How to change your ADFS Service Account
We had set up our original ADFS farm with a standard user account as the service account. However, we wanted to change the account to a Group Managed Service Account (GMSA) instead.
Unfortunately, there weren't any complete instructions on changing the ADFS account.
Export-AdfsAuthenticationProviderConfigurationData
Import-AdfsAuthenticationProviderConfigurationData
I did manage to find the following great related articles:
http://tunnik.name/changing-adfs-service-account/
https://github.com/Microsoft/adfsToolbox/tree/master/serviceAccountModule
https://social.technet.microsoft.com/Forums/windowsserver/en-US/8f558762-f92c-4803-916c-cc36ecc7c988/adfs-2016-change-service-account-to-gmsa?forum=ADFS
After reading the article from the tunnik.name site, I decided to give the change a shot in my dev environment. Here are the notes I came up with:
The error messages shown in the notes are from the [Event Viewer -> Application and Service Logs -> ADFS -> Admin] event log.
ADFS Service Account Change NOTES:

1) To change the service account used by ADFS using the command prompt (NOT PowerShell):
   a. sc config adfssrv obj= [gmsaaccount]

2) Ensure the user is added to the local security policy -> Allow Logon as a Service.

Before changing the service account ensure the following:

3) Ensure the new service account has access to the database. It needs to be in the db_genevaservice role on both ADFS databases and an owner of the IdentityServerPolicy schema.
4) ISSUE: Error: Specified Directory Service attribute does not exist.
   a. In AD Users and Computers with Advanced Settings enabled: ensure that the new account has permissions to read, write, and create all child objects on Program Data -> Microsoft -> ADFS -> [GUID].
   b. Using the advanced settings, ensure this applies to all child objects.
   c. You may need to do this for each GUID entry under Program Data -> Microsoft -> ADFS, as the GUID permissions are not inherited from the parent.
5) ISSUE: There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
   Additional Data
   Exception details:
   System.ArgumentNullException: Value cannot be null.
   Parameter name: certificate
      at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
      at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml, Boolean forPassive)
      at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()
      at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
      at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()
      at Microsoft.IdentityServer.ServiceHost.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
      at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

   Ensure that the new ADFS account has permissions to all certificates. You can do this via the Certificates MMC snap-in. Change the service account back to the original (if you changed it already) and then view the certificates in ADFS. Ensure that each certificate is in the Trusted Root Authority container and that the new service account has permissions to it. (From the Certificates MMC snap-in: right-click the cert -> All Tasks -> Manage Private Keys. If it's placed in the Enterprise Trusted Root container and you don't see Manage Private Keys, you may already have read permissions.)
6) ISSUE: Error: ADMIN0120: The client is not authorized to access the endpoint net.tcp://localhost:1500/policy. The client process must be run with service administrative privileges.
   a. Back up your ADFSConfiguration database.
   b. View the previous config data by running:
      SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings
   c. To modify the config for the new Service Account:
      USE AdfsConfigurationV4;
      UPDATE IdentityServerPolicy.ServiceSettings
      SET ServiceSettingsData = REPLACE((SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings), '[OLD OBJECT SID]', '[NEW OBJECT SID]')
One additional thing to note regarding the query. If you run:
SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings
you will get the XML configuration data. You can copy and paste this from SQL Management Studio into an XML text editor to view the configuration.
You can then search for the SID of your previous ADFS account and you will find the rules that the UPDATE query edits. These are the authorization rules that allow your ADFS service account to access the endpoints; they look like this:
<PolicyStore>
<AuthorizationPolicy>
@RuleName = "Permit Service Account"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Permit Local Administrators"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
</AuthorizationPolicy>
<AuthorizationPolicyReadOnly>
@RuleName = "Permit Service Account"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
@RuleName = "Permit Local Administrators"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
</AuthorizationPolicyReadOnly>
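As an added example (not from the original post or the adfsToolbox), here is a small Python script that previews which claim rules in ServiceSettingsData reference a given SID and then applies the same substitution as the REPLACE query above, with two sanity checks the blind UPDATE does not give you: both values must look like domain account SIDs, and the old SID must actually be present. The policy text and SIDs in it are constructed placeholders shaped like the page's excerpt.

```python
import re

# Constructed sample of the ServiceSettingsData claim rules (same shape as the
# page's excerpt); the SIDs are placeholders, not real accounts.
OLD_SID = "S-1-5-21-328311718-1234567890-1234567890-2107"
NEW_SID = "S-1-5-21-328311718-1234567890-1234567890-3344"
PERMIT = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
RULES = f'''@RuleName = "Permit Service Account"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "{OLD_SID}"])
{PERMIT}
@RuleName = "Permit Local Administrators"
exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])
{PERMIT}'''
SAMPLE_POLICY = f"""<PolicyStore>
<AuthorizationPolicy>
{RULES}
</AuthorizationPolicy>
<AuthorizationPolicyReadOnly>
{RULES}
</AuthorizationPolicyReadOnly>
</PolicyStore>"""

# Shape of a domain account (user, computer or gMSA) SID: S-1-5-21-<3 subauths>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def rules_referencing_sid(policy: str, sid: str) -> list:
    """List (section, rule name) for every claim rule whose condition names `sid`,
    so you know exactly which rules the REPLACE will touch before running it."""
    hits, section, rule = [], None, None
    for line in policy.splitlines():
        tag = re.match(r"<(\w+)>", line)          # an opening tag starts a section
        if tag:
            section = tag.group(1)
        elif line.startswith("@RuleName"):
            rule = line.split("=", 1)[1].strip().strip('"')
        elif f'Value == "{sid}"' in line:
            hits.append((section, rule))
    return hits


def swap_service_account_sid(policy: str, old_sid: str, new_sid: str) -> str:
    """Same effect as the page's REPLACE query, but refuses malformed SIDs and
    refuses to run when the old SID is absent (a typo would otherwise be a silent no-op)."""
    for sid in (old_sid, new_sid):
        if not DOMAIN_SID_RE.match(sid):
            raise ValueError(f"not a domain account SID: {sid}")
    if old_sid not in policy:
        raise ValueError("old SID not present in ServiceSettingsData; nothing to replace")
    return policy.replace(old_sid, new_sid)
```

Run `rules_referencing_sid` against the exported XML first; if it lists anything other than the two "Permit Service Account" rules, the REPLACE would also rewrite those and you should review them before updating the database.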