ADFS Same FQDN and Service Name

  • Question

  • We have an on-prem ADFS server and we are thinking of deploying WAP in the on-prem environment so external users can access our O365 services.

    During the ADFS server deployment we kept the FQDN and federation service name the same.

    So I want to confirm: for the WAP deployment, is it necessary to have a different FQDN and service name?

    Or, for publishing the current ADFS server, is it necessary to have a different FQDN and service name?


    Thursday, June 28, 2018 10:53 PM

All replies

  • Hello,

    You can't have a different service name; the WAP server configuration will have to use the same ADFS service name and SSL certificate, for example adfs.company.com. Keep in mind that your service name must be publicly accessible with a valid SSL certificate if you want external users to access it. The SSL service communication certificate on the WAP and backend ADFS servers must be using the same service name for a trust to be established.

    Hope this helps.


    Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)

    Saturday, June 30, 2018 10:58 PM
  • I do understand that while deploying WAP we have to use the same service name.

    But my question is different.

    What I want to know is this: our ADFS server is configured in a way that its FQDN and service name are both the same. Right now we are thinking of deploying a WAP server in our environment.

    So I want to know: is it necessary to have a different FQDN and service name on the ADFS server for deploying WAP, or can we still deploy WAP with our current ADFS server configuration (same FQDN and service name)?

    Monday, July 2, 2018 11:38 AM
  • If you have deployed the internal federation service with the same FQDN and service name you have done it wrong! That might cause some issues due to duplicate/same SPNs etc.

    The FQDN of the ADFS servers should be one thing and the name of the federation service itself another name.

    However, as Isaac said, the WAP is only kind of a "dummy" server and you will not configure any FQDN on the WAP since it's an external (DMZ) server that will remain in a local workgroup.
    In the wizard for configuring WAP you need to type the name of the federation service so the WAP will be able to talk over port 443 against that name back to the internal ADFS servers.

    So just make sure your WAP server is able to talk over 443 and perhaps 49443 to your internal ADFS servers.

    Monday, July 2, 2018 11:54 AM
  • Hello, are you saying that your AD FS server name is the same as your Federation Service name and you didn't get any SPN errors?

    Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)

    Tuesday, July 3, 2018 6:11 AM
  • Isaac, yeah, we have the AD FS server name and service name the same and we didn't get any SPN error.

    Just need to confirm: can we deploy WAP using the same ADFS server, or for WAP is it necessary to have a different ADFS server name and service name?

    Tuesday, July 3, 2018 11:42 AM
  • So it means we don't need to worry about the current ADFS server; WAP will work with the ADFS server although it has the same FQDN and service name?
    Tuesday, July 3, 2018 11:45 AM
  • Hello,

    In all my years as a consultant working with ADFS, I have not seen a situation where the server (ADFS host) name is the same as the service name. This can result in many issues down the road if you decide to add another server to the farm; it might result in DNS resolution issues, as the A record for the internal service name will also be that of a host server.

    My recommendation is for you to go ahead and correct that now by changing your service name so it is not the same as the ADFS OS machine name.

    And because of the way WAP works, you can't use a different service name from the backend ADFS.

    Hope that helps,

    Regards,


    Isaac Oben MCITP:EA, MCSE, MCC (View my MCP Certifications: https://www.mcpvirtualbusinesscard.com/VBCServer/4a046848-4b33-4a28-b254-e5b01e29693e/interactivecard)


    • Edited by Isaac Oben Tuesday, July 3, 2018 9:45 PM
    Tuesday, July 3, 2018 9:43 PM
  • Just don't use the same name for your farm as you do for the ADFS server.

    This breaks Kerberos; this is not tested and validated by Microsoft. You are shooting yourself in the foot with this one. Even if things seem to work now, there is no guarantee that it actually does in all scenarios, nor that it will continue to work in the future.

    Add an additional node to your farm (if that works) and get rid of the node having the same name as the farm.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, July 4, 2018 1:19 PM
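As an added check written for this thread (not code from any of its posters), the following PowerShell, run on an internal AD FS server, reports whether the federation service name equals the host FQDN, which account holds the HOST SPN for that name, how the name resolves in DNS, and which SSL binding names a WAP will have to match; the final function is meant to be run from the WAP itself. It assumes the ADFS, DnsClient and NetTCPIP modules are available and uses adfs.company.com from Isaac's reply only as a placeholder.

```powershell
# Added example; not code from the thread. Run elevated on an internal AD FS
# server. It checks the points raised in the replies above: service name vs.
# host FQDN, HOST SPN owner, DNS for the service name, and SSL binding names.
Import-Module ADFS

$hostFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serviceName = (Get-AdfsProperties).HostName          # federation service name
$svcAccount  = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName

"Host FQDN              : $hostFqdn"
"Federation service name: $serviceName"
"AD FS service account  : $svcAccount"

if ($hostFqdn -ieq $serviceName) {
    # The computer account already owns HOST/<fqdn>, so the service account
    # cannot hold HOST/<servicename> without a duplicate SPN, and a second
    # farm node would collide on the same name.
    Write-Warning "Federation service name equals this host's FQDN (see the replies above)."
} else {
    "OK: federation service name and host FQDN differ."
}

# Which account holds the HOST SPN for the service name? Expect the AD FS
# service account, not a computer account.
setspn -Q "HOST/$serviceName"

# DNS: the service name should point at the farm (VIP/load balancer), not only
# at one node's own A record.
Resolve-DnsName -Name $serviceName -Type A | Select-Object Name, IPAddress

# SSL bindings the WAP must match (same service name, same certificate).
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash

# Run this function on the WAP (workgroup, DMZ): it must reach the federation
# service name on 443, and on 49443 if certificate authentication is used.
function Test-WapToAdfs {
    param([Parameter(Mandatory)][string]$FederationServiceName)
    foreach ($port in 443, 49443) {
        $r = Test-NetConnection -ComputerName $FederationServiceName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}
# Placeholder name taken from Isaac's reply above:
# Test-WapToAdfs -FederationServiceName 'adfs.company.com'
```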