70-742 Additional Notes – AD Federation Services with Device Registration

70-742

Overview

You can add the Device Registration Service (DRS) to your Active Directory Federation Service (AD FS) configuration. DRS provides seamless second factor authentication, persistent single sign on, and conditional access to devices attempting to access your corporate resources.

Prepare your Forest

To properly implement DRS, you first should prepare your forest. To do this you must meet the following requirements:

  • You must be an Enterprise Admin
  • The forest must be at the Windows Server 2012 R2 schema or higher
  • There must be at least one Global Catalog Server in the forest root domain

Step 1 – On the Federation Server run the PowerShell command:

Initialize-ADDeviceRegistration

Step 2 – When prompted for the ServiceAccountName – enter the service account you used for AD FS

Enable DRS on a Federation Server Farm Node

One each node in the farm, run the PowerShell command:

Enable-AdfsDeviceRegistration

Enable Seamless Second Factor Authentication

Use the AD FS Management Console and navigate to Authentication Policies. Select Edit Global Primary Authentication. Click Enable Device Authentication and click OK.

Update the Web Application Proxy Configuration

On the WAP server – run the PowerShell command:

Update-WebApplicationProxyDeviceRegistration

When prompted, input an account with administrative credentials.

Leave a Reply

Your email address will not be published.