ADFS SSO between internal domain and DMZ domain

  • Question

  • Hello!

    I'm a fairly new system administrator and am seeking best practice for the scenario that follows:

    We have two domains: ad.company.com and dmz.company.com

    dmz.company.com has a server, let's say host.dmz.company.com, that hosts multiple public websites and applications, and recently one of those applications needs to be used internally by the company. The URL to the portal is different from the one that's used publicly. Everything is on Windows Server and IIS.

    I need to develop SSO against our internal ad.company.com Active Directory so that internal users can use the application with minimum effort. What are the minimum requirements to do that using ADFS? The application runs in a browser.

    dmz.company.com is Windows Server 2012 R2, currently without ADFS, and ad.company.com is Windows Server 2016 with ADFS 4.0.

    I've been reading a bunch of articles about AD FS (TechNet and bloggers), but it feels kind of hard to grasp what the minimum requirements are to make this work, as I don't want to open the DMZ too much into the internal network.

    Edit: the app is claims-aware.

    Thank you!


    Sunday, October 7, 2018 8:52 AM

All replies

  • If the app is claims-aware, configure it to use your ADFS as an Identity Provider.

    ADFS should be installed on a member server of the domain where the users are (if the domains have a bi-directional AD trust, then it could be a member of either of the domains).

    Then create a relying party trust for your app in ADFS.

    Install a WAP server.

    Up to here, it's pretty straightforward (but please do tell us if you are stuck on one of these steps; we can help you out).

    Then comes the tricky part: the DNS resolution.

    Clients connected internally are using an internal DNS. Make sure the FQDN of your ADFS farm (let's say adfs.company.com; note that it has to be in a public namespace) resolves to the internal IP address of your ADFS server.

    Clients connected externally are using public DNS servers. Make sure the FQDN of your ADFS farm (the same name as internally, hence the requirement to belong to a public namespace) resolves to the public IP address of your WAP server.

    This is what we refer to in our docs as split-brain DNS (or split-horizon). It is explained here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_7

    The same DNS trick has to apply to your applications. Depending on the client's location, the DNS resolution will be different.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, October 9, 2018 1:35 PM
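The four steps in the reply above (federation server in the user domain, relying party trust, WAP in the DMZ, split-brain DNS), written out as PowerShell. This is an added example and not code from the original thread or from Microsoft's documentation. All names are assumptions chosen to match the question: the ADFS farm name adfs.company.com, an internal ADFS host at 10.0.0.5, a WAP host in the DMZ with public address 203.0.113.10, the portal published as portal.company.com with its backend on host.dmz.company.com, and certificate thumbprints and a group managed service account that you would substitute with your own. Each section is meant to run on the server named in its comment, not all on one box.

```powershell
#Requires -RunAsAdministrator
# ---- 1. Federation server: a member of ad.company.com (where the users are) ----
# Assumed values; replace with your own certificate thumbprint and gMSA.
$FsName      = 'adfs.company.com'          # public namespace, same name inside and outside
$FsCertThumb = '0123456789ABCDEF0123456789ABCDEF01234567'
$FsGmsa      = 'AD\svc-adfs$'

Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $FsCertThumb `
                 -FederationServiceName $FsName `
                 -FederationServiceDisplayName 'Company Login' `
                 -GroupServiceAccountIdentifier $FsGmsa

# ---- 2. Relying party trust for the claims-aware portal (run on the federation server) ----
# Assumed: the app speaks WS-Federation and expects a UPN plus a display name.
$PortalUrl = 'https://portal.company.com/'

# Claim rule language: pull UPN and displayName from AD for the authenticated account.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and display name from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";userPrincipalName,displayName;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name 'Company Portal' `
                          -Identifier $PortalUrl `
                          -WSFedEndpoint $PortalUrl `
                          -IssuanceTransformRules $IssuanceRules `
                          -AccessControlPolicyName 'Permit everyone'

# ---- 3. WAP: a server in the DMZ (workgroup or dmz.company.com member; no ADFS there) ----
# WAP only needs outbound TCP 443 to the federation server and to the backend app,
# so the DMZ is not opened towards the internal network beyond that one port.
$WapCertThumb = '76543210FEDCBA9876543210FEDCBA9876543210'   # assumed, for adfs.company.com
$AppCertThumb = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # assumed, for portal.company.com
$AdfsAdmin    = Get-Credential -Message 'Account that is a local admin on the ADFS server'

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName $FsName `
                            -FederationServiceTrustCredential $AdfsAdmin `
                            -CertificateThumbprint $WapCertThumb

# Publish the portal with ADFS pre-authentication, so unauthenticated traffic never
# reaches IIS on host.dmz.company.com. Internal and external URL are the same name here.
Add-WebApplicationProxyApplication -Name 'Company Portal' `
                                   -ExternalPreauthentication ADFS `
                                   -ExternalUrl $PortalUrl `
                                   -BackendServerUrl 'https://host.dmz.company.com/' `
                                   -ADFSRelyingPartyName 'Company Portal' `
                                   -ExternalCertificateThumbprint $AppCertThumb

# ---- 4. Split-brain DNS: internal DNS server for company.com ----
# Internal clients must resolve both names to internal addresses; public DNS (at the
# registrar, not shown) points the same names at the WAP's public IP 203.0.113.10.
# If company.com is not hosted internally, "pinpoint" zones for the two hostnames
# avoid copying the whole public zone inside.
foreach ($rec in @(
    @{ Name = 'adfs.company.com';   IPv4 = '10.0.0.5' },   # federation server (assumed)
    @{ Name = 'portal.company.com'; IPv4 = '10.0.0.20' }   # host.dmz.company.com, internal side (assumed)
)) {
    if (-not (Get-DnsServerZone -Name $rec.Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $rec.Name -ReplicationScope Forest
    }
    # Empty name = the zone apex, so the hostname itself resolves to the internal IP.
    Add-DnsServerResourceRecordA -ZoneName $rec.Name -Name '@' -IPv4Address $rec.IPv4
}

# ---- 5. Checks: run from an internal client, then from an external one ----
# The same name should give different answers depending on where you stand.
Resolve-DnsName adfs.company.com   | Select-Object Name, IPAddress
Resolve-DnsName portal.company.com | Select-Object Name, IPAddress
# The federation metadata must be reachable on 443 from both sides (via WAP externally).
Invoke-WebRequest "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing |
    Select-Object StatusCode
```

The relying party trust and the DNS records are the two places where mistakes usually surface: a trust whose identifier does not match what the app sends as its realm produces an ADFS "relying party not found" error, and a name that resolves to the WAP from inside sends internal users through the DMZ instead of straight to the federation server, which also defeats integrated Windows authentication in the browser.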