
ADFS Server 2019 setup

Information

Summary:

Customer needs to set up AD FS on Windows Server 2019.
The docs on the Kemp website are outdated and no longer apply to AD FS 2016 and later.

Environment:

Product: Loadmaster

Version: Any

Platform: Any

Application: Microsoft AD FS v4, AD FS v5 and later

Question/Problem Description:

Steps to Reproduce:  
Error Message:  
Defect Number: LM-2216
Enhancement Number:

Cause: Load Balancer requirements
  • The load balancer MUST NOT terminate SSL. AD FS supports multiple use cases with certificate authentication, which will break when terminating SSL. Terminating SSL at the load balancer is not supported for any use case.
  • Use a load balancer that supports SNI. In the event it does not, using the 0.0.0.0 fallback binding on your AD FS / Web Application Proxy server should provide a workaround.
  • Use the HTTP (not HTTPS) health probe endpoints to perform load balancer health checks for routing traffic. This avoids any issues relating to SNI. The response to these probe endpoints is an HTTP 200 OK and is served locally with no dependence on back-end services. The HTTP probe can be accessed over HTTP using the path '/adfs/probe':
    • http://<Web Application Proxy name>/adfs/probe
    • http://<AD FS server name>/adfs/probe
    • http://<Web Application Proxy IP address>/adfs/probe
    • http://<AD FS IP address>/adfs/probe
  • It is NOT recommended to use DNS round robin as a way to load balance. Using this type of load balancing does not provide an automated way to remove a node from the load balancer using health probes.
  • It is NOT recommended to use IP-based session affinity or sticky sessions for authentication traffic to AD FS within the load balancer. This can cause an overload of certain nodes when using legacy authentication protocol for mail clients to connect to Office 365 mail services (Exchange Online).
Resolution:

Changed the customer's health check and VIP settings on the AD FS VIP to match the requirements above:

  1. Enable SSL acceleration
  2. Disable persistence
  3. Enable the SNI hostname with the proper AD FS hostname
  4. Use HTTP/80 health checks on /adfs/probe
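The following script is an added example written for this article; it is not Kemp or Microsoft code. It verifies, from the AD FS admin's side, the two load balancer requirements quoted above after the VIP has been changed: each real server answers the HTTP (port 80) probe at /adfs/probe with 200, and the certificate a client receives through the VIP is the same one the AD FS nodes present, which is what end-to-end SSL passthrough looks like. The hostnames (adfs.example.com, adfs01/adfs02.corp.example.com) are placeholders; replace them with the published federation service name and the pool members.

```powershell
# Added example for this KB article (not Kemp or Microsoft code).
# Checks the AD FS load balancer requirements quoted in the Cause section:
#   1. plain HTTP probe on /adfs/probe returns 200 on every pool member
#   2. the certificate seen through the VIP matches the certificate on the nodes
# All hostnames are placeholders; set them to your own environment.
param(
    [string]   $AdfsFqdn = 'adfs.example.com',                                       # federation service name (placeholder)
    [string[]] $Nodes    = @('adfs01.corp.example.com', 'adfs02.corp.example.com')    # real servers behind the VIP (placeholders)
)

function Test-AdfsProbe {
    # Same request the LoadMaster health check should make: HTTP on port 80, no TLS, so no SNI involved.
    param([string]$HostName)
    try {
        $resp = Invoke-WebRequest -Uri "http://$HostName/adfs/probe" -UseBasicParsing -TimeoutSec 5
        [pscustomobject]@{ Host = $HostName; StatusCode = [int]$resp.StatusCode; Healthy = ([int]$resp.StatusCode -eq 200) }
    } catch {
        # Windows PowerShell throws on non-2xx and on connection failures; record whatever status is available.
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Host = $HostName; StatusCode = $code; Healthy = $false }
    }
}

function Get-RemoteCertThumbprint {
    # Opens a TLS session to $HostName:$Port sending $Sni as the server name, and returns the
    # SHA-1 thumbprint of the certificate the peer presents. Validation is deliberately disabled
    # because this only inspects which certificate is served; it never sends credentials.
    param([string]$HostName, [string]$Sni, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Sni)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $client.Close()
    }
}

# Certificate a client sees when connecting through the VIP with the published name as SNI.
$vipThumb = Get-RemoteCertThumbprint -HostName $AdfsFqdn -Sni $AdfsFqdn

foreach ($node in $Nodes) {
    $probe     = Test-AdfsProbe -HostName $node
    # Connect to the node directly but still send the federation service name as SNI,
    # since AD FS binds its certificate to that name (the 0.0.0.0 fallback binding is optional).
    $nodeThumb = Get-RemoteCertThumbprint -HostName $node -Sni $AdfsFqdn

    [pscustomobject]@{
        Node               = $node
        ProbeStatus        = $probe.StatusCode
        ProbeHealthy       = $probe.Healthy
        NodeCertThumbprint = $nodeThumb
        VipCertThumbprint  = $vipThumb
        CertMatchesVip     = ($nodeThumb -eq $vipThumb)
    }
}
```

Run it from a machine that can reach both the VIP and the individual nodes. ProbeHealthy must be true for every node, otherwise the LoadMaster will (correctly) take that node out of rotation. If CertMatchesVip is false, the VIP is presenting a different certificate than the AD FS servers, which means the load balancer is terminating TLS, the configuration the first requirement above rules out; a match is consistent with passthrough but does not prove it if the same certificate has also been imported onto the load balancer.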
Workaround:  
Notes:

https://support.kemptechnologies.com/hc/en-us/articles/10105380486413-AD-FS-v3

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements#BKMK_7
