It is quite easy for security professionals to get aggressive with introducing controls into systems. I should know; I have worked with many of them, and I hold a CISSP myself. But the overall intent of security is to make sure that systems are available for legitimate purposes. The old notion that the only secure system is one that is turned off and locked away does not hold water: that system is not available for legitimate use. So, yes, security professionals can get carried away.

The Situation

While installing Active Directory Federation Services, I attempted to create a Managed Service Account by running the following command:

New-ADServiceAccount adfs-msa -DNSHostname STS.DOMAIN.COM -ServicePrincipalNames http/STS.DOMAIN.COM

…which resulted in an error similar to the one described in this Ask the Directory Services Team article:

The strange thing was that even basic, read-only Active Directory "get" operations failed with a similar error:

Get-ADUser -Filter *

However, from the same system and same credentials, I was able to browse through Active Directory Users and Computers and create Organizational Units and AD Users.

The Resolution

After reviewing the firewall rules in place between the AD DS domain controllers and the member servers (not a best practice to have such a situation), it was found that TCP/9389 was being blocked. What is TCP/9389? It is the SOAP endpoint of Active Directory Web Services (ADWS). The Active Directory PowerShell module and the Active Directory Administrative Center do not speak LDAP to a domain controller themselves; every cmdlet, including a read-only Get-ADUser, is relayed through ADWS on that port. Active Directory Users and Computers uses LDAP and RPC instead, which is why it kept working from the same system with the same credentials while every cmdlet failed. So the symptom makes sense.

Microsoft's Active Directory and Active Directory Domain Services Port Requirements outlines the ports necessary for proper communication between member servers and domain controllers, and TCP/9389 is on the list. A firewall that passes LDAP but drops ADWS produces exactly this asymmetric failure, so when the AD module fails while the MMC tools work, check 9389 before suspecting the directory. Once this port was opened, the world became a happy place.
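For the next time this happens, here is a short check that separates the LDAP path (which ADUC uses) from the ADWS path (which the AD module uses). This is an added example, not part of the original post. It assumes Windows PowerShell 5.1 on a domain-joined member server with the RSAT ActiveDirectory module installed, and an account that can read the domain and query services on the domain controller; the variable names and messages are mine.

```powershell
# Added example: locate a DC, then test the two transports independently.
# Assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The -Discover parameter set uses the DC locator (DsGetDcName), not ADWS,
# so it still works when TCP/9389 is blocked. Fall back to the logon server
# if no DC advertises the ADWS service at all.
$dc = $null
try {
    $dc = [string](Get-ADDomainController -Discover -Service ADWS -ForceDiscover).HostName
} catch {
    Write-Warning "DC locator found no domain controller advertising ADWS: $_"
    $dc = $env:LOGONSERVER.TrimStart('\')
}
"Testing against domain controller: $dc"

# LDAP is what Active Directory Users and Computers uses; ADWS is what the
# AD PowerShell module and Active Directory Administrative Center use.
$ports = [ordered]@{
    'LDAP (ADUC)'                 = 389
    'ADWS (AD module, ADAC)'      = 9389
}
foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-28} TCP/{1,-5} {2}' -f $name, $ports[$name], $state
}

# If the port is open but cmdlets still fail, confirm the service itself is
# running on the DC. Get-Service -ComputerName needs RPC access to the DC's
# service control manager, which a restrictive firewall may also drop.
try {
    $svc = Get-Service -Name ADWS -ComputerName $dc -ErrorAction Stop
    "ADWS service on ${dc}: $($svc.Status)"
} catch {
    Write-Warning "Could not query the ADWS service on ${dc}: $($_.Exception.Message)"
}

# Finally, repeat the operation that failed in the post, pinned to the same DC
# so the result lines up with the port test above.
try {
    $null = Get-ADUser -Filter * -Server $dc -ResultSetSize 1 -ErrorAction Stop
    "Get-ADUser against $dc succeeded; ADWS is reachable"
} catch {
    Write-Warning "Get-ADUser against $dc failed: $($_.Exception.Message)"
}
```

If the output shows TCP/389 open and TCP/9389 blocked, the problem is between the member server and the DC, not in the directory, and the fix belongs in the firewall rule set rather than on the domain controller.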