---
title: Installing PingID MFA Adapter for AD FS using the CLI
description: Use the command-line interface (CLI) to install and register the PingID multi-factor authentication (MFA) Adapter for Microsoft Active Directory Federation Services (AD FS).
component: pingid
page_id: pingid:pingid_integrations:pid_installing_pid_mfa_adapter_for_ad_fs_cli
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_installing_pid_mfa_adapter_for_ad_fs_cli.html
revdate: March 27, 2023
section_ids:
  before-you-begin: Before you begin
  steps: Steps
---

# Installing PingID MFA Adapter for AD FS using the CLI

Use the command-line interface (CLI) to install and register the PingID multi-factor authentication (MFA) Adapter for Microsoft Active Directory Federation Services (AD FS).

## Before you begin

Make sure:

* You have installed AD FS 4.0 on Windows Server 2016 or AD FS 3.0 on Windows Server 2012 R2.

* You have installed .NET 4.6 or later.

* Port 443 is open to allow outbound communication with the PingID service. For further details about required web access, see [PingID required domains, URLs, and ports](../pingid_service_management/pid_domains_urls_ports.html).

* PingID integration for AD FS employs redirects and cross-site requests. Changes to cookie behavior implemented by browsers, such as Google Chrome 80, can cause disruptions to authentication flows. To ensure changes to cookie behavior do not cause disruptions to your authentication flows, make sure your AD FS servers have the latest SameSite cookie support updates from Microsoft. For information about the SameSite cookie changes introduced in Chrome 80 and details on how to upgrade your server, see this [Microsoft support article](https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications).

This operation involves restarting the AD FS service. After the installation is complete, you will need to select the PingID MFA Adapter as an MFA method in AD FS.

If you have another MFA provider installed on your AD FS instance, but it is not configured correctly, you may not be able to install PingID MFA Adapter for AD FS and may receive an error when running the PingID MFA installer. To avoid potential software conflicts, we recommend that you disable any unused MFA authentication methods before you install PingID Adapter for AD FS.

## Steps

1. In the PingOne admin portal, go to **Setup → PingID → Client Integration**.

2. To download the `pingid.properties` file, in the **Integrate with PingFederate and Other Clients** section, click **Download**.

3. On the [PingID Downloads](https://www.pingidentity.com/en/resources/downloads/pingid.html) page, go to **Integrations**, and download and extract the file for **AD FS**.

4. Open a command prompt and run the following:

   ```
   PingIdAdfsAdapter<version>.exe /p=[full-path-to-properties-file] /ct=[claim-type-uri] [/SILENT | /VERYSILENT] [/SUPPRESSMSGBOXES] [/AcceptTerms]
   ```

   Where:

   | Switch                              | Description                                                                                                               |
   | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
   | `/p=[full-path-to-properties-file]` | The path to the pingid.properties file that you downloaded from the admin portal.                                         |
   | `/ct=[claim-type-uri]`              | The claim type URI. For more information, see the following Claim Type table.                                             |
   | `/SILENT`                           | Hide the install wizard window and show the installation progress window.                                                 |
   | `/VERYSILENT`                       | Hide the install wizard window and the installation progress window.                                                      |
   | `/SUPPRESSMSGBOXES`                 | Suppress message boxes during installation. This switch only has an effect when combined with `/SILENT` or `/VERYSILENT`. |
   | `/AcceptTerms`                      | Suppress message boxes and silently accept the terms of PingID installation.                                              |

   PingID MFA Adapter for AD FS supports the following claim types.

   | Claim Type               | Description                                                                | URI                                                                          |
   | ------------------------ | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
   | **UPN**                  | The user principal name (UPN) of the user, in the format `user@domain.com` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`                  |
   | **Windows account name** | The Windows Account Name of the user in the format `DOMAIN\USER`           | `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` |

   After the installation is complete, the claim type cannot be modified.

   Assess your environment and decide which claim type fits your specific environment. You must consider the effect the claim type will have on your environment setup.

   For example, if you have a split DNS implementation, where the UPN carries the external domain name, and the `WindowsAccountName` carries the internal domain name, you must use the `WindowsAccountName` claim type for the MFA Adapter. If you use the UPN claim type instead, the MFA Adapter attempts to locate the external domain name as an AD domain that does not exist, and fails to retrieve the user from the AD.

   For more information about claim types, see Microsoft's documentation on [The role of claims](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims).
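
A pre-flight and unattended-install wrapper for the procedure above, as an added example (not Ping Identity's own script). The parameter names are hypothetical, `$PingIdHost` is a placeholder for a host you take from the PingID required domains list, and the quoted `/p=` path and the exit-code check are assumptions about the installer.

```powershell
# Added example: checks the prerequisites from "Before you begin", then runs the installer unattended.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,    # extracted PingIdAdfsAdapter<version>.exe
    [Parameter(Mandatory)] [string] $PropertiesPath,   # pingid.properties from the admin portal
    [Parameter(Mandatory)] [ValidateSet('UPN', 'WindowsAccountName')] [string] $ClaimType,
    [Parameter(Mandatory)] [string] $PingIdHost        # placeholder: host from the required-domains page
)
$ErrorActionPreference = 'Stop'

# Claim type URIs exactly as listed in the Claim Type table.
$claimUris = @{
    UPN                = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    WindowsAccountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
}

# /p= expects the full path; Resolve-Path also fails early if either file is missing.
$installer  = (Resolve-Path -LiteralPath $InstallerPath).Path
$properties = (Resolve-Path -LiteralPath $PropertiesPath).Path

# .NET 4.6 or later: the Release value under NDP\v4\Full is 393295 or higher.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full').Release
if ($release -lt 393295) { throw "Found .NET release $release; .NET 4.6 or later is required." }

# Outbound port 443 to the PingID service.
if (-not (Test-NetConnection -ComputerName $PingIdHost -Port 443).TcpTestSucceeded) {
    throw "Cannot reach ${PingIdHost}:443 from this AD FS server."
}

# Show MFA providers already enabled so unused ones can be disabled before installing.
$existing = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
if ($existing) { Write-Warning "MFA providers currently enabled: $($existing -join ', ')" }

# The claim type cannot be modified after installation, so require explicit confirmation.
Write-Host "Claim type: $ClaimType ($($claimUris[$ClaimType]))"
if ((Read-Host 'This cannot be modified after install. Type YES to continue') -cne 'YES') { return }

# Unattended install. The operation involves restarting the AD FS service.
# Assumption: the installer accepts a quoted path after /p= (needed if the path contains spaces).
$installArgs = @("/p=`"$properties`"", "/ct=$($claimUris[$ClaimType])",
                 '/VERYSILENT', '/SUPPRESSMSGBOXES', '/AcceptTerms')
$proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -PassThru

# Assumption: a non-zero exit code indicates a failed installation.
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)." }
```

Run it from an elevated PowerShell session on the AD FS server. In a split DNS environment, pass `-ClaimType WindowsAccountName` as described above.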
