AWS Managed AD ADFS user sign-on URL is not accessible outside of ADFS server.
We have set up a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx).
ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server.
The issue is that this URL only opens when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other, and Nmap shows all the open ports on the ADFS server.
Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them.
We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing?
Both links below were used for setting up ADFS on AWS Managed AD:
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
Thank you.
Hello! According to your description, you might be running into either DNS resolution issues or the traffic being blocked by the instance. Please do an nslookup on a separate EC2 instance for the domain name the ADFS website has. If you cannot resolve it, that would explain the issue you are having. If the Managed AD DNS can resolve it, you might need to set a conditional forwarder to ensure the DNS traffic for the zone is sent to the VPC's Route 53 resolver (which is the VPC network address + 2, so for example if your VPC is 10.0.0.0/16 then the DNS is 10.0.0.2).
If you are able to resolve it, then check the security groups, network ACLs and route table. Ensure that TCP 443 is allowed. You can run this PowerShell command to validate connectivity:
Test-NetConnection <domain or IP address of ADFS> -Port 443
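The checks in the answer above, worked through as one PowerShell script. This is an added example, not code from the original post or from AWS; run it on the second (non-ADFS) EC2 instance. The ADFS name sts.contoso.com, the VPC CIDR 10.0.0.0/16 and the assumption that the ADFS certificate's subject matches that name are placeholders taken from the question, so adjust them to your environment.

```powershell
# Added example: walk through the DNS, TCP and TLS checks from the answer on the
# non-ADFS instance. $AdfsFqdn and $VpcCidr are assumed placeholder values.
param(
    [string]$AdfsFqdn = 'sts.contoso.com',   # assumed ADFS service name from the question
    [string]$VpcCidr  = '10.0.0.0/16'        # assumed VPC CIDR; Amazon resolver is base + 2
)

# 1. Which DNS servers does this instance really use? With a Managed AD domain join,
#    these are normally the two Managed AD DNS addresses, not the VPC resolver.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
"Configured DNS servers: $($dnsServers -join ', ')"

# 2. Derive the Amazon-provided VPC resolver address (VPC network address + 2).
$base = $VpcCidr.Split('/')[0].Split('.')
$vpcResolver = '{0}.{1}.{2}.{3}' -f $base[0], $base[1], $base[2], ([int]$base[3] + 2)
"VPC resolver (base + 2): $vpcResolver"

# 3. Ask each candidate resolver for the ADFS name. If only the VPC resolver answers,
#    the Managed AD DNS servers are not forwarding the zone: that is the conditional
#    forwarder / Route 53 Resolver case described in the answer.
$candidates = @($dnsServers) + $vpcResolver | Select-Object -Unique
foreach ($server in $candidates) {
    try {
        $a = Resolve-DnsName -Name $AdfsFqdn -Server $server -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
        '  {0,-16} -> {1}' -f $server, ($a.IPAddress -join ', ')
    } catch {
        '  {0,-16} -> NO ANSWER ({1})' -f $server, $_.Exception.Message
    }
}

# 4. TCP path check from the answer (security groups, NACLs, route table, host firewall).
$tnc = Test-NetConnection -ComputerName $AdfsFqdn -Port 443 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    "TCP 443 to $AdfsFqdn FAILED (resolved to $($tnc.RemoteAddress)); check SG/NACL/route/firewall."
    return
}
"TCP 443 to $($tnc.RemoteAddress) OK"

# 5. Application-layer check: fetch the IdP-initiated sign-on page over TLS by name.
#    Use the FQDN, never the IP, so the ADFS certificate's subject is actually validated;
#    do not work around a name mismatch by disabling certificate checks.
$signOn = "https://$AdfsFqdn/adfs/ls/idpinitiatedsignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $signOn -UseBasicParsing -TimeoutSec 15
    "Sign-on page: HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
} catch {
    "Sign-on page request failed: $($_.Exception.Message)"
}
```

Reading the output: a name that resolves only via the VPC resolver points at DNS forwarding between Managed AD DNS and Route 53, a resolved name with a failed step 4 points at network filtering, and a resolved name with TCP working but step 5 failing usually means the certificate or the ADFS HTTPS binding does not match the FQDN you are using. Note that Test-NetConnection is a TCP connect test only; it does not prove the TLS listener belongs to ADFS, which is why step 5 is included.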
Hello Francisco, thank you for your assistance on this question. You guided us in the right direction, and we ended up resolving the issue using the Route 53 Resolver endpoints. We followed this article: https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/
asked 2 months ago