ADFS Cert for Multiple Domains

  • Question

  • We have an external domain for email, web, etc. named domainA.com.  We have a different internal domain for Active Directory named DomainB.city.  How do I get an SSL cert for ADFS for both the internal and external domains?

    Rob Nunley

    Thursday, September 20, 2018 9:33 PM

Answers

  • You don't need this.

    There is only 1 URL for your ADFS farm, and as soon as you want external clients to connect to it, it has to be a public name. So you get a cert for adfs.domainA.com or with a SAN for that namespace (that can also be a wildcard SAN), then you create a split-brain DNS in your environment to make sure that your internal clients resolve adfs.domainA.com to the local IP address of your ADFS farm, and you configure your external DNS to have external clients resolving the same name to the public IP address of your WAP server farm (ADFS proxies).

    This is listed here under the network requirements section:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements  


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Jorrk Friday, September 21, 2018 8:36 AM
    • Marked as answer by rnunley Monday, September 24, 2018 10:53 PM
    Thursday, September 20, 2018 9:56 PM
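The design in the accepted answer, as an added example (not code from the thread or from Microsoft's documentation): a small checker that takes the single federation service name, the certificate's SAN list, and the answers your internal and external resolvers return, and reports anything that departs from "one public name, cert covering it, split-brain DNS". The hostnames and addresses are constructed samples; the "public" address is from a documentation range.

```python
import ipaddress

# RFC 1918 space: where "the local IP address of your ADFS farm" should fall.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only
    that covers exactly one label (*.domainA.com covers adfs.domainA.com but
    neither sts.adfs.domainA.com nor domainA.com itself)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    s_labels, h_labels = san.split("."), host.split(".")
    return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_adfs_naming(service_name, cert_sans, internal_answers, external_answers):
    """Return findings; an empty list means the setup matches the single-public-name design."""
    findings = []
    if not any(san_matches(s, service_name) for s in cert_sans):
        findings.append(f"certificate SANs {cert_sans} do not cover {service_name}")
    if not internal_answers or not external_answers:
        findings.append(f"{service_name} must resolve in BOTH internal and external DNS")
    for ip in internal_answers:
        if not is_rfc1918(ip):
            findings.append(f"internal DNS hands clients the public address {ip}; "
                            "they will hit the WAP proxies instead of the farm")
    for ip in external_answers:
        if is_rfc1918(ip):
            findings.append(f"external DNS publishes private address {ip} (leak, and unreachable)")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the thread: one public name, wildcard SAN, split-brain DNS.
    sans = ["*.domainA.com", "domainA.com"]
    print(check_adfs_naming("adfs.domainA.com", sans, ["10.1.2.3"], ["203.0.113.10"]))
    # Failure mode the question was heading toward: a cert issued only for the internal AD name.
    print(check_adfs_naming("adfs.domainA.com", ["adfs.DomainB.city"], ["10.1.2.3"], ["203.0.113.10"]))
```

Feed the function the output of `nslookup adfs.domainA.com` from an internal host and from outside, plus the SAN list from the certificate (for example via the Windows certificate MMC) to verify a real deployment.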

All replies

  • Thanks!

    Rob Nunley

    Monday, September 24, 2018 10:53 PM