Resources For IT Professionals
Post an article
Wikis - Page Details
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

To change or update the AD FS 2.0 service identity for a federation server farm requires additional changes beyond that of updating the logon user for the service in the Services node in Server Manager.

The service identity for Active Directory Federation Service (AD FS) 2.0 is the Windows user account that is used to logon and run the AD FS 2.0 Windows service when it is started. By default, the built-in NTAUTHORITY\NETWORK SERVICE account is used unless you create a Windows user account that you have updated your AD FS 2.0 installation to use.

This topic discusses the steps involved in changing the service user for a federation server farm. This procedure might be useful if you have more than one federation server farm and want to assign a different service user identity to each farm.

To change or update the service identity for a federation server farm

  1. Create the new AD FS 2.0 service identity account as a domain user account.
  2. Update the user account used by the AD FS 2.0 Windows Service on each federation server joined to the farm using the following steps.
     
    1. Open the Services node in Server Manager.
    2. In the details pane, right-click AD FS 2.0 Windows Service and then click Properties.
    3. Click the Log On tab, click This account, click Browse, and then specify the new domain user account you created in the previous step in the Select User dialog box. When you are finished, click OK.
    4. Type the password that is assigned for the user account in the Password box and in the Confirm password box, and then click OK.
    5. Repeat this procedure on each federation server in the farm.
  3. Update the ADFSAppPool application pool identity on each federation server joined to the farm.

    For more information, see the section “Verify the AD FS 2.0 application pool configuration” in     Things to Check Before Troubleshooting AD FS 2.0.
  4. Use Active Directory Users and Computers to update the access control list (ACL) for the PKI objects that are created in Active Directory domain data (domain\Program Data\Microsoft\ADFS\GUID) to grant the new service user account any read/write permissions it requires (i.e. allow all permissions except Full control and Delete all child objects).

 

, , [Edit tags]
Leave a Comment
  • Please add 3 and 7 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 30 May 2013 1:00 PM

    What permissions does the service account need to have?

  • Posted by
    on 3 Jun 2011 6:53 PM

    Brad Mahugh MSFT edited Revision 5. Comment: An error caused this content to be removed.  

Page 1 of 1 (2 items)