How to change your ADFS Service Account

We had set up our original ADFS farm with a standard user account as the service account. However, we wanted to change it to a Group Managed Service Account (gMSA) instead.

Unfortunately, there weren't any complete instructions on changing the ADFS account.

Export-AdfsAuthenticationProviderConfigurationData

Import-AdfsAuthenticationProviderConfigurationData


I did manage to find the following great related articles:

http://tunnik.name/changing-adfs-service-account/

https://github.com/Microsoft/adfsToolbox/tree/master/serviceAccountModule

https://social.technet.microsoft.com/Forums/windowsserver/en-US/8f558762-f92c-4803-916c-cc36ecc7c988/adfs-2016-change-service-account-to-gmsa?forum=ADFS


After reading the article from the tunnik.name site, I decided to give the change a shot in my dev environment. Here are the notes I came up with:

The error messages shown in the notes are from the [Event Viewer -> Application and Service Logs -> ADFS -> Admin] event log.

ADFS Service Account Change NOTES:

1) To change the service account used by ADFS, use a command prompt (NOT PowerShell):

   a. sc config adfssrv obj= [gmsaaccount]

2) Ensure the user is added to the local security policy -> Allow Logon as a Service.

Before changing the service account, ensure the following:

3) Ensure the new service account has access to the database. It needs to be in the db_genevaservice role on both ADFS databases and an owner of the IdentityServerPolicy schema.


4) ISSUE: Error: Specified Directory Service attribute does not exist.

   a. In AD Users and Computers with Advanced Settings enabled: ensure that the new account has permissions to read, write, and create all child objects on Program Data -> Microsoft -> ADFS -> [GUID].

   b. Using advanced settings, ensure this applies to all child objects.

   c. You may need to do this for each GUID entry under Program Data -> Microsoft -> ADFS, as the GUID permissions are not inherited from the parent.

5) ISSUE: There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data

Exception details:

System.ArgumentNullException: Value cannot be null.

Parameter name: certificate

   at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)

   at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml, Boolean forPassive)

   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()

   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()

   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()

   at Microsoft.IdentityServer.ServiceHost.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)

   at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

Ensure that the new ADFS account has permissions to all certificates. You can do this via the Certificates MMC snap-in.

Change the service account back to the original (if you have already changed it) and then view the certificates in ADFS. Ensure that each certificate is in the Trusted Root Authority container and that the new service account has permissions to it. (From the Certificates MMC snap-in: right-click the certificate -> All Tasks -> Manage Private Keys. If it is placed in the Enterprise Trusted Root container and you don't see Manage Private Keys, you may already have read permissions.)

6)      ISSUE: Error: ADMIN0120: The client is not authorized to access the endpoint net.tcp://localhost:1500/policy. The client process must be run with service administrative privileges.

a. Back up your ADFSConfiguration database.

b. View the previous config data with:

USE AdfsConfigurationV4;
SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings;

c. To modify the config for the new service account (the REPLACE operates on the column itself, so the statement does not depend on the table holding exactly one row):

USE AdfsConfigurationV4;

UPDATE IdentityServerPolicy.ServiceSettings
SET ServiceSettingsData = REPLACE(ServiceSettingsData, '[OLD OBJECT SID]', '[NEW OBJECT SID]');


One additional thing to note regarding the query:

If you run:

SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings


you will get the XML configuration data. You can copy and paste it from SQL Server Management Studio into an XML editor to view the configuration.


You can then search for the SID of your previous ADFS account and you will find the rules that the UPDATE query edits. These are the authorization rules that allow your ADFS service account to access the endpoints.


 <PolicyStore>

    <AuthorizationPolicy>

      @RuleName = "Permit Service Account"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


      @RuleName = "Permit Local Administrators"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


    </AuthorizationPolicy>

    <AuthorizationPolicyReadOnly>

      @RuleName = "Permit Service Account"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "S-1-5-21-328311718-1234567890-1234567890-2107"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


      @RuleName = "Permit Local Administrators"

      exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544"])

      =&gt; issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");


    </AuthorizationPolicyReadOnly>
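As an added example (not from the original post, the tunnik.name article or the adfsToolbox module), the following PowerShell script ties steps 6a to 6c and step 1 together: it resolves both account SIDs, backs up the current ServiceSettingsData XML, refuses to continue if the old SID is not present, rewrites the SID with a parameterised REPLACE, and then repoints the service. The account names are placeholders, and the connection string assumes the WID named pipe with the AdfsConfigurationV4 database; substitute your SQL Server instance if you use one.

```powershell
# Added example, not from the original post: resolve SIDs, back up ServiceSettingsData,
# swap the old service-account SID for the gMSA SID, then repoint adfssrv (step 1 of the notes).
# Assumes WID on the primary ADFS node and an ADFS admin running it; placeholders below.
param(
    [string]$OldAccount = 'CONTOSO\svc_adfs',    # placeholder: current service account
    [string]$NewAccount = 'CONTOSO\gmsa_adfs$',  # placeholder: new gMSA, trailing $ required
    [string]$ConnectionString = 'Data Source=np:\\.\pipe\MICROSOFT##WID\tsql\query;' +
                                'Initial Catalog=AdfsConfigurationV4;Integrated Security=True'
)

function Get-AccountSid([string]$Account) {
    # Translate DOMAIN\name to its SID string; throws if the account cannot be resolved.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$oldSid = Get-AccountSid $OldAccount
$newSid = Get-AccountSid $NewAccount

$conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
$conn.Open()
try {
    # Same SELECT as in the notes; keep a timestamped copy before touching anything.
    $read = $conn.CreateCommand()
    $read.CommandText = 'SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings'
    $rows = @(); $reader = $read.ExecuteReader()
    while ($reader.Read()) { $rows += $reader.GetString(0) }
    $reader.Close()
    if ($rows.Count -ne 1) { throw "Expected one ServiceSettings row, found $($rows.Count)" }
    $xml  = $rows[0]
    $hits = [regex]::Matches($xml, [regex]::Escape($oldSid)).Count
    if ($hits -eq 0) { throw "Old SID $oldSid not found in ServiceSettingsData; nothing to do" }
    $backup = Join-Path $env:TEMP ('ServiceSettingsData-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
    Set-Content -Path $backup -Value $xml -Encoding UTF8
    Write-Host "Backup written to $backup; replacing $hits occurrence(s) of $oldSid with $newSid"

    # Parameterised REPLACE on the column itself, so the SIDs never enter the SQL text.
    $update = $conn.CreateCommand()
    $update.CommandText = 'UPDATE IdentityServerPolicy.ServiceSettings ' +
                          'SET ServiceSettingsData = REPLACE(ServiceSettingsData, @old, @new)'
    [void]$update.Parameters.AddWithValue('@old', $oldSid)
    [void]$update.Parameters.AddWithValue('@new', $newSid)
    Write-Host "Rows updated: $($update.ExecuteNonQuery())"
} finally {
    $conn.Close()
}
# Step 1 of the notes: point the service at the gMSA (no password= for a gMSA) and restart.
& sc.exe config adfssrv obj= $NewAccount
Restart-Service adfssrv
```

Run it only after steps 2 to 5 (logon-as-service right, database roles, AD container permissions and certificate private-key permissions) are in place, or the service will fail to start for the reasons listed in the notes.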