04 System Management
When component is registered, you can manage Services with PowerShell or MMC Console. Some PowerShell Cmdlet are only running on primary servers, and MMC is limited to manage users on secondary servers
- Log on a Primary Adfs server as Adfs administrator or Delegated administration group member
- Launch a new PowerShell session as administrator
- type get-help Enable-MFASystem –detailed to get information.
- type get-help Disable-MFASystem –detailed to get information.
- Enter your command
Enable-MFASystemDisable-MFASystem
- Log on a Primary Adfs server as Adfs administrator or Delegated administration group member
- Launch a new PowerShell session as administrator
- type get-help Restart-MFAComputerServices –detailed to get information.
- Enter your command
Restart-MFAComputerServices -Identity yourserver.fqdn
MFA is using notifications between servers. Notifications are working with a Secured WCF service (tcp) To enable communication between your Adfs servers you must :
Open tcp ports between servers on firewall's domain zone (port 5987)
Log on a each Adfs server as Adfs administrator or Delegated administration group member
Launch a new PowerShell session as administrator
type get-help Set-MFAFirewallRules –detailed to get information.
Enter your command
Set-MFAFirewallRules # using MFA Server listSet-MFAFirewallRules -ComputersAllowed '172.16.0.1, 172.17.0.50'Managing firewall rules is only possible with PowerShell (not in MMC)
If you have created MFA certificates (RSA) in previous installations, you must update Access Control List. to give the good rights on the certificates private keys for the Adfs service and the Adfs account
- Log on a each Adfs server as Adfs administrator or Delegated administration group member
- Launch a new PowerShell session as administrator
- type get-help Update-MFACertificatesAccessControlList –detailed to get information.
- Enter your command
Update-MFACertificatesAcessControlList Update-MFACertificatesAcessControlList -CertsKind (AllCerts | MFACerts | ADFSCerts | SSLCerts)This cmdlet only add or update ACL, by default all certificates private keys are updated (AllCerts)
Also available in MMC under Service Status Node
We found that on Adfs 2016 and 2019, each time the adfssrv service is restarted, or every 30 minutes. a new "Key/Pair", yes ! a private key is generated in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys server directory. These additional keys are not attached to any certificate or other. Really very strange, it still seems that it is a bug of Adfs interacting with the Framework, that Microsoft really takes time to correct ...
This problem concerns precisely the key of the SSL certificate.
To avoid ending up with several thousand files in this directory (it's a security problem), you can either use a PowerShell command from time to time or activate a regular cleaning process.
Warning !
Depending of your configuration, this operation is very intrusive, private keys that not belongs to an installed certificate will be deleted (except the one dedicated to RDP connection).
You must backup your VM or take a snapshot and test before applying this in production.
Log on a each Adfs server as Adfs administrator or Delegated administration group member
Launch a new PowerShell session as administrator
type get-help Clear-MFAOrphanedRSAKeyPairs –detailed to get information.
Clear-MFAOrphanedRSAKeyPairs # Enable automatic garbage every 30 mn Clear-MFAOrphanedRSAKeyPairs -AutoCleanUp $true -CleanUpDelay 30
- Restart the MFA Service with powershell
Restart-Service mfanotifhub
- Log on the a primary ADFS server as administrator
- Launch MMC snappin
