Load balance ADFS 3.0 using Netscaler

Goal:

Load balance ADFS 3.0 using Netscaler

Prepare your ADFS 3.0:

ADFS 3.0 enables SNI on its HTTPS bindings by default. NetScaler supports SNI on the front end, where it serves clients and users, but it does not yet support SNI when connecting to back-end servers and services. So we changed the ADFS 3.0 bindings with the following PowerShell commands:

Verify the bindings:

Change the bindings:

Where

  • IPAddress:port =
    the IP address and port on which ADFS listens for requests, e.g. "0.0.0.0:443" for all addresses
  • certhash =
    copy and paste the value from the previous show command
  • appid =
    copy and paste the value from the previous show command, including the {}'s

Note: a side effect of this change is that client operating systems and browsers that do not support SNI (such as Windows XP) can also use ADFS 3.0.

Configure your Netscaler

Configure your NetScaler as you would for any load-balanced service with SSL offloading. Below is a sample configuration extracted from ns.conf:

Configure a monitor for the ADFS service:
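As an added example (not the ns.conf extract from the original post), a minimal NetScaler CLI configuration for the setup described above. The server names, IP addresses, certificate file names, the hostname adfs.example.com and the monitor receive string are assumed. The services are SSL type, so the NetScaler re-encrypts to port 443 on the ADFS servers without sending SNI, which is exactly why the binding change in the previous section is needed; the monitor probes the IdP-initiated sign-on page instead of the federation metadata document, the approach a commenter below recommends.

```netscaler
# Added example, not the original post's ns.conf extract.
# Assumed values: the server IPs, the VIP 10.0.0.100, the hostname
# adfs.example.com, the certificate/key file names and the receive string.

# Back-end ADFS servers. Service type SSL means the NetScaler re-encrypts to
# port 443 and sends no SNI on this leg, so the ADFS HTTP.sys binding must
# answer on 0.0.0.0:443 (see "Prepare your ADFS 3.0").
add server adfs01 10.0.0.11
add server adfs02 10.0.0.12
add service svc_adfs01 adfs01 SSL 443
add service svc_adfs02 adfs02 SSL 443

# Health monitor. HTTP-ECV sends the request over TLS (-secure YES) and marks
# the service UP only if the response body contains the receive string; use a
# string that really appears on your sign-on page (e.g. the federation service
# display name). Probing the sign-on page avoids the metadata-generation errors
# that polling federationmetadata.xml can log on the ADFS servers.
add lb monitor mon_adfs HTTP-ECV -send "GET /adfs/ls/IdpInitiatedSignOn.aspx" -recv "adfs.example.com" -secure YES -interval 10 -resptimeout 5
bind service svc_adfs01 -monitorName mon_adfs
bind service svc_adfs02 -monitorName mon_adfs

# Front-end virtual server, the only leg on which the NetScaler supports SNI.
# Source-IP persistence keeps one sign-on conversation on one ADFS server.
add lb vserver vs_adfs SSL 10.0.0.100 443 -persistenceType SOURCEIP -timeout 30 -lbMethod LEASTCONNECTION
bind lb vserver vs_adfs svc_adfs01
bind lb vserver vs_adfs svc_adfs02

# Certificate presented to clients (the public ADFS service certificate).
add ssl certKey ck_adfs -cert adfs.example.com.pem -key adfs.example.com.key
bind ssl vserver vs_adfs -certkeyName ck_adfs

# Do not offer SSLv2/SSLv3 on the client-facing vserver.
set ssl vserver vs_adfs -ssl2 DISABLED -ssl3 DISABLED
```

After applying it, `show service svc_adfs01` should report the service UP with the monitor probe succeeding; if it stays DOWN while a browser can reach the server directly, the back-end binding is most likely still SNI-only.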

Some extras for next time:

  • Remove the requirement for the user to specify a domain name
  • Let the NetScaler decide whether Windows Integrated Authentication is allowed or not (by inspecting HTTP headers such as User-Agent)

Sources

http://hindenes.com/trondsworking/2014/03/25/adfs-3-0-windows-xp-fail/

Cross Ref. Post

http://democenter.wordpress.com/2014/09/08/load-balancing-ssl-offloading-adfs-3-0/

Comments

  1. Thanks Koen! Great info.

    We’ve got a similar config, although we aren’t doing SSL offload with the Netscaler. We’re working on setting up a monitor for the two ADFS Proxy boxes, trying to use your information above and the federationmetadata.xml file, but the monitor goes red immediately. We can bring up the file directly by accessing the published ADFS URL, but we’re not sure exactly how this works with the proxies. (By this I mean that going to http://proxyserveraddress/federationmetadata/… doesn’t bring up the XML.)

    • Hi,

      Netscaler only supports SNI in the front-end for the moment, not to the back-end.
      If you execute the steps in “Prepare your ADFS 3.0”, you allow connections without requiring SNI. And this way you can integrate it with your Netscaler.

      Cheers,

      Koen

  2. Cheers for the info, just used it for reference in configuring our ADFS server.

    One thing that tripped me up – the netsh commands as provided need to be executed at the cmd prompt, not PowerShell. PowerShell will interpret the curly braces as a code block and so the netsh command will return the error ‘The parameter is incorrect.’.

  3. Hi Koen,

    Thank you for sharing this. I was looking to use Netscaler for ADFS, but the Citrix whitepaper with AAA and Kerberos seems to be tricky. I followed your guide and yes, it rocks!

  4. Nice guide. Thanks.

    In our environment I noticed that using “/federationmetadata/2007-06/federationmetadata.xml” in the monitor generates a lot of warnings like this in the ADFS server event log:
    “The Federation Service was unable to create the federation metadata document as a result of an error.
    Document Path: /federationmetadata/2007-06/federationmetadata.xml

    Additional Data

    Exception details:
    System.Net.HttpListenerException (0x80004005): The specified network name is no longer available
    at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size)
    at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result)”

    That’s why I’m using these settings in my environment, which seem to do the same thing without the warnings.
    – Send String: “/adfs/ls/IdpInitiatedSignOn.aspx”
    – Receive String: adfs service name

  5. Great Read!

    I’ve got a similar setup: I’ve made an external VIP for load-balancing the WAP servers and then another for external ADFS requests from the WAP to the internal ADFS servers. However, when running through the config wizard to add the WAP server as a proxy, it times out; it can’t talk to the ADFS boxes via the VIP I made, which was a simple basic LB.

    Any ideas, or do I have to configure it directly against the ADFS box just for the initial config, then remove that and have it route via the VIP going forward?

Webmentions

  • Citrix NetScaler v11 – How to setup your NetScaler as an AD FS proxy – blog – Alexander Ollischer | Citrix | Microsoft April 11, 2016

  • QRG | Quick Reference Guide | Active Directory Federation Services | aka.ms/ADFSLinks – Allergic To Code April 11, 2016

  • Load Balancing AD FS 2012 R2 3.0 and Web Application Proxy With Netscaler | P2Vme Blog: Virtually Everything April 11, 2016

  • Load balancing – SSL Offloading – ADFS 3.0 | BB Democenter Blog - Belgium April 11, 2016