When you get serious about security in Hybrid Identity implementations, you would opt to implement AD FS servers and Web Application Proxies as Server Core installations. However, this poses a slight problem with the Azure AD Connect Health Agent for AD FS, because at first glance, you can’t configure it on Server Core installations of Windows Server.
I have the Azure AD Connect Health Agent for AD FS working on my Server Core-based Active Directory Federation Services (AD FS) servers and my Web Application Proxies. I’ve gone back and forth and have successfully used the method below on AD FS Servers and Web Application Proxies running:
- Server Core installations of Windows Server 2012 R2
- Server Core installations of Windows Server 2016
- Installations of Windows Server version 1709
Let me show you how:
About Azure AD Connect Health
Azure AD Connect Health helps administrators monitor and gain insights into their Hybrid Identity implementations. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services by providing monitoring capabilities for your key identity components:
- Azure Active Directory Connect installations
- Active Directory Federation Services (AD FS) servers
- Web Application Proxies
- Active Directory Domain Controllers
Azure AD Connect Health makes the key data points about these components easily accessible in the Azure AD Connect Health portal so performance monitoring, usage analysis, troubleshooting and gaining other important insights becomes easy.
Azure AD Connect Health agent for AD FS
To monitor Active Directory Federation Services (AD FS) servers and Web Application Proxies you can install the Azure AD Connect Health agent for AD FS on these servers.
After installation, the agent needs to be configured to communicate with the Azure Active Directory tenant that is part of the Hybrid Identity implementation. During configuration, the agent therefore asks for global admin credentials.
When communicating with the Azure AD Connect Health service, the Azure AD Connect Health agent for AD FS talks to several endpoints and sets up outgoing connections on TCP 80, TCP 443 and TCP 5671.
Configuring the Azure AD Connect Health Agent for AD FS on Server Core
Step 1. Download the Azure AD Connect Health AD FS Agent
The first thing we need to do is get our hands on the installer for the Azure AD Connect Health Agent for AD FS. For this purpose, we perform these steps on any Windows installation:
- Go to the Microsoft Azure Portal using your favorite browser.
- Log on with credentials of an account in the Azure Active Directory tenant with Global Admin (Company Administrator) privileges. Perform multi-factor authentication, when prompted.
- In the left navigation pane, click on Azure Active Directory.
- In Azure Active Directory’s navigation pane, click on Azure AD Connect.
- In the main pane for Azure AD Connect, click on the Quick Start tile.
- In the new pane, in the Get Tools section, click the link Download Azure AD Connect Health Agent for AD FS.
- Save AdHealthAdfsAgentSetup.exe to an easily accessible location.
Step 2. Getting the installer on the Server Core installations
There are several ways to get the installer for Azure AD Connect Health Agent for AD FS onto Server Core installations. While some prefer the file share method, this is not particularly useful in scenarios where the Web Application Proxies are placed in a strictly managed perimeter network, where you’d have RDP access, at best.
There’s a little trick I use to get the files I need onto Server Core installations, making clever use of the built-in functionality of RDP and Notepad.
While you could be fooled into believing you don’t have File Explorer-like functionality on Server Core installations, Notepad actually offers this functionality as part of its File, Open dialogue screen.
I perform these steps:
- On the Windows installation where you previously downloaded the installer for Azure AD Connect Health Agent for AD FS, select the installer by left-clicking it. Then, right-click it and select Copy from the context menu.
- Log on to the Server Core installation using RDP with default settings, using the Remote Desktop Connection client (mstsc.exe).
- On the Server Core’s command line, type Notepad.exe.
- In Notepad, click on File in the menu bar, and then click Open.
- In the Open dialogue window, select the option All Files instead of the default Text Documents (.txt) for Files of type:.
- Navigate to a folder where you can easily access the installer from the command line. As I prefer short command lines, I usually place installers in the root of the C:\ drive.
- Click in an empty space in the folder where you want to place the installer, and press Ctrl+V to paste the installer into that location.
- Verify the file was pasted into the location and then click Cancel in the Open dialogue window.
- Close Notepad.
For security purposes, disable clipboard redirection for Remote Desktop sessions on the Server Core-based Web Application Proxies when you’re done configuring.
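Server Core has no gpedit.msc, so the clipboard redirection policy mentioned above has to be set through its registry-backed value. The following is an added example, not part of the original post; it assumes no domain Group Policy already governs this setting (a domain GPO would override the local value).

```powershell
# Added example (not from the original post): disable clipboard redirection for RDP
# sessions on a Server Core host once the installer has been copied over.
# Assumption: this host is not domain-policy managed for this setting.

$rdpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# The policy key does not exist until a policy has been set; create it if needed.
if (-not (Test-Path $rdpPolicy)) {
    New-Item -Path $rdpPolicy -Force | Out-Null
}

# fDisableClip = 1 is the registry equivalent of the Group Policy setting
# "Do not allow Clipboard redirection" for Remote Desktop Session Host.
New-ItemProperty -Path $rdpPolicy -Name 'fDisableClip' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the value; it applies to new RDP sessions (already-connected
# sessions keep clipboard redirection until they reconnect).
$current = (Get-ItemProperty -Path $rdpPolicy -Name 'fDisableClip').fDisableClip
if ($current -eq 1) {
    Write-Host 'Clipboard redirection is disabled for new RDP sessions.'
} else {
    Write-Warning "fDisableClip is $current; clipboard redirection is still allowed."
}
```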
Step 3. Installing the Azure AD Connect Health AD FS Agent
To start the installation of the Azure AD Connect Health Agent for AD FS, simply run the following command on the command line of the Server Core installation:
In the Azure AD Connect Health AD FS Agent window, click the Install button.
After the Installation succeeds, click the Configure Now button.
The Azure AD Connect Health Agent for AD FS configuration will fail, stating the following error:
Register-AzureADConnectHealthAgent: The type initializer for ‘Microsoft.identityModel.Clients.ActiveDirectory.Internal.WindowsFormsWebAuthenticationDialogBase’ threw an exception.
This is expected.
A log file is created. When you go through the log file, you’ll notice a line stating
Unable to load DLL ‘IEFRAME.dll’: The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Here is the cause of the failure. Internet Explorer is not available on Server Core installations, and the Azure AD Connect Health Agent for AD FS tries to leverage Internet Explorer to display the login prompt for Azure Active Directory, using the Azure Active Directory Authentication Library (ADAL) experience.
Step 4. Configuring the Azure AD Connect Health AD FS Agent
Luckily, the Azure AD Connect Health Agent for AD FS provides information on how to solve this situation. To solve this issue, we are advised to run the Register-AzureADConnectHealthADFSAgent PowerShell cmdlet manually.
Now, of course, simply running it results in the same error. Therefore, we run it slightly differently, in a way that consists of two lines of PowerShell code:
$cred = Get-Credential
Register-AzureADConnectHealthADFSAgent -Credential $cred
After the first line of PowerShell, we are prompted for credentials. We need to enter the userPrincipalName and password for an account in Azure Active Directory that has Global Admin (Company Administrator) privileges in the Azure AD tenant and does not have multi-factor authentication enabled.
Enforcing multi-factor authentication on privileged accounts in Azure Active Directory is a best practice, and actually free for admins. However, in this case, we need to temporarily use an account without multi-factor authentication.
After the second line of PowerShell code, the Azure AD Connect Health Agent for AD FS will be successfully configured and communicating with the Azure AD Connect Health endpoints, reporting:
Agent registration completed successfully.
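The registration step above, put together as an added example that is not from the original post: it checks the two things this post identifies (Server Core installation type and the missing IEFRAME.dll), then registers the agent with an explicit credential so the browser-based ADAL prompt is never needed. It assumes an elevated PowerShell session on the AD FS server or Web Application Proxy where the agent has already been installed.

```powershell
# Added example (not from the original post): non-interactive registration of the
# Azure AD Connect Health agent for AD FS on Server Core, with the pre-checks the
# post explains. Assumes an elevated session on a host where the agent is installed.

# 1. Determine why the interactive dialog would fail: the ADAL login prompt needs
#    IEFRAME.dll (Internet Explorer), which Server Core installations do not ship.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$hasIeFrame  = Test-Path (Join-Path $env:SystemRoot 'System32\ieframe.dll')
Write-Host "InstallationType: $installType; IEFRAME.dll present: $hasIeFrame"

# 2. Prompt for a Global Admin account that does not have MFA enforced.
#    Prompting keeps the password out of scripts and shell history; never hard-code it.
$cred = Get-Credential -Message 'Azure AD Global Admin (no MFA) for agent registration'

# 3. Register with the explicit credential so the agent skips the browser prompt.
#    -ErrorAction Stop ensures a failed registration is not mistaken for success.
try {
    Register-AzureADConnectHealthADFSAgent -Credential $cred -ErrorAction Stop
}
catch {
    Write-Warning "Registration failed: $($_.Exception.Message)"
    if (-not $hasIeFrame) {
        Write-Warning 'IEFRAME.dll is absent on this host; the interactive dialog cannot work, use -Credential.'
    }
}
finally {
    # Release the credential object once done. Re-enable MFA on the account used
    # here; it only needs to be MFA-exempt for the duration of the registration.
    $cred = $null
}
```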
You can get the Azure AD Connect Health Agent for AD FS working on Server Core installations.
However, you can’t configure it when using a privileged Azure Active Directory account that has multi-factor authentication enforced.
Thanks a lot Sander – I was missing the bit with the MFA-enforced user when registering the agent. Got it to work now.
Do we need to install and register the agent on WAP servers also ?
You don't need to install the Azure AD Connect Health agent on the Web Application Proxy servers, but when you do, you gain the full Azure AD Connect Health functionality, a complete overview of the AD FS implementation and synthetic sign-ins.
This is a great blogpost if the authentication is where the agent is failing, but what if the AD FS server or Web App Proxy can reach the service endpoints, but fails when it begins the blob data upload procedure. I am getting the following error:
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.
It sounds like you're not using TLS 1.2 to communicate with the service endpoints.
Please follow the instructions in the blogposts on disabling weak protocols, cipher suites and hashing algorithms (enabling TLS 1.2 should be sufficient) and enforcing Azure AD Connect (components) to use TLS 1.2.
Hello Sander. I would like to ask you for help. In the MS doc it is written that:
Pass-through Authentication is not integrated with Azure AD Connect Health.
I was considering using the "AD FS application activity report" to assess application readiness to migrate their authentication from ADFS -> Azure AD.
Does it mean that I cannot install health agents and afterwards use the activity report from AD Connect Health to assess applications' auth?
Thanks a lot for help !
You can install the agents and use the insights.
AD FS can be used as the sign-in method for Azure AD, but does not need to be configured as such for the Azure AD Connect Health agent for AD FS to perform its magic.