ADFS and WAP - WAP redirects to internal ADFS url

  • Question

  • Hi all,

    we are introducing ADFS in our company in order to allow external users to access our tools with their accounts.

    These external users don't have access to our internal network, and for that reason we created the following environment in our lab (still testing at the moment):

    - 1 WAP server

    - 1 ADFS server

    The ADFS server is up and running and is accepting requests from federated domains in our internal network.

    WAP has been linked to ADFS and we configured on it a claim aware test app.

    Connecting to the app from our internal network works fine, but we are experiencing problems connecting from the internet,

    because when we access the application we are redirected to the ADFS internal url, which is not reachable from the internet.

    As far as I understood, WAP has been built to allow people outside the office network to log in to tools inside the office network, so I'm sure I'm doing something wrong.

    Could you help me to look in the right direction?

    Many thanks.

    Friday, April 12, 2019 1:14 PM

Answers

  • Hello Marco,

    Your adfs service name should be unique across internal and external, for example adfs.domainname.com, and you should have an ssl certificate attached to this service name/domain name.

    That 5-c configuration is correct. You are getting redirected to the adfs internal IP because you are accessing it from within your intranet. Does your https://webserv1.contoso.com/claimapp have an external IP? If not, try this.

    From external, go to https://youradfs.domainname.com/adfs/ls/idpinitiatedSignOn.apsx, from the drop-down menu select the application, and you should be able to access it that way.

    If you want, you can bypass internal by changing your workstation hosts file, adding the external IP for adfs.domainname.com.



    Isaac Oben MCITP:EA, MCSE, MCC

    Wednesday, April 17, 2019 6:14 PM

All replies

  • Hello.

    How are you connecting from the internet? Make sure your adfs service name has a public endpoint and is reachable from the internet. Make sure you can resolve your service name, for example adfs.domain.com, from the internet. When you navigate to https://youradfs.domainname.com/adfs/ls/idpinitiatedSignOn.apsx, what do you see? You should be able to get a login prompt.


    Isaac Oben MCITP:EA, MCSE, MCC

    Tuesday, April 16, 2019 5:18 AM
  • Hi Isaac,

    https://youradfs.domainname.com/adfs/ls/idpinitiatedSignOn.apsx works fine and I'm able to authenticate from the internal network.

    "youradfs.domainname.com" is pointing to an internal IP.

    Based on what you told me, I understand I need to create a public endpoint for my ADFS server and allow http/https connections to it, which makes sense if we want to give access externally.

    But now my point is: if I need to publish my ADFS server, what's the WAP server needed for?

    I thought the WAP server was needed to protect the ADFS server from being publicly reachable from the internet, but by creating a public endpoint for the ADFS we'll publish ADFS as well, won't we?

    Thank you,

    Marco.


    Wednesday, April 17, 2019 7:42 AM
  • Hello,

    Yes, by design external access to ADFS will only occur through WAP. So you will need to NAT your public endpoint to port 443 on the WAP server.

    The backend ADFS will not be published over the internet. To access ADFS-related resources from the internet, a WAP is needed.

    Hope that helps,


    Isaac Oben MCITP:EA, MCSE, MCC

    Wednesday, April 17, 2019 3:51 PM
    Do you have a split dns for your zone?

    youradfs.domain.com from the internet should point to the wap / fw with whatever nat is in place.

    youradfs.domain.com from internal should point to your adfs server's internal ip.



    Please remember to mark the replies as answers if they helped.


    Edited by Proed, Wednesday, April 17, 2019 4:08 PM

    Wednesday, April 17, 2019 4:08 PM
  • Hi Isaac,

    we already have a WAP server reachable from the internet with a nat to its internal ip.

    Let me explain what I mean with an example:

    I followed this lab how-to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/set-up-an-ad-fs-lab-environment#BKMK_9

    At point 5-c of "Configure the simple claims app in IIS"

    it says to point the app to the adfs metadata.

    I did so, but by doing that, when I access the test application I'm redirected to the adfs internal ip.

    Should I point the app to the WAP? How can I do that if, as far as I understood, the WAP doesn't have a metadata file?

    Thank you,

    Marco.

    Wednesday, April 17, 2019 5:52 PM
    I'm actually working in a test lab using the hosts file to point to internal and external ips.

    Actually adfs is only reachable by example.internal.com

    And WAP is only reachable by example.public.com

    Your point is a good one, but I think the error I'm facing doesn't depend on dns resolution: I think I'm missing something about how to use adfs and wap.

    Wednesday, April 17, 2019 5:54 PM
  • Hi Isaac,

    ok, I'll try with the external ip. That makes sense from a network point of view.

    But then, if we are going to have an adfs reachable by a public name, what's the scope of having a WAP server?

    I thought the WAP server was needed to protect the ADFS server from being publicly reachable from the internet.

    Thank you,

    Marco.

    Friday, April 19, 2019 10:45 AM
    Same FQDN doesn't mean same server.

    You will have a split-brain DNS. Internet requests for your FQDN will end up on the WAP, internal requests on your ADFS server: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-requirements#BKMK_7

    And there is nothing to publish on the WAP for the ADFS URL. It works as-is.



    Friday, April 19, 2019 5:21 PM
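The split-brain layout the answer above describes can be checked from a script rather than by eye. The following is an added example, not code from the thread or from Microsoft; the service name is the one used in the thread, while the DNS server, WAP and ADFS addresses are constructed placeholders to replace with your own.

```powershell
# Added example, not code from the thread. Checks the split-brain DNS layout
# described above: the same ADFS service name must resolve to the WAP from the
# internet and to the ADFS server from the LAN. All addresses are constructed.
$ServiceName  = 'adfs.domainname.com'   # service name used in the thread
$InternalDns  = '10.0.0.10'             # assumed internal DNS server
$PublicDns    = '8.8.8.8'               # any public resolver
$WapPublicIp  = '203.0.113.10'          # assumed public NAT address of the WAP
$AdfsInternal = '10.0.0.20'             # assumed internal ADFS server address

function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        @(Resolve-DnsName -Name $Name -Server $Server -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

$fromInside  = Get-ARecords -Name $ServiceName -Server $InternalDns
$fromOutside = Get-ARecords -Name $ServiceName -Server $PublicDns
"Internal view : $($fromInside -join ', ')"
"Public view   : $($fromOutside -join ', ')"
# Internal clients should reach the ADFS farm directly, not go out via the WAP.
if ($fromInside -notcontains $AdfsInternal) {
    Write-Warning "Internal zone does not point $ServiceName at the ADFS server."
}
# Internet clients must only ever see the WAP; a private address in the public
# zone is a misconfiguration and also leaks the LAN layout.
if ($fromOutside -notcontains $WapPublicIp) {
    Write-Warning "Public zone does not point $ServiceName at the WAP."
}
if ($fromOutside | Where-Object { $_ -like '10.*' -or $_ -like '192.168.*' }) {
    Write-Warning "Public zone returns a private address for $ServiceName."
}
# The certificate presented on 443 must carry the shared service name, or the
# redirect from the claims app fails with a name mismatch on one side.
$tcp = [System.Net.Sockets.TcpClient]::new($ServiceName, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($ServiceName)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
if ($cert.DnsNameList.Unicode -notcontains $ServiceName) {
    Write-Warning "Certificate '$($cert.Subject)' does not cover $ServiceName."
}
# The federation metadata the claims app was pointed at should be served on
# whichever path you are on (WAP from outside, ADFS from inside).
$metadata = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadata -UseBasicParsing -ErrorAction Stop
if ($resp.Content -match 'entityID="([^"]+)"') { "entityID: $($Matches[1])" }
```

Run it once from a LAN workstation and once from a host outside the network; both runs should finish without warnings and report the same entityID.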
  • I confirm I was able to resolve by using the same dns for WAP and ADFS.

    I missed this step in the documentation.

    Thank you for your help,

    Marco.

    Tuesday, April 23, 2019 3:42 PM