Deploying F5 with Microsoft ADFS

I thought I would fill in some information the F5 deployment guide
(microsoft-adfs-dg.pdf) leaves out. That guide is written for deploying
ADFS 2.0 on Server 2012 with the ADFS proxy role. In Windows Server 2012 R2
ADFS you don't have the ADFS proxy role any more; you use the Web
Application Proxy (WAP) role service, a component of the Remote Access role.

If you follow the F5 guide with Windows Server 2012 R2,
your ADFS and WAP pools will fail their health checks (monitors)
and the virtual server will not be brought online because the F5
will mistakenly believe that your pool servers are down.

In Windows Server 2012 R2, IIS and the Web server engine have a new
architecture that supports the SNI extension to TLS.
The connecting machine tells the server which host name it is trying to
reach as part of the HTTPS session setup, so that one IP address
can be used to host multiple HTTPS sites with different certificates.

The fact that Windows 2012 R2 uses SNI gets in the way of the HTTPS
health checks that the F5 ADFS 2.0 deployment guide has you configure.

Solutions:
1. You can work around it by replacing the HTTPS health checks with TCP
Half Open checks, which connect to the pool servers on the target TCP port and wait for the ACK. If they receive it, the server is marked up.

2. For long-term use, the HTTPS health checks are better; they allow
you to configure the health check to probe a specific URL and require
a specific response back before a server in the pool is declared
healthy. This is better than ICMP or TCP checks, which only check for
ping responses or TCP port responses. It's entirely possible for a
machine to be up on the network with IIS answering connections while
something is misconfigured in WAP or ADFS, so it is not actually a
viable service. Good health checks save debugging time.

The Best Way:
3. The right way is to read and follow this F5 DevCentral blog post
(https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni) to configure your BIG-IP device with a new SNI-aware monitor; you're going to want it for all of the Windows Server 2012 R2 Web servers you deploy over the next several years.

This process is a little convoluted – you have to upload a script to the F5 and pass in custom parameters. At the end of the day, you will have a properly configured monitor that not only supports SNI connections to the correct hostname, but uses the specific URI to ensure that the ADFS federation XML is returned by your servers.
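To make concrete what such a monitor has to do differently from the plain HTTPS check in the deployment guide, here is an added example in Python (not the DevCentral script, and not F5 or Microsoft code). It sets the SNI name on the TLS handshake, sends the Host header to match, requests the federation metadata document and only reports the node up when the expected XML marker comes back. The host names, IP, marker string and constructed sample responses are assumptions; the metadata path is the standard ADFS one but should be confirmed on your own farm.

```python
"""SNI-aware HTTPS health probe for an ADFS / WAP pool member (added example).

Opens a TLS session to a pool member's IP while presenting the federation
service name via SNI, requests the federation metadata document, and only
returns "up" when the response is HTTP 200 and carries the expected marker.
All host names, IPs, the marker and the sample responses are assumptions.
"""
import socket
import ssl
import sys

# Standard ADFS federation metadata path (assumed; confirm on your farm).
METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"
# Marker that must appear in the body for the node to count as healthy.
EXPECTED_MARKER = b"<EntityDescriptor"

# Constructed sample responses, standing in for what a pool member might send.
SAMPLE_RESPONSES = {
    "healthy": (b"HTTP/1.1 200 OK\r\nContent-Type: application/samlmetadata+xml\r\n\r\n"
                b'<EntityDescriptor entityID="http://sts.example.com/adfs/services/trust"/>'),
    "wap_503": b"HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n\r\n<html/>",
    "iis_default": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>IIS</html>",
}


def build_probe_request(sni_host: str, path: str = METADATA_PATH) -> bytes:
    """Build the HTTP/1.1 request the monitor sends.

    The Host header must match the SNI name: IIS on 2012 R2 selects the
    binding (and certificate) from SNI, so a probe without it never reaches
    the ADFS site and the node looks down.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {sni_host}\r\n"
        "User-Agent: sni-health-probe\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def evaluate_response(raw: bytes, marker: bytes = EXPECTED_MARKER) -> bool:
    """Return True only for an HTTP 200 whose body contains the marker.

    A TCP half-open check would pass as soon as the port answers; this check
    fails for a 503 from a broken WAP and for an IIS default page.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    status_parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(status_parts) < 2 or not status_parts[0].startswith(b"HTTP/1."):
        return False
    if status_parts[1] != b"200":
        return False
    return marker in body


def probe(member_ip: str, sni_host: str, port: int = 443,
          timeout: float = 5.0, verify: bool = True) -> bool:
    """Connect to one pool member by IP but present sni_host in the TLS SNI."""
    ctx = ssl.create_default_context()
    if not verify:  # only for lab use; production probes should verify the cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((member_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
                tls.sendall(build_probe_request(sni_host))
                chunks = []
                while True:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
        return evaluate_response(b"".join(chunks))
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name}: {'UP' if evaluate_response(raw) else 'DOWN'}")
    # Live probe: python probe.py <member-ip> <federation-service-name>
    if len(sys.argv) == 3:
        print("live:", "UP" if probe(sys.argv[1], sys.argv[2]) else "DOWN")
```

Run without arguments to see the three constructed cases evaluated; with a pool member IP and the federation service name it performs the real probe. The point to carry over to the BIG-IP monitor is the pairing of SNI name, Host header and metadata URI: drop any one of them and a perfectly healthy 2012 R2 node will be marked down.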

An SNI-aware F5 monitor (from DevCentral)

As a side note, almost everyone seems to be calling the ADFS flavor on Windows Server 2012 R2 “ADFS 3.0.” Everyone, that is, except for Microsoft. It’s not a 3.0; as I understand it the biggest differences have to do with the underlying server architecture, not the ADFS functionality on top of it per se. So don’t call it that, but recognize most other people will. It’s just AD FS 2012 R2.

Resources:

microsoft-adfs-dg

SSL Termination with Web Application Proxy and AD FS 2012 R2

Active Directory Federation Services Overview

Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”

Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”

Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”

Big-IP and ADFS Part 4 – “What about Single Sign-Out?”

Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI”
