Name Resolution Requirements for Federation Servers
Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
When client computers on the corporate network attempt to access an application or Web service that is protected by Active Directory Federation Services (AD FS) 2.0, they must first authenticate to a federation server. One way to authenticate is to have the corporate network clients access a local federation server through Windows Integrated Authentication.
So that successful name resolution through Windows Integrated Authentication on local federation servers can occur, Domain Name System (DNS) in the corporate network of the account partner must be configured for a new host (A) resource record that will resolve the fully qualified domain name (FQDN) host name of the federation server to the IP address of the federation server cluster.
In the following illustration, you can see how this task is accomplished for a given scenario. In this scenario, Microsoft Network Load Balancing (NLB) provides a single cluster FQDN name and a single cluster IP address for an existing federation server farm.
For information about how to configure a cluster IP address or cluster FQDN using NLB, see Specifying the Cluster Parameters (http://go.microsoft.com/fwlink/?LinkId=75282).
For information about how to configure corporate DNS for a federation server, see Add a Host (A) Resource Record to Corporate DNS for a Federation Server.
For information about how to configure federation server proxies in the perimeter network, see Name Resolution Requirements for Federation Server Proxies.