AD FS 2.0: How to Change the net.tcp Ports for Services and Administration

Active Directory Federation Services (AD FS) 2.0 uses two net.tcp ports for functions of the Federation Service:

Services net.tcp port - 1501
Administration net.tcp port - 1500

If another application or service is already listening on either of these ports when the AD FS 2.0 service starts, the service cannot bind to it and the corresponding function fails. You can configure AD FS 2.0 to listen on different net.tcp ports in order to avoid the conflict.

The steps below detail the supported method for changing the Services or Administration net.tcp ports in AD FS 2.0:

Note: In the steps, the example new ports are:
Services - 1601
Administration - 1600


To change the services net.tcp port from 1501 to 1601

1. Launch Windows PowerShell as an administrator on the federation server.
2. Add the AD FS 2.0 PowerShell snap-in:

    Add-PSSnapin Microsoft.Adfs.PowerShell

3. Configure the Services net.tcp port via the Set-ADFSProperties cmdlet:

    Set-ADFSProperties -NetTcpPort 1601

4. Confirm the change by checking the NetTcpPort value in the output of:

    Get-ADFSProperties

5. Restart the AD FS 2.0 Windows Service in the Services console so that it starts listening on the new port.


To change the administration net.tcp port from 1500 to 1600

1. Launch Windows PowerShell as an administrator on the federation server.
2. Get the SecurityTokenService WMI object into a $temp variable:

    $temp = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService

3. Set the ConfigurationServiceAddress property to the new net.tcp address using the new port (only the port changes; keep the net.tcp://localhost prefix and the /policy path):

    $temp.ConfigurationServiceAddress = "net.tcp://localhost:1600/policy"

4. Write your change back to the object:

    $temp.Put()

5. Restart the AD FS 2.0 Windows Service in the Services console.
6. Verify the change from an elevated Command Prompt:
    a. netstat -anob > netstat.txt
    b. Open netstat.txt in Notepad
    c. Search for 1600 and confirm there is a LISTENING entry for that port
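The two procedures above, combined into one script, as an added example that is not part of the original article. It checks that each new port is actually free before handing it to AD FS, then applies both changes and verifies them. The port values are the article's example values; the service name adfssrv (the AD FS 2.0 Windows Service) is not stated in the article and is assumed here. Run it in an elevated Windows PowerShell session on the federation server.

```powershell
# Added example (not from the original article): change both AD FS 2.0 net.tcp ports
# from an elevated Windows PowerShell session on the federation server.
# Assumptions: 1601/1600 are the article's example ports; 'adfssrv' is the short
# name of the AD FS 2.0 Windows Service (not given in the article).
param(
    [int]$ServicesPort = 1601,
    [int]$AdminPort    = 1600
)

# Try to bind each new port ourselves first: moving AD FS onto a port that is
# already taken would just recreate the conflict the article describes.
function Test-PortFree {
    param([int]$Port)
    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    try     { $listener.Start(); return $true }
    catch   { return $false }
    finally { $listener.Stop() }
}

foreach ($p in @($ServicesPort, $AdminPort)) {
    if (-not (Test-PortFree -Port $p)) { throw "TCP port $p is already in use; choose a different port." }
}

# Load the AD FS 2.0 snap-in once; Add-PSSnapin errors if it is already loaded.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Services port: an AD FS property, changed with the supported cmdlet.
Set-ADFSProperties -NetTcpPort $ServicesPort

# Administration port: only the port inside the SecurityTokenService WMI object's
# ConfigurationServiceAddress changes; scheme, host and the /policy path stay as they are.
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$sts.ConfigurationServiceAddress = "net.tcp://localhost:$AdminPort/policy"
$null = $sts.Put()

# Both settings are read at service start.
Restart-Service -Name adfssrv

# Verify: what is stored, then what is actually listening (netstat -ano shows the owning PID).
"Configured services port: " + (Get-ADFSProperties).NetTcpPort
"Configured admin address:  " + (Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService).ConfigurationServiceAddress
netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:($ServicesPort|$AdminPort)\s.*LISTENING"
```

The final netstat line should show a LISTENING entry for each new port; if one is missing after the restart, check the AD FS 2.0/Admin event log before assuming the change was applied.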

Symptoms of port conflict

If port 1501 is taken by another process at the time the AD FS 2.0 service starts, you will find event ID 364 in the AD FS 2.0/Admin event log with the following description:

MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.TimeoutException: The open operation did not complete within the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The socket transfer timed out after 00:01:00. You have exceeded the timeout set on your binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
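A diagnostic for this symptom, as an added example that is not part of the original article: it finds which process is listening on the services port and pulls the event ID 364 entries whose MSIS7004 text names that port. The port is the article's default; the log name is the one the article gives. Run it in an elevated Windows PowerShell session on the federation server.

```powershell
# Added example (not from the original article): identify what holds the AD FS 2.0
# services port and list the matching event ID 364 / MSIS7004 entries.
# Assumption: 1501 is the article's default services port.
param([int]$Port = 1501)

# Parse netstat -ano rather than Get-NetTCPConnection, which is not available on the
# Windows Server 2008 R2 hosts AD FS 2.0 typically runs on. Matches IPv4 and IPv6
# listeners and maps the owning PID to a process name.
function Get-PortOwner {
    param([int]$Port)
    foreach ($line in (netstat -ano)) {
        if ($line -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $ownerPid = [int]$matches[1]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            New-Object PSObject -Property @{ Port = $Port; OwnerPid = $ownerPid; Process = $name }
        }
    }
}

# Event 364 from the AD FS 2.0/Admin log, narrowed to the MSIS7004 text that names this port.
function Get-AdfsPortConflictEvent {
    param([int]$Port)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 364 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS7004' -and $_.Message -match "net\.tcp://localhost:$Port/" }
}

$owners = @(Get-PortOwner -Port $Port)
if ($owners.Count -eq 0) {
    "Nothing is listening on TCP $Port. If the AD FS 2.0 service is running, the MSIS7004 error has another cause."
} else {
    $owners | Format-Table Port, OwnerPid, Process -AutoSize
}

Get-AdfsPortConflictEvent -Port $Port |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Two things to keep in mind when reading the output: the MSIS7004 text itself says the service may simply not be running, so a port conflict is only confirmed when a process other than AD FS shows up as the listener; and where Net.TCP Port Sharing is in use, the listener shown is SMSvcHost.exe rather than the application process, so check the sharing service's registrations before treating that as a conflict.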

Community Resources

Net.TCP Port Sharing

http://msdn.microsoft.com/en-us/library/ms734772.aspx

Comments
  • Is port 1501 used for any communication between ADFS Proxy and ADFS Federation servers?