ADFS: Configure your password change

Users are always allowed or forced to change their passwords, and sometimes this actions increment the amount of work to IT. However, in ADFS 3.0 include a feature that enable a self-service portal password change available for your end-users.

So this post tries to follow the steps to configure it:

• First, enable the Password Change Portal:Open your AD FS Management tool on the primary server, navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy.
• Test change password portal: browse to https://sts.domain.com/adfs/portal/updatepassword you will similar to the adfs login page where you can update your password
• Enable password expiry notification: You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. To do this it is necessary to configure a Claim Rule:

c1:[Type == “http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”%5D => issue(store = “_PasswordExpiryStore”, types = (“http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”, “http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays”, “http://schemas.microsoft.com/ws/2012/01/passwordchangeurl”), query = “{0};”, param = c1.Value);

• Finally: you can tweak your ADFS login page to show a link to the change password portal

That’s all!

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization

 

Advertisement

Enable ADFS automatic certificate rollover

Hi!

After the summer holidays, I realised that the token decripting and token signing certificates from the ADFS, were about to expire. I tried to execute the following command to update immediately the certificates:

Update-ADFSCertificate -Urgent

but I received the following message error:

To enable the ADFS automatic certificate rollover, use the below Powershell script command, this will help if you want to add a token signing certificate when the automatic certificate rollover is enabled.

Set-ADFSProperties -Autocertificaterollover $true

After doing that, I was able to update the ADFS certificates from the certificate store.

Hope it helps!

Backup rules in ADFS

If you need to back up the rules of claim provider trusts and relying-party trusts in ADFS to store version control or to migrate rules to a new federation server, this is your post.

And here is the code I used:

# Guidance for this was found here: http://social.technet.microsoft.com/wiki/contents/articles/4869.ad-fs-2-0-how-to-migrate-claim-rules-between-trusts.aspx
#
#  If you want the files saved somewhere other than C:Temp, you need to change the "$RulePath" lines below.

Import-Module ADFS

# Export the Acceptance Transform Rules for each Claim Provider Trust (except the AD one)
$claimTrusts = Get-AdfsClaimsProviderTrust | ?{$_.Name -ne "Active Directory"}
foreach ($CT in $claimTrusts) {
    $RulePath = "C:Temp" + $CT.Name.Replace(" ","") + "-AcceptanceRules.txt"
    (Get-AdfsClaimsProviderTrust -Name $CT.Name).AcceptanceTransformRules | Out-File $RulePath
    $RulePath = $null
    }

# Export all three types of rules for each Relying-Party Trust
$RPTrusts = Get-AdfsRelyingPartyTrust
foreach ($RP in $RPTrusts) {
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceTransformRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceTransformRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceAuthorizationRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-DelegationAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).DelegationAuthorizationRules | Out-File $RulePath
    }

Hope it helps!

Windows Internal Database not starting

Hi!,

Today I received a weird problem from my ADFS test environment, when I tried to navigate to the main SharePoint page it throws an error from the ADFS, so I decided to check the ADFS server to see what was the problem. To my surprise the ADFS service was stopped and when I tried to start the service it won’t fire up, things starting weird…

So after checking some things, I remember that this installation was made with the Windows Internal Database, so I decided to check the service, but it was also stopped, and when I tried to start it again it throws the following error message:

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICEMSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

I don’t know if anyone of my company changed the policies or included the server in the policies overwritting all the policies previously configured by myself, but I had to solve this issue, otherwise I cannot continue with my tasks in the project.

To solve this thing, it was needed to change the Group Policy Management in the local computer, so enter to the local policy and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments.  Edit Log on as a service and add the following groups:

IIS_WPG
NETWORK
NETWORK SERVICE
SERVICE

After this groups were added, run gpupdate/force on the server and then try to start the WID, in my case it was succesful so I was able to start again the adfs service and continue with my tests.

Hope it helps!

 

ADFS 3.0: Chrome users repeteadly prompted for credentials

This error is related with the error in ADFS 2.0 in the post: https://sharepointrescue.wordpress.com/2015/11/05/adfs-2-0-chrome-users-repeteadly-prompted-for-credentials/

But in this case we are working with ADFS 3.0 so we don’t use IIS anymore, but there are other default settings working against Our Chrome users, so lets have a look at what we need to change.

Chrome only uses NTLM Authentication, so first we need to allow this by setting the ExtendedProtectionTokenCheck to None.

Set-ADFSProperties –ExtendedProtectionTokenCheck None

Then we need to alter the current list of supported user-agents for NTLM, which basicly means we need to allow Chrome within the list of browser we want to support. Get the list over allready supported browsers:

Get-ADFSProperties | Select  -ExpandProperty WIASupportedUserAgents

It will show a list of supported browser which by default is:

Then we add all these and Chrome, or to be Clear, we add what ADFS think Chrome is:

Set-ADFSProperties -WIASupportedUserAgents @(“MSIE 6.0″, “MSIE 7.0″, “MSIE 8.0″, “MSIE 9.0″, “MSIE 10.0″, “Trident/7.0″, “MSIPC”, “Windows Rights Management Client”, “Mozilla/5.0“)

Which is Mozilla v5.0, then restart the Active Directory Federation Service to use the changes.

Customizing the ADFS forms based login page

By default the login page for the ADFS is very ugly, so this post will talk about how to customize it. This post will be divided into ADFS 2.0 and ADFS 3.0

Customize login page for ADFS 2.0

First of all, we have to do this modifications in the ADFS Proxy Server, so let’s begin:

Adding a Logo
Logo image file should be 600×100
Save image file to c:inetpubadfslslogo.jpg (or logo.png)
Open c:inetpubadfslsweb.config in notepad
Locate text
<!–
<add key=”logo” value=”logo.jpg” />
–>
Remove the “<!–” and “–>” to uncomment the section. Change filename to match the logo you saved.
Save file and close

Change the “Example” Instructions

• Go to C:inetpubadfslsApp_GlobalResources
• Edit file CommonResources.en.resx in Notepad (replace the “en” with your localization code if not English)
• Locate text:
  <data name=”UsernameExample” xml:space=”preserve”>
  <value>Example: DomainUsername</value>
  </data>
• Edit this text to be what you want
• Save File and close

Change the Instruction Text

• Edit CommonResources.en.resx in Notepad as per item above
• Locate text:

  <data name=”FormsSignInHeader” xml:space=”preserve”>

  <value>Type your user name and password.</value>

  </data>

• Edit this text to be what you want
• Save file and close

Change the Page Title

• Go to C:inetpubadfslsApp_GlobalResources
• Edit file CommonResources.en.resx in Notepad
• Locate text:
  <data name=”FormsSignInPageTitle” xml:space=”preserve”>
  <value>Sign In</value>
  </data>
• Edit this text to be what you want
• Save File and close
  

Remove or Change the Hostname Header Above the Login Box

• Go to C:inetpubadfslsMasterPages
• Edit MasterPage.master.cs in Notepad
• Locate text:
  {
  PageTitleLabel.Text = Page.Title;
  STSLabel.Text = FriendlyName;
  }
• Change this text to what you want. Your text MUST BE IN QUOTES. Like this
  STSLabel.Text = “Contoso Limited Single Sign On”;
• Save File and close

More information: Here

Customize login page for ADFS 3.0

To make this changes is pretty easy, and we will done them by Powershell!!

So, we need to enter into ADFS and open a Powershell CMD as Administrator, and type the following:

 
Import-Module ADFS
#This simply adds the ADFS commands to PowerShell. It’s necessary so the rest can run.</
SetAdfsGlobalWebContent CompanyName "Your company name
#This sets the name that is listed above the logon form
Set-AdfsWebTheme -TargetName default -Logo @{path=”c:Contosologo.png”}
#To set a logo
Set-AdfsWebTheme -TargetName default -Illustration @{path="c:background.png"}
#This sets the “illustration” – the image to the right of the sign-in form. Just change the path from “c:background.png” to the path to your image. Microsoft recommends the dimensions for the illustration to be 1420×1080 pixels @ 96 DPI with a file size of no greater than 200 KB
Set-AdfsGlobalWebContent -SignInPageDescriptionText "<P><B>Sign-in requires format yourdomainusername.</B></P>" 
#This inserts the text right below the sign-in screen – it uses basic HTML for formatting. Simply type whatever text you want between the quotation marks.

And that’s it! Just a few simple changes and you have your custom ADFS 3.0 logon page! If you want other ways to change this, visit https://technet.microsoft.com/en-us/library/dn280950.aspx

Cheers!