
How to Enable the Edge Security Pack (ESP) With ADFS on the LoadMaster

Scope

In this Knowledge Base article we discuss how to enable the LoadMaster to act as a full reverse proxy for your ADFS using ESP. This is a very useful feature because it means you can potentially remove your WAP (Web Application Proxy) servers.

Note: Currently, iOS devices will need to authenticate twice when using the mobile Office application. This is because ADFS requires Forms Based Authentication for mobile devices running the MS Office application. When we connect to ADFS we send a Kerberos ticket, but in this case ADFS ignores the ticket.

Please ensure in Step 3 that you also have Forms Based Authentication enabled for Intranet.

Configuration 

1. Configure "Client Side Authentication".

I will be using "Forms Based" with "LDAP". In this KB I am not going to show specifically how to configure your "Client Side Authentication", as there are numerous options available, such as "RSA Two Factor Authentication", "Radius", etc.

For more information on how to configure it, please see our ESP documentation:

 ESP-DOC

2. Configure "Server Side Authentication"

Server Side Authentication must be set to "KCD" (Kerberos Constrained Delegation). Please see the following document:

 KCD-DOC

3. Configure ADFS for KCD

Because your "Server Side Configuration" will be using Kerberos tickets, you need to configure your ADFS servers to accept these tickets.

Navigate to your ADFS Server > Server Manager > Tools > ADFS Manager > Authentication Policies > Primary Authentication > Edit > Intranet.

Enable Windows Authentication.

If you still receive an ADFS logon form after entering your credentials on the LoadMaster, run PowerShell on your ADFS server and enter:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

4. Create Kerberos SPN Service Account

   This is an additional step that is not included in the Kerberos document. It is required so that AD encrypts your Kerberos ticket using the service account's credentials and not the credentials of the ADFS server.

  •    Navigate to your Active Directory > Users and Computers > New User

            e.g. ADFSPool

NOTE: If Kerberos is already used internally with ADFS, you will need to use that existing service account.

  •   Open a command prompt on your AD server and enter

  SetSPN -a HTTP/ADFS_SERVER_FQDN domain\ADFS_Service_Account

   e.g. SetSPN -a http/adfs-1.kemptest.com kemptest\ADFSPool


5. Password Reset Link

   In the event that an administrator resets a client's password, the client will enter the new password in the logon form presented by the LoadMaster. We then forward the credentials to your AD. Once we receive a specific response code, we present a "User Password Change URL" to the client.

[Image: password_exp.png]

  • Enable Password Reset on ADFS

https://blogs.msdn.microsoft.com/samueld/2015/05/13/adfs-2012-r2-now-supports-password-change-not-reset-across-all-devices/

  •  Navigate to your ADFS VS > ESP > "User Password Change URL" and enter, e.g.

 https://adfs.kemptest.com/adfs/portal/updatepassword/

 You will also need to enter your "User Password Change Dialog Message" and add your "Password Change URL" (/adfs/portal/updatepassword/) to your "Pre-Authorization Excluded Directories".


6. Change Browser User-Agent

If you are using a browser other than Internet Explorer, you will need to add a content rule on the LoadMaster that rewrites the User-Agent header. Otherwise, you will receive a second logon form from your ADFS.


  • Navigate to your LoadMaster WUI. Then go to Rules and Checking > Create New Rule

Rule Name = ADFS_Browser

Rule Type  = Replace Header

Header Field = User-Agent

Match String = /^.*/

Replaced Value = Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Create Rule

 

 Navigate to your VS > Advanced Properties > HTTP Header Modifications > Request Rules.

Select Rule from Dropdown
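Before testing the ESP flow end to end, it helps to confirm that the ADFS-side settings from steps 3 and 4 are actually in place. The following PowerShell script is an added check, not part of the Kemp article; it assumes an elevated session on an ADFS server with the ADFS and ActiveDirectory modules available, and uses the article's example values (adfs-1.kemptest.com, ADFSPool) as defaults.

```powershell
# Added verification script (not from the Kemp article): confirms the ADFS-side
# prerequisites from steps 3 and 4 before testing the LoadMaster ESP/KCD flow.
# Assumes: elevated PowerShell on an ADFS server; ADFS and ActiveDirectory modules;
# the FQDN and service account below are the article's example values.

param(
    [string]$AdfsFqdn = 'adfs-1.kemptest.com',
    [string]$ServiceAccount = 'ADFSPool'
)

Import-Module ADFS
Import-Module ActiveDirectory

$problems = @()

# Step 3: intranet primary authentication must offer Windows (Kerberos) auth so the
# LoadMaster's delegated ticket is accepted, plus Forms auth for the iOS/Office case.
$intranet = (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
if ($intranet -notcontains 'WindowsAuthentication') {
    $problems += 'Intranet primary authentication does not include Windows Authentication.'
}
if ($intranet -notcontains 'FormsAuthentication') {
    $problems += 'Intranet primary authentication does not include Forms Based Authentication.'
}

# Step 3 fallback: the property the article sets when a second ADFS logon form appears.
if (-not (Get-AdfsProperties).IntranetUseLocalClaimsProvider) {
    $problems += 'IntranetUseLocalClaimsProvider is $false; set it to $true if a second logon form appears.'
}

# Step 4: the HTTP SPN for the ADFS FQDN must be held by the service account (and by
# exactly one account); a duplicate or misplaced SPN breaks Kerberos ticket encryption.
$spn = "HTTP/$AdfsFqdn"
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
if ($owners.Count -eq 0) {
    $problems += "No account holds $spn (expected: setspn -a $spn <domain>\$ServiceAccount)."
} elseif ($owners.Count -gt 1) {
    $problems += "Duplicate SPN: $spn is registered on $($owners.Name -join ', ')."
} elseif ($owners[0].Name -ne $ServiceAccount) {
    $problems += "$spn is registered on '$($owners[0].Name)', not on '$ServiceAccount'."
}

if ($problems.Count -eq 0) {
    Write-Output 'ADFS prerequisites for LoadMaster ESP/KCD look correct.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```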

 

Related Articles

 ESP With Remote Desktop (RD) Web Access


Comments

Guillaume De Maré

Hello, 

I am trying to get this setup configured, but I was wondering, the KDC username that we need to input is the one running the ADFS server? 
