Name resolution requirements for ADFS-enabled Web servers

Applies To: Windows Server 2003 R2

Before a Web browser client can contact an Active Directory Federation Services (ADFS)–enabled Web server over the Internet, the Web browser must first use Domain Name System (DNS) to resolve the Web server's host name to the IP address of the ADFS-enabled Web server that is located in the resource partner's perimeter network. Name resolution to a federated application follows the standard DNS delegation (tree-walking) process:

  1. The DNS resolver that is acting for the browser client contacts a top-level-domain (TLD) DNS server on the Internet to resolve the fully qualified domain name (FQDN) of the target Web site that was typed into the browser.

  2. The TLD DNS server does not hold the address itself. It refers the resolver to the DNS server that is authoritative for the DNS domain that is specified in the Web site address, by returning that server's name server (NS) record and IP address.

    Note

    In the federated world of ADFS, this DNS server is the DNS server that is located in the perimeter network of the resource partner organization.

  3. Using the values that are stored in its preconfigured host address (A) resource records, the perimeter DNS server (which is authoritative for the zone) resolves the target FQDN to the IP address of the ADFS-enabled Web server and returns that answer to the resolver, which passes it back to the browser client.

For more information about how the DNS process works, see How DNS Works (https://go.microsoft.com/fwlink/?LinkId=74637).

Configuring perimeter DNS

DNS is required for successful name resolution across the Internet to an ADFS-enabled Web server. The perimeter DNS zone must contain a host (A) record that resolves the Web server's FQDN to a single IP address. If the Web servers are farmed, that single address is the cluster IP address of the farm, so that Internet clients never learn (and cannot connect directly to) the addresses of individual farm members. You configure this record on the DNS server in the perimeter network of the resource partner.

The following illustration shows the perimeter DNS configured with a single host (A) record for ws (ws.treyresearch.net) that points to the IP address of the ADFS-enabled Web server cluster in the perimeter network. In this scenario, Network Load Balancing (NLB) provides a single cluster FQDN and a single cluster IP address for an existing ADFS-enabled Web server farm.

[Illustration: DNS configuration for AD FS-enabled Web servers]
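The following PowerShell script is an added example that is not part of the original article. It creates the ws host (A) record in the perimeter zone with dnscmd.exe (available on Windows Server 2003 R2 and later) and then verifies, first against the perimeter DNS server and then against a public resolver on the Internet, that ws.treyresearch.net resolves to exactly one address and that the address is the NLB cluster IP, which is the condition the section above requires. The cluster IP address 203.0.113.10, the perimeter DNS server name dns1.treyresearch.net, and the public resolver 8.8.8.8 are placeholders; the verification step uses Resolve-DnsName, which requires the DnsClient module (Windows 8 / Windows Server 2012 and later), so on an older host run the same queries with nslookup instead.

```powershell
# Added example, not code from the original article.
# Placeholders (assumptions, not values from the article):
#   $ClusterIp      203.0.113.10            NLB cluster IP of the ADFS-enabled Web farm
#   $PerimeterDns   dns1.treyresearch.net   perimeter DNS server, authoritative for the zone
#   $PublicResolver 8.8.8.8                 any recursive resolver reachable from the Internet
param(
    [string]$Zone           = 'treyresearch.net',
    [string]$HostLabel      = 'ws',
    [string]$ClusterIp      = '203.0.113.10',
    [string]$PerimeterDns   = 'dns1.treyresearch.net',
    [string]$PublicResolver = '8.8.8.8'
)

$Fqdn = "$HostLabel.$Zone"

function Add-PerimeterHostRecord {
    # dnscmd <server> /RecordAdd <zone> <node> A <ip> creates the host (A) record
    # in the perimeter zone. Run with credentials that administer the DNS server.
    & dnscmd.exe $PerimeterDns /RecordAdd $Zone $HostLabel A $ClusterIp
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd failed to add $Fqdn -> $ClusterIp (exit code $LASTEXITCODE)"
    }
}

function Test-AdfsWebServerDnsRecord {
    param([Parameter(Mandatory)][string]$Server)

    # Query the named server directly and bypass the local cache and hosts file,
    # so the result reflects what that server actually publishes.
    $answer = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop
    $addresses = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # A farmed Web server must be published behind one cluster address only.
    # Extra A records (for example, individual farm members) let an Internet
    # client bypass NLB and reach a node directly.
    if ($addresses.Count -ne 1) {
        Write-Warning "$Server returned $($addresses.Count) A records for ${Fqdn}: $($addresses -join ', ')"
        return $false
    }
    if ($addresses[0] -ne $ClusterIp) {
        Write-Warning "$Server resolves $Fqdn to $($addresses[0]); expected cluster IP $ClusterIp"
        return $false
    }
    Write-Host "$Server resolves $Fqdn to $ClusterIp (OK)"
    return $true
}

# Create the record, then check it from the perimeter server (authoritative answer)
# and from a public resolver, which exercises the TLD -> authoritative delegation
# path described above. Allow time for the public resolver's cache to expire
# if an older record for the name existed.
Add-PerimeterHostRecord
$ok = (Test-AdfsWebServerDnsRecord -Server $PerimeterDns) -and
      (Test-AdfsWebServerDnsRecord -Server $PublicResolver)
if (-not $ok) { exit 1 }
```

Run the script from a management host that can reach both the perimeter DNS server and the Internet. If the perimeter server passes but the public resolver fails, the zone is most likely not delegated correctly from the parent domain (the NS and glue records at the registrar), which is the step 2 referral in the process above rather than a problem with the A record itself.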

For more information about how to configure a cluster IP address or a cluster FQDN using Microsoft NLB technology, see Specifying the Cluster Parameters (https://go.microsoft.com/fwlink/?LinkId=74651).

For more information about how to configure perimeter DNS, see Add a host (A) record to perimeter DNS for an ADFS-enabled Web server.