Load Balancing AD FS 2012 R2 3.0 and Web Application Proxy With Netscaler

Recently I had to set up load balancing for a Microsoft Active Directory Federation Services (ADFS) 3.0 environment. There is not a whole lot of information out there on load balancing ADFS 3.0; most of the guides and documentation available today are based on ADFS 2.0.

The diagram below illustrates a typical ADFS deployment scenario utilizing hardware load balancers such as Netscaler or F5 appliances.


Why you need to do this.
Server Name Indication (SNI) is a feature of SSL/TLS, and both Web Application Proxy and AD FS 2012 R2 use it to enable simpler deployment and remove networking prerequisites. Some client applications don't support SNI, but there is an easy way to work around this using a fallback certificate. In this blog we will explain what SNI is, how it works and what to do if you have non-SNI capable clients.

In this case the client (i.e. the Netscaler) does not support SNI towards the back-end services, hence the requirements below. The proxy servers will only reply if the Host header is present and will not respond directly via IP address. One of the main issues with load balancing the latest ADFS is that it does not bind the certificate or service to the IP address.

ADFS Server & Proxy Server Configuration
On each of the ADFS servers and Web Application Proxy servers for the ADFS services you will need to do the following.

    1. Open PowerShell.
    2. Run the following command in the PowerShell window:
         netsh http show sslcert
    3. Review the output of the command and note the following fields:
         1. Certificate Hash
         2. Application ID – copy it including the brackets
    4. Run the following command in the PowerShell window:
         netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY
       Fields:
         1. IPAddress:port – note: this can bind to all IP addresses on the server, or a specific IP can be used.
         2. certhash – copied from netsh http show sslcert
         3. appid – copied from netsh http show sslcert
       Note: On several of the systems that I ran the command on, I had to put single quotes around the appid (before and after the brackets). Without them the error was “The parameter is incorrect”. An example of this would be:
         netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid='<appid>' certstorename=MY
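The steps above can be scripted so that the hash and application ID are read from the existing SNI binding rather than copied by hand, and the result verified afterwards. This is an added example, not code from the original post; the federation service name adfs3.website.com and the IP:port 0.0.0.0:443 are placeholder assumptions to change for your environment.

```powershell
# Added example (not from the original post): automates the netsh steps above.
# Assumptions (placeholders): federation service name adfs3.website.com on 443 and
# an IP:port of 0.0.0.0:443 (all addresses); adjust both for your environment.
param(
    [string]$Hostname = 'adfs3.website.com',
    [int]$Port = 443,
    [string]$IpPort = '0.0.0.0:443'
)

function Get-SslCertBinding {
    # Parse the text output of 'netsh http show sslcert' into one object per binding.
    $raw = (netsh http show sslcert) -join "`n"
    foreach ($block in ($raw -split "`n\s*`n")) {
        if ($block -notmatch 'Certificate Hash') { continue }
        $endpoint = $null
        if ($block -match '(Hostname:port|IP:port)\s*:\s*(\S+)') { $endpoint = $Matches[2] }
        $hash  = if ($block -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $Matches[1] }
        $appId = if ($block -match 'Application ID\s*:\s*(\{[^}]+\})')     { $Matches[1] }
        [pscustomobject]@{ Endpoint = $endpoint; CertHash = $hash; AppId = $appId }
    }
}

$bindings = @(Get-SslCertBinding)
$sni = $bindings | Where-Object { $_.Endpoint -eq "${Hostname}:${Port}" } | Select-Object -First 1
if (-not $sni) { throw "No SNI binding for ${Hostname}:${Port}; run this on an AD FS or WAP server." }

$existing = $bindings | Where-Object { $_.Endpoint -eq $IpPort }
if ($existing) {
    if ($existing.CertHash -ne $sni.CertHash) {
        Write-Warning "$IpPort is already bound to a different certificate ($($existing.CertHash)); review before changing."
    } else {
        Write-Host "IP:port binding $IpPort already matches the SNI binding; nothing to do."
    }
    return
}

# Passing the appid as one quoted argument keeps PowerShell from mangling the braces;
# this is the same workaround as the single quotes noted above.
netsh http add sslcert ipport=$IpPort certhash=$($sni.CertHash) "appid=$($sni.AppId)" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed with exit code $LASTEXITCODE" }

# Verify the new binding exists with the same hash and application ID as the SNI binding.
$check = @(Get-SslCertBinding) | Where-Object { $_.Endpoint -eq $IpPort }
if ($check -and $check.CertHash -eq $sni.CertHash -and $check.AppId -eq $sni.AppId) {
    Write-Host "Bound $IpPort to certificate $($sni.CertHash) for app $($sni.AppId)."
} else {
    throw "Binding for $IpPort missing or mismatched after add; check 'netsh http show sslcert'."
}
```

Run it from an elevated PowerShell on each ADFS and Web Application Proxy server; it refuses to overwrite an IP:port binding that already points at a different certificate.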

Netscaler Configuration.
You will need to create the monitors below and attach them to either the services or service groups for the ADFS 3.0 servers and proxy servers. In my case all services and service groups were configured for SSL Bridge.

ADFS Monitor Configuration

add lb monitor mon-https-ADFS3 HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs3.website.com/adfs/services/trust" -LRTM ENABLED -secure YES

ADFS Proxy Monitor Configuration – note the addition of the custom Host header. This is required for the proxy server configuration, since the proxy servers only reply when the Host header is present.

add lb monitor mon-https-ADFS3-PROXY HTTP-ECV -customHeaders "host: adfs3.website.com\r\n" -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs3.website.com/adfs/services/trust" -LRTM ENABLED -secure YES

Replace adfs3.website.com with your particular company's website name.

You can find more information below at the following links

ADFS is used in a variety of services and I hope you found this helpful. Now signing off.

3 Responses to Load Balancing AD FS 2012 R2 3.0 and Web Application Proxy With Netscaler

  1. Thanks, worked a treat…..

  2. I had big problems enabling the LB with SSL. I did the SNI stuff for ADFS and everything, and I couldn't get it running. There were a lot of SCHANNEL errors in the ADFS event logs and the NetScaler network trace just told me that the connection was reset by the ADFS server. I got a tip from #citrix / IRC to disable TLSv12 on the Service Group containing the ADFS servers and that did it for me!

  3. I am a little confused. Do we need SSL_Bridge on the Service Groups or should we avoid it altogether? Would the proxy probe shown above work with a basic SG like the following?
    add serviceGroup adfs_be_443_sg TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 60 -svrTimeout 60 -CKA NO -TCPB NO -CMP NO
    add serviceGroup adfs_be_49443_sg TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip YES -useproxyport YES -cltTimeout 60 -svrTimeout 60 -CKA NO -TCPB NO -CMP NO
    I am planning to use the proxy probe shown above on the Proxy VIP and http (/adfs/probe) on the BE ADFS VIP.