
We have had a 2012 R2 ADFS farm deployed for some time.

When changing the web theme for the ADFS config today, I have noticed I was unable to connect to the secondary server in our farm from my workstation using its FQDN.

The primary server I can connect to without issue (other than the fact that the certificate isn't valid using the internal FQDN). When diagnosing, I have found that if I log into the secondary server and use localhost, it works fine, so it is only remote connections that have an issue.

I can see some ADFS events that suggest the secondary server is indeed servicing authentication requests, but I am now worried that any device relying on forms based auth won't work when the primary server is down for maintenance. I have tried rebooting the server, checking to ensure the firewall is not blocking ports, and am now unsure on what else could be the problem.

There doesn't seem to be an IIS installation of any kind for me to look at settings, so I am at a loss. Can anyone offer any suggestions on why I can't connect to this secondary server remotely?

Todd Wilcox
James Edmonds

1 Answer


With the help of Pierre from here, the answer was:

It's because of SNI. The Hostname in the HTTP header has to be the name of the farm to reach it.

If you want to test whether your second server works, create an entry in the HOSTS file on your workstation.

For example, if the IP addresses of your ADFS servers are 10.0.0.1 and 10.0.0.2, the IP of the cluster is 10.0.0.3, and the name of the farm is adfs.contoso.com, create an entry like:

10.0.0.2 adfs.contoso.com

James Edmonds