Strange experience with Veeam and AD FS

[Atroxes]

This morning we started seeing clients not being able to connect to Office 365 (Exchange and Lync/Skype) through Outlook and mobile clients. OWA was not having issues.

Long story short: When doing a connectivity test (http://testconnectivity.microsoft.com/) to check if our Single Sign-On was functioning correctly, we discovered that we were getting a 503 error when trying to reach "https://sts.contoso.com/adfs/services/trust/mex" which is a page containing identification data that Office 365 needs to be able to access, to hand out tokens to connecting clients.

Researching the 503 error, I stumbled upon someone having issues with a recent CRM installation, where the CRM sandbox was hogging port 808, which apparently is in use by AD FS:
http://blogs.technet.com/b/bshastri/arc ... tlook.aspx

Changing the AD FS port with "Set-ADFSProperties –nettcpport 809" and then a reboot, solved the issue:

My question to anyone here:
Does Veeam B&R 8.0.0.2030 mess with port 808?
I haven't been able to find any documentation about Veeam utilizing port 808 for anything.

The only change that was made to the AD FS server, was a Veeam B&R installation (we migrated from psychical to virtual).

P.S.: Yes, I did a test in production... sorry!

Edit: Added precise Veeam B&R version and build.

[PTide]

Hi,

Have you already checked port 808 usage with any available tool (netstat, wireshark etc.)? If not then please do, and, if any Veeam services are listening on that port (which is an unexpected behaviour), kindly open a case with support and post your case ID here.

Thank you!

[Atroxes]

Hi,

Have you already checked port 808 usage with any available tool (netstat, wireshark etc.)? If not then please do, and, if any Veeam services are listening on that port (which is an unexpected behaviour), kindly open a case with support and post your case ID here.

Thank you!

I might be a coincedence that this issue started occuring right after installation of Veeam, because right now Veeam isn't using port 808 for anything, in fact, nothing on the server is.

[PTide]

I might be a coincedence that this issue started occuring right after installation of Veeam

Did it occur several times or just once?

[Atroxes]

Did it occur several times or just once?

1. AD FS working fine, no issues
2. Veeam is installed, Veeam runs fine
3. Users start reporting not being able to connect, AD FS 503 service unavailable is the culprit (new tokens can't be generated, since AD FS is broken)
4. ADFS nettcpport is changed to 809 and server is restarted.
5. Everything is running smooth again.

Again, I don't know if this was Veeam related, I'm merely guessing here, since the event log shows nothing at all (which caused some headaches) about Veeam or AD FS malfunctioning or conflicting.

However, the AD FS had been running flawlessly up until Veeam was installed. Might be something entirely different, but Veeam just seemed to have something to do with it.

[PTide]

Thank you for clarification. Personally I am very curious about what could be a reason for failure. Please let us know what was that once you nail it.

Thank you.