Mar 15 2018 06:25 AM
We currently have the following setup:
Now my question:
Which ports do I need to open between the ADFS servers in the Contoso.com forest and the Domain Controllers in the Fabrikam.com forest in order to successfully authenticate those Fabrikam users?
Unfortunately, the docs under https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements do not specify the ports. We currently only opened 443 between the ADFS and the DCs in the Fabrikam forest but what do we need to open to make it work exactly?
Aug 15 2018 06:33 PM
Same scenario for me right now and I am wondering if you ever resolved this one?
Aug 16 2018 04:28 AM
443 is not enough, unless Fabrikam has their own ADFS.
I think that you need at least 389 and 636 (SSL) for LDAP, but here is the full list of possible ports: https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-w...
Aug 16 2018 05:50 PM - edited Aug 16 2018 05:51 PM
I'm thinking client to ADFS server communications from the fabrikam.com clients in the other forest to the ADFS server(s) in contoso.com are also required by:
- Opening port 443 on the firewall so the fabrikam.com clients can talk to adfs.contoso.com over HTTPS.
- Using split DNS and a conditional forwarder to adfs.contoso.com in the fabrikam.com DNS servers so they can resolve the address across the VPN/direct tunnel, if it exists.
- Adding adfs.contoso.com to the Intranet zone for fabrikam.com clients via GPO.
- fabrikam.com clients should bypass proxies when accessing adfs.contoso.com.
Will test this in my lab and get back with the results.
Aug 17 2018 03:44 AM
Yes, I got this working! I used all of the ports listed in the AD section here (https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-w...) and also added Kerberos tcp/88. I also implemented the other communications I suggested and SSO to office.com from the trusted forest works beautifully.
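As an added example (not posted by anyone in this thread), here is a PowerShell check you can run on a contoso.com ADFS server to confirm that the Fabrikam domain controllers are reachable on the ports the thread settled on, and that the ADFS name itself resolves and answers on 443. The domain and host names are assumptions; it also assumes the conditional forwarder for fabrikam.com is already in place, since DC discovery relies on it.

```powershell
# Added example, not from the thread. Run on a contoso.com ADFS server.
# Hostnames below are assumptions; replace them with your own.
$fabrikamDomain = 'fabrikam.com'
$adfsFqdn       = 'adfs.contoso.com'

# Ports named in the thread: HTTPS, Kerberos (TCP), LDAP and LDAPS.
# The complete AD list (global catalog 3268/3269, SMB 445, RPC, ...) is in KB 832017.
$ports = @{
    443 = 'HTTPS'
    88  = 'Kerberos'
    389 = 'LDAP'
    636 = 'LDAPS'
}

# Discover the Fabrikam DCs from the _ldap SRV record. If this fails, the
# conditional forwarder / split DNS step has not been done yet.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$fabrikamDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# Test-NetConnection only exercises TCP, so UDP-based traffic such as
# Kerberos udp/88 or DNS udp/53 is not covered by this check.
$results = foreach ($dc in $dcs) {
    foreach ($port in $ports.Keys) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Service          = $ports[$port]
            Reachable        = $t.TcpTestSucceeded
        }
    }
}
$results | Sort-Object DomainController, Port | Format-Table -AutoSize

# Anything still blocked is exactly what the firewall rule needs to open.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.DomainController):$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this host: $list"
}

# Reverse direction: does this host resolve the ADFS name and reach it on 443?
Test-NetConnection -ComputerName $adfsFqdn -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run the same script from a fabrikam.com client to confirm the client-to-ADFS path over 443 that the thread describes; only the final check is relevant there.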