2

I am trying to move my ADFS / WAP to the cloud to give better resilience after experiencing a recent failure.

In part to save on VM costs, I am using just 2 VMs, with ADFS installed on a domain controller, and the WAP on a separate machine. It seems like lots of people recommend running ADFS on a domain controller.

I'm a bit stuck though when it comes time to configure the Web Application Proxy. It asks for a local administrator account on the ADFS server...in this case, I'd have to add the account to MyDomain\Administrators, a pretty high-risk group. This doesn't really fit with the idea of running ADFS on a DC.

When starting the WAP post-install configuration, I am looking at the Federation Server page, where it asks for the Federation Service Name, and just below it prompts for a local administrator account on the ADFS server. There is no local administrators group on the DC of course, only the equivalent Domain\Administrators group which gives access to modifying the domain itself.

Is there a way around this, besides taking the ADFS role off of the DC? A more limited account maybe? Or is this lower risk than it seems at first glance?

Quinten
  • 1,056

2 Answers

1

OK, I found this: http://goodworkaround.com/node/53 and reading closely, it says that the admin credentials are not saved but are only used to create the initial proxy trust. This is NOT made clear by the Microsoft documentation I could find, but I am going to trust it.

Quinten
  • 1,056
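For reference, here is how the same post-install step looks when driven from PowerShell on the WAP host rather than the wizard. This is an added example, not code from the question or either answer; the federation service name and certificate thumbprint are placeholders, and the credential is prompted for interactively so nothing is stored in the script. It illustrates the point in the answer above: the ADFS-side administrator credential is consumed once by `Install-WebApplicationProxy` to establish the proxy trust, and later checks such as `Get-WebApplicationProxyConfiguration` do not need it.

```powershell
# Added example (not from the original question or answers). Run in an
# elevated PowerShell session on the Web Application Proxy host after the
# Remote Access role with the Web Application Proxy service is installed.
# Placeholders: 'sts.example.com' and the thumbprint are assumed values.

# Prompt for the account that is a local administrator on the ADFS server.
# When ADFS runs on a domain controller this is a Domain Admins member, as
# the question notes; the object lives only in this session's memory.
$trustCred = Get-Credential -Message 'Administrator on the ADFS server (used once to create the proxy trust)'

# Thumbprint of the service communications certificate already present in
# the WAP machine certificate store (placeholder value).
$thumbprint = 'PLACEHOLDER_THUMBPRINT'

# Establish the proxy trust with the federation service. The credential is
# passed to this cmdlet only; it is not persisted by WAP for later use.
Install-WebApplicationProxy `
    -FederationServiceName 'sts.example.com' `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $thumbprint

# Drop the credential object as soon as the trust exists.
$trustCred = $null

# Verify the resulting configuration; this query needs no ADFS credential.
Get-WebApplicationProxyConfiguration
```

Because the credential is prompted with `Get-Credential` and cleared right after the trust is created, the high-privilege account never sits in a script or a scheduled task on the DMZ host, which is the main exposure to avoid when the ADFS administrator account is also a Domain Admin.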
0

I used a domain admin account for our ADFS service even though it's not on the DC. I probably misread it and thought it required a domain admin. I made a dedicated account for it, and the ADFS server is inside the firewall and we are running a WAP that is not joined to the domain in the DMZ. For us that is reasonable security.

If you really don't want to use a domain admin account, you'll have to take it off the DC.

Todd Wilcox
  • 2,883