How to change your ADFS Service Account

 How to change your ADFS Service Account

We had set up our original ADFS farm with a standard user account as the service account.   However, we wanted to change the account to a Group Managed Service Account (GMSA) instead.

Unfortunately, there weren't any complete instructions on changing the ADFS account.

Export-AdfsAuthenticationProviderConfigurationData

Import-AdfsAuthenticationProviderConfigurationData


I did manage to find the following great related articles:

http://tunnik.name/changing-adfs-service-account/

https://github.com/Microsoft/adfsToolbox/tree/master/serviceAccountModule

https://social.technet.microsoft.com/Forums/windowsserver/en-US/8f558762-f92c-4803-916c-cc36ecc7c988/adfs-2016-change-service-account-to-gmsa?forum=ADFS


After reading the article from the tunnik.name site, I decided to give the change a shot in my dev environment.  Here are the notes I came up with:

The error messages shown in the notes are from the [Event Viewer -> Application and Service Logs -> ADFS -> Admin] event log.

ADFS Service Account Change NOTES:

1)      To change the service account used by ADFS using command prompt (NOT PowerShell):

a.       Sc config adfssrv obj= [gmsaaccount]

2)      Ensure the user is added to the local security policy -> Allow Logon as a Service

Before changing the service account ensure the following: 

3)      Ensure the new service account has access to the database.  It needs to be in the db_genevaservice role on both ADFS databases and an owner of the IdentityServerPolicy schema.   


1)      ISSUE: Error: Specified Directory Service attribute does not exist.

a.       In  AD Users and Computers with Advanced Settings enabled: Ensure that the new account has permissions to read, write, create all child objects on Program Data -> Microsoft -> ADFS -> [GUID]

b.       Using advanced settings, ensure this applies to all child objects.

c.       You may need to do this for each GUID entry under Program Data -> Microsoft -> ADFS, as the GUID permissions are not inherited from parent.

5)     ISSUE:  There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data

Exception details:

System.ArgumentNullException: Value cannot be null.

Parameter name: certificate

   at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)

   at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml, Boolean forPassive)

   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()

   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()

   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()

   at Microsoft.IdentityServer.ServiceHost.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)

   at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

 

Ensure that the new ADFS account has permissions to all certificates.  You can do this via the Certificates MMC snap in.

Change the service account back to the original (if you changed it already) and then view the certs in adfs.  Ensure that each certificate is in the Trusted Root Authority container and ensure the new service account has permissions to it.  (From the Certificates MMC Snap-in: Right click the cert -> All tasks -> Manage Private Keys.  If it's placed in the Enterprise Trusted Root container and you don't see the Manage Private Keys, you may have read permissions already).

6)      ISSUE: Error: ADMIN0120: The client is not authorized to access the endpoint net.tcp://localhost:1500/policy. The client process must be run with service administrative privileges.

 

a.       Backup your ADFSConfiguration database.

b.       View the previous config data by:

SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings

 

c.       To modify the config for the new Service Account:

USE AdfsConfigurationV4;

 

UPDATE IdentityServerPolicy.ServiceSettings

SET ServiceSettingsData=REPLACE((SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings),'[OLD OBJECT SID]','[NEW OBJECT SID]')


One additional thing to note, regarding the query:

If you run:

SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings


You will get the XML Configuration data.  You can copy and paste this from SQL Management Studio and place it in an XML text editor to view the configuration.  


You can then search for the SID of your previous ADFS account and you will find the rules that will be edited by the Update query.  These are the authorization rules for your ADFS Service Account to access the endpoints.


 <PolicyStore>

    <AuthorizationPolicy>

      @RuleName = "Permit Service Account"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


      @RuleName = "Permit Local Administrators"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


    </AuthorizationPolicy>

    <AuthorizationPolicyReadOnly>

      @RuleName = "Permit Service Account"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


      @RuleName = "Permit Local Administrators"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


    </AuthorizationPolicyReadOnly>


 

 

 







Comments

Post a Comment

Popular posts from this blog

How To use ASPNET_SetReg to store encrypted data in the registry and then decrypt the data for use in your app

1) You may find it a bit unsecure storing usernames and passwords inside your web.config.  As an alternative to doing this, Microsoft has established a standard way to store that type of info in the registry of your server instead.  Yes, you can encrypt portions of the web.config using aspnet_regiis, but it can become quite a hassle if you need to make changes to some of your appSettings keys or change the account password over a number of different applications.   ( http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx ) 2) You can use a simple command line tool called aspnet_setreg.exe to create your registry entries.     You can find the tool here:              http://support.microsoft.com/kb/329290     The tool will use CryptProtectData to encrypt the values you put in the registry. The example in the article uses the following example: Run the following command...
Read more

Nostalgia for SNL's Il Returno De Hercules

Image
Source: http://snltranscripts.jt.org/86/86nhercules.phtml Now that SNL has an official YouTube channel, I had hoped SNL would add the "Il Returno de Hercules" skit to the channel.  The skit was from from SNL Season 12 Episode 14. I was able to find the script for the skit at snltranscripts.jt.org.  And here it is for your viewing pleasure.  If SNL doesn't put this on YouTube, maybe someone can remake it and put it up. Il Returno de Hercules King Laetes.....Dana Carvey/Tom Davis (voice) Helena.....Nora Dunn/Jan Hooks (voice) Hercules.....Bill Murray Guard.....A Whitney Brown Announcer : [ over SCROLL ] "In the time known as the Heroic Age, many centuries before the birth of Christ, Greece was still a savage and uncivilized land. In these dark times, one man alone defended the helpless - the Mighty Hercules. For many years the mighty Hercules fought for the common people, until at length his rich diet and increasingly sedentary lifesty...
Read more

PowerShell Script to Clean the Windows Installer Directory

Yesterday, I had a case of the Windows folder filling up the OS drive on a server. I already have scripts to archive the event log files in c:\windows\system32\winevt, as well as c:\inetpub\logs for web servers.  So I ran those again, but found the OS drive still down to less than 5 GB in space. Using a program called WinDirStat, I discovered that the Windows Installer directory had gotten pretty big, like over 40GB in size. I began my quest to Google for a solution. I saw one article talking about using DISM to clean up the winsxs directory.  https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder However, that didn't clean up the c:\windows\installer directory at all.  Also, installing the Desktop Experience Feature and using the cleanmgr.exe (Disk Clean up) utility didn't clean up the Installer directory either. Many blogs pointed towards a tool called Patch Cleaner. https://www.winhelponline.com/blog/windows-inst...
Read more