Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,923 questions
A little vague but you may need to deploy split brain DNS
ADFS re-directs to an office365 home page instead of my organization's external page and internal calls to ADFS STS end up on generic IIS landing page
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 99%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
T-Heron
1
Reputation point
99.9% of my experience up to this point is in on-site/on-premise Active Directory, not Azure, so forgive this question.
I built a small Active Directory integrated to Azure Active Directory lab, integrated with the web domain zero365.net (you may visit it, it's just a GoDaddy "web builder site" that took all of 5 minutes to build.)
From inside my Active Directory domain network, on any domain-joined machine's web browser, if I navigate to http://login.microsoftonline.com, and enter in someusername@zero365.net, ADFS authentication mechanism kicks in, asking me for a username, after I feed it an internal on-premise AD username I get successfully re-directed to https://www.office.com/?auth=2, an Office 365 home page. Looking good, right? A vanilla Active Directory to Azure Active Directory / Office 365 environment. Though I would prefer to ultimately land at http://zero365.net instead, but this is not my question.
The question is, from internal, if I navigate to htttp://fs.zero365.net, (fs.zero365.net is a hostname of my internal ADFS server, hosting the STS), I get taken to the below IIS page. A little confused here, as I thought that would also kick in a re-direction to an authentication challenge and ultimate re-direction to my external page at http://zero365.net. My actual internal Active Directory domain is dev.local, and the Active Directory integrated DNS for that hosts an internal zone for zero365.net just so internal clients can hit the ADFS servers for any calls to fs.zero365.net. (To make things more self-explanatory in the future
, I will rename fs.zero365.net to sts.zero365.net. But that's for another day.)
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-01-11T23:52:08.99+00:00 -
TStensitzki 11 Reputation points MVP2020-01-20T07:23:30.603+00:00 The described issue looks definitely like a Split-DNS issue.
If the intended use of ADFS is for Office 365 only, I recommend using AAD Connect Passthrough Authentication to reduce the on-premises complexity.
Sign in to comment -
-
AmanpreetSingh-MSFT 56,666 Reputation points2020-01-20T08:05:24.81+00:00 anonymous user You need to use https://fs.zero365.net/adfs/ls/idpinitiatedsignon to go to ADFS Authentication page.
Note: On Windows Server 2016 and later, this page is disabled by default and needs to be enabled by using following command:
Set-AdfsProperties –EnableIdpInitiatedSignonPage $TrueIf you want to redirect to http://zero365.net after authentication, your web application must be federated with ADFS and configured to redirect to http://zero365.net after successful authentication. for more information, please search for "ADFS Deep Dive" on https://techcommunity.microsoft.com.
Also, you should not name any of the actual computer accounts in the ADFS farm fs.zero365.net, which will cause a duplicate SPN issue and break integrated Windows Authentication.
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.