https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/where-to-place-a-federation-server
Looks like this server shouldn't be visible from the internet (only the AD FS proxy should); maybe you want to use a different account with a DNS challenge. acme.sh supports that, but it's a bash script…