question

ChristophOnMicrosoft asked piaudonn answered

ADFS (WAP) not recognizing/handling as internal traffic

Have a WAP with ADFS (4.0). All traffic (internal and external) is going through the same WAP. The internal traffic is not recognized as such. If I change the authentication mode internally to certificate and WIA only, it still shows me the form (WAP/ADFS and client are on the same subnet). If I remove the form authentication on the external authentication mode, the form is gone. Why does my WAP/ADFS handle all traffic as external? Do I need to change something on the x-forwarded-for?

Thanks,
Chris

adfs

1 Answer

piaudonn answered

Internal traffic is not supposed to hit the WAPs. The internal clients must use the ADFS farm directly (or through a load balancer, but a load balancer that redirects the traffic directly to the ADFS servers and not the WAPs).

In order to achieve this, the easier solution is to have a split-brain DNS (aka split-horizon). Let's say the ADFS server IP is 10.0.0.1, the WAP IP is 1.1.1.1 and the FQDN of your ADFS deployment is adfs.contoso.com. When internal clients are using the internal DNS servers, they should resolve adfs.contoso.com into 10.0.0.1 and when clients are using the public DNS for the same record, they should resolve adfs.contoso.com into 1.1.1.1. This is also listed here in the Network section.
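One way to set up and verify the split-horizon record described above on a Windows DNS server, as an added example that is not part of piaudonn's answer. It assumes the answer's values (adfs.contoso.com, 10.0.0.1 for the ADFS farm, 1.1.1.1 for the WAP) plus an assumed internal DNS server 10.0.0.53 and a public resolver 8.8.8.8 for the comparison, and is run with DNS admin rights on an internal AD-integrated DNS server.

```powershell
# Added example (not from the answer above): pin adfs.contoso.com internally so intranet
# clients reach the ADFS farm directly, while the public zone keeps pointing at the WAP.
# Assumed values: 10.0.0.53 = internal DNS server, 8.8.8.8 = public resolver used only to
# compare the two views. The other values are the ones used in the answer.
$AdfsFqdn    = 'adfs.contoso.com'
$InternalIp  = '10.0.0.1'    # ADFS farm (or its internal load balancer)
$WapPublicIp = '1.1.1.1'     # WAP, as published in public DNS
$InternalDns = '10.0.0.53'   # assumed internal DNS server
$PublicDns   = '8.8.8.8'     # assumed public resolver

# 1. A "pinned" zone named exactly like the FQDN: only this one name is overridden
#    internally, every other contoso.com name still resolves from the real zone.
if (-not (Get-DnsServerZone -Name $AdfsFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $AdfsFqdn -ReplicationScope 'Forest'
}

# 2. Apex A record of that zone pointing at the ADFS farm.
Add-DnsServerResourceRecordA -ZoneName $AdfsFqdn -Name '@' -IPv4Address $InternalIp `
    -TimeToLive (New-TimeSpan -Minutes 5)

# 3. Verify the split: the same name must answer differently inside and outside.
$internal = (Resolve-DnsName -Name $AdfsFqdn -Type A -Server $InternalDns -DnsOnly).IPAddress
$external = (Resolve-DnsName -Name $AdfsFqdn -Type A -Server $PublicDns   -DnsOnly).IPAddress
"Internal view: $internal   Public view: $external"

if ($internal -contains $WapPublicIp) {
    # Internal clients would still go through the WAP, so ADFS keeps treating them as extranet
    # and the forms-based policy from the question keeps showing up.
    Write-Warning "Internal clients still resolve $AdfsFqdn to the WAP ($WapPublicIp)."
} elseif (($internal -contains $InternalIp) -and ($external -contains $WapPublicIp)) {
    'Split-horizon DNS is in place: intranet clients bypass the WAP, external clients use it.'
} else {
    Write-Warning 'Unexpected answers; check the pinned zone and the public A record.'
}
```

Run the verification part again from an internal client after `Clear-DnsClientCache` so a cached answer for the WAP IP does not mask the fix.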

