How to select a federation service name?

When you deploy an AD FS 2.0 farm, the Federation Service Name must never equal the name of any computer account in the Active Directory forest. The farm runs under a domain service account, and Kerberos clients ask the KDC for a ticket to HOST/&lt;Federation Service Name&gt;; that servicePrincipalName (SPN) must therefore be registered on the service account, and an SPN can be registered to only one account in the forest. If a computer already owns the name, the SPN is taken and Kerberos authentication to the Federation Service cannot succeed.

Scenario 1: Non-working scenario
The Federation Service Name is ADFS.POCOFFICE365.COM and the host names of the two Federation Servers in your farm are ADFS.POCOFFICE365.COM and ADFS2.POCOFFICE365.COM. Kerberos authentication will fail because your AD FS 2.0 service account needs the SPN HOST/ADFS.POCOFFICE365.COM registered to it. Since a computer named ADFS.POCOFFICE365.COM already exists in Active Directory, the HOST/ADFS.POCOFFICE365.COM SPN is already registered to that computer account (every computer account implicitly owns HOST/ for its own name), so registering the same SPN to your AD FS 2.0 service account is not an option: duplicate SPNs are not allowed, and setspn will refuse to add one.

Scenario 2: Working scenario
The Federation Service Name is SSO.POCOFFICE365.COM and the host names of the two Federation Servers in your farm are ADFS.POCOFFICE365.COM and ADFS2.POCOFFICE365.COM. Kerberos authentication can succeed because the SPN HOST/SSO.POCOFFICE365.COM can be registered to your AD FS 2.0 service account: neither of the AD FS 2.0 servers nor any other account in the Active Directory forest holds that SPN.
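The following PowerShell is an added example, not code from the original post: it checks a candidate Federation Service Name against the forest the way the two scenarios above describe (no computer account with that name, and HOST/ or HTTP/ for that name not already held by another account) and can then register the HOST/ SPN on the farm's service account. It assumes the ActiveDirectory RSAT module and setspn.exe are available, that you run it with rights to read the forest and, for -Register, to write the service account's servicePrincipalName; the names and the service account POCOFFICE365\svc_adfs are hypothetical.

```powershell
# Added example, not part of the original post: validate a candidate AD FS 2.0
# Federation Service Name against the forest before building the farm.
# Assumes the ActiveDirectory RSAT module and setspn.exe; all names are hypothetical.
Import-Module ActiveDirectory

function Test-FederationServiceName {
    param(
        [Parameter(Mandatory)] [string] $FederationServiceName,  # e.g. sso.pocoffice365.com
        [Parameter(Mandatory)] [string] $ServiceAccount,         # e.g. POCOFFICE365\svc_adfs
        [switch] $Register                                        # add HOST/<name> to the service account if clean
    )

    $problems  = @()
    $shortName = ($FederationServiceName -split '\.')[0]
    $sam       = $ServiceAccount.Split('\')[-1]
    $svcDn     = (Get-ADUser -Identity $sam).DistinguishedName
    # Query the global catalog so the check covers the whole forest, not just this domain.
    $gc        = "$((Get-ADForest).RootDomain):3268"

    # 1. The name must not be any computer's name. A computer account implicitly owns
    #    HOST/<its name>, so that SPN can never be moved to the service account.
    Get-ADComputer -Server $gc -Filter "dNSHostName -eq '$FederationServiceName' -or Name -eq '$shortName'" |
        ForEach-Object { $problems += "Computer account exists with this name: $($_.DistinguishedName)" }

    # 2. Nothing else in the forest may already hold HOST/ or HTTP/ for the name.
    #    -eq against the multi-valued servicePrincipalName attribute matches any one value.
    foreach ($spn in "HOST/$FederationServiceName", "HTTP/$FederationServiceName") {
        Get-ADObject -Server $gc -Filter "servicePrincipalName -eq '$spn'" |
            Where-Object { $_.DistinguishedName -ne $svcDn } |
            ForEach-Object { $problems += "$spn is already registered to $($_.DistinguishedName)" }
    }

    $ok = ($problems.Count -eq 0)
    if ($ok -and $Register) {
        # setspn -S checks for duplicates before adding, so it is a second safety net.
        & setspn.exe -S "HOST/$FederationServiceName" $sam
        if ($LASTEXITCODE -ne 0) {
            $problems += "setspn -S failed with exit code $LASTEXITCODE"
            $ok = $false
        }
    }

    [pscustomobject]@{
        FederationServiceName = $FederationServiceName
        ServiceAccount        = $sam
        IsValid               = $ok
        Problems              = $problems
    }
}

# Scenario 1: the name equals a farm member's host name, so this reports the conflict.
Test-FederationServiceName -FederationServiceName 'adfs.pocoffice365.com' -ServiceAccount 'POCOFFICE365\svc_adfs'

# Scenario 2: a name no computer or account owns; -Register adds HOST/sso.pocoffice365.com to the service account.
Test-FederationServiceName -FederationServiceName 'sso.pocoffice365.com' -ServiceAccount 'POCOFFICE365\svc_adfs' -Register
```

The check is done against the global catalog (port 3268) rather than the local domain because SPN uniqueness is enforced per forest; a name that looks free in your domain can still be owned by a computer account elsewhere in the forest. After registering, `setspn -L svc_adfs` lists what the service account now holds, and `setspn -X` reports any duplicate SPNs forest-wide.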
