Script to update the Service-Communications SSL certificate

Changing the Service-Communications certificate for the Windows Server 2012 R2 ADFS servers and Windows Server 2012 R2 Web Application Proxy servers is sometimes tricky if you are not familiar with the technology. Basically you need to perform 3 operations: Change the Service-Communications certificate in ADFS. Set the new SSL certificate to be used by the…


Customize the Home Realm Discovery page to ask for UPN right away

DISCLAIMER: This post is a POC written for ADFS on Windows Server 2012 R2. When you have more than one Claim Provider Trust, this is the default user experience: The Piaudonn Yoga is in fact my local Active Directory. The other one, Cabane, is another ADFS deployment that I am trusting. If you don’t want to…


ADFS extranet lockout and PDC requirement

IMPORTANT: This article applies to Windows Server 2012 R2 ADFS (aka ADFS 3). In Windows Server 2016 ADFS (aka ADFS 4), there is an option to remove this dependency: Set-ADFSProperties -ExtranetLockoutRequirePDC $false. The Extranet Lockout is a new feature available on Windows Server 2012 R2 ADFS when the Web Application Proxy is used. In a nutshell,…


ADFS refuses to start, error 1297

Here is the scenario: your ADFS farm is happy, up and running. Because of update management, sometimes your server has to restart, and when the server restarts, all hosted services restart with it. Then, maybe you’ll run into this error message when you start your ADFS Server service: It is weird, especially that you…


How to export an ADFS custom webtheme and import it to another server

As it is recommended on the following TechNet article: Advanced Customization of AD FS Sign-in Pages "It is strongly recommended to validate your customizations in an alternate environment and test them prior to rolling it out onto production AD FS servers. This reduces the chances of end users being exposed to these customizations prior to…


Accept SAM-account name as a login format on the ADFS form-based password update page

If you want your users to use only their sAMAccountName to login to the ADFS form-based sign-in pages, you can do some JavaScript magic as it is described here on TechNet: Example 2: accept SAM-account name as a login format on an AD FS form-based sign-in page Basically it overrides the submitLoginRequest function and instead…


Customizing the AD FS sign-in pages per relying party trust

UPDATE: Windows Server 2016 allows this out of the box. See here: Customizing user signin for AD FS relying parties. The way the Windows Server 2012 R2 ADFS customization currently works does not enable you to modify the graphical end user experience based on the relying party trust (RP) the user is trying to access…


Customizing the IDP images in the Home Realm Discovery page

One of the great benefits of the latest version of ADFS is that you do not need to know HTML or anything fancy to customize the user's graphical experience. Changing the background, the logo, the text, adding some support information, hyperlinks… Pretty much everything is described in the following TechNet article: Customizing the AD FS…