AD FS Device Registration CNAME records

I researched all over but couldn't find an answer, so I am hoping someone can help me or lead me to a solution/answer. I have two (2) AD FS farms in the same Active Directory domain. I will call them sts.contoso.com and sts-test.contoso.com. I need to set up/enable device registration on both: first sts-test and then sts. Everywhere I have read, it says to use EnterpriseRegistration.contoso.com for the DNS CNAME. Can I use any other name than EnterpriseRegistration? The issue I am facing is that both my AD FS farms use the same internal DNS zone, contoso.com. So if I create a CNAME EnterpriseRegistration.contoso.com and point it to sts-test.contoso.com, then I will not be able to create another CNAME EnterpriseRegistration.contoso.com pointing to sts.contoso.com.
Can I modify this DNS suffix to say EnterpriseRegistration1.contoso.com and EnterpriseRegistration2.contoso.com? Will this work?
Thanks
Isaac Oben MCITP:EA, MCSE, MCC

Hi Isaac.. no I don't believe that's possible.. I'd suggest using another (subordinate) zone, e.g. test.contoso.com and then placing the appropriate records beneath, or using a different domain. There's nothing that binds the chosen AD FS domain name to
the AD domain per se, so it could even be foo.com, assuming the appropriate zone is registered for internal and external (internet) use.
http://blog.auth360.net

Similar Messages

  • "SOME" devices can resolve the ALIAS (CNAME record) for a device, but not the REAL name (A record) - Why? How do I fix this?

    I'm running the DNS server role on Windows Server 2012 R2 on a physical machine on my home network.
    My AD is configured with a non-registered name - let's say it's "home.acme.ca" and the DNS server is configured to host that zone.  I also configured a 2nd zone in the DNS server called "myinf.acme.ca".  They both run on a physical server with an IP of 192.168.1.10.
    The DHCP server on my Cable Modem is configured to hand out 192.168.1.10 as the only DNS server to every device on my network.  On my servers (with static IP addresses), 192.168.1.10 is configured as the only DNS server available for them.
    I took the DNS servers from my Cable Provider and configured a Forwarder on my server to send name resolution requests to them only if my DNS server cannot answer the request - basically for any name resolution request that does not end with ".home.acme.ca" or ".myinf.acme.ca".
    The "home.acme.ca" zone is populated with 'A' records for all of the physical and virtual servers and PCs on my network.
    The "myinf.acme.ca" zone is populated with 'CNAME' records that point directly to the 'A' record in "home.acme.ca" - for example, I have a server named s000abc123ww.home.acme.ca with an 'A' record providing an IP address of 192.168.1.20, and I created a 'CNAME' (alias) record named 'webserver.myinf.acme.ca' which points to the 'A' record 's000abc123ww.home.acme.ca'.
    2 of my 6 machines can resolve the alias but not the real name of the server!
    .10 is the Domain Controller.  All of the other machines (except .98) are members of the home.acme.ca domain.
    I attempted to ping 's000abc123ww.home.acme.ca' AND 'webserver.myinf.acme.ca' on the following 6 computers.  I used the fully qualified name in all cases.
    4 of the below machines are able to resolve BOTH names.  The other 2 can resolve the Alias but not the real name!
    I don't understand how this is possible, but I would like to fix it...!!!  Please help?
    .10 - Server 2012 R2 (Physical) -  Hosts Active Directory and DNS.
    .20 - Server 2012 R2 (Virtual)   -  Runs SQL Server
    .21 - Server 2012 R2 (Virtual)   -  Runs Apache
    .22 - Server 2012 R2 (Virtual)  -   Runs Apache.  This is the device I am trying to ping (s000abc123ww)
    .98 - Windows 7 (Physical)
    .99 - Windows 7  (Virtual)
    .21 (which is configured nearly identically to .20 and .22) can resolve and ping the Alias, but not the real name.
    .98 can also resolve and ping the Alias, but not the real name.
    The rest of the machines can resolve and ping both the alias and the real name.
    All of the Virtual Machines are running under Hyper-V on the .10 physical server.
    All the devices are on the same subnet.
    Thanks in advance to anyone who can help me understand and correct this problem!
    Jim

    Hi,
    CNAME resource records are recommended for use in the following scenarios:
    • When a host that is specified in an A resource record in the same zone needs to be renamed
    • When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual A resource records) that provide the same service, for example, a group of redundant Web servers
    Therefore please try to create your CNAME record in the same zone and try again.
    The related KB:
    Adding, Changing, and Deleting Resource Records
    http://technet.microsoft.com/en-us/library/cc779020(v=ws.10).aspx
    Hope this helps.
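Added example, not code from either thread: a small Python model of the zone and CNAME rules behind Isaac's AD FS question at the top of the page and Jim's alias question in this thread. It assumes that an AD FS registering client looks up enterpriseregistration.<UPN suffix> (so each suffix needs exactly one alias) and that a resolver follows a CNAME to its A record across zones; zone and host names are taken from the posts, the IP addresses are constructed.

```python
from collections import defaultdict

# Toy model of a few authoritative zones plus the RFC 1034 CNAME rule.
# Zone names come from the posts; all addresses below are constructed.

class ZoneSet:
    def __init__(self, zone_names):
        # longest zone first so zone_for() does longest-suffix matching
        self.zones = sorted((z.lower().strip(".") for z in zone_names), key=len, reverse=True)
        self.records = defaultdict(list)  # owner name -> [(rtype, rdata)]

    def zone_for(self, fqdn):
        fqdn = fqdn.lower().strip(".")
        for zone in self.zones:
            if fqdn == zone or fqdn.endswith("." + zone):
                return zone
        return None

    def add(self, fqdn, rtype, rdata):
        fqdn = fqdn.lower().strip(".")
        if self.zone_for(fqdn) is None:
            raise ValueError(f"{fqdn}: not inside any zone hosted here")
        existing = self.records[fqdn]
        # A CNAME must be the only record at its owner name, so one name carries
        # one alias: a zone cannot hold two enterpriseregistration CNAMEs, one per farm.
        if rtype == "CNAME" and existing:
            raise ValueError(f"{fqdn} already has {existing}; cannot add CNAME")
        if rtype != "CNAME" and any(t == "CNAME" for t, _ in existing):
            raise ValueError(f"{fqdn} is a CNAME; no other records allowed")
        if rtype == "CNAME":
            rdata = rdata.lower().strip(".")
        existing.append((rtype, rdata))

    def resolve(self, fqdn, max_hops=8):
        """Follow CNAMEs to A records; None if the chain dead-ends or loops."""
        name = fqdn.lower().strip(".")
        for _ in range(max_hops):
            recs = self.records.get(name, [])
            addrs = [d for t, d in recs if t == "A"]
            if addrs:
                return addrs
            targets = [d for t, d in recs if t == "CNAME"]
            if not targets:
                return None
            name = targets[0]
        return None

def plan_adfs_registration(zs, farms):
    """farms: {upn_suffix: adfs_fqdn}; adds enterpriseregistration.<suffix> -> farm."""
    added = []
    for suffix, farm in farms.items():
        alias = f"enterpriseregistration.{suffix}"
        zs.add(alias, "CNAME", farm)
        added.append((alias, farm))
    return added

def adfs_two_farms():
    """Isaac's case: a second alias in one zone fails; a child zone works."""
    one = ZoneSet(["contoso.com"])
    plan_adfs_registration(one, {"contoso.com": "sts-test.contoso.com"})
    try:
        plan_adfs_registration(one, {"contoso.com": "sts.contoso.com"})
        clash = None
    except ValueError as err:
        clash = str(err)
    two = ZoneSet(["contoso.com", "test.contoso.com"])
    two.add("sts.contoso.com", "A", "10.0.0.1")      # constructed addresses
    two.add("sts-test.contoso.com", "A", "10.0.0.2")
    plan_adfs_registration(two, {"contoso.com": "sts.contoso.com",
                                 "test.contoso.com": "sts-test.contoso.com"})
    return (clash, two.resolve("enterpriseregistration.contoso.com"),
            two.resolve("enterpriseregistration.test.contoso.com"))

def alias_across_zones():
    """Jim's layout: CNAME in myinf.acme.ca -> A record in home.acme.ca."""
    zs = ZoneSet(["home.acme.ca", "myinf.acme.ca"])
    zs.add("s000abc123ww.home.acme.ca", "A", "192.168.1.20")
    zs.add("webserver.myinf.acme.ca", "CNAME", "s000abc123ww.home.acme.ca")
    return (zs.resolve("webserver.myinf.acme.ca"),
            zs.resolve("s000abc123ww.home.acme.ca"))
```

In Jim's case the model returns the same address for alias and real name, which is what a correct resolver does; a client that gets the alias but not the A record is therefore not consulting the same server for both lookups.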

  • ADFS Device Registration

    I have one application proxy and one adfs server. Right now normal sso works (utilizing Office 365 services). I am trying to configure two-factor using device registration. I was able to join an internal computer using Workplace join.
    I am trying to install an iPhone that's connected to the public internet. I can get to the otaprofile fine, but when I click install I get an error saying "A connection to the server could not be established." I ran the update command on my proxy
    server. Backend servers are enabled and initialized.
    In my certificate, I added enterpriseregistration as a SAN. My common name is sts.companyname.com. Public DNS has a CNAME from enterpriseregistration to sts. sts is an A record pointing to the proxy server. The proxy server is using a hosts file to reach the internal servers.
    Any thoughts? Am I missing something?
    -- Michael

    Hello,
    please see
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/195399e6-b5dd-46cf-a351-228bd62b24d8/adfs-specific-question-post-on-the-adfs-forum?forum=winserverDS
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • How do I skip the Device Registration Portal for Cisco ISE web portal

    I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and WLC 5500 running 7.4. After logging into the initial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log on sequence for guest user access? Thanks!

    Hello Scoot,
    Make a list of the MAC addresses of corporate devices, and set a rule so that if authentication doesn't happen, only these devices can do the self-registration.
    I hope this works for you

  • Sybase device registration

    Hello,
    We are at the beginning of evaluating the Sybase Unwired Platform and are stuck in the following situation.
    We created an MBO, deployed it to the SUP server, generated the iOS code, included it in our app and are now trying to connect to the server with the following settings:
    DEVICE:
    ServerName: myServer.local  (the sup is running in a VM)
    ServerPortSetting: 5001
    CompanyIDSetting: 0
    UserNameSetting: supAdmin
    ActivationCodeSettings: 123
    URL Prefix: /tm?cid=%cid%
    SCC- Device Registration:
    Activation user name: supAdmin
    Server name: myServer
    Port: 5001
    FarmID: 0
    Activation Code: 123
    For the connection we use the following code:
    SUPConnectionProfile* cp = [iMAM_IMAMDB getSynchronizationProfile];
    [cp setDomainName:@"default"];
    // Set log level
    [MBOLogger setLogLevel:LOG_INFO];
    if (![iMAM_IMAMDB databaseExists]) {
        [iMAM_IMAMDB createDatabase];
    }
    CallbackHandler* databaseCH = [CallbackHandler newInstance];
    [iMAM_IMAMDB registerCallbackHandler:databaseCH];
    [iMAM_IMAMDB startBackgroundSynchronization];
    NSInteger stat = [SUPMessageClient start];
    if (stat == kSUPMessageClientSuccess) {
        // Block until the message client reports a live connection to the SUP server
        while ([SUPMessageClient status] != STATUS_START_CONNECTED) {
            [NSThread sleepForTimeInterval:0.2];
            NSLog(@"wait for connection to the sup server!");
        }
        [iMAM_IMAMDB beginOnlineLogin:@"supAdmin" password:@"s3pAdmin"];
        // Then block until the online login leaves the pending state
        while ([iMAM_IMAMDB getOnlineLoginStatus].status == SUPLoginPending) {
            [NSThread sleepForTimeInterval:0.2];
            NSLog(@"wait for connection to the sup server!");
        }
    }
    The problem is that we currently never leave the first while loop, which means we do not get a connection to the SUP server. In the SCC I do not see any incoming requests from my device - "Activation still pending".
    Any clue what causes this strange behaviour?
    Are there any further Sybase monitoring capabilities which could help me get more information about this?
    In general the Sybase SCC can be reached by the device, which means that the TCP channel is open.
    We are running on Sybase 1.5.5 and iOS 4.2.
    Looking forward to sharing my experiences with you here.
    Jens

    Hi, try to use the same server name in the SCC (myServer.local).
    Does the program run on the device or on the simulator? Try to telnet to myServer.local on port 5001.
    If it still does not work, try this:
    if (result == kSUPMessageClientSuccess) {
        [iMAM_IMAMDB asyncOnlineLogin:@"supAdmin" password:@"s3pAdmin"];
        // Wait for the callback handler to report a successful login
        while ([databaseCH loginSuccessCount] < 1) {
            [NSThread sleepForTimeInterval:1];
        }
        [window addSubview:navController.view];
        [window makeKeyAndVisible];
    } else {
        [self showNoTransportAlert:result];
    }
    Edited by: Alessandro Iannacci on Apr 6, 2011 10:43 AM

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am I really obliged to use native supplicant provisioning to register my device?
    GN

    Hi
    Device Registration web auth is a process where you can register users without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
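Added example, not Cisco code or code from this thread: a Python model of the six-step DRW flow described in the answer above, with the endpoint identity store, the MAB decision and the CoA as separate pieces so each step can be observed. The identity group name, MAC and NAD names are constructed; the model keys endpoints on MAC only, exactly as the flow does.

```python
from dataclasses import dataclass, field

# Illustrative model of the DRW decision logic, not Cisco ISE code.
# Every MAC, NAD name and group name here is constructed.

@dataclass
class Endpoint:
    mac: str
    aup_accepted: bool = False
    identity_group: str = "Unknown"


@dataclass
class IseNode:
    # Identity group the portal configuration assigns to registered endpoints
    guest_group: str = "GuestEndpoints"
    endpoints: dict = field(default_factory=dict)   # endpoint identity store
    coa_log: list = field(default_factory=list)     # CoA terminations sent to NAD/WLC

    def mab_request(self, mac):
        """Steps 1 and 6: answer a MAB request with an authorization profile.
        The lookup is by MAC alone, which is why later replies in this page
        warn that MAC-only registration is easy to spoof."""
        ep = self.endpoints.get(mac)
        if ep is None or not ep.aup_accepted:
            return {"result": "URL-Redirect", "portal": "DRW-AUP"}
        return {"result": "PermitAccess", "identity_group": ep.identity_group}

    def aup_decision(self, mac, accepted, nad):
        """Steps 2 to 5: record the user's decision on the AUP page."""
        if not accepted:                                      # step 4: error page
            return "error-page"
        ep = self.endpoints.setdefault(mac, Endpoint(mac))    # step 2: create if new
        ep.aup_accepted = True                                # steps 2 and 3
        ep.identity_group = self.guest_group                  # step 3: portal's group
        self.coa_log.append((nad, mac, "terminate"))          # step 5: CoA to NAD/WLC
        return "success-page"


def drw_walkthrough(mac="aa:bb:cc:dd:ee:01", nad="wlc-1", accept=True):
    """Run one endpoint through the flow and return the observable results."""
    ise = IseNode()
    first = ise.mab_request(mac)                 # step 1: unknown MAC -> redirect
    page = ise.aup_decision(mac, accept, nad)
    if page == "success-page":                   # step 6: NAD re-sends MAB after CoA
        second = ise.mab_request(mac)
    else:
        second = None                            # no CoA, session stays redirected
    return first, page, second, ise.coa_log
```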

  • ISE 1.2 Guest Portal - Device registration portal

    Hello,
    I have a problem with the following setup:
    - Cisco ISE 1.2 (latest patch)
    - Cisco WiSM with 7.0.220.0 (first generation)
    I have built Guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with an iPad the client is redirected to the ISE guest portal and the user can enter his credentials (delivered by the Sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and needs to register his MAC address.
    We have tried a lot of different settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
    Please can someone help me to find a solution for this problem?
    Thank you in advance.

    I know this might be reaching, but have you turned off the My Devices portal?
    If so, an idea of the different settings you have already tried might help.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2 Device registration problem

    I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
    I cannot seem to find any information on those errors from the manuals.
    What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
    ISE 1.2

    Hi Harri,
    What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few (i.e. same type, same vendor...)?
    If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
    https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
    Therefore if you are using the custom portal, can you instead try with a default portal?
    Thanks,
    Aastha

  • Ise 1.2 Device Registration not auto filling the MAC field

    Hello
    I have installed 1.2 and when guests login, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC address is empty. I can remember it was prefilled in previous ISE versions.
    Is this normal behavior on 1.2? I have configured calling station ID on MAC instead of IP; are there any other things that I need to configure to get this working?
    90% of the users don't know what a MAC address is, or where to find it.
    Greetings
    Steven

    Peter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
    Steven, it sounds like you have enabled the option in the Guest Portal to allow Device Registration.  This option is intended to be used by Guest accounts only and does NOT support auto-populating the MAC address.  This was a very limited feature introduced in 1.0.
    This feature should not be confused with the DRW or NSP flows for device registration.  For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7.  However, the CWA+NSP flow will not work for guest user accounts if you enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users.  That said, it will still work if you redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
    I would recommend the CWA+DRW option for Guest users as it is simpler, more streamlined, and you can assign a unique Identity Group such as "GuestEndpoints" to these devices.  This makes future cleanup easier and maintains them separately from employee RegisteredDevices.  The ISE 1.2 ERS API can be used to programmatically delete these endpoints periodically.
    Hope that helps to clarify.

  • ISE 1.2: Employee with personal device registration

    Hi experts,
    I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
    but looking for a detailed configuration to get following to work:
    Employees have access to the network with their corporate devices. No problem.
    Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
    I guess letting employees register their private devices by MAC address on the My Devices portal would be the most sufficient solution.
    Does anyone have a detailed configuration or link how to achieve that?
    Thanks,
    Frank

    Having BYOD access be based on MAC address only is not really ideal and also not secure. A MAC address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
    If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)
    Hope this helps!
    Thank you for rating helpful posts!

  • Unable to run the application via DNS CName record.

    I have Windows Server 2008 R2 running an application that connects to a database via a DNS CNAME record. The application was working fine until after yesterday when it could no longer connect to the database. The database server is up and running without any issues. You have verified remote connectivity to the database server from your workstation.
    How would you troubleshoot the issue and what are the steps to resolve it?

    It might be that the application does not support using aliases for DNS resolution. You will need to contact your application developer/vendor for assistance.
    To make sure that DNS resolution works properly from the infrastructure level, you can simply use
    nslookup and make sure that the resolution is done properly.
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  • ISE 1.3 iOS 8.1 Unsupported Browser Error in Device Registration Page

    I recently upgraded to ISE 1.3.  We are now getting unsupported browser errors in the device registration redirect page on iPad and iPhone iOS devices running 8.1.  We are running 7.6 as 8.0 was unstable with ISE 1.2.1.  The device registration redirect page worked fine with these same devices in ISE 1.2.1.  Is there a workaround short of turning off registration?  The "mydevices" page seems to work, but does not populate the MAC addresses of the devices like the device registration page does.

    Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
    I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
    ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
    Patrick

  • Query in Device Registration Criteria

    Hello,
    I need some more details regarding Device Registration Criteria. When I access the transaction SDOE_DEV_REGISTER, by default only the attribute name 'USER' is Mandatory. With this setting, when I register an application on a client, it registers for any available device.
    I understand that I can make more parameters mandatory for device registration in the above transaction and this is fine.
    However I see a potential problem with this. Say I am installing my application (using Custom Client) at a customer site who is already using some SAP Specific Standard Application. In this case it's quite possible that the mandatory parameters for registration are different for the SAP Standard Application and my custom application.
    How can we handle such scenarios? Any help will be appreciated.
    Regards,
    Shubham

    Hi Shubham,
    Basically, device registration parameters are for identifying the correct logical device for the physical device, based on the values of the parameters specified at the time of registration.
    This is not application specific, as at the time of registration you might not be aware of the application that is going to be installed (unless you use a setup package).
    So by default only the user name is considered for registration, which is under the assumption that each user uses only one physical device.
    Each application internally uses device attributes for distribution criteria. The values for these attributes need not be set from the device at the time of registration. In fact these must be set via receiver generation so that you can avoid wrong values entered by application users during registration. So it doesn't matter what other applications (say SAP standard apps or other vendor apps) ask for as device registration parameters, because these vary from one customer to another.
    So now what is required is a unique way to identify the correct device if a single user uses more than one device. You can choose any other device attribute (either standard or custom), say for example device_type, and set different values for the different usages. You can then instruct your end users to enter the value as per the device type they have.
    Hope this clears all your doubts...
    Regards
    Ajith

  • Automatic device registration

    I am using ISE 1.2. I have to configure automatic device registration through the Guest Portal.
    The issue is that whenever a guest logs in for the first time, he needs to enter the device MAC address manually. Is there any method so that ISE will automatically notice the device's MAC address and automatically populate it in the "Device ID" field on the Device Registration Portal?
    Regards,
    Aditya

  • ISE device registration webauth with wlc 7.0 lwa

    Is it possible to use the DRW feature with WLCs running 7.0 code?  All configuration examples refer to 7.2 code.  It's only for guest user device registration.  No profiling / provisioning.
    Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
    Thanks.

    Hi,
    The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
    For your reference here is the item in the New Features section of the 7.2 WLC release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
    thanks,
    Tarik Admani
    *Please rate helpful posts*
