Upgrade conundrum

  • Question

  • Hello all! We have a multi-server ADFS deployment with WAP nodes distributed globally for Geo load balancing purposes via AWS and Route53. We also have two firewall NLB clusters at HQ for internal and external operations. We are looking to upgrade from 2012R2 to 2016 to take advantage of some of the new features. The problem is that the Web Application Proxy starts with all 2016 nodes having the IDP page disabled and there does not seem to be a way to enable it from 2012R2. Our Geo load balance monitors work off of this as do certain legacy SSO sites.

    It seems that moving all 12 nodes into production, retiring the old nodes, upgrading the farm to ADFS 4, and then enabling IDP is the only way to move forward. This seems like a large amount of risk to assume in one change mgmt. Is there any better approach for this?

    Total side question on ADFS but it has always bothered me - So we have our two internal ADFS servers set up as an NLB. Our previous CIO stood up several nodes in other geographic regions, but with DNS always pointing to the nodes at HQ, do these nodes actually do anything? Or is there magic sauce going on in the background I'm unaware of? (yeah too lazy to wireshark)

    Monday, July 17, 2017 3:53 PM

All replies

  • As you know, you can enable the idpinitiatedsignon.aspx page by PowerShell using 

    Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

    One of our customers has the same config as you via Route53 with Geo LB DNS. We went down the co-existence route, less hassle in the long run.

    On the other question, you can use pinpoint DNS zones. We do this with some of our customers to route authentication requests to local regional nodes. That helps reduce the impact as well concerning your previous reservation.

    What proportion of your users are Internet-based v Intranet?


    Monday, July 17, 2017 7:24 PM
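An added example, not part of the thread, showing how the reply's Set-AdfsProperties switch fits into a checked rollout on a Windows Server 2016 AD FS node: confirm the farm behavior level, enable the page only if it is off, and then check both the IdP page and the dedicated /adfs/probe health endpoint that a load-balancer monitor could be keyed to instead. It assumes an elevated session with the ADFS module on a 2016 node; the FQDN is a placeholder.

```powershell
# Added example (not from the thread). Runs on a Windows Server 2016 AD FS node
# in an elevated PowerShell session with the ADFS module available.
param(
    # Placeholder: replace with the federation service FQDN (or a node name
    # to hit one specific server rather than whatever DNS/NLB resolves to).
    [string]$FederationFqdn = 'adfs.example.com'
)

Import-Module ADFS

# Get-AdfsFarmInformation exists from AD FS 2016 onward. CurrentFarmBehavior
# stays at the 2012 R2 level until Invoke-AdfsFarmBehaviorLevelRaise is run
# after every 2012 R2 node has left the farm.
$farm = Get-AdfsFarmInformation
"Farm behavior level: $($farm.CurrentFarmBehavior)"

# 2016 ships with the IdP-initiated sign-on page disabled; 2012 R2 has no
# switch for it, so this only does anything on a 2016 node.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    "IdP-initiated sign-on page enabled (was disabled)."
} else {
    "IdP-initiated sign-on page already enabled."
}

# Probe the two URLs a monitor might use. /adfs/probe is the purpose-built
# plain-HTTP (port 80) health endpoint on AD FS 2012 R2, AD FS 2016 and WAP,
# so a monitor keyed to it keeps working through a mixed-version rollout
# instead of depending on the sign-on page being enabled.
$urls = @(
    "http://$FederationFqdn/adfs/probe",
    "https://$FederationFqdn/adfs/ls/idpinitiatedsignon.aspx"
)
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "{0} -> HTTP {1}" -f $u, $r.StatusCode
    } catch {
        "{0} -> FAILED: {1}" -f $u, $_.Exception.Message
    }
}
```

Point `$FederationFqdn` at an individual node name when checking a single server, since the public FQDN resolves through the Geo/NLB layer and may land on a different node.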