Forcing the use of a specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS

Active Directory Federation Services (AD FS) in combination with Azure Multi-Factor Authentication (MFA) Server work together when you install and configure the Azure MFA Adapter for AD FS.

Now, per Relying Party Trust (RPT) in Active Directory Federation Services (AD FS), you might want to force the use of a specific Azure Multi-Factor Authentication method.

The default checkboxes in the Global Authentication Policies and in the Authentication Policies per Relying Party Trust allow you to enable and/or disable Multi-Factor Authentication as a logon requirement on a per-user basis, for the extranet and/or intranet, and for managed and/or unmanaged devices. For a lot of scenarios, these options are inadequate. Not to worry, because you can use the Edit claim rules… option in the AD FS Management Console (Microsoft.IdentityServer.msc) for a specific Relying Party Trust in the list.

The default way to do this is to add the following line to the Claims Issuance Rules for the Relying Party Trust (RPT):

=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

Now, this claim rule triggers Multi-Factor Authentication, but it doesn’t force the use of a specific Azure Multi-Factor Authentication method.

To achieve this, we need an additional claims issuance rule.
This is pretty simple, because Azure MFA Server and the Active Directory Federation Services (AD FS) Security Token Service (STS) add the method used to a claimtype called authmethod.


Available methods

When you look at the logging produced when you enable AD FS auditing, you can clearly see the claimtypes floating by:

A typical AD FS claim in the AD FS log, Event ID 501 (screenshot)

Now, in the example above, the last claimtype specifies the Azure Multi-Factor Authentication method used.

The table below lists the claimtype in relationship with the Azure Multi-Factor Authentication method used, based on AD FS on Windows Server 2012 R2 (AD FS 3.0) and Azure Multi-Factor Authentication Server version 7.1.2.1:

Table with available claims and Multi-factor Authentication methods

Let’s look at each of these a little deeper:


Forcing a method

Now, all we need to do to force the phone call as the specific Azure Multi-Factor Authentication method for a Relying Party Trust in AD FS is to edit the above Claims Issuance rule to look like this:

=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/ws/2012/12/authmethod/otp");


Recommendations

Now, this approach leads to a couple of interesting observations:

  1. The Active Directory Federation Services (AD FS) Extensible Authentication Framework (EAF) feature that the Azure MFA Adapter uses does not offer the ability to force a specific authentication method. When you don’t use the specified method, you get prompted for multi-factor authentication again and again. For this purpose, enable the Prompt for user method feature.
  2. When a user does not have the appropriate method configured, redirect him/her to the MFA Server User Portal to configure it.

Further reading

Azure MFA Server 7.1.2.1 Release Notes
Choosing the right Azure MFA authentication methods
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience
Azure Multi-Factor Authentication Server version 7.0.2.1 is here
Azure Multi-Factor Authentication Server reaches version 7.0.0.9 
Prompting colleagues for their Multi-Factor Authentication method in AD FS


Prompting colleagues for their Multi-Factor Authentication method in AD FS

Since version 7 of the on-premises Azure MFA Server, a new setting is available that might make sense in your Hybrid Identity environment when using Active Directory Federation Services (AD FS), called Prompt for user’s method.

According to the Azure MFA Server 7.1.2.1 Release Notes, this feature is available since version 7.0.0.9.

In the release notes the feature is described as:

AD FS adapter now displays a list of MFA methods to choose from based on

  1. options configured under the Allow users to select method checkbox and
  2. the information registered by the user.

This allows users to choose a preferred authentication method each time they sign in. Alternatively, the adapter can perform the user’s default MFA method immediately, then display the list of options if the user doesn’t respond. Note that users connecting from Windows Phone whose default method is Mobile App will always see the list of options except Mobile App due to a known issue where the app being accessed loses state when switching over to the authenticator app, thus resulting in a failed authentication after completing MFA.

This feature makes this configuration very easy to implement for version 7 of Azure MFA, and up. Let’s dive into it:


Prior to Azure MFA Server version 7

For versions of Azure MFA Server prior to version 7, you needed to add an extra line of text to the MultiFactorAuthenticationAdfsAdapter.config file, before registering the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) Adapter.

To enable the Prompt for user’s method feature, you needed to add the following line:

<AutomaticallyTriggerUserDefaultMethod>False</AutomaticallyTriggerUserDefaultMethod>

To automatically trigger the user’s default method instead, use the following line:

<AutomaticallyTriggerUserDefaultMethod>True</AutomaticallyTriggerUserDefaultMethod>


When you had already registered an Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) Adapter, you had to disable the MFA provider in AD FS, unregister the adapter, re-register the adapter and then enable the MFA provider in AD FS again, just to switch this functionality on or off. A lot of hassle for a setting that feels trivial…


Azure MFA Server version 7, and up

To enable or disable the Automatically trigger user’s default method in Azure Multi-Factor Authentication (MFA) Server version 7, and up, you can use the Azure MFA Server Management User Interface (MultiFactorAuthUI.exe).

In Global Settings, select or deselect the option to Automatically trigger user’s default method under Allow users to select method.

Global Settings in Azure MFA Server (screenshot)

This change is almost immediate. You don’t need to reset or restart, de-register or re-register the Azure MFA AD FS Adapter(s) to make it happen.


Further reading

Azure MFA Server 7.1.2.1 Release Notes 
Choosing the right Azure MFA authentication methods 
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience 
Azure Multi-Factor Authentication Server version 7.0.2.1 is here 
Azure Multi-Factor Authentication Server reaches version 7.0.0.9


Pictures of our Hybrid Identity session at Graafschap College

As I mentioned last week, Raymond Comvalius and I were scheduled for an ‘Inspire Me’ session at Graafschap College in Doetinchem last Friday. Our challenge was to inspire 50 High School students in their final year for their future as systems administrators.

For me, last Friday was a day I could sleep late. While normally you would find me in The Hague around 7 AM, this time around I only needed to be in Utrecht at 8:30 AM. Friday traffic in the Netherlands also meant I didn’t really have to account for much delay on the way over.

Charging points as far as the eye can see at P+R "De Uithof" (photo)

Raymond picked me up at the ‘De Uithof’ public transportation hub, where I parked the company car to charge at one of the 28 charging points available.

We drove East and soon encountered snow. Raymond and I didn’t have much snow where we live, but in the East of the Netherlands up to 4 inches of snow had fallen the previous night.

Snowy Doetinchem (photo)
Entering Gruitpoort with Raymond (photo)

Just a couple of days before the session, Ronald Wassink told us that he had a surprise for us. This year around we weren’t scheduled in the auditorium but in the theatre around the corner, the Gruitpoort.

This is a nice little venue, with a nice lay-out and proper audio and video, although Raymond and I don’t really need microphones.

A little introduction. We do things with Windows and Active Directory (photo by Ronald Wassink)
Raymond explaining Claims-based Authentication (photo)
Announcing a little break using the Hybrid Identity Authentication Twister Mat (photo by Ronald Wassink)

We did a little 15-minute break after an hour and a half of slides and demos, so the guys could get a cup of coffee or tea. We then pushed on for another hour, explaining Modern Management and typical do’s and don’ts for Hybrid Identity.

Afterwards, Raymond and I enjoyed lunch with Ronald at the venue and discussed the future of systems management and educating people to prepare them for the Continuously Integrating road that lies ahead.

What started out as a modest request after Microsoft TechDays 2014 has grown into the fourth ‘Inspire Me’ session, four years in a row. A truly satisfying experience!

We had fun!


Let’s do this next year, too.

Further reading

Raymond and I are inspiring a new batch of High School students again this year 
Pictures of our Enterprise Mobility and Azure session at Graafschap College 
Raymond and I are teaching High School students on Enterprise Mobility and Azure 
Raymond and I will be inspiring a new group of High School students  
Pictures of our BYOD High School session 
Raymond and I will be delivering our BYOD Show to High School students      
Why Lifecycle Management can’t be a mere afterthought anymore


Only Three Months of Support remain for DirSync and Azure AD Sync

As I wrote earlier, Microsoft ends support for implementations using the stand-alone Azure AD Sync tool and implementations of DirSync on April 13, 2017.

As I write this, a mere three months remain to take care of your migration to a recent version of Azure AD Connect, and of the implementation of the lifecycle management policies and processes you’ll need to avoid this situation in the future.


What solutions are being deprecated?

DirSync

The Windows Azure Active Directory Sync (DirSync) tool was Microsoft’s first tool to make it possible for organizations to synchronize user accounts and groups between their on-premises Active Directory Domain Services (AD DS) environments and Azure Active Directory. Its most appealing use was to synchronize these objects for Office 365, Microsoft’s cloud productivity suite that uses Azure Active Directory as its identity store.

DirSync was aimed at organizations with a single Active Directory forest.
Version 7022.000 is the last release of DirSync, dating back to July 31, 2014.

Azure AD Sync

The stand-alone Azure AD Sync tool was introduced in late 2014 and its last release dates back to May 2015 (version 1.0.494.0501). Its goal was identical to DirSync’s: to synchronize objects between on-premises Active Directory Domain Services environments and Azure Active Directory.

Azure AD Sync, however, was aimed at organizations with multiple Active Directory forests and other advanced scenarios. The Azure AD Sync tool didn’t offer the same breadth of functionality as DirSync did.

Azure AD Sync was folded into Azure AD Connect, when Azure AD Connect became Generally Available (GA) as version 1.0.8641.0 in June 2015.


About Azure AD Connect

Azure Active Directory Connect is the new ‘umbrella’ product to achieve Hybrid Identity.

Unlike the DirSync and Azure AD Sync tools, Azure AD Connect offers an implementation wizard for every aspect of Hybrid Identity in both single- and multi-forest environments. Since version 1.1, Azure AD Connect also supports third-party LDAP directories.

If you’re looking for the ground-breaking new Pass-through Authentication (PTA) and Seamless Single Sign-on (S3O) features as an alternative to your Password Hash Sync (PHS) or Active Directory Federation Services (AD FS) implementation, take a look at version 1.1.371.0, or up. Install it on Windows Server 2012 R2, or up, for full functionality.

When used together with Azure AD Premium and/or Enterprise Mobility Suite (EMS) licenses, Azure AD Connect supports Azure AD Connect Health for Sync, Azure AD Connect Health for AD FS, Azure AD Connect Health for Directory, password write-back, group write-back, device write-back and directory extensions.


About Lifecycle Management

As Azure and Azure Active Directory change almost daily, organizations harnessing their powers in a Hybrid implementation need to think about lifecycle management. Lifecycle Management can’t be a mere afterthought anymore.

Hybrid Identity admins need to keep their versions of Azure AD Connect, the Azure AD PowerShell Module, scripts and optionally Active Directory Federation Services (AD FS) current.

Automating changes through Infrastructure-as-Code, combined with a test and/or acceptance environment that is separate from, but representative of, your actual production environment, is not a luxury anymore; it’s a necessity.


Call to Action

When you have either the DirSync tool, the Azure AD Sync tool or a version of Azure AD Connect below 1.1.x deployed for your Azure Active Directory synchronization needs, you are strongly urged to plan to migrate to Azure AD Connect version 1.1.180.0, or up.

The FAQ on the deprecation of DirSync and the stand-alone Azure AD Sync tool, additionally, hints at a future deprecation of the Windows Azure Active Directory Connector for FIM.

Further reading

DirSync and Azure AD Sync will reach End of Support on April 13, 2017 
Why the Azure Active Directory Windows PowerShell Module is good news  
Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios 
Tip! Use the Azure AD Connect Configuration Documenter


I’m presenting a Hybrid Identity Evening at iSense ICT Professionals

Next week, on Thursday January 19, 2017, I’m delivering an entire evening dedicated to Active Directory and Hybrid Identity at iSense ICT Professionals’ Gouda Headquarters. 

iSense ICT Professionals' Gouda Headquarters (photo)

About iSense ICT Professionals

iSense ICT Professionals is a Dutch ICT company, specialized in staffing ICT professionals. Their main focus is on systems management, database administration, business analysis and software development (based on Java, .NET and PHP).

iSense has recently started a community initiative instilling team spirit and knowledge sharing. Through this initiative, other Dutch Microsoft MVPs have presented at iSense knowledge sharing events, like Adnan Hendricks, Jeff Wouters and Raymond Comvalius.


About the Hybrid Identity Evening

I’m presenting an entire evening on Active Directory and Hybrid Identity, after we gather around some food starting at 6PM.

My first presentation, from 7 PM to 7:45 PM, focuses on Hybrid Identity. I’ll discuss claims-based authentication, Azure AD, AD FS and Azure AD Connect. After a short break, I’ll discuss Azure Multi-Factor Authentication for another 45 minutes (from 8:15 PM to 9 PM), until we stop for drinks and informal chats.


Join me!

iSense is organizing the Hybrid Identity evening free of charge.
Sign up (in Dutch) and get to the iSense Gouda office on Thursday January 19, 2017.


From the field: Colleagues in specific group encounter error “AADSTS50107 Requested federation realm object does not exist.”

Sometimes, you hit error messages that are just too vague to troubleshoot. I like these kinds of situations. This particular one is especially fun, because it requires some intermediate knowledge of Active Directory Federation Services in Hybrid Identity environments.

My favorite subject.


The situation

Single Sign-On (SSO) for organizations comes in many shapes and sizes.
One of the more popular setups is Hybrid Identity where Active Directory and Azure Active Directory work together. For authentication, in the majority of these implementations, Active Directory Federation Services (AD FS) is used.

One of the more advanced scenarios is the scenario where domain-joined devices automatically join Azure Active Directory based on a Group Policy setting, a Service Connection Point (SCP) and Active Directory Federation Services (AD FS) Claims Issuance Rules. The detailed information for this scenario is provided by Microsoft on GitHub for Connecting domain-joined devices to Azure AD for Windows 10 experiences.


The problem

In one implementation following the scenario described above, some colleagues encounter an error message when logging on to Office 365. This Azure Active Directory-integrated application is used in an environment where Hybrid Identity is configured with federation towards Active Directory Federation Services (AD FS) on Windows Server 2012 R2.

They receive an error message when logging on, stating:

AADSTS50107: Requested federation realm object ‘http://sts.domain.tld/adfs/services/trust’ does not exist.

All other colleagues have no problem using any of the applications that are integrated with Azure Active Directory or Active Directory Federation Services (AD FS).


Our investigation

We began our troubleshooting roughly a month ago.

The Active Directory Domain Services environment consists of one Active Directory domain in one Active Directory forest. Further investigation reveals that while colleagues are part of hundreds of groups, the colleagues that are affected by the issue are all part of a specific group in Active Directory.

The Relying Party Trust (RPT) between Azure Active Directory and Active Directory Federation Services (AD FS) for the Office 365 Identity Platform was created using the Convert-MSOLDomainToFederated Windows PowerShell Cmdlet from the Azure Active Directory PowerShell Module. Its purpose is to change a verified DNS domain name to a federated domain.


The cause

The Issuance Transform Rules you created at the time for the Office 365 Identity Platform, following Connect domain-joined devices to Azure AD for Windows 10 experiences, named

  • Issue object GUID
  • Issue account type for domain joined computers
  • Pass through primary SID

read:

Issue object GUID

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);


Issue account type for domain joined computers

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");


Pass through primary SID

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c2);


The second of these rules is the one wreaking havoc on the users in the specific group.
This specific rule checks for membership of the Domain Computers group by looking for the well-known SID suffix of that group: 515.

The colleagues who were experiencing problems signing in to Office 365 happened to be members of a group whose SID ended in 7515…

Note:
Azure AD Connect can also create the above rules when you configure it for AD FS through Custom Settings. Even if an organization hasn’t created the Claims Issuance Rules manually, they might still trip over them.


The solution

We changed the Issuance Transform Rules.

Everywhere we encountered

Value =~ "515$"

we replaced it with

Value =~ "-515$"

This fixed the problem, because the rule now looks for the SID to end with -515, eliminating all other groups whose SID ends in 515, like 1515, 2515, etc.
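To illustrate why the loose pattern misfires, and to check an exported rule set for it, here is an added Python example that is not part of the original post or of Microsoft’s tooling; the domain SID, group names and rule text are constructed, and Python’s re.search stands in for the regex match behind the AD FS =~ operator.

```python
import re

# Constructed sample data (not from the post): a made-up domain SID and a few
# group SIDs. Only one of them is the Domain Computers group (well-known RID 515).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_SIDS = {
    "Domain Computers": DOMAIN_SID + "-515",   # the group the rule is meant to match
    "Domain Users":     DOMAIN_SID + "-513",
    "Project group":    DOMAIN_SID + "-7515",  # custom group whose RID ends in 515
    "Printer admins":   DOMAIN_SID + "-1515",
}

# The groupsid condition as generated by the older tooling, and the corrected one.
LOOSE_CONDITION = r"515$"
STRICT_CONDITION = r"-515$"

# Constructed issuance transform rules in the shape shown above, still carrying
# the loose condition in all three places.
SAMPLE_RULES = """\
@RuleName = "Issue object GUID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);
@RuleName = "Issue account type for domain joined computers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");
@RuleName = "Pass through primary SID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c2);
"""


def groups_matched(condition, group_sids):
    """Names of the groups whose SID satisfies 'Value =~ condition'."""
    return sorted(name for name, sid in group_sids.items() if re.search(condition, sid))


def issues_dj_account_type(condition, member_group_sids):
    """True when the 'Issue account type for domain joined computers' rule would fire
    for a principal holding these groupsid claims, i.e. the token would claim
    accounttype = DJ even for a plain user. That is what triggers AADSTS50107."""
    return any(re.search(condition, sid) for sid in member_group_sids)


# Matches a groupsid condition and captures the regex used in its Value =~ clause.
GROUPSID_CONDITION = re.compile(
    r'Type == "http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groupsid"'
    r'[^\]]*?Value =~ "(?P<pattern>[^"]*)"'
)


def loose_groupsid_conditions(rules_text):
    """Return the Value patterns of groupsid conditions that anchor on bare digits
    (like 515$) instead of on the RID with its leading hyphen (like -515$)."""
    return [
        m.group("pattern")
        for m in GROUPSID_CONDITION.finditer(rules_text)
        if re.fullmatch(r"\d+\$", m.group("pattern"))
    ]


def harden_groupsid_conditions(rules_text):
    """Rewrite every bare 'Value =~ "<rid>$"' groupsid condition to 'Value =~ "-<rid>$"'."""
    def fix(m):
        pat = m.group("pattern")
        if re.fullmatch(r"\d+\$", pat):
            return m.group(0).replace('"' + pat + '"', '"-' + pat + '"')
        return m.group(0)
    return GROUPSID_CONDITION.sub(fix, rules_text)


if __name__ == "__main__":
    print("loose  :", groups_matched(LOOSE_CONDITION, GROUP_SIDS))
    print("strict :", groups_matched(STRICT_CONDITION, GROUP_SIDS))
    print("loose patterns found:", loose_groupsid_conditions(SAMPLE_RULES))
    print("after hardening     :", loose_groupsid_conditions(harden_groupsid_conditions(SAMPLE_RULES)))
```

Run against a rule set exported from your own federation servers, the two checker functions tell you whether any groupsid condition still uses the bare 515$ form.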


Escalating

After the fourth customer experiencing the issue, I reached out to Microsoft. They had changed the documentation already to include the same fix we had, but of course, when an organization has things working, they rarely go back to the documentation to see if it has changed.

Note:
The documentation being hosted on GitHub is a pretty big clue that Microsoft expects its documentation to change, possibly based on feedback from people like you and me.

Note:
Microsoft has been consistent in its endeavours to eradicate the above situation, so when you use an updated version of Azure AD Connect and/or the Azure Active Directory PowerShell Module 2.0, you’ll see four Active Directory Federation Services (AD FS) claims issuance rules being created, of which the ones targeting the Domain Computers group have the minus added.


Call to Action

As I’ve previously laid out, Lifecycle Management can’t be a mere afterthought anymore. Please:

  • Check to see if your Claims Issuance Rules are impacted by this issue.
  • Monitor for servicedesk calls from colleagues not being able to log into Office 365.
  • Upgrade to the latest version of Azure AD Connect.
    Note that Azure AD Connect installations with Express Settings are auto-upgraded to the latest stable release, although they haven’t been since version 1.1.343.0.
  • Regularly check for updates to Azure AD Connect and the documentation.

Further reading

Connect domain-joined devices to Azure AD for Windows 10 experiences
How to configure automatic registration of domain-joined devices with Azure AD
Why Lifecycle Management can’t be a mere afterthought anymore
Well-known security identifiers in Windows operating systems
Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios
Claim Rules

Hat tip

Thank you to my colleagues MarcZ and BasA for sharing and caring.


Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios

Last week, Microsoft released a new version of Azure AD Connect, dubbed version 1.1.380.0, that contains a bug fix that is especially applicable to organizations using Azure AD Connect in a networking environment consisting of multiple Active Directory domains and/or Active Directory Forests.


What’s New

In this build of Azure AD Connect, an issue was fixed where the IssuerID claim rule for AD FS is missing.
This snag has been bugging Azure AD Connect implementations since version 1.1.343.0.

If you have multiple federated domains in Azure AD, then a Claims Issuance Rule containing the IssuerID claimtype is required.

The IssuerID claimtype offers the functionality for every federated domain in Azure AD to have a unique identifier. If multiple federated domains point to the same Active Directory Federation Services (AD FS) implementation, the identifier would be the same across multiple federated domains, and Azure AD does not allow that. The additional IssuerID claimtype allows for this scenario, creating a custom and unique issuer identifier, based on the DNS domain name.

Claims Issuance Rules are configured automatically to issue the IssuerID claimtype when you use the -SupportMultipleDomain switch for the Convert-MSOLDomainToFederated Windows PowerShell Cmdlet, but apparently, the last two versions of Azure AD Connect did not correctly configure the Claims Issuance Rules for multi-domain and multi-forest scenarios.


Version information

This is version 1.1.380.0 of Azure AD Connect.
It was signed off on December 28th, 2016.


Download information

You can download Azure AD Connect here.
The download weighs 78.0 MB.


Concluding

If you’ve previously upgraded your Azure AD Connect installation to version 1.1.371.0, you can download this version of Azure AD Connect and upgrade to it.

When you’ve installed Azure AD Connect using Express Settings, the Automatic Updating functionality will not upgrade your Azure AD Connect installation(s) to this version. Installations configured with Express Settings will continue to run version 1.1.343.0.

Further reading

Azure AD Connect 1.1.371.0 offers PTA and S3O preview capabilities
Azure AD Connect version 1.1.343.0 with support for Windows and SQL Server 2016
Azure AD Connect version 1.1.281.0 has been released


Raymond and I are inspiring a new batch of High School students again this year

Just like the previous three years, Raymond and I have scheduled another ‘Inspire Me’ meeting with High School students of the Graafschap College in Doetinchem, the Netherlands.

On Friday January 13th, we’re presenting two 1-hour presentations as part of the last year of studies for High School students aspiring to become Systems Administrators.


About our presentation

We will be discussing the concepts of Modern Management with these students.
While their books don’t cover most of the Bring-Your-Own, Choose-Your-Own, Windows 10, Intune or Azure stuff, our presentation is chock-full of it. Of course, we’re not just explaining it theoretically, but also demoing the most intriguing aspects of claims-based authentication, hybrid identity and leveraging current investments, all based on one relatively simple case they might get asked about on their first job as a Systems Administrator:

Can you provide secure access to our organization’s resources for both trusted and untrusted devices, used by both employees and others, without the need for firewalls, and, of course, for the lowest possible (initial) cost?

The fun part of our presentation is that after several of these sessions, the students rebuild the shown implementation and have to explain how it works to their teachers. In the past years, our implementation got mimicked quite often, which is the biggest compliment they can give us!


About the High School

We are invited by the two teachers as part of the MBO Level 4 ICT Management Year 3 curriculum at the Graafschap College in Doetinchem, the Netherlands.

Personally, I feel honored to contribute to making the education of these ICT Professionals-to-be more future proof by telling them about Enterprise Mobility and Azure. Their textbooks don’t contain this information yet, so I feel getting it presented to them by two passionate Microsoft MVPs is the next best thing.


I’m looking forward to it again!

Further reading

Raymond and I are teaching High School students on Enterprise Mobility and Azure 
Raymond and I will be inspiring a new group of High School students 
Raymond and I will be delivering our BYOD Show to High School students


On Cloud Nine: 2017 Microsoft MVP for Enterprise Mobility, Identity and Access

On Cloud Nine

In a state of blissful happiness

I was thrilled to receive a message from the Microsoft Most Valuable Professional (MVP) Award team, this afternoon, telling me I received my ninth Microsoft MVP Award in a row.

MVP 2017

Stating I’m on Cloud Nine says it all: With everything that has happened in 2016, I’m jubilant to be a part of the MVP Program for another year.

Thank you.


Would you like to manage AD FS on Windows Server 2016, too? No problem!

Yesterday, I blogged on the entirely new Management Pack for Active Directory Domain Services on Windows Server 2016. What I didn’t notice, until now, is that a management pack for Active Directory Federation Services is also available.


About the AD FS MP

The Active Directory Federation Services (AD FS) Management Pack provides both proactive and reactive monitoring of your AD FS deployment for both the federation server and the federation server proxy roles.

The management pack monitors events that the AD FS Windows service records in the AD FS event logs, and it monitors the performance data that the AD FS performance counters collect. It also monitors the overall health of the AD FS system and the federation passive application, and it provides alerts for critical issues and warning issues.

This management pack includes monitoring of the following core components:

  • token issuance
  • token acceptance
  • artifact service
  • Web sites
  • trust management
  • certificate rollover
  • Windows Internal Database synchronization.


Windows Server 2016 only

Where the completely rewritten System Center Management Pack for Active Directory Domain Services (AD DS) offers support for Active Directory Domain Controllers running Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016, this version of the System Center Management Pack for Active Directory Federation Services (AD FS) supports AD FS Servers (acting as STSs) and Web Application Proxies running Windows Server 2016 only.


Version

This is version 10.0.1.0 of the Active Directory Federation Services Management Pack.
It can be deployed to Windows Server 2016-based systems.

This Management Pack requires System Center 2012 or newer and does not replace your 7.0.x Active Directory Federation Services Management Pack deployment.


Download

You can download version 10.0.1.0 of the Active Directory Federation Services Management Pack here. It is available in 18 languages and weighs between 484KB and 576KB per language.


Recommendation

Don’t let monitoring your Windows Server 2016-based Active Directory Federation Services (AD FS) servers and Web Application Proxies slow down your migration to Microsoft’s latest and greatest.
