Jump to content
Welcome to our new Citrix community!

Load Balance ADFS 3 (Not proxy)


Tony Scotton

Recommended Posts

Hi All,

 

VPX ver - NS11.0.62.10.nc

ADFS 3 server - Server 2012 R2

 

Pre - Reqs

 

External SSL Cert for Public facing URL applied to NS

TLV 1.2 enabled on the required NS services \ vSrv

Created 2 servers under LB

Created 2 services under Services (1 for each server to test different Monitors - more on this below)

Created 1 LB vSrv

Created 1 CS vSrv

Created 1 CS Policy

 

 

CS Policy bound to CS vSrv (Target LB vSrv selected, but have also tried creating an Action)

SNI enabled on CS vSrv

SSL Cert bound to CS vSrv

 

DNS Alias created for the NS CS VIP (cc-adfs.mydomain.com)

 

Trying to access https://cc-adfs.mydomain.com/adfs/ls/adpinitiatedsignon.aspx results in the page eventually timing out.

 

Changing the DNS Alias to use the primary ADFS server and the Signon page is displayed straight away.

 

Running a trace on the NetScaler and opening it in Wireshark and limiting the dataset to have my primary ADFS server as the ip.src and ip.dst I can see that there doesn't appear to be a "Client Hello" sent and the request back from the ADFS server is a Reset. - see attachment CS-erro.png

 

Running the same test when using my local PC and the DNS alias pointing to the primary ADFS server - I can see a "Client Hello" and further comms over TCP and TLSv1.2 - See Attachment Client-PC.png

 

I have read quite a lot of information and will paste the links in a follow up post as my clipboard is playing up atm.

 

Removing ALL of the above and then creating a standard LB service (therefore removing the Context Switching part) and running the same diagnostic checks I can see in WireShark that the NetScaler sends a "Client Hello" but gets back the same RESET from the ADFS server. - See Attachment LB-err.png

 

Any pointers would be greatly appreciated.

 

Point 2 - Monitors for ADFS

 

I have read quite a lot on which are the best monitors to use for ADFS 3, and would like to know what people are using as I get varying success depending on the monitor (the Service showing as down)

 

 

More in Post 2 if I can get my Clipboard working

 

 

post-12537028-0-73797800-1452880204_thumb.png

post-12537028-0-76980200-1452880210_thumb.png

post-12537028-0-03578100-1452880216_thumb.png

Link to comment
Share on other sites

Hi,

 

why do you use content-switching when you just want to load-balance two ADFS-server in your internal network?

 

your second question: I'm using the following monitor:

 

add lb monitor MON-ADFS HTTP -httpRequest “HEAD /adfs/probe” -respCode 200 -LRTM ENABLED -secure NO -destPort 80 -netProfile <NETPROFILE>

 

(from https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/ )

Link to comment
Share on other sites

OK, a Little more information, as stated above I read quite a lot before starting the config of the ADFS service. below are a few links


http://discussions.citrix.com/topic/339412-netscaler-cslb-and-microsoft-adfs-in-2012-r2/

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf

http://www.netscalerrocks.com/netscaler/load-balance-adfs-3-0-using-netscaler/

https://www.citrix.com/blogs/2015/05/29/adfs-v3-on-windows-server-2012-r2-with-netscaler/

Here is information relating to SNI - http://support.citrix.com/article/CTX125798


I had the AD person check the ADFS servers and report back the details of the netsh http show sslcert and they appear to be OK, looks like this was taken care of as part of the ADFS indtallation as the AD person certinaly didn't manually add the entries in via a command line.


Back to the NetScaler.

I initially tried to setup the ADFS as a standard Load Balancer (Same as what I would do for say LB my DDC's or SF servers), however as per the screen shot attached on the Opening Post the ADFS servers send back a reset to the NetScaler after the inital "Hello Client" request.


There wasn't much else that I could change from a Load Balancing perspective, so the next thing I tried was to bind the same Server certificate as a SNI aswell and retest (same results)


Next I removed the server certfiicate and left the SNI cert in place and retested. Same result.


A bit more reading, and I came across this (http://www.netscalerrocks.com/netscaler/load-balance-adfs-3-0-using-netscaler/) and this article decribes setting up a Content Switching Virtual Server, so i configured the CS policy and server and retested. The result was similar, only that the NS didn't appear to send the "Hello Client" request but the ADFS servers still sent back a Reset and the transmission is resent.


I am going to remove the ADFS configuration and start from the ground up, so any bullet point steps to follow would be greatly appreciated, similar to the below


1 - Install cert

2 - LB, add servers, create Mon, create vSrv (bind cert etc)

etc


Regarding the Monitor, Thank you I have this set already against my individual services which show as UP, however I seem to remember that using similar settings to that as a Service Group Monitor, the service then showed as "down" - I may not be remembering that quite right though (far to many days between setting it up, testing and then coming back and writing this discussion)..


I do remember having 2 or 3 different monitors and trying different permutations seeing which appear to be the best, I don't ever remember the below working,

add lb monitor mon-https-ADFS3 HTTP-ECV -send “GET /federationmetadata/2007-06/federationmetadata.xml” -recv “My-adfs.domain.com/adfs/services/trust” -LRTM ENABLED -secure YES

 

So went with

add lb monitor mon_adfs_svr1_http HTTP -respCode 200 -httpRequest "HEAD /adfs/probe" -LRTM ENABLED -interval 20 MIN -resptimeout 15 MIN -downTime 30 MIN -destIP "My-IP of server1" -destPort 80

 

Link to comment
Share on other sites

Thanx Stefan,

 

As mentioned in my post, I read that guide prior to undertaking the work and can confirm the certificate from the ADFS server has been used and bound to the ADFS Load Balanced Virtual Server.

 

With the certificate I tried binding it as a std server cert, a SNI cert and both a Server and SNI cert, no difference relating to comms back to the Windows Server 2012 R2 ADFS server.

Link to comment
Share on other sites

Anyone ??

 

I don't need the full code (although if you have it within your ns.conf then feel free to copy and paste it) but some simple list

 

1. install ADFS cert

2. create ADFS server entries

3. create ADFS service group (or services)

4. Create LB vsrv (bind cert)

5. etc etc.

 

I have followed numerous posts (NetScaler Rocks etc) and each time the NetScaler seems to receive back a RST from the ADFS server (as seen in trace logs).

 

I'm sure it is something simple that is missing but would appreciate some guidance as to what it can be.

Link to comment
Share on other sites

  • 1 year later...
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...