Name Resolution Requirements for Federation Servers

Updated: January 31, 2008

Applies To: Windows Server 2008

When clients on the corporate network attempt to access an Active Directory Federation Services (AD FS)-secured application, they must first authenticate to a federation server. One way to authenticate is to have the corporate network clients access a local federation server through Windows Integrated authentication.

So that successful name resolution through Windows Integrated authentication on local federation servers can occur, Domain Name System (DNS) in the corporate network of the account partner must be configured for a new host record that will resolve the fully qualified domain name (FQDN) host name of the federation server to the IP address of the federation server cluster.

In the following illustration, you can see how this task is accomplished for a given scenario. In this scenario, Microsoft Network Load Balancing (NLB) provides a single cluster FQDN name and a single cluster IP address for an existing federation server farm.

DNS configuration for federation servers

For information about how to configure a cluster IP address or cluster FQDN using NLB, see Specifying the Cluster Parameters (

For information about how to configure corporate DNS for a federation server, see Add a Host (A) Resource Record to Corporate DNS for a Federation Server.

For information about how to configure federation server proxies in the perimeter network, see Name Resolution Requirements for Federation Server Proxies.

Community Additions