ADFS Redirection Help

[fusi0n]

I have setup ADFS using Windows Server 2016. I have everything working and working through Nginx. However, I have one issue I can't see to fix. 

 

connect.mydomainname.com /adfs is an external DNS name that points to an internal hostname of the ADFS server (EL-ADFS-01.ad.mydomainname.com)

 

when I login to connect.mydomainname.com/adfs I login with a vaild username and password, it redirects me to EL-ADFS-01.ad.mydomainname.com. I have it working by having an external DNS entry to point to the same firewall as the connect.mydomainname.com. 

 

If I use a bad user/pass, I don't get a redirect, just that it's a bad user/pass. 

 

I've messed around with the nginx settings some and I'm not sure the issue is with nginx since it seems to only happen for  successful logins. 

 

Any ideas?

[Dented]

You can't use CName records for. AD FS. It needs to be an A-record pointing to the internal ip. 

[sc302 Veteran]

I think it is a microsoft thing...though I cannot be of much service as my internal domain is the same as my external domain and things are a bit easier to manage because of it.  

 

[Dented]

  On 20/05/2019 at 15:13, Dented said:

You can't use CName records for. AD FS. It needs to be an A-record pointing to the internal ip. 

Expand  

Sorry about the short reply, was on the phone on a bus.

 

If you give me a bit more detail on your setup I think I can help you.

 

How many ADFS hosts do you have?

Are you using nginx for load balancing internal connections between multiple hosts, as a reverse proxy for publishing AD FS externally, or both?

Do you have the mydomain.com zone internally as well as externally?

Does nginx do DNS-lookups externally or internally?

 

connect.mydomain.com needs to be an A-Record both internally and externally. It cannot be a CName(alias). If nginx is used as a load balancer, the AD FS nodes must be configured with IP in nginx, not host name. If nginx is used as a reverse proxy, it must connect to the internal AD FS farm using FQDN of connect.mydomain.com, which must be an A-Record or a local host record on the nginx server.

 

That said, I know nothing about nginx, but I am fairly familiar with AD FS.

[fusi0n]

Thank you everyone for your help.

 

I actually had ADFS setup incorrectly. The domain that I was using was the internal dns name and not the dns name of the proxy server. Once I changed this in the ADFS Console, everything started working. Then I setup Duo for 2FA and everything is working great.

 

Thanks!