asked on ADFS: EWS Load Balancer (ELB) require a CNAME record?
ADFS 3.0 (2 x STS nodes)
I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer). It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.
Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer. That does not seem to be available in AWS.
How do you handle this?
Thank you.
I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer). It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.
Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer. That does not seem to be available in AWS.
How do you handle this?
Thank you.
Active DirectoryExchangeMicrosoft 365AWS
Last Comment
K B
You're trying to use a cloud load balancer for your STS? Why not simply create ADFS Farm ?
Take a look here at this article, when you have ADFS farm you could configure DNS that would point to the VIP on your load balancer and the load balancer would handle the tokens or requests by sending it to either member of the ADFS and that would send it to the Primary ADFS Server.
https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
https://social.technet.microsoft.com/Forums/windows/en-US/33d73a55-92cc-41c6-9055-8bdd89cef20b/adfs-30-farm-and-high-availability?forum=ADFS
ASKER
I am Not following what you mean
This is a farm. Farms don't provide HA
VMs sit in aws so does elb
The load balancers provide HA
This is a farm. Farms don't provide HA
VMs sit in aws so does elb
The load balancers provide HA
Here are the instructions from Microsoft on how to set it up in azure. You can modify this for aws or IMO put it in azure where it should be since it's talking to azure anyway.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs
ASKER
Thank you for your replies. The question revolves around AWS ELBs inability to take a static IP. You must use a CNAME record to point to the VIP. Docs at Microsoft warn against using CNAME records in ADFS implementations
I know I'm not addressing your specific question, I'm not familiar enough with AWS to help with what you are trying to do.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I know I'm not addressing your specific question, I'm not familiar enough with AWS to help with what you are trying to do.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
I AM familiar with azure and adfs and that's why I'm taking the time to offer the suggestion to put it there. Adfs talks to two things: your AD, and Azure AD. So by putting it IN azure, it's pretty difficult for azure AD to have a problem talking to it, which means more uptime for your azure logins (and ad premium sass logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really really want to put it in aws, go for it, but I'm not going to be able to assist with the details of that.
ASKER
Oh I'm all about azure too. :-)
This is a customer that has standardized on AWS.
This is a customer that has standardized on AWS.
Apparently not since they need adfs ;)
Which means they have an azure account and use it. Else they would have no need for adfs servers at all.
Anyway, you can always just setup a single server and a second pair and move DNS if it ever goes down. Route53 has all the goodness baked in. That's the point of aws, reliability.
If they want the full full load balanced version of awesomeness, show them the doc, it belongs in azure.
Which means they have an azure account and use it. Else they would have no need for adfs servers at all.
Anyway, you can always just setup a single server and a second pair and move DNS if it ever goes down. Route53 has all the goodness baked in. That's the point of aws, reliability.
If they want the full full load balanced version of awesomeness, show them the doc, it belongs in azure.
Hi there, please create a HTTPS Listener on External/Internal AWS ELB which you are creating and possibly offload SSL on to it if not you can just go for TCP load balancing, in either case, for DNS you would need to create a CNAME and map you DNS to it as ELB in AWS does change IP addresses on the fly and can add or remove them at any time.
I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
This was the solution