AWS Managed AD ADFS user sign-on URL is not accessible outside of the ADFS server.

0

We have set up a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx).

ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server.

The issue is that this URL only opens when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other, and Nmap displays all the open ports on the ADFS server.

Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them.

We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing?

Both links below were used for setting up ADFS on AWS Managed AD:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

Thank you.

1 Answer
0

Hello! According to your description, you might be running into either DNS resolution issues or the traffic being blocked by the instance. Please do an nslookup on a separate EC2 instance for the domain name the ADFS website has. If you cannot resolve it, that would explain the issue you are having. If the Managed AD DNS can resolve it, you might need to set a conditional forwarder to ensure the DNS traffic for the zone is sent to the VPC's Route 53 resolver (which is the VPC network address +2, so for example if your VPC is 10.0.0.0/16 then the DNS is 10.0.0.2).

If you are able to resolve it, then check the security groups, network ACLs and route table. Ensure that TCP 443 is allowed. You can run this PowerShell command to validate connectivity:

Test-NetConnection <domain or IP address of ADFS> -Port 443

AWS
SUPPORT ENGINEER
answered 2 years ago
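The answer above lists the checks in order: name resolution on the second instance, resolution through the VPC-provided resolver, and TCP 443 reachability. The following PowerShell script, added here as an illustration and not part of the original re:Post thread or of AWS's own tooling, runs those checks from the instance that cannot open the sign-on page and then attempts an HTTPS GET of the sign-on URL so that a DNS failure, a blocked port, and an untrusted ADFS certificate each show up as a distinct result. The ADFS name (sts.contoso.com) and VPC CIDR (10.0.0.0/16) are the example values from the thread and are placeholders to replace.

```powershell
# Added diagnostic example (not from the original thread). Save as Test-AdfsReachability.ps1
# and run it on the EC2 instance that cannot open the ADFS sign-on page.
# Placeholders: $AdfsFqdn is the thread's example ADFS name, $VpcCidr the answer's example VPC.
param(
    [string]$AdfsFqdn = 'sts.contoso.com',
    [string]$VpcCidr  = '10.0.0.0/16'
)

function Get-VpcResolverAddress {
    # The VPC-provided DNS resolver lives at the VPC network address + 2 (10.0.0.0/16 -> 10.0.0.2).
    param([string]$Cidr)
    $bytes = [System.Net.IPAddress]::Parse($Cidr.Split('/')[0]).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> host order for BitConverter
    $asInt = [BitConverter]::ToUInt32($bytes, 0) + 2
    $out   = [BitConverter]::GetBytes([uint32]$asInt)
    [Array]::Reverse($out)                         # back to network order
    return ([System.Net.IPAddress]::new($out)).ToString()
}

# 1. Which DNS servers does this instance actually use? (Domain-joined instances in Managed AD
#    normally point at the Managed AD DNS addresses from the VPC's DHCP options set.)
Write-Host '== DNS servers configured on this instance =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Resolve the ADFS name via the default servers and via the VPC resolver. If only the
#    VPC resolver answers, the Managed AD DNS needs a conditional forwarder for the zone.
$vpcResolver = Get-VpcResolverAddress -Cidr $VpcCidr
foreach ($server in @($null, $vpcResolver)) {
    $label  = if ($server) { "VPC resolver $server" } else { 'default DNS servers' }
    $params = @{ Name = $AdfsFqdn; Type = 'A'; ErrorAction = 'Stop' }
    if ($server) { $params['Server'] = $server }
    try {
        $records = Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
        Write-Host ('[OK]   {0}: {1} -> {2}' -f $label, $AdfsFqdn, ($records.IPAddress -join ', '))
    } catch {
        Write-Host ('[FAIL] {0}: cannot resolve {1} ({2})' -f $label, $AdfsFqdn, $_.Exception.Message)
    }
}

# 3. TCP 443 reachability (the same check the answer recommends).
$tcp = Test-NetConnection -ComputerName $AdfsFqdn -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host ('[OK]   TCP 443 open on {0} ({1})' -f $AdfsFqdn, $tcp.RemoteAddress)
} else {
    Write-Host ('[FAIL] TCP 443 not reachable on {0}; check security groups, NACLs, route table' -f $AdfsFqdn)
}

# 4. HTTPS GET of the sign-on page. A TrustFailure means the network path is fine but this
#    instance does not trust the ADFS certificate's issuing CA.
$url = "https://$AdfsFqdn/adfs/ls/idpinitiatedsignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    Write-Host ('[OK]   HTTP {0} from {1}' -f $resp.StatusCode, $url)
} catch {
    $ex = $_.Exception
    if ($ex -is [System.Net.WebException] -and
        $ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Host "[FAIL] TLS reached ADFS but its certificate is not trusted on this instance (import the issuing CA into Trusted Root Certification Authorities)"
    } elseif ($ex -is [System.Net.WebException] -and $ex.Response) {
        Write-Host ('[WARN] ADFS answered HTTP {0} for {1}' -f [int]$ex.Response.StatusCode, $url)
    } else {
        Write-Host ('[FAIL] {0}: {1}' -f $url, $ex.Message)
    }
}
```

Run the checks against the ADFS host name rather than its IP address: the ADFS HTTPS binding is an SNI binding in HTTP.sys, so a request addressed to the bare IP does not reach the ADFS site even when DNS and port 443 are fine. The TrustFailure branch is the usual reason a page that opens locally on the ADFS server (where the certificate was issued or installed) fails on a second instance that has never seen the issuing CA.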
