The last couple of weeks I was involved in deploying a new Active Directory Federation Services (ADFS) 2016 farm at a customer. This customer had planned an ADFS farm of 4 ADFS servers and 4 ADFS proxy nodes. The ADFS servers were using the Windows Internal Database (WID), which synchronizes the configuration between the ADFS nodes. This synchronization sends unencrypted traffic over port 80 to the other ADFS nodes. The information that is sent is only configuration data of the ADFS environment, not usernames and passwords, but it is still sent over plain HTTP to the other ADFS nodes. Since this configuration was not acceptable for the customer, we needed to change it. In this blog post I want to share the actions we performed to change the ADFS configuration, since this information is not completely documented at this moment.