bikash sharma

asked on

Windows integrated authentication through WAP

I have 2 ADFS servers and 2 WAPs. We don't have any internal DNS zone for company.com where I could create an A record for adfs.company.com, so adfs.company.com is resolved through the internet internally, i.e. the traffic to adfs.company.com, whether internal or external, resolves through public DNS. I want to achieve integrated Windows authentication for the users who are on the intranet and forms-based authentication for the users on the extranet. The latter is OK, but getting IWA for internal users is an issue. Can the experts out there throw some light on this? Thank you.
Radhakrishnan

Hi,

What type of error are the intranet users getting while accessing the ADFS site? Does it keep asking them to enter a password? Do you have a local DNS server on the network? Have you tried adding the site to the trusted domain and checking?

Your symptoms look similar to this: https://support.microsoft.com/en-us/help/303650/intranet-site-is-identified-as-an-internet-site-when-you-use-an-fqdn-o 

Have a look and see if it works as expected.
Create a zone on your internal DNS for adfs.company.com. Inside it, create a new A record, leave the name blank, and point it at the IP of the load balancer for your internal ADFS servers.
bikash sharma

ASKER

Hi Radhakrishnan,

We have got our IE security zones all set and have kept adfs.company.com in zone 1, i.e. the intranet zone.

Hi Footech,

Your idea is a solution, but our scenario is a bit different: we don't want to have an internal DNS zone for adfs.company.com, since it again requires a load balancer in case of ADFS failover. We don't have a load balancer; we use a third-party DNS product that polls adfs.company.com and sends traffic to the primary ADFS WAP. If that WAP server is down it diverts the traffic to the other WAP server. This way we are achieving high availability without load balancers in between.
Let me give more detail: until now we had ADFS 2.0 and TMG 2010 as the proxy. The ADFS site is published through TMG, which is domain joined, and we don't have any zone on the internal DNS server, so the same design needs to be implemented. The only difference is that instead of TMG this time we are using WAP. The WAPs are not domain joined, as per best practice.
Thank you guys for your responses. Does the above detail help make things clear?
You won't be able to use Windows Integrated Auth for internal users unless they are able to resolve adfs.company.com to the internal ADFS.  To keep your setup, your DNS product would need to be able to respond with different records depending on where the client is located. I've heard that Server 2016 and latest versions of BIND may have something like that, but I have no experience with it, or whether it would do exactly what you need.

The simplest solution is to do as I suggested and implement a load balancer for your internal ADFS. NLB is included in Windows Server and doesn't cost anything; you would just configure it on your internal ADFS machines.

I'm unclear as to how your WAPs resolve adfs.company.com to your internal ADFS right now.  Without a load balancer for them I don't see how it could be HA (I see how your DNS product could handle requests to the WAPs and be HA, but that's different).
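As an added illustration of the fix footech describes (an internal zone named after the federation service, with a blank-name A record pointing at the internal ADFS farm), the following PowerShell is not part of the original thread. It assumes AD-integrated DNS servers with the DnsServer module, an NLB virtual IP of 10.0.0.50 in front of the two internal ADFS servers, and 203.0.113.10 as the public address the WAPs are reached on; all three values are placeholders. The last part is the check a practitioner wants after the change: a domain-joined client must get the internal address back, otherwise it is still talking to the WAP and will only ever see forms authentication.

```powershell
# Added example, not from the thread. Assumed values: internal NLB VIP for the ADFS
# farm, public IP that public DNS returns for the WAPs, and the federation service name.
$AdfsName   = 'adfs.company.com'
$InternalIP = '10.0.0.50'      # NLB VIP fronting the two internal ADFS servers (assumed)
$PublicIP   = '203.0.113.10'   # address public DNS hands out for the WAPs (assumed)

# 1. A zone named exactly after the federation service, so only this one name is
#    overridden internally and the rest of company.com still resolves via public DNS.
Add-DnsServerPrimaryZone -Name $AdfsName -ReplicationScope 'Domain' -DynamicUpdate 'None'

# 2. A blank-name (zone apex, "@") A record: the zone itself answers for adfs.company.com.
Add-DnsServerResourceRecordA -ZoneName $AdfsName -Name '@' -IPv4Address $InternalIP `
    -TimeToLive (New-TimeSpan -Minutes 5)

# 3. From a domain-joined client, bypass the hosts file and cache and check the answer.
$answers = (Resolve-DnsName -Name $AdfsName -Type A -DnsOnly).IPAddress
if ($answers -contains $PublicIP) {
    Write-Warning "$AdfsName still resolves to the WAP ($PublicIP); WIA will not be offered."
} elseif ($answers -contains $InternalIP) {
    Write-Output "$AdfsName resolves to the internal ADFS farm ($InternalIP)."
} else {
    Write-Warning "$AdfsName resolved to an unexpected address: $($answers -join ', ')"
}

# 4. Confirm the farm answers on 443 and that this user's browser maps the name to the
#    intranet zone (value 1), since WIA is only attempted automatically for that zone.
Test-NetConnection -ComputerName $AdfsName -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\company.com\adfs'
if (Test-Path $zoneKey) { Get-ItemProperty -Path $zoneKey | Select-Object https }
```

Run steps 1 and 2 once on a DNS server holding the zone (the Domain replication scope pushes it to the other AD-integrated DNS servers), and steps 3 and 4 on a client in each site; if step 3 still shows the public address, the client is using a resolver outside the domain, which is the situation the thread describes.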
Hi Footech,

Thanks for the response,
At present the WAPs resolve the internal ADFS because we kept a hosts entry on each WAP pointing to the internal ADFS. So each WAP resolves the internal ADFS present at its site, and externally adfs.company.com is resolved through public DNS, where there is an A record for each WAP; whenever one WAP server fails, the DNS product diverts the traffic to the other WAP server at the other site.
Does this make things clear?
You mean you have multiple sites, and each site has a single ADFS (internal)?

Sounds like you've created an active/passive setup where each pair of WAP and ADFS is a separate route (and each pair is in a different site).  If the above is correct, would you require clients in one site to only communicate with the ADFS located in the same site?
Yes, you are correct footech, we have a single ADFS at each site with its respective WAP.
No, we don't have that criterion of a client in one site only communicating with the ADFS located at the same site.
All the traffic goes to the primary site, and if the primary fails it is diverted to the secondary site.
ASKER CERTIFIED SOLUTION
footech

No offense to Radhakrishnan, but his post is only questions and the link provided goes to a non-existent page (I have no idea what was there before), so it can't be considered as any sort of answer.

I recommend #a42224653 as the answer as it's completely viable (and fairly standard).
Hi Footech,

I have one more query regarding the question I put above. TMG has been used to date for publishing ADFS 2 and does provide Windows integrated authentication, and some articles say WAP is thought of as a partial replacement for TMG. If WAP is considered a replacement, then why aren't we able to publish ADFS through WAP and make use of integrated Windows authentication? Please clarify this if you can, or is it by design of WAP that we can't have WIA at all?

Thankyou,
Bikash
The WAP is specifically meant to present ADFS to the internet, and WIA isn't meant to be used over the internet. WIA is handled by the internal ADFS servers for clients connected to the same network (physically or via VPN).