ADFS: AWS Load Balancer (ELB) requires a CNAME record?

ADFS 3.0 (2 x STS nodes)

I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer).  It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.

Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer.  That does not seem to be available in AWS.

How do you handle this?

Thank you.
K B asked:
Mohammed Hamada, Senior IT Consultant, commented:
You're trying to use a cloud load balancer for your STS? Why not simply create an ADFS farm?
0
Mohammed Hamada, Senior IT Consultant, commented:
Take a look at this article. When you have an ADFS farm you could configure DNS to point to the VIP on your load balancer, and the load balancer would handle the tokens or requests by sending them to either member of the ADFS farm, which would send them to the primary ADFS server.

https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
0
K B (author) commented:
I am not following what you mean.
This is a farm. Farms don't provide HA.
VMs sit in AWS; so does the ELB.
The load balancers provide HA.
0
Aaron Tomosky, SD-WAN Simplified, commented:
Here are the instructions from Microsoft on how to set it up in Azure. You can modify this for AWS or, IMO, put it in Azure where it should be, since it's talking to Azure anyway.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
0
K B (author) commented:
Thank you for your replies. The question revolves around AWS ELBs' inability to take a static IP. You must use a CNAME record to point to the VIP. Docs at Microsoft warn against using CNAME records in ADFS implementations.
0
Aaron Tomosky, SD-WAN Simplified, commented:
I know I'm not addressing your specific question; I'm not familiar enough with AWS to help with what you are trying to do.

I AM familiar with Azure and ADFS, and that's why I'm taking the time to offer the suggestion to put it there. ADFS talks to two things: your AD and Azure AD. So by putting it IN Azure, it's pretty difficult for Azure AD to have a problem talking to it, which means more uptime for your Azure logins (and AD Premium SaaS logins if you use that). On top of that, there is a setup doc from Microsoft and it's a supported config by Microsoft.

If you really, really want to put it in AWS, go for it, but I'm not going to be able to assist with the details of that.
0
K B (author) commented:
Oh, I'm all about Azure too. :-)

This is a customer that has standardized on AWS.
0
Aaron Tomosky, SD-WAN Simplified, commented:
Apparently not, since they need ADFS ;)
Which means they have an Azure account and use it. Otherwise they would have no need for ADFS servers at all.

Anyway, you can always just set up a single server and a second pair and move DNS if it ever goes down. Route 53 has all the goodness baked in. That's the point of AWS: reliability.

If they want the full, full load-balanced version of awesomeness, show them the doc; it belongs in Azure.
0
Narender Gakka, AWS / DevOps / Cloud Consultant, commented:
Hi there. Please create an HTTPS listener on the external/internal AWS ELB which you are creating and possibly offload SSL onto it; if not, you can just go for TCP load balancing. In either case, for DNS you would need to create a CNAME and map your DNS name to it, as the ELB in AWS does change IP addresses on the fly and can add or remove them at any time.

I did implement ADFS in AWS and didn't have any issues with the ELB, but I'm happy to help if you get any errors.
1
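An added example, not part of the thread or of any poster's code, illustrating the trade-off the answer above settles on. The Microsoft warning the author refers to is about Windows Integrated Authentication: a Kerberos client that canonicalizes the host name before building the service principal name (the default behaviour of WinHTTP/Internet Explorer and of Chrome's Negotiate handling) will request a ticket for HTTP/<ELB DNS name>, not HTTP/<federation service name>, when the federation service name is a CNAME to the ELB. The script models that derivation against constructed zone data (all names and addresses are hypothetical placeholders) and contrasts the CNAME with a Route 53 alias record, which answers as A records for the ELB's current addresses, so the queried name stays its own canonical name.

```python
"""Model Kerberos SPN derivation for an ADFS federation service name
that sits behind an AWS ELB, with constructed (offline) DNS answers."""

from typing import Dict, List, Tuple, Union

# Constructed stand-in for DNS answers: name -> (rtype, rdata).
# Names and addresses are hypothetical placeholders, not real infrastructure.
ZONE: Dict[str, Tuple[str, Union[str, List[str]]]] = {
    # What the thread recommends: a CNAME to the ELB's DNS name.
    "fs.contoso.com.": ("CNAME", "adfs-elb-123456789.us-east-1.elb.amazonaws.com."),
    # The ELB name's current A records (these change over time; nothing is static).
    "adfs-elb-123456789.us-east-1.elb.amazonaws.com.": ("A", ["203.0.113.10", "203.0.113.11"]),
    # A Route 53 alias record for the same ELB: the resolver sees plain A records,
    # so the queried name is also the canonical name.
    "sts.contoso.com.": ("A", ["203.0.113.10", "203.0.113.11"]),
}

# SPNs registered on the ADFS service account (constructed for the example).
REGISTERED_SPNS = ["HTTP/fs.contoso.com", "HTTP/sts.contoso.com"]


def resolve(name: str, zone: Dict, max_hops: int = 8) -> Tuple[str, List[str], List[str]]:
    """Follow CNAMEs the way a resolver does.

    Returns (canonical_name, addresses, chain) where chain lists every name
    visited, starting with the queried name.
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        rtype, rdata = zone[current]
        if rtype == "A":
            return current, list(rdata), chain
        current = str(rdata)  # CNAME target; keep following
        chain.append(current)
    raise RuntimeError("CNAME chain too long or looping: %s" % chain)


def derived_spn(name: str, zone: Dict, canonicalize: bool = True) -> str:
    """SPN a client builds for the HTTP service at `name`.

    With canonicalize=True the CNAME target, not the name the user typed,
    ends up in the SPN; that is the failure mode behind the CNAME warning.
    """
    host = resolve(name, zone)[0] if canonicalize else name
    return "HTTP/" + host.rstrip(".").lower()


def check_federation_name(name: str, zone: Dict, registered_spns: List[str],
                          canonicalize: bool = True) -> Dict[str, object]:
    """Report whether Kerberos can work for `name` given the registered SPNs."""
    canonical, addrs, chain = resolve(name, zone)
    spn = derived_spn(name, zone, canonicalize)
    registered = {s.lower() for s in registered_spns}
    return {
        "name": name.rstrip("."),
        "is_cname": len(chain) > 1,
        "canonical": canonical.rstrip("."),
        "addresses": addrs,
        "derived_spn": spn,
        "kerberos_ok": spn.lower() in registered,
    }


if __name__ == "__main__":
    for fqdn in ("fs.contoso.com.", "sts.contoso.com."):
        report = check_federation_name(fqdn, ZONE, REGISTERED_SPNS)
        verdict = "OK" if report["kerberos_ok"] else "SPN MISMATCH (WIA falls back or fails)"
        print("%-16s cname=%-5s spn=%-55s %s" % (
            report["name"], report["is_cname"], report["derived_spn"], verdict))
```

The two usual ways to keep the derived SPN equal to the federation service name are shown by the second zone entry (a Route 53 alias record instead of a CNAME, which also works at a zone apex) or, if the CNAME must stay, registering HTTP/<ELB DNS name> as an additional SPN on the ADFS service account; the ELB's DNS name is stable for the life of the load balancer even though its addresses are not. This only affects Windows Integrated Authentication from domain-joined clients; forms and certificate authentication are unaffected by how the name resolves.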
K B (author) commented:
[attachment: 2017-03-27_2017.png]
0
K B (author) commented:
This was the solution.
0