1. Function GenerateSQLScripts
   ADFS 2012 database name "AdfsConfiguration" is hardcoded in line 437.
   It is a bug; the DB update will fail on newer ADFS versions:
   2016 - AdfsConfigurationV3 and 2019 - AdfsConfigurationV4
2. Function Set-CertificateSharingContainerSecurity
   Note: requires domain admin permissions.
   ADFS property $ADFSProperties.CertificateSharingContainer will always be $null when running without domain admin rights.
   Service account permissions set by this function grant: #GenericRead , #CreateChild , #WriteProperty , #Self
   These are different from the permissions in this script https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-ad-fs-delegated-admin#script-for-preparing-ad : #GenericRead , #CreateChild , #WriteProperty, #WriteOwner , #DeleteTree , #WriteDACL
   Which permissions are the right ones?

Domain admin permissions should be listed in the requirements for the service account module.
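The following is an added example (not code from this issue or from the module it reports against) covering the two items above: resolving the AD FS configuration database name from the running service instead of hardcoding "AdfsConfiguration", and reading back the ACL on the certificate sharing container so the rights actually granted to the service account can be compared with an expected set. It assumes it runs on an AD FS server with the ActiveDirectory module installed; the function names, the `$ServiceAccount` placeholder and the default `$ExpectedRights` set are assumptions, and the expected set should be replaced with whichever of the two lists the maintainers confirm as correct.

```powershell
# Added example, not code from the issue or from the module being discussed.

function Get-AdfsConfigurationDatabaseName {
    [CmdletBinding()]
    param(
        # Optional connection string to parse; when omitted, it is read from the
        # local AD FS service through the root/ADFS WMI namespace.
        [string] $ConnectionString
    )
    if (-not $ConnectionString) {
        $sts = Get-CimInstance -Namespace 'root/ADFS' -ClassName 'SecurityTokenService'
        $ConnectionString = $sts.ConfigurationDatabaseConnectionString
    }
    # Initial Catalog carries the version-specific name:
    # AdfsConfiguration (2012), AdfsConfigurationV3 (2016), AdfsConfigurationV4 (2019)
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $ConnectionString
    $dbName = $builder.InitialCatalog
    if ([string]::IsNullOrEmpty($dbName) -or $dbName -notlike 'AdfsConfiguration*') {
        throw "Unexpected AD FS configuration database name '$dbName' in connection string"
    }
    return $dbName
}

function New-AdfsUseDatabaseStatement {
    # Builds the T-SQL USE line for a generated script from the resolved name.
    # Only a plain identifier is accepted so nothing else can end up in the script.
    param([Parameter(Mandatory)][string] $DatabaseName)
    if ($DatabaseName -notmatch '^[A-Za-z0-9_]+$') {
        throw "Refusing to emit USE for non-identifier database name '$DatabaseName'"
    }
    return "USE [$DatabaseName];"
}

function Get-AdfsCertificateSharingContainerRights {
    [CmdletBinding()]
    param(
        # Service account in DOMAIN\name form, e.g. 'CONTOSO\svc_adfs' (placeholder)
        [Parameter(Mandatory)][string] $ServiceAccount,
        # Assumed expected set; swap in the other list from the issue to compare that one
        [string[]] $ExpectedRights = @('GenericRead', 'CreateChild', 'WriteProperty', 'Self')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $container = (Get-AdfsProperties).CertificateSharingContainer
    if (-not $container) {
        # As the issue notes, this property reads as $null without domain admin rights.
        throw 'CertificateSharingContainer is null; run with domain admin rights to read it'
    }
    # Read the container's DACL through the AD: drive of the ActiveDirectory module
    $acl = Get-Acl -Path "AD:\$container"
    $rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
    # Flatten the Allow rules into a unique list of right names. Composite rights
    # (e.g. GenericRead) may be rendered as their component flags by .NET.
    $granted = @($rules |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.ActiveDirectoryRights.ToString() -split ',\s*' } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Container = $container
        Granted   = $granted
        Missing   = @($ExpectedRights | Where-Object { $_ -notin $granted })
        Extra     = @($granted | Where-Object { $_ -notin $ExpectedRights })
    }
}

# Usage on an AD FS server (placeholder account name):
# $db = Get-AdfsConfigurationDatabaseName
# New-AdfsUseDatabaseStatement -DatabaseName $db
# Get-AdfsCertificateSharingContainerRights -ServiceAccount 'CONTOSO\svc_adfs'
```

The database name is taken from the service's own `ConfigurationDatabaseConnectionString`, so the same code covers WID and SQL deployments and every version's catalog name without a version table. The ACL function returns `Missing` and `Extra` lists rather than a yes/no so the two candidate permission sets from the issue can be compared side by side before deciding which one the module should grant.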
I've been stuck on this for months because I didn't know that domain admin permissions are required. We were able to run the script without errors, set the SPN manually, and have all the sample post items completed, but we get error 1064 when trying to start the ADFS service. This is probably because of what you mentioned in item 2.
Old service account SID in ServiceSettingsData configuration after change

After a service account change, the SID of the old account still exists in the configuration data in:

```xml
<SecurityTokenService>....
<AllowedOnBehalfOfCallers><Sid>S-1-5-21-xxxxxxxx.....</Sid></AllowedOnBehalfOfCallers>....
</SecurityTokenService>
```

No idea what it is about, but it definitely looks strange. https://learn.microsoft.com/en-us/dotnet/api/microsoft.identityserver.policymodel.configuration.stsconfiguration.allowedonbehalfofcallers?view=adfs-2019#microsoft-identityserver-policymodel-configuration-stsconfiguration-allowedonbehalfofcallers
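As an added example (not from this issue or from the module), the check below parses a ServiceSettingsData document and reports every SID under `AllowedOnBehalfOfCallers` that is not the SID of the account the AD FS service currently runs as, which is the stale-SID symptom described above. The XML sample is constructed with placeholder SIDs; `Get-AdfsServiceAccountSid` resolves the account from the local `adfssrv` service, and the function names are assumptions. On a live system the XML would be read from the `ServiceSettingsData` column of the `IdentityServerPolicy.ServiceSettings` table in the configuration database.

```powershell
# Added example, not code from the issue or from the module being discussed.

function Get-AdfsServiceAccountSid {
    # Resolve the identity the AD FS service (adfssrv) runs as to its SID.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) { throw 'adfssrv service not found on this host' }
    $account = New-Object System.Security.Principal.NTAccount($svc.StartName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Find-StaleOnBehalfOfCallerSids {
    param(
        [Parameter(Mandatory)][string] $ServiceSettingsXml,
        [Parameter(Mandatory)][string] $CurrentServiceAccountSid
    )
    [xml]$doc = $ServiceSettingsXml
    # local-name() keeps the lookup working whatever data-contract namespace the
    # real document declares on its root element.
    $nodes = $doc.SelectNodes("//*[local-name()='AllowedOnBehalfOfCallers']/*[local-name()='Sid']")
    $stale = @()
    foreach ($node in $nodes) {
        $sid = $node.InnerText.Trim()
        if ($sid -ne $CurrentServiceAccountSid) { $stale += $sid }
    }
    # Unary comma keeps an empty or single-element result as an array
    return ,$stale
}

# Constructed sample with placeholder SIDs, shaped like the fragment quoted above
$sampleXml = @"
<ServiceSettingsData>
  <SecurityTokenService>
    <AllowedOnBehalfOfCallers>
      <Sid>S-1-5-21-1111111111-2222222222-3333333333-1001</Sid>
      <Sid>S-1-5-21-1111111111-2222222222-3333333333-1002</Sid>
    </AllowedOnBehalfOfCallers>
  </SecurityTokenService>
</ServiceSettingsData>
"@

# Placeholder for the current service account SID; on an AD FS server replace with:
# $currentSid = Get-AdfsServiceAccountSid
$currentSid = 'S-1-5-21-1111111111-2222222222-3333333333-1002'

$stale = Find-StaleOnBehalfOfCallerSids -ServiceSettingsXml $sampleXml -CurrentServiceAccountSid $currentSid
foreach ($sid in $stale) {
    Write-Output "Stale caller SID in AllowedOnBehalfOfCallers: $sid"
}
```

With the constructed sample this reports the `...-1001` SID as stale. The comparison is deliberately exact on the SID string rather than on account names, because a renamed or deleted old account will no longer resolve while its SID is what actually remains in the configuration.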