Merge pull request #8520 from Deland-Han/ci3907

Deland-Han · web-flow · commit 98bc60924774 · 2025-03-26T14:46:56.000+08:00
AB#3907 [Child of 3895][Azure AD PowerShell references]: ADFS SSO troubleshooting - Windows Server
diff --git a/support/windows-server/active-directory/troubleshoot-ad-fs-sso-issue.md b/support/windows-server/active-directory/troubleshoot-ad-fs-sso-issue.md
@@ -1,7 +1,7 @@
 ---
 title: ADFS SSO troubleshooting
 description: Introduce how to troubleshoot ADFS SSO issues.
-ms.date: 01/15/2025
+ms.date: 04/01/2025
 manager: dcscontentpm
 audience: itpro
 ms.topic: troubleshooting
@@ -82,7 +82,8 @@ Verify if the user agent string of your browser is in the list. If not, add the
    Example:
 
    ```powershell
-   $wiaStrings = $wiaStrings+" =~Windows\s*NT.*Edge"+"Mozilla/5.0"
+   #Add Edge and Chrome on Windows to the string
+   $wiaStrings = $wiaStrings+"=~Windows\s*NT.*Edg.*"+ "=~Windows\s*NT.*Chrome"
    ```
 
 4. Update the WIASupportedUserAgents setting by running the following command:
@@ -104,42 +105,26 @@ For more information, see [Overview of authentication handlers of AD FS sign-in
 
 If the application that you want to access is not Microsoft Online Services, what you experience is expected and controlled by the incoming authentication request. Work with the application owner to change the behavior.
 
-[!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
-
 If the application is Microsoft Online Services, what you experience may be controlled by the **PromptLoginBehavior** setting from the trusted realm object. This setting controls whether Microsoft Entra tenants send prompt=login to AD FS. To set the **PromptLoginBehavior** setting, follow these steps:
 
 1. Open Windows PowerShell with the "Run as administrator" option.
-2. Get the existing domain federation setting by running the following command:
+2. Set the PromptLoginBehavior setting by running the following commands:
 
    ```powershell
-   Get-MSOLDomainFederationSettings -DomainName DomainName | FL *
+   Connect-MgGraph -scopes Domain.ReadWrite.All, Directory.ReadWrite.All
+   $tdo= Get-MgDomainFederationConfiguration -DomainID <domain_id>
+   Update-MgDomainFederationConfiguration -DomainId <domain_id> -InternalDomainFederationId $tdo.Id -PromptLoginBehavior <translateToFreshPasswordAuthentication|nativeSupport|disabled>
+   Disconnect-MgGraph
    ```
 
-3. Set the PromptLoginBehavior setting by running the following command:
-
-   ```powershell
-   Set-MSOLDomainFederationSettings -DomainName DomainName -PromptLoginBehavior <TranslateToFreshPasswordAuth|NativeSupport|Disabled> -SupportsMFA <$TRUE|$FALSE> -PreferredAuthenticationProtocol <WsFed|SAMLP>
-   ```
+   > [!NOTE]
+   > \<domain_id> is a placeholder for your domain's name. For example, contoso.com.
 
    The values for the PromptLoginBehavior parameter are:
 
-   1. **TranslateToFreshPasswordAuth**: Microsoft Entra ID sends wauth and wfresh to AD FS instead of prompt=login. This leads to an authentication request to use forms-based authentication.
-   2. **NativeSupport**: The prompt=login parameter is sent as is to AD FS.
-   3. **Disabled**: Nothing is sent to AD FS.
-
-To learn more about the Set-MSOLDomainFederationSettings command, see [Active Directory Federation Services prompt=login parameter support](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login).
-
-<a name='azure-active-directory-azure-ad-scenario'></a>
-
-### Microsoft Entra scenario
-
-If the authentication request sent to Microsoft Entra ID include [the prompt=login parameter](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login), disable the prompt=login capability by running the following command:
-
-```powershell
-Set-MsolDomainFederationSettings –DomainName DomainName -PromptLoginBehavior Disabled
-```
-
-After you run this command, Office 365 applications won't include the prompt=login parameter in each authentication request.
+   1. **translateToFreshPasswordAuth**: Microsoft Entra ID sends wauth and wfresh to AD FS instead of prompt=login. This leads to an authentication request to use forms-based authentication.
+   2. **nativeSupport**: The prompt=login parameter is sent as is to AD FS.
+   3. **disabled**: Nothing is sent to AD FS.
 
 <a name='non-azure-ad-scenario'></a>
 
@@ -229,13 +214,23 @@ If the application that you want to access is Microsoft Online Services for Offi
 1. Get the current SupportsMFA domain federation setting by running the following command:
 
    ```powershell
-   Get-MSOLDomainFederationSettings -DomainName DomainName | FL *
+   Connect-MgGraph -scopes Domain.ReadWrite.All, Directory.ReadWrite.All
+   Get-MgDomainFederationConfiguration -DomainId <domain_id> | FL *
    ```
 
+   > [!NOTE]
+   > \<domain_id> is a placeholder for your domain's name. For example, contoso.com.
+
 2. If the SupportsMFA setting is FALSE, set it to TRUE by running the following command:  
 
    ```powershell
-   Set-MSOLDomainFederationSettings -DomainName DomainName -SupportsMFA $TRUE
+   Update-MgDomainFederationConfiguration -DomainId <DomainName> -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp"
+   ```
+
+3. Then, run the following command to sign out:
+
+   ```powershell
+   Disconnect-MgGraph
    ```
 
 ### Check if SSO is disabled
@@ -267,7 +262,7 @@ Let's check the internal sign-in functionality using IdpInitiatedSignOn. To do t
    ```
 
 2. From a computer that is inside your network, visit the following page:  
-   `https://<FederationInstance>/adfs/ls/idpinitiatedsignon.aspx`
+   `https://<FederationInstance>/adfs/ls/idpinitiatedsignon`
 
 3. Enter the correct credentials of a valid user on the sign-in page.
 
@@ -288,7 +283,7 @@ Then, check the external sign-in functionality using IdpInitiatedSignOn. Use the
    ```
 
 2. From a computer that is outside of your network, visit the following page:  
-   `https://<FederationInstance>/adfs/ls/idpinitiatedsignon.aspx`
+   `https://<FederationInstance>/adfs/ls/idpinitiatedsignon`
 
 3. Enter the correct credentials of a valid user on the sign-in page.
 
@@ -626,11 +621,10 @@ If a user is trying to log in to Microsoft Entra ID, they will be redirected to
 
 1. [Download](https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185) and install the Azure AD PowerShell module for Windows PowerShell.
 1. Open Windows PowerShell with the "Run as administrator" option.
-1. Initiate a connection to Microsoft Entra ID by running the following command:  
-`Connect-MsolService`
+1. Initiate a connection to Microsoft Entra ID by running `Connect-MgGraph` with proper permission.
 1. Provide the global administrator credential for the connection.
 1. Get the list of users in the Microsoft Entra ID by running the following command:  
-`Get-MsolUser`
+`Get-MgUser`
 1. Verify if the user is in the list.
 
 If the user is not in the list, sync the user to Microsoft Entra ID.
@@ -906,132 +900,6 @@ DS Mapper Usage : Disabled
 Negotiate Client Certificate : Disabled
 ```
 
-### Run script to automatically detect problems
-
-To automatically detect problems with the proxy trust relationship, run the following script. Based on the problem detected, take the action accordingly.
-
-```powershell
-param
-(
-  [switch]$syncproxytrustcerts
-)
-function checkhttpsyscertbindings()
-{
-Write-Host; Write-Host("1 – Checking http.sys certificate bindings for potential issues")
-$httpsslcertoutput = netsh http show sslcert
-$adfsservicefqdn = (Get-AdfsProperties).HostName
-$i = 1
-$certbindingissuedetected = $false
-While($i -lt $httpsslcertoutput.count)
-{
-        $ipport = $false
-        $hostnameport = $false
-        if ( ( $httpsslcertoutput[$i] -match "IP:port" ) ) { $ipport = $true }
-        elseif ( ( $httpsslcertoutput[$i] -match "Hostname:port" ) ) { $hostnameport = $true }
-        ## Check for IP specific certificate bindings
-        if ( ( $ipport -eq $true ) )
-        {
-            $httpsslcertoutput[$i]
-            $ipbindingparsed = $httpsslcertoutput[$i].split(":")
-            if ( ( $ipbindingparsed[2].trim() -ne "0.0.0.0" ) -and ( $ipbindingparsed[3].trim() -eq "443") )
-            {
-                $warning = "There is an IP specific binding on IP " + $ipbindingparsed[2].trim() + " which may conflict with the AD FS port 443 cert binding." | Write-Warning
-                $certbindingissuedetected = $true
-            }
-            $i = $i + 14
-            continue
-        }
-        ## check that CTL Store is set for ADFS service binding
-        elseif ( $hostnameport -eq $true )
-        {
-            $httpsslcertoutput[$i]
-            $ipbindingparsed = $httpsslcertoutput[$i].split(":")
-            If ( ( $ipbindingparsed[2].trim() -eq $adfsservicefqdn ) -and ( $ipbindingparsed[3].trim() -eq "443") -and ( $httpsslcertoutput[$i+10].split(":")[1].trim() -ne "AdfsTrustedDevices" ) )
-            {
-                Write-Warning "ADFS Service binding does not have CTL Store Name set to AdfsTrustedDevices"
-                $certbindingissuedetected = $true
-            }
-        $i = $i + 14
-        continue
-        }
-    $i++
-}
-If ( $certbindingissuedetected -eq $false ) { Write-Host "Check Passed: No certificate binding issues detected" }
-}
-function checkadfstrusteddevicesstore()
-{
-## check for CA issued (non-self signed) certs in the AdfsTrustedDevices cert store
-Write-Host; Write-Host "2 – Checking AdfsTrustedDevices cert store for non-self signed certificates"
-$certlist = Get-Childitem cert:\LocalMachine\AdfsTrustedDevices -recurse | Where-Object {$_.Issuer -ne $_.Subject}
-If ( $certlist.count -gt 0 )
-{
-    Write-Warning "The following non-self signed certificates are present in the AdfsTrustedDevices store and should be removed"
-    $certlist | Format-List Subject
-}
-Else { Write-Host "Check Passed: No non-self signed certs present in AdfsTrustedDevices cert store" }
-}
-function checkproxytrustcerts
-{
-    Param ([bool]$repair=$false)
-    Write-Host; Write-Host("3 – Checking AdfsTrustedDevices cert store is in sync with ADFS Proxy Trust config")
-    $doc = new-object Xml
-    $doc.Load("$env:windir\ADFS\Microsoft.IdentityServer.Servicehost.exe.config")
-    $connString = $doc.configuration.'microsoft.identityServer.service'.policystore.connectionString
-    $command = "Select ServiceSettingsData from [IdentityServerPolicy].[ServiceSettings]"
-    $cli = new-object System.Data.SqlClient.SqlConnection
-    $cli.ConnectionString = $connString
-    $cmd = new-object System.Data.SqlClient.SqlCommand
-    $cmd.CommandText = $command
-    $cmd.Connection = $cli
-    $cli.Open()
-    $configString = $cmd.ExecuteScalar()
-    $configXml = new-object XML
-    $configXml.LoadXml($configString)
-    $rawCerts = $configXml.ServiceSettingsData.SecurityTokenService.ProxyTrustConfiguration._subjectNameIndex.KeyValueOfstringArrayOfX509Certificate29zVOn6VQ.Value.X509Certificate2
-    #$ctl = dir cert:\LocalMachine\ADFSTrustedDevices
-    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("ADFSTrustedDevices","LocalMachine")
-    $store.open("MaxAllowed")
-    $atLeastOneMismatch = $false
-    $badCerts = @()
-    foreach($rawCert in $rawCerts)
-    {   
-        $rawCertBytes = [System.Convert]::FromBase64String($rawCert.RawData.'#text')
-        $cert=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$rawCertBytes)
-        $now = Get-Date
-        if ( ($cert.NotBefore -lt $now) -and ($cert.NotAfter -gt $now))
-        {
-            $certThumbprint = $cert.Thumbprint
-         $certSubject = $cert.Subject
-         $ctlMatch = dir cert:\localmachine\ADFSTrustedDevices\$certThumbprint -ErrorAction SilentlyContinue
-         if ($ctlMatch -eq $null)
-         {
-       $atLeastOneMismatch = $true
-          Write-Warning "This cert is NOT in the CTL: $certThumbprint – $certSubject"
-       if ($repair -eq $true)
-       {
-        write-Warning "Attempting to repair"
-        $store.Add($cert)
-        Write-Warning "Repair successful"
-       }
-                else
-                {
-                    Write-Warning ("Please install KB.2964735 or re-run script with -syncproxytrustcerts switch to add missing Proxy Trust certs to AdfsTrustedDevices cert store")
-                }
-         }
-        }
-    }
-    $store.Close()
-    if ($atLeastOneMismatch -eq $false)
-    {
-     Write-Host("Check Passed: No mismatched certs found. CTL is in sync with DB content")
-    }
-}
-checkhttpsyscertbindings
-checkadfstrusteddevicesstore
-checkproxytrustcerts($syncproxytrustcerts)
-Write-Host; Write-Host("All checks completed.")
-```
-
 ### Problem 1: There is an IP specific binding
 
 The binding may conflict with the AD FS certificate binding on port 443.
@@ -1072,23 +940,6 @@ If a CA issued certificate is in a certificate store where only self-signed cert
 
 Therefore, delete any CA issued certificate from the AdfsTrustedDevices certificate store.
 
-### Problem 4: Install KB2964735 or re-run the script with -syncproxytrustcerts
-
-When a proxy trust relationship is established with an AD FS server, the client certificate is written to the AD FS configuration database and added to the AdfsTrustedDevices certificate store on the AD FS server. For an AD FS farm deployment, the client certificate is expected to be synced to the other AD FS servers. If the sync doesn't happen for some reason, a proxy trust relationship will only work against the AD FS server the trust was established with, but not against the other AD FS servers.
-
-To solve this problem, use one of the following methods.
-
-#### Method 1
-
-Install the update documented in [KB 2964735](https://support.microsoft.com/topic/700e0502-c19a-54e4-9c5f-65c2844d9a9f) on all AD FS servers. After the update is installed, a sync of the client certificate is expected to happen automatically.
-
-#### Method 2
-
-Run the script with the – syncproxytrustcerts switch to manually sync the client certificates from the AD FS configuration database to the AdfsTrustedDevices certificate store. The script should be run on all the AD FS servers in the farm.
-
-> [!NOTE]
-> This is not a permanent solution because the client certificates will be renewed on a regular basis.
-
 ### Problem 5: All checks are passed. But the problem persists
 
 Check if there is a time or time zone mismatch. If time matches but the time zone doesn't, proxy trust relationship will also fail to be established.
@@ -1238,3 +1089,14 @@ The following are the device claims. The authorization rules may use some of the
 If there is a missing claim, follow the steps in [Configure On-Premises Conditional Access using registered devices](/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises) to make sure the environment is setup for device authentication.
 
 If all the claims are present, see if the values of the claims from the Dump Token app match the values required in the authorization policy.
+
+## Reference
+
+For more informaiton, see the following articles:
+
+- [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration)
+- [Update-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration)
+- [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands#use-connect-mggraph)
+- [Disconnect-MgGraph](/powershell/module/microsoft.graph.authentication/disconnect-mggraph)
+- [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser)
+- [internalDomainFederation resource type](/graph/api/resources/internaldomainfederation)
