Publish multiple ADFS as application on Web Application Proxy

  • Question

  • Hello,

    Has anyone tried to publish two ADFS servers (from different AD DS forests) on one Web Application Proxy?

    I know a web proxy can be connected to just one ADFS farm, but I want to publish the second one as a published application. There's no issue when doing that, but once I try to access a SharePoint that is authenticated on the second ADFS, I just get a blank page from it.

    Tuesday, April 4, 2017 8:27 AM

Answers

  • WAP servers do not need to be domain joined.

    One WAP server can report ONLY to one ADFS farm. The ADFS farm can have several nodes, but only one farm.

    And it's not even a question of whether it is supported or not. It is technically not possible. When you install the WAP you have to configure which ADFS farm it belongs to.

    Now if you have another ADFS farm, you can "technically" publish the URL of a service which is in fact "proxied" by another WAP. But that's theory stuff and highly impractical.

    So let's say you have 2 ADFS farms, FarmA and FarmB. If you install a WAP server, you will have to tell it during the installation process which farm it belongs to, let's say FarmA. Then you can publish FarmB through the WAP of FarmA. BUT IT WILL NOT SERVE AS A WAP. It will not be a proper ADFS proxy but just a classic web proxy. And users connecting to FarmB through the WAP of FarmA will be seen as internal users by the ADFS nodes of FarmB. So it is kind of useless for authentication policy and security enhancements such as Extranet Lockout Policy, since those work only when the ADFS nodes are aware that the user is coming from a WAP server.

    Hope this helps.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 4, 2017 5:33 PM
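To make the answer above concrete, here is an added PowerShell example that is not part of the thread and not Microsoft's documentation: it shows that Install-WebApplicationProxy binds the proxy to exactly one federation service, that a second farm can only be added afterwards with Add-WebApplicationProxyApplication as a pass-through application (no ADFS pre-authentication), how to verify the pass-through actually returns FarmB's federation metadata rather than a blank page, and how to read FarmB's extranet lockout settings, which will not apply to traffic that reaches FarmB through FarmA's WAP. Host names follow the thread (adfs.contoso.com as FarmA, adfs.fabrikam.com as FarmB); the certificate thumbprints, the credential prompt and the application name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: certificate thumbprints,
# credentials and application name. Run steps 1-2 on the WAP server, step 4
# on a FarmB AD FS node.

# 1. A WAP is joined to exactly one federation service at install time.
#    There is no parameter for a second farm.
$trustCred = Get-Credential -Message 'FarmA AD FS administrator (used once to create the proxy trust)'
Install-WebApplicationProxy `
    -FederationServiceName            'adfs.contoso.com' `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint            '0000000000000000000000000000000000000000'   # placeholder: adfs.contoso.com cert in LocalMachine\My

# Show which farm this proxy reports to.
(Get-WebApplicationProxyConfiguration).ADFSUrl

# 2. FarmB can only be published as an ordinary pass-through application.
#    With -ExternalPreauthentication PassThrough the WAP forwards the request
#    to the backend without authenticating the user itself.
Add-WebApplicationProxyApplication `
    -Name                          'FarmB federation service (pass-through)' `
    -ExternalPreauthentication     PassThrough `
    -ExternalUrl                   'https://adfs.fabrikam.com/' `
    -BackendServerUrl              'https://adfs.fabrikam.com/' `
    -ExternalCertificateThumbprint '1111111111111111111111111111111111111111'   # placeholder: adfs.fabrikam.com cert on the WAP

# List what is published; only the PassThrough entry exists for FarmB.
Get-WebApplicationProxyApplication | Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl

# 3. From the outside: does the pass-through return FarmB's metadata, or an
#    empty body (the "blank page" symptom)? The metadata endpoint is always
#    enabled on AD FS, so it is a safe check.
$metadataUrl = 'https://adfs.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -eq 200 -and $resp.Content -match 'entityID="http://adfs.fabrikam.com/adfs/services/trust"') {
    'Pass-through to FarmB works at the HTTP level'
} else {
    "Unexpected reply: status $($resp.StatusCode), $($resp.Content.Length) bytes"
}

# 4. On a FarmB AD FS node: extranet lockout only evaluates requests that the
#    node recognises as coming through one of its own WAPs (the x-ms-proxy
#    request claim). Requests relayed by FarmA's WAP arrive as internal
#    traffic, so these settings never apply to them.
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Step 3 is the quickest way to separate a routing problem from a federation problem: a 200 with FarmB's entityID means the WAP is relaying correctly and the blank page comes from the sign-in flow itself, which, as the answer explains, is no longer a WAP-mediated flow for FarmB.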

All replies

  • A WAP server can connect to only one ADFS farm. This farm can be composed of several ADFS servers (which are all in the same domain). What config do you have?

    Tuesday, April 4, 2017 7:10 PM
  • I have 2 farms:

    - One is highly available: adfs.contoso.com  (2 adfs servers <-> 2 proxies - all with NLB)

    - second is a single server: adfs.fabrikam.com (1 adfs server <-> 1 proxy) 

    I wanted to migrate applications from second farm to the HA.

    Apps published on the HA farm:

    - sharepoint.contoso.com

    - adfs.contoso.com (when configuring CRM IFD, it's suggested to publish ADFS also on the proxy)

    - adfs.fabrikam.com (from a different active directory forest -> doesn't work) - connection/routing/etc is OK

    Maybe it will start to work when I disconnect the single proxy connected to adfs server? 

    Thursday, April 6, 2017 7:52 AM
  • Anyone? I can provide more info if needed
    Monday, April 10, 2017 10:49 AM
  • "adfs.contoso.com (when configuring CRM IFD, it's suggested to publish ADFS also on the proxy)" this is incorrect, can you point me to the documentation you used?

    What is the experience and what error messages do you get when you say it does not work? You cannot display the page? You have an authentication error?

    Wednesday, April 26, 2017 2:27 PM
  • Hi Pierre, Please can you confirm that there is no supported configuration for multiple ADFS farms in different domains to utilise a single WAP farm that is not domain joined in a DMZ? Thanks
    Wednesday, August 2, 2017 11:23 AM