Monday, February 20, 2017

ADFS and SNI

SNI, or Server Name Indication, is an extension to TLS (Transport Layer Security, the evolutionary child of SSL/Secure Sockets Layer) in which the client names the host it wants to reach inside its Client Hello. That lets a server hold multiple certificates (and therefore multiple hostnames, each with its own encrypted session) on the same IP address and TCP port and pick the right certificate before the handshake completes.

Starting with ADFS v3.0 (aka ADFS for Windows Server 2012 R2), Microsoft binds the service certificate to the federation service hostname (an HTTP.SYS hostname:port binding) rather than to an IP address and port, so the server relies on SNI by default. On the whole this has little impact on most users of ADFS, except for one small but important subset: users whose ADFS sits behind a reverse proxy or hardware SSL-offload device that re-encrypts to the back end without sending SNI.

Readers of this blog know that I use the Citrix NetScaler VPX Express as a reverse proxy for my home lab; until I tried to stand up an ADFS server (running Server 2016) behind it—I'm going to start digging into Office 365 in a serious way and want the most seamless user experience—I'd never had a problem with it.

I just could NOT figure out why the ADFS system was immediately rejecting connections via NetScaler, while it was perfectly happy with local connections.

I knew things were problematic as soon as I did packet captures on the NetScaler: the [SYN]-[SYN, ACK]-[Client Hello] sequence was immediately followed by [RST, ACK] and a dropped connection.


Once I "fired up" a copy of Wireshark and pulled some captures at the ADFS host, however, I was able to compare the NetScaler-proxied connections that were failing with the on-prem connections that were succeeding.



At that point, I could explicitly compare the two different [Client Hello] packets and see if I could tell the difference between the two...

Unfortunately, I started by comparing the protocols, ciphers and hash algorithms. It took a while to get the TLS 1.2 setup just right to mimic the local connection, but no joy. Then I went after the extensions: only one extension was present in the "misbehaving" [Client Hello], while there were a bunch of extensions in the "working" [Client Hello]. Holy crap.

To make my task easier, I switched back to google-fu to see if I could narrow down the search; voila!

I found an article that talked about handling ADFS clients that don't support the SNI extension, and the lightbulb went on: my browsers send SNI, but the NetScaler terminates the browser's TLS session and opens its own TLS connection to the back-end service, and on that back-end connection SNI is disabled by default. Because ADFS on 2012 R2 and later has only a hostname-bound certificate, a Client Hello with no server_name extension matches no binding, the host has no certificate to offer, and it resets the connection, which is exactly the [RST, ACK] in the capture.
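The check I would want before and after any fix is to reproduce the symptom from an ordinary Windows box rather than from the NetScaler: one handshake that sends SNI (what a browser does) and one that does not (what the NetScaler's default back-end connection does). The following is an added example, not code from the original post or from Microsoft or Citrix. It assumes that SChannel, and therefore .NET's SslStream, omits the server_name extension when the target name is an IP literal (RFC 6066 forbids IP addresses in SNI), so handshaking "to the IP" stands in for a non-SNI client; the host and IP names are placeholders.

```powershell
# Added example: handshake against ADFS with and without SNI and report the outcome.
# Assumption: SChannel sends no server_name extension when the target name is an IP literal.
function Test-TlsSni {
    param(
        [Parameter(Mandatory)][string]$HostName,   # federation service FQDN, e.g. adfs.example.com (placeholder)
        [Parameter(Mandatory)][string]$IPAddress,  # the ADFS host's IP, e.g. 192.0.2.10 (placeholder)
        [int]$Port = 443
    )

    # Accept any certificate: the question is only whether the server completes the handshake.
    $ignoreCert = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }

    $attempts = @(
        @{ Mode = 'with SNI (browser-like)';        TargetName = $HostName  }
        @{ Mode = 'no SNI (NetScaler default-like)'; TargetName = $IPAddress }
    )

    foreach ($a in $attempts) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($IPAddress, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreCert)
            # TLS 1.2 matches what the post's browsers negotiated; the target name decides whether SNI is sent.
            $ssl.AuthenticateAsClient($a.TargetName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            [pscustomobject]@{
                Mode    = $a.Mode
                Result  = 'handshake OK'
                Subject = $ssl.RemoteCertificate.Subject
            }
            $ssl.Dispose()
        }
        catch {
            # A host that has only a hostname-bound (SNI) certificate resets the no-SNI attempt here.
            [pscustomobject]@{
                Mode    = $a.Mode
                Result  = 'FAILED: ' + $_.Exception.GetBaseException().Message
                Subject = $null
            }
        }
        finally {
            $client.Dispose()
        }
    }
}

# Usage (placeholder names):
# Test-TlsSni -HostName adfs.example.com -IPAddress 192.0.2.10 | Format-Table -AutoSize
```

On an unmodified 2012 R2 or 2016 ADFS host the first row succeeds and the second fails with a connection-reset style error; after either of the fixes below the second row should succeed as well. Run it from the NetScaler's subnet if you want to rule out anything in between.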

Luckily there are two fixes:
  1. Update the ADFS server with a "blanket" or "fallback" binding for the ADFS service: an HTTP.SYS certificate binding on ipport 0.0.0.0:443 (added with netsh http add sslcert) that reuses the certificate and application ID of the existing hostname binding, so a client that sends no SNI still gets the federation service certificate (see https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/). Note that a 0.0.0.0:443 binding answers every non-SNI HTTPS connection on every address of the host, so it only belongs on a host that is dedicated to ADFS.
  2. Update the NetScaler service entry (in the SSL Parameters section) to enable SNI toward the back end and set the federation service FQDN as the server name the NetScaler sends in its own Client Hello.
I went with the latter; that way I don't modify the ADFS host any more than necessary, and because the NetScaler is essentially acting as a TLS client while it's doing its proxy duties, that seemed to make the most sense.
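For anyone who takes the first route instead, here is an added example (not from the original post, and not the linked Microsoft article's own script) that clones the existing ADFS hostname:443 SNI binding into a 0.0.0.0:443 fallback binding. It reads the certificate hash, application ID and store from netsh http show sslcert rather than hard-coding them, so it assumes only that the federation service name you pass has a hostname:443 binding on the host; run it elevated on the ADFS server. The NetScaler-side fix (enabling back-end SNI on the service) is a NetScaler setting and is not part of this script.

```powershell
# Added example: create an HTTP.SYS fallback (non-SNI) binding for ADFS on 0.0.0.0:443
# by copying the certificate and application ID from the existing hostname:443 binding.

function Get-HttpSysSslBindings {
    # Parse the text output of 'netsh http show sslcert' into objects, one per binding.
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ Kind = $Matches[1]; Binding = $Matches[2]; CertHash = $null; AppId = $null; Store = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Add-AdfsFallbackBinding {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,  # e.g. adfs.example.com (placeholder)
        [switch]$WhatIf
    )

    $bindings = Get-HttpSysSslBindings
    $sni = $bindings | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Binding -eq "${FederationServiceName}:443" }
    if (-not $sni) {
        throw "No hostname binding found for ${FederationServiceName}:443; is this the ADFS host?"
    }
    if ($bindings | Where-Object { $_.Binding -eq '0.0.0.0:443' }) {
        Write-Warning 'A 0.0.0.0:443 binding already exists; leaving it alone.'
        return
    }

    # ADFS bindings normally live in the machine MY store; netsh prints "(null)" when no store is recorded.
    $store = if ($sni.Store -and $sni.Store -ne '(null)') { $sni.Store } else { 'MY' }

    $args = @(
        'http', 'add', 'sslcert',
        'ipport=0.0.0.0:443',
        "certhash=$($sni.CertHash)",
        "appid=$($sni.AppId)",        # same application ID as the SNI binding, so ADFS (not IIS) owns it
        "certstorename=$store"
    )
    if ($WhatIf) {
        Write-Host ('Would run: netsh ' + ($args -join ' '))
        return
    }
    & netsh @args
    # Show the result so the new IP:port binding can be checked next to the Hostname:port one.
    Get-HttpSysSslBindings | Where-Object { $_.Binding -in @('0.0.0.0:443', "${FederationServiceName}:443") }
}

# Usage (placeholder name): Add-AdfsFallbackBinding -FederationServiceName adfs.example.com -WhatIf
```

Use -WhatIf first and check that the certificate hash printed is the federation service certificate, not a stray IIS or WinRM certificate on the same host. After adding the binding, a handshake with no SNI should return the same certificate as one with SNI; if the host later gets a new service certificate, remember that the fallback binding has to be updated too, since ADFS only rotates its own hostname binding.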

Within a minute of enabling SNI on the NetScaler service, the ADFS system worked as expected.

25 comments:

  1. Hey. Love your site content.
    I'm a bit of a newbie on NetScaler and like you want to test at home.
    I want to be able to have 3 (SSL traffic) redirected: 1 StoreFront, 2 ADFS, 3 autodiscover. I want to test a hybrid Exchange (2010) and O365 migration.

    ANY help would be greatly appreciated