
ADFS Redirection Help


+fusi0n

I have set up ADFS using Windows Server 2016. I have everything working, including through Nginx. However, I have one issue I can't seem to fix.

connect.mydomainname.com/adfs is an external DNS name that points to an internal hostname of the ADFS server (EL-ADFS-01.ad.mydomainname.com).

When I log in to connect.mydomainname.com/adfs with a valid username and password, it redirects me to EL-ADFS-01.ad.mydomainname.com. I have it working by having an external DNS entry that points to the same firewall as connect.mydomainname.com.

If I use a bad user/pass, I don't get a redirect, just a message that it's a bad user/pass.

I've messed around with the nginx settings some, and I'm not sure the issue is with nginx, since it seems to only happen for successful logins.

Any ideas?

Dented

You can't use CNAME records for AD FS. It needs to be an A record pointing to the internal IP.


sc302

I think it is a Microsoft thing... though I cannot be of much service, as my internal domain is the same as my external domain, and things are a bit easier to manage because of it.

 

Dented

17 hours ago, Dented said:

    You can't use CNAME records for AD FS. It needs to be an A record pointing to the internal IP.

Sorry about the short reply, I was on the phone on a bus.

If you give me a bit more detail on your setup, I think I can help you.

How many ADFS hosts do you have?

Are you using nginx for load balancing internal connections between multiple hosts, as a reverse proxy for publishing AD FS externally, or both?

Do you have the mydomain.com zone internally as well as externally?

Does nginx do DNS lookups externally or internally?

connect.mydomain.com needs to be an A record both internally and externally. It cannot be a CNAME (alias). If nginx is used as a load balancer, the AD FS nodes must be configured by IP in nginx, not by host name. If nginx is used as a reverse proxy, it must connect to the internal AD FS farm using the FQDN connect.mydomain.com, which must be an A record or a local hosts-file entry on the nginx server.

That said, I know nothing about nginx, but I am fairly familiar with AD FS.

+fusi0n

Thank you everyone for your help.

I actually had ADFS set up incorrectly. The domain that I was using was the internal DNS name and not the DNS name of the proxy server. Once I changed this in the ADFS console, everything started working. Then I set up Duo for 2FA, and everything is working great.

Thanks!

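An added example, not posted by anyone in this thread, that turns Dented's checklist and fusi0n's eventual fix into one PowerShell script you can run on the AD FS server. It checks whether the public name resolves through a CNAME, compares the Federation Service name AD FS is configured with against the public name, and reads the entityID out of the published federation metadata. AD FS builds that entityID (and every endpoint in the metadata) from the Federation Service name, so when the service is set to the internal hostname, as fusi0n's was, the internal name shows up in metadata fetched through the proxy. Only with -Fix does it rename the service. The host names are the thread's placeholders; the service account name is an assumption; the AD FS cmdlets need the ADFS module that is installed with the role.

```powershell
# Added example, not code from the thread. Run on the AD FS server (needs the ADFS module).
# Names below are the thread's placeholders; $ServiceAccount is an assumption.
param(
    [string]$PublicName     = 'connect.mydomainname.com',         # name users type (from the thread)
    [string]$InternalHost   = 'EL-ADFS-01.ad.mydomainname.com',   # AD FS server FQDN (from the thread)
    [string]$ServiceAccount = 'AD\svc_adfs',                      # assumption: the AD FS service account
    [switch]$Fix                                                  # without -Fix the script only reports
)

$ErrorActionPreference = 'Stop'

# 1. DNS: the Federation Service name should resolve via an A record, not a CNAME.
#    Resolve-DnsName returns the whole resolution chain, so a CNAME anywhere in it shows up here.
$chain = Resolve-DnsName -Name $PublicName -Type A
$cname = $chain | Where-Object QueryType -eq 'CNAME'
if ($cname) {
    Write-Warning "$PublicName is a CNAME for $($cname.NameHost); AD FS expects an A record."
} else {
    $ips = ($chain | Where-Object QueryType -eq 'A').IPAddress -join ', '
    Write-Host "DNS OK: $PublicName -> $ips"
}

# 2. What does AD FS think its own name is? On the OP's box this was the internal hostname,
#    which is where AD FS then sends the browser after a successful sign-in.
Import-Module ADFS
$props = Get-AdfsProperties
if ($props.HostName -ne $PublicName) {
    Write-Warning ("Federation Service name is '{0}', expected '{1}'. " -f $props.HostName, $PublicName +
                   "Successful sign-ins will be redirected to the configured name, not the proxy name.")
}
if ($props.HostName -eq $InternalHost) {
    Write-Warning "Federation Service name is the internal server FQDN; this is the misconfiguration fusi0n hit."
}

# 3. Cross-check from the outside: the entityID in the published metadata is built from the
#    Federation Service name, so it must carry the public name, not the internal one.
$metaUrl = "https://$PublicName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$entityId = $meta.EntityDescriptor.entityID
if ($entityId -notlike "*$PublicName*") {
    Write-Warning "Metadata entityID is '$entityId'; it exposes the internal name and confirms the misconfiguration."
} else {
    Write-Host "Metadata OK: entityID is $entityId"
}

# 4. Remediation, only with -Fix: rename the service, register the HOST/ SPN the service account
#    needs for Windows Integrated Authentication under the new name, and restart AD FS.
#    The TLS certificate bound to AD FS must already contain $PublicName as a SAN; this does not issue one.
if ($Fix) {
    Set-AdfsProperties -HostName $PublicName
    & setspn.exe -s "HOST/$PublicName" $ServiceAccount
    Restart-Service -Name adfssrv
    Write-Host "Federation Service name set to $PublicName; re-run without -Fix to verify."
}
```

Run it without -Fix first and read the warnings; the metadata check is the quickest way to tell whether the service name or the proxy is at fault, because it does not depend on nginx at all. If nginx is the reverse proxy, it must also pass the public name through unchanged (the Host header and the TLS SNI name), since AD FS binds to and answers for its Federation Service name only.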