Set-ADFSConfiguration


Sets the configuration properties of the Federation Service.

Syntax

Parameter Set: Default
Set-ADFSConfiguration [-AcceptableIdentifiers <Uri[]> ] [-AddProxyAuthorizationRules <String> ] [-ArtifactDbConnection <String> ] [-AuthenticationContextOrder <Uri[]> ] [-AutoCertificateRollover <Boolean> ] [-CertificateCriticalThreshold <Int32> ] [-CertificateDuration <Int32> ] [-CertificateGenerationThreshold <Int32> ] [-CertificatePromotionThreshold <Int32> ] [-CertificateRolloverInterval <Int32> ] [-CertificateThresholdMultiplier <Int32> ] [-ClientCertRevocationCheck <String> ] [-ContactPerson <ContactPerson> ] [-DisplayName <String> ] [-ExtendedProtectionTokenCheck <String> ] [-FederationPassiveAddress <String> ] [-HostName <String> ] [-HttpPort <Int32> ] [-HttpsPort <Int32> ] [-Identifier <Uri> ] [-LogLevel <String[]> ] [-MonitoringInterval <Int32> ] [-NetTcpPort <Int32> ] [-NtlmOnlySupportedClientAtProxy <Boolean> ] [-OrganizationInfo <Organization> ] [-PassThru] [-PreventTokenReplays <Boolean> ] [-ProxyTrustTokenLifetime <Int32> ] [-ReplayCacheExpirationInterval <Int32> ] [-SamlMessageDeliveryWindow <Int32> ] [-SignedSamlRequestsRequired <Boolean> ] [-SignSamlAuthnRequests <Boolean> ] [-SsoLifetime <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Set-ADFSConfiguration cmdlet sets the global properties and configuration of the Federation Service.

Parameters

-AcceptableIdentifiers<Uri[]>

Specifies identifiers that are acceptable names for the Federation Service when it checks the audience for claims that it receives from another claims provider.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AddProxyAuthorizationRules<String>

Specifies a policy rule set that can be used to establish authorization permissions for setting up trust proxies. The default value allows the AD FS service user account or any member of BUILTIN\Administrators to register a federation server proxy with the Federation Service. Modify this property only if you want to enable an account beyond those authorized by default to register federation server proxies. If the authorization rules you add are configured incorrectly, you can prevent new proxies from registering at all.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false
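The warning above is the practical point: a replacement rule set that drops the defaults locks out the accounts that register proxies today. The following PowerShell is an added example, not code from the reference page. It appends one group-scoped permit rule to the existing rules instead of replacing them, keeps a backup, and reads the result back. The SID is a placeholder, and the rule text uses the AD FS claim rule language with the standard groupsid claim type and the authorization permit claim; that this property accepts rules in that form is an assumption of the example.

```powershell
# Added example (not from the reference page): permit one additional group to
# register a federation server proxy while keeping the default rules that
# already permit the AD FS service account and BUILTIN\Administrators.
# The SID below is a placeholder. The rule text uses the AD FS claim rule
# language (standard groupsid claim type, authorization "permit" claim);
# that this property accepts rules in that form is an assumption here.
$ProxyAdminsSid = 'S-1-5-21-0-0-0-1234'   # PLACEHOLDER: SID of the proxy-admin group

$current = [string](Get-ADFSConfiguration).AddProxyAuthorizationRules

# Keep a copy of the current rule set so it can be restored if proxy
# registration stops working after the change.
$backup = Join-Path $env:TEMP ('ProxyAuthRules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $current -Encoding UTF8

# Guard against adding the same rule twice on a re-run.
if ($current.Contains($ProxyAdminsSid)) {
    Write-Output 'A rule for this SID is already present; nothing to do.'
    return
}

$newRule = @"
@RuleName = "Permit proxy registration for the proxy-admin group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$ProxyAdminsSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Append rather than replace: the existing rules stay first in the set, so
# the accounts authorized by default are never locked out by this change.
if ([string]::IsNullOrWhiteSpace($current)) {
    $combined = $newRule
} else {
    $combined = $current.TrimEnd() + "`r`n" + $newRule
}

# Preview, then apply.
Set-ADFSConfiguration -AddProxyAuthorizationRules $combined -WhatIf
Set-ADFSConfiguration -AddProxyAuthorizationRules $combined

# Read back and confirm the original rules and the new rule are both present.
# .Contains() is used instead of -like because rule text contains [ and ],
# which -like would treat as wildcard characters.
$after = [string](Get-ADFSConfiguration).AddProxyAuthorizationRules
if (-not $after.Contains($current.TrimEnd()) -or -not $after.Contains($ProxyAdminsSid)) {
    Write-Warning "Rule set did not apply as expected; restore from $backup"
}
```

Scope the added rule to a specific group SID rather than a broad claim, and keep the backup file until a proxy has successfully registered against the new rule set.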

-ArtifactDbConnection<String>

Specifies the connection string to use for the database that maintains the artifacts that the artifact resolution service uses.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AuthenticationContextOrder<Uri[]>

Specifies a list of authentication contexts, in order by relative strength. Each authentication context must be a URI.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AutoCertificateRollover<Boolean>

Specifies whether the Federation Service manages certificates on the administrator's behalf and generates new certificates before the current certificates expire.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificateCriticalThreshold<Int32>

Specifies the period of time (in days) before the current primary signing or decryption certificate expires. When this threshold is reached, the Federation Service initiates the auto-rollover service, generates a new certificate, and promotes it to be the primary certificate. This rollover occurs even if the critical threshold interval does not leave partners enough time to replicate the new metadata. The value should be a short period that is used only in extreme conditions, when the Federation Service has not been able to generate a new certificate in advance.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificateDuration<Int32>

Specifies the period of time (in days) that any certificates that the Federation Service generates remain valid.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificateGenerationThreshold<Int32>

Specifies the period of time (in days) before the current primary certificate expires at which a new primary certificate is generated to replace it. When this threshold is reached, the Federation Service initiates an auto-rollover process that generates a new certificate and adds it to the secondary collection. This happens in advance so that federation partners can consume the updated metadata before the newly generated certificate is promoted to be the primary certificate, and trust is not broken by the promotion.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificatePromotionThreshold<Int32>

Specifies the period of time (in days) during which a newly generated certificate remains a secondary certificate before being promoted to be the primary certificate.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificateRolloverInterval<Int32>

Specifies the certificate rollover interval (in minutes). This value determines the frequency at which the Federation Service initiates the rollover service by polling to check whether new certificates need to be generated.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CertificateThresholdMultiplier<Int32>

Specifies the certificate threshold multiplier. By default, this parameter uses the number of minutes in a day (1440) as the multiplier. Change it only if you want a finer-grained unit of time (such as less than a single day) when calculating the time periods for the other certificate threshold parameters of this cmdlet.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false
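The certificate parameters above (-AutoCertificateRollover through -CertificateThresholdMultiplier) only make sense as one schedule: a promotion wait longer than the generation lead time, or a critical threshold that fires before normal generation, promotes a certificate before partners have seen its metadata. The following PowerShell is an added example, not code from the reference page. It checks the ordering of the thresholds, previews the change, applies it, and verifies the result. The day counts are illustrative assumptions, -CertificateThresholdMultiplier is left at its default so thresholds are in days, and the example assumes the object returned by -PassThru exposes properties named like the parameters.

```powershell
# Added example (not from the reference page): apply one consistent certificate
# rollover schedule and check that the thresholds are ordered sensibly before
# committing. The day counts are illustrative assumptions; the threshold
# multiplier is left at its default of 1440 (minutes per day), so the
# thresholds below are days. Assumes the object returned by -PassThru exposes
# properties with the same names as the parameters.
$Desired = @{
    AutoCertificateRollover        = $true
    CertificateDuration            = 365   # generated certificates stay valid for a year
    CertificateGenerationThreshold = 20    # generate the replacement 20 days before expiry
    CertificatePromotionThreshold  = 5     # keep it secondary for 5 days so partners pull metadata
    CertificateCriticalThreshold   = 2     # emergency rollover with 2 days left
    CertificateRolloverInterval    = 720   # poll for needed rollovers every 12 hours (minutes)
}

# Sanity checks: the replacement must be generated inside the certificate's
# lifetime, the promotion wait must fit inside the generation window so
# partners see the metadata before promotion, and the emergency (critical)
# threshold must be shorter than the normal generation lead time.
$problems = @()
if ($Desired.CertificateGenerationThreshold -ge $Desired.CertificateDuration) {
    $problems += 'CertificateGenerationThreshold must be smaller than CertificateDuration.'
}
if ($Desired.CertificatePromotionThreshold -ge $Desired.CertificateGenerationThreshold) {
    $problems += 'CertificatePromotionThreshold must be smaller than CertificateGenerationThreshold.'
}
if ($Desired.CertificateCriticalThreshold -ge $Desired.CertificateGenerationThreshold) {
    $problems += 'CertificateCriticalThreshold must be smaller than CertificateGenerationThreshold.'
}
if ($problems.Count -gt 0) {
    throw ($problems -join "`n")
}

# Preview first, then apply and capture the resulting configuration object.
Set-ADFSConfiguration @Desired -WhatIf
$after = Set-ADFSConfiguration @Desired -PassThru

# Confirm every value landed as intended.
foreach ($name in $Desired.Keys) {
    if ($after.$name -ne $Desired[$name]) {
        Write-Warning ('{0} is {1}, expected {2}' -f $name, $after.$name, $Desired[$name])
    }
}
```

The generation window (20 days here) is the time partners have to pick up the new metadata; set it to cover the slowest partner's metadata refresh cycle plus a margin.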

-ClientCertRevocationCheck<String>

Specifies the type of validation that should occur for the client encryption certificate before it is used for decrypting claims from a claims provider. Valid values are None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludingRoot, and CheckChainExcludingRootCacheOnly.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ContactPerson<ContactPerson>

Specifies contact information for support.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DisplayName<String>

Specifies the friendly name for this Federation Service.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ExtendedProtectionTokenCheck<String>

Specifies the level of Extended Protection for Authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client's credentials and forwards them to a server. Protection against such attacks is provided by a Channel Binding Token (CBT), which the server can require, allow, or not require when establishing communications with clients.

Possible values for this setting are as follows: "Require" (the server is fully hardened; extended protection is enforced), "Allow" (the server is partially hardened; extended protection is enforced where the systems involved have been patched to support it), and "None" (the server is vulnerable; extended protection is not enforced). The default setting is "Allow".

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-FederationPassiveAddress<String>

Specifies the relative address of the federation passive virtual directory. By default, the AD FS 2.0 Federation Server Configuration Wizard configures the address /adfs/ls/. If you need to change this value, do so only after you modify the Internet Information Services (IIS) virtual directory on all federation servers in the Federation Service.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-HostName<String>

Specifies the network addressable host name of the Federation Service.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-HttpPort<Int32>

Specifies the HTTP port for the server.

If you use this parameter to modify the HTTP port number you also need to manually reset ACLs on the HTTP endpoint URL used by the Federation service. For more information, see Example 2 below.

By default, the federation server proxy service is configured to use TCP port 80 for HTTP traffic for communication with the federation server. To configure alternate ports, such as port 81 for HTTP, see the topic "Configuring an Alternate TCP/IP Port for Proxy Operations" in the AD FS Deployment Guide.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-HttpsPort<Int32>

Specifies the HTTPS port for the server.

By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic for communication with the federation server. To configure alternate ports, such as TCP port 444 for HTTPS, see the topic "Configuring an Alternate TCP/IP Port for Proxy Operations" in the AD FS Deployment Guide.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Identifier<Uri>

Specifies the URI that uniquely identifies the Federation Service.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-LogLevel<String[]>

Specifies the level of logging detail. The list defines which types of events are logged.

Possible values are Errors, Warnings, Information, SuccessAudits, and FailureAudits.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-MonitoringInterval<Int32>

Specifies how often (in minutes) the Federation Service monitors the federation metadata of relying parties and claims providers that are enabled for federation metadata monitoring.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-NetTcpPort<Int32>

Specifies the TCP port for the server.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-NtlmOnlySupportedClientAtProxy<Boolean>

Enables support for NTLM-based authentication in situations where the active federation server proxy does not support the Negotiate authentication method. This setting affects only the Windows transport endpoint. If this value is changed, the federation server proxy must be restarted.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-OrganizationInfo<Organization>

Specifies information about the organization as published in the federation metadata for the Federation Service.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

Passes the updated AD FS configuration object to the pipeline. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PreventTokenReplays<Boolean>

Specifies whether the Federation Service is configured to prevent the replay of security tokens.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ProxyTrustTokenLifetime<Int32>

Specifies the lifetime (in minutes) of proxy trust tokens, which the federation server proxy uses to authenticate to its associated federation server.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ReplayCacheExpirationInterval<Int32>

Specifies the cache duration (in minutes) for token replay detection. This value determines how long a token is retained in the replay cache. When the age of a cached token exceeds this interval, the Federation Service treats the token as expired and rejects any attempt to replay it.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SamlMessageDeliveryWindow<Int32>

Specifies the duration (in minutes) for which SAML messages that the Federation Service sends are considered valid.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SignedSamlRequestsRequired<Boolean>

Specifies whether the Federation Service indicates in its federation metadata that it requires signed SAML protocol authentication requests.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SignSamlAuthnRequests<Boolean>

Indicates whether the Federation Service will sign SAML protocol authentication requests to claims providers.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false
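Several of the parameters above are hardening switches rather than plumbing: -ExtendedProtectionTokenCheck, -ClientCertRevocationCheck, -LogLevel, -PreventTokenReplays, -SignedSamlRequestsRequired, and -SignSamlAuthnRequests. The following PowerShell is an added example, not code from the reference page. It reads the live configuration with Get-ADFSConfiguration, reports every setting that differs from a baseline, and builds a Set-ADFSConfiguration call covering only the drifted settings. The baseline values are this example's choices, not defaults from the page, and it assumes the object returned by Get-ADFSConfiguration exposes properties named like the cmdlet's parameters.

```powershell
# Added example (not from the reference page): report drift between the live
# Federation Service configuration and a hardened baseline, then preview the
# change needed to close the gap. Baseline values are this example's choices.
# Assumes Get-ADFSConfiguration returns an object whose property names match
# the Set-ADFSConfiguration parameter names.
$Baseline = @{
    ExtendedProtectionTokenCheck = 'Require'      # enforce channel binding (CBT) for every client
    ClientCertRevocationCheck    = 'CheckChain'   # full-chain revocation check on client encryption certs
    PreventTokenReplays          = $true          # reject replayed security tokens
    SignedSamlRequestsRequired   = $true          # advertise that SAML AuthnRequests must be signed
    SignSamlAuthnRequests        = $true          # sign the requests sent to claims providers
    LogLevel                     = @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')
}

function Test-SameValue {
    # Compare a live value with a baseline value. List-valued settings such as
    # LogLevel are compared as sets so that ordering differences are not
    # reported as drift; scalars are compared by their string form.
    param($Have, $Want)
    if ($Want -is [array]) {
        $haveSet = @($Have | ForEach-Object { "$_" } | Sort-Object -Unique)
        $wantSet = @($Want | ForEach-Object { "$_" } | Sort-Object -Unique)
        return (($haveSet -join ',') -eq ($wantSet -join ','))
    }
    return ("$Have" -eq "$Want")
}

$current = Get-ADFSConfiguration
$drift   = @{}

foreach ($name in $Baseline.Keys) {
    $have = $current.$name
    $want = $Baseline[$name]
    if (-not (Test-SameValue -Have $have -Want $want)) {
        $drift[$name] = $want
        Write-Warning ('{0}: current=[{1}] baseline=[{2}]' -f $name, ($have -join ','), ($want -join ','))
    }
}

if ($drift.Count -eq 0) {
    Write-Output 'Federation Service matches the baseline.'
} else {
    # Preview only; remove -WhatIf once the warnings above have been reviewed.
    Set-ADFSConfiguration @drift -WhatIf
}
```

Review the drift report before removing -WhatIf: as the -ExtendedProtectionTokenCheck description notes, "Require" enforces channel binding for every client, so it belongs in the baseline only once every client and proxy in the path has been patched to support it.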

-SsoLifetime<Int32>

Specifies the duration of the single sign-on (SSO) experience for Web browser clients (in minutes).

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • None

Examples

-------------------------- EXAMPLE 1 --------------------------

Sets the display name of the Federation Service to "Fabrikam STS" and its identifier to https://fabrikam.com.

PS C:\> Set-ADFSConfiguration -DisplayName "Fabrikam STS" -Identifier "https://fabrikam.com"

-------------------------- EXAMPLE 2 --------------------------

Sets the HTTP port to 8123.

Before restarting the Federation Service, update the ACLs for the corresponding endpoint URLs so that the service can be restarted successfully on the new port number. For example, use a netsh command similar to the following to add the required URL ACL for the updated URL.

netsh http add urlacl url=http://+:8123/adfs/services/ user="Network Service"

PS C:\> Set-ADFSConfiguration -HttpPort 8123

Get-ADFSConfiguration