Password policy is typically established to manage user-level passwords securely. In addition to setting length and complexity requirements, one way to strengthen password security is to require password freshness, that is, regular rotation. For a shared service identity such as the AD FS 2.0 service identity user account, rotating the password requires a more managed update process when the account is used in a federation server farm, because the new password must be applied consistently on every server in the farm.

To update the AD FS service user password in a federation server farm

Perform the following steps in order for each federation server in a server farm, beginning with the primary (first) server in the farm:

  1. Update the password for the AD FS service.

    Use the following command at an elevated command prompt: "sc config adfssrv password= new_password" (sc.exe requires the space after the equals sign; if you run this from PowerShell, type sc.exe explicitly, because sc is a PowerShell alias for Set-Content).

  2. Restart the AD FS service.

    First, use the following command at an elevated command prompt to stop the service: "net stop adfssrv"

    Next, use the following command at an elevated command prompt to start the service again: "net start adfssrv"

  3. Update the password for the AD FS application pool (ADFSAppPool).

    You can do this with the following steps in Internet Information Services (IIS) Manager.

    1. In IIS Manager, in the Connections pane, expand the Web server node, and then click Application Pools.
    2. Select ADFSAppPool, click Advanced Settings, and then update Identity by clicking the [...] button next to it.
    3. In the Application Pool Identity dialog box, with Custom account selected, click Set.
    4. In the Set Credentials dialog box, specify the updated AD FS 2.0 service identity user password.
  4. Restart IIS.

    Use the following command at an elevated command prompt: "iisreset /noforce" (the /noforce switch tells iisreset not to forcibly terminate the IIS services if they cannot be stopped gracefully).
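The four steps above, carried out on one federation server from an elevated PowerShell session, as an added example that is not part of the original page or of the AD FS product. It assumes the WebAdministration module is available, the application pool is named ADFSAppPool as stated above, and the operator supplies the new password as a SecureString; run it on each farm member, primary server first.

```powershell
# Added example: rotate the AD FS 2.0 service identity password on the local
# federation server. Assumes an elevated session, the WebAdministration module,
# and the app pool name ADFSAppPool from the procedure above.
param(
    [Parameter(Mandatory)][System.Security.SecureString]$NewPassword
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# sc.exe and the IIS configuration both need the plaintext value, so decode
# the SecureString only here and clear it again in the finally block.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    # Step 1: store the new password for the AD FS service (adfssrv).
    # 'sc' alone would invoke Set-Content in PowerShell, so call sc.exe;
    # 'password=' must be its own token, followed by the value.
    & sc.exe config adfssrv password= $plain
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit code $LASTEXITCODE)" }

    # Step 2: restart the service so it logs on with the new password
    # (equivalent to 'net stop adfssrv' followed by 'net start adfssrv').
    Restart-Service -Name adfssrv

    # Step 3: update the ADFSAppPool identity; keep the existing account name
    # and change only the password (Custom account / Set in IIS Manager).
    $pool = 'IIS:\AppPools\ADFSAppPool'
    $user = (Get-ItemProperty -Path $pool -Name processModel).userName
    Set-ItemProperty -Path $pool -Name processModel -Value @{
        identitytype = 'SpecificUser'
        userName     = $user
        password     = $plain
    }

    # Step 4: restart IIS without forcibly killing services that stop cleanly.
    & iisreset.exe /noforce
    if ($LASTEXITCODE -ne 0) { throw "iisreset failed (exit code $LASTEXITCODE)" }
}
finally {
    # Do not leave the plaintext password behind in the session.
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# Post-change check: the service should be Running and the pool identity
# should still be the service account.
Get-Service -Name adfssrv | Select-Object Name, Status
(Get-ItemProperty -Path 'IIS:\AppPools\ADFSAppPool' -Name processModel).userName
```

Capture the new password with `Read-Host -AsSecureString` rather than typing it on the command line so it does not land in the console history.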