cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

O365 Multi forest ADFS <> Domain Controller Communication

Stephan Bisser
Brass Contributor

‎Mar 15 2018 06:25 AM

‎Mar 15 2018 06:25 AM

O365 Multi forest ADFS <> Domain Controller Communication

We currently have the following setup:

  • 2 AD forests (with a 2way trust)
    • Contoso.com
    • Fabrikam.com
  • ADFS & AADC deployed in the Contoso.com forest connected to the O365 tenant
  • AADC is syncing users from both forests to AAD
    • ADFS successfully authenticates users in the Contoso.com forest but doesn't authenticate users in the Fabrikam.com forest (the sign in page just loads 1-2 minutes and just refreshes then without an error or anything)

 

Now my question:

Which ports do I need to open between the ADFS servers in the Contoso.com forest and the Domain Controllers in the Fabrikam.com forest in order to successfully authenticate those Fabrikam users?

 

Unfortunately, the docs under https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements do not specify the ports. We currently only opened 443 between the ADFS and the DCs in the Fabrikam forest but what do we need to open to make it work exactly?

Labels:
2,723 Views
1 Like
5 Replies
Reply
5 Replies

‎Aug 15 2018 06:33 PM

‎Aug 15 2018 06:33 PM

Re: O365 Multi forest ADFS <> Domain Controller Communication

Same scenario for me right now and I am wondering if you ever resolved this one?

0 Likes
Reply
Nestori Syynimaa

‎Aug 16 2018 04:28 AM

‎Aug 16 2018 04:28 AM

Re: O365 Multi forest ADFS <> Domain Controller Communication

443 is not enough, unless Fabricam has their own ADFS.

I think that you need at least 389 and 636 (SSL) for LDAP, but here is the full list of possible ports: https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-w...

 

0 Likes
Reply

‎Aug 16 2018 05:50 PM - edited ‎Aug 16 2018 05:51 PM

‎Aug 16 2018 05:50 PM - edited ‎Aug 16 2018 05:51 PM

Re: O365 Multi forest ADFS <> Domain Controller Communication

I'm thinking client to ADFS server communications from the fabrikam.com clients in the other forest to the ADFS server(s) in contoso.com are also required by:

- Opening port 443 on the firewall so the fabrikam.com clients can talk to adfs.contoso.com over HTTPS.

- Use split DNS and a conditional forwarder to adfs.contoso.com in the fabrikam.com DNS servers so they can resolve the address across the VPN/direct tunnel, if it exists. 

- Adding adfs.contoso.com to the Intranet zone for fabrikam.com clients via GPO.

- fabrikam.com clients should bypass proxies when accessing adfs.contoso.com.

 

Will test this in my lab and get back with the results.

0 Likes
Reply

‎Aug 17 2018 03:44 AM

‎Aug 17 2018 03:44 AM

Re: O365 Multi forest ADFS <> Domain Controller Communication

Yes I got this working! I used all of the ports listed in the AD section here (https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-w...) and also added Kerberos tcp/88. I also implemented the other communications I suggested and SSO to office.com from the trusted forest works beautifully.

0 Likes
Reply