Starting with ADFS v3.0 (aka ADFS for Windows Server 2012R2), Microsoft uses SNI by default. On the whole, this has little impact on most users of ADFS, but for one small, important subset: users that sit behind reverse proxy or hardware SSL-offload devices.
Readers of this blog know that I use the Citrix NetScaler VPX Express as a reverse proxy for my home lab; until I tried to stand up an ADFS server (running Server 2016) behind it—I'm going to start digging into Office 365 in a serious way and want the most seamless user experience—I'd never had a problem with it.
I just could NOT figure out why the ADFS system was immediately rejecting connections via NetScaler, while it was perfectly happy with local connections.
I knew things were problematic as soon as I did packet captures on the NetScaler: the [SYN]-[SYN, ACK]-[Client Hello] were immediately followed by [RST, ACK] and a dropped connection.
Once I "fired up" a copy of Wireshark and pulled some captures at the ADFS host, however, I was able to compare the difference between the NetScaler-proxied connections that were failing, and on-prem connections that were successful.
At that point, I could explicitly compare the two different [Client Hello] packets and see if I could tell the difference between the two...
Unfortunately, I started with comparing the protocols, ciphers and hash algorithms. It took a while to get the TLS1.2 setup just right to mimic the local connection, but no joy. But then I went after the extensions: only one extension was in the "misbehaving" [Client Hello]
To make my task easier, I switched back to google-fu to see if I could narrow down the search; voila!
I found an article that talked about handling ADFS clients that don't support the SNI extension, and the lightbulb went on: my browsers do SNI, but with the NetScaler acting as a proxy SNI support is disabled by default.
Luckily there are two fixes:
- Update the ADFS server with a "blanket" or "fallback" binding for the ADFS service (see https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/)
- Update the NetScaler service entry (in the SSL Parameters section) to support SNI for the expected client hostname.
I went with the latter; that way I don't modify any more of the ADFS host than necessary, and because the NetScaler is essentially acting as a client while it's doing its proxy duties, that seemed to make the most sense.
Within a minute of adding the SNI extension, the ADFS system worked as expected.
hey. Love your site content.
ReplyDeleteI'm a bit of a newby on Netscaler and like you want to test at home.
I want to be able to have 3 (SSL traffic) rediected. 1 storefront, 2 ADFS, 3 autodiscover. I want to test a hybrid exchange (2010) and O365 migration.
ANY help would be greatly appreciated
Great Article
ReplyDeleteCyber Security Projects
projects for cse
Networking Projects
JavaScript Training in Chennai
JavaScript Training in Chennai
Canon EOS M100 Right here is the perfect website for anyone who wants to understand this topic. You know a whole lot its almost tough to argue with you (not that I actually would want to…HaHa). You definitely put a fresh spin on a topic which has been written about for ages. Excellent stuff, just great!
ReplyDeletehttps://wikidemy.ir
ReplyDeletehttps://wikidemy.ir
https://wikidemy.ir
https://wikidemy.ir
https://wikidemy.ir
https://wikidemy.ir
https://wikidemy.ir
https://softwarecosts.com
ReplyDeletehttps://softwarecosts.com
https://www.webtargetedtraffic.com
ReplyDeletehttps://www.webtargetedtraffic.com
شرکت تصفیه آب صنعتی
ReplyDeleteNice Information , Thanks For The Great Content
ReplyDeleteGet started to Install, Setup, Connect, Print from your 123 hp setup printers. Easy to Download driver & Printer software from HP Envy,HP Officejet,HP Officejet Pro,HP Deskjet Printer Setup Driver Installation
For More Support
123.hp.com/Setup|123hp com/oj8049|123.hp.com/oj3830|123.hp.com/oj4650 | 123.hp.com/Setup ojpro|
ojpro6968|
ojpro6970|
123.hp.com/ojpro6968|123.hp.com/ojpro6970|123.hp.com/ojpro6978|123.hp.com/ojpro8600|123.hp.com/ojpro8710|123.hp.com/ojpro8720
Best Event Hire in Adelaide Region.
ReplyDeleteEvent Hire in Adelaide
White Marquee Party Hire Adelaide is an Adelaide owned Party Hire Company
ReplyDeletetoptan iç giyim tercih etmenizin sebebi kaliteyi ucuza satın alabilmektir. Ürünler yine orjinaldir ve size sorun yaşatmaz. Yine de bilinen tekstil markalarını tercih etmelisiniz.
ReplyDeleteDigitürk başvuru güncel adresine hoşgeldiniz. Hemen başvuru yaparsanız anında kurulum yapmaktayız.
tutku iç giyim Türkiye'nin önde gelen iç giyim markalarından birisi olmasının yanı sıra en çok satan markalardan birisidir. Ürünleri hem çok kalitelidir hem de pamuk kullanımı daha fazladır.
nbb sütyen hem kaliteli hem de uygun fiyatlı sütyenler üretmektedir. Sütyene ek olarak sütyen takımı ve jartiyer gibi ürünleri de mevcuttur. Özellikle Avrupa ve Orta Doğu'da çokça tercih edilmektedir.
yeni inci sütyen kaliteyi ucuz olarak sizlere ulaştırmaktadır. Çok çeşitli sütyen varyantları mevcuttur. iç giyime damga vuran markalardan biridir ve genellikle Avrupa'da ismi sıklıkla duyulur.
iç giyim ürünlerine her zaman dikkat etmemiz gerekmektedir. Üretimde kullanılan malzemelerin kullanım oranları, kumaşın esnekliği, çekmezlik testi gibi birçok unsuru aynı anda değerlendirerek seçim yapmalıyız.
iç giyim bayanların erkeklere göre daha dikkatli oldukları bir alandır. Erkeklere göre daha özenli ve daha seçici davranırlar. Biliyorlar ki iç giyimde kullandıkları şeyler kafalarındaki ve ruhlarındaki özellikleri dışa vururlar.
I am always looking online for ideas that can help me...Thank you very much.. Visa for Turkey US citizen? Yes, it is possible for a US citizen to get a Turkey visa. All you have to do is apply online for Turkey e Visa for which the form is easily filled.
ReplyDeleteWhat a great explanation in yours posts.. International travelers who wish to travel to Azerbaijan for tourism and business purpose need to apply for Azerbaijan electronic visa through e visa application.
ReplyDeleteAttractive component of the material. I just stumbled across your web site and accession capital to say that I really enjoyed your site. With just a few clicks, foreign nationals can apply for a Kenya online visa application from their home. Fill the form with accurate and complete information about the passenger's data.
ReplyDeleteThanks for sharing excellent information. Keep sharing such useful information.. Visa extension India, Government of India has provided an easy-to-use method to apply for an Indian visa extension (FRRO Visa Extension) through a simple online application form.
ReplyDeleteI like your blog a lot. Thanks... Indian e visa fees for Australian citizens, Australian citizens can be checked online Indian e visa fee. Apply for Indian visa from Australia online and pay Indian e visa fee , Indian e visa Fee depends on your nationality and your visa type.
ReplyDeleteI appreciate your efforts... Thanks for this article... keep it up... The question is India issuing tourist visas? Good news for international travelers India started issuing tourist visas again and travelers have more time to explore India because the Indian government restored long-term visas.
ReplyDeletebeykoz daikin klima servisi
ReplyDeleteçekmeköy beko klima servisi
ataşehir beko klima servisi
maltepe lg klima servisi
kadıköy lg klima servisi
maltepe alarko carrier klima servisi
üsküdar daikin klima servisi
pendik beko klima servisi
tuzla lg klima servisi
Good text Write good content success. Thank you
ReplyDeletetipobet
betmatik
kralbet
bonus veren siteler
mobil ödeme bahis
betpark
poker siteleri
kibris bahis siteleri
sultangazi
ReplyDeleteordu
mardin
bodrum
sincan
XİJB
çorum
ReplyDeleteantep
ısparta
hatay
mersin
ZQOU5
kıbrıs
ReplyDeleteedirne
muş
trabzon
balıkesir
AQ0B
salt likit
ReplyDeletesalt likit
dr mood likit
big boss likit
dl likit
dark likit
C32
salt likit
ReplyDeletesalt likit
RBCMVX
tokat
ReplyDeleteankara
trabzon
istanbul
izmir
izmit
kocaeli
8CF