Powershell To Install ADFS for D365 FFO On Prem
Setting up ADFS for D365 On Prem? Easy!
Setting up ADFS for D365 on Prem is now a little easier (hopefully). Below is a script that can be used to configure ADFS for D365. It is assumed that this is run on the ADFS server itself, from inside the InfrastructureScript folder, as a domain administrator in an elevated PowerShell session.
Step 1
Simply run this as is:
```powershell
# Run the following PowerShell script on the machine where AD FS will be deployed, as domain administrator in an elevated administrator console
Add-Type -AssemblyName System.Net
$fqdn = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
$domainName = $fqdn.Substring($fqdn.IndexOf('.')+1)
$null = Add-WindowsFeature RSAT-AD-PowerShell
# If a KDS root key hasn't been set up in AD DS yet, run this. Backdating the effective time skips the
# 10-hour replication wait so the gMSA can be created immediately (fine for a single-DC or lab domain).
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Create a group managed service account (gMSA) for AD FS:
New-ADServiceAccount ADFS -DNSHostName $fqdn -AccountExpirationDate $null -ServicePrincipalNames "http/$fqdn"
# Create the SSL certificate for AD FS (self-signed; the SANs cover the federation service name,
# device registration and certificate authentication)
$adfsCert = New-SelfSignedCertificate -CertStoreLocation 'cert:\LocalMachine\My' -DnsName $fqdn, "enterpriseregistration.$domainName", "certauth.$fqdn" -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Type SSLServerAuthentication
$adfsSslPfxFilePath = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath "$($adfsCert.Thumbprint).pfx"
$sslCertPassword = Read-Host -Prompt 'Enter AD FS SSL PFX Password' -AsSecureString
```
Enter a password and store it somewhere safe for later use. This is the password that protects the exported PFX file, which contains the certificate's private key.
Step 2
Execute the following in the same PowerShell session, since it relies on the variables set in Step 1:
```powershell
# Export the certificate as a PFX (with private key) and trust it on this server.
# Client machines only need the public certificate in their Trusted Root store; distribute that
# via GPO, certificate services, or any method you choose, never the PFX itself.
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($adfsCert.Thumbprint)" -FilePath $adfsSslPfxFilePath -Password $sslCertPassword
Import-PfxCertificate -FilePath $adfsSslPfxFilePath -Password $sslCertPassword -CertStoreLocation 'cert:\LocalMachine\Root'
# Install the AD FS feature
$null = Install-WindowsFeature -Name 'Windows-Internal-Database'
$null = Install-WindowsFeature -IncludeManagementTools -Name 'ADFS-Federation'
Import-Module ADFS -ErrorAction Stop
# Build the gMSA identifier as DOMAIN\ADFS$ (assumes the NetBIOS domain name matches the first DNS label)
$subDomain = $domainName.Substring(0, $domainName.IndexOf('.'))
$gmsaAccount = "$subDomain\ADFS" + '$'
# Deploy AD FS
Install-AdfsFarm -CertificateThumbprint $adfsCert.Thumbprint -FederationServiceName $fqdn -FederationServiceDisplayName $domainName -GroupServiceAccountIdentifier $gmsaAccount
# Allow e-mail as authentication input
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $domainName
# Enable user import (set the federation service identifier to the token issuer URI)
$adfsProperties = Get-AdfsProperties
Set-AdfsProperties -Identifier $adfsProperties.IdTokenIssuer
# Disable Windows Integrated Authentication on the intranet; forms and Windows Hello for Business are the primary providers instead
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider FormsAuthentication, MicrosoftPassportAuthentication
# Restart the computer for the changes to take effect
```
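After the reboot, the following check script confirms the deployment produced by the two steps above actually matches what the script intended (gMSA usable, service up, certificate SANs, WIA off, e-mail login enabled, metadata endpoint answering). It is an added example, not part of the original post, and assumes it runs on the same AD FS server as a domain administrator; the check names are my own.

```powershell
# Added example: verifies the AD FS deployment produced by the two steps above.
# Assumes it runs on the AD FS server after the reboot, as a domain administrator.
Import-Module ADFS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
$fqdn       = ([System.Net.Dns]::GetHostEntry('localhost').HostName).ToLower()
$domainName = $fqdn.Substring($fqdn.IndexOf('.') + 1)
$results    = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The gMSA exists and this host is allowed to retrieve its managed password
$gmsaOk = Test-ADServiceAccount -Identity 'ADFS' -ErrorAction SilentlyContinue
Add-Check 'gMSA ADFS$ usable on this host' ([bool]$gmsaOk) 'Test-ADServiceAccount ADFS'

# 2. The AD FS service is running
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
Add-Check 'adfssrv running' ($svc.Status -eq 'Running') "Status: $($svc.Status)"

# 3. The SSL certificate bound to the farm carries every SAN the script requested
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fqdn } | Select-Object -First 1
$cert    = if ($binding) { Get-ChildItem "Cert:\LocalMachine\My\$($binding.CertificateHash)" -ErrorAction SilentlyContinue }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san     = if ($sanExt) { $sanExt.Format($false) } else { '<no SAN extension>' }
foreach ($name in @($fqdn, "enterpriseregistration.$domainName", "certauth.$fqdn")) {
    Add-Check "SSL cert SAN includes $name" ($san -like "*$name*") $san
}

# 4. Forms authentication is offered on the intranet and Windows Integrated Authentication is not
$intranet = (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
Add-Check 'Forms auth is an intranet provider' ($intranet -contains 'FormsAuthentication') ($intranet -join ', ')
Add-Check 'WIA is not an intranet provider'    ($intranet -notcontains 'WindowsAuthentication') ($intranet -join ', ')

# 5. E-mail is accepted as the alternate login ID on the AD claims provider trust
$cpt = Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY'
Add-Check 'AlternateLoginID is mail' ($cpt.AlternateLoginID -eq 'mail') "Forests: $($cpt.LookupForests -join ', ')"

# 6. The federation metadata endpoint answers over HTTPS using the now-trusted certificate
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
    Add-Check 'Federation metadata reachable' ($resp.StatusCode -eq 200) $metadataUrl
} catch {
    Add-Check 'Federation metadata reachable' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'One or more AD FS checks failed.' }
```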