after installing, before configuring, create a gMSA account
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount -Name adfsgMSA -DnsHostName adfs.test.local -ServicePrincipalNames http/adfs.test.local
create and drop a wildcard certificate
can i hit https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml?
to log in, run Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
then hit https://fs.t1.testdom/adfs/ls/idpinitiatedsignon.aspx
https://www.petenetlive.com/KB/Article/0001546
https://getanadmin.com/exchange-2/claims-authentication-using-adfs-in-exchange-server/
ADFS management ⇒ Relying party trusts ⇒ add relying party trust
Claims aware ⇒ manually enter data ⇒ name it OWA ⇒ leave cert blank ⇒ enable support for the WS-Federation passive protocol and put in the Exchange OWA link ⇒ make sure the Exchange link is present as the relying party identifier ⇒ set the access control policy ⇒ skip the ready-to-add-trust page
we can do this for ecp too
now we need to add a claim issuance policy for each (unless we only did owa and not ecp lmao)
relying party trusts ⇒ edit claim issuance policy (on right) ⇒ add rule ⇒ custom rule (AD-SID-ID and UPN)
export adfs token signing cert
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
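The same OWA/ECP relying party trusts and the two custom claim rules above, scripted with the ADFS cmdlets instead of clicked through the console. This is an added example, not part of the original notes; the Exchange hostname mail.test.local is an assumption and the claim URIs are quoted without the angle brackets (those were link markup, not claim rule syntax).

```powershell
# Added example (not from the original notes): scripts the relying party trust steps above.
# Assumption: mail.test.local is the Exchange server the trust should point at.
$exchangeHost = 'mail.test.local'

# The two custom issuance rules from the notes: primary SID and UPN, both looked up in AD
# using the windowsaccountname claim that Windows auth already gives us.
$issuanceRules = @'
@RuleName = "Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Authorization rule equivalent to the "permit everyone" choice in the wizard's ACL step.
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# One WS-Federation passive relying party trust per Exchange virtual directory (OWA and ECP).
# The identifier and the passive endpoint are both the vdir URL, as in the console steps.
foreach ($vdir in 'owa', 'ecp') {
    $url = "https://$exchangeHost/$vdir/"
    Add-AdfsRelyingPartyTrust -Name $vdir.ToUpper() `
        -Identifier $url `
        -WSFedEndpoint $url `
        -IssuanceTransformRules $issuanceRules `
        -IssuanceAuthorizationRules $authRules
}

# Check that both trusts exist and that both rules got attached to each of them.
Get-AdfsRelyingPartyTrust | Where-Object Name -In 'OWA', 'ECP' |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```

On ADFS 2016 and later the console assigns an access control policy rather than raw authorization rules; -IssuanceAuthorizationRules still works, but -AccessControlPolicyName 'Permit everyone' is the newer equivalent.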