
Is it possible to run ADFS 2.0 without connecting the server to a domain? We are using Shibboleth as the claims provider, so we actually don't need Active Directory here.

We managed to set up ADFS (with AdfsSetup.exe /quiet) and configure it without any problems. However, on start-up not all endpoints are started. In particular the endpoint net.tcp://localhost:1501/adfs/services/trusttcp/windows is missing, which leads to the following error when authenticating to SharePoint:

Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
---> Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running.
---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/adfs/services/trusttcp/windows that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Igor Lankin
  • How did you solve this problem in the end? I'm having a similar setup with ADFS 3. – Housy May 18 '16 at 06:53
  • The trick was to set up a "fake" domain controller for the setup and switch it off again later. – Igor Lankin May 18 '16 at 17:58
  • Were you able to forward all user attributes/claims from Shibboleth to the relying party? – Housy May 18 '16 at 19:26
  • It worked as far as I remember, but we had some issues with the claim mappings. In the end we only had to forward the uid on the production system. – Igor Lankin May 18 '16 at 22:04
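The error above says only that nothing answers at the net.tcp endpoint; it does not say why. The following diagnostic script is an added example, not part of the original question or any answer. It checks, on the AD FS server itself, the three things the thread turns on: whether the machine is domain-joined (the requirement quoted below from Technet), whether the AD FS 2.0 service is running, and whether the /adfs/services/trusttcp/windows endpoint is registered and actually listening. It assumes AD FS 2.0 with its Microsoft.Adfs.PowerShell snap-in installed, the service name adfssrv, and the default port 1501 from the error text; run it in an elevated PowerShell session.

```powershell
# Added diagnostic example, not from the original post. Assumes an AD FS 2.0
# server with the Microsoft.Adfs.PowerShell snap-in (ships with AD FS 2.0),
# the AD FS service registered as 'adfssrv', and the endpoint URL taken
# from the error message in the question.

$endpointUrl = 'net.tcp://localhost:1501/adfs/services/trusttcp/windows'

# 1. Domain membership. Technet lists it as a hard requirement for AD FS servers,
#    and a missing windows WS-Trust endpoint is the symptom reported in the question.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Domain membership : joined to '$($cs.Domain)'"
} else {
    "Domain membership : NOT joined (workgroup '$($cs.Workgroup)')"
}

# 2. Is the AD FS 2.0 Windows service running at all?
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if ($svc) { "Service adfssrv   : $($svc.Status)" } else { "Service adfssrv   : not installed" }

# 3. Ask AD FS which endpoints it knows about and whether the one from the error is enabled.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}
$ep = Get-ADFSEndpoint | Where-Object { $_.AddressPath -eq '/adfs/services/trusttcp/windows' }
if ($ep) {
    "Endpoint config   : $($ep.FullUrl) enabled=$($ep.Enabled)"
} else {
    "Endpoint config   : /adfs/services/trusttcp/windows is not registered with this AD FS instance"
}

# 4. Is anything listening on the port? An endpoint that is configured but never
#    started shows up here as a refused connection, which is what SharePoint sees.
$uri  = [Uri]$endpointUrl
$sock = New-Object System.Net.Sockets.TcpClient
try {
    $sock.Connect($uri.Host, $uri.Port)
    "TCP listener      : $($uri.Host):$($uri.Port) accepts connections"
} catch {
    "TCP listener      : nothing listening on $($uri.Host):$($uri.Port) ($($_.Exception.Message))"
} finally {
    $sock.Close()
}
```

If step 1 reports a workgroup machine while steps 2 and 3 look healthy, the output matches the situation described in this thread: the service is up and the endpoint is configured, but the Windows-authenticated net.tcp endpoint is never brought up, so step 4 fails with the same "no endpoint listening" condition as the SharePoint error.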

1 Answer


I didn't know the answer to your question off the top of my head, since after managing 5000+ user workstations and 30 servers without AD I kind of feel like any network larger than two workstations needs AD, ;) so I went and looked.

The ADFS requirements at Technet say:

Domain Requirements

  • All AD FS servers must be joined to an AD DS domain.
  • All AD FS servers within a farm must be deployed in a single domain.
  • The domain that the AD FS servers are joined to must trust every user account domain that contains users authenticating to the AD FS service.

So... sorry. It looks like yes, your server must be in a domain.

Katherine Villyard
  • Hi Katherine, thank you for your answer. We know AD is a stated requirement for ADFS, but we hoped it might still work without. There are posts which indicate it _could_ work (e.g. http://stackoverflow.com/a/10958000/51721). You are right that there should be an AD, and there is one for the internal users. However, our ADFS setup is meant to be used only by external users (for SharePoint), who will be authenticated via Shibboleth. There is no point in setting up an additional AD as the users are managed elsewhere. – Igor Lankin Apr 17 '15 at 16:21
  • There is no need for an *extra* domain. You could reuse the same domain as SharePoint. Managing Windows machines without a domain is so much more work than with a domain. Admin accounts, Windows Updates, policies for configuration... – paullem Apr 22 '15 at 10:40