A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience
- Computers that sign in from inside the on-premises network connect to the AD FS proxy IP address, and a forms-based authentication prompt appears. However, an Integrated Windows Authentication experience is expected.
- Computers that sign in from inside the on-premises network and then try to connect to the AD FS proxy service are denied because of firewall settings.
- The split-brain internal DNS resolution isn't set up for the domain in which the AD FS service resides.
- AD FS service name resolution wan't set in the split-brain internal DNS resolution of the on-premises environment.
Step 1: Establish the split-brain DNS zone in internal DNSTo do this, follow these steps on the on-premises DNS server:
- Open the DNS Management Console. To do this, open Administrative Tools, and then double-click DNS.
- In the left navigation pane, expand DNS, expand the server name, and then click Forward Lookup Zones.
- If there's no entry that's displayed for the DNS zone within which the AD FS service endpoint is hosted, create the zone. To do this, right-click Forward Lookup Zones, and then select New Zone.
- Complete the wizard. When you do this, select Primary Zone, and then name the zone for the DNS domain of the AD FS server.
Warning Completing this step effectively stops on-premises computers from resolving server names to public IP addresses by using the DNS server that resolves public requests for the domain. Any extranet service endpoints that have to be used by on-premises clients must have an A record created within the split-brain DNS configuration to enable the connection.
Step 2: Advertise the AD FS service endpoint in the split-brain DNS domainIn the DNS Management Console that you opened earlier, follow these steps:
- Browse to and then select the DNS zone for the domain of the AD FS server.
- Right-click the domain name, and then select New Host (A or AAAA).
- Enter the following values:
- Name: The AD FS service name
- IP address: The on-premises private IP address of the AD FS Federation Service farm.
Step 3: Clear the DNS cache on the server and client to test the solution
- In the DNS Management Console that you opened earlier, right-click the server name, and then click Clear Cache.
- On the client computer, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run As Administrator.
- Type the following command, and then press Enter:Ipconfig /flushdns
Without this configuration, all AD FS clients will be serviced by the same IP address when they connect to the AD FS service, whether they are connected from the on-premises network or are accessing remotely from an Internet location. This limits the seamless authentication experience possible for on-premises, Active Directory-authenticated clients, because the AD FS Proxy Service that is exposing the AD FS service to the Internet does not expect the accessing client to be able to provide an Integrated Windows Authentication response without a prompt (because remote computers are not authentication to Active Directory).
To overcome this limitation, it's desirable to override the default name resolution that is given to on-premises clients by creating an identically named domain in on-premises DNS. Because the DNS distributed architecture returns the first response that is found to a forward lookup query, this effectively masks the public DNS domain advertisements for that domain for all on-premises client computer requests because their requests are usually handled by on-premises DNS servers first.
Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Article ID: 2715326 - Last Review: 12/12/2014 09:52:00 - Revision: 14.0
- o365 o365a mosdal4.5 o365e o365022013 o365m KB2715326