after installing, before configuring, create a gMSA account

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # backdating the key skips the normal 10-hour replication wait; single-DC lab only
New-ADServiceAccount -Name adfsgMSA -DnsHostName adfs.test.local -ServicePrincipalNames http/adfs.test.local

create a wildcard certificate and install it on the ADFS server

can I hit https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml? (should return the federation metadata XML)

to log in, run Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

then hit https://fs.t1.testdom/adfs/ls/idpinitiatedsignon.aspx

ADFS CLAIMS AUTH FOR EXCHANGE

https://www.petenetlive.com/KB/Article/0001546

https://getanadmin.com/exchange-2/claims-authentication-using-adfs-in-exchange-server/

ADFS management ⇒ Relying party trusts ⇒ add relying party trust

Claims aware ⇒ manually enter data ⇒ name it OWA ⇒ leave cert blank ⇒ enable support for WS-Federation passive protocol, put the exchange link ⇒ make sure the exchange link is present ⇒ set the acl ⇒ skip the ready to add trust

we can do this for ecp too

now we need to add a claim issuance policy for each (unless we only did owa and not ecp lmao)

relying party trusts ⇒ edit claim issuance policy (on right) ⇒ add rule ⇒ custom rule (AD-SID-ID and UPN)

export adfs token signing cert

AD-SID ID

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

UPN

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
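same thing scripted instead of clicked through the console: added example, not from the linked articles. assumes Exchange answers at mail.test.local and that the trusts are named OWA and ECP as above; the permit-all authorization rule is the lab version of "set the acl".

```powershell
# Added example: create both relying party trusts with the two custom claim rules.
# Assumption: Exchange client access FQDN is mail.test.local.
$exchangeHost = 'mail.test.local'

# Same two rules as the notes: look up primary SID and UPN in AD from the
# windowsaccountname claim ADFS issues after authentication.
$transformRules = @'
@RuleName = "AD-SID-ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization (the "set the acl" step). Permit-all for the lab;
# in production scope this to a group claim instead.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# One trust per Exchange app; identifier and WS-Fed passive endpoint are the app URL.
foreach ($app in 'owa', 'ecp') {
    $endpoint = "https://$exchangeHost/$app/"
    Add-AdfsRelyingPartyTrust -Name $app.ToUpper() `
        -Identifier $endpoint `
        -WSFedEndpoint $endpoint `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Check: both trusts exist and carry the transform rules the console's
# "edit claim issuance policy" dialog would show.
'OWA', 'ECP' | ForEach-Object {
    Get-AdfsRelyingPartyTrust -Name $_ |
        Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
}

# "export adfs token signing cert": Exchange needs the primary token-signing
# cert's thumbprint to validate ADFS tokens. Path is an assumption.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
Export-Certificate -Cert $signing -FilePath 'C:\adfs-token-signing.cer'
$signing.Thumbprint
```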