After enabling AD Federation Service (ADFS) you are being referred to your internal domain


After entering your federated domain account in a browser, are you being redirected to your internal domain name (e.g. adfs.contoso.local) instead of the public domain name (e.g. adfs.publicdomain.com)?

  • RDP to your ADFS server
  • Install and open the Windows Azure Active Directory PowerShell module; for more details see this blog post
  • Execute “Get-MsolFederationProperty -DomainName” with your external domain name, e.g. “adfs.myexternaldomain.com”
     

PS C:\Windows\system32> Get-MsolFederationProperty -DomainName adfs.myexternaldomain.com


Source                          : ADFS Server
ActiveClientSignInUrl           : https://adfs.contoso.local/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName    : Contoso Corporation
FederationServiceIdentifier     : http://adfs.contoso.local/adfs/services/trust
FederationMetadataUrl           : https://adfs.contoso.local/adfs/services/trust/mex
PassiveClientSignInUrl          : https://adfs.contoso.local/adfs/ls/
PassiveClientSignOutUrl         : https://adfs.contoso.local/adfs/ls/

  <more stuff here, not listed>

  

  • The output above most likely lists endpoints that reference your local (internal) domain name.
  • Open AD FS Management and go to “Edit Federation Service Properties”


  • Change the references from the internal domain name to the public domain names.
    • If this is already the correct information, continue with the following steps anyway.
  • Hit OK and close AD FS management
  • In the PowerShell window, execute Update-MsolFederatedDomain -DomainName “adfs.myexternaldomain.com”


Check by using “Get-MsolFederationProperty -DomainName adfs.myexternaldomain.com” or your browser to see if you are being redirected to the correct URL this time.
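The manual check above can be scripted so that every endpoint in both records returned by Get-MsolFederationProperty (the AD FS server side and the Microsoft Online side) is compared against the public host name. This is an added example, not code from the original post; it assumes the MSOnline module is installed, Connect-MsolService has already been run, and the two parameter names are placeholders you fill in.

```powershell
# Added example (not from the original post): flag federation endpoints that still
# reference the internal domain name, before or after the change in AD FS Management.
param(
    [Parameter(Mandatory)] [string] $DomainName,     # value passed to -DomainName, as in the post
    [Parameter(Mandatory)] [string] $PublicAdfsHost  # e.g. adfs.myexternaldomain.com (placeholder)
)

# Properties of the Get-MsolFederationProperty record that carry a URL.
$urlProperties = 'ActiveClientSignInUrl', 'FederationMetadataUrl',
                 'PassiveClientSignInUrl', 'PassiveClientSignOutUrl',
                 'FederationServiceIdentifier'

$problems = @()
# Get-MsolFederationProperty returns one record per source (AD FS server and
# Microsoft Online); a mismatch on either side causes the wrong redirect.
foreach ($record in Get-MsolFederationProperty -DomainName $DomainName) {
    foreach ($name in $urlProperties) {
        $value = $record.$name
        if ([string]::IsNullOrEmpty($value)) { continue }
        $hostName = ([System.Uri]$value).Host
        # -ne is case-insensitive in PowerShell, so host name casing does not matter.
        if ($hostName -ne $PublicAdfsHost) {
            $problems += "[{0}] {1} points at '{2}', expected '{3}'" -f `
                $record.Source, $name, $hostName, $PublicAdfsHost
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All federation endpoints for $DomainName use $PublicAdfsHost."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host "Correct the host name under 'Edit Federation Service Properties' in AD FS Management, then run:"
    Write-Host "  Update-MsolFederatedDomain -DomainName $DomainName"
}
```

Run it once before the change to confirm the internal name is the culprit, and again after Update-MsolFederatedDomain to confirm both records now agree on the public host.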

Consider leaving a reply in case this post helped you. Thanks!


Comments (4)

  1. ris says:

    Can I use different DNS namespaces for Internal VS External Access? Something like Internally ADFS endpoint is "int.contoso.com" and externally called "ext.internet.net" ? I was hoping I can with SAN certs and additional DNS zones to host the respective A records.

  2. Pieter says:

    Hi Ris, yes that should work as long as the DNS is arranged accordingly.

  3. Anonymous says:

    My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise

  4. DaveC4 says:

    If my UPN suffix is my internal domain (user@contoso.local), would this allow SSO to work externally for (user@contoso.com)? Or would we have to change UPN suffixes?