ADFS Redirection Help

I have set up ADFS using Windows Server 2016. I have everything working, and working through Nginx. However, I have one issue I can't seem to fix.

connect.mydomainname.com/adfs is an external DNS name that points to the internal hostname of the ADFS server (EL-ADFS-01.ad.mydomainname.com).

When I log in to connect.mydomainname.com/adfs with a valid username and password, it redirects me to EL-ADFS-01.ad.mydomainname.com. I have it working by having an external DNS entry that points to the same firewall as connect.mydomainname.com.

If I use a bad user/pass, I don't get a redirect, just a message that it's a bad user/pass.

I've messed around with the nginx settings some, and I'm not sure the issue is with nginx, since it seems to only happen for successful logins.

Any ideas?


I think it is a Microsoft thing... though I cannot be of much service, as my internal domain is the same as my external domain and things are a bit easier to manage because of it.

17 hours ago, Dented said:

You can't use CNAME records for AD FS. It needs to be an A record pointing to the internal IP.

Sorry about the short reply, I was on the phone on a bus.

If you give me a bit more detail on your setup, I think I can help you.

How many ADFS hosts do you have?

Are you using nginx for load balancing internal connections between multiple hosts, as a reverse proxy for publishing AD FS externally, or both?

Do you have the mydomain.com zone internally as well as externally?

Does nginx do DNS lookups externally or internally?

connect.mydomain.com needs to be an A record both internally and externally. It cannot be a CNAME (alias). If nginx is used as a load balancer, the AD FS nodes must be configured in nginx by IP, not by host name. If nginx is used as a reverse proxy, it must connect to the internal AD FS farm using the FQDN connect.mydomain.com, which must be an A record or a local host record on the nginx server.

That said, I know nothing about nginx, but I am fairly familiar with AD FS.


Thank you everyone for your help.

I actually had ADFS set up incorrectly. The domain I was using was the internal DNS name and not the DNS name of the proxy server. Once I changed this in the ADFS console, everything started working. Then I set up Duo for 2FA, and everything is working great.

Thanks!

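The root cause reported above (the federation service name left at the internal node name, so post-login redirects and every endpoint URL point at EL-ADFS-01 instead of the published name) is visible from outside the farm in its federation metadata, which is built from that service name. The following script is an added example for this thread, not code from the thread or from AD FS: it reads the metadata through the published name, collects the entityID and every endpoint Location, and reports any URL whose host is not the public FQDN. It assumes the standard AD FS metadata path /FederationMetadata/2007-06/FederationMetadata.xml; the embedded sample metadata is constructed for the example and reuses the thread's host names. Run it with no arguments to check the sample, or with the published FQDN to check a live farm.

```python
"""Spot an AD FS farm that still advertises its internal host name instead of the
published (proxy) name. Added example for this thread; not code from the thread.
Assumes the standard AD FS metadata path below; the sample XML at the bottom is
constructed for the example and uses the thread's host names."""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Standard AD FS federation metadata path (assumption: unchanged on the farm being checked).
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"


def _host(url: str) -> str:
    """Host part of a URL, lower-cased; empty string when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def advertised_urls(metadata_xml: str) -> dict:
    """Map every URL the metadata advertises (entityID plus each Location attribute) to its host."""
    root = ET.fromstring(metadata_xml)
    urls = {}
    entity_id = root.get("entityID")
    if entity_id:
        urls[entity_id] = _host(entity_id)
    for elem in root.iter():
        location = elem.get("Location")
        if location:
            urls[location] = _host(location)
    return urls


def find_leaks(metadata_xml: str, public_fqdn: str) -> list:
    """URLs whose host differs from the published name. A non-empty result means clients
    authenticating through the proxy will be redirected to a name they may not reach."""
    wanted = public_fqdn.lower()
    return sorted(url for url, host in advertised_urls(metadata_xml).items() if host != wanted)


def fetch_metadata(public_fqdn: str, timeout: float = 10.0) -> str:
    """Download the farm's metadata through the published name (network required)."""
    with urllib.request.urlopen(f"https://{public_fqdn}{METADATA_PATH}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: a farm whose federation service name was left at the internal
# node name, as in the thread, so every endpoint points at EL-ADFS-01 rather than connect.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://el-adfs-01.ad.mydomainname.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://el-adfs-01.ad.mydomainname.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://el-adfs-01.ad.mydomainname.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def main(argv: list) -> int:
    # Usage: python adfs_name_check.py connect.mydomainname.com   (live farm)
    #        python adfs_name_check.py                            (constructed sample)
    public = argv[1] if len(argv) > 1 else "connect.mydomainname.com"
    xml_text = fetch_metadata(public) if len(argv) > 1 else SAMPLE_METADATA
    leaks = find_leaks(xml_text, public)
    for url in leaks:
        print(f"advertises {url} instead of {public}")
    print("OK" if not leaks else f"{len(leaks)} URL(s) do not use the published name")
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the misconfigured sample the check lists the entityID and the /adfs/ls/ endpoint as pointing at el-adfs-01.ad.mydomainname.com; after the federation service name is changed to the proxy name in the ADFS console, the same check against the live farm should print OK. The host comparison is case-insensitive, so the internal name reported in mixed case by AD FS is still matched.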