This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 78%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
There are many post on how to change the service account by using the following script:
ADFS3.xChangeSvcAcct.ps1
https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-ddb67df0#content
However, what I do not think is clear is how to proceed when you have an ADFS Web Proxy.
The script talks about primary and secondaries. If I understand correctly, you first update on the secondary servers,
and then you move to the primary.
But does the ADFS Proxy is considered a secondary? If not, once I run the script on the primary server, how do I update
the service account on the Proxy?
Has anybody gone through this scenario?
Thanks
The Web Application Proxy (aka WAP, that's how we call the ADFS Proxy since Windows Server 2012 R2) does not leverage the ADFS service account at all.
As a matter of fact, WAP don't even need to be domain joined. WAPs authenticate with the ADFS farm using TLS authentication (certificates are generated when you join the WAP to the farm and then roll-over on a regular basis).
In other words, there is no action required on the WAPs when you change the service account of the ADFS farm.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 15%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
How about the local account? Can it be used as service account?
Also if there is only one adfs, how is the changing of service account done?
It has to be a domain account (starting ADFS on Windows Server 2012 R2). It is actually storing things in AD and needs to be able to access it.
To change the service account from one domain user to another, you can just use the script you mentioned. Also, I am not sure what you mean by "only one ADFS".