setupadfs.ps1
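# Copyright (c) Microsoft Corporation. All rights reserved.
# See LICENSE.txt in the project root for license information.
<#
.SYNOPSIS
Configures an existing AD FS for Azure Stack
.DESCRIPTION
Creates a relying party trust to Azure Stack's AD FS with the necessary claim rules
(read from claimrules.txt located next to this script). On Windows Server 2016 and
later it additionally restricts WIA user agents so browsers fall back to form-based
authentication, enables a farm setting to support the Edge browser, and sets the
token lifetime for the AzureStack relying party.
The script exits with a non-zero code when a prerequisite check fails, so a calling
pipeline does not mistake a partial configuration for success.
.PARAMETER ExternalDNSZone
Specify the external DNS zone of Azure Stack that was also provided for the initial deployment
.EXAMPLE
.\setupadfs.ps1 -externaldnszone local.azurestack.external
#>
Param(
    [string]$ExternalDNSZone
)

# Abort on the first failing cmdlet instead of continuing past a failed
# Add-ADFSRelyingPartyTrust and applying farm-wide property changes anyway.
$ErrorActionPreference = 'Stop'

# Without a zone the endpoint name would degrade to "adfs." and every later
# step would fail with a less obvious error.
if ([string]::IsNullOrWhiteSpace($ExternalDNSZone)) {
    Write-Host "ExternalDNSZone must be specified"
    Exit 1
}

$currentPath = $PSScriptRoot
# The claim rules file is resolved relative to the script, not the caller's
# working directory; check it up front so the trust is never created without rules.
$claimRulesFile = Join-Path $currentPath 'claimrules.txt'
if (-not (Test-Path -LiteralPath $claimRulesFile)) {
    Write-Host "Claim rules file not found: $claimRulesFile"
    Exit 1
}

# Create Endpoint
$VIP = "adfs.$ExternalDNSZone"

# Verify if Endpoint is reachable
Write-Host "Validate AD FS Endpoint if reachable"
$Validator1 = Test-NetConnection -ComputerName $VIP -Port 443
if ($Validator1.TcpTestSucceeded -ne $true) {
    Write-Host "Check you DNS Integration with Azure Stack Error $($Validator1.TcpTestSucceeded)"
    Exit 1
}
Write-Host "Status $($Validator1.TcpTestSucceeded)"

# Create Metadata URL
$MetadataURL = "https://$VIP/FederationMetadata/2007-06/FederationMetadata.xml"

# Verify Metadata URL. Invoke-WebRequest throws on a non-success HTTP status
# rather than returning a response object, so a bare StatusCode comparison would
# never observe a 4xx/5xx; the exception has to be caught as well.
Write-Host "Validate AD FS Metadata URL"
try {
    $Validator2 = Invoke-WebRequest -Uri $MetadataURL -UseBasicParsing
}
catch {
    Write-Host "Metadata URL could not be retrived Error $($_.Exception.Message)"
    Exit 1
}
if ($Validator2.StatusCode -ne 200) {
    Write-Host "Metadata URL could not be retrived Error $($Validator2.StatusCode)"
    Exit 1
}
Write-Host "Status $($Validator2.StatusCode)"

# Determine Windows Version
$WindowsVersion = [environment]::OSVersion.Version

# Configure Relying Party Trust. Parameters shared by both OS branches are
# splatted so the two calls cannot drift apart.
$trustParams = @{
    Name                       = 'AzureStack'
    MetadataUrl                = $MetadataURL
    IssuanceTransformRulesFile = $claimRulesFile
    AutoUpdateEnabled          = $true
    MonitoringEnabled          = $true
    Enabled                    = $true
}
if ($WindowsVersion.Build -lt 14393) {
    # Must be 2012 or 2012 R2 (build 14393 is Windows Server 2016).
    Add-ADFSRelyingPartyTrust @trustParams
}
else {
    # Must be 2016 or later; -AccessControlPolicyName only exists on 2016+ AD FS.
    Add-ADFSRelyingPartyTrust @trustParams -AccessControlPolicyName "Permit everyone"
    # Enable Form Based Authentication: only the listed user agents get Windows
    # Integrated Authentication, so browsers fall back to forms-based sign-in.
    Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIPC","Windows Rights Management Client","Kloud")
    # Enable Support for Edge Browser.
    # NOTE(review): this is a farm-wide AD FS property, not scoped to the
    # AzureStack trust; it relaxes token-binding enforcement for every relying
    # party on this farm, so confirm that is acceptable for the environment.
    Set-AdfsProperties -IgnoreTokenBinding $true
    # Token lifetime for the AzureStack relying party; 1440 is presumably
    # minutes (24 hours) -- verify against the AD FS cmdlet documentation.
    Set-ADFSRelyingPartyTrust -TargetName AzureStack -TokenLifeTime 1440
}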