Is ADFS and Azure Traffic Manager a supported scenario (DNS CNAME)?

  • Question

  • Hello everybody,

    we're planning a global AD FS implementation in different continents at one of our customers. There will be an ADFS Server in the US, another one in Europe and at least one in China. We will use one central DNS name for accessing the ADFS Farm "logon.<customer>.com". The AD FS servers will be in a farm configuration using a Windows Internal Database (WID).

    Now we want to load balance the client access to the AD FS farm. Is it possible to use "Azure Traffic Manager" for load balancing the client access to the AD FS farm? "Azure Traffic Manager" is using a DNS CNAME entry. There is a KB article that states that DNS CNAMEs are not supported for the AD FS farm access.

    -------------

    • Problem: "Domain Name System (DNS) resolution of the AD FS service endpoint was performed through CNAME record lookup instead of through an A record lookup."
    • Solution by MS: "Use DNS management tools to replace each DNS Alias (CNAME) record that's used for the federation service with a DNS address (A) Record"
    • Link: https://support.microsoft.com/en-us/kb/2461628

    -------------

    But we found other Blog Posts and forum threads where Azure Traffic Manager was used together with AD FS.

    Is this a supported scenario by Microsoft?

    Thanks in advance,
    Phil

    Tuesday, May 10, 2016 10:26 AM

Answers

  • AD FS is commonly deployed with a DNS split brain approach. Traffic Manager is only active on the external side.

    Using CNAME records for your internal facing DNS record is a big NO NO as it doesn't play nice with Kerberos.

    On the external side (public IP, Internet) Kerberos is not in play and you can use a CNAME record with no problems whatsoever.


    http://setspn.blogspot.com

    • Marked as answer by foxyphil Tuesday, February 28, 2017 7:55 AM
    Monday, February 27, 2017 6:50 PM
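    The KB quoted in the question (CNAME lookup of the service endpoint must become an A record) and the split-brain design in the answer above (A record internally, CNAME to Traffic Manager only on the public side) can be verified with one script. The PowerShell below is an added example, not code from the thread or from any of the linked posts; the federation service name, the internal DNS server address and the public resolver are placeholders you substitute for your own, and the `trafficmanager.net` suffix check assumes a standard Traffic Manager profile name.

    ```powershell
    # Added example (not from this thread). Resolves the AD FS federation service name
    # from an internal and an external resolver and reports whether each path is an
    # alias (CNAME) or an address (A) record.
    param(
        [string]$FederationServiceName = 'logon.customer.example',  # placeholder for logon.<customer>.com
        [string]$InternalDnsServer     = '10.0.0.10',               # placeholder: internal AD-integrated DNS
        [string]$ExternalDnsServer     = '8.8.8.8'                  # any public resolver, for the Internet view
    )

    function Get-FederationNameResolution {
        param([string]$Name, [string]$Server)
        # -DnsOnly skips the hosts file and NetBIOS so we see what the resolver really returns.
        # Asking for type A still returns the CNAME chain when the name is an alias.
        $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        [pscustomobject]@{
            Server    = $Server
            IsAlias   = [bool]($records | Where-Object Type -eq 'CNAME')
            Targets   = @($records | Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost)
            Addresses = @($records | Where-Object Type -eq 'A'     | Select-Object -ExpandProperty IPAddress)
        }
    }

    $internal = Get-FederationNameResolution -Name $FederationServiceName -Server $InternalDnsServer
    $external = Get-FederationNameResolution -Name $FederationServiceName -Server $ExternalDnsServer

    # Internal side: Kerberos is in play, so the KB rule applies and a CNAME is a finding.
    if ($internal.IsAlias) {
        Write-Warning ("Internal DNS resolves {0} through CNAME -> {1}; KB2461628 requires an A record here." -f `
            $FederationServiceName, ($internal.Targets -join ', '))
    } else {
        Write-Host ("Internal DNS: A record(s) {0} - as required" -f ($internal.Addresses -join ', '))
    }

    # External side: no Kerberos, so a CNAME to the Traffic Manager profile is the expected shape.
    if ($external.IsAlias -and ($external.Targets -match '\.trafficmanager\.net$')) {
        Write-Host ("External DNS: CNAME to Traffic Manager ({0}) - expected on the public side" -f ($external.Targets -join ', '))
    } else {
        Write-Host ("External DNS resolves to {0}" -f (($external.Targets + $external.Addresses) -join ', '))
    }
    ```

    Run it from a domain-joined machine that can reach both resolvers; a warning on the internal path means clients inside the network are hitting the exact condition the KB describes, while a Traffic Manager CNAME on the external path is consistent with the design in the answer.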
    • http://www.michev.info/Blog/Post/38/Why-you-should-not-use-CNAME-record-for-your-Azure-hosted-AD-FS-servers
    • https://blogs.technet.microsoft.com/abizerh/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs/
    • https://blogs.technet.microsoft.com/rmilne/2014/04/28/how-to-install-adfs-2012-r2-for-office-365/
    • https://blogs.technet.microsoft.com/askpfeplat/2014/11/23/adfs-deep-dive-planning-and-design-considerations/
    • http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-kb911149-and-kb908209-are-not-the-soluton.aspx

    TL;DR, unsupported to use a CNAME and it can cause Kerberos problems.


    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Friday, May 13, 2016 2:07 AM
  • This article from MS recommends Azure Traffic Manager and subsequent CNAME for the federation service URL.

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-adfs-in-azure-with-azure-traffic-manager

    Have CNAMEs now come into support?

    • Marked as answer by foxyphil Tuesday, February 28, 2017 7:55 AM
    Tuesday, February 14, 2017 11:53 AM

All replies

  • I am also very interested in an official support statement from Microsoft on this topic. I have AD FS configured and working very well with Traffic Manager for authentication to Office 365 and I believe this is a really good and cost effective solution if it is supported.

    I have been very hesitant to implement this scenario in a production environment due to the statement in the article you referenced. I am not sure if this may cause issues for other workloads or authentication methods that I am not testing. The referenced article does not provide any detail as to why AD FS fails with CNAME records, so I would like to see an explanation for exactly what fails (and why) if the AD FS name is resolved through a CNAME record. As long as the certificate matches the name being resolved, it seems that this should work.

    Thanks!!

    Eddy

    Friday, May 13, 2016 12:37 AM