Install-ADFS_Demo_with_OTP.ps1
#Requires -RunAsAdministrator #Requires -Version 4.0 <# .SYNOPSIS Installs ADFS Service with SecureMFA OTP Provider Web Portal on empty Windows Server. .DESCRIPTION Installs ADFS Service with SecureMFA OTP Provider on a single ADFS server using MS SQLEXPRESS database. Dependencies: * Deployment must be done with service account which will be used for ADFS service. Account must be member or local computer administrators� group and Domain Administrators groups for ADFS service to register successfully. * Server is Windows 2019 or 2016 serve and joined to domain. * Server has a valid certificate for ADFS Service communication. It must have CN name which is different to computer's FQDN * Server has "SqlServer" PS Module installed. * Server has a free edition of MSSQL SQLEXPRESS service installed using default Instance Name and Instance ID - SQLEXPRESS * Server has Microsoft Framework 4.6.1 and above installed. .NOTES Version: 2.0.0.1 Author: SecureMfa.com Creation Date: 27/07/2020 Purpose/Change: Release .EXAMPLE C:\PS> Install-ADFS_Demo_with_OTP -adfs_certificate_thumbprint "285394eae4e52bf64d3b6f6c304584f30c3f004f" This command will install ADFS service with SecureMFA OTP Provider and Web Portal which allows to enrol users on a single ADFS server using MSSQL SQLEXPRESS database. #> $zipfilepath = (Join-Path -Path $PSScriptRoot -ChildPath SecureMFA_OTP_SPA.zip) $sqlservermodulepath = "C:\Program Files\WindowsPowerShell\Modules\SqlServer" #Check if windows events source for application log exist, if not create one. if ([System.Diagnostics.EventLog]::SourceExists("Secure MFA OTP") -eq $False) {New-EventLog -LogName "Application" -Source "Secure MFA OTP" ; Write-Host "Secure MFA OTP Log Source Created."} Function Install-ADFS_Demo_with_OTP { Param ( [Parameter(Mandatory=$true)][string]$adfs_certificate_thumbprint, [Parameter(Mandatory=$false)][Switch]$Force ) #Check if ADFS service existi on the system if(((Get-Service adfssrv -ErrorAction SilentlyContinue).Status -ne $null) -and (!($Force))) {write-host "ADFS Service is allready running on this server $env:COMPUTERNAME . Please use new Windows build or unistall ADFS deployment before retry." -ForegroundColor Yellow; break} #Check if ADFS service existi on the system if(((Get-Service 'MSSQL$SQLEXPRESS' -ErrorAction SilentlyContinue).Status -ne 'Running') -and (!($Force))) {write-host "MSSQL SQLEXPRESS Edition is not running on a server $env:COMPUTERNAME . Please make sure you deploy a Free editon of MSSQL SQLEXPRESS Edition using default Instance Name and Instance ID: SQLEXPRESS on this computer to continue." -ForegroundColor Yellow; break} try { $Error.Clear() if (!(Test-Path $zipfilepath -Type Leaf) ) { throw "$zipfilepath does not exist" ; break} if (!(Test-Path $sqlservermodulepath) ) { throw "SqServer module $sqlservermodulepath does not exist please install it from PSGalery: Install-Module sqlserver" ; break} if(!(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq $adfs_certificate_thumbprint})) {throw "Certificate $adfs_certificate_thumbprint does not exist in Cert:\LocalMachine\My. Please install certificate first before retry." ; break} #Start deployment #SQL Procedure for WID Database creation $SQLProcedureTemplate = @( "USE [master]", "GO", "/****** Object: Database [SecureMfaOTP] Script Date: 27/01/2020 21:52:40 ******/", "CREATE DATABASE [SecureMfaOTP]", "CONTAINMENT = NONE", "ON PRIMARY", "( NAME = N'SecureMfaOTP', FILENAME = N'C:\SecureMFA\SecureMfaOTP.mdf' , SIZE = 6144KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )", "LOG ON", "( NAME = N'SecureMfaOTP_log', FILENAME = N'C:\SecureMFA\SecureMfaOTP_log.ldf' , SIZE = 1024KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)", "GO", "ALTER DATABASE [SecureMfaOTP] SET COMPATIBILITY_LEVEL = 120", "GO", "IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))", "begin", "EXEC [SecureMfaOTP].[dbo].[sp_fulltext_database] @action = 'enable'", "end", "GO", "ALTER DATABASE [SecureMfaOTP] SET ANSI_NULL_DEFAULT OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET ANSI_NULLS OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET ANSI_PADDING OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET ANSI_WARNINGS OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET ARITHABORT OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET AUTO_CLOSE OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET AUTO_SHRINK OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET AUTO_UPDATE_STATISTICS ON", "GO", "ALTER DATABASE [SecureMfaOTP] SET CURSOR_CLOSE_ON_COMMIT OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET CURSOR_DEFAULT GLOBAL", "GO", "ALTER DATABASE [SecureMfaOTP] SET CONCAT_NULL_YIELDS_NULL OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET NUMERIC_ROUNDABORT OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET QUOTED_IDENTIFIER OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET RECURSIVE_TRIGGERS OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET DISABLE_BROKER", "GO", "ALTER DATABASE [SecureMfaOTP] SET AUTO_UPDATE_STATISTICS_ASYNC OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET DATE_CORRELATION_OPTIMIZATION OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET TRUSTWORTHY OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET ALLOW_SNAPSHOT_ISOLATION OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET PARAMETERIZATION SIMPLE", "GO", "ALTER DATABASE [SecureMfaOTP] SET READ_COMMITTED_SNAPSHOT OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET HONOR_BROKER_PRIORITY OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET RECOVERY SIMPLE", "GO", "ALTER DATABASE [SecureMfaOTP] SET MULTI_USER", "GO", "ALTER DATABASE [SecureMfaOTP] SET PAGE_VERIFY CHECKSUM", "GO", "ALTER DATABASE [SecureMfaOTP] SET DB_CHAINING OFF", "GO", "ALTER DATABASE [SecureMfaOTP] SET FILESTREAM( NON_TRANSACTED_ACCESS = OFF )", "GO", "ALTER DATABASE [SecureMfaOTP] SET TARGET_RECOVERY_TIME = 0 SECONDS", "GO", "ALTER DATABASE [SecureMfaOTP] SET DELAYED_DURABILITY = DISABLED", "GO", "EXEC sys.sp_db_vardecimal_storage_format N'SecureMfaOTP', N'ON'", "GO", "ALTER DATABASE [SecureMfaOTP] SET READ_WRITE", "GO", "USE [SecureMfaOTP]", "GO", "CREATE TABLE [dbo].[Secrets](", "[upn] [varchar](255) NOT NULL,", "[secret] [char](48) NOT NULL,", "[logon] [tinyint] NULL,", "[lastlogon] [datetime] NULL,", "[logoncount] [int] DEFAULT 0 NOT NULL,", "[failedlogoncount] [int] DEFAULT 0 NOT NULL,", "[failedlastlogon] [datetime] NULL,", "[failedcode] [char](6),", "[logonip] [varchar](64),", "[useragent] [varchar](128),", " CONSTRAINT [PK_Secrets] PRIMARY KEY CLUSTERED", "(", "[upn] ASC", ")WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]", ") ON [PRIMARY]", "GO", "CREATE TABLE [dbo].[UsedCodes](", "[upn] [varchar](255) NOT NULL,", "[interval] [bigint] NOT NULL", ") ON [PRIMARY]", "GO" ) #Start $adfs_service_account = "$env:USERDOMAIN\$env:USERNAME" do { if($inputfailures -eq 0) {Write-Host "Please enter a password for ADFS Service Account $adfs_service_account :"} else {Write-Host "[Retry: $inputfailures] Passwords didn't match for $adfs_service_account Try again:"} $pwd1 = Read-Host "Password" -AsSecureString $pwd2 = Read-Host "Re-enter Password" -AsSecureString $pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd1)) $pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd2)) $inputfailures++ } while ($pwd1_text -ne $pwd2_text ) $fscredential = new-object -typename System.Management.Automation.PSCredential -argumentlist $adfs_service_account,$pwd1 #Create Temp folder and export SQL procedure New-Item -Path "c:\" -Name "SecureMFA" -ItemType "directory" -Force $SQLProcedureTemplate | Out-File C:\SecureMFA\sql_Create_WID_Database_SecureMfaOTP.sql -Force #write-host "Adding $adfs_service_account account into the Local Administrators group" -ForegroundColor Green #Add-LocalGroupMember -Group "Administrators" -Member $adfs_service_account -ErrorAction SilentlyContinue #Select CN from certificate to use with ADFS FederationServiceName $adfs_service_name = Get-ChildItem -Path cert:\LocalMachine\My\$adfs_certificate_thumbprint | select subject | Select-String -Pattern 'CN\=([^},\r\n]+)' | %{$_.Matches.Groups[1].value} write-host "ADFS service name $adfs_service_name has been selected using CN value from $adfs_certificate_thumbprint certificate" -ForegroundColor Green #ADFS Install write-host "Installing ADFS service on a single server" -ForegroundColor Green Add-WindowsFeature ADFS-Federation -Includemanagementtools $install = Install-AdfsFarm -CertificateThumbprint $adfs_certificate_thumbprint -FederationServiceName $adfs_service_name -ServiceAccountCredential $fscredential sleep -Seconds 10 write-host "Installation status:" $install.Status write-host $install.Message -ForegroundColor Yellow #Enable AUdit AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE #Enable SAML 2.0 IdP-initiated sign-on set-adfsproperties -EnableIdpInitiatedSignon $True #Test ADFS Service installation Test-AdfsFarmInstallation -FederationServiceName $adfs_service_name -ServiceAccountCredential $fscredential write-host "Starting SecureMFA OTP Install" -ForegroundColor Green #SQL WID Configuration on localhost Invoke-Sqlcmd -ServerInstance "localhost\SQLEXPRESS" -InputFile "C:\SecureMFA\sql_Create_WID_Database_SecureMfaOTP.sql" #Deploy SecureMFA OTP Provider Install-SecureMfaOtpProvider # Verify your ADFS service by navigating into following URLs using your browser: write-host "Installation of ADFS service $adfs_service_name complete." -ForegroundColor Green write-host "ADFS service endpoints for FederationMetadata:" -ForegroundColor Green write-host "https://$adfs_service_name/FederationMetadata/2007-06/FederationMetadata.xml" -ForegroundColor Cyan write-host "https://$adfs_service_name/adfs/ls/IdpInitiatedSignon.aspx" -ForegroundColor Cyan #ADFS Application Group configuration New-AdfsApplicationGroup -Name "SecureMFA" -ApplicationGroupIdentifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -Description "SecureMFA OTP WebPortal" Add-AdfsNativeClientApplication -ApplicationGroupIdentifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -Name "SecureMFA - Native application" -Identifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -RedirectUri (("http://" + (([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname).tolower() + "/"),("http://" + ($env:computerName).tolower() + "/")) -Description "SecureMFA OTP WebPortal" Get-AdfsApplicationGroup -Name SecureMFa | Add-AdfsWebApiApplication -Name "SecureMFA - Web application" -Identifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -AccessControlPolicyName "Permit everyone and require MFA" -IssueOAuthRefreshTokensTo "AllDevices" -AllowedClientTypes "Public, Confidential" Grant-AdfsApplicationPermission -ClientRoleIdentifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -ServerRoleIdentifier "498a47d9-bbae-439e-9ffd-4f1afc609350" -ScopeNames "openid" -Description "SecureMFA WebPortal" #Deploy IIS Service with SecureMFA OTP WebPortal Install-WindowsFeature -Name Web-Server Remove-Item C:\inetpub\wwwroot\*.* -Force Expand-Archive -LiteralPath $zipfilepath -DestinationPath C:\inetpub\wwwroot -Force $ServiceHost = (([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname).tolower() (Get-Content -path C:\inetpub\wwwroot\App\Scripts\app.js -Raw) -replace 'adfs.mydomain.com',$adfs_service_name| Set-Content -Path C:\inetpub\wwwroot\App\Scripts\app.js ##################### $RPURL = "http://" + (([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname).tolower() + "/" write-host "To access SecureMFA OTP Web Portal go to: $RPURL" -ForegroundColor Cyan write-host "Single Node DEMO ADFS Deployment With SecureMFA OTP Provider Is Complete." -ForegroundColor Green } catch { Write-Host "$($MyInvocation.InvocationName): $_" -ForegroundColor red } } |