There is a lot of documentation about AD FS 3.0, the Active Directory Federation Services release that ships with Windows Server 2012 R2. For example, this series of tutorials walks you through the different steps to build a lab.
However, almost all articles assume that you have a simple single-domain forest to work with. When your forest has a root domain and one or more child domains, a few things are not very well documented:
- If you don't have a gMSA account, the service account that runs the AD FS service can reside in the child domain you're federating. It doesn't need any additional rights in the root domain.
- The AD FS servers (the internal member servers, not the proxies) need to talk to the Domain Controllers of the domain you're federating, which may seem obvious. Less obvious is that they also need to talk to the Domain Controllers of the forest root domain. If there is a firewall between the AD FS server and those root Domain Controllers, you must open the standard member-server-to-DC ports or the federation will not work. Symptoms include error messages such as Event ID 364 in the AD FS Admin log:
```
Encountered error during federation passive request....
Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
System.ComponentModel.Win32Exception (0x80004005): Failed to open ldap conection to yourdomain.com
```
Opening only the LDAP, LDAPS or GC ports is not enough: the AD FS server needs the regular set of ports a member server uses towards a Domain Controller, and it needs them towards both the child and the root Domain Controllers. That standard set, as documented by Microsoft, is DNS (53 TCP/UDP), Kerberos (88 TCP/UDP), NTP (123 UDP), RPC endpoint mapper (135 TCP), LDAP (389 TCP/UDP), SMB (445 TCP), Kerberos password change (464 TCP/UDP), LDAPS (636 TCP), Global Catalog (3268 and 3269 TCP) and the dynamic RPC range (49152-65535 TCP on Windows Server 2008 and later). The original post showed this as a picture of the port list, which also marked port 49443 as "client cert only"; the picture is not reproduced here.
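As an added example (not part of the original post), the following PowerShell script checks, from the internal AD FS server, that the TCP ports in the list above are reachable on every Domain Controller of both the federated domain and the forest root domain, and then reproduces the LDAP connection that fails in the Event ID 364 message by reading RootDSE of each domain. It assumes the AD FS server is joined to the domain being federated, that `Test-NetConnection` is available (it ships with Windows Server 2012 R2), and that the account running the script can read the forest; the variable and function names are the example's own.

```powershell
# Added example, not code from the original post. Run on the internal AD FS server.
# Assumption: the server is a member of the federated (child) domain; set
# $FederatedDomain explicitly if that is not the case.
$forest         = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

$FederatedDomain = $computerDomain.Name      # e.g. child.yourdomain.com
$RootDomain      = $forest.RootDomain.Name   # e.g. yourdomain.com

# TCP ports from Microsoft's documented member-server-to-DC set.
# UDP-only traffic (NTP 123, and the UDP side of DNS/Kerberos/kpasswd) and the
# dynamic RPC range (49152-65535) cannot be probed port-by-port here; see the note below.
$tcpPorts = @(
    @{ Name = 'DNS';             Port = 53   },
    @{ Name = 'Kerberos';        Port = 88   },
    @{ Name = 'RPC EPM';         Port = 135  },
    @{ Name = 'LDAP';            Port = 389  },
    @{ Name = 'SMB';             Port = 445  },
    @{ Name = 'Kerberos kpasswd'; Port = 464 },
    @{ Name = 'LDAPS';           Port = 636  },
    @{ Name = 'GC';              Port = 3268 },
    @{ Name = 'GC SSL';          Port = 3269 }
)

function Test-DcPorts {
    # Enumerate every DC of $DomainName and probe each TCP port once.
    param([Parameter(Mandatory)][string]$DomainName)

    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

    foreach ($dc in $domain.DomainControllers) {
        foreach ($p in $tcpPorts) {
            $r = Test-NetConnection -ComputerName $dc.Name -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Domain = $DomainName
                DC     = $dc.Name
                Port   = $p.Port
                Name   = $p.Name
                Open   = $r.TcpTestSucceeded
            }
        }
    }
}

function Test-LdapRootDse {
    # The operation AD FS fails on in the Event ID 364 above: open an LDAP
    # connection to the domain and read RootDSE. [ADSI] binds lazily, so the
    # property read is what actually triggers the connection.
    param([Parameter(Mandatory)][string]$DomainName)
    try {
        $rootDse = [ADSI]"LDAP://$DomainName/RootDSE"
        [pscustomobject]@{ Domain = $DomainName; LdapOk = $true;  Detail = [string]$rootDse.defaultNamingContext }
    } catch {
        [pscustomobject]@{ Domain = $DomainName; LdapOk = $false; Detail = $_.Exception.Message }
    }
}

$results = @()
$results += Test-DcPorts -DomainName $FederatedDomain
$results += Test-DcPorts -DomainName $RootDomain   # the part that is usually forgotten

"Blocked TCP ports (empty means all probed ports are open):"
$results | Where-Object { -not $_.Open } | Format-Table Domain, DC, Port, Name -AutoSize

"LDAP RootDSE read per domain:"
$FederatedDomain, $RootDomain | ForEach-Object { Test-LdapRootDse -DomainName $_ } | Format-Table -AutoSize
```

A port that is closed on a root DC but open on the child DCs is the usual cause of the "Failed to open ldap connection" error above. The script only probes TCP; to cover the rest of the standard set, confirm the secure channel and time sync from the same server with `nltest /sc_verify:yourdomain.com` and `w32tm /stripchart /computer:<root DC>`, and check the firewall rules for the dynamic RPC range rather than trying to probe 16,000 ports.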
Hi,
If I have no child DC, do I still need the ports listed enabled?
So ADFS Proxy is only used when there are external clients out on the internet?
Am I correct to state this as an example:
A cloud service where a user needs to enter his DC credentials to authenticate.
Thanks!
If you don’t have any child DC, all requests will go to the DC as both “root” and “child”, so all ports are needed.
ADFS Proxy is used as a machine in the DMZ to relay the authentication to and from the “external world”.
Thank you very much for your reply. So if I intend ADFS to be used only in a private network, I don't need an ADFS proxy, and internal clients will not have to go through the proxy?
What does it mean “client cert only”?
So from internet to ADFS proxy, only traffic on 443 is allowed, then adfs proxy to adfs only 443 is allowed?
Exactly. If you're hosting an application internally which requires SAML, etc., you do not need the ADFS Proxy. However, as soon as you need to access an external service, or give access to an internal service to people outside your AD, it is a best practice to implement it.
Port 49443 needs to be opened only if you are using a client certificate to authenticate the client. If you are using other mechanisms (user/password, additional MFA plugins), it is not required.