ADFS: Error when joining a server to a farm

Hi all,

During an ADFS farm extension I am doing for a customer, I followed all the TechNet documentation regarding the network prerequisites (flows and ports). Unfortunately, it was not enough!

Existing and target architecture

The existing architecture is a two-member ADFS 3.0 farm, load balanced by a hardware load balancer. We also have two load-balanced WAP (Web Application Proxy) servers proxying external connections.

[Figure: ADFS-Migration-Source, the existing architecture]

The goal is to add two additional ADFS federation servers and two WAP servers in a secondary datacenter. In our case, Azure is used as the datacenter extension.

[Figure: ADFS-Migration-target, the target architecture]

The two sites (on-premises and Azure) are connected via a VPN connection that will soon be upgraded to an ExpressRoute circuit for better performance and availability. Traffic between the two sites is filtered by an on-premises firewall and by Azure NSGs, so understanding the firewall requirements for ADFS server-to-server communication is mandatory in our case. This post does not discuss the ADFS extension itself but an issue you may encounter during the server join step.

According to the Microsoft documentation, the only ports needed for communication between two ADFS servers (and between the WAP servers and the farm) are the ones in the table below. Honestly, you will not find a complete answer anywhere; the closest is this TechNet forum thread:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/0d876e9d-97e1-4aea-9bdf-1ebaf6fb6fca/adfs-federation-server-replication-ports?forum=winserverDS


Source        Target                  Protocol  Port
ADFS server   ADFS server             tcp       443
Internet      WAP server (or VIP)     tcp       443, 49443
WAP server    ADFS server (or VIP)    tcp       443, 49443


Adding the server to the farm

After having this port authorized, I added the ADFS role and began adding the server to the existing farm.

Obviously I received the following error:

[Screenshot: Snap 2015-07-21 at 14.31.29, the join error dialog]

Unable to retrieve conflict information from the primary server

The specified dns name of the primary federation server could not be resolved. Verify that the DNS name is correct, and that the ADFS service is running on the primary federation server and try again.

I checked everything: ping tests, telnet tests, DNS tests... Still unable to add the server. Finally I decided to install Wireshark to see what the server is trying to do during the configuration phase.

Look at the result:

[Screenshot: Snap 2015-07-21 at 14.31.59, the Wireshark capture taken during the join]

Yes, the server is trying to communicate with the primary ADFS server on port 80.

I asked the network team to authorize traffic on this port, and it worked like a charm.
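As an added example (this is not code from the original post), here is the pre-flight check I would run on the server being joined before calling Add-AdfsFarmNode. It resolves the primary server, tests TCP 80 and 443 in the direction that matters (joining server to primary), records a packet capture with the built-in netsh trace instead of installing Wireshark, and only then joins the farm. The hostname, capture path and certificate thumbprint are placeholders. Note that Add-AdfsFarmNode exposes a -PrimaryComputerPort parameter for the HTTP connection to the primary, and its default value is 80, which matches the port seen in the capture.

```powershell
# Added example, not from the original post. Run on the server you want to join,
# in an elevated PowerShell session, before Add-AdfsFarmNode.
# Placeholders (assumptions): primary server FQDN, trace file path, SSL certificate thumbprint.
$PrimaryFederationServer = 'adfs01.corp.contoso.com'
$TraceFile               = 'C:\Temp\adfs-join.etl'

# 1. Name resolution: the join error blames DNS, so rule that out first.
$primaryIp = Resolve-DnsName -Name $PrimaryFederationServer -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object -First 1 -ExpandProperty IPAddress
"Primary $PrimaryFederationServer resolves to $primaryIp"

# 2. TCP reachability from this server to the primary on both ports the join needs:
#    443 (documented) and 80 (seen in the capture). Only this direction has to be open.
$portChecks = foreach ($port in 80, 443) {
    $result = Test-NetConnection -ComputerName $PrimaryFederationServer -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $PrimaryFederationServer; Port = $port; Open = $result.TcpTestSucceeded }
}
$portChecks | Format-Table -AutoSize
$blocked = $portChecks | Where-Object { -not $_.Open }
if ($blocked) {
    throw "TCP $($blocked.Port -join ', ') to $PrimaryFederationServer is blocked; fix the firewall/NSG rule before joining."
}

# 3. Capture the traffic to the primary during the join with the built-in tracer (no Wireshark needed).
#    Convert the .etl afterwards with etl2pcapng if you want to open it in Wireshark.
New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null
netsh trace start capture=yes IPv4.Address=$primaryIp tracefile=$TraceFile maxsize=200 overwrite=yes

try {
    # 4. Join the WID farm. -PrimaryComputerPort is the HTTP port used to reach the primary; its
    #    default is 80, the port observed in the capture. The SSL certificate must already be
    #    installed in LocalMachine\My on this server.
    $serviceCred = Get-Credential -Message 'ADFS service account (DOMAIN\svc_adfs)'
    Add-AdfsFarmNode -PrimaryComputerName $PrimaryFederationServer `
                     -PrimaryComputerPort 80 `
                     -ServiceAccountCredential $serviceCred `
                     -CertificateThumbprint 'REPLACE_WITH_SSL_CERT_THUMBPRINT'
}
finally {
    netsh trace stop
}
```

If step 2 reports port 80 closed while 443 is open, you are in exactly the situation described in this post: the firewall rule to add is from the joining server to the primary on TCP 80, and the capture from step 3 will show the failed connection attempts.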

So port 80 has to be added to the port requirements:

Source        Target                  Protocol  Port
ADFS server   ADFS server             tcp       443, 80*
Internet      WAP server (or VIP)     tcp       443, 49443
WAP server    ADFS server (or VIP)    tcp       443, 49443

* Try first to open the port only from the server you want to join to the primary ADFS server (not in both directions). I think this port is used just for a connectivity test or to initiate the connection, then the traffic is switched to 443.