What's the album sound like? Well, some people seem to think that my beloved Marillion simply sound like Journey, so I suppose that I need to think of a similarly well-known analogy for this one.  Uhhh....hmmm...I suppose Magne smacks a bit of the Goo Goo Dolls, or of the Dave Matthews Band. Maybe.  If either of those is your cup of tea, go download "Kryptonite" and "Nothing Here to Hold You" from your MP3 provider of choice to see if the rest of "Past Perfect Future Tense" might float your boat.

[1] You know, that "one-hit wonder" band from the 80's who've actually released something like a dozen albums over the last 22 years.  :-)

How to make it go:

• On ADFSACCOUNT, import the Token-signing certificate from ADFSRESOURCE into the local computer's Personal store.
• On ADFSRESOURCE, import the Token-signing certificate from ADFSACCOUNT into the local computer's Personal store.
• On ADFSWEB, import the root CA for ADFSRESOURCE into the local computer's Trusted Root Certificates store.
• On ADFSCLIENT, import the root CA for ADFSACCOUNT, ADFSRESOURCE, and ADFSWEB into the local computer's Trusted Root Certificates store. (NB: the claimapp sample app will still work if you miss this part, you'll just get one or more "IE doesn't like this cert, do you want to continue?" prompts nagging at you when you attempt to test from the client.)

All of these can be exported as .cer files; at no point do you need to go exporting private keys from one machine to another. (I think the docs reference exporting the ADFSRESOURCE cert to ADFSWEB as a .pfx file, but I made it work without doing so, for my part.)  You will achieve more reliable results if you import the certs using the Certificates MMC, not Internet Explorer, and if you do so while signed on as a local admin on the respective box, so that the certs land in the computer's cert store rather than a user-specific store. The docs indicate that the ADATUM test user doesn't need to be a local admin on the client box to run the sample app, and it doesn't...but doing the leg-work to make the certs behave as desired is another story.

To see if you have achieved self-signed certificate nirvana, confirm that you can navigate to the following URLs from the client without receiving any cert errors:

• https://adfsaccount.adatum.com (NB: will return a blank page. That's fine, you just want to confirm that you can get there without any cert errors.)
• https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx (Will return a standard-looking ASP.NET ASMX page.)
• https://adfsresource.treyresearch.net (Also blank, but should fire up with no cert errors.)
• https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx (Standard-looking ASMX page.)
• https://adfsweb.treyresearch.net (Another blank one.)

The moral of this story being, of course, that self-signed certificates will be the death of me before this day is over.

The ADFS part?  Fairly easy, if you don't count the trailing '/' in the definition of the application URL that, as it turns out, really really matters! and cost me 30 minutes of head-scratching right at the end after I'd figured out everything else.

Now, the PKI (read: "everything else") part? Took me the whole fracking weekend to get it right. I don't know if the docs are only 90% of the way there, or if I just wasn't reading carefully enough. JoeK does not kid when he tells you that "publicly-signed PKI certificates are the key to salvation when configuring ADFS."

I shall now officially dub the last 3 days: "The ADFS Weekend of Repeated and Abject Failures, though Happily Everything Ended Well."  Too long for a t-shirt slogan, but otherwise captures things quite nicely.

It's the same basic "playing around with AD FS" scenario that was released as a .DOC file for R2 - treyresearch and adatum and a claims-aware web app, puts the FSA and FSR on a DC, uses self-signed certs...though it's not actually all that hard to install AD CS on the DCs and use an enterprise CA instead of self-signed for this purpose. All the usual "not for production use" caveats are in effect: for those familiar with the phrase, it's "the bouncy slide" in action.

I'm listing it here because I seriously had no idea that this had been updated for 2008 until the link was sent to me, and my Google-fu usually doesn't let me down that hard, so maybe someone else can't find it either. 

The consolation prize is that my "muddling around and doing what made sense in my head" has actually been a pretty good match to documentation that I hadn't yet seen, so rock on with my bad self, and all.

(Side note - the navigation on that jump-off page actually isn't the greatest - if you're looking for "Click here for step 1", "Click here for step 2", etc., on the main pane, you're not going to find it. Rather, you'll need to expand the nav-bar in the left-hand pane to drill down to the actual steps involved.)

If I were a person who drinks at all, I'd be cracking open a bottle of scotch right about now.  :-)

How old were you when you started using computers?

I was 5, if you can believe it - I was definitely a forerunner of the current crop that has grown up with the technology. 

What was your first machine?

An ADAM - basically it was a Coleco game system that also allowed you to drop out to a BASIC compiler so that it could be marketed as "educational." Bought for me by my Pop-Pop, rest his soul, because I was "a really smart kid" and he didn't want to just get me a Barbie doll or something for Christmas. For a guy who didn't make it past the 3rd grade, in retrospect we can say that the man was onto something.

What was the first real script you wrote?

Lots of BASIC programs and Amiga/Commodore64 stuff - wrote silly little games using little pixelated sprite guys just to see if I could do it...then wound up in a school system that had some teachers and a guidance counselor who (I kid you not) bought into the "girls aren't good at math/computers" codswollop, which derailed me from doing anything substantive in that arena for a few years.

What scripting languages have you used?

BASIC, whatever the C64/Amiga programming language was. C, C++, Java, JavaScript, VBScript, VBA, DOS batch files, AJAX, Ruby, C#.NET, Powershell, command-line automation with the ds* and joeware tools.

What was your first professional sysadmin gig?

Deskside support monkey for a medical supply firm. Didn't know nearly enough when I started the job, so it was massively stressful, but definitely worth putting me on the right path.

If you knew then what you know now, would have started in IT?

Absolutely. I have a profession that I'm (if I say so) very good at, that pays me well, and that has brought me an extensive (albeit physically distant) circle of friends whose intellect I respect and whose company I hold incredibly dear. I've been doing this for over a decade, and I still refer to my job as "getting to play with toys."

If there is one thing you learned along the way that you would tell new sysadmins, what would it be?

[1] It's only IT: nobody dies.

[2] If you're working for a company/boss who takes it as a personal affront that you want to take a vacation day that is rightfully yours, that is your first indication that you need to be working somewhere else.

[3] Surround yourself with people who know more than you do.

What’s the most fun you’ve ever had scripting?

Writing the AD Cookbook, both times. I love seeing what I can do to efficiently automate AD tasks.

Who am I calling out?

"Tag, you're it!"

Brad

David

Princess Jorge!