01 Installation
All installation operations must be run by a user who has local Administrator rights on each ADFS server.
Starting with ADFS 2016, this user must also be a member of the ADFS administration group.
- If you are using ADDS configuration mode (default), the interactive account (installation, MMC console, PowerShell) and the ADFS service account must have read/write rights on all user properties (or ensure correct access to the properties described in ADDS configuration).
If you have ADDS trust relationships, these accounts must also have the same rights in the other forests.
The ADDS schema must conform to the ADFS prerequisites (FL 2008).
- If you are using SQL configuration, the interactive account (installation, MMC, PowerShell) and the ADFS service account must be dbCreator and dbsecurityadmin on your SQL Server instance.
SQL Server version must be 2008 or later; some features require SQL Server 2016 (Always Encrypted columns).
- Download adfsmfa.msi from GitHub: https://github.com/neos-sdi/adfsmfa/releases
- Log on to each ADFS server (2012 R2, 2016 or 2019) as administrator
- Launch the installation of the adfsmfa.msi file on each ADFS server.
The msi installation does not configure adfsmfa.
The installation process deploys the components on the system (binaries in the GAC and in Program Files), registers the services, PowerShell cmdlets and MMC snap-in, and finally creates a shortcut on the desktop.
This step does not require you to unconfigure a prior configuration of adfsmfa, for example when patching or deploying a new version. You can patch each server one at a time (disabling the node in the NLB); in this case no further action is required and the system stays operational.
Sometimes after a major upgrade the registry keys are not correctly updated:
- Launch Regedit as administrator
- Select HKEY_LOCAL_MACHINE
- Search for: FX:{9627f1f3-a6d2-4cf8-90a2-10f85a7a4ee7}
- In the right pane, look at the Type attribute and change the version to 2.4.0.0 if needed.
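The same check can be scripted so it can be run on every node after an upgrade. The following PowerShell is an added example, not code from the adfsmfa project: it locates the FX:{...} snap-in key named above, reads its Type value and reports whether the embedded assembly version matches the expected one, optionally rewriting it. Two assumptions are made that the page does not state: that the key lives under the standard MMC snap-in hive HKLM:\SOFTWARE\Microsoft\MMC\SnapIns (the page only says to search HKEY_LOCAL_MACHINE), and that the Type value is an assembly-qualified type name containing a "Version=x.y.z.w" token.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the adfsmfa wiki): verify the MMC snap-in registration
# left behind after an upgrade and report whether its Type value carries the
# expected assembly version. Run with -Fix to rewrite a stale value.
param(
    [string]$ExpectedVersion = '2.4.0.0',   # version named on this page
    [switch]$Fix                            # rewrite the value instead of only reporting
)

$snapInGuid = 'FX:{9627f1f3-a6d2-4cf8-90a2-10f85a7a4ee7}'   # GUID taken from this page
$searchRoot = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'        # assumption: standard MMC 3.0 snap-in hive

$keys = Get-ChildItem -Path $searchRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $snapInGuid }

if (-not $keys) {
    Write-Warning "Snap-in key $snapInGuid not found under $searchRoot; the MSI may not have registered the MMC snap-in."
    return
}

foreach ($key in $keys) {
    $type = (Get-ItemProperty -Path $key.PSPath -Name Type -ErrorAction SilentlyContinue).Type
    if (-not $type) {
        Write-Warning "$($key.PSPath) has no Type value."
        continue
    }

    # Assumption: assembly-qualified name of the form
    # "Namespace.Class, Assembly, Version=2.4.0.0, Culture=neutral, PublicKeyToken=..."
    if ($type -notmatch 'Version=(?<ver>\d+(\.\d+){3})') {
        Write-Warning "$($key.PSPath): Type value has no Version= token: $type"
        continue
    }
    $current = $Matches['ver']

    if ($current -eq $ExpectedVersion) {
        Write-Host "OK    $($key.PSPath): Type references version $current"
        continue
    }

    Write-Host "STALE $($key.PSPath): Type references $current, expected $ExpectedVersion"
    if ($Fix) {
        # Replace only the Version= token so the rest of the type name is untouched
        $updated = $type -replace "Version=$([regex]::Escape($current))", "Version=$ExpectedVersion"
        Set-ItemProperty -Path $key.PSPath -Name Type -Value $updated
        Write-Host "      updated Type to: $updated"
    }
}
```

Run it without -Fix first on one node to confirm the key is where the script expects it; if the snap-in turns out to be registered elsewhere, adjust $searchRoot rather than searching the whole hive, which is slow and touches unrelated keys.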
This task registers the adfsmfa product in your ADFS farm; when completed, adfsmfa becomes a new MFA provider for your ADFS farm.
You must execute this task only on one primary ADFS server.
If you are using ADFS WID configuration, your actions will be replicated to the other servers within 5 minutes or when restarting the ADFS services.
If you are using ADFS SQL configuration, everything is immediately available to all other servers, since they share the same ADFS databases.
Component registration can only be done with the PowerShell cmdlet Register-MFASystem. The registration process creates the component registration with the ADFS farm and optionally activates the component as an active MFA provider in your ADFS farm. You can also decide to set the security configuration (default RNG, or RSA, or RSA per user).
This is the configuration you are using, whether it is a first installation or a new ADFS farm.
- Log on to the primary ADFS server of your farm as administrator
- Launch a new PowerShell session as administrator
- Type get-help Register-MFASystem -Detailed to get information.
- Enter your command:
Register-MFASystem -Activate -RestartFarm -Verbose
Create a new default configuration using ADDS and RSA 2048 bytes for user key generation; the certificate duration is set to 10 years (default is 5):
Register-MFASystem -Activate -RestartFarm -KeyFormat RSA -RSACertificatDuration 10 -Verbose
This configuration (RSA) requires additional configuration if you have multiple ADFS servers in your farm. You must export the generated certificate with its private key (.pfx) and install it on all other ADFS servers. On export, when asked for a password, leave it blank.
Create a new default configuration using ADDS and RSA 2048 bytes for user key generation, one key for each user; the certificate duration is set to 2 years (default is 5):
Register-MFASystem -Activate -RestartFarm -KeyFormat CUSTOM -RSACertificatDuration 2 -Verbose
This configuration (CUSTOM) requires additional configuration: a custom database for storing all user keys and certificates (see New-MFASecretKeysDatabase).
This operation is required if you have multiple ADFS servers running Windows 2012r2.
With that version (2012 R2) the different servers are not automatically referenced.
For all versions of ADFS (2012 R2, 2016 and 2019) you will need to use this command when adding a server to an existing farm.
- Log on to a primary ADFS server as administrator
- Launch a new PowerShell session as administrator
- Type get-help Register-MFAComputer -Detailed to get information.
- Enter your command:
Register-MFAComputer -ServerName servernametoadd
When you add an ADFS server to your farm, you must run Register-MFAComputer to add this computer to the MFA servers list (used by the notification system).
This operation is also needed if your ADFS farm servers are 2012 R2; for 2016, Register-MFASystem can do the job without the need to register the computer with Register-MFAComputer.
- Log on to a primary ADFS server as administrator
- Launch a new PowerShell session as administrator
- Type get-help Get-MFAFarmInformation -Detailed to get information.
- Enter your command:
Get-MFAFarmInformation
(Get-MFAFarmInformation).Servers
Once the configuration is set, you can back up your configuration to an XML file and of course restore it later.
- Log on to the ADFS server you want to add to your farm for MFA as administrator
- Launch a new PowerShell session as administrator
- Type get-help Export-MFAConfiguration -Detailed to get information.
- Type get-help Import-MFAConfiguration -Detailed to get information.
- Enter your command:
Export-MFAConfiguration -ExportFilePath 'c:\temp\config.xml'
Import-MFAConfiguration -ImportFilePath 'c:\temp\config.xml'
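The registration, computer registration, verification and backup steps above are one procedure, so here they are chained into a single script. This is an added example, not code from the adfsmfa project: it uses only the cmdlets and parameters named on this page (Register-MFASystem, Register-MFAComputer, Get-MFAFarmInformation, Export-MFAConfiguration) plus the standard ADFS module cmdlet Get-AdfsSyncProperties to refuse to run on a secondary node. It assumes the adfsmfa cmdlets are already available in the session after the MSI installation, and that each entry of (Get-MFAFarmInformation).Servers renders as a string containing the server name, which the page does not state.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the adfsmfa wiki): register adfsmfa with the farm from
# the primary ADFS server, register extra nodes, verify the farm list and back up
# the resulting configuration in one run.
param(
    [string[]]$SecondaryServers = @(),                 # nodes to add explicitly (2012 R2 farms, or when adding a server)
    [string]$BackupPath = 'C:\temp\adfsmfa-config.xml' # where the XML backup is written
)

# 1. The page insists registration runs on a primary node only: check the sync role first.
Import-Module ADFS -ErrorAction Stop
$role = (Get-AdfsSyncProperties).Role
if ($role -ne 'PrimaryComputer') {
    throw "This node is '$role'; run the registration on the primary ADFS server."
}

# 2. Register adfsmfa, activate it as an MFA provider and restart the farm
#    (default RNG key format, i.e. the first command shown on this page).
Register-MFASystem -Activate -RestartFarm -Verbose

# 3. On 2012 R2 farms (or when adding a node) each server must be listed explicitly.
foreach ($server in $SecondaryServers) {
    Write-Host "Registering $server with the MFA servers list"
    Register-MFAComputer -ServerName $server
}

# 4. Verify: every server we expect must appear in the farm information.
$farm     = Get-MFAFarmInformation
$known    = @($farm.Servers | ForEach-Object { "$_" })   # assumption: string form contains the host name
$expected = @([System.Net.Dns]::GetHostName()) + $SecondaryServers
$missing  = $expected | Where-Object {
    $name = $_
    -not ($known | Where-Object { $_ -like "*$name*" })
}
if ($missing) {
    Write-Warning "Servers not listed by Get-MFAFarmInformation: $($missing -join ', ')"
} else {
    Write-Host "All $($expected.Count) server(s) are registered with adfsmfa."
}

# 5. Keep a backup of the freshly created configuration; restore later with Import-MFAConfiguration.
$dir = Split-Path -Parent $BackupPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Export-MFAConfiguration -ExportFilePath $BackupPath
Write-Host "Configuration exported to $BackupPath"
```

Run it as .\Register-Farm.ps1 -SecondaryServers adfs02,adfs03 from an elevated PowerShell on the primary node; the exported XML contains the farm's MFA configuration, so store it with the same care as the ADFS configuration database backups.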