ADFS site configured for Integrated Auth continually prompts for password when DNS hostname is a CNAME

I have bad habits by some accounts.  I like CNAMEs. In my mind, they allow for easy changes to the DNS namespace without having to remember IPs, and in that way create simplicity. But they are invariably frowned upon for various reasons, they create additional DNS traffic, aren’t compatible with other record types on the same namespace (MX for instance).

I’ve run into a case where use of a CNAME breaks expected functionality. In an environment using Active Directory Federation Services, if the hostname of the federation service resolves to a CNAME, Windows Integrated Authentication will not work.  As an example:

A        ->

The federation service hostname as configured in ADFS is and the actual servername of the federation server is You attempt to access a URL of the federation service under the namespace, and instead of being authenticated transparently you are prompted for a username and password as below.


Repeated attempts to enter the password fail, eventually resulting in a 401 page. Replacing the DNS CNAME with an A that points to the same IP resolves this issue. Config as below:

A  ->
A        ->

This is documented, though not as a bug, and I would not expect it to be fixed.

KB2461628 – Note resolution #4


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: