ADFS Site Resilience

Jean-Luc Ch 176 Reputation points

For a customer, we configured an ADFS farm with 2 nodes, exposed to the Internet with WAP.
On each site, we have one ADFS server and one WAP.

We used DNS round robin for federation service publication. We plan to use load balancing.

Each WAP server can contact each ADFS server.

When the primary ADFS server is inaccessible, internal authentication works fine, but external authentication (through WAP) fails.

How can I build High Availability?


3 answers

  1. Jean-Luc Ch 176 Reputation points

    Any suggestion? Any reference documentation?


  2. 9704244848 186 Reputation points

    How can I build High Availability?

    I think the problem is DNS round robin, because it randomly replies with one IP address on every request. But the DNS protocol cannot check whether the server or application behind the IP address is online.

    The only safe way for this is to implement a physical or virtual load balancer in your environment. We set up your scenario for a few weeks with a highly available load balancer. AD FS over WAP works in every failure scenario (e.g. primary AD FS server is down).
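To make the round-robin problem described in this answer visible, here is an added health-check script (not from the thread or from Microsoft): it resolves every A record behind the federation service name and probes each node the way a load balancer health probe would, so a node that DNS still advertises but that no longer answers stands out. It assumes AD FS 2016 or later, which serves the probe endpoint `http://<node>/adfs/probe` on TCP 80, and uses a placeholder FQDN.

```powershell
# Added example: emulate a load balancer health probe against every node that
# DNS round robin hands out for the federation service name.
# Assumption: AD FS 2016+ (exposes http://<node>/adfs/probe, HTTP 200 when healthy).
param(
    [string]$FederationServiceName = 'fs.contoso.example',   # placeholder FQDN
    [int]$TimeoutSec = 5
)

# Every A record the resolver returns; round robin only rotates their order,
# it never removes a dead member.
$ips = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }).IPAddress | Sort-Object -Unique

$results = foreach ($ip in $ips) {
    # Transport check: is anything listening on 443 at all?
    $tcp443 = (Test-NetConnection -ComputerName $ip -Port 443 `
               -WarningAction SilentlyContinue).TcpTestSucceeded

    # Application check: the AD FS probe endpoint, as a load balancer would poll it.
    $probe = 'unreachable'
    try {
        $r = Invoke-WebRequest -Uri "http://$ip/adfs/probe" -UseBasicParsing -TimeoutSec $TimeoutSec
        $probe = [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { $probe = [int]$_.Exception.Response.StatusCode }
    }

    [pscustomobject]@{
        Node        = $ip
        Tcp443Open  = $tcp443
        ProbeStatus = $probe
        Healthy     = ($tcp443 -and $probe -eq 200)
    }
}

$results | Format-Table -AutoSize

# Any unhealthy node here is still being handed to clients (including WAP) by DNS;
# a load balancer running this same probe would drop it from the pool instead.
$dead = @($results | Where-Object { -not $_.Healthy })
if ($dead.Count -gt 0) {
    $msg = 'DNS still advertises {0} unhealthy node(s): {1}' -f $dead.Count, ($dead.Node -join ', ')
    Write-Warning $msg
}
```

Run it from a host inside the trusted network while a node is deliberately stopped to see which addresses round robin keeps returning.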

  3. 9704244848 186 Reputation points

    Look first into the Windows event log on the secondary AD FS server. Do you see entries of type error/warning at the timestamp when you try the authentication?
    Does the authentication work over the secondary inside your trusted network (LAN) without WAP? That way we can differentiate whether ADFS or WAP is the problem.