Active directory federation server, Active directory

I have to configure an ADFS server for Chrome.

Can you share any good article?

I think WIA agents need to be configured.
pramod1 Asked:
Jess Dodson (Windows System Administrator) Commented:

pramod1 (Author) Commented:
Thanks, let me look at the article. So basically we are allowing ADFS to allow an application that uses the Chrome browser for its authentication.

If you can explain a little bit, I would really appreciate it.

Thanks

yo_bee (Director of Information Technology) Commented:
What are you trying to authenticate in Chrome?

yo_bee (Director of Information Technology) Commented:
There is a link a bit down from the link listed above that outlines a lab setup. This will be the same for production. Note that if you are just using it internally you do not need to set up a WAP (Web Application Proxy). You will just need to set up the proper DNS name you are using.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/set-up-an-ad-fs-lab-environment

pramod1 (Author) Commented:
For making the change in the registry, do we need downtime for the server to reboot? I then need to propose a change.

Will we need the server to reboot?

Jeff Glover (Sr. Systems Administrator) Commented:
On the ADFS server, open PowerShell and run

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

(You may have to run Import-Module ADFS first.)

This should enable WIA for both the Chrome and Edge browsers. You should probably reboot the ADFS server afterwards, or at least restart the service.

It worked for us.

pramod1 (Author) Commented:
Technically, what is the function of WIA here? That is my last question.

But I don't see Chrome in the command.

Jeff Glover (Sr. Systems Administrator) Commented:
Mozilla 5.0 is Chrome. WIA is Windows Integrated Authentication. It is what makes ADFS do SSO inside your network. As long as your ADFS server URL is in the Intranet zone, Windows (and by extension Chrome) will automatically supply your current username and password. This can be configured in IE. Unfortunately, like many things Microsoft, ADFS does not support the Chrome or Edge browser for WIA out of the box. You have to add them to the allowed agents string.
If you have older Chrome on the network, you may also have to allow NTLM for Chrome: Set-ADFSProperties -ExtendedProtectionTokenCheck None

pramod1 (Author) Commented:
Chrome is Google-owned; you mean the UA is Mozilla for Chrome?

Jeff Glover (Sr. Systems Administrator) Commented:
Yes. The Chrome browser was built on the Mozilla framework. The user agent is still called Mozilla.

pramod1 (Author) Commented:
Can you please answer?

Jeff Glover (Sr. Systems Administrator) Commented:
Thought I did.

pramod1 (Author) Commented:
Thanks

pramod1 (Author) Commented:
Don't have to do anything on the workstations?

Jeff Glover (Sr. Systems Administrator) Commented:
No. But if your ADFS server URL is not in the Intranet zone for IE, then WIA will not work. We normally do this via GPO.

pramod1 (Author) Commented:
So how will I know that it is not? We use ADFS to authenticate users against 365, as we have on-premise AD.

We have single sign-on enabled.

pramod1 (Author) Commented:
We need to configure ADFS so that employees can use Chrome to SSO into Workday.

pramod1 (Author) Commented:
So this will work, am I right?

Jeff Glover (Sr. Systems Administrator) Commented:
Well, what I gave you was how to get IWA working for Chrome. As long as your ADFS Relying Party trust and the SSO settings for Workday are set up correctly, it should. Can you access it via Internet Explorer?
The way to see if your ADFS server is in the Intranet zone is to go to a client, open IE, and go to Internet Options, Security. Highlight Local intranet and click on Sites. Then click Advanced. You should see a list of sites there. Your ADFS server should be one of them.
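The zone check above is done by clicking through the IE dialog on one client. The script below is an added example, not something posted in the thread, that performs the same check from PowerShell on a Windows client, so it can be run across a fleet before the ADFS change is rolled out. It reads the two places the zone assignment can live: the per-user/per-machine ZoneMap keys the IE Sites dialog writes, and the Policies ZoneMapKey key populated by the "Site to Zone Assignment List" GPO that Jeff mentions. The farm name sts.example.com is a placeholder; replace it with your own. On Windows, Chrome consults these same Internet Settings zones when deciding whether to attempt WIA, unless the Chrome AuthServerAllowlist policy overrides them.

```powershell
# Added example (not from the thread): report whether an ADFS host is assigned to the
# Local intranet zone (zone 1) on this Windows client. Zone 1 is what IE and, on Windows,
# Chrome use to decide whether to hand over the logged-on user's Kerberos/NTLM credentials.
param(
    [string]$AdfsHost = "sts.example.com"   # assumed placeholder; use your farm name
)

$labels = $AdfsHost.Split('.')
if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$AdfsHost'." }
$hostLabel = $labels[0]                                # e.g. sts
$domain    = ($labels | Select-Object -Skip 1) -join '.' # e.g. example.com

$findings = @()

# 1. Entries written by the IE "Sites" dialog (or scripted the same way):
#    ...\Internet Settings\ZoneMap\<Domains|EscDomains>\<domain>\<host>, value named after
#    the scheme (https, http or *) holding the zone number.
foreach ($root in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Domains', 'EscDomains') {
        $key = "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$sub\$domain\$hostLabel"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($scheme in 'https', 'http', '*') {
            $zone = $props.$scheme
            if ($null -ne $zone) {
                $findings += [pscustomobject]@{ Source = "$root ZoneMap\$sub"; Pattern = "$scheme://$AdfsHost"; Zone = [int]$zone }
            }
        }
    }
}

# 2. Entries pushed by Group Policy ("Site to Zone Assignment List"):
#    ...\Policies\...\Internet Settings\ZoneMapKey, value name = URL or host pattern
#    (e.g. https://sts.example.com or *.example.com), data = zone number as a string.
foreach ($root in 'HKLM:', 'HKCU:') {
    $key = "$root\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $pattern = $name -replace '^[a-z]+://', ''   # drop the scheme, keep host/wildcard part
        if ($AdfsHost -like $pattern) {
            $findings += [pscustomobject]@{ Source = "$root GPO ZoneMapKey"; Pattern = $name; Zone = [int]$item.GetValue($name) }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Warning "$AdfsHost is not explicitly assigned to any zone on this client; unless another rule classifies it as intranet, browsers will treat it as Internet and not attempt WIA."
} elseif ($findings.Zone -contains 1) {
    Write-Host "$AdfsHost is assigned to the Local intranet zone (1) on this client:"
    $findings | Format-Table -AutoSize
} else {
    Write-Warning "$AdfsHost is assigned to a zone other than Local intranet on this client:"
    $findings | Format-Table -AutoSize
}
```

Run it in the user's own session, not an elevated one started as a different account, because the HKCU branch belongs to whoever is logged on; a GPO-delivered assignment shows up under HKLM regardless.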

pramod1 (Author) Commented:
Thanks. I will get back to you tomorrow.
I sincerely appreciate all the help.

pramod1 (Author) Commented:
I very much appreciate you constantly following up with my questions.

I need to create a change to do this.
I have to give a backup plan

if something goes wrong.

Should I create a snapshot of the server first?
Will be doing it tomorrow.

pramod1 (Author) Commented:
What does the sentence mean?

"Chrome to SSO into Workday"?

Jeff Glover (Sr. Systems Administrator) Commented:
So, to address your next-to-last questions (I think they are questions), sure, make a snapshot if it is a VM. If something goes wrong, you can just restore the VM. It is easier than trying to tell you how to back out the changes in PowerShell.

For the last question, you're the one who asked about Chrome SSO into Workday. Since the only Workday I know of is a cloud-based CRM solution, I assume you have a subscription and have set up SAML authentication in Workday itself (I have never worked with it so I cannot help there). If you are asking about Chrome SSOing into the application, I would assume you are talking about accessing the application with a Chrome browser: it redirects you to ADFS for SAML authentication and you are seamlessly authenticated with your currently logged-in username and password. Since you only asked about Chrome, I also assume you already have this working with Internet Explorer.

pramod1 (Author) Commented:
Need to keep the thread open till Saturday.

pramod1 (Author) Commented:
I need to do it on Saturday morning.

Will you be available?

pramod1 (Author) Commented:
I have 2 ADFS servers; I need to do it on both, I suppose. I can WebEx if you are available.

Jeff Glover (Sr. Systems Administrator) Commented:
Sorry, but no, I am not available on the weekends. Having 2 ADFS servers is called a farm and no, you only have to do the config on the primary server. Set-ADFSProperties is changing the settings for the farm. It does not matter how many servers you have in that farm. You just need to do it on the primary one.

pramod1 (Author) Commented:
So, step by step:

1) Import-Module ADFS (by opening Windows PowerShell, and not Azure Windows PowerShell)

2) Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","MS_WorkFoldersClient","=~Windows\s*NT.*Edge","Mozilla/5.0","Edge/12")

3) Reboot

How will I know I am on the primary server? They are named AD1 and AD2, so I presume AD1 must be primary.
Any step I am missing?

Jeff Glover (Sr. Systems Administrator) Commented:
Yes. Seems correct. And you run Get-AdfsSyncProperties from PowerShell. It will tell you if you are on the primary. I imagine AD1 would be it.

pramod1 (Author) Commented:
Yes, I ran the above command; it is primary.

pramod1 (Author) Commented:
But the guy here is saying the other one is in the data center.

And he is asking why I can't run the command on the secondary one; he has requested that I let him know the reason, as you won't be available tomorrow.

Jeff Glover (Sr. Systems Administrator) Commented:
Not sure I understand the question. You seem to have access to the primary server. Who cares where the secondary is? As long as it is one farm, it will just get the settings from the primary. If you are one of those setups that has a separate ADFS server for each application, then sorry. You would probably have to RDP to the other server.
Maybe it would help if you described your ADFS setup. How many servers? How many farms (a farm will use the same URL to access all servers in the farm, like sts.company.com)? What version of ADFS are you running?

pramod1 (Author) Commented:
No problem. So I will be using the Active Directory Module for Windows PowerShell, and not PowerShell x86 or ISE?

pramod1 (Author) Commented:
I am trying to run get-adfsfarminfirmation; not getting any answer.

Jeff Glover (Sr. Systems Administrator) Commented:
What version of ADFS are you running? And you misspelled the command. It is get-adfsfarminformation.

pramod1 (Author) Commented:
It says ADFS Management version 6.3.0.0.

pramod1 (Author) Commented:
On Windows Server 2012.

pramod1 (Author) Commented:
I asked where to run the command.

pramod1 (Author) Commented:
I ran the command in the AD Module for Windows PowerShell.

It says the term get-adfsfarminformation is not recognized.

pramod1 (Author) Commented:
I logged into the second ADFS server; it says to connect to the primary server to edit ADFS configuration settings.

I don't see any relying party trust or any of the same configuration as on the primary server.

I can see the farm name also under the ADFS overview.
So what is this server doing?

Jeff Glover (Sr. Systems Administrator) Commented:
OK, you are running ADFS 3.0 then (Server 2012). You really do not do any configuration on the secondary server. It is basically read-only. If you open the ADFS management console, it will tell you to connect to the primary server. For PowerShell, you don't need the AD module; you simply run PowerShell and then run import-module adfs to load the PowerShell commands. If you were using Server 2016, you would not need to load the module. All configuration commands are run on the primary server since they will affect the configuration of the farm.
Since I do not know your setup other than that you seem to have 2 ADFS servers running 2012 (not sure if it is R2 or not), I can only give suggestions. If you open the ADFS Management Console on the primary server, you should be able to see any Relying Party Trusts in the tree.
A second server in a farm is there just for fault tolerance. It should be behind a load balancer, although you could use WNLB for it (not my favorite, but it works). You also should have a proxy server or two in your DMZ to handle external requests.

pramod1 (Author) Commented:
You are 100% correct, and my utmost thanks to you for patiently answering my questions.

It will be Windows PowerShell x86?

Jeff Glover (Sr. Systems Administrator) Commented:
Your 2012 server should be 64-bit, but if it is 32-bit, then probably. We just use Windows PowerShell and import the module. Going by your past responses, if you see a Windows Azure AD Module for PowerShell, it is a normal PowerShell environment that runs a script automatically to load the Azure AD module for you. Same with the Active Directory Module for PowerShell: it loads the Active Directory module automatically. Nothing stopping you from loading other modules in those if you want. ISE is the Integrated Scripting Environment. It would work if you had to, but it has a lot of extras you don't need here.

pramod1 (Author) Commented:
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome")

pramod1 (Author) Commented:
Will this work?

Jeff Glover (Sr. Systems Administrator) Commented:
Does pretty much the same thing the first command I sent you does. The first one simply overwrites what is there with a new string, adding the extra agents; this one appends to the existing agents. Never tried it, but it should work.
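Both commands in this thread, Jeff's full-list overwrite earlier and the append form just above, change the farm-wide WIASupportedUserAgents list in one line and leave the operator to handle the surrounding steps by hand. The script below is an added example, not code posted by anyone in the thread, that wraps the append form with the checks the thread touches on: it refuses to run on a secondary node (using Get-AdfsSyncProperties, as suggested earlier), saves the current list to a file so the change can be backed out without a VM restore, appends only the agents that are not already present so re-running is harmless, and restarts the ADFS service instead of rebooting. The agent strings in $AgentsToAdd and the folder C:\ADFS-Backup are assumptions to adjust for your farm. Two points worth knowing before running it: "Mozilla/5.0" is a substring of the user-agent string of essentially every current browser, so adding it makes ADFS offer Integrated authentication to Firefox and Safari as well as Chrome (users on non-domain machines may then see a credential prompt instead of the forms sign-in page); and the script deliberately leaves ExtendedProtectionTokenCheck alone, since setting it to None switches off the channel-binding check for every client, not just old Chrome builds.

```powershell
# Added example (not code from the thread): append WIA user agents on the ADFS farm
# primary with a role check and a roll-back file. $AgentsToAdd and $BackupDir are
# assumed values; change them to match your environment.
param(
    [string[]]$AgentsToAdd = @("Mozilla/5.0", "Edge/12", "=~Windows\s*NT.*Edge"),
    [string]$BackupDir = "C:\ADFS-Backup"   # assumed folder for the roll-back copy
)

Import-Module ADFS -ErrorAction Stop   # needed on ADFS 3.0 (Server 2012 R2); harmless on 2016+

# 1. Only the primary node accepts configuration changes; secondaries are read-only.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This node's role is '$($sync.Role)'. Run the change on the primary ADFS server."
}

# 2. Save the current list (JSON array of strings) so the change can be reverted.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("WIASupportedUserAgents-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
ConvertTo-Json -InputObject $current | Set-Content -Path $backupFile -Encoding UTF8
Write-Host "Saved $($current.Count) current entries to $backupFile"

# 3. Append only the entries that are missing, so re-running the script is safe.
#    Entries starting with "=~" are regular expressions; everything else is a substring match.
$missing = @($AgentsToAdd | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "Nothing to do: all requested agents are already configured."
    return
}
Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)

# 4. A service restart is enough for the farm to pick up the new list; no reboot needed.
Restart-Service -Name adfssrv

# 5. Print the effective list for the change record.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
```

To back the change out, on the same primary node run Set-AdfsProperties -WIASupportedUserAgents ([string[]](Get-Content $backupFile -Raw | ConvertFrom-Json)) followed by Restart-Service adfssrv; that is the scripted equivalent of the snapshot-restore fallback discussed earlier, without reverting anything else on the server.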

pramod1 (Author) Commented:
Excellent answer; proud to have Jeff on Experts Exchange.

Jeff's script worked.