ADFS (WAP) not recognizing/handling traffic as internal

Christoph Thurnheer 81 Reputation points
2020-06-23T08:02:10.21+00:00

Have a WAP with ADFS (4.0). All traffic (internal and external) is going through the same WAP. The internal traffic is not recognized as such. If I change the authentication mode internally to certificate and WIA only, it still shows me the form (WAP/ADFS and client are on the same subnet). If I remove the form authentication on the external authentication mode, the form is gone. Why does my WAP/ADFS handle all traffic as external? Do I need to change something on the x-forwarded-for?

Thanks,
Chris

Active Directory Federation Services

Accepted answer
Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
2020-06-23T12:55:47.99+00:00

Internal traffic is not supposed to hit the WAPs. The internal clients must use the ADFS farm directly (or through a load balancer, but a load balancer that redirects the traffic directly to the ADFS servers and not the WAPs).

In order to achieve this, the easiest solution is to have a split-brain DNS (aka split-horizon). Let's say the ADFS server IP is 10.0.0.1, the WAP IP is 1.1.1.1 and the FQDN of your ADFS deployment is adfs.contoso.com. When internal clients are using the internal DNS servers, they should resolve adfs.contoso.com to 10.0.0.1, and when clients are using the public DNS for the same record, they should resolve adfs.contoso.com to 1.1.1.1. This is also listed here in the Network section.

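The split-horizon setup from the accepted answer, written out as an added example (not code from the original question or answer). It uses the answer's own values (adfs.contoso.com, farm 10.0.0.1, WAP 1.1.1.1); the internal DNS server name dc01.corp.contoso.com and the public resolver 9.9.9.9 are placeholders, and the pin-point zone assumes contoso.com is not already hosted on the internal DNS servers.

```powershell
# Added example: split-horizon DNS so internal clients reach the ADFS farm, not the WAP.
# Not from the original post. Values below follow the accepted answer; the internal
# DNS server name and the public resolver are assumptions for illustration.

$FederationName = 'adfs.contoso.com'
$AdfsFarmIp     = '10.0.0.1'              # ADFS farm (or the LB in front of the farm), internal
$WapIp          = '1.1.1.1'               # WAP address published in public DNS
$InternalDns    = 'dc01.corp.contoso.com' # assumption: an internal DNS server
$PublicResolver = '9.9.9.9'               # assumption: any resolver outside the intranet

# Step 1 (run once, as a DNS admin, against the internal DNS server):
# create a pin-point zone whose only record is the federation name, so internal
# clients get the farm address without the internal server shadowing all of contoso.com.
# If contoso.com is already hosted internally, skip the zone and add the A record there.
function Add-AdfsInternalRecord {
    Add-DnsServerPrimaryZone -Name $FederationName -ReplicationScope 'Forest' `
        -ComputerName $InternalDns
    Add-DnsServerResourceRecordA -ZoneName $FederationName -Name '@' `
        -IPv4Address $AdfsFarmIp -ComputerName $InternalDns
}

# Step 2 (run from an internal client): compare what the internal resolver, a public
# resolver and the client's own configured resolver return for the same name.
# InternalGoesToWap = $true is exactly the symptom described in the question.
function Test-AdfsSplitDns {
    Clear-DnsClientCache   # make sure the client answer below is not a stale cache entry

    $internal = Resolve-DnsName -Name $FederationName -Server $InternalDns -Type A -DnsOnly |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $public   = Resolve-DnsName -Name $FederationName -Server $PublicResolver -Type A -DnsOnly |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $client   = Resolve-DnsName -Name $FederationName -Type A -DnsOnly |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        Name                = $FederationName
        InternalDnsAnswer   = ($internal -join ',')
        PublicDnsAnswer     = ($public   -join ',')
        ClientAnswer        = ($client   -join ',')
        InternalGoesToFarm  = ($internal -contains $AdfsFarmIp)
        InternalGoesToWap   = ($internal -contains $WapIp)
        ClientGoesToWap     = ($client   -contains $WapIp)
        PublicGoesToWap     = ($public   -contains $WapIp)
    }
}

Test-AdfsSplitDns | Format-List
```

Run Add-AdfsInternalRecord once, then Test-AdfsSplitDns from a domain-joined client; the intranet authentication policy (certificate/WIA) only applies once ClientGoesToWap is false, because any request that arrives through the WAP is treated as extranet regardless of the client's subnet. Note that the split does nothing if the internal load balancer VIP for adfs.contoso.com still forwards to the WAPs: the internal record must point at the ADFS servers themselves or at a VIP that does.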
