Difference between revisions of "Windows Federated Services"
Michael.mast (talk | contribs)
Line 56:
==Hardening== | ==Hardening== | ||
+ | <ref>https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs</ref> The reference from Microsoft is rather vague. It looks like these settings can be applied to either the proxy or the internal server. Testing is needed. | ||
+ | *Enforce ExtendedProtectionTokenCheck<ref>https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps</ref> | ||
+ | <pre> | ||
+ | set-adfsproperties -ExtendedProtectionTokenCheck Require | ||
+ | </pre> |
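Review bot: on the first added line the <ref> precedes the sentence it supports, so it reads as a bare citation; move it after "rather vague". The same line says the setting may apply to either the proxy or the internal server and leaves it at "Testing is needed", so the <pre> command on the fourth added line should at least state which of the two servers it was run on.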
Revision as of 08:53, 28 October 2019
General Notes
This service is easy enough to get up and running using Server Manager. In my case I have Server 2016 Core running in AWS on a private subnet.
You do need to ensure you have the following:
- A certificate for the publicly accessible FQDN, e.g. sts.yourdomain.tld. This does NOT need to match your internal domain.
- A CSR can be created using Windows MMC[1] and is easy to do.
- Make sure to import the acquired cert back into the same system that created the CSR, then export the whole thing with the private key.
- Have a dedicated service account created in AD.
- Firewall issues will get you if you are not careful.
Enable test page
This is used to test sign-in.[2]
I was able to log in from both the native domain as well as a trusted domain without further configuration.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
Then go to https://sts.yourdomain.tld/adfs/ls/idpinitiatedsignon.htm
AD FS Proxy
In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain-joined computers on the internet scare me.[3]
- Make sure that you either included an alternate name in the certificate, or else you will need to add an entry to the hosts file, i.e.:
$newhost = 'xxx.xxx.xxx sts.yourdomain.tld'
$newhost | Out-File -FilePath C:\Windows\System32\drivers\etc\hosts -Append -Encoding ascii
- If you haven't already, install the certificate, copying it from another server if needed.
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath C:\sts.yourdomain.tld.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password
- Make sure you have the certificate thumbprint/hash as well. The following command should show this to you.
netsh http show ssl
# Credential of an account with local administrator rights on the internal federation server (used to establish the proxy trust)
$FScredential = Get-Credential
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName "sts.yourdomain.tld" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d"
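The proxy preparation steps above, as an added example that is not from the original page: a PowerShell script that picks the certificate covering the federation service name from Cert:\LocalMachine\My (SAN or CN, private key present, not expired), adds the hosts entry only if it is missing and only after a properly terminated last line, and hands the thumbprint to Install-WebApplicationProxy. The helper names Get-FederationCertificate and Add-HostsEntry, the placeholder address and the variable names are assumptions.

```powershell
# Added example (not from the original page). The values below are placeholders/assumptions.
$FederationServiceName = 'sts.yourdomain.tld'
$InternalAddress       = 'xxx.xxx.xxx.xxx'   # placeholder: internal AD FS server address
$HostsPath             = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-FederationCertificate {
    param([Parameter(Mandatory)][string]$Name)
    # Hypothetical helper: find the certificate whose SAN (or CN) covers the federation
    # service name, that carries a private key (i.e. came from the exported PFX) and is
    # still valid; if several match, prefer the one that expires last.
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c = $_
        $names = @($c.DnsNameList | ForEach-Object { $_.Unicode })
        $c.HasPrivateKey -and $c.NotAfter -gt (Get-Date) -and
            ($names -contains $Name -or $c.Subject -match "(^|, )CN=$([regex]::Escape($Name))(,|$)")
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $match) { throw "No valid certificate with a private key for $Name in Cert:\LocalMachine\My" }
    return $match
}

function Add-HostsEntry {
    param([string]$Address, [string]$Name, [string]$Path)
    # Hypothetical helper: add "<address> <name>" once, so the script is safe to re-run.
    $present = Get-Content -Path $Path | Where-Object {
        $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($Name))(\s|$)"
    }
    if ($present) { Write-Verbose "hosts already has an entry for $Name"; return $false }
    # Out-File/Add-Content do not insert a leading newline, so terminate an unterminated
    # last line first; otherwise the new entry is glued onto the previous one.
    $raw = [System.IO.File]::ReadAllText($Path)
    if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) {
        [System.IO.File]::AppendAllText($Path, "`r`n")
    }
    Add-Content -Path $Path -Value "$Address`t$Name" -Encoding Ascii
    return $true
}

$cert = Get-FederationCertificate -Name $FederationServiceName
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"
$null = Add-HostsEntry -Address $InternalAddress -Name $FederationServiceName -Path $HostsPath
$FScredential = Get-Credential -Message 'Local administrator on the internal AD FS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $FScredential `
    -CertificateThumbprint $cert.Thumbprint
```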
Manage using headless server
This does not work.
- To manage the headless server using Server Manager:
- Give the server an FQDN and manually add the DNS entry.
- Add the server to the trusted hosts for management.
Hardening
The reference from Microsoft (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs) is rather vague. It looks like these settings can be applied to either the proxy or the internal server. Testing is needed.
- Enforce ExtendedProtectionTokenCheck[4]
Set-AdfsProperties -ExtendedProtectionTokenCheck Require
References
1. https://knowledge.digicert.com/solution/SO29005.html
2. https://blogs.technet.microsoft.com/rmilne/2017/06/20/how-to-enable-idpinitiatedsignon-page-in-ad-fs-2016/
3. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11)?redirectedfrom=MSDN
4. https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsproperties?view=win10-ps