GET-ADFS Properties related question

  • Question

  • The command Get-AdfsProperties only runs on the primary server. My question is: what should the output of the HostName and Identifier properties be? I intend to first try it on the primary server, then make the secondary server the primary and try it out on that. My assumption is that these two properties should show local server info.

    Friday, June 21, 2019 3:25 PM

Answers

  • Then you called your farm with the FQDN of your server.

    This isn't good. This breaks SSO, as it will create a duplicate SPN.

    The name of your server must be different from the name of your ADFS farm.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 21, 2019 3:49 PM

All replies

  • HostName should be the FQDN of the farm (not the server).

    Identifier is the default unique identifier of your farm. It has a URI format, something like: http://adfs.contoso.com/adfs/services/trust. Note that this is neither an endpoint nor a URL. Your ADFS farm is not reachable on this. This is just an identifier, so no worry if you don't see https; it is not an issue.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 21, 2019 3:33 PM
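    The two points made above (HostName must be the farm FQDN, not the server name, and a farm named after a server creates a duplicate HOST SPN that breaks Kerberos SSO) can be checked from the primary server. The following script is an added example, not code posted in this thread or shipped by Microsoft; it assumes it runs on the primary ADFS server with the ADFS PowerShell module available and with rights to run setspn.exe. The farm name, identifier and service account it prints come from the live system, not from constructed values.

```powershell
# Added example (not from the thread): compare the ADFS farm name with the
# local server's name, and check how many accounts hold the farm's HOST SPN.
# Assumptions: primary ADFS server, ADFS module installed, setspn.exe on PATH.
Import-Module ADFS

$props      = Get-AdfsProperties          # only works on the primary server
$farmName   = $props.HostName              # should be the farm FQDN (e.g. adfs.contoso.com)
$identifier = $props.Identifier            # just a URI-shaped string, not a reachable URL
$localFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName

"Farm HostName   : $farmName"
"Farm Identifier : $identifier"
"Local FQDN      : $localFqdn"
"Service account : $svcAccount"

# Check 1: the farm name must not be this server's host name or FQDN.
if ($farmName -ieq $localFqdn -or $farmName -ieq $env:COMPUTERNAME) {
    Write-Warning ("Farm HostName '$farmName' equals this server's name. " +
                   "HOST/$farmName collides with the computer account's own SPN, " +
                   "so Kerberos tickets for the farm will fail (SSO breaks).")
} else {
    "OK: farm name differs from this server's name."
}

# Check 2: HOST/<farm FQDN> should be registered exactly once, on the ADFS
# service account. setspn -F -Q searches the whole forest and prints the
# distinguished name (CN=...) of every account that holds the SPN.
$spn    = "HOST/$farmName"
$output = & setspn.exe -F -Q $spn
$output
$owners = @($output | Where-Object { $_ -match '^CN=' })

switch ($owners.Count) {
    0       { Write-Warning "$spn is not registered on any account; the ADFS service account may be missing its SPN." }
    1       { "OK: $spn is registered once, on: $($owners[0])" }
    default { Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN): $($owners -join '; ')" }
}
```

    If check 1 fires, the fix is the one given in the accepted answer: the farm must carry its own name (with a matching DNS record and certificate), distinct from every server in it; `setspn -X` can additionally list all duplicate SPNs in the domain once the farm has been renamed.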
  • Thanks a lot for the reply. What is puzzling here is this:

    server 1: https://SERVER1/adfs/ls/idpinitiatedsignon.aspx (secondary server)

    server 2: https://SERVER2/adfs/ls/idpinitiatedsignon.aspx (primary server)

    We see the HostName value as SERVER1 with the Get-AdfsProperties command on the primary server.

    Also, as I mentioned in my original post, the issue does not happen when we manually use the "sign in to one of the following sites" option. It only happens if we use the "Sign on to this site" option.

    Friday, June 21, 2019 3:40 PM
  • Thanks again for the valuable tip.
    Friday, June 21, 2019 3:57 PM