
I have set up ADFS using Windows Server 2016. I have everything working and working through Nginx. However, I have one issue I can't seem to fix.

 

connect.mydomainname.com/adfs is an external DNS name that points to an internal hostname of the ADFS server (EL-ADFS-01.ad.mydomainname.com).

 

When I log in to connect.mydomainname.com/adfs with a valid username and password, it redirects me to EL-ADFS-01.ad.mydomainname.com. I have it working by having an external DNS entry point to the same firewall as connect.mydomainname.com.

 

If I use a bad user/pass, I don't get a redirect, just that it's a bad user/pass. 

 

I've messed around with the nginx settings some and I'm not sure the issue is with nginx since it seems to only happen for successful logins.

 

Any ideas?

https://www.neowin.net/forum/topic/1382536-adfs-redirection-help/

  • 2 weeks later...
  On 20/05/2019 at 15:13, Dented said:

You can't use CName records for AD FS. It needs to be an A-record pointing to the internal IP.


Sorry about the short reply, was on the phone on a bus.

 

If you give me a bit more detail on your setup I think I can help you.

 

How many ADFS hosts do you have?

Are you using nginx for load balancing internal connections between multiple hosts, as a reverse proxy for publishing AD FS externally, or both?

Do you have the mydomain.com zone internally as well as externally?

Does nginx do DNS-lookups externally or internally?

 

connect.mydomain.com needs to be an A-Record both internally and externally. It cannot be a CName (alias). If nginx is used as a load balancer, the AD FS nodes must be configured with IP in nginx, not host name. If nginx is used as a reverse proxy, it must connect to the internal AD FS farm using the FQDN of connect.mydomain.com, which must be an A-Record or a local host record on the nginx server.

 

That said, I know nothing about nginx, but I am fairly familiar with AD FS.

Thank you everyone for your help.

 

I actually had ADFS set up incorrectly. The domain that I was using was the internal DNS name and not the DNS name of the proxy server. Once I changed this in the ADFS Console, everything started working. Then I set up Duo for 2FA and everything is working great.

 

Thanks!
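
The two points the thread settles on (the federation service name in AD FS must be the published name, and that name must resolve to an A record rather than a CNAME) can be checked together. The script below is an added example, not code from any of the posters; it assumes it is run on the AD FS server with the ADFS and DnsClient modules available, and `Test-AdfsPublishedName` and its parameters are hypothetical names.

```powershell
# Added example: verifies the AD FS published-name setup discussed in the thread.
function Test-AdfsPublishedName {
    param(
        # Name that clients and the reverse proxy use (taken from the thread).
        [string]$PublishedName = 'connect.mydomainname.com',
        # Optional resolver, so the check can be repeated against internal and external DNS.
        [string]$DnsServer
    )
    $findings = @()

    # 1. Federation service name configured in AD FS. If this is the internal
    #    host name, AD FS builds its post-login redirects with that name.
    $adfsHost = (Get-AdfsProperties).HostName
    if ($adfsHost -ne $PublishedName) {
        $findings += "Federation service name is '$adfsHost', not '$PublishedName'."
    }

    # 2. An SSL binding must exist for the published name.
    $bound = Get-AdfsSslCertificate | Where-Object HostName -eq $PublishedName
    if (-not $bound) {
        $findings += "No AD FS SSL certificate binding for '$PublishedName'."
    }

    # 3. The published name must be an A record, not a CNAME (alias).
    $query = @{ Name = $PublishedName; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $query.Server = $DnsServer }
    try {
        $answers = Resolve-DnsName @query | Where-Object Section -eq 'Answer'
        if ($answers | Where-Object Type -eq 'CNAME') {
            $findings += "'$PublishedName' resolves through a CNAME; use an A record."
        } elseif (-not ($answers | Where-Object Type -eq 'A')) {
            $findings += "'$PublishedName' has no A record on this resolver."
        }
    } catch {
        $findings += "DNS lookup for '$PublishedName' failed: $($_.Exception.Message)"
    }

    if ($findings.Count -eq 0) { "OK: '$PublishedName' is consistent in AD FS and DNS." }
    else { $findings }
}

Test-AdfsPublishedName
```

Run it once with the default resolver and once with `-DnsServer` set to an external resolver to cover both sides of the split DNS setup.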

This topic is now closed to further replies.