THeron-5142 asked:

ADFS re-directs to an office365 home page instead of my organization's external page and internal calls to ADFS STS end up on generic IIS landing page

99.9% of my experience up to this point is in on-site/on-premise Active Directory, not Azure, so forgive this question.

I built a small Active Directory integrated to Azure Active Directory lab, integrated with the web domain zero365.net (you may visit it, it's just a GoDaddy "web builder site" that took all of 5 minutes to build.)

From inside my Active Directory domain network, on any domain-joined machine's web browser, if I navigate to http://login.microsoftonline.com and enter someusername@zero365.net, the ADFS authentication mechanism kicks in, asking me for a username; after I feed it an internal on-premise AD username I get successfully re-directed to https://www.office.com/?auth=2, an Office 365 home page. Looking good, right? A vanilla Active Directory to Azure Active Directory / Office 365 environment. I would prefer to ultimately land at http://zero365.net instead, but this is not my question.

The question is, from internal, if I navigate to http://fs.zero365.net (fs.zero365.net is a hostname of my internal ADFS server, hosting the STS), I get taken to the below IIS page. A little confused here, as I thought that would also kick in a re-direction to an authentication challenge and ultimately a re-direction to my external page at http://zero365.net. My actual internal Active Directory domain is dev.local, and the Active Directory integrated DNS for that hosts an internal zone for zero365.net just so internal clients can hit the ADFS servers for any calls to fs.zero365.net. (To make things more self-explanatory in the future, I will rename fs.zero365.net to sts.zero365.net. But that's for another day.)


Tags: azure-active-directory, azure-webapps, azure-ad-connect, azure-ad-domain-services

DSPatrick answered (1 vote):

The described issue looks definitely like a Split-DNS issue.

If the intended use of ADFS is for Office 365 only, I recommend using AAD Connect Passthrough Authentication to reduce the on-premises complexity.

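A way to confirm the split-DNS diagnosis from a domain-joined client, as an added example that is not part of the thread or of any Microsoft tooling: resolve the farm name through the machine's own (internal) DNS and through a public resolver, then fetch the standard ADFS federation metadata document and see whether the host that answers is really the STS. ADFS on Windows Server 2012 R2 and later is not hosted in IIS, so a default IIS landing page is a strong hint that the internal record is pointing at a different host or binding than the STS. The name fs.zero365.net comes from the question; the external resolver address and the metadata path are assumptions of this example.

```powershell
# Added diagnostic script, not from this thread. Assumptions: fs.zero365.net is the
# ADFS farm name from the question; 1.1.1.1 is a stand-in public resolver; the
# metadata path is the standard ADFS FederationMetadata location.

$FsHost           = 'fs.zero365.net'
$ExternalResolver = '1.1.1.1'

function Get-AdfsNameResolution {
    param([string]$Name, [string]$ExternalDns)

    # Internal answer: whatever the client's configured DNS (the AD-integrated zone) says.
    $internal = @(Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    # External answer: the public zone, which is what off-network clients see.
    $external = @(Resolve-DnsName -Name $Name -Type A -Server $ExternalDns -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)

    $internalKey = ($internal | Sort-Object) -join ','
    $externalKey = ($external | Sort-Object) -join ','

    [pscustomobject]@{
        Name        = $Name
        InternalIPs = $internalKey
        ExternalIPs = $externalKey
        # Differing answers inside vs. outside is what split DNS is; that is normal for
        # ADFS (internal -> STS, external -> proxy), but the internal record must land
        # on the STS itself, not on a server that only runs a default IIS site.
        IsSplit     = ($internalKey -ne $externalKey)
    }
}

function Test-AdfsMetadataEndpoint {
    param([string]$Name)

    $url = "https://$Name/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        # Fails (and lands in catch) if the TLS certificate is not trusted by this client.
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{
            Url        = $url
            StatusCode = $r.StatusCode
            Server     = $r.Headers['Server']
            # A real STS answers with SAML metadata XML; an IIS default site does not.
            IsAdfs     = ($r.Content -match '<EntityDescriptor')
        }
    } catch {
        $code = -1
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{
            Url        = $url
            StatusCode = $code
            Server     = $null
            IsAdfs     = $false
        }
    }
}

Get-AdfsNameResolution -Name $FsHost -ExternalDns $ExternalResolver | Format-List
Test-AdfsMetadataEndpoint -Name $FsHost | Format-List
```

Run it once from inside the domain and once from an outside network; if the internal address is not the STS, or the metadata fetch from inside returns HTML instead of an EntityDescriptor, the internal zero365.net zone record for the farm name is what needs fixing.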
amanpreetsingh-msft answered (0 votes):

@ThomasStensitzki You need to use https://fs.zero365.net/adfs/ls/idpinitiatedsignon to go to ADFS Authentication page.

Note: On Windows Server 2016 and later, this page is disabled by default and needs to be enabled by using the following command:

 Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

If you want to redirect to http://zero365.net after authentication, your web application must be federated with ADFS and configured to redirect to http://zero365.net after successful authentication. For more information, please search for "ADFS Deep Dive" on https://techcommunity.microsoft.com.

Also, you should not name any of the actual computer accounts in the ADFS farm fs.zero365.net, which will cause a duplicate SPN issue and break integrated Windows Authentication.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

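The two checks implied by the answer above, as an added example that is not part of the thread: report whether the IdP-initiated sign-on page is enabled (it is off by default on 2016 and later, so this script only reports the state and leaves the decision to enable it to you), and look for duplicate HOST SPNs on the farm name, which is what breaks integrated Windows authentication when a computer account is named like the farm. It runs on an ADFS server with the ADFS cmdlets and the RSAT ActiveDirectory module available. The farm name fs.zero365.net and the sign-on URL come from the thread; the SPN forms checked (host/<fqdn> and host/<short name>) are the HOST SPNs Windows registers on a computer account, and the function names are this example's own.

```powershell
# Added check script, not from this thread. Run on an ADFS server that also has the
# RSAT ActiveDirectory module installed. fs.zero365.net is the farm name from the thread.

$FsHost = 'fs.zero365.net'

function Get-IdpInitiatedSignonState {
    $p = Get-AdfsProperties
    [pscustomobject]@{
        FarmName                     = $p.HostName
        EnableIdpInitiatedSignonPage = $p.EnableIdpInitiatedSignonPage
        # URL from the answer above; only reachable when the property is $true.
        SignonUrl                    = "https://$($p.HostName)/adfs/ls/idpinitiatedsignon"
    }
}

function Find-AdfsSpnOwners {
    param([string]$Name)
    $short = $Name.Split('.')[0]
    foreach ($spn in @("host/$Name", "host/$short")) {
        # Every AD object holding this SPN. The ADFS service account (or gMSA) should be
        # the only owner of host/<farm fqdn>; two owners means Kerberos cannot pick one.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        [pscustomobject]@{
            Spn       = $spn
            Owners    = ($owners | ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }) -join '; '
            Duplicate = ($owners.Count -gt 1)
        }
    }
}

function Find-ComputerNamedLikeFarm {
    param([string]$Name)
    $short = $Name.Split('.')[0]
    # A computer account named like the farm (or carrying its dNSHostName) is the usual
    # source of the duplicate HOST SPN the answer warns about.
    @(Get-ADComputer -LDAPFilter "(|(dNSHostName=$Name)(sAMAccountName=$short`$))" |
        Select-Object Name, DNSHostName)
}

Get-IdpInitiatedSignonState | Format-List
Find-AdfsSpnOwners -Name $FsHost | Format-Table -AutoSize
$clash = Find-ComputerNamedLikeFarm -Name $FsHost
if ($clash.Count -gt 0) {
    Write-Warning "Computer account(s) named like the ADFS farm: $(($clash | ForEach-Object Name) -join ', ')"
}
```

Any row with Duplicate set to True, or any computer account returned by the last check, means the farm name is shared between a machine identity and the service identity; rename the machine (as the answer recommends) rather than removing the SPN from the ADFS service account.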