Configuring Azure App Gateway v2 Backend Setting and Probe with ADFS VM server

Question

Configuring Azure App Gateway v2 Backend Setting and Probe with ADFS VM server

Roy Kim (Azure MVP) 191 MVP

I have a test environment with ADFS server in an azure VNET. I have deployed App Gateway v2 to same VNET.

I have other VMs that work well with app gateway v2 so backend health for those is good.

For getting App Gateway with ADFS working I have configured:

Backend Setting:

https 443,
"Backend server’s certificate is issued by a well-known CA": Yes. (Root cert is AAA certificate services by my research is trusted and well-known).
User's image

Health Probe: HTTPS, Host:<vm name>, Path:"/adfs/ls/idpinitiatedsignon" User's image

Backend Health Error:
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to the server. Check if application is running on correct port. To learn more visit - https://aka.ms/servernotreachable.

I tried VM connectivity troubleshooter to adfds VM. Ensure NSG is open and non blocking. No Firewall and UDR. I am pretty sure network traffic from within VM is fine. Remember I can get backend health no issues with other VMs.

I have tried many possible combinations of settings with probe, backend settings, listener, etc. Any suggestions to work with ADFS?
I have tried uploading Root Cert .cer file (in Backend Setting) but I don't know if that mattered. How to check if this is needed?

Can ADFS work with backend port http 80?
Where to troubleshoot for detailed errors?

Ganesh Patapati 10,540 Reputation points Microsoft External Staff Moderator

2025-05-22T18:33:13.7933333+00:00
Hello Roy Kim (Azure MVP)

I understand that you are facing issues with your Azure Application Gateway setup for ADFS. Here are a few things to check and try:

Backend Settings: Ensure the backend settings are configured correctly. You mentioned using HTTPS on port 443; verify that your ADFS server is set up to handle HTTPS requests on that port.

Health Probe Configuration: Since you have a custom health probe, ensure the configuration is as follows:

Protocol: Should be HTTPS.

Host: Use the FQDN for the ADFS server (instead of just the VM name).

Path: The specified path (/adfs/ls/idpinitiatedsignon) must be correct and accessible.

After configuring, test the probe to ensure it’s working correctly.

Verify that the ADFS VM allows inbound traffic on port 443. Sometimes, local firewall settings on the VM can block requests, so ensure that the ADFS service is responding correctly.

If you've uploaded the root certificate to the backend settings, confirm that it’s necessary. If ADFS is serving a certificate from a well-known CA, it's typically not needed unless you have specific configurations.

ADFS typically requires HTTPS for secure authentication; using HTTP (port 80) is not advisable and may lead to issues.

In the meantime, please try to check the connection trouble shooter in the application gateway and see the result. Also, in health probe configuration host place you can add the ADFS server IP and check once.

To troubleshoot further, check the Application Gateway access logs and ADFS logs for any specific error messages that could give insight into the connection issues.

Please share the below information for further investigation on the issue.

Can you confirm that the ADFS URL you’re using in the health probe is reachable from the Application Gateway?

Have you checked if the ADFS server is correctly processing requests on the specified path?

Could you provide any error logs or messages from ADFS that might indicate what's wrong?

What is the output of the health probe's test? Are there specific error codes or messages?

Is there any load balancer or additional security layer sitting in front of your ADFS server?

Hope the answer helps!

Please let us know do you have any further queries.

Please do consider to "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
Roy Kim (Azure MVP) 191 Reputation points MVP

2025-05-25T02:48:46.4033333+00:00

Thanks you for response. I have resolved by setting the FQDN at the health probe. That is subdomain.domain.com. This FQDN is a DNS record in a public dns zone.

1 answer

Your answer

Roy Kim (Azure MVP) 191 Reputation points MVP

2025-05-25T02:48:46.4033333+00:00

Thanks you for response. I have resolved by setting the FQDN at the health probe. That is subdomain.domain.com. This FQDN is a DNS record in a public dns zone.

Answer 1

Ganesh Patapati 10,540 Microsoft External Staff Moderator

Hello @Roy Kim (Azure MVP)

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

Issue: Configuring Azure App Gateway v2 Backend Setting and Probe with ADFS VM server

Resolution: I have resolved by setting the FQDN at the health probe. That is subdomain.domain.com. This FQDN is a DNS record in a public dns zone.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Accepted answer

Ganesh Patapati 10,540 Reputation points Microsoft External Staff Moderator

2025-05-26T16:29:45.7166667+00:00

Hello @Roy Kim (Azure MVP)

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.
Ganesh Patapati 10,540 Reputation points Microsoft External Staff Moderator

2025-05-27T18:31:00.37+00:00

Hello @Roy Kim (Azure MVP)

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.
Ganesh Patapati 10,540 Reputation points Microsoft External Staff Moderator

2025-05-28T16:42:03.1066667+00:00

Hello @Roy Kim (Azure MVP)

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

Share via

Configuring Azure App Gateway v2 Backend Setting and Probe with ADFS VM server

1 answer

Your answer