Published on 2017/06/18 by Asitha De Silva in Tech-Tips

Configuring Change Password with ADFS 2016

The Change Password feature was introduced with ADFS 3.0 on Windows Server 2012 R2 and is also available in ADFS 2016. It lets a user change their Active Directory password from a web page by supplying the existing password and a new one. This post walks through a scenario where the feature is useful and how to implement it with ADFS and the ADFS Proxy (Web Application Proxy).

Office 365 Password Change

Take Office 365 as the customer scenario. Office 365 authenticates against Azure Active Directory, and you can either create the identities (user names and passwords) directly in the cloud or synchronise them from the on-premises Active Directory. Most organisations choose directory synchronisation because they do not want to maintain separate accounts for mail and for domain logon. The problem appears when a user needs to change their password: either they change it from a domain-joined computer, which takes away much of the benefit of going to the cloud, or every user needs an Azure Active Directory Premium licence, which is what the password write-back option requires.

In this situation the ADFS Change Password option fills the gap. Users get a web portal they can reach from anywhere; they type their existing password and the new one, and the change is made in the on-premises Active Directory, from where it is synchronised to the cloud. If the company already has an ADFS environment it can be used as is; otherwise a small ADFS environment can be built just for Change Password.

Prerequisites for ADFS and ADFS Proxy

For this scenario I am installing ADFS on Windows Server 2016 with Web Application Proxy (WAP) for external access. The WAP server sits isolated in the DMZ and is reachable from the internet only on TCP 443; it is the only host published externally, and the internal ADFS server is never exposed directly.

Certificate Requirements

An SSL certificate is required by both ADFS and the ADFS proxy to serve HTTPS requests. The certificate name must match the ADFS service name, for example "sts.microsoft.com" (the name must be present as the subject or as a subject alternative name). The certificate should be issued by a publicly trusted CA, and the same certificate is used on the WAP server.

High level steps:

  • Generate the certificate request on the ADFS server (for example with IIS Manager)
  • Submit the certificate request to the public CA and obtain the issued certificate
  • Install the issued certificate on the ADFS server and export it together with its private key
  • Import the exported certificate into the ADFS proxy
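The same four certificate steps done from PowerShell, as an added example that is not part of the original post. The service name sts.contoso.com, the C:\Temp paths and the CA that issues the certificate are assumptions; the request is generated with certreq so that the private key is created in the machine store and marked exportable, which is what the later export to the WAP server needs.

```powershell
# Added example (not from the original post): request, install and move the ADFS SSL
# certificate with certreq and the PKI cmdlets instead of the IIS Manager GUI.
# Assumed values: service name sts.contoso.com, working folder C:\Temp.
$ServiceName = "sts.contoso.com"

# 1. Certificate request: service name as CN and as DNS SAN (browsers check the SAN).
#    Exportable = TRUE is required so the private key can be exported for the WAP server.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServiceName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServiceName&"
"@ | Set-Content -Path C:\Temp\sts.inf -Encoding ascii

certreq.exe -new C:\Temp\sts.inf C:\Temp\sts.req   # submit sts.req to the public CA

# 2. Install the issued certificate (sts.cer from the CA); certreq pairs it with the
#    private key that is already in Cert:\LocalMachine\My.
certreq.exe -accept C:\Temp\sts.cer

# 3. Export with the private key for the WAP server. The PFX contains the key for the
#    federation service name, so protect the file and its password accordingly.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServiceName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ServiceName was found" }

$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath C:\Temp\sts.pfx -Password $pfxPassword
"Thumbprint to use for ADFS and WAP: $($cert.Thumbprint)"

# 4. On the WAP server, after copying sts.pfx into the DMZ over a trusted channel:
#    Import-PfxCertificate -FilePath C:\Temp\sts.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
#    Delete the PFX from both servers once it is imported.
```

The thumbprint printed at the end is the value the ADFS and WAP configuration wizards (or Install-AdfsFarm and Install-WebApplicationProxy) need, so keep it at hand.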

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-2016-requirements#BKMK_1

Hardware Requirements

Use the AD FS 2016 Capacity Planning spreadsheet to determine how many ADFS and Web Application Proxy servers you need:

http://adfsdocs.blob.core.windows.net/adfs/ADFSCapacity2016.xlsx

Access ports and DNS

  • A service account is required to run the ADFS service; a plain domain user account is enough (ADFS 2016 can also use a group Managed Service Account, which avoids a manually managed password).
  • The ADFS Proxy (WAP) resides in the DMZ and needs TCP 443 from the DMZ to the internal ADFS server; nothing else has to be opened from the DMZ into the internal network.
  • On the ADFS proxy, create a host record (hosts-file entry) for the ADFS service name that points to the internal ADFS server, because the DMZ host does not resolve the name through internal DNS.

Implementing ADFS 2016

  1. Log in to the ADFS server.
  2. In Server Manager, open Add Roles and Features, select Active Directory Federation Services, and click Next until the role is installed.


  3. After the ADFS role is installed, configure it from the Server Manager notification.
  4. Select "Create the first federation server in a federation server farm" and click Next.


  5. Provide domain administrator credentials; these are used only for the initial configuration (creating the ADFS objects in Active Directory), not to run the service.




  6. On the Specify Service Properties page, select the imported SSL certificate.


  7. Provide the Federation Service Name and the Federation Service Display Name.


  8. Specify the previously created ADFS service account; this can be a domain user account.


  9. On the database page keep the default Windows Internal Database (a separate SQL Server is not needed for this scenario) and click Next.


  10. Review the settings, click Next, and let the configuration run.


  11. After the configuration finishes, restart the server and test the service by opening the following URL on the ADFS server:

    https://localhost/adfs/fs/federationserverservice.asmx

    You will get a certificate warning because the certificate was issued for the service name, not for localhost.

  12. Create a DNS A record for the ADFS service name in the internal DNS server, for example sts.microsoft.com pointing to the internal IP of the ADFS server (use an A record, not a CNAME). Then test again using the service name instead of localhost; the certificate error disappears.
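Steps 1 to 12 above done with the ADFS cmdlets instead of the wizard, as an added example that is not part of the original post. The service name sts.contoso.com, the service account CONTOSO\svc_adfs, the DNS server dc01 and the address 10.0.0.20 are assumptions; the certificate is assumed to be already installed with its private key in the computer's Personal store.

```powershell
# Added example (not from the original post): first-node ADFS 2016 farm configuration
# from PowerShell. Assumed values: service name sts.contoso.com, DNS server dc01,
# zone contoso.com, internal ADFS address 10.0.0.20.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$ServiceName = "sts.contoso.com"
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServiceName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ServiceName in LocalMachine\My" }

# Domain admin: used once, to create the ADFS objects in AD. Service account: runs adfssrv.
$domainAdmin = Get-Credential -Message "Domain administrator (initial configuration only)"
$serviceAcct = Get-Credential -Message "ADFS service account, e.g. CONTOSO\svc_adfs"

# First farm node with the Windows Internal Database (the default database choice).
# For a gMSA, replace -ServiceAccountCredential with
#   -GroupServiceAccountIdentifier 'CONTOSO\gMSA_adfs$'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $ServiceName `
                 -FederationServiceDisplayName "Contoso Password Portal" `
                 -ServiceAccountCredential $serviceAcct `
                 -Credential $domainAdmin

# Internal DNS: an A record (not a CNAME) for the service name pointing at this server.
# Requires the DnsServer module (RSAT) and rights on the DNS server; values are assumptions.
Add-DnsServerResourceRecordA -ComputerName dc01 -ZoneName "contoso.com" -Name "sts" -IPv4Address "10.0.0.20"

# Reboot as the post describes, then verify on the real service name (not localhost):
#  - the SSL binding must carry the thumbprint selected above
#  - the federation service endpoint must answer HTTP 200 without a certificate warning
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash
(Invoke-WebRequest -Uri "https://$ServiceName/adfs/fs/federationserverservice.asmx" -UseBasicParsing).StatusCode
```

If the Invoke-WebRequest call fails with a certificate error while the thumbprint looks right, the usual cause is that the name resolves to the wrong host or the A record has not replicated yet; check with Resolve-DnsName before changing anything in ADFS.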

Installing ADFS Proxy

Before installing the ADFS proxy, make sure you have created the host record on the proxy server mapping the ADFS service name to the internal ADFS server, and import the previously exported certificate (with its private key) into the Personal store of the local computer.

  1. Log in to the proxy server and open Server Manager – Add Roles and Features.
  2. Add the Remote Access role.


  3. Select the Web Application Proxy role service and click Next.


  4. After the role is installed, select Configure (Open the Web Application Proxy Wizard).
  5. Enter the federation service name and the credentials of a local administrator on the ADFS server; they are used once to establish the proxy trust and are not stored on the WAP.


  6. Select the federation certificate (it must be in the Personal store of the local computer).


  7. Check the operation status; the wizard should report the proxy configuration as successful.
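The WAP steps above, including the host record the post requires beforehand, done from PowerShell on the DMZ server, as an added example that is not part of the original post. The service name sts.contoso.com and the internal ADFS address 10.0.0.20 are assumptions; the certificate is assumed to be already imported into the computer's Personal store.

```powershell
# Added example (not from the original post): Web Application Proxy configuration from
# PowerShell. Assumed values: service name sts.contoso.com, internal ADFS address 10.0.0.20,
# PFX already imported into Cert:\LocalMachine\My on this DMZ host.
$ServiceName    = "sts.contoso.com"
$AdfsInternalIp = "10.0.0.20"

# The DMZ host does not use internal DNS, so pin the service name to the internal ADFS
# address in the hosts file (this is the "host record on the proxy" from the post).
$hostsFile = "$env:windir\System32\drivers\etc\hosts"
$pattern   = '\s' + [regex]::Escape($ServiceName) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$AdfsInternalIp`t$ServiceName"
}

# Pre-check: the only path the WAP needs into the internal network is TCP 443 to ADFS.
# If this fails, fix name resolution or the DMZ firewall before installing anything.
if (-not (Test-NetConnection -ComputerName $ServiceName -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 from the DMZ to $ServiceName ($AdfsInternalIp) is not open"
}

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServiceName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Import the sts.pfx certificate into LocalMachine\My first" }

# Local administrator on the ADFS server: used once to establish the proxy trust.
$trustCred = Get-Credential -Message "Local administrator on the ADFS server"

Install-WebApplicationProxy -FederationServiceName $ServiceName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint

# Checks: the proxy trust is established and the WAP reports itself healthy.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ConfigurationChangesPollingIntervalSec
Get-WebApplicationProxyHealth
```

The WAP polls the ADFS server for configuration changes at the interval shown by ConfigurationChangesPollingIntervalSec, which is why endpoint changes made later on ADFS (such as enabling the password page on the proxy) appear on the WAP with a short delay.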


Enabling Change Password on ADFS

Enabling Change Password takes only a few steps. You can allow it for internal users only (Enable) or for both internal and external users (Enable and Enable on Proxy).

In the ADFS Management console go to Service – Endpoints – Other, right-click /adfs/portal/updatepassword, and select Enable, plus Enable on Proxy if external users should be able to use it. Restart the ADFS service for the endpoint change to take effect.

Test the configuration with the following URL, substituting your own service name:

https://ADFSServicename.com/adfs/portal/updatepassword

Note: publish the ADFS service name in external DNS, pointing at the public address of the WAP server, and make sure only TCP 443 is allowed to it from the internet. Because this page accepts the user's current Active Directory password from the internet, it should be protected against brute-force and password-spraying attempts; ADFS extranet lockout is the built-in control for that, and its threshold should be set lower than the Active Directory account lockout threshold so that attackers are throttled at the proxy before they can lock out internal users.
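Enabling the endpoint and the extranet lockout protection from PowerShell on the ADFS server, as an added example that is not part of the original post. The service name sts.contoso.com and the lockout values are assumptions; choose the threshold to stay below the domain's account lockout threshold.

```powershell
# Added example (not from the original post): enable /adfs/portal/updatepassword for
# internal and proxied users, turn on extranet lockout, and verify the result.
# Assumed service name: sts.contoso.com. Lockout values are assumptions.
$ServiceName = "sts.contoso.com"
$Path        = "/adfs/portal/updatepassword"

# "Enable" and "Enable on Proxy" from the management console.
Enable-AdfsEndpoint -TargetAddressPath $Path
Set-AdfsEndpoint    -TargetAddressPath $Path -Proxy $true

# The page takes AD passwords from the internet, so throttle repeated failures at ADFS.
# Keep ExtranetLockoutThreshold below the AD account lockout threshold (e.g. AD 20, ADFS 10)
# so a spraying client is blocked at the proxy before it can lock the account in AD.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Endpoint changes are applied after a service restart; the WAP picks them up on its next poll.
Restart-Service adfssrv

# Check 1: the endpoint is enabled and published to the proxy.
Get-AdfsEndpoint -AddressPath $Path | Format-Table AddressPath, Enabled, Proxy

# Check 2: lockout settings are in place.
Get-AdfsProperties | Format-List EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow

# Check 3: the portal answers on the service name. Run the same request from an external
# client to confirm the WAP publishes it, and confirm that port 80 does not answer at all.
(Invoke-WebRequest -Uri "https://$ServiceName$Path" -UseBasicParsing).StatusCode
```

If Get-AdfsEndpoint shows Proxy as True but the external request still returns a WAP error, wait for the proxy's configuration poll or restart the appproxysvc service on the WAP, then retry.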

I hope this post is useful.


Cheers

Asitha De Silva
