cancel
Showing results for 
Search instead for 
Did you mean: 

ADFS load balancing using CNAME record but against MS guide lines?

NadJ
Nimbostratus
Nimbostratus

We would like to load balance our ADFS using our BigIP load balancer. I'm not a networking guy or expert on BigIP so forgive me for any omissions/inaccuracies.

 

The standard practice to load balance any Windows based service is to:

  1. Create a subzone of your DNS domain zone in question, e.g. lb.contoso.com
  2. Make the LBs authorative for this zone (i.e. they become the name servers)
  3. Within your contoso.com DNS zone, create a CNAME record of adfs.contoso.com mapping it to adfs.lb.contoso.com
  4. And finally configure your nodes inside BigIP

 

However, MS explcitly state not to create a CNAME record for ADFS (and some other services too). Here is the snippet from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements (AD FS 2016 Requirements). It says (see line in bold):

 

DNS Requirements

  • For intranet access, all clients accessing AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name to the load balancer for the AD FS servers or the AD FS server.
  • For extranet access, all clients accessing AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web Application Proxy servers or the Web Application Proxy server.
  • Each Web Application Proxy server in the DMZ must be able to resolve AD FS service name to the load balancer for the AD FS servers or the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file.
  • For Windows Integrated authentication, you must use a DNS A record (not CNAME) for the federation service name.
  • For user certificate authentication on port 443, "certauth.<federation service name>" must be configured in DNS to resolve to the federation server or web application proxy.
  • For device registration or for modern authentication to on premises resources using pre-Windows 10 clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be configured to resolve to the federation server or web application proxy.

 

ADFS seems to be a popular and common service that is load balanced by BigIP appliances, but doesn't the method we have to use in BigIP contradict the above MS recommendation? Or is there something happening behind the scene which is transforming the request or performing some other magic to essentially make it look like a non CNAME based request?

 

I would be extremely grateful for any input, thoughts or ideas. Thank you

0 REPLIES 0