Set-ADFSProperties

Sets the properties of the Federation Service.

Syntax

Set-ADFSProperties [-AcceptableIdentifier <Uri[]>] [-AddProxyAuthorizationRules <string>] [-ArtifactDbConnection <string>] [-AuthenticationContextOrder <Uri[]>] [-AutoCertificateRollover <Boolean>] [-CertificateCriticalThreshold <int>] [-CertificateDuration <int>] [-CertificateGenerationThreshold <int>] [-CertificatePromotionThreshold <int>] [-CertificateRolloverInterval <int>] [-CertificateThresholdMultiplier <int>] [-ClientCertRevocationCheck] [-ContactPerson <ContactPerson[]>] [-DisplayName <string>] [-ExtendedProtectionTokenCheck <string>] [-FederationPassiveAddress <string>] [-HostName <string>] [-HttpPort <int>] [-HttpsPort <int>] [-Identifier <Uri>] [-LogLevel <string[]>] [-MonitoringInterval <int>] [-NetTcpPort <int>] [-NtlmOnlySupportedClientAtProxy <Boolean>] [-OrganizationInfo <Organization>] [-PreventTokenReplays <System.Nullable[bool]>] [-ProxyTrustTokenLifetime <int>] [-ReplayCacheExpirationInterval <int>] [-SamlMessageDeliveryWindow <int>] [-SignedSamlRequestsRequired <System.Nullable[bool]>] [-SignSamlAuthnRequests <System.Nullable[bool]>] [-SsoLifetime <int>] [-Confirm] [-WhatIf] [<CommonParameters>]
  • AcceptableIdentifier

  • AddProxyAuthorizationRules

  • ArtifactDbConnection

  • AuthenticationContextOrder

  • AutoCertificateRollover

  • CertificateCriticalThreshold

  • CertificateDuration

  • CertificateGenerationThreshold

  • CertificatePromotionThreshold

  • CertificateRolloverInterval

  • CertificateThresholdMultiplier

  • ContactPerson

  • DisplayName

  • ExtendedProtectionTokenCheck

  • FederationPassiveAddress

  • HostName

  • HttpPort

  • HttpsPort

  • Identifier

  • LogLevel

  • MonitoringInterval

  • NetTcpPort

  • NtlmOnlySupportedClientAtProxy

  • OrganizationInfo

  • PreventTokenReplays

  • ProxyTrustTokenLifetime

  • ReplayCacheExpirationInterval

  • SamlMessageDeliveryWindow

  • SignedSamlRequestsRequired

  • SignSamlAuthnRequests

  • SsoLifetime

  • Confirm

  • WhatIf

Detailed Description

The Set-ADFSProperties cmdlet sets the global properties and configuration of the Federation Service.

Parameters

AcceptableIdentifier

Specifies identifiers that are acceptable names for the Federation Service when it checks the audience for claims that it receives from another claims provider.

Data Type: Uri[]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              true    variableLength

AddProxyAuthorizationRules

Specifies the claim rule set that authorizes callers to register a federation server proxy with the Federation Service. The default rule set permits three kinds of caller: any member of BUILTIN\Administrators (group SID S-1-5-32-544 issued by AD AUTHORITY), the AD FS 2.0 service account (looked up by primary SID in the proxy credential store), and a proxy that has already been provisioned (identified by its proxy trust ID issued by SELF AUTHORITY). Modify this property only to authorize an additional account beyond those. The cmdlet replaces the whole rule set rather than appending to it, so a rule set that is incomplete or malformed can prevent any new proxy from registering.

Default Value:

exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");
c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("https://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})", param= c.Value );
c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("https://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );

Data Type: string

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength
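The following is an added example, not part of the original reference, of the safe way to grant one more group the right to register proxies: read the current rule set, append a rule written in the same claims language as the defaults, keep a backup, and verify that the BUILTIN\Administrators rule survived. The group SID is a placeholder, and it assumes the Microsoft.Adfs.PowerShell snap-in is loaded on a federation server.

```powershell
# Added example: extend AddProxyAuthorizationRules without dropping the defaults.
# Assumptions: placeholder group SID; run elevated on a federation server with
# Add-PSSnapin Microsoft.Adfs.PowerShell already done.

$proxyAdminsGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder SID

# Same shape as the default BUILTIN\Administrators rule: permit when the caller
# carries the group SID issued by AD AUTHORITY.
$ruleTemplate = @'
exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "{SID}", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "https://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$extraRule = $ruleTemplate.Replace('{SID}', $proxyAdminsGroupSid)

# Set-ADFSProperties replaces the whole string, so start from what is configured now.
$current = (Get-ADFSProperties).AddProxyAuthorizationRules
if (-not $current) { throw 'Current rule set could not be read; not changing anything.' }

# Keep a copy so proxy registration can be restored if the new rules misbehave.
$backup = Join-Path $env:TEMP ('AddProxyAuthorizationRules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $current -Encoding UTF8

$newRules = $current.TrimEnd() + "`r`n" + $extraRule

Set-ADFSProperties -AddProxyAuthorizationRules $newRules -WhatIf   # dry run first
Set-ADFSProperties -AddProxyAuthorizationRules $newRules

# Verify the default Administrators permit rule is still present after the change.
$applied = (Get-ADFSProperties).AddProxyAuthorizationRules
if ($applied -notmatch 'S-1-5-32-544') {
    Write-Warning "Administrators rule is missing; restoring the rule set from $backup"
    Set-ADFSProperties -AddProxyAuthorizationRules ([System.IO.File]::ReadAllText($backup))
}
```

Test the result by registering a proxy with an account that holds only the new group membership; if registration fails, restore from the backup file rather than editing the live rule set further.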

ArtifactDbConnection

Specifies the connection string to use for the database that maintains the artifacts that the artifact resolution service uses.

Default Value:

Standalone and Windows Internal Database (WID) farms: Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsArtifactStore;Integrated Security=True
SQL Server farms: Data Source=<fully-qualified domain name of SQL Server>;Initial Catalog=AdfsArtifactStore;Integrated Security=True

Data Type: string

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

AuthenticationContextOrder

Specifies a list of authentication contexts, in order by relative strength. Each authentication context must be a URI.

Default Value: {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}

Data Type: Uri[]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              true    variableLength

AutoCertificateRollover

Specifies whether the Federation Service manages its token-signing and token-decrypting certificates itself, generating a new certificate before the current one expires. The certificate threshold parameters below take effect only when this is True; when it is False, renewing those certificates and publishing them to partners is the administrator's job.

Data Type: Boolean

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificateCriticalThreshold

Specifies the period of time (in days) before a current primary signing or decryption certificate expires. When this threshold occurs, the Federation Service initiates the auto-rollover service, generates a new certificate, and promotes it to be the primary certificate. This rollover process occurs even if the critical threshold interval does not provide sufficient time for partners to replicate the new metadata. This should be a short period of time that is used only in extreme conditions when the Federation Service has not been able to generate a new certificate in advance.

Default Value: 2

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificateDuration

Specifies the period of time (in days) that any certificates that the Federation Service generates remain valid.

Default Value: 365

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificateGenerationThreshold

Specifies the period of time (in days) before a new primary certificate is generated to replace the current primary certificate. When this threshold occurs, the Federation Service initiates an auto-rollover process that generates a new certificate and adds it to the secondary collection. This rollover process occurs so that federation partners can consume this metadata in advance and trust is not broken when this newly generated certificate is promoted to be a primary certificate.

Default Value: 20

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificatePromotionThreshold

Specifies the period of time (in days) during which a newly generated certificate remains a secondary certificate before being promoted to be the primary certificate.

Default Value: 5

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificateRolloverInterval

Specifies the certificate rollover interval (in minutes). This value determines the frequency at which the Federation Service initiates the rollover service by polling to check whether new certificates need to be generated.

Default Value: 720

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

CertificateThresholdMultiplier

Specifies the certificate threshold multiplier. By default, this parameter uses the number of minutes in a day (1440) as a multiplier. This should be changed only if you want to use a more finely detailed measure of time (such as less than a single day) for calculating the time periods for other certificate threshold parameters in this cmdlet.

Default Value: 1440

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength
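The six certificate parameters above (AutoCertificateRollover through CertificateThresholdMultiplier) only make sense together: a successor certificate is generated CertificateGenerationThreshold units before expiry, stays secondary for CertificatePromotionThreshold units so partners can pull it from metadata, and the critical threshold is the emergency path if that did not happen. The following added example, not from the original reference, checks a schedule for those relationships before applying it. It assumes the Microsoft.Adfs.PowerShell snap-in is loaded and takes one day as the worst-case partner metadata polling period, which is this example's assumption rather than anything the page states.

```powershell
# Added example: validate the auto-rollover timeline before changing it.
# Assumptions: run on a federation server with the AD FS snap-in loaded;
# partners poll metadata no less often than once a day (PartnerPollMinutes).

function Test-AdfsRolloverSchedule {
    param(
        [int]$CertificateDuration,             # days a generated certificate is valid
        [int]$CertificateGenerationThreshold,  # days before expiry a successor is generated
        [int]$CertificatePromotionThreshold,   # days the successor stays secondary
        [int]$CertificateCriticalThreshold,    # days before expiry the emergency path runs
        [int]$CertificateRolloverInterval,     # minutes between rollover polls
        [int]$CertificateThresholdMultiplier,  # minutes per threshold unit (1440 = days)
        [int]$PartnerPollMinutes = 1440        # assumed worst-case partner polling period
    )
    $problems = @()
    $m = $CertificateThresholdMultiplier

    if ($CertificateGenerationThreshold -ge $CertificateDuration) {
        $problems += 'GenerationThreshold is not below CertificateDuration: a successor would be generated as soon as a certificate is issued.'
    }
    # Promotion happens PromotionThreshold after generation, i.e. (Generation - Promotion)
    # before expiry; that point must still lie outside the critical window.
    if (($CertificateGenerationThreshold - $CertificatePromotionThreshold) -le $CertificateCriticalThreshold) {
        $problems += 'Generation minus Promotion is not above CriticalThreshold: normal promotion would land inside the emergency window.'
    }
    # Partners must see the secondary certificate in metadata before it becomes primary.
    if (($CertificatePromotionThreshold * $m) -lt $PartnerPollMinutes) {
        $problems += "PromotionThreshold gives partners less than $PartnerPollMinutes minutes to fetch the new certificate from metadata."
    }
    # The poller has to fire inside the critical window or the emergency path never runs.
    if ($CertificateRolloverInterval -ge ($CertificateCriticalThreshold * $m)) {
        $problems += 'RolloverInterval is not shorter than the critical window: the rollover poller may not run before the certificate expires.'
    }
    return $problems
}

$p = Get-ADFSProperties
if (-not $p.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is False: none of the thresholds apply and certificate renewal is manual.'
}
$issues = Test-AdfsRolloverSchedule -CertificateDuration $p.CertificateDuration `
    -CertificateGenerationThreshold $p.CertificateGenerationThreshold `
    -CertificatePromotionThreshold $p.CertificatePromotionThreshold `
    -CertificateCriticalThreshold $p.CertificateCriticalThreshold `
    -CertificateRolloverInterval $p.CertificateRolloverInterval `
    -CertificateThresholdMultiplier $p.CertificateThresholdMultiplier
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Current rollover schedule is consistent.' }

# Proposed change: generate 30 days out and keep the successor secondary for 10 days,
# so partners get ten days of notice instead of the default five. Check, then apply.
$proposed = Test-AdfsRolloverSchedule -CertificateDuration 365 -CertificateGenerationThreshold 30 `
    -CertificatePromotionThreshold 10 -CertificateCriticalThreshold 2 `
    -CertificateRolloverInterval 720 -CertificateThresholdMultiplier 1440
if (-not $proposed) {
    Set-ADFSProperties -CertificateGenerationThreshold 30 -CertificatePromotionThreshold 10 -WhatIf
}
```

With the documented defaults (365, 20, 5, 2, 720, 1440) every check passes; the function exists to catch the common mistake of shrinking the generation threshold without shrinking the promotion threshold, which pushes promotion into the critical window where partners are not guaranteed to have the new key.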

ContactPerson

Specifies contact information for support.

Data Type: ContactPerson[]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              true    variableLength

DisplayName

Specifies the friendly name for this Federation Service.

Data Type: string

ExtendedProtectionTokenCheck

Specifies the level of Extended Protection for Authentication that the federation server enforces. Extended Protection for Authentication defends against man-in-the-middle (MITM) credential relay, in which an attacker intercepts a client's Windows authentication and forwards it to the server, by binding the authentication to the TLS channel with a Channel Binding Token (CBT). The server can require the token, allow it, or ignore it.

Possible values are "Require" (fully hardened: authentication without a valid CBT is rejected, so clients and proxies that do not support extended protection fail to authenticate), "Allow" (partially hardened: the CBT is enforced only for clients that have been updated to send one, and unpatched clients are still accepted) and "None" (not hardened: the CBT is ignored). The default is "Allow"; move to "Require" only after confirming that every client and federation server proxy in the path has been updated for extended protection.

Default Value: Allow

Data Type: string

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

FederationPassiveAddress

Specifies the relative address for the federation passive virtual directory. By default, /adfs/ls/ address is configured by the AD FS 2.0 Federation Server Configuration Wizard. If you need to change this value, change this value only after you modify the Internet Information Services (IIS) virtual directory on all federation servers in the Federation Service.

Default Value: /adfs/ls/

Data Type: string

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

HostName

Specifies the network addressable host name of the Federation Service.

Data Type: string

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

HttpPort

Specifies the HTTP port for the server.

Warning

If you use this parameter to modify the HTTP port number you also need to manually reset ACLs on the HTTP endpoint URL used by the Federation service. For more information, see Example 2 below.

Note

By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic and port 80 for HTTP traffic for communication with the federation server. To configure alternate ports, such as TCP port 444 for HTTPS and port 81 for HTTP, see Configuring an Alternate TCP/IP Port for Proxy Operations.

Default Value: 80

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

HttpsPort

Specifies the HTTPS port for the server.

Note

By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic and port 80 for HTTP traffic for communication with the federation server. To configure alternate ports, such as TCP port 444 for HTTPS and port 81 for HTTP, see Configuring an Alternate TCP/IP Port for Proxy Operations.

Default Value: 443

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

Identifier

Specifies the URI that uniquely identifies the Federation Service.

Data Type: Uri

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

LogLevel

Specifies which event types the Federation Service logs. Only the types in the list are written; the cmdlet replaces the whole list, so include the existing values when adding new ones.

Possible values are Errors, Warnings, Information, Verbose, SuccessAudits, and FailureAudits. SuccessAudits and FailureAudits produce security audit events; they reach the Security log only if the local audit policy permits application-generated audits and the AD FS service account holds the Generate security audits right.

Default Value: {Errors, Information, Verbose, Warnings}

Data Type: string[]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              true    variableLength
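Turning on SuccessAudits and FailureAudits is the change that makes token issuance visible to a SOC, and it is easy to get wrong: passing only the audit values to -LogLevel drops Errors and Warnings, and the events never appear unless the audit policy and service-account right are in place. The following added example, not part of the original reference, does all three steps; the service account check reads the exported local security policy, and the only assumption is that you run it elevated on each federation server with the AD FS snap-in loaded.

```powershell
# Added example: enable AD FS security auditing end to end.
# Assumptions: elevated PowerShell on each federation server; AD FS snap-in loaded.

# 1. Merge the audit levels into the existing list instead of replacing it.
$current = @((Get-ADFSProperties).LogLevel)
$wanted  = @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')
$merged  = @($current + $wanted | Sort-Object -Unique)
Set-ADFSProperties -LogLevel $merged

# 2. AD FS audits are application-generated events; the local audit policy has to
#    allow that subcategory or the events are silently discarded.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { Write-Warning 'auditpol failed; audit events will not be written.' }

# 3. The AD FS service account needs the "Generate security audits" right
#    (SeAuditPrivilege). Export the user-rights area and look for it.
$cfg = Join-Path $env:TEMP 'secpol-userrights.cfg'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$grant = Select-String -Path $cfg -Pattern '^SeAuditPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$svc = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName   # account the service runs as
if (-not $grant) {
    Write-Warning "SeAuditPrivilege is not assigned to anyone on this host; grant it to $svc via Local Security Policy or GPO."
} else {
    "Service account: $svc"
    "Holders of SeAuditPrivilege (SIDs or names): $($grant.Line)"
}

# 4. Confirm the effective log levels.
(Get-ADFSProperties).LogLevel
```

The secedit export lists the right's holders as SIDs or names, so compare the service account by SID if it does not appear by name. Repeat steps 2 and 3 on every federation server; -LogLevel is a farm-wide property but audit policy and user rights are per host.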

MonitoringInterval

Specifies how often (in minutes) the Federation Service polls the federation metadata of those relying parties and claims providers that have federation metadata monitoring enabled.

Default Value: 1440

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

NetTcpPort

Specifies the net.tcp port on which the Federation Service listens.

Default Value: 1501

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

NtlmOnlySupportedClientAtProxy

Enables NTLM authentication on the Windows transport endpoint for clients that reach the federation server through a federation server proxy and cannot use the Negotiate authentication method. The setting affects only the Windows transport endpoint, and the federation server proxy must be restarted after it is changed. Because NTLM offers weaker protection than Kerberos, leave this False unless such clients actually exist.

Default Value: False

Data Type: Boolean

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

OrganizationInfo

Specifies information about the organization as published in the federation metadata for the Federation Service.

Data Type: Organization

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

PreventTokenReplays

Specifies whether the Federation Service is configured to prevent the replay of security tokens.

Default Value: True

Data Type: System.Nullable[bool]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

ProxyTrustTokenLifetime

Specifies the lifetime (in minutes) of the proxy trust token that a federation server proxy uses to authenticate to its federation server. The default of 21600 minutes is 15 days; a shorter lifetime bounds how long a proxy's trust credential remains usable if it is copied off the proxy.

Default Value: 21600

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

ReplayCacheExpirationInterval

Specifies how long (in minutes) the token replay cache retains the identifiers of tokens the Federation Service has accepted. A token presented again while its identifier is still cached is rejected as a replay; once the entry ages out, the token is assumed to have expired on its own. Keep this interval at least as long as the validity period of the tokens the Federation Service accepts, otherwise a captured token could be replayed after its cache entry is evicted but before the token itself expires.

Default Value: 60

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

SamlMessageDeliveryWindow

Specifies the duration for which the SAML messages that the Federation Service sends should be considered valid (in minutes).

Default Value: 5

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

SignedSamlRequestsRequired

Specifies whether the Federation Service indicates in its federation metadata that it requires signed SAML protocol authentication requests.

Default Value: False

Data Type: System.Nullable[bool]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

SignSamlAuthnRequests

Indicates whether the Federation Service will sign SAML protocol authentication requests to claims providers.

Default Value: False

Data Type: System.Nullable[bool]

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength

SsoLifetime

Specifies the duration of the single sign-on (SSO) experience for Web browser clients (in minutes).

Default Value: 480

Data Type: int

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     true    required
Variable Length?              false   variableLength
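The token-handling properties documented above (ExtendedProtectionTokenCheck, PreventTokenReplays, ReplayCacheExpirationInterval, SamlMessageDeliveryWindow, SignedSamlRequestsRequired, SignSamlAuthnRequests and SsoLifetime) are the ones a reviewer checks for drift. The following added example, not part of the original reference, compares them against a baseline, reports differences, and applies the differences in a single call. The baseline values are this example's own choices, not AD FS defaults, and the cross-check between the replay cache and the delivery window is a conservative rule this example adopts; it assumes the Microsoft.Adfs.PowerShell snap-in is loaded.

```powershell
# Added example: detect and correct drift from a token-handling baseline.
# Assumptions: baseline values are this example's choices; AD FS snap-in loaded.

$baseline = @{
    ExtendedProtectionTokenCheck  = 'Require'   # CBT enforced; clients without EPA support will fail
    PreventTokenReplays           = $true
    ReplayCacheExpirationInterval = 60          # minutes; must cover the validity of accepted tokens
    SamlMessageDeliveryWindow     = 5           # minutes a SAML message stays valid
    SignedSamlRequestsRequired    = $true       # advertise that AuthnRequests must be signed
    SignSamlAuthnRequests         = $true       # sign the AuthnRequests we send to claims providers
    SsoLifetime                   = 480         # minutes a browser SSO session survives
}

$p = Get-ADFSProperties
$drift = @{}
foreach ($name in $baseline.Keys) {
    $actual = $p.$name
    # String comparison so $true/'True' and 60/'60' compare the way the report reads.
    if ("$actual" -ne "$($baseline[$name])") {
        $drift[$name] = $baseline[$name]
        '{0,-32} current={1,-8} baseline={2}' -f $name, $actual, $baseline[$name]
    }
}

# Cross-parameter rule: replay-cache entries must outlive any message still inside its
# delivery window, or a captured message can be presented again after eviction.
if ($p.ReplayCacheExpirationInterval -lt $p.SamlMessageDeliveryWindow) {
    Write-Warning 'ReplayCacheExpirationInterval is shorter than SamlMessageDeliveryWindow.'
}
if (-not $p.PreventTokenReplays) {
    Write-Warning 'PreventTokenReplays is off; ReplayCacheExpirationInterval has no effect.'
}

if ($drift.Count -eq 0) { 'No drift from baseline.'; return }

# Splat only the differing properties into one Set-ADFSProperties call; dry run first.
Set-ADFSProperties @drift -WhatIf
Set-ADFSProperties @drift -Confirm
```

Run it from a scheduled job and alert on any printed drift line rather than on the correction step; ExtendedProtectionTokenCheck set to Require is the one value here that can lock out clients, so keep that change behind the -Confirm prompt until the client population has been verified.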

Confirm

Prompts you for confirmation before executing the command.

Data Type: SwitchParameter

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength

WhatIf

Describes what would happen if you executed the command without actually executing the command.

Data Type: SwitchParameter

Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              true    variableLength
Accept wildcard characters?   false   globbing
Accept Pipeline Input?        false   pipelineInput
Position?                     named   position

Value Attributes

Name                          Value   PSMAML Attribute
Required?                     false   required
Variable Length?              false   variableLength

Input Type

None

Return Type

None

Notes

  • The ADFSProperties resource contains properties and settings for the Federation Service.

Examples

-------------------------- EXAMPLE 1 --------------------------

Command Prompt: C:\PS>

Set-ADFSProperties -DisplayName "Fabrikam STS" -Identifier "https://fabrikam.com"

Description

-----------

Sets the display name of the Federation Service to "Fabrikam STS" and its identifier to https://fabrikam.com. Relying parties and claims providers match this identifier against the issuer in the tokens and metadata they receive, so changing it breaks existing trusts until the partners update their configuration.

-------------------------- EXAMPLE 2 --------------------------

Command Prompt: C:\PS>

Set-ADFSProperties -HttpPort 8123

Description

-----------

Sets the HTTP port to 8123. Before restarting the AD FS 2.0 Windows Service, reserve the endpoint URL for the new port in HTTP.sys for the account the service runs as; without the reservation the service cannot bind the new port and fails to start. For example, use a Netsh command similar to the following to add the required URL ACL.

netsh http add urlacl url=http://+:8123/adfs/services/ user="NT AUTHORITY\NETWORK SERVICE"
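The following added example, not part of the original reference, carries the port change through end to end: it reads the account the service actually runs as instead of assuming one, records the existing reservation so the change can be reverted, reserves the new URL before touching the property, and only removes the old reservation once the service is back up. It assumes the AD FS 2.0 Windows Service is named adfssrv and that you run elevated on every federation server in the farm.

```powershell
# Added example: change the HTTP port and the HTTP.sys URL reservation together.
# Assumptions: service name adfssrv; new port 8123 as in Example 2; run elevated
# on each federation server; AD FS snap-in loaded.

$newPort = 8123

# Reserve for the account the service runs as rather than a guessed name.
$serviceAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
if (-not $serviceAccount) { throw 'Service adfssrv not found on this host.' }

$oldPort = (Get-ADFSProperties).HttpPort
$oldUrl  = "http://+:$oldPort/adfs/services/"
$newUrl  = "http://+:$newPort/adfs/services/"

# Record the current reservation so the change can be reverted.
"Existing reservation for $oldUrl :"
netsh.exe http show urlacl "url=$oldUrl"

# Reserve the new URL before the service restarts.
netsh.exe http add urlacl "url=$newUrl" "user=$serviceAccount"
if ($LASTEXITCODE -ne 0) { throw "netsh add urlacl failed for $newUrl; port not changed." }

Set-ADFSProperties -HttpPort $newPort
Restart-Service -Name adfssrv

if ((Get-Service -Name adfssrv).Status -ne 'Running') {
    Write-Warning "adfssrv did not start; revert with Set-ADFSProperties -HttpPort $oldPort (the old URL ACL is still in place) and check the AD FS 2.0 Admin event log."
    return
}

# Service is healthy on the new port; drop the reservation for the old one.
netsh.exe http delete urlacl "url=$oldUrl"
"HTTP port changed from $oldPort to $newPort; reservation moved to $newUrl for $serviceAccount."
```

Because HttpPort is a farm-wide property but URL reservations are per host, the netsh steps must run on every federation server before any of them is restarted; federation server proxies that talk to the farm over HTTP need their own port change as noted above.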

See Also

Reference

Get-ADFSProperties

Other Resources

Online version: