AD Fun Services – List all the members of an ADFS farm

In Windows Server 2012 R2, the ADFS database actually does not keep track of the servers member of the farm. It is a stateless farm were every node happen to share the same database (if a SQL server is used) or the same copy of the database (if it is WID). The only thing stored…

1

Q&D – Backup/Restore your ADFS claim rules for Office 365

When it comes to try and fail fast, nothing better than to be able to restore things the way it used to be before you broke everything 🙂 Here are some examples of PowerShell cmdLets you can rule to export your claim rules for the Azure AD Relying Party Trust into files and re-import them…

1

AD Fun Services – Track down the source of ADFS lockouts

Tracking down the devices locking out accounts on an ADFS deployment is quite challenging. From an ADDS perspective, lockouts coming from a WAP server will look like they’re come from an ADFS server: Lockouts coming from internal client using Form Based authentication also look like they are coming from the ADFS server itself and not…

26

Script to update the Service-Communications SSL certificate

Changing the Service-Communications certificate for the Windows Server 2012 R2 ADFS servers and Windows Server 2012 R2 Web Application Proxy servers is sometimes tricky if you are not familiar with the technology. Basically you need to perform 3 operations: Change the Service-Communications certificate in ADFS. Set the new SSL certificate to be used by the…

2

Customize the Home Realm Discovery page to ask for UPN right away

When you have more than one Claim Provider Trust, this is the default user experience: The Piaudonn Yoga is in fact my local Active Directory. The other one, Cabane, is another ADFS deployment that I am trusting. If you don't want to have to list all your trusts, or just rather have the user type its…

3

ADFS extranet lockout and PDC requirement

The Extranet Lockout is a new feature available on Windows Server 2012 R2 ADFS when the Web Application Proxy is used. In a nutshell, it protects against password discovery attacks coming from the Internet… If you have no idea what I am talking about, here is an excellent article explaining how it works and how to…

3

ADFS refuses to start, error 1297

Here is the scenario, your ADFS farm is happy, up and running. Because of update management sometimes you server has to restart. And when the server is restarting all hosted services will also restart with it. Then, maybe you’ll be running into this error message when you start your ADFS Server service: It is weird especially that you…

11

How to export an ADFS custom webtheme and import it to another server

As it is recommended on the following TechNet article: Advanced Customization of AD FS Sign-in Pages "It is strongly recommended to validate your customizations in an alternate environment and test them prior to rolling it out onto production AD FS servers. This reduces the chances of end users being exposed to these customizations prior to…

4

Accept SAM-account name as a login format on the ADFS form-based password update page

If you want your users to use only their sAMAccountName to login to the ADFS form-based sign-in pages, you can do some JavaScript magic as it is described here on TechNet: Example 2: accept SAM-account name as a login format on an AD FS form-based sign-in page Basically it overrides the submitLoginRequest function and instead…

3