Enable KEMP Edge Security Pack (ESP) With ADFS

Scope

In this KB we will cover how to configure the LoadMaster, using ESP, to act as a full pre-authentication proxy in front of your ADFS servers: the LoadMaster authenticates the client itself and then logs the client on to ADFS with a Kerberos ticket. This is useful because it can allow you to remove your WAP (Web Application Proxy) servers entirely.

Configuration 

1. Configure "Client Side Authentication".

In this KB I use "Forms Based" client-side authentication with "LDAP" as the authentication protocol. I am not going to show the individual client-side options here, as there are numerous options available, such as "RSA Two Factor Authentication" and "RADIUS".

For more information on how to configure them, please see our ESP documentation: https://support.kemptechnologies.com/hc/en-us/articles/203125029-Edge-Security-Pack-ESP-

2. Configure "Server Side Authentication"

Server Side Authentication must be set to "KCD" (Kerberos Constrained Delegation), so that the LoadMaster obtains a Kerberos service ticket on behalf of the pre-authenticated user and presents it to ADFS. Please see the following link for the KCD setup: https://support.kemptechnologies.com/hc/en-us/articles/203860275-Kerberos-Constrained-Delegation

3. Configure ADFS for KCD

Because your "Server Side Authentication" presents Kerberos tickets, your ADFS servers must be configured to accept them. Requests relayed by the LoadMaster do not carry the x-ms-proxy header that a WAP adds, so ADFS treats them as intranet traffic and applies the Intranet authentication policy.

Navigate to your ADFS Server > Server Manager > Tools > AD FS Management > Authentication Policies > Primary Authentication > Edit > Intranet.

Enable Windows Authentication.

If you still receive an ADFS logon form after entering your credentials on the KEMP logon form, run PowerShell on your ADFS server and enter:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

This makes ADFS use the local Active Directory claims provider for every intranet request, skipping home realm discovery when other claims provider trusts are configured.

4. Create Kerberos SPN Service Account

This is an additional step that is not included in the Kerberos Constrained Delegation document. The KDC encrypts the HTTP service ticket with the key of the account that owns the SPN, so the SPN must be registered on the service account the AD FS service runs under, not on the computer account of your ADFS server; otherwise ADFS cannot decrypt the ticket the LoadMaster presents.

  •  Navigate to your Active Directory > Users and Computers > New User and create the service account, e.g. ADFSPool. If your farm already runs under a service account, use that account instead of creating a new one, and make sure the AD FS service (adfssrv) actually runs as it.

  •  Navigate to your AD command line and enter

  setspn -A HTTP/ADFS_SERVER_FQDN DOMAIN\ADFS_SERVICE_ACCOUNT

  e.g.  setspn -A HTTP/adfs-1.kemptest.com kemptest\ADFSPool   (without quotes)

Use setspn -S instead of -A if you want setspn to refuse the registration when another account already holds the SPN; a duplicate SPN breaks Kerberos for both accounts. You can check the current owner at any time with setspn -Q HTTP/adfs-1.kemptest.com.

5. Password Reset Link

If an administrator resets a client's password and the client must change it at next logon, the client enters the temporary password in the KEMP logon form. The LoadMaster forwards the credentials to your AD; when AD returns the response code indicating that a password change is required, the LoadMaster presents the "User Password Change URL" to the client.

  •  Navigate to your ADFS VS > ESP > "User Password Change URL" and enter, e.g.

  https://adfs.kemptest.com/adfs/portal/updatepassword/

You will also need to enter a "User Password Change Dialog Message" and add the password change path (/adfs/portal/updatepassword/) to your "Pre-Authorization Excluded Directories", so that a client who has not yet passed pre-authentication can reach the ADFS password change page. Only that path is exposed, and the ADFS page still requires the user's current password. Note that the ADFS update password endpoint is disabled by default and must be enabled on the ADFS side (AD FS Management > Service > Endpoints) before this URL will work.

6. Change Browser User-Agent

ADFS only offers Windows Authentication to browsers whose User-Agent matches an entry in its WIASupportedUserAgents list, which by default covers Internet Explorer. If your clients use any other browser, add a content rule to the LoadMaster that rewrites the User-Agent to an Internet Explorer string; otherwise ADFS will not negotiate Kerberos and you will receive a second logon form from ADFS.

  •  Navigate to your KEMP > Rules and Checking > Create New Rule

Rule Name = ADFS_Browser

Rule Type = Replace Header

Header Field = User-Agent

Match String = /^.*/

Replaced Value = Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Click Create Rule.

  •  Navigate to your VS > Advanced Properties > HTTP Header Modifications > Request Rules and select the rule from the drop-down.

Note that this rule replaces the User-Agent of every client passing through the VS, so ADFS logs will record the Internet Explorer string rather than the real browser. If you need the real User-Agent preserved, the alternative is to add your browsers' User-Agent substrings to the ADFS WIASupportedUserAgents list (Set-AdfsProperties -WIASupportedUserAgents) instead of rewriting the header on the LoadMaster.
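
As an added example (not part of the original KB and not KEMP's or Microsoft's own tooling), the ADFS-side settings from steps 3 to 6 can be applied and verified from PowerShell on an ADFS server. The FQDN adfs-1.kemptest.com, the account kemptest\ADFSPool and the path /adfs/portal/updatepassword/ are the KB's illustrative values and are assumptions here; change them to match your farm. The script assumes the ADFS and ActiveDirectory (RSAT) PowerShell modules are installed on the server.

```powershell
# Added example, not from the KB: apply and verify the AD FS side of steps 3-6.
# Run in an elevated PowerShell on an AD FS server as a farm administrator.
# The values below are the KB's illustrative names (assumptions); adjust for your farm.
#Requires -Modules ADFS, ActiveDirectory
$ErrorActionPreference = 'Stop'

$AdfsServerFqdn = 'adfs-1.kemptest.com'   # assumption: real ADFS server the LoadMaster delegates to
$SamAccount     = 'ADFSPool'              # assumption: sAMAccountName of the AD FS service account
$NetbiosDomain  = 'kemptest'              # assumption: NetBIOS domain name, as used with setspn
$Spn            = "HTTP/$AdfsServerFqdn"
$PasswordPath   = '/adfs/portal/updatepassword/'
$RewrittenUA    = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'

# Step 3: Windows Authentication must be the primary intranet provider. Traffic relayed by
# the LoadMaster carries no x-ms-proxy header, so AD FS applies the intranet policy to it.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication')
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    throw 'Windows Authentication is still not enabled for the intranet zone.'
}

# Step 4: the HTTP SPN must sit on the account the AD FS service runs as, because the KDC
# encrypts the service ticket with that account's key. Warn if adfssrv runs as something
# else, and refuse to create a duplicate SPN (a duplicate breaks Kerberos for both owners).
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if ($svc.StartName -notlike "*$SamAccount*") {
    Write-Warning "adfssrv runs as '$($svc.StartName)'; register the SPN on that account, not on $SamAccount."
}
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
if ($owners -and ($owners.sAMAccountName -notcontains $SamAccount)) {
    throw "SPN $Spn is already registered on: $($owners.DistinguishedName -join '; ')"
}
if (-not $owners) {
    # setspn -S (unlike -A, used in the KB) checks the forest for duplicates before adding.
    & setspn.exe -S $Spn "$NetbiosDomain\$SamAccount" | Out-Null
}
$svcAcct = Get-ADUser -Identity $SamAccount -Properties servicePrincipalName
if ($svcAcct.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn is not registered on $SamAccount."
}

# Step 5: the password change page the LoadMaster redirects to is disabled by default.
# Enabling an endpoint only takes effect after the AD FS service is restarted.
$ep = Get-AdfsEndpoint -AddressPath $PasswordPath
if (-not $ep.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath $PasswordPath
    Restart-Service adfssrv
}

# Step 6: AD FS offers Windows Authentication only to User-Agents containing one of these
# substrings, which is why the LoadMaster rule rewrites the User-Agent to an IE 11 string.
# Confirm the rewritten value matches on this farm; the default list differs between versions.
$wia = (Get-AdfsProperties).WIASupportedUserAgents
$hit = $wia | Where-Object { $RewrittenUA.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
if (-not $hit) {
    throw 'The rewritten User-Agent matches no WIASupportedUserAgents entry; AD FS would still show its forms page.'
}
"Rewritten User-Agent matches WIA entry: $($hit -join ', ')"
```

If the last check throws, either add the rewritten string's substring (for example "Windows NT 10.0; WOW64; Trident/7.0") to WIASupportedUserAgents with Set-AdfsProperties, or change the "Replaced Value" in the LoadMaster rule to a string that already appears in the list.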
