Update: This issue has been addressed by Microsoft, at least in the documentation. See the TechNet article for the latest parameters.
I always like to be on the latest and greatest version of whatever software I am using. Right now, it’s Office 365 with ADFS integration to my Windows Server 2012 R2 server.
One of my favorite new features of Server 2012 R2 is the ability to run ADFS with a Group Managed Service Account. Unfortunately, since this is such an esoteric and nascent feature, it is scarcely documented. With the standard management GUI, configuring this is a simple task – it’s just another step in the wizard. But with PowerShell, the process is not as apparent.
I like to run all of my servers in Server Core unless I absolutely have to install the management GUI. That means that if I want to configure ADFS, I am going to do it with PowerShell. Unfortunately, the documentation for the configuration command, Install-ADFSFarm, is lacking a key parameter.
From reading the documentation, I assumed that I could specify my Group Managed Service Account through the -ServiceAccountCredential parameter. However, I was unsuccessful when specifying my gMSA through that parameter. Determined to derail this dilemma, I broke down and installed the management GUI and ran through the wizard. In the final step, I pressed the “View Script” button and found the golden nugget I was looking for.
-GroupServiceAccountIdentifier
That parameter, which does not appear in the documentation, or even when tabbing through the parameter list in PowerShell, is the key to configuring ADFS with a gMSA in Server 2012 R2!
Here’s the complete script I generated. Your configuration will vary, but you can configure it as needed.
#
# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# The gMSA is passed as DOMAIN\name$ via the undocumented parameter. Inside a
# double-quoted string the backtick escapes the trailing $ so PowerShell does not
# treat it as the start of a variable name.
Install-AdfsFarm `
-CertificateThumbprint:"404AE1FB6236A50DA000D3D1524F0E190F72312F" `
-FederationServiceDisplayName:"Kearney Home" `
-FederationServiceName:"adfs.kearney.tk" `
-GroupServiceAccountIdentifier:"Kearney\svc_ADFS`$" `
-SQLConnectionString:"Data Source=sql.in.kearney.tk\kearneysql;Initial Catalog=ADFSConfiguration;Integrated Security=True;Min Pool Size=20"
Hopefully this will help some other system administrators who want to stay on the bleeding edge – so much so that there’s not even documentation!
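As an added example (not the post's generated script), here is the same -GroupServiceAccountIdentifier call wrapped in the pre-flight and post-install checks I would want on a Server Core box: that this host can actually retrieve the gMSA password, that the certificate is present with its private key, and that the AD FS service ended up running as the gMSA. The domain, account name, thumbprint and service name are placeholders you replace with your own.

```powershell
# Added example: pre-flight checks around Install-AdfsFarm with a gMSA (Server 2012 R2).
# Placeholders below are assumptions, not values from the original post.
Import-Module ActiveDirectory
Import-Module ADFS

$Domain     = 'KEARNEY'                         # NetBIOS domain name (placeholder)
$GmsaName   = 'svc_ADFS'                        # gMSA sAMAccountName without trailing $ (placeholder)
$Thumbprint = '<your-certificate-thumbprint>'   # placeholder
$FsName     = 'adfs.example.com'                # placeholder
$FsDisplay  = 'Example Home'                    # placeholder

# 1. The AD FS role must be installed (no GUI needed on Server Core).
if (-not (Get-WindowsFeature -Name ADFS-Federation).Installed) {
    Install-WindowsFeature -Name ADFS-Federation | Out-Null
}

# 2. This host must be allowed to retrieve the gMSA password. If the test fails,
#    the computer (or a group it belongs to) is missing from
#    PrincipalsAllowedToRetrieveManagedPassword; the current list is shown for review.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    $acct = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
    throw "Host cannot retrieve password for $GmsaName. Allowed: $($acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"
}

# 3. The service communications certificate must be in the machine store with a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host" }

# 4. Build DOMAIN\name$ in single quotes so the $ needs no escaping, then configure the farm.
#    Omitting -SQLConnectionString uses the Windows Internal Database.
$GmsaId = '{0}\{1}$' -f $Domain, $GmsaName
Install-AdfsFarm `
    -CertificateThumbprint $Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName $FsDisplay `
    -GroupServiceAccountIdentifier $GmsaId

# 5. Confirm the AD FS service (adfssrv) really logs on as the gMSA, not a user account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if ($svc.StartName -notlike "*\$GmsaName`$") {
    throw "adfssrv runs as '$($svc.StartName)', expected $GmsaId"
}
"AD FS farm $FsName configured; adfssrv running as $($svc.StartName)"
```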
Updated: http://technet.microsoft.com/en-us/library/dn479416.aspx