ADFS 3.0 Firewall Ports in root-child domains 4

There is a lot of documentation about AD FS 3.0, the Active Directory Federation Services that comes with Windows 2012 R2. For example, this series of tutorials walks you through the different steps to build a lab.

However almost all articles assume that you have a simple single domain forest to work with. When your forest has a root domain and one or more child domains, there are a few things which are not very well documented:

  • If you don’t have gMSA account, the account to run the AD FS service can reside in the child domain you’re federating. It doesn’t need additional rights in the root domain
  • The AD FS Servers (not the proxies, but the internal member servers) need to talk to the Domain Controllers of the domain you’re federating, which may seem obvious. However they also need to speak to the Domain Controllers of the root domain. If you have firewall between the AD FS Server and those Domain Controllers you must open the standard ports for the federation to work. Symptoms include error messages such as Event ID 364

    Opening the LDAP, LDAPS or GC ports is not enough, the regular range between a member server and a Domain Controller, as shown on the following picture:ADFS-architecture-Root-Child-Domain

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

4 thoughts on “ADFS 3.0 Firewall Ports in root-child domains

  • Janus Barinan


    If I have no child DC do I still need the ports listed enabled?

    So ADFS Proxy is only used when there are external clients out the internet?
    Am I correct to state this as an example:
    A cloud service where a user needs to enter his DC credentials to authenticate.


    • Dimitri Post author

      If you don’t have any child DC, all requests will go to the DC as both “root” and “child”, so all ports are needed.
      ADFS Proxy is used as a machine in the DMZ to relay the authentication to and from the “external world”.

      • Janus

        Thank you very much for your reply. So if I intend adfs to be used only in private network I dont need adfs proxy and internal clients will not have to go through proxy?

        What does it mean “client cert only”?

        So from internet to ADFS proxy, only traffic on 443 is allowed, then adfs proxy to adfs only 443 is allowed?

        • Dimitri Post author

          Exactly. If you’re hosting an application internally which requires SAML, etc., you do not need the ADFS Proxy. However as soon as you need to access or an external service or let access to an internal service to people outside your AD, it is a best practice to implement it.
          The port 49443 need to be opened if you are using client certificate to authenticate the client only. If you are using other mechanisms (user/password, additional MFA plugins), it is not required.