So we're finally moving to Windows Server 2019 from 2008 R2 and the new ADFS requirements are that ADFS stays behind a firewall and the Web Application Proxy will be exposed and forward any authentication requests to the actual ADFS server. So far so good.
But our initial ADFS setup did not use subdomains. So we don't have the luxury of just moving e.g. sts.domain.com to a new server. Our web server, database server and ADFS server were all responding to www.domain.com. ADFS v2 was an application under IIS after all. Poor planning, but here we are.
So now we have 2 new production servers, both running Windows Server 2019: one exposed to the internet running the Web Application Proxy, and the actual ADFS server behind a firewall. All the settings, relying party trusts and claims providers have been migrated with Microsoft's bundled scripts. All good. But our ADFS is behind a firewall, and the ADFS is configured to respond to www.domain.com, and the federation service identifier is equally www.domain.com/adfs/services/trust.
If I set it all up with sts.domain.com externally pointing to the WAP, and internally they both think the ADFS is sts.domain.com, it works just fine. I can connect, it fetches metadata and lists Claims Providers.
But when I try the same trick with www.domain.com it fails.
So I've been trying to fool the ADFS server and edited hosts files so the ADFS server thinks it's www.domain.com and the web app proxy also thinks that the ADFS server is www.domain.com internally. But obviously still responding to web requests on www.domain.com on the external interface. But when I do that the WAP refuses to connect to the ADFS server.
What gives?
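For anyone debugging the same setup, here is an added diagnostic script (not from the original post) to run on the WAP before `Install-WebApplicationProxy`. The WAP-to-ADFS trust is an HTTPS connection to the federation service name, so three things have to line up: the name must resolve on the WAP to the internal ADFS address (hosts file or split DNS), TCP 443 must pass the firewall, and the certificate ADFS presents for that SNI name must chain and match it. The hostname `www.domain.com` is the one from the question; the internal IP `10.0.0.5` is a placeholder.

```powershell
# Added diagnostic example, not part of the original post. Run on the WAP server.
# $FederationServiceName comes from the question; $ExpectedInternalIp is a placeholder.
$FederationServiceName = 'www.domain.com'
$ExpectedInternalIp    = '10.0.0.5'   # internal address of the ADFS server

# 1. Name resolution: the WAP must reach the internal ADFS, not the public www address.
$resolved = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
"Resolves to: $($resolved -join ', ')"
if ($resolved -notcontains $ExpectedInternalIp) {
    Write-Warning 'Name does not resolve to the internal ADFS server; check the hosts file or split DNS.'
}

# 2. Reachability of HTTPS through the firewall.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
if (-not $tcp.TcpTestSucceeded) { Write-Warning 'TCP 443 to ADFS is blocked.' }

# 3. TLS: ADFS on 2019 selects its certificate by SNI, and the WAP validates the
#    chain and the name. AuthenticateAsClient throws on either kind of mismatch.
$client = New-Object System.Net.Sockets.TcpClient($FederationServiceName, 443)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($FederationServiceName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject: $($cert.Subject)"
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { "SAN: $($san.Format($false))" }
}
catch {
    Write-Warning "TLS handshake to $FederationServiceName failed: $($_.Exception.Message)"
}
finally {
    $ssl.Dispose(); $client.Dispose()
}

# 4. On the ADFS server itself, confirm the name it is actually configured with
#    (HostName must equal the name the WAP is given as -FederationServiceName):
#    Get-AdfsProperties | Select-Object HostName, Identifier
#
# 5. Only once 1-3 pass, establish the trust with the same name and a certificate
#    whose thumbprint covers it:
#    Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
#        -FederationServiceTrustCredential (Get-Credential) `
#        -CertificateThumbprint '<thumbprint of the www.domain.com certificate>'
```

If step 3 fails with a name or chain error while step 1 points at the right box, the hosts-file trick is working and the problem is the certificate ADFS is presenting for `www.domain.com` (or a certificate bound to a different SNI name), not the connectivity.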