Tony Scotton Posted January 15, 2016

Hi All,

VPX ver - NS11.0.62.10.nc
ADFS 3 server - Server 2012 R2

Pre-Reqs
- External SSL Cert for Public facing URL applied to NS
- TLS 1.2 enabled on the required NS services \ vSrv
- Created 2 servers under LB
- Created 2 services under Services (1 for each server to test different Monitors - more on this below)
- Created 1 LB vSrv
- Created 1 CS vSrv
- Created 1 CS Policy
- CS Policy bound to CS vSrv (Target LB vSrv selected, but have also tried creating an Action)
- SNI enabled on CS vSrv
- SSL Cert bound to CS vSrv
- DNS Alias created for the NS CS VIP (cc-adfs.mydomain.com)

Trying to access https://cc-adfs.mydomain.com/adfs/ls/adpinitiatedsignon.aspx results in the page eventually timing out. Changing the DNS Alias to use the primary ADFS server and the Signon page is displayed straight away.

Running a trace on the NetScaler, opening it in Wireshark and limiting the dataset to have my primary ADFS server as the ip.src and ip.dst, I can see that there doesn't appear to be a "Client Hello" sent and the request back from the ADFS server is a Reset - see attachment CS-erro.png

Running the same test when using my local PC and the DNS alias pointing to the primary ADFS server - I can see a "Client Hello" and further comms over TCP and TLSv1.2 - see attachment Client-PC.png

I have read quite a lot of information and will paste the links in a follow up post as my clipboard is playing up atm.

Removing ALL of the above and then creating a standard LB service (therefore removing the Content Switching part) and running the same diagnostic checks, I can see in Wireshark that the NetScaler sends a "Client Hello" but gets back the same RESET from the ADFS server - see attachment LB-err.png

Any pointers would be greatly appreciated.

Point 2 - Monitors for ADFS

I have read quite a lot on which are the best monitors to use for ADFS 3, and would like to know what people are using as I get varying success depending on the monitor (the Service showing as down). More in Post 2 if I can get my Clipboard working.
Jörn Reitwießner Posted January 19, 2016

Hi, why do you use content-switching when you just want to load-balance two ADFS-server in your internal network?

Your second question: I'm using the following monitor:

add lb monitor MON-ADFS HTTP -httpRequest "HEAD /adfs/probe" -respCode 200 -LRTM ENABLED -secure NO -destPort 80 -netProfile <NETPROFILE>

(from https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/ )
Tony Scotton Posted January 25, 2016

OK, a little more information. As stated above I read quite a lot before starting the config of the ADFS service. Below are a few links:

http://discussions.citrix.com/topic/339412-netscaler-cslb-and-microsoft-adfs-in-2012-r2/
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf
http://www.netscalerrocks.com/netscaler/load-balance-adfs-3-0-using-netscaler/
https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/

Here is information relating to SNI - http://support.citrix.com/article/CTX125798

I had the AD person check the ADFS servers and report back the details of the netsh http show sslcert and they appear to be OK; looks like this was taken care of as part of the ADFS installation as the AD person certainly didn't manually add the entries in via a command line.

Back to the NetScaler.

I initially tried to set up the ADFS as a standard Load Balancer (same as what I would do for say LB my DDCs or SF servers), however as per the screenshot attached on the opening post the ADFS servers send back a reset to the NetScaler after the initial "Hello Client" request.

There wasn't much else that I could change from a Load Balancing perspective, so the next thing I tried was to bind the same Server certificate as a SNI as well and retest (same results).

Next I removed the server certificate and left the SNI cert in place and retested. Same result.

A bit more reading, and I came across this (http://www.netscalerrocks.com/netscaler/load-balance-adfs-3-0-using-netscaler/) and this article describes setting up a Content Switching Virtual Server, so I configured the CS policy and server and retested.

The result was similar, only that the NS didn't appear to send the "Hello Client" request but the ADFS servers still sent back a Reset and the transmission is resent.

I am going to remove the ADFS configuration and start from the ground up, so any bullet point steps to follow would be greatly appreciated, similar to the below:
1 - Install cert
2 - LB, add servers, create Mon, create vSrv (bind cert etc)
etc

Regarding the Monitor, thank you. I have this set already against my individual services which show as UP, however I seem to remember that using similar settings to that as a Service Group Monitor, the service then showed as "down" - I may not be remembering that quite right though (far too many days between setting it up, testing and then coming back and writing this discussion).

I do remember having 2 or 3 different monitors and trying different permutations seeing which appear to be the best. I don't ever remember the below working:

add lb monitor mon-https-ADFS3 HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "My-adfs.domain.com/adfs/services/trust" -LRTM ENABLED -secure YES

So went with:

add lb monitor mon_adfs_svr1_http HTTP -respCode 200 -httpRequest "HEAD /adfs/probe" -LRTM ENABLED -interval 20 MIN -resptimeout 15 MIN -downTime 30 MIN -destIP "My-IP of server1" -destPort 80
Stefan Wendrich Posted January 25, 2016

I think you must add the default certificate for the IIS, because ADFS uses SNI and NetScaler cannot SNI to backend. Here is a good guide: https://netscalerrocks.com/netscaler/load-balance-adfs-3-0-using-netscaler/
Tony Scotton Posted January 27, 2016

Thanx Stefan. As mentioned in my post, I read that guide prior to undertaking the work and can confirm the certificate from the ADFS server has been used and bound to the ADFS Load Balanced Virtual Server. With the certificate I tried binding it as a std server cert, a SNI cert and both a Server and SNI cert; no difference relating to comms back to the Windows Server 2012 R2 ADFS server.
Tony Scotton Posted February 2, 2016

Anyone?? I don't need the full code (although if you have it within your ns.conf then feel free to copy and paste it) but some simple list:
1. install ADFS cert
2. create ADFS server entries
3. create ADFS service group (or services)
4. Create LB vsrv (bind cert)
5. etc etc.

I have followed numerous posts (NetScaler Rocks etc) and each time the NetScaler seems to receive back a RST from the ADFS server (as seen in trace logs). I'm sure it is something simple that is missing but would appreciate some guidance as to what it can be.
Network Support Posted October 8, 2017

Were you able to fix this issue? If yes, can you please share the workaround/solution that you applied?
CarlStalhood Posted October 8, 2017

NetScaler 11.1+ supports SNI on back-end. Edit your service or service group. Edit SSL Parameters. Check box for SNI, and enter the common name.
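Carl's answer above points at the likely cause of the trace Tony described (reset from the ADFS server, no usable "Client Hello"): the back-end expects SNI, so a ClientHello without a server_name extension is not accepted. As an added example, not from any poster here or from Citrix, the Python below parses a captured TLS ClientHello record (Wireshark: select the Client Hello record, Copy as Hex Stream) and reports whether it carries SNI; the two sample records are constructed by the script itself and reuse the cc-adfs.mydomain.com name from the thread.

```python
from typing import Optional, Tuple
import struct

def parse_client_hello(record: bytes) -> Tuple[int, Optional[str]]:
    """Return (client_version, SNI host name or None) from one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:               # content type 22 = Handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                       # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # skip client_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos >= len(body):                                   # no extensions block at all
        return version, None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                  # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:                                  # server_name (RFC 6066)
            lpos = 2                                       # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if data[lpos] == 0:                        # name_type host_name
                    return version, data[lpos + 3:lpos + 3 + name_len].decode("ascii")
                lpos += 3 + name_len
    return version, None

def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (constructed sample, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"               # version, zero random, no session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"              # one cipher suite, null compression
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(entry)) + entry
        exts = b"\x00\x00" + struct.pack("!H", len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for hello in (build_client_hello("cc-adfs.mydomain.com"), build_client_hello(None)):
        print("version=0x%04x sni=%r" % parse_client_hello(hello))
```

A hello that comes back as sni=None from a NetScaler-to-ADFS capture is the case Carl's back-end SNI setting addresses.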
Dominic Herrmann Posted June 3, 2019

I had the same issue. I could solve it by deleting my 2 internal ADFS servers, the service group and also the vServer. NetScaler VPX 12.1 51.19.nc. I've created a serviceGroup with SSL_Bridge and the corresponding vServer with SSL Bridge. Works now. Regards