One of the common questions I get asked by colleagues during their AD FS deployments concerns the following error, which is presented when they try to access the AD FS update password page after a new deployment:
https://fs.contoso.com/ADFS/portal/updatepassword/
fs.contoso.com
An error occurred
An error occurred. Contact your administrator for more information.
· Activity ID: 9c0d8275-b381-43ab-3b01-0080000000c2
· Relying party: fs.contoso.com
· Error details: Object reference not set to an instance of an object.
· Node name: b660961e-76bc-481e-a991-d9ab86f379e4
· Error time: Wed, 20 May 2020 18:41:27 GMT
· Proxy server name: BR***P1
· Cookie: enabled
· User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
The reason is that this page is disabled by default, just like the IdP-initiated sign-on page (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-initiatedsignon).
To enable the page, launch the AD FS Management console, navigate to AD FS > Service > Endpoints, and scroll all the way to the bottom to the line item with the URL path /ADFS/portal/updatepassword/:
There are two properties to configure, depending on where you want the update password page to be reachable. To allow only internal access, set Enabled to Yes; if the page should also be reachable from the internet through the Web Application Proxy, set Proxy Enabled to Yes as well. Keep in mind that the proxy setting publishes a credential-accepting page to the internet, so make sure extranet lockout is configured before turning it on:
Once complete, restart the AD FS service (adfssrv) on every server in the farm for the change to take effect.
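The same change can be made from PowerShell on a federation server, which is handy when the console is not at hand or the farm has several nodes. The script below is an added example and not part of the original post: it reads the current state of the endpoint, enables it (optionally on the proxy as well), and restarts adfssrv on each farm node. The server list in $FarmServers is an assumed placeholder; in a Windows Internal Database farm, Set-AdfsEndpoint must be run on the primary federation server.

```powershell
# Added example: enable the AD FS update password endpoint with the ADFS module.
# Run on the primary federation server (WID farms only accept configuration
# changes there). $FarmServers is a placeholder for your own node names.
Import-Module ADFS

$EndpointPath = "/adfs/portal/updatepassword/"
$FarmServers  = @("fs01", "fs02")   # assumed host names, replace with yours
$PublishOnProxy = $false            # $true exposes the page through the WAP

# Show the current state: a fresh farm reports Enabled=False, Proxy=False,
# which is exactly why the page throws "Object reference not set ...".
Get-AdfsEndpoint -AddressPath $EndpointPath |
    Select-Object AddressPath, Enabled, Proxy, FullUrl

# Enable the endpoint. -Proxy controls the "Proxy Enabled" column in the console.
Set-AdfsEndpoint -TargetAddressPath $EndpointPath -Enabled $true -Proxy $PublishOnProxy

# Confirm the change landed in the configuration database before restarting.
$ep = Get-AdfsEndpoint -AddressPath $EndpointPath
if (-not $ep.Enabled) {
    throw "Endpoint $EndpointPath is still disabled; aborting restart."
}

# If the page is published externally, check that extranet lockout is on so a
# credential-accepting endpoint is not exposed without brute-force protection.
if ($PublishOnProxy) {
    $props = Get-AdfsProperties
    if (-not $props.ExtranetLockoutEnabled) {
        Write-Warning "Extranet lockout is disabled; consider enabling it before exposing $EndpointPath."
    }
}

# The configuration is farm-wide, but each node only picks it up after a
# service restart, so restart adfssrv on every server in the list.
foreach ($server in $FarmServers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Restart-Service -Name adfssrv -Force
        (Get-Service -Name adfssrv).Status
    }
}
```

Get-AdfsProperties and its ExtranetLockoutEnabled property are part of the same ADFS module; the warning is a check, not a change, so the script never alters lockout settings on its own.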