How to set up AD FS on AWS Directory Service without Domain Administrator account?

Question

I have created a AWS Managed Microsoft AD, and I have a Windows Server 2019 EC2 instance where I am trying to enable AD FS. I have joined the EC2 instance to the domain, installed AD tools, and am able to perform basic AD tasks using the default AD Admin user. So far so good.

However when I try to configure AD FS, I get stuck with this error

"The credential provided is not a domain administrator. Provide a credential that is a member of the Domain Admins group and try again."

Taking a look at the AWS docs, I found this.

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html

To perform operational management of your directory, AWS has exclusive control of accounts with Enterprise Administrator and Domain Administrator privileges. This includes exclusive control of the AD administrator account.

So..... how could I possibly enable AD FS unless I had access to the AD administrator account?

Answer 1

You can't.

When you install ADFS it searches for available DC and writes a number of entries to AD.

To do this, it needs domain admin.

You don't need domain admin. to run ADFS. It can use a service account.

Answer 2

It was a truly sad limitation of AWS Directory Service until, surprisingly, AWS themselves suggested a crafty way to install AD FS on AWS Managed Directory Service in one of their blog posts: https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/

What the blog post is saying is that you can create a custom container for AD FS and then make the AD FS service use it (instead of the default container, which is unavailable as you do not have full admin rights to the whole domain).

I will not provide the recipe here as it is well described in the article referenced above.