How to Enable the Edge Security Pack (ESP) With ADFS on the LoadMaster
Scope
In this Knowledge Base article we discuss how to enable the LoadMaster to act as a full reverse proxy for your ADFS servers using ESP. This is a very useful feature because it potentially lets you remove your WAP (Web Application Proxy) servers.
Note: Currently iOS devices will need to authenticate twice when using the mobile Office application. This is because ADFS requires Forms Based Authentication for mobile devices running the Microsoft Office application. When we connect to ADFS we send a Kerberos ticket, but in this case ADFS ignores the ticket.
Please ensure in Step 3 that you also have Forms Based Authentication enabled for Intranet.
Configuration
1. Configure "Client Side Authentication".
In this KB I will be using "Forms Based" with "LDAP". I am not going to show in detail how to configure your "Client Side Authentication", as there are numerous options available, such as "RSA Two Factor Authentication" and "RADIUS".
For more information on how to configure it, please see this link to our ESP documentation.
2. Configure "Server Side Authentication"
Server Side Authentication will need to be set to "KCD" (Kerberos Constrained Delegation). Please see the following link.
3. Configure ADFS for KCD
Because your "Server Side Authentication" will be using Kerberos tickets, you need to configure your ADFS servers to accept these tickets.
Navigate to your ADFS Server > Server Manager > Tools > ADFS Manager > Authentication Policies > Primary Authentication > Edit > Intranet.
Enable Windows Authentication.
If you still receive an ADFS logon form after entering your credentials on the LoadMaster, run PowerShell on your ADFS server and enter:
Set-AdfsProperties -IntranetUseLocalClaimsProvider $true
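The Step 3 settings can be checked and applied from PowerShell on the ADFS server instead of through ADFS Manager. The script below is an added example and is not part of the Kemp article; it assumes the ADFS PowerShell module is available on the server and that both Forms and Windows authentication are wanted for Intranet (Forms for the iOS Office clients noted in the Scope, Windows for the Kerberos ticket the LoadMaster sends).

```powershell
# Added example, not from the Kemp article. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

# 1. Primary Intranet authentication must offer BOTH Forms and Windows auth:
#    Windows auth accepts the Kerberos ticket sent by the LoadMaster (KCD),
#    Forms auth is still needed for the mobile Office clients.
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.PrimaryIntranetAuthenticationProvider)
$wanted  = @('FormsAuthentication', 'WindowsAuthentication')
$missing = $wanted | Where-Object { $current -notcontains $_ }

if ($missing) {
    Write-Host "Enabling missing Intranet providers: $($missing -join ', ')"
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider ($current + $missing)
} else {
    Write-Host "Intranet providers already configured: $($current -join ', ')"
}

# 2. If the ADFS logon form still appears after the LoadMaster logon, make ADFS
#    treat the proxied request as a local (Active Directory) claims-provider request.
$props = Get-AdfsProperties
if (-not $props.IntranetUseLocalClaimsProvider) {
    Write-Host "Setting IntranetUseLocalClaimsProvider to True"
    Set-AdfsProperties -IntranetUseLocalClaimsProvider $true
}

# 3. Show the end state so it can be recorded in the change ticket.
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider
Get-AdfsProperties | Select-Object IntranetUseLocalClaimsProvider
```

The script only adds providers that are missing, so an existing Intranet policy that already lists other providers (for example a certificate provider) is preserved rather than overwritten.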
4. Create Kerberos SPN Service Account
This additional step is not included in the Kerberos document. It is required so that AD encrypts your Kerberos ticket using the service account's credentials and not the credentials of the ADFS server.
- Navigate to your Active Directory > Users and Computers > New User
e.g. ADFSPool
NOTE: If Kerberos is already used internally with ADFS, you must use that existing service account.
- Open a command prompt on your AD server and enter (without quotes):
"SetSPN -a HTTP/ADFS_SERVER_FQDN domain\ADFS_Service_Account"
e.g. "SetSPN -a http/adfs-1.kemptest.com kemptest\ADFSPool"
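The same account creation and SPN registration, done from PowerShell with a duplicate check first. This is an added example and not the article's own procedure; it assumes the ActiveDirectory RSAT module is installed, and the account name, NetBIOS domain and FQDN are the article's example values. It uses `setspn -S` rather than `-a`, because `-S` refuses to register an SPN that already exists elsewhere in the forest.

```powershell
# Added example, not from the Kemp article. Run on a domain controller or an RSAT host.
Import-Module ActiveDirectory

$Account  = 'ADFSPool'              # service account (sAMAccountName), article's example
$Domain   = 'kemptest'              # NetBIOS domain name, article's example
$AdfsFqdn = 'adfs-1.kemptest.com'   # name the LoadMaster delegates to, article's example
$Spn      = "HTTP/$AdfsFqdn"

# 1. Reuse the account if ADFS already runs under one (see the NOTE above);
#    otherwise create it. The password is prompted for, never placed in the script.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    $pw = Read-Host -Prompt "Password for $Domain\$Account" -AsSecureString
    New-ADUser -Name $Account -SamAccountName $Account -AccountPassword $pw `
               -Enabled $true -PasswordNeverExpires $true
    Write-Host "Created $Domain\$Account"
}

# 2. Refuse to continue if the SPN is already owned by a different principal.
#    A duplicate SPN makes the KDC encrypt tickets for the wrong account and
#    the delegation then fails without an obvious error on the LoadMaster.
$query = setspn -Q $Spn
$found = ($query -join "`n") -match 'Existing SPN found'
$owned = ($query -join "`n") -match "CN=$Account,"   # assumes Name == sAMAccountName
if ($found -and -not $owned) {
    throw "SPN $Spn is already registered on another object:`n$($query -join "`n")"
}

# 3. Register (with forest-wide duplicate check) and list the account's SPNs to verify.
if (-not $found) {
    setspn -S $Spn "$Domain\$Account"
}
setspn -L "$Domain\$Account"
```

After this, the `setspn -L` output should show `HTTP/adfs-1.kemptest.com` under the service account and nothing else should own that SPN; if the throw in step 2 fires, resolve the duplicate before touching the LoadMaster configuration.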
5. Password Reset Link
In the event that an administrator resets a client's password, the client will enter the new password in the logon form presented by the LoadMaster. We then forward the credentials to your AD. Once we receive a specific response code, we provide a "User Password Change URL" to the client.
- Enable Password Reset on ADFS
https://blogs.msdn.microsoft.com/samueld/2015/05/13/adfs-2012-r2-now-supports-password-change-not-reset-across-all-devices/
- Navigate to your ADFS VS > ESP > "User Password Change URL" and enter, e.g.:
https://adfs.kemptest.com/adfs/portal/updatepassword/
You will also need to enter your "User Password Change Dialog Message" and add your "Password Change URL" (/adfs/portal/updatepassword/) to your "Pre-Authorization Excluded Directories".
6. Change Browser User-Agent
If you are using a browser other than Internet Explorer, you will need to add a content rule to the LoadMaster. Otherwise, you will receive a second Logon Form from your ADFS.
- Navigate to your LoadMaster WUI, then go to Rules and Checking > Create New Rule and enter:
Rule Name = ADFS_Browser
Rule Type = Replace Header
Header Field = User-Agent
Match String = /^.*/
Replaced Value = Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Click Create Rule.
Navigate to your VS > Advanced Properties > HTTP Header Modifications > Request Rules and select the rule from the dropdown.
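The reason this rule is needed is that ADFS only offers Windows Integrated Authentication to User-Agents matching its WIASupportedUserAgents list; any other browser is sent the forms logon page, which is the second logon form described above. The script below is an added example, not part of the Kemp article. Part 1 runs on the ADFS server and checks that the rule's Replaced Value actually matches an entry in that list (the match semantics implemented here, substring unless the entry is prefixed with `=~` for a regular expression, are ADFS behaviour, but the check itself is this example's). Part 2 is a Windows PowerShell 5.1 probe from a domain-joined client that reaches ADFS directly; the endpoint used and the non-IE User-Agent are assumptions/constructed values.

```powershell
# Added example, not from the Kemp article. Hostname and Replaced Value are the article's;
# the "other" User-Agent is a constructed value.
$AdfsFqdn   = 'adfs-1.kemptest.com'
$IeAgent    = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
$OtherAgent = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'

# Part 1 (ADFS server): does the rule's Replaced Value satisfy WIASupportedUserAgents?
function Test-WiaAgent([string]$Agent, [string[]]$Entries) {
    foreach ($e in $Entries) {
        if ($e.StartsWith('=~')) {                 # regex entry, e.g. =~Windows\s*NT.*Edge
            if ($Agent -match $e.Substring(2)) { return $e }
        } elseif ($Agent.Contains($e)) {           # plain entry: substring match
            return $e
        }
    }
    return $null
}

$wia = (Get-AdfsProperties).WIASupportedUserAgents
Write-Host "WIASupportedUserAgents:`n  $($wia -join "`n  ")"
$hit = Test-WiaAgent $IeAgent $wia
if ($hit) {
    Write-Host "Replaced Value matches WIA entry '$hit'"
} else {
    Write-Warning "Replaced Value matches no WIA entry; ADFS will still serve the forms page"
}

# Part 2 (domain-joined client, Windows PowerShell 5.1): a WIA-eligible agent gets a
# 401 with a WWW-Authenticate: Negotiate challenge; any other agent gets the HTML form.
function Test-AdfsAuthMode([string]$Agent) {
    $url = "https://$AdfsFqdn/adfs/ls/IdpInitiatedSignOn.aspx"   # assumed endpoint
    try {
        $r = Invoke-WebRequest -Uri $url -UserAgent $Agent -UseBasicParsing
        return "HTTP $($r.StatusCode): forms sign-in page ($($r.Content.Length) bytes)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            return "HTTP 401: WWW-Authenticate = $($resp.Headers['WWW-Authenticate'])"
        }
        throw
    }
}

"IE agent    -> " + (Test-AdfsAuthMode $IeAgent)
"Other agent -> " + (Test-AdfsAuthMode $OtherAgent)
```

Because the rule rewrites every client's User-Agent before it reaches ADFS, the ADFS audit and sign-in logs will record all sessions as Internet Explorer; keep that in mind when reviewing those logs or relying on user-agent based rules in ADFS.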
Related Articles
ESP With Remote Desktop (RD) Web Access
Guillaume De Maré
Hello,
I am trying to get this setup configured, but I was wondering, is the KDC username that we need to input the one running the ADFS server?