Powershell

Windows Server 2016 ADFS SSO with Chrome, Firefox and other user agents

Out of the box, Windows Server 2016 Active Directory Federation Services does not give users running Chrome the seamless sign-on experience that Internet Explorer gets. Thankfully there are two simple changes that enable this functionality.

Open PowerShell on one of the ADFS servers as administrator and check the list of existing WIASupportedUserAgents:

PS C:\Windows\system32> Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge

The easiest way to add the additional agents is with the following command; here I've added Chrome, Mozilla/5.0 and Edge/12.

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")

Earlier builds required you to disable the ExtendedProtectionTokenCheck for Chrome to work; as of writing (August 2017) this is no longer the case. Restart the ADFS service and you should be in business!
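The same change written so it is safe to rerun (the one-liner above appends duplicates if run twice), plus a check that ExtendedProtectionTokenCheck has not been left at None. This is an added example, not the post's own script; the agent list and the adfssrv service name are assumptions.

```powershell
# Assumed: run elevated on an ADFS 2016 node, where the ADFS module loads automatically.
$wanted = @("Chrome", "Mozilla/5.0", "Edge/12")

# Only append agent strings that are not already in the farm property.
$current = Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
    Write-Host "Added WIA user agents: $($missing -join ', ')"
    # The post says to restart the ADFS service for the change to take effect.
    Restart-Service -Name adfssrv
} else {
    Write-Host "All requested user agents already present; nothing changed."
}

# Channel-binding check: None turns it off, and Chrome no longer needs that.
$epa = (Get-AdfsProperties).ExtendedProtectionTokenCheck
if ($epa -eq "None") {
    Write-Warning "ExtendedProtectionTokenCheck is None; Chrome no longer requires this, consider Allow or Require."
} else {
    Write-Host "ExtendedProtectionTokenCheck is $epa"
}
```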


Powershell Script to Create SharePoint Service Accounts

I find myself creating lots of SharePoint 2010 farm deployments these days, and with that comes the requirement to create the required user accounts. I have created a quick PowerShell script below that you can use to script this.

Import-Module ActiveDirectory

# Prompt for the shared service-account password rather than keeping it in plain text in the script.
$securePassword = Read-Host -Prompt "Password for SharePoint service accounts" -AsSecureString
$domain = "Domain.local"
# The OU must already exist; adjust the DC components to match $domain.
$ouPath = "OU=SharePoint Service Accounts,DC=domain,DC=local"

# SamAccountName => description for each account the farm needs.
$accounts = [ordered]@{
    sp_install     = "Used to install SharePoint on farm servers."
    sp_farm        = "Farm account"
    sp_webapp      = "Used to run IIS application pool for web applications"
    sp_svcapp      = "Used to run IIS application pool for service app web services"
    sp_search      = "Used to run Enterprise Search service"
    sp_crawl       = "Default content access account used by crawler to crawl SharePoint sites."
    sp_ups         = "Used to run User Profile service"
    sp_ups_import  = "Used to sync profile information with AD"
    sp_superreader = "Used for IIS caching"
    sp_superuser   = "Used for IIS caching"
}

foreach ($name in $accounts.Keys) {
    New-ADUser -SamAccountName $name -Name $name -UserPrincipalName "$name@$domain" `
        -AccountPassword $securePassword -Enabled $true -PasswordNeverExpires $true `
        -Path $ouPath -Description $accounts[$name]
}

# Search and User Profile sync accounts need this group membership.
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members sp_search, sp_ups_import