Description:
You have existing ADFS running with regular user account. To increase security you want to change the ADFS service account to use group managed service account or gMSA account.
Resolution:
Source of Information: https://github.com/microsoft/adfsToolbox/tree/master/serviceAccountModule
Download the ServiceAccount.psm1
module to all of your AD FS servers (primary and secondary)
Import the PowerShell Module on all servers
In a PowerShell window, run the following: ipmo ServiceAccount.psm1
For Windows Server 2016 and later, add a rule granting the new service account necessary permissions.
In a PowerShell window on the primary AD FS server, run the following:
Add-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>
Note that <ServiceAccount>
should be the service account you want to grant permissions to and can be provided either in the format Domain\User
or merely User
.
<ListOfSecondaryServers>
should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.
Change the service account on each machine in the farm.
Beginning with the secondary servers, run the following:
Update-AdfsServiceAccount
Once the function has been executed on all secondary servers, proceed to run it on the primary server.
If Device Registration Services (DRS) is set up in your AD FS environment, you must also use the Set-AdfsDeviceRegistration
cmdlet (an internal command exposed by the service) to add the proper permissions to the new service account.
For Windows Server 2016 and later, remove the rule granting permissions to the old service account.
In a PowerShell window on the primary AD FS server, run the following:
Remove-AdfsServiceAccountRule -ServiceAccount <ServiceAccount> -SecondaryServers <ListOfSecondaryServers>
Note that <ServiceAccount>
should be the service account you want to revoke permissions for and can be provided either in the format Domain\User
or merely User
.
<ListOfSecondaryServers>
should be replaced with a list of secondary servers if the environment is a WID farm so that the configuration database can be synced across all machines.