
01 Installation

redhook edited this page Feb 19, 2021 · 31 revisions

Installation

Prerequisites

Installation operations

  • must be run by a user who has Local Administrator rights on each Adfs server.

Configuration operations

  • must be run by a user who has Local Administrator rights or belongs to the ADFS Delegated administration group, depending on your ADFS configuration.

  • Local System Administration must be enabled in your ADFS configuration (this can be changed with the extended configuration tasks).

  • On ADFS 2012 R2, configuration must be run by a user who is in the Local Administrators group of each ADFS server.

.Net Framework

  • The .Net Framework installed on the Adfs servers and on the proxies must be version 4.7.2 or later, with the latest updates. The biometric provider requires this version for its use of the CNG encryption functionality.
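Because an outdated framework on a single proxy is enough to break the biometric provider, it is worth checking every farm member before running the msi. The following script is an added example, not part of the adfsmfa project: it reads the .Net Framework 4.x "Release" value from the registry of each listed computer and compares it with the lowest value Microsoft publishes for 4.7.2 (461808 on Windows 10 version 1803, 461814 on every other OS). The computer names are constructed for illustration.

```powershell
# Added example (not part of the adfsmfa project): verify the .Net Framework 4.x release
# on every ADFS server and proxy before installing adfsmfa.
# Computer names below are constructed for illustration.
$Computers = 'adfs1.contoso.local', 'adfs2.contoso.local', 'wap1.contoso.local'

# Lowest 'Release' value that corresponds to .Net Framework 4.7.2.
# Any value >= 461808 means 4.7.2 or later is installed.
$MinRelease = 461808

$Results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    $Key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $Item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Version  = $Item.Version   # marketing version string, informational only
        Release  = $Item.Release   # the value that actually identifies the framework level
    }
}

# Flag every computer that does not meet the prerequisite.
$Results |
    Select-Object Computer, Version, Release,
        @{ Name = 'Meets472'; Expression = { ($null -ne $_.Release) -and ($_.Release -ge $MinRelease) } } |
    Sort-Object Meets472, Computer |
    Format-Table -AutoSize

$Failing = $Results | Where-Object { $null -eq $_.Release -or $_.Release -lt $MinRelease }
if ($Failing) {
    Write-Warning ("Update .Net Framework to 4.7.2 or later on: " + (($Failing.Computer | Sort-Object) -join ', '))
}
```

Run it from a management workstation with PowerShell Remoting enabled towards the farm; a missing "Release" value means no .Net Framework 4.x is installed at all, which the script reports as failing too.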

ADDS Configuration for MFA users profiles

  • The Adfs service account used to access the ADDS forests must have read/write rights on all user properties (or ensure correct access to the properties described in ADDS configuration).

  • The Adfs service account is a "Domain Administrator" (not recommended).

  • The Adfs service account is a member of the "Account Operators" group in all forests (suitable); this account cannot create or write attributes of privileged accounts such as domain administrators.

  • The Adfs service account is a "Standard User" (recommended); you must then set privileged account credentials in Security management (Super User).

  • An ADDS Data Access User is required to perform PowerShell Remoting with the Cmdlets that support it.

  • The selected account must have the same rights in the other forests.

  • The ADDS Schema must conform to the Adfs prerequisites (FL 2003).

SQL Configuration for MFA users profiles

  • The Adfs service account must be dbCreator and dbSecurityAdmin on your MFA SQL Server Database (done during database Creation/Upgrade).
  • Members of the Adfs Delegated administration group must have read/write rights on your MFA SQL Database (done during database Creation/Upgrade).
  • The Interactive Account (MMC, PowerShell) must have read/write rights on your MFA SQL Database.
  • A SQL Data Access User is required to perform PowerShell Remoting with the Cmdlets that support it. This account must be a SQL account (not a Windows account) and must be dbCreator and dbSecurityAdmin on your MFA SQL Server Database. With this account there is no need to grant SQL rights to the Adfs service account, the Adfs Delegated administration group or the Interactive Account.
  • The SQL version must be 2008 or later. Some features require SQL Server 2016 (Always Encrypted columns).

Identity Claim

In version 3.1, all administrator and operator rights are governed by the ADFS configuration with:

  • Local System Accounts (required)

  • Local Administrators Accounts

  • ADFS Delegated Administrators Accounts (recommended)

For ADFS 2012 R2, only Local Administrators Accounts are suitable.

See How to build a High Trust Configuration in Security Management

Installing Product

  • Download adfsmfa.msi from github : https://github.com/neos-sdi/adfsmfa/releases
  • Log on to each Adfs server (2012 R2, 2016 or 2019) as a Local administrator user
  • Launch the installation of the adfsmfa.msi file on each Adfs server.

The msi installation does not configure adfsmfa. The installation process deploys the components on the system (binaries in the GAC and in Program Files), registers the services, PowerShell Cmdlets and MMC snap-in, and finally creates a shortcut on the desktop. This step does not require you to redo a prior configuration of adfsmfa, for example when patching or deploying a new version. You can patch one server at a time (disabling the node in the NLB); in this case no further action is required and the system remains "operational".

Activating Product

This task registers the adfsmfa product in your Adfs Farm. When completed, adfsmfa becomes a new MFA provider for your Adfs Farm. You must execute this task on only one primary Adfs Server.

By default the component uses the Upn ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn") as Identity claim.
Alternatively you can use the WindowsAccountName ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname") as Identity claim.
You can change this behavior after installing the msi and before registering the component. To do that you must change a registry value on each Adfs server: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\MFA\IdentityClaim -> 0: Upn, 1: WindowsAccountName.
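Because the value has to be identical on every Adfs server before Register-MFASystem is run, setting it by hand on each node invites drift. The script below is an added example, not code from the adfsmfa project: it writes the IdentityClaim value given on this page to every listed server and reads it back so the result can be compared across the farm. Server names are constructed for illustration, and the value is written as a REG_DWORD, which is an assumption since the page does not state the value type.

```powershell
# Added example (not part of the adfsmfa project): set the adfsmfa identity claim on every
# ADFS server after the msi is installed and BEFORE Register-MFASystem is run.
# Values from the wiki: 0 = Upn (default), 1 = WindowsAccountName.
# Assumption: the value is a REG_DWORD (the wiki does not state the type).
$AdfsServers   = 'adfs1.contoso.local', 'adfs2.contoso.local'   # constructed names
$IdentityClaim = 1                                               # 1 = WindowsAccountName

Invoke-Command -ComputerName $AdfsServers -ArgumentList $IdentityClaim -ScriptBlock {
    param([int]$Value)

    $Key = 'HKLM:\SOFTWARE\MFA'
    if (-not (Test-Path -Path $Key)) {
        # The key is created by the msi; its absence means adfsmfa is not installed here.
        Write-Warning "$env:COMPUTERNAME : $Key not found, is adfsmfa.msi installed?"
        return
    }

    Set-ItemProperty -Path $Key -Name 'IdentityClaim' -Value $Value -Type DWord

    # Read the value back so the settings of all servers can be compared side by side.
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IdentityClaim = (Get-ItemProperty -Path $Key -Name 'IdentityClaim').IdentityClaim
        Claim         = if ($Value -eq 1) { 'WindowsAccountName' } else { 'Upn' }
    }
} | Format-Table Computer, IdentityClaim, Claim -AutoSize
```

Any server reported with a different IdentityClaim, or missing from the table because of the warning, must be fixed before the component is registered; the claim type is part of how adfsmfa identifies users, so a mixed farm would not match users consistently.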

  • With an Adfs WID configuration, your actions are replicated to the other servers within 5 minutes or when the Adfs services are restarted. The ADFSMFA configuration parameters themselves are synchronized immediately with all servers (cache file).

  • With an Adfs SQL configuration, everything is immediately available to all other servers, since they share the same Adfs databases. The ADFSMFA configuration parameters are likewise synchronized immediately with all servers (cache file).

Component registration can only be done with the PS Cmdlet Register-MFASystem. The registration process creates the component registration with the ADFS Farm and activates the component as an active MFA provider in your Adfs Farm with default configuration values.

  • Log on to a Primary ADFS server of your farm as Adfs administrator
  • Launch a new PowerShell session as administrator
  • type get-help Register-MFASystem –detailed to get information.
  • Enter your command
Register-MFASystem

Add an Adfs Server

This operation is required if you have multiple Adfs servers running Windows 2012 R2. With that version (2012 R2), the different servers are not automatically referenced.

For all versions of Adfs (2012 R2, 2016 and 2019) you will need to use this command when adding a server to an existing farm.

  • Log on to a Primary Adfs server as Adfs administrator
  • Launch a new PowerShell session as administrator
  • type get-help Register-MFAComputer –detailed to get information.
  • Enter your command
Register-MFAComputer -ServerName "servername_to_add"

When you add an Adfs Server to your farm, you must execute Register-MFAComputer to add this computer to the MFA servers list (used by the notification system). This operation is also needed if your Adfs farm servers are 2012 R2.

For Adfs 2016/2019, Register-MFASystem can do the job without the need to register the computer with Register-MFAComputer.

Get ADFS Farm information

  • Log on to any Adfs server as Adfs administrator or Delegated administration group member
  • Launch a new PowerShell session as administrator
  • type get-help Get-MFAFarmInformation –detailed to get information.
  • Enter your command
Get-MFAFarmInformation
(Get-MFAFarmInformation).Servers

If the MMC does not load

Sometimes, after a major upgrade, the registry keys are not correctly updated by the Windows installer.

Launch Regedit as administrator
Select HKEY_LOCAL_MACHINE
Search for : FX:{9627f1f3-a6d2-4cf8-90a2-10f85a7a4ee7}
In the right pane look at the Type attribute and change the version to 3.0.0.0 if needed.
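The same repair can be scripted so that it is reproducible on every server and previewed before anything is written. The script below is an added example, not code from the adfsmfa project. It assumes that the snap-in registration is the key named with the GUID above under HKLM\SOFTWARE\Microsoft\MMC\SnapIns, where MMC registers managed snap-ins, and that its Type value holds an assembly-qualified type name containing a "Version=x.x.x.x" part, which is the field this page asks you to edit. With $DryRun left at $true it only reports what it would change.

```powershell
# Added example (not part of the adfsmfa project): inspect, and optionally repair, the
# assembly version recorded in the 'Type' value of the adfsmfa MMC snap-in registration.
# Assumptions: the registration lives under HKLM:\SOFTWARE\Microsoft\MMC\SnapIns and the
# 'Type' value is an assembly-qualified name containing 'Version=x.x.x.x'.
$SnapInId = 'FX:{9627f1f3-a6d2-4cf8-90a2-10f85a7a4ee7}'   # GUID given on this page
$Wanted   = '3.0.0.0'                                     # version given on this page
$DryRun   = $true                                         # set to $false to apply the fix

$Root = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
$Keys = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $SnapInId }

if (-not $Keys) {
    Write-Warning "$SnapInId not found under $Root; search HKLM manually as described above."
    return
}

foreach ($k in $Keys) {
    $type = (Get-ItemProperty -Path $k.PSPath -Name 'Type' -ErrorAction SilentlyContinue).Type
    if (-not $type) {
        Write-Warning "$($k.PSPath) has no 'Type' value."
        continue
    }

    # Pull the current assembly version out of the assembly-qualified type name.
    $match = [regex]::Match($type, 'Version=(\d+(?:\.\d+){3})')
    if (-not $match.Success) {
        Write-Warning "$($k.PSPath): 'Type' does not contain a Version= component: $type"
        continue
    }
    $current = $match.Groups[1].Value

    if ($current -eq $Wanted) {
        Write-Host "$($k.PSPath): Type already references version $Wanted, nothing to do."
        continue
    }

    $new = $type -replace 'Version=\d+(?:\.\d+){3}', "Version=$Wanted"
    Write-Host "$($k.PSPath): Type version $current -> $Wanted"
    # -WhatIf:$DryRun prints the intended change without writing when $DryRun is $true.
    Set-ItemProperty -Path $k.PSPath -Name 'Type' -Value $new -WhatIf:$DryRun
}
```

Run it in an elevated PowerShell session on the server whose MMC fails to load; once the reported change looks right, set $DryRun to $false and run it again, then reopen the MMC.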

Backup and Restore MFA configuration

Once the configuration is set, you can back up your configuration to an xml file and, of course, restore it later.

  • Log on to a Primary Adfs server as Adfs administrator
  • Launch a new PowerShell session as administrator
  • type get-help Export-MFAConfiguration –detailed to get information.
  • type get-help Import-MFAConfiguration –detailed to get information.
  • Enter your command
Export-MFAConfiguration -ExportFilePath 'c:\temp\config.xml'
Import-MFAConfiguration -ImportFilePath 'c:\temp\config.xml'

Additional configuration tasks

Configure Windows Firewall Rules

To allow proper information exchange in real time (Notifications, Anti-Replay, etc.) between Adfs servers (farm configuration), you must run a PowerShell command on each Adfs Server.

  • Log on to each Adfs server as Adfs administrator or Delegated administration group member
  • Launch a new PowerShell session as administrator
  • type get-help Set-MFAFirewallRules –detailed to get information.
  • Enter your command
Set-MFAFirewallRules    # Using the MFA configuration servers list

Set-MFAFirewallRules -ComputersAllowed '172.16.100.1, 172.16.100.2'

This command opens 3 ports in your server Firewall (Scope: Domain)

  1. MFA Notification Hub Service (tcp) : 5987
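After running Set-MFAFirewallRules it is worth confirming, from the firewall's own view, that the Notification Hub port is open only in the way intended: an enabled inbound rule for TCP 5987, scoped to the Domain profile, restricted to the addresses of the other farm members, and actually reachable from one of them. The script below is an added example, not code from the adfsmfa project; the peer server name is constructed, and the rule name is not assumed since the page does not give it, so the rule is located by its port filter instead.

```powershell
# Added example (not part of the adfsmfa project): verify the firewall rule for the
# MFA Notification Hub Service (TCP 5987, scope Domain) after Set-MFAFirewallRules.
$Port = 5987
$Peer = 'adfs2.contoso.local'   # constructed: another ADFS server of the same farm

# Locate rules by their port filter; the rule name is not given on the wiki page.
$Rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' }

if (-not $Rules) {
    Write-Warning "No inbound firewall rule for TCP $Port found on $env:COMPUTERNAME."
}

# Show the properties a reviewer cares about: enabled, profile, action and remote scope.
$Rules |
    Select-Object DisplayName, Enabled, Profile, Action,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Format-Table -AutoSize

# Flag rules that are wider than the page describes (any profile other than Domain, or no address restriction).
foreach ($r in $Rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ("$($r.Profile)" -notmatch 'Domain') {
        Write-Warning "$($r.DisplayName): profile is '$($r.Profile)', expected Domain."
    }
    if ($remote -contains 'Any') {
        Write-Warning "$($r.DisplayName): remote address is Any; consider -ComputersAllowed to limit it to farm members."
    }
}

# Confirm the port answers from another farm member (run this part on that member, or via remoting).
$probe = Test-NetConnection -ComputerName $Peer -Port $Port -WarningAction SilentlyContinue
"{0}:{1} reachable: {2}" -f $Peer, $Port, $probe.TcpTestSucceeded
```

A rule that is enabled but scoped to the wrong profile, or left open to Any, is the usual reason notifications work in a lab and fail, or are exposed further than wanted, in production; the two warnings above point at exactly those cases.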

Manage certificates private keys

If you have created MFA certificates (RSA) in previous installations, you must update the Access Control List to give the correct rights on the certificates' private keys to the Adfs service and the Adfs account.

  • Log on to a Primary Adfs server as Adfs administrator or Delegated administration group member
  • Launch a new PowerShell session as administrator
  • type get-help Update-MFACertificatesAcessControlList –detailed to get information.
  • Enter your command
Update-MFACertificatesAcessControlList

Update-MFACertificatesAcessControlList -CertsKind (AllCerts | MFACerts | ADFSCerts | SSLCerts)

This cmdlet only adds or updates ACLs; by default the private keys of all certificates are updated (AllCerts).