Friday, October 04, 2013

ADFS : Some musings on Server 2012 R2

Having been through the exercise of installing the latest invocation of both ADFS and the Web Application Proxy:

Don't use CNG certificates. And guess what?

The command

New-SelfSignedCertificate 

which is available on Windows 8 and Windows Server 2012 produces (you guessed it) CNG certificates.

So you need to indulge in some time travel to create older version of self-signed certificates.

And the certificate needs SAN's as per the lab.

Massive change in that neither ADFS nor the proxy is based on IIS. Rather I gather it's built on HTTP.SYS.

So how do you now find the SSL binding?

Use:

netsh http show sslcert 

So how do you customise the screens? Even something as simple as branding?

It now uses GMSA instead of service accounts which take time to replicate.

You need to plan to do this:

Add-KdsRootKey 

the day before. There is a hack as per the lab for test environments:

Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)

The WAP is behind the "Remote Access Management" tile.

And once you have published a web application you can't edit it. Seriously?

Also, you need to import the certificate that matches the application URL for it to appear in the drop down box.

Documentation (to be polite) is somewhat lacking. C'mon people!

Enjoy!



No comments: