K B asked:

ADFS: EWS Load Balancer (ELB) require a CNAME record?

ADFS 3.0 (2 x STS nodes)

I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer).  It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.

Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer.  That does not seem to be available in AWS.

How do you handle this?

Thank you.
Tags: Active Directory, Exchange, Microsoft 365, AWS

Last comment: K B, 8/22/2022 (Mon)
Mohammed Hamada

You're trying to use a cloud load balancer for your STS? Why not simply create an ADFS farm?
Mohammed Hamada

Take a look at this article. When you have an ADFS farm you can configure DNS to point to the VIP on your load balancer, and the load balancer would handle the tokens or requests by sending them to either member of the ADFS farm, which would send them to the primary ADFS server.

https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
K B

ASKER
I am not following what you mean.
This is a farm. Farms don't provide HA.
VMs sit in AWS, as does the ELB.
The load balancers provide HA.
Aaron Tomosky

Here are the instructions from Microsoft on how to set it up in Azure. You can modify this for AWS or, IMO, put it in Azure where it should be, since it's talking to Azure anyway.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
K B

ASKER
Thank you for your replies. The question revolves around AWS ELBs' inability to take a static IP. You must use a CNAME record to point to the VIP. Docs at Microsoft warn against using CNAME records in ADFS implementations.
Aaron Tomosky

I know I'm not addressing your specific question; I'm not familiar enough with AWS to help with what you are trying to do.

I AM familiar with Azure and ADFS, and that's why I'm taking the time to offer the suggestion to put it there. ADFS talks to two things: your AD and Azure AD. So by putting it IN Azure, it's pretty difficult for Azure AD to have a problem talking to it, which means more uptime for your Azure logins (and AD Premium SaaS logins if you use that). On top of that, there is a setup doc from Microsoft and it's a supported config by Microsoft.

If you really, really want to put it in AWS, go for it, but I'm not going to be able to assist with the details of that.
K B

ASKER
Oh I'm all about azure too. :-)

This is a customer that has standardized on AWS.
Aaron Tomosky

Apparently not, since they need ADFS ;)
Which means they have an Azure account and use it. Otherwise they would have no need for ADFS servers at all.

Anyway, you can always just set up a single server and a second pair and move DNS if it ever goes down. Route 53 has all the goodness baked in. That's the point of AWS: reliability.

If they want the full, full load-balanced version of awesomeness, show them the doc; it belongs in Azure.
Narender Gakka

Hi there, please create an HTTPS listener on the external/internal AWS ELB you are creating and possibly offload SSL onto it; if not, you can just go for TCP load balancing. In either case, for DNS you would need to create a CNAME and map your DNS name to it, as an ELB in AWS does change IP addresses on the fly and can add or remove them at any time.

I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
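The DNS step in the answer above (a CNAME from the federation service name to the ELB's DNS name, never to one of its IP addresses), as an added Python example that is not from this thread or from AWS. It goes one step beyond the thread by also producing the Route 53 alias A record, which points at an ELB without a static IP and is the only option when the federation service name sits at the zone apex, where a CNAME is not allowed. The names sts.example.com and example.com, the ELB DNS names and the hosted zone id are constructed placeholders; the ChangeBatch layout matches what Route 53's change_resource_record_sets call expects, but nothing here talks to AWS.

```python
"""Plan the DNS record for an ADFS federation service name that fronts an AWS ELB.

Added example, not from the thread. sts.example.com, example.com, the ELB names
and the hosted zone id are constructed placeholders. The ChangeBatch shape
(UPSERT / ResourceRecordSet / AliasTarget) is the Route 53
change_resource_record_sets input format, but nothing here calls AWS.
"""
import ipaddress


class DnsPlanError(ValueError):
    """Raised when the requested record would break in front of an ELB."""


def _labels(name):
    # Normalise "Sts.Example.COM." -> ["sts", "example", "com"]
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_zone_apex(record_name, zone_name):
    """True when the record sits at the root of the hosted zone (no CNAME allowed there)."""
    return _labels(record_name) == _labels(zone_name)


def validate_elb_target(target):
    """Accept only an ELB hostname.

    IP literals are refused because ELB addresses are not static: the
    'A record to the VIP' habit from on-premises load balancers silently
    breaks the first time the ELB changes address.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass  # not an IP literal, carry on with the hostname checks
    else:
        raise DnsPlanError("%r is an IP literal; ELB addresses change, use the ELB DNS name" % target)
    labels = _labels(target)
    # Classic/ALB names end in <region>.elb.amazonaws.com, NLB names in elb.<region>.amazonaws.com
    if labels[-2:] != ["amazonaws", "com"] or "elb" not in labels:
        raise DnsPlanError("%r does not look like an AWS ELB DNS name" % target)
    return ".".join(labels)


def plan_federation_dns(fs_name, zone_name, elb_dns_name, elb_hosted_zone_id=None, ttl=60):
    """Return a Route 53 ChangeBatch mapping the federation service name to the ELB.

    Without elb_hosted_zone_id: a CNAME, as described in the thread (refused at the zone apex).
    With elb_hosted_zone_id (the ELB's own hosted zone id, required for an alias):
    a Route 53 alias A record, which behaves like an A record without a static IP.
    """
    target = validate_elb_target(elb_dns_name)
    name = ".".join(_labels(fs_name)) + "."
    if elb_hosted_zone_id:
        rrset = {
            "Name": name,
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": elb_hosted_zone_id,
                "DNSName": target + ".",
                "EvaluateTargetHealth": True,  # stop answering when every ELB target is unhealthy
            },
        }
    else:
        if is_zone_apex(fs_name, zone_name):
            raise DnsPlanError("a CNAME cannot sit at the zone apex %r; use an alias A record" % zone_name)
        rrset = {
            "Name": name,
            "Type": "CNAME",
            "TTL": ttl,  # short TTL so a DNS move to a standby ELB is picked up quickly
            "ResourceRecords": [{"Value": target}],
        }
    return {
        "Comment": "ADFS federation service name -> ELB",
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rrset}],
    }


if __name__ == "__main__":
    import json
    # Constructed sample values, not real infrastructure.
    batch = plan_federation_dns(
        "sts.example.com", "example.com",
        "adfs-farm-123456789.us-east-1.elb.amazonaws.com",
    )
    print(json.dumps(batch, indent=2))
```

The alias form is worth knowing about in exactly this situation: it keeps the record an A record, so the federation service name never resolves through a CNAME, while still following the ELB as its addresses change. Whichever form you choose, the ELB DNS name (not an address) is the only thing the record should ever point at.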
ASKER CERTIFIED SOLUTION
K B

K B

ASKER
This was the solution