filter {name -like "*-ADFS-01"} | Select-Object -ExpandProperty Name
$adfsServer02 = Get-ADComputer -Filter {name -like "*-ADFS-02"} | Select-Object -ExpandProperty Name
# Copy PFX file to ADFS servers
Copy-Item -Path sts.pfx -Destination ("\\" + $adfsServer01 + "\c$\sts.pfx")
Copy-Item -Path sts.pfx -Destination ("\\" + $adfsServer02 + "\c$\sts.pfx")
# Import PFX file on ADFS servers
Invoke-Command -ComputerName $adfsServer01, $adfsServer02 -ArgumentList $pfxPwd -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
# Export CA root certificate
$caCert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Issuer.Replace(" ","") -Like ("*" + $domainInfo.DistinguishedName + "*")}
Export-Certificate -FilePath ca.cer -Cert $caCert
# Mount drives to WAP servers
New-PSDrive -Name "wap1" -PSProvider "FileSystem" -Root ("\\" + $wapServer1IpAddress + "\c$") -Credential $wapCreds
New-PSDrive -Name "wap2" -PSProvider "FileSystem" -Root ("\\" + $wapServer2IpAddress + "\c$") -Credential $wapCreds
# Copy PFX and CA CERT files to WAP servers
Copy-Item -Path sts.pfx -Destination WAP1:\sts.pfx
Copy-Item -Path ca.cer -Destination WAP1:\ca.cer
Copy-Item -Path sts.pfx -Destination WAP2:\sts.pfx
Copy-Item -Path ca.cer -Destination WAP2:\ca.cer
# Import PFX and CA root cert files on WAP servers
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer1IpAddress
Invoke-Command -ComputerName $wapServer1IpAddress -Credential $wapCreds -ScriptBlock {Import-Certificate -FilePath "C:\ca.cer" -CertStoreLocation Cert:\LocalMachine\Root}
Invoke-Command -ComputerName $wapServer1IpAddress -ArgumentList $pfxPwd -Credential $wapCreds -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer2IpAddress
Invoke-Command -ComputerName $wapServer2IpAddress -Credential $wapCreds -ScriptBlock {Import-Certificate -FilePath "C:\ca.cer" -CertStoreLocation Cert:\LocalMachine\Root}
Invoke-Command -ComputerName $wapServer2IpAddress -ArgumentList $pfxPwd -Credential $wapCreds -ScriptBlock {Import-PfxCertificate -FilePath "C:\sts.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $args[0]}
# Cleanup PFX files
Remove-Item -Path ("\\" + $adfsServer01 + "\c$\sts.pfx") -Force
Remove-Item -Path ("\\" + $adfsServer02 + "\c$\sts.pfx") -Force
Remove-Item WAP1:\sts.pfx
Remove-Item WAP1:\ca.cer
Remove-Item WAP2:\sts.pfx
Remove-Item WAP2:\ca.cer
Remove-Item sts.pfx -Force
$stscert | Remove-Item -Force
# Deploy first master root key to AD (for ADFS group managed service account)
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
# Initialize ADFS farm on 1st ADFS server
$gmsaName = ($domainInfo.Name + "\stsuser1$")
Invoke-Command -ComputerName $adfsServer01 -ArgumentList $stscert.Thumbprint, $stsFqdn, $gmsaName, $daCreds -ScriptBlock {Install-AdfsFarm -CertificateThumbprint $args[0] -FederationServiceName $args[1] -GroupServiceAccountIdentifier $args[2] -Credential $args[3]}
# Add 2nd ADFS server to farm
Invoke-Command -ComputerName $adfsServer02 -ArgumentList $adfsServer01, $gmsaName, $stscert.Thumbprint, $daCreds -ScriptBlock {Add-AdfsFarmNode -PrimaryComputerName $args[0] -GroupServiceAccountIdentifier $args[1] -CertificateThumbprint $args[2] -Credential $args[3]}
# Enable IDP initiated sign on page
Invoke-Command -ComputerName $adfsServer01 -ScriptBlock {Set-AdfsProperties -EnableIdPInitiatedSignonPage $true}
# Configure 1st WAP
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer1IpAddress
Invoke-Command -ComputerName $wapServer1IpAddress -ArgumentList $stsFqdn, $daCreds, $stscert.Thumbprint -Credential $wapCreds -ScriptBlock {Install-WebApplicationProxy -FederationServiceName $args[0] -FederationServiceTrustCredential $args[1] -CertificateThumbprint $args[2]}
# Configure 2nd WAP
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer2IpAddress
Invoke-Command -ComputerName $wapServer2IpAddress -ArgumentList $stsFqdn, $daCreds, $stscert.Thumbprint -Credential $wapCreds -ScriptBlock {Install-WebApplicationProxy -FederationServiceName $args[0] -FederationServiceTrustCredential $args[1] -CertificateThumbprint $args[2]}