Monday, February 20, 2017

ADFS and SNI

SNI, or Server Name Indicator, is an extension to TLS (Transport Layer Security, the evolutionary child of SSL/Secure Socket Layer) that permits multiple certificates (and therefore encrypted sessions) to be bound to the same TCP port.

Starting with ADFS v3.0 (aka ADFS for Windows Server 2012R2), Microsoft uses SNI by default. On the whole, this has little impact on most users of ADFS, but for one small, important subset: users that sit behind reverse proxy or hardware SSL-offload devices.

Readers of this blog know that I use the Citrix NetScaler VPX Express as a reverse proxy for my home lab; until I tried to stand up an ADFS server (running Server 2016) behind it—I'm going to start digging into Office 365 in a serious way and want the most seamless user experience—I'd never had a problem with it.

I just could NOT figure out why the ADFS system was immediately rejecting connections via NetScaler, while it was perfectly happy with local connections.

I knew things were problematic as soon as I did packet captures on the NetScaler: the [SYN]-[SYN, ACK]-[Client Hello] were immediately followed by [RST, ACK] and a dropped connection.


Once I "fired up" a copy of Wireshark and pulled some captures at the ADFS host, however, I was able to compare the difference between the NetScaler-proxied connections that were failing, and on-prem connections that were successful.



At that point, I could explicitly compare the two different [Client Hello] packets and see if I could tell the difference between the two...

Unfortunately, I started with comparing the protocols, ciphers and hash algorithms. It took a while to get the TLS1.2 setup just right to mimic the local connection, but no joy. But then I went after the extensions: only one extension was in the "misbehaving" [Client Hello]
There are a bunch of extensions in the "working" [Client Hello]:
holy crap

To make my task easier, I switched back to google-fu to see if I could narrow down the search; voila!

I found an article that talked about handling ADFS clients that don't support the SNI extension, and the lightbulb went on: my browsers do SNI, but with the NetScaler acting as a proxy SNI support is disabled by default.

Luckily there are two fixes:
  1. Update the ADFS server with a "blanket" or "fallback" binding for the ADFS service (see https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/)
  2. Update the NetScaler service entry (in the SSL Parameters section) to support SNI for the expected client hostname.
I went with the latter; that way I don't modify any more of the ADFS host than necessary, and because the NetScaler is essentially acting as a client while it's doing its proxy duties, that seemed to make the most sense.

Within a minute of adding the SNI extension, the ADFS system worked as expected.

27 comments:

  1. hey. Love your site content.
    I'm a bit of a newby on Netscaler and like you want to test at home.
    I want to be able to have 3 (SSL traffic) rediected. 1 storefront, 2 ADFS, 3 autodiscover. I want to test a hybrid exchange (2010) and O365 migration.

    ANY help would be greatly appreciated

    ReplyDelete
  2. Canon EOS M100 Right here is the perfect website for anyone who wants to understand this topic. You know a whole lot its almost tough to argue with you (not that I actually would want to…HaHa). You definitely put a fresh spin on a topic which has been written about for ages. Excellent stuff, just great!

    ReplyDelete
  3. Trading has become easier and comfortable with online trading applications.
    Advanced trading apps in India

    ReplyDelete
  4. Nice Information , Thanks For The Great Content

    Get started to Install, Setup, Connect, Print from your 123 hp setup printers. Easy to Download driver & Printer software from HP Envy,HP Officejet,HP Officejet Pro,HP Deskjet Printer Setup Driver Installation

    For More Support

    123.hp.com/Setup|123hp com/oj8049|123.hp.com/oj3830|123.hp.com/oj4650 | 123.hp.com/Setup ojpro|
    ojpro6968|

    ojpro6970|

    123.hp.com/ojpro6968|123.hp.com/ojpro6970|123.hp.com/ojpro6978|123.hp.com/ojpro8600|123.hp.com/ojpro8710|123.hp.com/ojpro8720

    ReplyDelete
  5. White Marquee Party Hire Adelaide is an Adelaide owned Party Hire Company

    ReplyDelete
  6. toptan iç giyim tercih etmenizin sebebi kaliteyi ucuza satın alabilmektir. Ürünler yine orjinaldir ve size sorun yaşatmaz. Yine de bilinen tekstil markalarını tercih etmelisiniz.

    Digitürk başvuru güncel adresine hoşgeldiniz. Hemen başvuru yaparsanız anında kurulum yapmaktayız.

    tutku iç giyim Türkiye'nin önde gelen iç giyim markalarından birisi olmasının yanı sıra en çok satan markalardan birisidir. Ürünleri hem çok kalitelidir hem de pamuk kullanımı daha fazladır.

    nbb sütyen hem kaliteli hem de uygun fiyatlı sütyenler üretmektedir. Sütyene ek olarak sütyen takımı ve jartiyer gibi ürünleri de mevcuttur. Özellikle Avrupa ve Orta Doğu'da çokça tercih edilmektedir.

    yeni inci sütyen kaliteyi ucuz olarak sizlere ulaştırmaktadır. Çok çeşitli sütyen varyantları mevcuttur. iç giyime damga vuran markalardan biridir ve genellikle Avrupa'da ismi sıklıkla duyulur.

    iç giyim ürünlerine her zaman dikkat etmemiz gerekmektedir. Üretimde kullanılan malzemelerin kullanım oranları, kumaşın esnekliği, çekmezlik testi gibi birçok unsuru aynı anda değerlendirerek seçim yapmalıyız.

    iç giyim bayanların erkeklere göre daha dikkatli oldukları bir alandır. Erkeklere göre daha özenli ve daha seçici davranırlar. Biliyorlar ki iç giyimde kullandıkları şeyler kafalarındaki ve ruhlarındaki özellikleri dışa vururlar.

    ReplyDelete
  7. I am always looking online for ideas that can help me...Thank you very much.. Visa for Turkey US citizen? Yes, it is possible for a US citizen to get a Turkey visa. All you have to do is apply online for Turkey e Visa for which the form is easily filled.

    ReplyDelete
  8. What a great explanation in yours posts.. International travelers who wish to travel to Azerbaijan for tourism and business purpose need to apply for Azerbaijan electronic visa through e visa application.

    ReplyDelete