This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ADFS Cert for Mulitple Domains

Question
0

Sign in to vote

We have an external domain for email, web, etc named domainA.com. We have a different internal domain for Active Directory named DomainB.city. How do I get a SSL cert for ADFS for both the internal and external doamins?

Rob Nunley

Thursday, September 20, 2018 9:33 PM

Answers

0

Sign in to vote
You don't need this.

There is only 1 URL for your ADFS farm and as soon as you want external clients to connect to it, it has to be a public name. So you get a cert for adfs.domainA.com or with a SAN for that namespace (that can also be a wildcard SAN), then you create a split brain DNS in your environment to make sure that your internal clients resolve adfs.domainA.com to the local IP address of your ADFS farm and you configure your external DNS to have external client resolving the same name to the public IP address of your WAP server farms (ADFS proxies).

This is listed here under network requirements section:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Jorrk Friday, September 21, 2018 8:36 AM
- Marked as answer by rnunley Monday, September 24, 2018 10:53 PM
Thursday, September 20, 2018 9:56 PM

All replies

0

Sign in to vote
You don't need this.

There is only 1 URL for your ADFS farm and as soon as you want external clients to connect to it, it has to be a public name. So you get a cert for adfs.domainA.com or with a SAN for that namespace (that can also be a wildcard SAN), then you create a split brain DNS in your environment to make sure that your internal clients resolve adfs.domainA.com to the local IP address of your ADFS farm and you configure your external DNS to have external client resolving the same name to the public IP address of your WAP server farms (ADFS proxies).

This is listed here under network requirements section:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Jorrk Friday, September 21, 2018 8:36 AM
- Marked as answer by rnunley Monday, September 24, 2018 10:53 PM
Thursday, September 20, 2018 9:56 PM
0

Sign in to vote

Thanks!
Rob Nunley

Monday, September 24, 2018 10:53 PM