ADFS 3.0 problems

0

Hi all,

I followed the documentation on how to set up ADFS with a Kemp, but I can't get it to work. When I try to connect to an ADFS link like the metadata link, I just get a "page can't be displayed" error. I've verified that ADFS works when bypassing the load balancer, but no luck when going through it. The configuration I'm confused on the most is the SNI host name. Am I supposed to specify one of the federation servers as the host name?

6 comments

0
derkiely

Could be routing related. Is L7 transparency enabled on the VS? If so, disable it or change your RS's default gateway. Do you see the actual HTTP error or does it time out?

0
jcortez

Transparency is disabled. I just got a timeout. I ended up entering the federation service FQDN as the SNI hostname and that did the trick. Now I'm working on getting the WAP connected. Thank you for your help.

0
Pierluigi Rendina

Hi, I'm facing a similar issue. I had no problem bringing up the Internal Farm, but even following the step-by-step, there is no way to bring up the Proxy Farm. And apart from Caching and Compression, the rest is basically the same.
Do you have any tips?

0
jcortez

@pierluigi.rendina. Are you referring to proxy communication internally? I had to configure the load balancer to allow the virtual services to use their own gateway instead of the global configuration. I had the VS use the IP of the firewall as the gateway. That did it for me.

0
Pierluigi Rendina

Hi,
what I meant is that even following Kemp instructions, the status is always red, with no way to bring up the VS. On the contrary, the Internal ADFS worked immediately following the same instructions. So if the instructions to set up the Proxy are wrong, I wonder where the culprit is.

0
Paul Crotty

You need at least firmware 7.1-18b for compatibility with ADFS 3.0.

You need to specify the SNI hostname in the health check as well as in the SSL Acceleration properties in order for ADFS 3.0 to function properly. Also enable HTTP/1.1 under real server health checks and specify your SNI hostname there.
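
The SNI dependency discussed in this thread can be confirmed by probing a federation server directly, once with the federation service FQDN sent as SNI and once without. This is an added example, not part of the thread or of any vendor documentation; the function names are hypothetical and the address and FQDN under `__main__` are placeholders to replace with your own.

```python
import socket
import ssl


def tls_handshake_ok(address, port, sni=None, timeout=5.0):
    """Return True if a TLS handshake with address:port completes.

    sni=None sends no server_name extension, which models a check that has
    no SNI hostname set (assumption about how such a check behaves).
    """
    ctx = ssl.create_default_context()
    # Handshake-only probe: no application data is sent and certificate trust
    # is not evaluated, so verification is off (required when sni is None).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return True
    except OSError:  # refused, reset, timeout, or TLS failure (ssl.SSLError)
        return False


def diagnose(with_sni, without_sni):
    """Map the two probe results to a short verdict."""
    if with_sni and not without_sni:
        return "sni-required"   # set the SNI hostname on the VS and health check
    if with_sni and without_sni:
        return "sni-optional"   # handshake is not the problem; look elsewhere
    if without_sni:
        return "name-rejected"  # server refuses this name; check the FQDN used
    return "unreachable"        # routing, firewall or service down


def check_real_server(address, fqdn, port=443, timeout=5.0):
    """Probe one real server by IP, with and without the service FQDN as SNI."""
    return diagnose(
        tls_handshake_ok(address, port, sni=fqdn, timeout=timeout),
        tls_handshake_ok(address, port, sni=None, timeout=timeout),
    )


if __name__ == "__main__":
    # Placeholders: a documentation-range IP and an example federation FQDN.
    print(check_real_server("192.0.2.10", "sts.example.com"))
```

Run it from a host on the same network path as the load balancer, so an "unreachable" verdict also reflects the gateway and routing issues raised earlier in the thread.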