Dear Sharad,
Thank you for your question regarding the port requirements between Active Directory Federation Services (ADFS) servers and Active Directory Domain Controllers (AD DCs).
As per your questions, one by one:
Port requirements: ADFS servers require communication with AD DCs for authentication, user lookups, and group membership validation. The key ports that must be open are:
- TCP 389 (LDAP) – Used for Lightweight Directory Access Protocol (LDAP) queries.
- TCP 636 (LDAPS) – Secure LDAP over SSL/TLS.
- TCP 3268 (Global Catalog LDAP) – Used for queries against the Global Catalog.
- TCP 3269 (Global Catalog LDAPS) – Secure Global Catalog queries.
- TCP/UDP 53 (DNS) – Required for domain name resolution.
- TCP/UDP 88 (Kerberos) – Used for Kerberos authentication.
- TCP 135 (RPC Endpoint Mapper) – Required for RPC services.
- Dynamic RPC Ports (TCP 49152-65535) – Used for additional RPC communication.
The communication between ADFS and AD DCs must be bi-directional because:
- ADFS initiates queries to AD DCs for authentication and directory lookups.
- AD DCs respond to these requests, and in some cases (such as Kerberos or replication-related traffic), the DC may need to communicate back to the ADFS server.
If your network security team has concerns about opening bi-directional ports, you can:
- Restrict the source/destination IPs to only the necessary ADFS servers and AD DCs.
- Ensure LDAPS (636/TCP, 3269/TCP) is used to encrypt directory traffic.
- Monitor traffic patterns to detect anomalies.
For more details, please look below at Microsoft’s official documentation:
Active Directory and ADFS Port Requirements
Let me know if you need further clarification.
Best regards,
Alex
P.S. If my answer helped you, please Accept my answer.
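A way to verify the rules described in the answer from the ADFS side, as an added example that is not part of the original post: it probes each TCP port in the list against every domain controller with Test-NetConnection and exercises DNS separately, since Test-NetConnection cannot probe UDP. The DC names in $DomainControllers are placeholders to replace with your own.

```powershell
# Added example (not from the original answer): check from an ADFS server
# that the ports listed above are reachable on each domain controller.
# Assumes it runs on a domain-joined ADFS host; $DomainControllers is a
# placeholder list, replace it with your DC names.

$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')

# TCP ports from the answer. The dynamic RPC range (49152-65535) cannot be
# probed port by port; TCP 135 (endpoint mapper) is checked as its gateway.
$TcpPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog LDAP' },
    @{ Port = 3269; Name = 'Global Catalog LDAPS' }
)

$results = foreach ($dc in $DomainControllers) {
    foreach ($p in $TcpPorts) {
        # Test-NetConnection probes TCP only; -InformationLevel Quiet returns $true/$false
        $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Name; Reachable = $ok }
    }
}

$results | Format-Table -AutoSize

# UDP 53 and UDP 88 are not covered by the TCP probe above. A name lookup
# sent directly to each DC exercises DNS (UDP first, TCP on truncation).
foreach ($dc in $DomainControllers) {
    try {
        Resolve-DnsName -Name $env:USERDNSDOMAIN -Server $dc -Type A -ErrorAction Stop | Out-Null
        "DNS (53) via ${dc}: OK"
    } catch {
        "DNS (53) via ${dc}: FAILED ($($_.Exception.Message))"
    }
}

# Kerberos (88) end to end: requesting a service ticket for the domain's
# krbtgt contacts whichever DC the client locates.
klist get "krbtgt/$env:USERDNSDOMAIN"

# Any row with Reachable = False points at a missing firewall rule between
# the ADFS host and that DC; the DCs' return path to the ADFS server is
# confirmed by the same checks succeeding, since TCP replies traverse it.
```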