Article ID: 2715326
When you sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune by using a single sign-on (SSO)-enabled user ID, the connection to Active Directory Federation Services (AD FS) does not behave as expected. The connection fails, with one of the following results:
These symptoms can be caused by a faulty split-brain DNS configuration that is required for correct internal and external name resolution of DNS services. One of the following causes is most likely:
To resolve this issue, follow these steps:
Step 1: Establish the split-brain DNS zone in internal DNS
To do this, follow these steps on the on-premises DNS server:
Step 2: Advertise the AD FS service endpoint in the split-brain DNS domain
In the DNS Management Console that you opened earlier, follow these steps:
Step 3: Clear the DNS cache on the server and client to test the solution
Split-brain DNS is a common configuration that's used to make sure that on-premises client computers resolve a server name to internal IP addresses, even though public DNS resolution resolves the same service name to a completely different public IP address. When you set up AD FS for on-premises service, this configuration is needed to make sure that on-premises client computers’ authentication experience to the AD FS service is handled differently (by the AD FS Federation Service farm) than external client computers that are being serviced by the AD FS Proxy Service.
Without this configuration, all AD FS clients are serviced by the same IP address when they connect to the AD FS service, whether they are connected from the on-premises network or are accessing it remotely from an Internet location. This limits the seamless authentication experience that is possible for on-premises, Active Directory-authenticated clients, because the AD FS Proxy Service that exposes the AD FS service to the Internet does not expect the connecting client to be able to provide an Integrated Windows Authentication response without a prompt (because remote computers are not authenticated to Active Directory).
To overcome this limitation, it's desirable to override the default name resolution that is given to on-premises clients by creating an identically named domain in on-premises DNS. Because the DNS distributed architecture returns the first response that is found to a forward lookup query, this effectively masks the public DNS domain advertisements for that domain for all on-premises client computer requests because their requests are usually handled by on-premises DNS servers first.
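The following is an added example of the three steps above as PowerShell on a Windows DNS server; it is not from the KB article. The federation service name, the internal farm address and the external resolver are placeholders, and scoping the zone to the service FQDN rather than the whole public domain is an assumed design choice that avoids masking the rest of the public domain for on-premises clients.

```powershell
# Added example (not from the KB article): establish a split-brain DNS zone for the
# AD FS federation service name on an on-premises Windows DNS server, publish the
# internal A record, flush caches, and verify resolution. Run in an elevated
# PowerShell session on a domain controller/DNS server with the DnsServer module.
# All names and addresses below are placeholders; substitute your own.

$FederationServiceName = 'sts.contoso.com'       # assumed federation service FQDN
$InternalFarmIp        = '10.0.0.25'             # assumed internal AD FS farm or load-balancer VIP
$ExternalResolver      = '<public-resolver-ip>'  # placeholder: a resolver outside your network

# Step 1: create the internal zone. Naming the zone after the full service FQDN
# (rather than the whole public domain) masks only this one host, so other public
# records in contoso.com keep resolving normally for on-premises clients.
if (-not (Get-DnsServerZone -Name $FederationServiceName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $FederationServiceName -ReplicationScope 'Forest'
}

# Step 2: advertise the AD FS endpoint. An A record at the zone apex ('@') answers
# queries for sts.contoso.com itself with the internal farm address, so on-premises
# clients reach the federation farm instead of the AD FS Proxy.
Add-DnsServerResourceRecordA -ZoneName $FederationServiceName -Name '@' `
    -IPv4Address $InternalFarmIp -TimeToLive ([TimeSpan]::FromMinutes(5))

# Step 3: clear server and client caches so stale public answers are not reused.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Verify the split view: the internal answer must be the farm IP, and an outside
# resolver must still return the public (proxy) address, never the internal one.
$internal = (Resolve-DnsName -Name $FederationServiceName -Type A).IPAddress
$external = (Resolve-DnsName -Name $FederationServiceName -Type A -Server $ExternalResolver).IPAddress
if (($internal -contains $InternalFarmIp) -and ($external -notcontains $InternalFarmIp)) {
    "Split-brain OK: internal -> $internal, external -> $external"
} else {
    "Check configuration: internal -> $internal, external -> $external"
}
```

Run the verification part from an on-premises client as well, since the client's own cache and resolver order decide which answer it actually uses.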
Article ID: 2715326 - Last Review: July 9, 2014 - Revision: 12.0