In recent posts, I’ve been flicking between two configuration states on two different trunks:
- Federated Trunk A
- Non-Federated Trunk B
I’ve been using two ADFS instances in the back-end, testing various combinations using the mythical sts.mydomain.com and sts1.mydomain.com endpoints.
There is one limitation that becomes very clear during testing:
an AD FS instance may be used by a single trunk only
AD FS instances cannot be shared across trunks. What !@#!... that’s crazy!! Well, not really. When you consider that UAG is proxying the federation service endpoints, this makes a lot of sense. We cannot arbitrarily share instances of our federation service across different trunks, because that goes against the very nature of a federated trust: the federation service can be represented in one and only one place. When we try to share the same service across multiple trunks, UAG chucks out the following message:
The AD FS authentication server ‘AD FS 2.0 …’ is used in more than one trunk: TrunkA, TrunkB. Configure the UAG to use the AD FS 2.0 authentication server in one trunk only.
Which reminds me of something else I needed to post…