The last couple of weeks I was involved in deploying a new Active Directory Federation Services (ADFS) 2016 at a customer. This customer had planned to use an ADFS farm of 4 ADFS servers and 4 ADFS proxy nodes. The ADFS servers were using Windows Internal Database (WID) synchronization between the ADFS nodes to sync the configuration. This synchronization sends unencrypted traffic over port 80 to the other ADFS nodes. The information which is sent is only configuration data of the ADFS environment, not usernames and passwords. But still, the information is sent over HTTP to the other ADFS nodes. Since this configuration was not acceptable for the customer, we needed to change it. In this blogpost I want to share which actions we performed to change the ADFS configuration, since this information is not completely documented at this moment.
In this blogpost I will focus on changing the port of the ADFS WID synchronization; the other solution is to use a SQL database instead of the WID internal database. With a SQL database configuration you can configure encryption and all ADFS nodes will talk directly to the database. But when you have planned to implement a highly available ADFS environment, the SQL environment should be highly available as well, and a highly available SQL environment can become expensive very fast. Based on the costs the customer decided to keep using WID synchronization but to change the port from the standard 80 to a custom port. In this blogpost I use port 8080 as the custom port. The following actions need to be performed to change the ADFS WID synchronization:
- Change the Synchronization port on the primary ADFS server;
- Configure the secondary ADFS nodes to use the custom synchronization port;
- Configure the ADFS Proxy (WAP) server to use the custom port;
Note that you will need to change the ADFS proxy servers as well. The documentation is not always very clear about this, but without that change we ended up with a non-working ADFS environment, so you have to change the configuration on these servers too. Each step consists of the commands which need to be executed. Before you start changing your ADFS environment, make sure that the firewalls between the ADFS nodes and the ADFS proxy nodes are configured to allow the custom port. Also important to mention: if you have a load balancer in front of your ADFS servers, this new custom port needs to be added to the load balancer configuration. Once you have configured the network components you can start with the primary ADFS server. The following actions need to be performed on the primary ADFS server:
- Run the following command as administrator on the primary node: netsh http add urlacl url=http://+:8080/adfs/ user="NT SERVICE\adfssrv" listen=yes delegate=yes
- Run the following PowerShell command as administrator on the primary node: Set-AdfsProperties -HttpPort 8080
- Restart the ADFS service
After changing the configuration on the primary ADFS node you will need to change the configuration on all other 'secondary' nodes of the ADFS farm. You can do this by executing the following commands:
- Run the following command as administrator on the secondary nodes: netsh http add urlacl url=http://+:8080/adfs/ user="NT SERVICE\adfssrv" listen=yes delegate=yes
- Run the following PowerShell command as administrator on the secondary nodes: Set-AdfsSyncProperties -PrimaryComputerPort 8080
- Restart the ADFS service
The last step is to configure the ADFS proxy nodes. The proxy nodes need this configuration change so that the certificate rollover between the ADFS nodes and the ADFS proxy nodes keeps working. The following action needs to be performed on the ADFS proxy nodes:
- Run the following command as administrator on the ADFS proxy nodes: netsh http add urlacl url=http://+:8080/adfs/ user="NT SERVICE\adfssrv"
If you want to check whether the synchronization between the ADFS nodes is working as expected, you can look for event 348 in the ADFS event log of the secondary nodes, or use the PowerShell cmdlet Get-AdfsSyncProperties. The results of the cmdlet show the configured primary ADFS server and port and the last synchronization result. If you want to check whether the ADFS proxy nodes can communicate over the new custom port, look for the certificate rollover event 396. If you want to be sure, you can also renew the ADFS proxy trust.
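As an added verification script (not part of the original post), the checks above combined into one PowerShell script that you run elevated on any farm node after the change. It assumes the custom port 8080 from this post, that the ADFS PowerShell module is available, and that events 348 and 396 are written to the 'AD FS/Admin' log; the Get-NetTCPConnection listener check is an extra assumption on top of what the post describes.

```powershell
# Added verification script for the custom WID sync port (not from the original post).
# Assumes port 8080 as in the post, an elevated session on an ADFS farm node, and the
# 'AD FS/Admin' event log as the location of events 348 (sync OK) and 396 (cert rollover).
param([int]$Port = 8080, [int]$EventLookbackHours = 24)

$result = [ordered]@{}

# 1. The HTTP.sys URL reservation must exist for the ADFS service account,
#    otherwise the service cannot bind the custom port at all.
$urlacl = netsh http show urlacl url="http://+:$Port/adfs/"
$result.UrlAclPresent = @($urlacl -match 'NT SERVICE\\adfssrv').Count -gt 0

# 2. Role-specific configuration: the primary must listen on the port,
#    the secondaries must poll the primary on that port.
$sync = Get-AdfsSyncProperties
$result.Role = $sync.Role
if ($sync.Role -eq 'PrimaryComputer') {
    $result.HttpPortConfigured = ((Get-AdfsProperties).HttpPort -eq $Port)
} else {
    $result.PrimaryComputerPortConfigured = ($sync.PrimaryComputerPort -eq $Port)
    $result.LastSyncStatus = $sync.LastSyncStatus   # 0 means the last pull from the primary succeeded
    $result.LastSyncTime   = $sync.LastSyncTime
}

# 3. Confirm a listener is actually bound on the custom port (assumption: NetTCPIP module present).
$result.Listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

# 4. Count recent sync (348) and proxy certificate rollover (396) events.
$since  = (Get-Date).AddHours(-$EventLookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 348, 396; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$result.SyncEvents348     = @($events | Where-Object Id -eq 348).Count
$result.RolloverEvents396 = @($events | Where-Object Id -eq 396).Count

# Emit one object so the output can be compared across all farm and proxy nodes.
[pscustomobject]$result
```

On a secondary node a healthy result shows UrlAclPresent and PrimaryComputerPortConfigured as True, LastSyncStatus 0 and a non-zero SyncEvents348 count; a zero RolloverEvents396 count within the lookback window is only meaningful if a certificate rollover was expected in that period.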
I hope that the above information will help you if you want to change the configuration. We have performed the above actions closely with Microsoft Premier Support. So if you are not sure about changing the ADFS configuration, validate the above steps in your test environment first.