Server 2016 ADFS 3.0 and Azure AD update password url not working


I am trying to enable users to update their password.

I have a Server 2016 with Active Directory and ADFS configured for SSO.
SSO works fine and Active Directory is synced with Azure AD.
We use Office 365 and new users are synced as planned.

I enabled the AD FS endpoint /adfs/portal/updatepassword as is asked in tutorials that I have read.
When I surf to https://www.example.com/adfs/portal/updatepassword I get "HTTP Error 503. The service is unavailable." Same for http.

I have enabled AD FS Tracing in the event viewer but I cannot find any entries to help me locate and fix the problem.

Also, when I click change password from Office 365, I get an error "You can't change your password here".

I don't know if these two are related or not, but I'm completely stuck. Any help would be greatly appreciated!

So just to be clear: I want users who are not working on domain-joined computers to be able to change their password from their Office 365 environment.

Edit: I get this error in AD FS Admin event log:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data 
Exception details: 
System.Net.HttpListenerException (0x80004005): Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.Start()
   at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

I have disabled the updatepassword endpoint and I still get this error when I restart the AD FS Service. So does this error somehow prevent the endpoint from being enabled/loaded? And where can I find the logs of the web server? I'm flying (crashing) blind here.

Tags: active-directory, password, adfs, azure-active-directory
asked on Server Fault Mar 28, 2017 by Johan Claes • edited Mar 30, 2017 by Johan Claes
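The stack trace in the question (System.Net.HttpListenerException "Access is denied" thrown from HttpListener.AddAllPrefixes while the AD FS service starts its listener) points at the HTTP.SYS layer rather than at the updatepassword endpoint itself: AD FS on Server 2016 runs on HTTP.SYS and needs URL reservations and an SSL binding that its service account is allowed to use. The following PowerShell is an added diagnostic checklist, not part of the original question or answer, to run on the AD FS server to gather what the event log does not show. The federation service name is taken from the URL in the question and the service account name is a placeholder; both are assumptions.

```powershell
# Added diagnostic checklist for the "Access is denied" HttpListener error at AD FS start-up.
# Run in an elevated PowerShell session on the AD FS server. Not from the original post.
# Assumptions: the federation service name is www.example.com (from the question's URL);
# DOMAIN\svc_adfs is a placeholder for the AD FS service account.

# 1. What AD FS believes its own service name and endpoints are.
Get-AdfsProperties | Select-Object HostName, HttpPort, HttpsPort
Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '/adfs/portal/*' } |
    Select-Object AddressPath, Enabled, Proxy

# 2. Which account the Federation Service runs as, and whether it is actually running.
Get-CimInstance Win32_Service -Filter "Name='adfssrv'" |
    Select-Object Name, StartName, State

# 3. HTTP.SYS URL reservations. AD FS registers prefixes under https://+:443/adfs/ and
#    grants them to its service account; "Access is denied" from AddAllPrefixes means the
#    listener tried to bind a prefix the service account has no reservation for.
netsh http show urlacl | Select-String -Pattern 'adfs|FederationMetadata' -Context 0,2

# 4. The SSL certificate binding AD FS expects versus what HTTP.SYS actually holds.
Get-AdfsSslCertificate
netsh http show sslcert

# 5. Anything else already bound to 443 (IIS, another listener) would block AD FS too.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# If step 3 shows no reservation for the service account, the AD FS SSL cmdlet re-creates
# the bindings and reservations from AD FS's own configuration (assumed remediation step;
# replace the thumbprint with the one shown by Get-AdfsSslCertificate):
# Set-AdfsSslCertificate -Thumbprint '<thumbprint-from-Get-AdfsSslCertificate>'
# Restart-Service adfssrv
```

The point of running these in order is that the 503 on /adfs/portal/updatepassword is a symptom: if the passive listener never starts, every endpoint under /adfs/ returns 503 regardless of whether updatepassword is enabled, which matches the observation that disabling the endpoint did not make the event-log error go away.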

1 Answer


If the users in Azure AD are federated or password-synced from on-premises, then you should enable Password Writeback before they can change passwords from the Office 365 portal. Also note that the Password Writeback feature requires an Azure AD Premium subscription. More details about this can be found here.

Yes, it is also possible using the endpoint /adfs/portal/updatepassword/ to let your users change passwords. However, you should note that:

  1. If you are using ADFS 3.0 on Server 2012 R2, by default users can change passwords only on workplace-joined devices (devices registered in AD). You can install the hotfix KB3035025 to get rid of this.

  2. You should enable the updatepassword endpoint on the proxy so that users on the external network have the ability to change passwords. More details about the steps can be found here.

answered on Server Fault Mar 29, 2017 by Jimmy Sun • edited Mar 29, 2017 by Jimmy Sun
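The two steps the answer describes (enable the updatepassword endpoint, then publish it through the proxy for external users) are both done with the AD FS PowerShell module; the following is an added example, not code from the answer or from the original post, showing the full sequence plus a check that the endpoint actually answers. The federation service name www.example.com is taken from the question and the Web Application Proxy service name appproxysvc is an assumption about the WAP host.

```powershell
# Added example: enable the AD FS update-password endpoint on the farm and on the proxy,
# then verify it. Run in an elevated session on the primary AD FS server.
# Assumptions: federation service name www.example.com (from the question);
# the Web Application Proxy runs the 'appproxysvc' service.

$Endpoint = '/adfs/portal/updatepassword/'
$Fqdn     = 'www.example.com'

# Current state: Enabled = served by the farm, Proxy = published by WAP.
Get-AdfsEndpoint -AddressPath $Endpoint | Select-Object AddressPath, Enabled, Proxy

# Step 1: enable the endpoint on the federation servers.
Enable-AdfsEndpoint -TargetAddressPath $Endpoint

# Step 2: mark it proxy-enabled so non-domain-joined users outside the network reach it.
Set-AdfsEndpoint -TargetAddressPath $Endpoint -Proxy $true

# Endpoint changes take effect after the Federation Service restarts.
Restart-Service adfssrv

# WAP picks up the new endpoint list on its next configuration poll; restarting the
# proxy service on the WAP host forces it (run there, not on the AD FS server):
# Restart-Service appproxysvc

# Step 3: verify. A 200 with the password-change form means the listener is up and the
# endpoint is enabled; a 503 means the Federation Service itself did not start cleanly
# (check the AD FS Admin log), a 404 means the endpoint is still disabled.
try {
    $r = Invoke-WebRequest -Uri "https://$Fqdn$Endpoint" -UseBasicParsing
    "HTTP {0} from {1}" -f $r.StatusCode, $Endpoint
} catch {
    "Request failed: {0}" -f $_.Exception.Message
}

# Optional: confirm Password Writeback is switched on in Azure AD Connect, which is what
# the Office 365 "change password" page depends on for synced users. Run on the
# Azure AD Connect server; the connector name is an assumption (tenant-specific).
# Import-Module ADSync
# Get-ADSyncAADPasswordResetConfiguration -Connector 'contoso.onmicrosoft.com - AAD'
```

The two mechanisms are independent: the AD FS endpoint serves users who authenticate through the federation server, while Password Writeback is what lets the Office 365 portal push a password change back to on-premises AD, so the "You can't change your password here" message is resolved by the writeback setting and not by the AD FS endpoint.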

User contributions licensed under CC BY-SA 3.0