Azure Traffic Manager & ADFS 2012r2

  • Question

  • Hi All

    I've installed ADFS 2012r2 (ADFS 3) on some VMs in Azure and I have Azure Traffic Manager pointing to the ADFS WAP Cloud Service,

    But I keep getting Degraded mode.  Traffic Manager is doing the job with no issues.  Which is great.  

    I believe the issue is that TM is looking for a 200 reply from the WAP server.  The TM config is below.

    relative path and file name

    /adfs/ls/IdpInitiatedSignon.aspx

    Port 443.

    On the WAP I can browse to /adfs/ls/IdpInitiatedSignon.aspx

    Has anybody come across this issue before?

    Thanks

    Spud

    Sunday, November 9, 2014 11:03 PM

Answers

  • Hi,

    Thanks for reaching out.

    This kind of issue is most often caused by a misconfiguration in the Traffic Manager settings--please verify the protocol (HTTP / HTTPS), Port, and Monitoring Path are correct.

    The second most common cause is misconfiguration of the service, such as firewall rules or ACLs that are blocking the Traffic Manager probes.  The best way to verify is to spin up a temporary Azure VM in a separate region, and point the browser at your endpoints (via the endpoint domain names, not the Traffic Manager domain name) using the protocol, port and monitoring path you've chosen.

    If that test fails, then there's a connectivity issue with how the application is configured.  If it passes, then there's an issue we need to look into further--please raise a support ticket in this case.

    Regards,

    Jonathan Tuliani

    Program Manager

    Azure Networking - DNS and Traffic Manager

    Monday, November 10, 2014 11:51 AM
    Moderator

All replies

  • Hi,

    Thank you for posting. I'm currently researching on this and will revert back to you with more information on this. Appreciate your patience.

    Regards,

    Manu Rekhar

    Monday, November 10, 2014 2:02 AM
    Moderator
  • Thanks for the reply guys.  The config looks good to me. I will open a support request and I will update with my results.

    Thanks

    Monday, November 10, 2014 3:17 PM
  • Hi,

    Any update on the issue?

    Regards,

    Manu Rekhar

    Sunday, November 16, 2014 7:30 AM
    Moderator
  • I have the same issue...  Because the FQDN of the Traffic Manager isn't the same as the FQDN of the federated service (i.e. fs.domain.com) I don't believe the WAP will respond.

    So in other words, an incoming connection with a host header of:

    https://fs.domain.com/federationmetadata/2007-06/federationmetadata.xml

    would work fine (and return a HTTP 200) but a request for:

    https://trafficmgr01.trafficmanager.net/federationmetadata/2007-06/federationmetadata.xml

    would result in a dropped connection and a Degraded state from the Traffic Manager.


    Jonathan Hammond - Senior Systems Engineer - SICL Ltd

    Monday, November 17, 2014 4:11 PM
  • Having researched this further, I think this is due to SNI not being supported on the probe feature of the Traffic Manager (and the Load Balanced network as well).

    Jonathan Hammond - Senior Systems Engineer - SICL Ltd

    Tuesday, November 18, 2014 11:50 AM
  • Jonathan,

    I'm interested in converting my Azure-hosted ADFS proxies from a simple load-balanced availability set to a Traffic Manager config, but I'm unclear on a few things.  From what I can gather from seaspud's and your own posts, you guys have the traffic manager functioning properly, it's just the monitoring service that believes it to be in a degraded state?  I can't quite reconcile that since it seems that Traffic Manager wouldn't return any DNS records for endpoints it thought weren't accessible.  I would love a thorough explanation of how this can work (or confirmation that it actually doesn't) with an ADFS 3.0 farm.

    Thanks

    Phil

    Wednesday, November 19, 2014 3:50 PM
  • Without the Monitoring probe correctly connecting to the relevant services, I didn't think it would work either.  But seemingly it does (and I've tested connectivity with all possible permutations of ADFS and WAP being shutdown).

    I currently have both the Traffic Manager and Load Balanced Endpoints set in a Round Robin... This seemingly works fine.

    So the end-to-end architecture is something like this:

    ADFS Name (adfs.domain.com) -> TM -> DMZ Cloud Service -> LB Endpoints (SSL) -> WAP Servers -> Resolve adfs.domain.com CNAME to TM FQDN -> TM -> ADFS Cloud Service -> LB Endpoints (SSL) -> ADFS Servers.

    If that makes any sense at all.


    Jonathan Hammond - Senior Systems Engineer - SICL Ltd

    Wednesday, November 19, 2014 4:34 PM
  • After a bit more research, I see a way to get the monitoring service to respond with a "200", but I still think the ADFS authentications are going to fail based on the fact that we're using a CNAME instead of an A record with Traffic Manager.

    In regards to the monitoring service, Microsoft pushed out a rollup (http://support.microsoft.com/kb/2975719/en-us) in August of 2014 that addresses this very issue.  A new HTTP-based (not HTTPS) site is created on the WAP under /adfs/probe (i.e. http://adfs.example.com/adfs/prob) that can be used for monitoring purposes and won't get fouled up by the lack of SNI support.

    Phil

    Wednesday, November 19, 2014 5:03 PM
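    The SNI explanation and the /adfs/probe workaround above, as an added model that is not code from this thread, Azure or AD FS: it emulates an SNI-bound WAP and a health probe, with placeholder hostnames, to show why the HTTPS probe reports Degraded and the plain-HTTP /adfs/probe path does not.

```python
# Constructed model of the probe behaviour discussed in this thread; not Azure,
# AD FS or WAP code. Hostnames are placeholders.
from dataclasses import dataclass

@dataclass
class WapEndpoint:
    """A WAP server with HTTPS bindings keyed by SNI server name, plus the
    plain-HTTP /adfs/probe listener that the August 2014 rollup (KB2975719) adds."""
    sni_bindings: frozenset
    probe_enabled: bool = True

    def handle(self, scheme, path, sni_name=None):
        """Return the HTTP status, or None when the TLS handshake fails and the
        connection is dropped (what Traffic Manager then reports as Degraded)."""
        if scheme == "http":
            # /adfs/probe is served over HTTP: no TLS, so SNI is never involved.
            return 200 if self.probe_enabled and path == "/adfs/probe" else 404
        # HTTPS: with SNI-only bindings the server must see a bound name in the
        # ClientHello to pick a certificate. No SNI, or an unbound name, fails.
        if sni_name not in self.sni_bindings:
            return None
        if path.startswith("/adfs/ls/") or path.startswith("/federationmetadata/"):
            return 200
        return 404

@dataclass
class ProbeConfig:
    protocol: str   # "http" or "https"
    path: str       # Traffic Manager "relative path and file name"
    host: str       # name the probe targets (the *.trafficmanager.net name here)

def probe_status(wap, cfg, sends_sni=False):
    """Emulate one health check: Online only on HTTP 200, otherwise Degraded.
    sends_sni=False models the probe as described in the thread: no SNI sent."""
    sni = cfg.host if sends_sni else None
    return "Online" if wap.handle(cfg.protocol, cfg.path, sni) == 200 else "Degraded"

WAP = WapEndpoint(sni_bindings=frozenset({"adfs.example.com"}))
HTTPS_PROBE = ProbeConfig("https", "/adfs/ls/IdpInitiatedSignon.aspx",
                          "trafficmgr01.trafficmanager.net")
HTTP_PROBE = ProbeConfig("http", "/adfs/probe", "trafficmgr01.trafficmanager.net")
BROWSER = ProbeConfig("https", "/adfs/ls/IdpInitiatedSignon.aspx", "adfs.example.com")

if __name__ == "__main__":
    print("HTTPS probe, no SNI:", probe_status(WAP, HTTPS_PROBE))
    print("Browser with SNI:   ", probe_status(WAP, BROWSER, sends_sni=True))
    print("HTTP /adfs/probe:   ", probe_status(WAP, HTTP_PROBE))
```

    The browser case passes because it sends the bound federation service name via SNI, which is exactly what the probe in this thread could not do.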
  • I suppose to put this to bed, I'll just provide what I believe to be proof that Traffic Manager is not an option for load-balancing ADFS farm requests.  According to http://support.microsoft.com/kb/2461628/en-us, authentication requests will fail if ..

    • Domain Name System (DNS) resolution of the AD FS service endpoint was performed through CNAME record lookup instead of through an A record lookup.

    It definitely looks like Traffic Manager is not an option for this scenario.

    Wednesday, November 19, 2014 5:09 PM
  • I'm not sure that's relevant in this case Philip because we're not IIS (in 2012R2 AD FS) and I don't think we're using Kerberos.

    But we are using a CNAME, and it definitely is working!

    I've found the /adfs/probe setting, but I'm confused as to how this works when we're only defining an SSL-based endpoint, not an HTTP one.  Also you can't set a relative path for /adfs/probe on a Load Balanced Endpoint.


    Jonathan Hammond - Senior Systems Engineer - SICL Ltd

    Wednesday, November 19, 2014 5:54 PM
  • Actually, you CAN set up a path on an HTTP-based Load Balanced Endpoint.  My mistake!

    Jonathan Hammond - Senior Systems Engineer - SICL Ltd

    Wednesday, November 19, 2014 5:56 PM
  • You can use the following path:

    http://<WAP VIP>/adfs/probe

    Wednesday, January 14, 2015 10:09 PM
  • There is some great info here, may I ask a simple question though? Why use the traffic manager at all? Doesn't having the WAP servers in an availability set and load balanced via public VIP/443 give the 99.95% uptime? I was under the impression that traffic manager would be used in the case you have servers spread across VNet's/Regions? Are you using it for some additional monitoring? 
    Saturday, January 17, 2015 4:53 PM
  • Clients looking for site resiliency, whether it's because they're using Azure as a backup site or accounting for the risk of the Azure servers being down, would use TM. 
    Thursday, October 29, 2015 5:49 PM
  • If anyone is interested, I have outlined a solution on how to use Traffic Manager and monitor both the ADFS and WAP status at the same time. The article can be found here: http://www.gi-architects.co.uk/2017/01/traffic-manager-endpoint-monitor-and-adfs-adfsprobe/
    Friday, January 20, 2017 7:45 PM