Find ADFS Proxy server name from ADFS server.

  • Question

  • Hi,

    I have to find the ADFS Proxy server name from ADFS server.

    Is there any way to programmatically find servers which act as a federation server and proxy server in an AD environment?

    Does Active Directory Domain Services (ADSIEDIT.msc) store information about Federation server and federation proxy server in ADFS Farm?

    Is there any PowerShell command to find information about federation server and proxy server names?

    How do the Federation server and Federation Proxy server communicate with each other?

    Sandeep Gupta

    Wednesday, September 7, 2016 1:24 PM

Answers

  • The communication between ADFS in Windows Server 2012 R2 servers is stateless. We do not keep track of the server's name. When you add a new ADFS server you need to specify where the DB is, and that is it. If the DB is WID, then you need to specify the name of the Primary ADFS server, but really it is just to locate the DB, not to keep track of what the different servers in the farm are. All ADFS servers in a farm are running under the same security context (service account). If you are using a gMSA, you can look at what machines can retrieve the password of the gMSA, and that could give you an indication of what the nodes of the farm are (as long as this gMSA is dedicated to ADFS and you remove stale servers):

    Get-ADServiceAccount -Identity "<your gMSA account's name>" -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object PrincipalsAllowedToRetrieveManagedPassword

    Because ADFS nodes are often in a Load Balancer cluster, you can check this appliance/server/device for its configuration... Or because ADFS requires an SSL cert, you could also track it down this way and see which server got a cert. Or you could scan all your servers (using a script or leveraging an agent such as SCCM) to determine whether or not the role is installed.

    The ADFS farm is not keeping track of each ADFS proxy server but instead is considering all ADFS proxy servers as a whole. When an ADFS proxy joins the farm, the ADFS proxy is responsible for generating a self-signed certificate and storing it in the DB of the ADFS farm. So technically we could parse the output of this T-SQL on the DB and have the list of all imported self-signed certificates:

    SELECT [ServiceSettingsData] FROM [AdfsConfiguration].[IdentityServerPolicy].[ServiceSettings]

    The output should contain something like:

    <ProxyTrustConfiguration>
      <ObjectVersion>0</ObjectVersion>
      <TokenLifeTime>21600</TokenLifeTime>
      <ProxyTrustId>fdca3f1f-25eb-4a43-99f7-46309d876a25</ProxyTrustId>
      <_subjectNameIndex xmlns:d4p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
        <d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>
          <d4p1:Key>CN=ADFS ProxyTrust - proxy001</d4p1:Key>
          <d4p1:Value xmlns:d6p1="http://schemas.datacontract.org/2004/07/System.Security.Cryptography.X509Certificates">
            <d6p1:X509Certificate2>
              <RawData xmlns:d8p1="http://www.w3.org/2001/XMLSchema" xmlns="" i:type="d8p1:base64Binary">Blablabla</RawData>
            </d6p1:X509Certificate2>
          </d4p1:Value>
        </d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>
        <d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>
          <d4p1:Key>CN=ADFS ProxyTrust - proxy002</d4p1:Key>
          <d4p1:Value xmlns:d6p1="http://schemas.datacontract.org/2004/07/System.Security.Cryptography.X509Certificates">
            <d6p1:X509Certificate2>
              <RawData xmlns:d8p1="http://www.w3.org/2001/XMLSchema" xmlns="" i:type="d8p1:base64Binary">Blablabla</RawData>
            </d6p1:X509Certificate2>
            <d6p1:X509Certificate2>
              <RawData xmlns:d8p1="http://www.w3.org/2001/XMLSchema" xmlns="" i:type="d8p1:base64Binary">Blablabla</RawData>
            </d6p1:X509Certificate2>
          </d4p1:Value>
        </d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>
      </_subjectNameIndex>
    </ProxyTrustConfiguration>

    Here you can see two d4p1:Key sections containing the hostname of the proxy... Doesn't really tell you much since there is no FQDN nor IP address...

    But there is nothing built-in...


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, September 7, 2016 4:54 PM
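The parsing step the answer above describes, as an added example that is not part of the original post: it walks the ServiceSettingsData XML, picks out every `CN=ADFS ProxyTrust - <host>` key under `_subjectNameIndex`, and counts the X509Certificate2 entries stored for each proxy, so an inventory can be compared against the proxies you expect to exist. The sample blob is constructed from the fragment in the answer; the `ServiceSettingsData` wrapper element and its `xmlns:i` declaration are assumptions (the real blob declares the `i` prefix on its own root, which the fragment does not show).

```python
import re
import xml.etree.ElementTree as ET

# Namespaces that appear in the serialized ProxyTrustConfiguration above.
NS = {
    "arr": "http://schemas.microsoft.com/2003/10/Serialization/Arrays",
    "x509": "http://schemas.datacontract.org/2004/07/System.Security.Cryptography.X509Certificates",
}
ENTRY = "{%s}KeyValueOfstringArrayOfX509Certificate29zVOn6VQ" % NS["arr"]
KEY_RE = re.compile(r"^CN=ADFS ProxyTrust - (?P<host>.+)$")


def list_proxy_trusts(settings_xml: str) -> dict:
    """Map each proxy hostname found in _subjectNameIndex to the number of
    X509Certificate2 entries stored under its key. It walks every matching
    element, so it can be fed the whole ServiceSettingsData blob."""
    root = ET.fromstring(settings_xml)
    proxies = {}
    for entry in root.iter(ENTRY):
        key = entry.findtext("arr:Key", default="", namespaces=NS)
        match = KEY_RE.match(key)
        if match is None:
            continue  # key in an unexpected form: skip it rather than guess a host
        certs = entry.findall("arr:Value/x509:X509Certificate2", NS)
        proxies[match.group("host")] = len(certs)
    return proxies


def _entry(host: str, n_certs: int) -> str:
    """Build one constructed _subjectNameIndex entry shaped like the sample
    (the RawData payload is a placeholder, not a real certificate)."""
    cert = ('<d6p1:X509Certificate2><RawData xmlns:d8p1="http://www.w3.org/2001/XMLSchema"'
            ' xmlns="" i:type="d8p1:base64Binary">QUJD</RawData></d6p1:X509Certificate2>')
    return ("<d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>"
            "<d4p1:Key>CN=ADFS ProxyTrust - %s</d4p1:Key>"
            '<d4p1:Value xmlns:d6p1="%s">%s</d4p1:Value>'
            "</d4p1:KeyValueOfstringArrayOfX509Certificate29zVOn6VQ>"
            % (host, NS["x509"], cert * n_certs))


# Constructed sample: the fragment from the answer, wrapped in an assumed root
# element that declares the "i" prefix the RawData attribute relies on.
SAMPLE = (
    '<ServiceSettingsData xmlns:i="http://www.w3.org/2001/XMLSchema-instance">'
    "<ProxyTrustConfiguration><ObjectVersion>0</ObjectVersion>"
    "<TokenLifeTime>21600</TokenLifeTime>"
    '<_subjectNameIndex xmlns:d4p1="%s">%s%s</_subjectNameIndex>'
    "</ProxyTrustConfiguration></ServiceSettingsData>"
    % (NS["arr"], _entry("proxy001", 1), _entry("proxy002", 2))
)

if __name__ == "__main__":
    for host, count in sorted(list_proxy_trusts(SAMPLE).items()):
        print(host, count)
```

A host that appears in the result but not in your list of deployed proxies, or a count that keeps growing, is worth a look: as the answer notes, the key holds only a short hostname, so you still have to resolve it against your own inventory.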
  • Actually the table [AdfsConfiguration].[IdentityServerPolicy].[WebApplicationProxyData] is easier to parse... It contains the same data as the output of Get-WebApplicationProxyConfiguration.

    If you know at least one WAP server, you can also use Get-WebApplicationProxyConfiguration on that one. It will tell you the list of all WAP servers that have at some point been in the WAP group (even those that are no longer, if you haven't taken them out correctly).



    Tuesday, September 13, 2016 3:58 PM
