(Please refer to the VIP Plugin for ADFS Integration Guide)
Important considerations before upgrading:
- All AD FS servers within a farm must use the same version of the VIP integration module. If a plugin version mismatch between members is detected, VIP multi-factor authentication will not function.
- To avoid downtime, route authentication traffic through a temporary AD FS server during the upgrade, or upgrade the primary server first and route authentications there while the farm member servers are upgraded and brought back online.
Instructions:
- Create a backup of the ADFS Installation folder (C:\Program Files\Symantec\ADFS3 or C:\Program Files\Symantec\ADFS).
- Create a backup of the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0
- Download the latest AD FS plug-in from VIP Manager. (VIP Manager>Account>Download Files>Third Party Integrations>Plugins>Active_Directory_Federation_Services.zip). The plugin version is indicated in the version.txt file.
- Go to Control Panel > System and Security > Administrative Tools.
- Open the AD FS Management console.
- Right-click on Authentication Policies and select the Edit Multi-factor Authentication Methods.
- On the Additional tab, clear the VIP Authentication Provider check box under Select additional authentication methods, then click OK.
- Open the Control Panel > All Control Panel Items > Programs and Features. Uninstall VIP Authentication Provider for ADFS.
- Restart the AD FS services.
- Install the new AD FS Plug-in.
- Launch the VIP Integration Settings console and configure the settings.
Or, restore the registry backup taken in step 2, then open the VIP Integration Settings console to confirm the settings.
- If JS was enabled: Copy the contents of the Program Files\Symantec\ADFS\JScripts folder taken from step 1 to the <installation folder>\Program Files\Symantec\ADFS\JScripts folder.
Note: If the ADFS plug-in is installed and configured in a multi-server primary\secondary deployment (i.e., an AD FS server farm), the VIP configuration settings on a secondary AD FS server will show Windows Account Name as the VIP User ID. This is by design: the VIP User ID value configured on the primary ADFS server is the one used for VIP authentications.
- Test the connection to the VIP cloud: Launch the VIP Integration console. Click the Test Settings button, enter a valid user name and security code, then click OK. A successful response indicates a trusted connection was established to the Authentication URL.
How to verify AD FS is using the latest VIP plug-in:
- Browse to <installation folder>\Program Files\Symantec\ADFS\ and verify the .DLL files show a timestamp of 20 Nov 2024 or later:

- The VIP Authentication Provider for ADFS version in add\remove programs shows 9.9.1 or later:

- Perform a test to confirm VIP MFA is functioning, then check the VIP plugin log on the ADFS server(s) in C:\Program Files\Symantec\ADFS. The Request ID will contain the prefix ADFS_9_9_1.
example: 2/11/2024 2:09:46 PM : User TESTUSER authentication successful, Request ID: ADFS_9_9_1_192_168_1_60_12345
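The three checks above can be scripted so they are run identically on every farm member (all members must carry the same plug-in version). The script below is an added example, not part of the Symantec guide: it assumes the install folder stated above, reads the product version from the same Uninstall registry keys that Programs and Features displays, and, because the article does not name the log file, scans any .log file under the install folder for the Request ID prefix.

```powershell
# Added example (not from the Symantec guide): post-upgrade checks for the VIP AD FS plug-in.
# Assumptions: install folder as stated in the article; DLL names and the plug-in log file name
# are not given in the article, so both are matched with wildcards.
$InstallDir    = 'C:\Program Files\Symantec\ADFS'   # older installs use C:\Program Files\Symantec\ADFS3
$MinDllDate    = Get-Date '2024-11-20'              # DLL timestamp the article expects
$MinVersion    = [version]'9.9.1'                   # plug-in version the article expects
$RequestPrefix = 'ADFS_9_9_1'                       # Request ID prefix in the plug-in log

# 1. DLL timestamps: every DLL under the install folder should be dated 20 Nov 2024 or later.
$oldDlls = Get-ChildItem -Path $InstallDir -Filter '*.dll' -Recurse -ErrorAction Stop |
           Where-Object { $_.LastWriteTime -lt $MinDllDate }
if ($oldDlls) {
    Write-Warning "DLLs older than $($MinDllDate.ToShortDateString()) found:"
    $oldDlls | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "OK: all DLLs in $InstallDir are dated $($MinDllDate.ToShortDateString()) or later."
}

# 2. Installed product version, from the Uninstall keys behind Programs and Features (64- and 32-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'VIP Authentication Provider for ADFS*' } |
           Select-Object -First 1
$installed = if ($product) { $product.DisplayVersion -as [version] }
if (-not $product) {
    Write-Warning 'VIP Authentication Provider for ADFS is not listed in Programs and Features.'
} elseif (-not $installed -or $installed -lt $MinVersion) {
    Write-Warning "Installed version '$($product.DisplayVersion)' is older than $MinVersion."
} else {
    Write-Host "OK: installed version $installed."
}

# 3. Plug-in log: after a test authentication, recent Request IDs should carry the ADFS_9_9_1 prefix.
$hits = Get-ChildItem -Path $InstallDir -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Request ID:\s*(\S+)' |
        Select-Object -Last 5
if (-not $hits) {
    Write-Warning "No 'Request ID' entries found under $InstallDir; perform a test authentication first."
}
foreach ($hit in $hits) {
    $id = $hit.Matches[0].Groups[1].Value
    if ($id.StartsWith("${RequestPrefix}_")) {
        Write-Host "OK: $($hit.Filename): $id"
    } else {
        Write-Warning "$($hit.Filename): Request ID '$id' does not carry prefix $RequestPrefix"
    }
}
```

Run it in an elevated PowerShell session on each AD FS server; to check a whole farm from one place, wrap the script in Invoke-Command against the list of farm members and compare the reported versions, since a single mismatched member is enough to break VIP MFA for the farm.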
Temporary workaround: If your organization cannot immediately install the latest AD FS plug-in that contains the DigiCert G2\G3 root CA, follow these steps to disable certificate pinning. These steps are recommended as a temporary workaround only, until the VIP plugin can be upgraded to version 9.9.
Disable certificate pinning:
(backup the Windows Registry before proceeding)
- Launch the registry editor (regedit) on the server.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0

- Set the CertPinEnabled value from 1 to 0 to disable certificate pinning.
- Exit the registry editor.
- Open the Windows certificates console and confirm DigiCert Global Root G2 is in the Trusted Root Certification Authorities certificates:

- Restart the AD FS service.
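The workaround above applied as a script, with the registry backup taken first and the root-certificate check done before pinning is turned off, so the change is never made without a way to reverse it. This is an added example, not part of the Symantec guide; it assumes the standard AD FS service name adfssrv and that CertPinEnabled is a REG_DWORD value (the article names the value but not its type).

```powershell
# Added example (not from the Symantec guide): apply the temporary certificate-pinning workaround.
# Assumptions: AD FS service name 'adfssrv' (the Windows Server default); CertPinEnabled is a DWORD.
$KeyPath    = 'HKLM:\SOFTWARE\Symantec\ADFS3.0'
$BackupFile = Join-Path $env:TEMP ('VIP-ADFS3.0-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up the key first; the .reg file can be re-imported with reg.exe import to roll back.
reg.exe export 'HKLM\SOFTWARE\Symantec\ADFS3.0' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; CertPinEnabled was not changed.' }
Write-Host "Registry backup written to $BackupFile"

# 2. Confirm DigiCert Global Root G2 is in Trusted Root Certification Authorities (machine store).
#    Without it, the plug-in would still fail TLS validation once pinning is off.
$rootG2 = Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like '*CN=DigiCert Global Root G2*' } |
          Select-Object -First 1
if (-not $rootG2) {
    throw 'DigiCert Global Root G2 is not in Trusted Root Certification Authorities; add it before continuing.'
}
Write-Host "DigiCert Global Root G2 present (thumbprint $($rootG2.Thumbprint), expires $($rootG2.NotAfter))"

# 3. Record the current value, then disable pinning (1 -> 0).
$before = (Get-ItemProperty -Path $KeyPath -Name CertPinEnabled).CertPinEnabled
Write-Host "CertPinEnabled before: $before"
Set-ItemProperty -Path $KeyPath -Name CertPinEnabled -Value 0 -Type DWord

# 4. Restart AD FS so the plug-in re-reads its settings, then show the new value.
Restart-Service -Name adfssrv -Force
$after = (Get-ItemProperty -Path $KeyPath -Name CertPinEnabled).CertPinEnabled
Write-Host "CertPinEnabled after: $after"

# To reverse the workaround once the plug-in is upgraded to 9.9 or later:
#   Set-ItemProperty -Path $KeyPath -Name CertPinEnabled -Value 1 -Type DWord; Restart-Service adfssrv -Force
```

Run it elevated on each AD FS server that still carries the old plug-in, and keep the backup path it prints: re-enabling pinning after the upgrade restores the protection the plug-in normally provides against a forged or mis-issued certificate on the Authentication URL.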