deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #3133 from j0rt3g4/Issue#3053

Browse Source 
Adding the way to add the SCP for ADFS
This commit is contained in:
Andrea Barr 2019-04-29 08:44:13 -07:00 committed by GitHub
commit b8ba72cc8a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -275,6 +275,7 @@ Sign-in a certificate authority or management workstations with _domain administ
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
>[!NOTE] >[!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
@ -360,6 +361,30 @@ Active Directory Federation Server used for Windows Hello for Business certifica
Approximately 60 days prior to enrollment agent certificates expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. Approximately 60 days prior to enrollment agent certificates expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
>[!TIP]
> Make sure to change the $enrollmentService and $configNC variables before running the script.
```Powershell
# Replace this with your Device Registration Service endpoint
$enrollmentService = "enterpriseregistration.contoso.com"
# Replace this with your Active Directory configuration naming context
$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=org"
$de = New-Object System.DirectoryServices.DirectoryEntry
$de.Path = "LDAP://CN=Device Registration Configuration,CN=Services," + $configNC
$deSCP = $de.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
$deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService)
$deSCP.CommitChanges()
```
>[!NOTE]
> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1.
>
## Additional Federation Servers ## Additional Federation Servers
Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.