Share via

Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

  • Article

To change or update the AD FS 2.0 service identity for a federation server farm requires additional changes beyond that of updating the logon user for the service in the Services node in Server Manager.

The service identity for Active Directory Federation Service (AD FS) 2.0 is the Windows user account that is used to logon and run the AD FS 2.0 Windows service when it is started. By default, the built-in NTAUTHORITY\NETWORK SERVICE account is used unless you create a Windows user account that you have updated your AD FS 2.0 installation to use.

This topic discusses the steps involved in changing the service user for a federation server farm. This procedure might be useful if you have more than one federation server farm and want to assign a different service user identity to each farm.

To change or update the service identity for a federation server farm

  1. Create the new AD FS 2.0 service identity account as a domain user account.

  2. Update the user account used by the AD FS 2.0 Windows Service on each federation server joined to the farm using the following steps.
     

    1. Open the Services node in Server Manager.
    2. In the details pane, right-click AD FS 2.0 Windows Service and then click Properties.
    3. Click the Log On tab, click This account, click Browse, and then specify the new domain user account you created in the previous step in the Select User dialog box. When you are finished, click OK.
    4. Type the password that is assigned for the user account in the Password box and in the Confirm password box, and then click OK.
    5. Repeat this procedure on each federation server in the farm.

  3. Update the ADFSAppPool application pool identity on each federation server joined to the farm.

    For more information, see the section “Verify the AD FS 2.0 application pool configuration” in Things to Check Before Troubleshooting AD FS 2.0.

  4. Use Active Directory Users and Computers to update the access control list (ACL) for the PKI objects that are created in Active Directory domain data (domain**\Program Data\Microsoft\ADFS\**GUID) to grant the new service user account any read/write permissions it requires (i.e. allow all permissions except Full control and Delete all child objects).