Authentik Security, Part Twelve
Configure Authentik
Enable LDAPS
Part 3. Install and Configure Active Directory Federation Service (ADFS)
Today I am going to pick up where I left off yesterday. I am hoping I can finish up part 3 today.
Steps performed from desktop
- From a browser go to https://fs-01.domain.local/adfs/ls/idpinitiatedsignon
The page loads with an error, which the walkthrough says is to be expected. To resolve the error I switch to PowerShell.
Steps performed from desktop via Windows Terminal
Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
FS-01.domain.local False

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Get-AdfsProperties | Select-Object HostName, EnableIdpInitiatedSignonPage
FS-01.domain.local True
Awesome! When I refresh my browser it is loading without any errors now.
Steps performed on desktop via Server Manager
- Right click on DC-04 and open AD FS Management
- I expand Service
- I go to Endpoints
The guide then says to enable Token Issuance for SAML 2.0/WS-Federation but then shows a picture of the disable button. I'm guessing that's his way of knowing it is enabled?
- I go to Authentication Methods
- Under Primary Authentication Methods I click Edit
- Under Intranet I uncheck Windows Authentication
- I click OK
I refresh my browser to test. My test is successful! I love picking up steam! That completes part 3 for me, so now I'll try going back to Authentik and seeing if I can get it to connect to Active Directory.
Steps performed from desktop via browser
- I log in to Authentik
- I navigate to the Admin Interface
- I go to Directory and click on Federation & Social Logins
- I click on Create
- I select LDAP Source
- I click Next
- Name: domain.local
- Server URI: ldaps://dc-02.domain.local,ldaps://dc-03.domain.local,ldaps://dc-04.domain.local
- I uncheck Enable StartTLS
- Bind CN: [email protected]
- Base DN: domain.local
- User Property Mappings:
  - authentik default LDAP Mapping: Mail
  - authentik default LDAP Mapping: Name
  - authentik default Active Directory Mapping: givenName
  - authentik default Active Directory Mapping: sAMAccountName
  - authentik default Active Directory Mapping: sn
  - authentik default Active Directory Mapping: userPrincipalName
- Group Property Mappings:
  - authentik default LDAP Mapping: Name
- I click on Finish
So it's still doing the exact same thing it had done before. When I hit the Sync button it logs that I hit it but nothing ever syncs, and I see no errors or explanation for it. So where do I go from here with this? I'm honestly a little stumped. Well I think I'll start by making certain everything on the server is up to date.
Steps taken from AUTHENTIK-01
sudo apt update
sudo apt upgrade -y
sudo reboot
cd /apps/authentik
sudo docker-compose down
wget -O docker-compose.yml https://goauthentik.io/version/2023.8/docker-compose.yml
sudo docker-compose up -d
I wasn't expecting much, so I am not surprised when there is no change to the issue. When I hit the resync button it turns green for a few seconds and then back to blue. The event log shows the model was updated, but it does not list ldap_sync_active-directory under System Tasks like the picture in their integration documentation. After a little Google searching I came across this page.
Steps taken from AUTHENTIK-01
sudo docker-compose run --rm worker ldap_sync domain.local
This came back with a number of screens worth of text, but the error basically boiled down to:
In _validate_attribute_type raise LDAPInvalidDnError('attribute type not present')
OK, so it has something to do with the DN. What did I put for the DN again? domain.local. Well, that won't work. So exactly how do I find the DN that Authentik would be looking for?
Steps performed on desktop via Windows Terminal
dsquery * "DC=domain,DC=local"
So in Authentik I change the DN to DC=domain,DC=local
Poof! The sync status is showing a whole bunch of items synced now. Hooray! Wow, I am glad I actually made some progress with this!
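The Base DN mistake above (a DNS name where an LDAP distinguished name belongs) only surfaced after running the sync by hand. The following is an added example, not code from this post or from authentik: a small Python checker that validates the kind of LDAP source settings entered above before they go into the admin interface. It splits a DN on unescaped commas and requires every RDN to be `type=value` (which is exactly what the `attribute type not present` error is complaining about), converts a DNS domain into its `DC=` form, parses the comma-separated Server URI list, and flags a StartTLS setting that does not match the URI scheme. The sample settings dict is constructed from the walkthrough; the host names are the post's own and the function names are mine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the LDAP source settings from the walkthrough, with the
# Base DN mistake left in so the checker has something to report.
SAMPLE_SOURCE = {
    "server_uri": "ldaps://dc-02.domain.local,ldaps://dc-03.domain.local,ldaps://dc-04.domain.local",
    "start_tls": False,
    "base_dn": "domain.local",
}

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# One RDN is attributeType=value; the type is a short name or a dotted OID (RFC 4514).
_RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(.*)$")


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (e.g. 'CN=Smith\\, John' stays whole)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def validate_dn(dn):
    """Return a list of problems; an empty list means every RDN has the type=value shape."""
    if not dn.strip():
        return ["DN is empty"]
    return [
        f"RDN {rdn!r}: attribute type not present (expected type=value)"
        for rdn in split_dn(dn)
        if not _RDN_RE.match(rdn)
    ]


def domain_to_base_dn(domain):
    """Turn a DNS domain such as 'domain.local' into 'DC=domain,DC=local'."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def parse_server_uris(server_uri):
    """Parse authentik's comma-separated Server URI field into (scheme, host, port) tuples."""
    servers = []
    for uri in (u.strip() for u in server_uri.split(",")):
        if not uri:
            continue
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in {uri!r}")
        servers.append((parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]))
    return servers


def check_source(cfg):
    """Return human-readable findings for an LDAP source config; empty means nothing to fix."""
    findings = []
    schemes = {scheme for scheme, _, _ in parse_server_uris(cfg["server_uri"])}
    # StartTLS upgrades a plain ldap:// (389) session; ldaps:// is already TLS on 636.
    if cfg["start_tls"] and "ldaps" in schemes:
        findings.append("StartTLS is for plain ldap:// (389); ldaps:// already uses implicit TLS on 636")
    if not cfg["start_tls"] and "ldap" in schemes:
        findings.append("ldap:// without StartTLS sends the bind password in the clear")
    findings.extend("Base DN: " + problem for problem in validate_dn(cfg["base_dn"]))
    # A value with no '=' at all is almost certainly a DNS name typed where a DN belongs.
    if "=" not in cfg["base_dn"] and cfg["base_dn"].strip():
        findings.append(f"Base DN looks like a DNS name; try {domain_to_base_dn(cfg['base_dn'])!r}")
    return findings


if __name__ == "__main__":
    for finding in check_source(SAMPLE_SOURCE) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the malformed Base DN and suggests `DC=domain,DC=local`; with that value substituted it returns no findings. Keeping the StartTLS check next to the scheme check is deliberate: with three `ldaps://` servers and StartTLS unchecked the post's setting is the consistent one, and the checker stays quiet about it.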