SPN settings in a ADFS 3.0 lab setup

active-directory windows-server-2012-r2 adfs spn
13,143

You can either let the ADFS wizard make necessary configuration for gMSA account

or

you can pre-create your gMSA account with correct SPN (which is your adfs Service name). Same name needs to be also at certificate subject and SAN fields.

-Sami

Share:
13,143

Related videos on Youtube

itaysk
Author by

itaysk

Updated on September 18, 2022

Comments

  • itaysk
    itaysk over 1 year

    I am a developer trying to understand authentication with ADFS (2012 R2), so I am trying to setup an ADFS lab. I have found 2 guides:

    Doc1 starts with creating a gSMA account, however Doc2 says "The ADFS configuration wizard will automatically configure the correct Service Principal Names (SPN) on this service account so don’t worry about this configuring the SPN."

    Which path should I take? If you think I should create the gSMA account, can you help me understand what values I should provide in my lab? They are using

    New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com

    My server is called server1.mydomain.local. Should my new gSMA command look like this?:

    New-ADServiceAccount FsGmsa -DNSHostName server1.mydomain.local -ServicePrincipalNames http/server1.mydomain.local

    I am specifically asking about the "ServicePrincipalNames" attribute because doc2 says to "Ensure that the physical computer name of any of the ADFS servers in the farm don’t match the ADFS service name"

    • HopelessN00b
      HopelessN00b about 10 years
      Could you clarify this? I'm not sure what the question is. Either let the wizard create an SPN for you, or make one yourself, but either way, you have to make sure that the SPN is different from any computer hostname. (Is that the answer you're looking for?)
    • itaysk
      itaysk about 10 years
      Can I run the wizard without creating a user\SPN\gSMA in advance? I am not an IT guy, I'm a developer so I don't know the consequences...
    • HopelessN00b
      HopelessN00b about 10 years
      You can - worst that happens is that authentication won't work until you register an SPN, and under other circumstances that can be a bitch to troubleshoot, but since you already know what to look at, there should be no problem with registering the SPN manually after the fact, if you want.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What's the upgrade path for ADFS 2.1 to 3.0 (Server 2012 to 2012 R2)
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain
Do I really need an account in domain\administrators for the Web Application Proxy with ADFS 3.0 on a domain controller?
Setting disk quotas with Active Directory
How to convert regular windows 10 account to an active directory account?
How do I configure DNSMasq on DD-WRT when using Active Directory?
How can I list all members from AD group showing enable and disabled users?
How to join a system to a domain controller in Microsoft Azure
Brute force attack with no IP to trace
AD FS and DC on same Server