Can log into ADFS internally but not externally

Hi Everyone,

I have an ADFS server built internal to my environment; it federates to a SaaS platform that we use for CRM. When on our internal domain the federation works fine, but when outside of the domain there is no response from the server. Interestingly, when outside of the domain I can ping both the IP and the DNS name of the ADFS server, and I can telnet to the server on 443 and 80. But when I try to access the URL to the SaaS or to our DNS name it times out. We do not use a DMZ, and internally I modify the hosts file on each machine so that they don't try to resolve externally first. Any thoughts here?

Thanks,
Brandon

2 answers

Mark Morowczynski 251 Reputation points Microsoft Employee
2023-01-22T14:43:39.8333333+00:00

You should not be exposing ADFS directly to the internet. See https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs. We also have guides on how to migrate off ADFS: https://techcommunity.microsoft.com/t5/community-events-list/microsoft-workshops-how-to-successfully-migrate-away-from-ad-fs/m-p/3668480 and https://www.microsoft.com/en-us/security/business/identity-access/upgrade-adfs
Sreejith Reghunathan Pillai 20 Reputation points
2023-01-31T13:57:59.4333333+00:00

First, I would suggest running a packet capture from the internal network and from the external network to see if there is a difference in the traffic being sent. This will help you identify if there is a firewall rule or routing issue that may be preventing the traffic from reaching the ADFS server. If there is no difference in the traffic, then it could be an issue with the ADFS server itself. I would suggest checking the event logs on the ADFS server to see if there are any errors that could be related to the issue. Additionally, you may want to check to make sure that the SSL certificate is configured correctly and that the DNS entries for the ADFS server are properly configured.