Which two inbound TCP ports should you open on the firewall?

Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016.
Server1 is located in the perimeter network.
You install the Active Directory Federation Services server role on Server1. You create an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name of sts.contoso.com.
You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.
A. 389
B. 443
C. 3389
D. 8531
E. 49443


One thought on “Which two inbound TCP ports should you open on the firewall?”

  1. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-support-for-alternate-hostname-binding-for-certificate-authentication
    On many networks the local firewall policies might not allow traffic through non-standard ports like 49443. This became an issue when trying to accomplish certificate authentication with AD FS prior to AD FS in Windows Server 2016.
    This is because you could not have different bindings for device authentication and user certificate authentication on the same host. The default port 443 is bound to receive device certificates and cannot be altered to support multiple bindings in the same channel.
    The results were that smart card authentication would not work and users were unaware of what happened since there is no indication of what really happened.
    In AD FS on Windows Server 2016 this has changed. Now we support two modes, the first uses the same host (i.e. adfs.contoso.com) with different ports (443, 49443).
    The second uses different hosts (adfs.contoso.com and certauth.adfs.contoso.com) with the same port (443).
    This will require an SSL certificate to support “certauth.” as an alternate subject name. This can be done at the time of the farm creation or later via PowerShell.
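An added example (not from the question or the comment above) that checks, on the AD FS server, which of the two certificate-authentication modes the farm's TLS bindings reflect and whether the host firewall allows inbound TCP on the ports each mode needs. It uses the farm name sts.contoso.com from the question; the certauth.sts.contoso.com alternate host name is an assumption.

```powershell
# Run in an elevated PowerShell session on the AD FS server (Windows Server 2016).
$farmHost     = 'sts.contoso.com'
$certAuthHost = "certauth.$farmHost"      # assumed alternate host name (mode 2)

# TLS bindings AD FS registered with HTTP.SYS: HostName, PortNumber, CertificateHash
$bindings = Get-AdfsSslCertificate
$ports    = $bindings | Where-Object { $_.HostName -ne 'localhost' } |
            Select-Object -ExpandProperty PortNumber -Unique

# Mode 1: same host, user certificate auth on the extra port 49443
$sameHostAltPort = $ports -contains 49443

# Mode 2: alternate host on 443; needs the certauth name in the certificate's SAN
$thumb = ($bindings | Where-Object { $_.PortNumber -eq 443 } | Select-Object -First 1).CertificateHash
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
$altHostSamePort = ($cert.DnsNameList.Unicode -contains $certAuthHost) -and
                   ($bindings.HostName -contains $certAuthHost)

"Same host / alternate port (443 + 49443): $sameHostAltPort"
"Alternate host / same port ($certAuthHost on 443): $altHostSamePort"

# Inbound TCP ports that must be open: 443 always, 49443 only in mode 1
$required = @(443)
if ($sameHostAltPort) { $required += 49443 }

# Local ports permitted by enabled inbound allow rules (values are strings such as
# '443', 'Any' or a range like '49152-65535'; ranges are not expanded here)
$allowed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
           Get-NetFirewallPortFilter |
           Where-Object { $_.Protocol -eq 'TCP' } |
           Select-Object -ExpandProperty LocalPort

foreach ($p in $required) {
    $open = ($allowed -contains "$p") -or ($allowed -contains 'Any')
    "Inbound TCP {0,-5} allow rule present on host firewall: {1}" -f $p, $open
}
```

This only inspects the Windows Firewall on Server1; the perimeter firewall between the Internet and the DMZ still needs its own rule for each required port, which is the point of the comment about non-standard ports such as 49443.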
