Connecting WAP to ADFS - Can't use group Managed Service Account

  • Question

  • When I try to establish a connection from WAP to the ADFS server with this script:

    $ADFSCred = Get-Credential  # example.com\fsgMSA$
    
    # Thumbprint of the WAP certificate (curly quotes and the en-dash before "like" fixed so it parses)
    $fingerprintWap = Get-ChildItem Cert:\LocalMachine\My\ -Recurse |
        Where-Object { $_.Subject -like "*adfs01.example.com*" } |
        Select-Object -ExpandProperty Thumbprint
    
    Install-WebApplicationProxy -FederationServiceTrustCredential $ADFSCred `
    -CertificateThumbprint $fingerprintWap `
    -FederationServiceName "Adfs01.example.com"

    I get the following error:

    Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation service. 
    Error: Unauthorized. Verify that the service account has administrative access on the target Federation Server.
    At line:8 char:1
    + Install-WebApplicationProxy -FederationServiceTrustCredential $ADFSCr ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand


    By using "example.com\administrator" (domain admin) it works, but I want to use a group Managed Service Account for security reasons.

    Wednesday, October 11, 2017 12:04 PM

Answers

  • You don't have to create an account (though you could). You can simply use the same account you are using to administrate ADFS. The credentials are just used to establish the trust and are not stored/saved on the WAP. After the installation, the WAP will use a certificate obtained during the setup to authenticate with the ADFS server.

    The account just needs to be a member of the local administrators group of the ADFS server, regardless of the database type you have (you don't need to have rights on the ADFS DB either).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by 1.FreddyD Monday, October 16, 2017 4:43 AM
    Friday, October 13, 2017 2:05 PM
    Owner
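As an added example (not code from the thread), the checks a practitioner would wrap around the install step on the WAP server, in PowerShell: confirm before calling Install-WebApplicationProxy that the one-time credential really is a local administrator on the ADFS server (the cause of the "Unauthorized" error above), pick the proxy certificate deterministically, and afterwards confirm the WAP holds a proxy trust certificate rather than the credential. The host names, the account, WinRM access to the ADFS host and the 'ADFS ProxyTrust' subject prefix are assumptions.

```powershell
# Added example (not from the thread): pre-checks and a post-check around the one-time
# trust step. Assumed: host names, the account used, WinRM to the ADFS host, and the
# 'ADFS ProxyTrust' subject prefix of the certificate WAP holds after installation.
$FederationServiceName = 'adfs01.example.com'
$AdfsHost              = 'adfs01.example.com'

# The credential is used once to establish the trust; it is not saved on the WAP.
$ADFSCred = Get-Credential -Message 'Account that is a local admin on the ADFS server'

# 1. Pre-check: is this account actually a local administrator on the ADFS server?
#    Runs as the supplied credential on the ADFS host and asks Windows directly.
$isLocalAdmin = Invoke-Command -ComputerName $AdfsHost -Credential $ADFSCred -ScriptBlock {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not $isLocalAdmin) {
    throw "$($ADFSCred.UserName) is not a local administrator on $AdfsHost; Install-WebApplicationProxy would fail with 'Unauthorized'."
}

# 2. Pick the certificate deterministically: subject must match, it must have a private
#    key and be unexpired. Take the one expiring last, and never guess silently.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$FederationServiceName*" -and
                   $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending)
if ($candidates.Count -eq 0) { throw "No usable certificate for $FederationServiceName in LocalMachine\My." }
if ($candidates.Count -gt 1) { Write-Warning "$($candidates.Count) matching certificates; using the newest." }
$fingerprintWap = $candidates[0].Thumbprint

# 3. Establish the trust (the step from the question).
Install-WebApplicationProxy -FederationServiceTrustCredential $ADFSCred `
    -CertificateThumbprint $fingerprintWap `
    -FederationServiceName $FederationServiceName
$ADFSCred = $null   # nothing else needs the credential; drop the reference

# 4. Post-check: the WAP now authenticates to ADFS with a proxy trust certificate
#    obtained during setup (assumed subject 'CN=ADFS ProxyTrust - <WAP host>').
$trustCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' }
if (-not $trustCert) {
    Write-Warning 'No proxy trust certificate found; the trust was not established.'
} else {
    "Proxy trust certificate: $($trustCert.Subject), valid until $($trustCert.NotAfter)"
}
Get-WebApplicationProxyConfiguration   # shows the ADFS endpoint the proxy is now bound to
```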

All replies

  • The WAP installation just needs an account to read the ADFS database. So there is no need to use a service account here, as the operation is not saving the credentials. It is a one-time thing. So run that with an account that is a member of the local administrators group of the ADFS server. And that's it.


    Friday, October 13, 2017 12:20 AM
    Owner
  • Hi Pierre!

    Thanks for your reply!

    This account won't be needed anymore (for any authentication or service, etc.) after this configuration?

    So I can create an account for this and delete it after this step?

    What permissions are required for this account? Are there recommendations for security regarding this account? 

    It doesn't matter if using WID or SQL?


    • Edited by 1.FreddyD Friday, October 13, 2017 11:19 AM
    Friday, October 13, 2017 11:15 AM