Active directory federation server, Active directory

pramod1
I have to configure the ADFS server for Chrome.

Can you share any good article?

I think WIA agents need to be configured.

Author

Commented:
Thanks, let me look at the article. So basically we are allowing ADFS to allow an application that uses the Chrome browser for its authentication?

If you can explain a little bit, I would really appreciate it.

Thanks
yo_bee, Director of Information Technology

Commented:
What are you trying to authenticate in Chrome?
yo_bee, Director of Information Technology

Commented:
There is a link a bit down from the link listed above that outlines a lab setup. This will be the same for production. Note that if you are just using it internally you do not need to set up a WAP (Web Application Proxy). You will just need to set up the proper DNS name you are using.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/set-up-an-ad-fs-lab-environment

Author

Commented:
For making a change in the registry, do we need downtime for the server to reboot? If so, I need to propose a change.

Will we need the server to reboot?
Jeff Glover, Sr. Systems Administrator

Commented:
On the ADFS server, open PowerShell and run

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

(You may have to run Import-Module adfs first.)

This should enable WIA for both Chrome and Edge browsers. You probably should reboot the ADFS server afterwards, or at least restart the service.

It worked for us.

Author

Commented:
Technically, what is the function of WIA doing here? My last question.

But I don't see Chrome in the command.
Jeff Glover, Sr. Systems Administrator

Commented:
Mozilla 5.0 is Chrome. WIA is Windows Integrated Authentication. It is what makes ADFS do SSO inside your network. As long as your ADFS server URL is in the Intranet zone, Windows (and by extension Chrome) will automatically supply your current username and password. This can be configured in IE. Unfortunately, like many things Microsoft, ADFS does not support the Chrome or Edge browser for WIA out of the box. You have to add them to the allowed agents string.
If you have older Chrome on the network, you may also have to allow NTLM for Chrome: Set-AdfsProperties -ExtendedProtectionTokenCheck None

Author

Commented:
Chrome is Google-owned; you mean the UA is Mozilla for Chrome?
Jeff Glover, Sr. Systems Administrator

Commented:
Yes. The Chrome browser was built on the Mozilla framework; the UserAgent is still called Mozilla.

Author

Commented:
Can you please answer?
Jeff Glover, Sr. Systems Administrator

Commented:
Thought I did.

Author

Commented:
Thanks

Author

Commented:
Don't have to do anything on workstations?
Jeff Glover, Sr. Systems Administrator

Commented:
No. But if your ADFS server URL is not in the Intranet zone for IE, then WIA will not work. We normally do this via GPO.

Author

Commented:
So how will I know that it is not? We use ADFS to authenticate users against 365, as we have on-premise AD.

We have single sign-on enabled.

Author

Commented:
We need to configure ADFS so that employees can use Chrome to SSO into Workday.

Author

Commented:
So this will work, am I right?
Jeff Glover, Sr. Systems Administrator

Commented:
Well, what I gave you was how to get IWA working for Chrome. As long as your ADFS Relying Party Trust and the SSO settings for Workday are set up correctly, it should. Can you access it via Internet Explorer?

The way to see if your ADFS server is in the Intranet zone is to go to a client, open IE, go to Internet Options, Security. Highlight Local Intranet and click on Sites. Then click Advanced. You should see a list of sites there. Your ADFS server should be one of them.

Author

Commented:
Thanks. I will get back to you tomorrow.
Sincerely appreciate all the help.

Author

Commented:
I very much appreciate you constantly following up with my questions.

I need to create a change to do this.
I have to give a backup plan.

If something goes wrong.

Should I create a snapshot of the server first?
Will be doing it tomorrow.

Author

Commented:
What does the sentence mean?

Chrome to SSO into Workday?
Jeff Glover, Sr. Systems Administrator

Commented:
So, to address your next to last questions (I think they are questions), sure, make a snapshot if it is a VM. If something goes wrong, you can just restore the VM. It is easier than trying to tell you how to back out the changes in PowerShell.

For the last question, you're the one who asked about Chrome SSO into Workday. Since the only Workday I know of is a cloud-based CRM solution, I assume you have a subscription and have set up SAML authentication in Workday itself (I have never worked with it so I cannot help there). If you are asking about Chrome SSOing into the application, I would assume you are talking about accessing the application with a Chrome browser: it redirects you to ADFS for SAML authentication and you are seamlessly authenticated with your currently logged-in username and password. Since you only asked about Chrome, I also assume you already have this working with Internet Explorer.

Author

Commented:
Need to keep the thread open till Saturday.

Author

Commented:
I need to do it on Saturday morning.

Will you be available?

Author

Commented:
I have 2 ADFS servers. I need to do it on both, I suppose. I can WebEx if you are available.
Jeff Glover, Sr. Systems Administrator

Commented:
Sorry, but no, I am not available on the weekends. Having 2 ADFS servers is called a farm, and no, you only have to do the config on the primary server. Set-AdfsProperties changes the settings for the farm. It does not matter how many servers you have in that farm; you just need to do it on the primary one.

Author

Commented:
So, step by step:

1) Import-Module adfs (by opening Windows PowerShell, not Azure Windows PowerShell)

2) Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

3) Reboot

How will I know I am on the primary server? They are named AD1 and AD2, so I presume AD1 must be the primary.
Any step I am missing?
Jeff Glover, Sr. Systems Administrator

Commented:
Yes. Seems correct. And you run Get-AdfsSyncProperties from PowerShell. It will tell you if you are on the primary. I imagine AD1 would be it.

Author

Commented:
Yes, I ran the above command; it is the primary.

Author

Commented:
But the guy here is saying the other one is in the data center.

And why can't I run the command on the secondary one? He is asking the reason; I request that you let me know, as you won't be available tomorrow.
Jeff Glover, Sr. Systems Administrator

Commented:
Not sure I understand the question. You seem to have access to the primary server. Who cares where the secondary is. As long as it is one farm, it will just get the settings from the primary. If you are one of those setups that has a separate ADFS server for each application, then sorry, you would probably have to RDP to the other server.

Maybe it would help if you described your ADFS setup. How many servers? How many farms (a farm will use the same URL to access all servers in the farm, like sts.company.com)? What version of ADFS are you running?

Author

Commented:
NP, so I will be using the Active Directory Module for Windows PowerShell and not PowerShell x86 or ISE?

Author

Commented:
I am trying to run get-adfsfarminfirmation, not getting any answer.
Jeff Glover, Sr. Systems Administrator

Commented:
What version of ADFS are you running? And you misspelled the command. It is get-adfsfarminformation.

Author

Commented:
It says ADFS Management version 6.3.0.0.

Author

Commented:
On Windows Server 2012.

Author

Commented:
I asked where to run the command.

Author

Commented:
I ran the command in the AD Module for Windows PowerShell.

It says the term get-adfsfarminformation is not recognized.

Author

Commented:
I logged into the second ADFS server; it says to connect to the primary server to edit ADFS configuration settings.

I don't see any relying party trust or any of the same configuration as on the primary server.

I can see the farm name also under the ADFS overview.
So what is this server doing?
Jeff Glover, Sr. Systems Administrator

Commented:
OK, you are running ADFS 3.0 then (Server 2012). You really do not do any configuration on the secondary server. It is basically read-only. If you open the ADFS management console, it will tell you to connect to the primary server. For PowerShell, you don't need the AD module; you simply run PowerShell and then run Import-Module adfs to load the PowerShell commands. If you were using Server 2016, you would not need to load the module. All configuration commands are run on the primary server since they will affect the configuration of the farm.

Since I do not know your setup other than you seem to have 2 ADFS servers running 2012 (not sure if it is R2 or not), I can only give suggestions. If you open the ADFS management console on the primary server, you should be able to see any Relying Party Trusts in the tree.

A second server in a farm is there just for fault tolerance. It should be behind a load balancer, although you could use WNLB for it (not my favorite, but it works). You also should have a proxy server or two in your DMZ to handle external requests.

Author

Commented:
You are 100% correct, and my utmost thanks to you for patiently answering my questions.

Will it be Windows PowerShell x86?
Sr. Systems Administrator

Commented:
Your 2012 server should be 64-bit, but if it is 32-bit, then probably. We just use Windows PowerShell and import the module. Going by your past responses, if you see a Windows Azure AD Module for PowerShell, it is a normal PowerShell environment that runs a script automatically to load the Azure AD module for you. Same with the Active Directory Module for PowerShell: it loads the Active Directory module automatically. Nothing is stopping you from loading other modules in those if you want. ISE is the Integrated Scripting Environment. It would work if you had to, but it has a lot of extras you don't need here.

Author

Commented:
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

Author

Commented:
Will this work?
Jeff Glover, Sr. Systems Administrator

Commented:
Does pretty much the same thing the first command I sent you does. The first one simply overwrites what is there with a new string, adding the extra agents; this one appends to the existing agents. Never tried it, but it should work.
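Combining Jeff's two approaches (overwrite the list, or append to it) with his primary-server check, here is an added example that is not from the thread: it refuses to run on a secondary, appends only the user agents that are missing, and keeps a copy of the old value as the backup plan pramod1 asked about. It assumes Windows PowerShell on the ADFS primary of an ADFS 3.0 or later farm; the $wanted list and the backup path are my choices.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell on the ADFS primary
# (ADFS 3.0 on Server 2012 R2 needs Import-Module; Server 2016+ auto-loads the module).
Import-Module ADFS

# Set-AdfsProperties only works on the primary of a farm; a secondary is read-only.
# Get-AdfsFarmInformation exists only on ADFS 2016+, which is why it is "not recognized" on 2012.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This server is a $($sync.Role); run this on the primary ADFS server instead."
}

# User-agent fragments that turn on WIA for Chrome and Edge (taken from Jeff's command above).
# ADFS matches these as substrings; a leading =~ makes the entry a regular expression.
$wanted  = @('Mozilla/5.0', 'Edge/12', '=~Windows\s*NT.*Edge')
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host 'All requested user agents are already present; nothing to change.'
    return
}

# Save the current list so the change can be backed out without restoring a VM snapshot.
$backup = Join-Path $env:TEMP ('WIASupportedUserAgents-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$current | Set-Content -Path $backup
Write-Host "Previous value saved to $backup"

# Append rather than overwrite, so entries already configured on this farm are kept.
Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)

# The service picks up the new value on restart; a full reboot is not required.
Restart-Service adfssrv

# Show the result for the change record.
(Get-AdfsProperties).WIASupportedUserAgents
```

To roll back, run Set-AdfsProperties -WIASupportedUserAgents (Get-Content $backup) and restart adfssrv again. Because "Mozilla/5.0" matches nearly every modern browser, intranet users on non-domain-joined machines will get a Negotiate/NTLM credential prompt instead of the forms sign-in page, and -ExtendedProtectionTokenCheck None (from Jeff's note on older Chrome) removes channel-binding protection, so leave it at its default if current Chrome builds work without it.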

Author

Commented:
Excellent answer; proud to have Jeff on Experts Exchange.

Jeff's script worked.
