AD FS 2.0: How to Change the net.tcp Ports for Services and Administration
Active Directory Federation Services (AD FS) 2.0 uses two net.tcp ports for functions of the Federation Service.
Services net.tcp port - 1501
Administration net.tcp port - 1500
Another application or service may already be using one of these ports, and the resulting conflict stops the affected AD FS endpoint from starting. You can configure AD FS 2.0 to listen on different net.tcp ports to avoid the conflict.
The steps below detail the supported method for changing the Services or Administration net.tcp ports in AD FS 2.0:
Note: In the steps, the example new ports are:
Services - 1601
Administration - 1600
To change the services net.tcp port from 1501 to 1601
1. Launch PowerShell
2. Add the AD FS 2.0 PowerShell snap-in:
add-pssnapin microsoft.adfs.powershell
3. Configure the Services net.tcp port via the Set-ADFSProperties cmdlet:
Set-ADFSProperties -nettcpport 1601
4. Confirm the change:
Get-ADFSProperties
5. Restart the AD FS 2.0 service in the Services console
To change the administration net.tcp port from 1500 to 1600
1. Launch PowerShell
2. Get a WMI object into a $temp variable:
$temp = Get-WmiObject -namespace root/ADFS -class SecurityTokenService
3. Set the ConfigurationServiceAddress property to the new net.tcp address using the new port:
$temp.ConfigurationServiceAddress = "net.tcp://localhost:1600/policy"
4. Write your change back to the object:
$temp.put()
5. Restart the AD FS 2.0 service in the Services console
6. Verify the change from an elevated Command Prompt:
a. netstat -anob > netstat.txt
b. Open netstat.txt in Notepad
c. Find 1600
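The two procedures above, combined into a single elevated PowerShell script as an added example (this is not code from the original article). It checks that the new ports are free before touching anything, applies both changes, restarts the service, and reads the stored values back. It assumes the AD FS 2.0 Windows service is named adfssrv and that netstat prints the usual "TCP local remote LISTENING PID" columns; the port numbers are the article's 1601 and 1600.

```powershell
# Added example (not from the original article): apply both port changes from the
# procedures above in one elevated PowerShell session and verify the result.
# Assumptions: the AD FS 2.0 Windows service is named 'adfssrv', and netstat output
# has the usual "TCP  local:port  remote  LISTENING  PID" column layout.
param(
    [int]$ServicesPort       = 1601,   # replaces the default 1501
    [int]$AdministrationPort = 1600    # replaces the default 1500
)

# True if something already listens on the port (the conflict this procedure avoids).
function Test-PortListening {
    param([int]$Port)
    $hits = netstat -ano | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    return [bool]$hits
}

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$currentServicesPort = (Get-ADFSProperties).NetTcpPort
$currentAdminPort    = 0
if ($sts.ConfigurationServiceAddress -match ':(\d+)/') { $currentAdminPort = [int]$Matches[1] }

# Do not move onto a port some other process already owns; only test ports that change.
$pairs = @(
    @{ Name = 'Services';       New = $ServicesPort;       Current = $currentServicesPort },
    @{ Name = 'Administration'; New = $AdministrationPort; Current = $currentAdminPort }
)
foreach ($p in $pairs) {
    if ($p.New -ne $p.Current -and (Test-PortListening -Port $p.New)) {
        throw ("{0} port {1} is already in use; pick a different port." -f $p.Name, $p.New)
    }
}

# Services port: Set-ADFSProperties, as in the first procedure
Set-ADFSProperties -NetTcpPort $ServicesPort

# Administration port: stored in the WMI SecurityTokenService object, as in the second procedure
$sts.ConfigurationServiceAddress = "net.tcp://localhost:$AdministrationPort/policy"
$sts.Put() | Out-Null

# Equivalent of restarting the service in the Services console
Restart-Service -Name adfssrv   # assumption: AD FS 2.0 service name

# Verify: read the stored values back and confirm both ports are now listening
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
"Services net.tcp port (Get-ADFSProperties): {0}" -f (Get-ADFSProperties).NetTcpPort
"Administration endpoint (WMI): {0}" -f $sts.ConfigurationServiceAddress
foreach ($port in $ServicesPort, $AdministrationPort) {
    if (Test-PortListening -Port $port) { "Port $port is listening." }
    else { Write-Warning "Port $port is not listening yet; check the AD FS 2.0/Admin event log." }
}
```

Run it as `.\Set-AdfsNetTcpPorts.ps1 -ServicesPort 1601 -AdministrationPort 1600` (the file name is an assumption). The pre-check skips any port that already equals the current value, so re-running the script after a successful change does not trip over AD FS's own listener.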
Symptoms of port conflict
If port 1501 is taken by another process at the time of AD FS 2.0 service start, you will find event ID 364 in the AD FS 2.0/Admin log in Event Log with the following description:
MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.TimeoutException: The open operation did not complete within the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The socket transfer timed out after 00:01:00. You have exceeded the timeout set on your binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
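A defender-side check for the symptom just described, as an added example (not from the original article): it searches the AD FS 2.0/Admin log for event ID 364 entries carrying MSIS7004 for the services port, and if any are found, reports which process currently holds that port so you can tell a genuine conflict from a stopped service. It assumes an elevated PowerShell session (netstat shows owning PIDs only when elevated) and that the AD FS 2.0 service host process is named Microsoft.IdentityServer.ServiceHost.

```powershell
# Added example (not from the original article): look for the event ID 364 / MSIS7004
# symptom in the AD FS 2.0/Admin log and, if present, identify the current owner of the port.
# Assumptions: elevated session; the AD FS 2.0 service process is
# Microsoft.IdentityServer.ServiceHost.
param([int]$Port = 1501, [int]$Hours = 24)

$filter = @{ LogName = 'AD FS 2.0/Admin'; Id = 364; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'MSIS7004' -and $_.Message -match ":$Port/" })

if ($events.Count -eq 0) {
    "No event 364 / MSIS7004 entries mentioning port $Port in the last $Hours hour(s)."
    return
}
# Get-WinEvent returns newest entries first
"{0} MSIS7004 event(s) for port {1}; most recent at {2}" -f $events.Count, $Port, $events[0].TimeCreated

# netstat -ano ends each line with the owning PID; capture it for the listener on $Port.
$listener = @(netstat -ano | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)")
if ($listener.Count -eq 0) {
    "Nothing is listening on port $Port now; the conflict may have been transient, or AD FS is stopped."
    return
}
$ownerPid = [int]$listener[0].Matches[0].Groups[1].Value
$owner = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
if (-not $owner) {
    "PID $ownerPid holds port $Port but has already exited."
    return
}
if ($owner.Name -eq 'Microsoft.IdentityServer.ServiceHost') {
    "Port $Port is held by AD FS itself (PID $ownerPid); the conflict occurred at service start and has cleared."
} else {
    "Port $Port is held by PID $ownerPid ($($owner.Name)), not AD FS; change the AD FS port as described above or move that application."
}
```

Because the log query is time-bounded, scheduling this check after each AD FS service restart gives an early warning of a port conflict without waiting for a user-facing failure.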
Community Resources
Net.TCP Port Sharing
http://msdn.microsoft.com/en-us/library/ms734772.aspx