ADFS understanding needed

czql5v 221 Reputation points
2020-07-20T08:28:23.263+00:00

Hi All,

I have been asked quite a few questions about our infrastructure and in particular ADFS (Active Directory Federation Services). I have no idea as I don't have anything to do with Federated Services. I don't even know if it is set up in our Domain. I basically need to find out if we have Federation Services installed. Would anyone have any advice on how to check if we even have Federation Services installed on our Domain?

Any information would be greatly received.

Regards.

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

Accepted answer
  1. Leon Laude 85,716 Reputation points
    2020-07-20T08:47:05.903+00:00

    Hi,

    As the naming of the server could basically be anything, and still host the ADFS roles, the best would be to query and find if there are any ADFS services running on your servers.

    For example, by running the following PowerShell command (Windows PowerShell; the -ComputerName parameter of Get-Service is not available in PowerShell 7):

    # Replace SERVER01 with the name of the server you want to query
    Get-Service -ComputerName SERVER01 -DisplayName "*Active Directory Federation *" | Select-Object DisplayName
    

    Also have a look at the following threads with a similar query:
    https://community.spiceworks.com/topic/2200852-how-to-find-adfs-servers-in-the-environment

    https://michaeldeblok.wordpress.com/2016/07/01/how-to-find-all-the-adfs-servers-in-your-environment-and-run-diagnostics-against-them/

    Best regards,
    Leon

    1 person found this answer helpful.
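The query above has to be pointed at one server at a time. The following script is an added example, not part of Leon's answer: it pulls the enabled server computer objects out of AD, runs the check on each of them over WinRM, and records hosts it could not reach instead of aborting. It assumes the ActiveDirectory module (RSAT) on the machine you run it from, WinRM access to the servers, and that the ADFS Windows service is named adfssrv and the role feature ADFS-Federation (both are the names used by Windows Server).

```powershell
# Added example: inventory servers from AD and check each one for the ADFS service/role.
# Assumes RSAT ActiveDirectory module and WinRM (Invoke-Command) access to the servers.
Import-Module ActiveDirectory

# Enabled computer objects running a Windows Server OS; the OS filter keeps workstations out of the scan
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*" -and Enabled -eq "True"' `
    -Properties OperatingSystem, DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($server in $servers) {
    try {
        # -ErrorAction Stop turns an unreachable host into a catchable error instead of a red line we lose
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $svc     = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue          # ADFS Windows service
            $feature = Get-WindowsFeature -Name 'ADFS-Federation' -ErrorAction SilentlyContinue  # ADFS role
            [pscustomobject]@{
                Server      = $env:COMPUTERNAME
                AdfsService = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
                AdfsRole    = if ($feature) { $feature.Installed } else { $false }
                Reachable   = $true
            }
        }
    }
    catch {
        # Keep the host in the report so nobody mistakes "could not connect" for "no ADFS here"
        [pscustomobject]@{ Server = $server; AdfsService = 'unknown'; AdfsRole = 'unknown'; Reachable = $false }
    }
}

# Full picture first, then the rows that actually indicate ADFS
$results | Sort-Object Reachable, Server | Format-Table Server, AdfsService, AdfsRole, Reachable -AutoSize
$results | Where-Object { $_.AdfsRole -eq $true -or $_.AdfsService -eq 'Running' } |
    Select-Object Server, AdfsService |
    Export-Csv -Path .\adfs-servers.csv -NoTypeInformation
```

Rows with Reachable set to False are the ones to follow up by hand (firewall, WinRM disabled, decommissioned object still in AD); a server that is not reachable is not evidence that it is not an ADFS host.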

1 additional answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2020-07-20T13:23:15.757+00:00

    If you know the FQDN of the service, you can follow DNS to see where it points to. If you don't know the FQDN of the service, but you know of an application using ADFS, you can try to sign in to this application to be redirected to ADFS and get the name. The names of ADFS deployments are often similar, so you can also arbitrarily try sts.<your domain>, federation.<your domain>, fs.<your domain> or adfs.<your domain>.

    If DNS leads you to a load balancer, then you can ask the team in charge of it to give you the endpoint for the actual service.

    You can also look in AD. Using the Users and Computers console, make sure you have enabled the Advanced Features in the View menu and navigate to: Program Data, Microsoft, then ADFS. You need to be a member of the Domain Admins group to see those objects. If you have something there, it means you have (or at least used to have) an ADFS farm.
    Then if you look at the Security tab of the object which has a GUID as its name, you might see a GMSA account (in the list of accounts with permission on the object, you might have one that looks like a user account but has a name finishing with a $ sign). If you have one, you can list what computers have permission to retrieve the password of that account with the following command:

     Get-ADServiceAccount -Identity <name of the GMSA account> -Properties PrincipalsAllowedToRetrieveManagedPassword
    

    If you don't have a GMSA account in the list of that security tab, you are left with either enabling AD audit (not worth it if that's not already enabled) or scanning the servers like Leon suggested.

    You could also try to scan the network for a host listening on ports 443 and 49443, as ADFS does listen on those two ports for clients (and technically port 80 as well for other ADFS servers if that's a deployment with multiple servers using WID).
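The DNS, AD-container and gMSA checks from this answer can be run together from one PowerShell session. The script below is an added example and not part of the answer: it resolves the four conventional federation names against your own domain, looks for the ADFS container under Program Data, and lists every gMSA with the hosts allowed to retrieve its password (an ADFS gMSA's list is effectively the farm's member servers). It assumes the ActiveDirectory module (RSAT), Domain Admin rights for the container read (as the answer notes), and that the container sits at CN=ADFS,CN=Microsoft,CN=Program Data under the domain root, which is where the answer's console path leads.

```powershell
# Added example: DNS names, AD container and gMSA checks from the answer, in one pass.
# Assumes RSAT ActiveDirectory module; the container read needs Domain Admin rights.
Import-Module ActiveDirectory

$domainInfo = Get-ADDomain
$domain     = $domainInfo.DNSRoot        # your own domain, e.g. contoso.com

# 1) Conventional federation hostnames; a name that does not resolve is reported, not thrown
$dnsHits = foreach ($prefix in 'sts', 'federation', 'fs', 'adfs') {
    $fqdn   = "$prefix.$domain"
    $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name     = $fqdn
        Resolves = [bool]$answer
        # CNAME rows have no IPAddress, so keep only the A records when listing targets
        Targets  = ($answer | Where-Object { $_.IPAddress } | ForEach-Object IPAddress) -join ', '
    }
}
"--- DNS candidates ---"
$dnsHits | Format-Table -AutoSize

# 2) The ADFS configuration container: a GUID-named child object means a present (or former) farm
$adfsPath    = "CN=ADFS,CN=Microsoft,CN=Program Data,$($domainInfo.DistinguishedName)"
$farmObjects = @(Get-ADObject -SearchBase $adfsPath -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue)
"--- AD container ---"
if ($farmObjects.Count -gt 0) {
    "ADFS container present with $($farmObjects.Count) object(s):"
    $farmObjects | Select-Object Name, ObjectClass, WhenCreated | Format-Table -AutoSize
} else {
    "Nothing found under $adfsPath (no farm objects, or insufficient rights to read them)."
}

# 3) Every gMSA and the principals allowed to retrieve its password (the answer's
#    Get-ADServiceAccount command, applied to all gMSAs instead of one known name)
"--- gMSA accounts and the hosts allowed to use them ---"
Get-ADServiceAccount -Filter { ObjectClass -eq 'msDS-GroupManagedServiceAccount' } `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        [pscustomobject]@{
            gMSA  = $_.SamAccountName
            Hosts = ($_.PrincipalsAllowedToRetrieveManagedPassword |
                        ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        }
    } | Format-Table -AutoSize
```

A resolving sts/fs name, a populated ADFS container and a gMSA whose allowed hosts are a handful of servers together give a strong answer; if a DNS name resolves to a load balancer VIP, the gMSA host list or the balancer team (as the answer says) is how you get to the real farm members.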