Multiple ADFS 3.0 Farms in Single Domain

  • Question

  • Can anyone expand more on what it takes to add an additional ADFS 3.0 farm to the same domain, without harming the existing farm?

    The reason for two separate farms would be to have separate WIASupportedUserAgents settings in each farm: one supporting external clients with a limited number of browser user-agent entries, and the other supporting internal clients with many browser user agents, to efficiently allow SSO on internal company-owned devices while simultaneously providing forms-based, non-SSO authentication for BYOD on the external-facing network.

    Ideally, both farms would share the same FQDN and DNS would resolve the IP differently for external vs internal clients (split-domain DNS). 

    Needing two farms assumes that all servers in the farm share the WIASupportedUserAgents setting and therefore individual farm server nodes cannot have a unique setting.

    Thanks!

    Tuesday, January 24, 2017 1:43 PM

Answers

  • It's no problem to have additional ADFS services within the same domain, but I'm a bit uncertain regarding the same FQDN etc. My first thought is that I would not recommend a setup like that.

    Why don't you instead allow many WIASupportedUserAgents on your service and then use other claims or force another authentication policy when users connect from outside your corporate network?
    I do not see any reason to have dual federation services for your purpose.

    Tuesday, January 24, 2017 4:39 PM

All replies

  • A good suggestion, thanks for the reply! I will need to look into what it takes to force another authentication policy for users accessing ADFS over the internet. I don't wish to have a second farm, but presently it's the only theory for allowing Chrome, Firefox, IE and Edge to use SSO internally, while not impacting external users on BYOD PCs or mobile devices, on which SSO would fail. When SSO fails on ADFS 3.0, it reverts to the HTTP authentication popup box instead of the forms-based authentication screen, which is problematic, especially on mobile devices. Thanks again!
    Tuesday, January 24, 2017 5:46 PM
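The single-farm approach suggested in the answer (a broad WIA user-agent list plus a different authentication policy for extranet requests), together with the follow-up's complaint about the HTTP authentication prompt, can be configured with the AD FS 3.0 PowerShell cmdlets. The following is an added example written for this page, not code posted by either participant. WIASupportedUserAgents is a farm-wide property (stored in the configuration database, so it cannot differ per node, as the question assumed); the user-agent substrings below are assumptions for illustration and must be tuned to the browsers actually in use.

```powershell
# Added example (not from the forum thread): one AD FS 3.0 farm, broad WIA user-agent
# list for intranet SSO, forms-based authentication forced for extranet requests.
# Run on a federation server (Windows Server 2012 R2) as a farm administrator.
Import-Module ADFS

# Farm-wide setting shared by every node. Matching is a substring match against the
# browser's User-Agent header. The values are assumptions for illustration; Chrome
# and Firefox additionally need the STS in the intranet zone / trusted-uris on the client.
$wiaUserAgents = @(
    'MSAuthHost/1.0/In-Domain',
    'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0',
    'Trident/7.0',                        # Internet Explorer 11
    'Edge/',                              # Edge (EdgeHTML)
    'Chrome/',                            # Chrome (assumed entry)
    'Firefox/',                           # Firefox (assumed entry)
    'MSIPC',
    'Windows Rights Management Client'
)
Set-AdfsProperties -WIASupportedUserAgents $wiaUserAgents

# Global authentication policy: WIA for intranet requests, forms for extranet requests.
# AD FS classifies a request as extranet when it arrives through the Web Application
# Proxy, so with split DNS the external IP must point at the WAP, not at a farm node.
# WindowsIntegratedFallbackEnabled makes a client whose User-Agent is not in the WIA
# list fall back to the forms page instead of the HTTP authentication prompt.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication' `
    -PrimaryExtranetAuthenticationProvider 'FormsAuthentication' `
    -WindowsIntegratedFallbackEnabled $true

# Read back and verify the farm state after the change.
$props  = Get-AdfsProperties
$policy = Get-AdfsGlobalAuthenticationPolicy
'WIA user agents:'
$props.WIASupportedUserAgents
'Intranet provider: ' + ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
'Extranet provider: ' + ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
'WIA fallback to forms: ' + $policy.WindowsIntegratedFallbackEnabled
```

The important check after applying this is where external traffic actually lands: if split DNS resolves the federation service name directly to a farm node from the internet, AD FS will treat those requests as intranet and apply the WindowsAuthentication provider, which is exactly the prompt behaviour the follow-up describes. Routing external clients through the Web Application Proxy is what makes the extranet policy take effect.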