
I am trying to move my ADFS / WAP to the cloud to give better resilience after experiencing a recent failure.

In part to save on VM costs, I am using just 2 VMs, with ADFS installed on a domain controller, and the WAP on a separate machine. It seems like lots of people recommend running ADFS on a domain controller.

I'm a bit stuck though when it comes time to configure the Web Application Proxy. It asks for a local administrator account on the ADFS server... in this case, I'd have to add the account to MyDomain\Administrators, a pretty high-risk group. This doesn't really fit with the idea of running ADFS on a DC.

When starting the WAP post-install configuration, I am looking at the Federation Server page, where it asks for the Federation Service Name, and just below it prompts for a local administrator account on the ADFS server. There is no local administrators group on the DC of course, only the equivalent Domain\Administrators group which gives access to modifying the domain itself.

Is there a way around this, besides taking the ADFS role off of the DC? A more limited account maybe? Or is this lower risk than it seems at first glance?

Quinten

2 Answers


OK, I found this: http://goodworkaround.com/node/53 and reading closely, it says that the admin credentials are not saved but are only used to create the initial proxy trust. This is NOT made clear by the Microsoft documentation I could find, but I am going to trust it.

Quinten
  • This has moved to https://goodworkaround.com/2013/9/20/howto---adfs-on-windows-server-2012-r2-with-office-365/. – dlanod Apr 02 '18 at 23:50
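The linked article's point (the administrator credential is consumed once to register the proxy trust and is not persisted on the WAP) is easiest to convince yourself of by doing it with a throwaway account and then disabling that account. The script below is an added example, not from the original post or from Microsoft's documentation; the domain name MYDOMAIN, the account name wapTrustSetup and the service name adfs.example.com are assumptions. It follows the asker's layout: ADFS on a domain controller (so the trust account has to land in the domain's built-in Administrators group, there being no local one), WAP on a separate machine. Steps marked ADFS run on the federation server, steps marked WAP run on the proxy.

```powershell
# --- ADFS server (which is also a DC here) ---
# Create a one-time trust account with a random password. On a DC the
# "local administrator" the WAP wizard asks for can only be a member of the
# domain's built-in Administrators group, so that is where it goes, briefly.
Import-Module ActiveDirectory
$trustAccount = 'wapTrustSetup'                       # hypothetical name
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainPassword  = [Convert]::ToBase64String($bytes)   # shown once, never stored
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force

New-ADUser -Name $trustAccount -SamAccountName $trustAccount `
           -AccountPassword $securePassword -Enabled $true `
           -Description 'One-time WAP proxy trust registration'
Add-ADGroupMember -Identity 'Administrators' -Members $trustAccount
Write-Host "Temporary trust credential: MYDOMAIN\$trustAccount / $plainPassword"

# --- WAP server (not domain-joined, in the DMZ) ---
# The credential is passed to Install-WebApplicationProxy only to create the
# proxy trust; afterwards the WAP authenticates to ADFS with the proxy trust
# certificate it received, not with this password.
$fsName = 'adfs.example.com'                          # hypothetical service name
$cred   = Get-Credential -UserName 'MYDOMAIN\wapTrustSetup' `
                         -Message 'One-time proxy trust credential'
$thumb  = (Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "*$fsName*" } |
           Select-Object -First 1).Thumbprint
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $cred `
                            -CertificateThumbprint $thumb

# Confirm the trust exists. No property here holds the admin credential.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ADFSTokenSigningCertificatePublicKey

# --- ADFS server again ---
# Pull the privilege immediately: out of Administrators, then disabled.
# The WAP keeps working, which is the observable proof that the credential
# was only needed for registration.
Remove-ADGroupMember -Identity 'Administrators' -Members $trustAccount -Confirm:$false
Disable-ADAccount -Identity $trustAccount

# The trust is maintained by renewal of the proxy trust certificate; the
# renewal window (in minutes) is visible and tunable on the ADFS side.
Get-AdfsProperties | Select-Object ProxyTrustTokenLifetime

# --- WAP server: re-run after the account is disabled ---
# If this still returns the configuration and published applications still
# proxy, the disabled account was not being used at runtime.
Get-WebApplicationProxyConfiguration
```

Two checks worth keeping in mind: if you ever need to re-register the proxy (for example after the WAP's proxy trust certificate has lapsed because the box was off longer than the trust token lifetime), you will have to re-enable a suitably privileged account for that one operation and then remove it again, exactly as above; and Get-WebApplicationProxyConfiguration on the proxy plus the ADFS event log are the places to confirm the trust survived the account being disabled before you rely on it in production.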

I used a domain admin account for our ADFS service even though it's not on the DC. I probably misread it and thought it required a domain admin. I made a dedicated account for it, and the ADFS server is inside the firewall and we are running a WAP that is not joined to the domain in the DMZ. For us that is reasonable security.

If you really don't want to use a domain admin account, you'll have to take it off the DC.

Todd Wilcox
  • Okay, thanks. But to be clear there is no requirement that it be in the Domain Admins account, only that it be in the Domain\Administrators account, slightly different permissions in AD. I'm probably a bit paranoid as this is going on "the cloud" and it's my first such server that is domain joined. – Quinten Jun 25 '15 at 20:32
  • Actually I think you are talking about a different account, the ADFS service account. I'm talking about the account you use to connect to the ADFS server when configuring WAP. Did you use the same account for both? I.e., did you put the Domain Admins account on the WAP that isn't joined to the domain, in your DMZ? – Quinten Jun 25 '15 at 20:54
  • You know, I don't remember and I can't seem to figure out how to see what I did. Are you sure credentials have to be added on the WAP server? I mean, doesn't it just re-publish the application exposed by the ADFS server? – Todd Wilcox Jun 25 '15 at 22:47
  • Yes, it's a requirement to proceed through with the WAP configuration. – Quinten Jun 26 '15 at 02:21