Goal:
Load balance ADFS 3.0 using Netscaler
Prepare your ADFS 3.0:
ADFS 3.0 by default activates SNI in its network bindings. Netscaler supports SNI on the front side, serving clients and users, but it does not yet support SNI when connecting to the back-end servers and services. So we changed the bindings of ADFS 3.0 using the following PowerShell commands:
Verify the bindings:
netsh http show sslcert
Change the bindings:
netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY
Where:
- IPAddress:port = listening IP address for ADFS requests, e.g. "0.0.0.0:443" for all addresses
- certhash = copy and paste the value from the previous show command
- appid = copy and paste the value from the previous show command, including the {}'s
Note: by the way, changing these settings also allows client OSes or browsers that don't support SNI (like Windows XP) to use ADFS 3.0.
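As an added example (not part of the original post), the following PowerShell script automates the two netsh steps above: it reads the existing SNI (hostname) binding for the ADFS host, pulls out its certhash and appid, and re-adds them as an IP-based binding that a non-SNI back-end connection can use. It assumes the usual field labels of "netsh http show sslcert" output ("Hostname:port", "Certificate Hash", "Application ID") and that the host name and listener below are placeholders for your own.

```powershell
# Added example, not from the original post. Converts the ADFS 3.0 SNI binding into an
# ipport binding with the same certificate and application id.
# Assumes English "netsh http show sslcert" output, bindings separated by blank lines.
param(
    [string]$AdfsHost = 'adfs.blubird.be',   # hostname of the existing SNI binding (placeholder)
    [string]$IpPort   = '0.0.0.0:443'         # new listener: all addresses, port 443
)

# Dump the current bindings and split them into one text block per binding
$raw    = (& netsh http show sslcert) -join "`n"
$blocks = $raw -split "`n\s*`n"

# Find the hostname:port binding that belongs to the ADFS host
$block = $blocks |
    Where-Object { $_ -match "Hostname:port\s*:\s*$([regex]::Escape($AdfsHost)):\d+" } |
    Select-Object -First 1
if (-not $block) { throw "No SNI binding found for $AdfsHost; nothing to convert." }

# ADFS must keep the same certificate and application id on the new binding
$certHash = ([regex]::Match($block, 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')).Groups[1].Value
$appId    = ([regex]::Match($block, 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})')).Groups[1].Value
if (-not $certHash -or -not $appId) { throw "Could not parse certhash/appid from:`n$block" }

Write-Host "Binding $IpPort to certificate $certHash (appid $appId)"

# Quote each argument as one token: unquoted, PowerShell parses {guid} as a script block
# and netsh then reports "The parameter is incorrect."
& netsh http add sslcert "ipport=$IpPort" "certhash=$certHash" "appid=$appId" "certstorename=MY"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Show the binding that was just created so the result can be checked
& netsh http show sslcert ipport=$IpPort
```

Run it in an elevated PowerShell session on the ADFS server; the existing hostname binding is left in place, so SNI-capable clients keep working as before.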
Configure your Netscaler
Configure your Netscaler as you traditionally would for load balancing with SSL offloading. Below is a sample config extracted from ns.conf:
add serviceGroup svcgrp-ssl-ADFS SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
add lb vserver lb-https-ADFS SSL 0.0.0.0 0 -persistenceType SSLSESSION -cltTimeout 180
add cs vserver cs-https-ADFS-FDS-PORTAL SSL 172.30.16.10 443 -cltTimeout 180 -caseSensitive OFF
add cs policy Pol_adfs.blubird.be -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"adfs.blubird.be\")"
bind lb vserver lb-https-ADFS svcgrp-ssl-ADFS
bind cs vserver cs-https-ADFS-FDS-PORTAL -policyName Pol_adfs.blubird.be -targetLBVserver lb-https-ADFS -priority 100
Configure a monitor for the ADFS service:
add lb monitor mon-https-ADFS3 HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs.blubird.be/adfs/services/trust" -LRTM ENABLED -secure YES
Some extras for next time:
- Remove the requirement for the user to specify a domain name
- Let the Netscaler decide if Windows Integrated Authentication is allowed or not. (playing with HTTP Headers – User-Agent)
Sources
http://hindenes.com/trondsworking/2014/03/25/adfs-3-0-windows-xp-fail/
Cross Ref. Post
http://democenter.wordpress.com/2014/09/08/load-balancing-ssl-offloading-adfs-3-0/
Thanks Koen! Great info.
We’ve got a similar config although we aren’t doing SSL offload with the Netscaler. We’re working on setting up a monitor for the two ADFS Proxy boxes trying to use your above information and the federationmetadata.xml file, but the monitor goes red immediately. We can bring up the file directly accessing the published ADFS URL, but we’re not sure exactly how this works with the proxies. (By this I mean going to http://proxyserveraddress/federationmetadata/… doesn’t bring up the xml.)
Hi,
Netscaler only supports SNI in the front-end for the moment, not to the back-end.
If you execute the steps in “Prepare your ADFS 3.0”, you allow connections without requiring SNI. And this way you can integrate it with your Netscaler.
Cheers,
Koen
Hi Koen. Great guide.
How would you set up a monitor against 2012 R2 Web Application Proxy (WAP)?
Cheers for the info, just used it for reference in configuring our ADFS server.
One thing that tripped me up – the netsh commands as provided need to be executed at the cmd prompt, not PowerShell. PowerShell will interpret the curly braces as a code block and so the netsh command will return the error ‘The parameter is incorrect.’.
Hi Koen,
thank you for sharing this. I was looking to use Netscaler for ADFS but the Citrix WhitePaper with AAA and Kerberos seems to be tricky. I follow your guide and yes, it rocks!
Nice guide. Thanks.
In our environment I noticed that using “/federationmetadata/2007-06/federationmetadata.xml” on the monitor generates a lot of warnings like these in the ADFS server event log:
“The Federation Service was unable to create the federation metadata document as a result of an error.
Document Path: /federationmetadata/2007-06/federationmetadata.xml
Additional Data
Exception details:
System.Net.HttpListenerException (0x80004005): The specified network name is no longer available
at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result)”
That’s why I’m using these settings in my environment, which look to do the same thing without warnings.
– Send String: “/adfs/ls/IdpInitiatedSignOn.aspx”
– Receive String: adfs service name
Great article!
Do not forget to disable SSL3 on the servicegroup! (had some issues here).
Great Read!
I’ve got a similar setup. I’ve made an external VIP for load-balancing the WAP servers and then another for external ADFS requests from the WAP to the internal ADFS servers, though when running through the config wizard to add the WAP server as a proxy, it times out – it can’t talk to the ADFS boxes via the VIP I made, which was a simple basic LB.
Any ideas, or do I have to configure it directly to the ADFS box just for the initial config, then remove it and have it route via the VIP going forward?