Difference between revisions of "Windows Federated Services"
Revisions by Michael.mast (talk | contribs)
Revision as of 11:11, 25 October 2019
General Notes
This service is easy enough to get up and running using Server Manager. In my case I have Server 2016 Core running in AWS on a private subnet.
You do need to ensure you have the following:
- A certificate for the publicly accessible FQDN, e.g. sts.yourdomain.tld. This does NOT need to match your internal domain.
- A CSR can be created using the Windows MMC[1] and is easy to do.
- Make sure to import the acquired certificate back into the same system that created the CSR, then export the whole thing together with the private key.
- Have a dedicated service account created in AD.
- Firewall rules will trip you up if you are not careful.
Enable test page
[2] This page is used to test sign-in.
I was able to log in from both the native domain as well as a trusted domain without further configuration.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
Then go to https://sts.yourdomain.tld/adfs/ls/idpinitiatedsignon.htm
AD FS Proxy
In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain-joined computers on the internet scare me.
- To manage the headless server using Server Manager:
  - Give the server an FQDN and manually add the DNS entry.
  - Add the server to the trusted hosts for management (see https://www.jorgebernhardt.com/how-to-managing-non-domain-joined-server-using-server-manager/).
Note: If your TrustedHosts entry is empty, just use the Set-Item command without the $CurrentList variable.
$CurrentList = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03.Domain.local, $CurrentList"
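The same TrustedHosts change written to handle the empty-list case from the note above and to avoid duplicate or wildcard entries (an added example, not from the original page; the proxy name adfsproxy.yourdomain.tld is a placeholder, run on the management workstation):

```powershell
# Placeholder FQDN of the non-domain-joined AD FS proxy to manage.
$NewHost = 'adfsproxy.yourdomain.tld'

# TrustedHosts is stored as one comma-separated string, possibly empty.
$Current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Split into a clean list; an empty value yields an empty list instead of
# the trailing ", " that the note above warns about.
$Hosts = @()
if (-not [string]::IsNullOrWhiteSpace($Current)) {
    $Hosts = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# A wildcard entry trusts every host for WinRM; flag it so it can be narrowed.
if ($Hosts -contains '*') {
    Write-Warning "TrustedHosts contains '*'; replace it with the named hosts you actually manage."
}

# Only append when the host is not already listed, then write the rebuilt list back.
if ($Hosts -notcontains $NewHost) {
    $Hosts += $NewHost
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Hosts -join ',') -Force
}

# Show the resulting value for verification.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```

Hosts in TrustedHosts are contacted without Kerberos mutual authentication, so keep the list to specific FQDNs and use the certificate from the section above on an HTTPS WinRM listener so the proxy's identity is still verified.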