I’ve been running AD FS on Core servers for some time now, mostly because I like the smaller footprint and centralized management experience.
The smaller footprint also means:
- Fewer consumed resources
- Less potential attack surface, since fewer components are installed to begin with
But I want my GUI…
Sometimes I’ve felt the temptation to just peek into the AD FS GUI from a remote administration host… only to remember that it’s not possible, because there is no RSAT for managing AD FS.
Yes, this is crazy… I am doing it just for the kick of it.
This is the part that you definitely shouldn’t do in production, or even in staging if you value your deployment. Nonetheless, I had the temptation to see if I could crack this nut:
- Temporarily install and configure the remote management host as a secondary AD FS node
- Disable and stop the AD FS service on the remote management node: you won’t need the service itself, but you still need the installed role, because that is what brings the AD FS Management console along for managing the primary node
- Do a crazy portproxy with NETSH to send local port 1500 to the primary AD FS node
- Enjoy remote management (and maybe some crazy side effects…)

```powershell
# Disable and stop the AD FS service on the management computer
Get-Service adfssrv | Set-Service -StartupType Disabled; Stop-Service adfssrv

# Do a crazy binding: forward local port 1500 to port 1500 on the primary AD FS node
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=1500 connectaddress=yourremotehost connectport=1500

# End
```
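The same steps put together as one script with the checks and a way back, as an added example (not code from the original post). It assumes the AD FS role is already installed on the management host as described above; the hostname adfs01.corp.example and the -Undo switch are placeholders of mine. It also leans on a detail the one-liner above skips: netsh portproxy is implemented by the IP Helper service (iphlpsvc), so nothing listens on 127.0.0.1:1500 if that service is stopped.

```powershell
# Added example, not from the original post. Assumes the AD FS role is already
# installed on this management host (joined to the farm as a secondary node) and
# that $PrimaryAdfs is the FQDN of the primary node; both names are placeholders.
[CmdletBinding()]
param(
    [string]$PrimaryAdfs = 'adfs01.corp.example',   # placeholder, replace with your primary node
    [switch]$Undo                                    # remove the proxy and bring the local service back
)

$ListenAddress = '127.0.0.1'
$Port          = 1500   # net.tcp port the AD FS Management console talks to on localhost

if ($Undo) {
    # Tear the hack down: drop the proxy rule, then re-enable and start the local service
    netsh interface portproxy delete v4tov4 "listenaddress=$ListenAddress" "listenport=$Port" | Out-Null
    Set-Service -Name adfssrv -StartupType Automatic
    Start-Service -Name adfssrv
    Write-Host "Portproxy removed and adfssrv started again."
    return
}

# 1. portproxy is implemented by the IP Helper service; without it no listener appears
if ((Get-Service -Name iphlpsvc).Status -ne 'Running') {
    Start-Service -Name iphlpsvc
}

# 2. Make sure the primary really answers on 1500 before redirecting anything to it
$probe = Test-NetConnection -ComputerName $PrimaryAdfs -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Primary node $PrimaryAdfs does not accept TCP/$Port; check its firewall and that adfssrv runs there."
}

# 3. Stop the local AD FS service so it cannot hold port 1500 itself, and keep it down across reboots
Set-Service -Name adfssrv -StartupType Disabled
Stop-Service -Name adfssrv -Force

# 4. Add the proxy rule. Listening on 127.0.0.1 keeps it usable only by processes on this host.
netsh interface portproxy add v4tov4 `
    "listenaddress=$ListenAddress" "listenport=$Port" `
    "connectaddress=$PrimaryAdfs" "connectport=$Port" | Out-Null

# 5. Verify: the rule is present and something now listens on 127.0.0.1:1500
netsh interface portproxy show v4tov4
$listener = Get-NetTCPConnection -LocalAddress $ListenAddress -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "No listener on ${ListenAddress}:${Port}; the portproxy rule was not applied."
}
Write-Host "Local ${ListenAddress}:${Port} now forwards to ${PrimaryAdfs}:${Port}. Open the AD FS Management console."
```

Run it plain to set the hack up and with -Undo to take it down again; the listener check at the end is the quickest way to tell a missing IP Helper service apart from a mistyped netsh argument.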
Speculation on whether this is really a plausible approach:
Q: Would it just be smarter to have the primary node on a GUI-enabled server?
A: Pretty much, yes.
(In this crazy demonstrated approach, the only difference is that you don’t have to have the AD FS service running on the remote management host.)