The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.
ADFS: EWS Load Balancer (ELB) require a CNAME record?
ADFS 3.0 (2 x STS nodes)
I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer). It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.
Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer. That does not seem to be available in AWS.
How do you handle this?
Thank you.
I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer). It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.
Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer. That does not seem to be available in AWS.
How do you handle this?
Thank you.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Take a look here at this article, when you have ADFS farm you could configure DNS that would point to the VIP on your load balancer and the load balancer would handle the tokens or requests by sending it to either member of the ADFS and that would send it to the Primary ADFS Server.
https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
I am Not following what you mean
This is a farm. Farms don't provide HA
VMs sit in aws so does elb
The load balancers provide HA
This is a farm. Farms don't provide HA
VMs sit in aws so does elb
The load balancers provide HA
Here are the instructions from Microsoft on how to set it up in azure. You can modify this for aws or IMO put it in azure where it should be since it's talking to azure anyway.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
Thank you for your replies. The question revolves around AWS ELBs inability to take a static IP. You must use a CNAME record to point to the VIP. Docs at Microsoft warn against using CNAME records in ADFS implementations
I know I'm not addressing your specific question, I'm not familiar enough with AWS to help with what you are trying to do.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I know I'm not addressing your specific question, I'm not familiar enough with AWS to help with what you are trying to do.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
Apparently not since they need adfs ;)
Which means they have an azure account and use it. Else they would have no need for adfs servers at all.
Anyway, you can always just setup a single server and a second pair and move DNS if it ever goes down. Route53 has all the goodness baked in. That's the point of aws, reliability.
If they want the full full load balanced version of awesomeness, show them the doc, it belongs in azure.
Which means they have an azure account and use it. Else they would have no need for adfs servers at all.
Anyway, you can always just setup a single server and a second pair and move DNS if it ever goes down. Route53 has all the goodness baked in. That's the point of aws, reliability.
If they want the full full load balanced version of awesomeness, show them the doc, it belongs in azure.
Hi there, please create a HTTPS Listener on External/Internal AWS ELB which you are creating and possibly offload SSL on to it if not you can just go for TCP load balancing, in either case, for DNS you would need to create a CNAME and map you DNS to it as ELB in AWS does change IP addresses on the fly and can add or remove them at any time.
I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.