AdfsServiceAccountModule - ADFS 2016 and 2019 compatibility issues

[Paul-Vi]

1. Function GenerateSQLScripts ADFS 2012 database name "AdfsConfiguration" is hardcoded in line 437 It is a bug, DB update will fail on newer ADFS version 2016 - AdfsConfigurationV3 and 2019 - AdfsConfigurationV4

2. Function Set-CertificateSharingContainerSecurity note: requires domain admin permissions ADFS property $ADFSProperties.CertificateSharingContainer will be always $null when running without domain admin rights Service account permissions set by this function grant: #GenericRead , #CreateChild , #WriteProperty , #Self are different to permissions in this script https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-ad-fs-delegated-admin#script-for-preparing-ad : #GenericRead , #CreateChild , #WriteProperty, #WriteOwner , #DeleteTree , #WriteDACL Which permissions are the right one?

3. old service account SID in ServiceSettingsData configuration after change after service account change SID of old account still exists in configuration data in: <SecurityTokenService>.... <AllowedOnBehalfOfCallers><Sid>S-1-5-21-xxxxxxxx.....</Sid></AllowedOnBehalfOfCallers>.... </SecurityTokenService> No idea what is it about, but definitely looks strange. https://learn.microsoft.com/en-us/dotnet/api/microsoft.identityserver.policymodel.configuration.stsconfiguration.allowedonbehalfofcallers?view=adfs-2019#microsoft-identityserver-policymodel-configuration-stsconfiguration-allowedonbehalfofcallers

[joaovitorhr]

Domain admin permissions should be listed in the requirements for the service account module. I've been stuck on this for months because I didn't know that domain admin permissions are required. We were able to run the script without errors, set the SPN manually, have all the sample post items completed, but we get error 1064 when trying to start the ADFS service. This is probably because of what you mentioned in item 2.