I found a Citrix article about ADFS 3.0 that refer to the fact that Netscaler doesn't support the sni feature for the backend server that is used in ADFS 3.0 which is most likely causing headache to ADFS 3.0 users.
http://support.citrix.com/article/CTX125798
The citrix article refer you to this microsoft article that talk about a way to partially disable the SNI feature for ADFS 3.0...
http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
Here's the code and some comments :
*********
Begin Starting Notes *******
This config is for Netscaler 10.1 (Currently at Build 129.11 but it's been working with previous 10.1. build)
Your Netscaler must be licensed for "AAA - Traffic management" and it must be enable under settings -> "Configure Basic Features" (Authentication, Authorization and Auditing)
Your ADFS URL must be reachable by DNS externally (you can't authenticate using IP address, it has to be a DNS name, worst case scenario you can edit your host file temporarily for testing)
you need to have an external IP address available to Setup the Reverse Proxy
If you have multiple domain, you can easily repeat the config for the second domain and add the 2nd LDAP policy to the authentication Vserver with a different priority
Example: bind authentication Vserver vs_Auth.Company.com -policy Subdomain2.Company.com -priority 110
The domain settings in the Netscaler is not related to the AD domain but to the domain in the FQDN url (i.e.: email domain, If your internal domain is company.local and your website is company.com then the domain you set in the Netscaler is company.com)
********* End Starting Notes *******
********* Begin configuration code *******
enable ns feature AAA LB CS SSL SSLVPN REWRITE RESPONDER
add serviceGroup SG_LDAP_CORP_389 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp1 389 -CustomServerID "\"None\""
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp2 389 -CustomServerID "\"None\""
add lb vserver LB_LDAP_CORP TCP 192.168.1.79 389 -persistenceType NONE -cltTimeout 9000
bind lb vserver LB_LDAP_CORP SG_LDAP_CORP_389
add authentication ldapAction LDAP-LB_LDAP_corp -serverIP 192.168.1.79 -authTimeout 5 -ldapBase "DC=corp,DC=Company,DC=com" -ldapBindDn netscaler@corp.Company.com -ldapBindDnPassword TypeThePasswordForTheAccountHere -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 4 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapPolicy corp.Company.com ns_true LDAP-LB_LDAP_corp
add authentication vserver vs_Auth.Company.com SSL 192.167.233.32 443 -AuthenticationDomain Company.com
bind authentication vserver vs_Auth.Company.com -policy corp.Company.com -priority 100
set tm sessionParameter -SSO ON
add serviceGroup SG_ADFS_HTTPS SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_ADFS_HTTPS ADFS_Server1 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS ADFS_Server2 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS -monitorName https-ecv
add lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SSL 192.167.233.30 443 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -AuthenticationHost auth.Company.com -Authentication ON
bind lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SG_ADFS_HTTPS
bind ssl vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest -certkeyName Company-wildcard
*************** This part is related to RSA and is optional but we require that user authenticate using their AD password AND RSA token, make sure the LDAP part works fine before adding secondary authentication ***************
add serviceGroup SG_RSA_1645 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_RSA_1645 RSA-AM-Server1 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 RSA-AM-Server2 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 -monitorName ping
add lb vserver LB_RSA-AM RADIUS 192.168.1.14 1645 -persistenceType SOURCEIP -timeout 700 -cltTimeout 120
bind lb vserver LB_RSA-AM SG_RSA_1645
add authentication radiusAction LB_RSA-AM_srv -serverIP 192.168.1.14 -serverPort 1645 -radKey YourRadiusSharedSecretHere -encrypted
add authentication radiusPolicy Radius-Company ns_true LB_RSA-AM_srv
bind authentication vserver vs_Auth.Company.com -policy Radius-Company -priority 100 -secondary
********* End configuration code *******
*************** Begin Ending Notes ***************
For LDAP authentication action, you have to create a standard user (no special right required except "password never expire") for the netscaler to use this account to log in to the LDAP server and check for the user credential. The GUI offer an option to test the LDAP credential to make sure the connection works.
The Domain you set on your ADFS_Proxy_replacement and on your Auth.company.com MUST MATCH with the domain in the URL your users are sent for the ADFS authentication. My ADFS is setup as fs.company.com, this is the name clients will connect to, and so it must be resolvable via DNS externally.
Fs.company.com must resolve to your LB_ADFS_Proxy_Replacement_FullAuth_Forest
*************** Finish Ending Notes ***************
This config is for Netscaler 10.1 (Currently at Build 129.11 but it's been working with previous 10.1. build)
Your Netscaler must be licensed for "AAA - Traffic management" and it must be enable under settings -> "Configure Basic Features" (Authentication, Authorization and Auditing)
Your ADFS URL must be reachable by DNS externally (you can't authenticate using IP address, it has to be a DNS name, worst case scenario you can edit your host file temporarily for testing)
you need to have an external IP address available to Setup the Reverse Proxy
If you have multiple domain, you can easily repeat the config for the second domain and add the 2nd LDAP policy to the authentication Vserver with a different priority
Example: bind authentication Vserver vs_Auth.Company.com -policy Subdomain2.Company.com -priority 110
The domain settings in the Netscaler is not related to the AD domain but to the domain in the FQDN url (i.e.: email domain, If your internal domain is company.local and your website is company.com then the domain you set in the Netscaler is company.com)
********* End Starting Notes *******
********* Begin configuration code *******
enable ns feature AAA LB CS SSL SSLVPN REWRITE RESPONDER
add serviceGroup SG_LDAP_CORP_389 TCP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 9000 -svrTimeout 9000 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp1 389 -CustomServerID "\"None\""
bind serviceGroup SG_LDAP_CORP_389 DomainControllerCorp2 389 -CustomServerID "\"None\""
add lb vserver LB_LDAP_CORP TCP 192.168.1.79 389 -persistenceType NONE -cltTimeout 9000
bind lb vserver LB_LDAP_CORP SG_LDAP_CORP_389
add authentication ldapAction LDAP-LB_LDAP_corp -serverIP 192.168.1.79 -authTimeout 5 -ldapBase "DC=corp,DC=Company,DC=com" -ldapBindDn netscaler@corp.Company.com -ldapBindDnPassword TypeThePasswordForTheAccountHere -encrypted -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -nestedGroupExtraction ON -maxNestingLevel 4 -groupNameIdentifier samAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
add authentication ldapPolicy corp.Company.com ns_true LDAP-LB_LDAP_corp
add authentication vserver vs_Auth.Company.com SSL 192.167.233.32 443 -AuthenticationDomain Company.com
bind authentication vserver vs_Auth.Company.com -policy corp.Company.com -priority 100
set tm sessionParameter -SSO ON
add serviceGroup SG_ADFS_HTTPS SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_ADFS_HTTPS ADFS_Server1 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS ADFS_Server2 443 -CustomServerID "\"None\""
bind serviceGroup SG_ADFS_HTTPS -monitorName https-ecv
add lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SSL 192.167.233.30 443 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180 -AuthenticationHost auth.Company.com -Authentication ON
bind lb vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest SG_ADFS_HTTPS
bind ssl vserver LB_ADFS_Proxy_Replacement_FullAuth_Forest -certkeyName Company-wildcard
*************** This part is related to RSA and is optional but we require that user authenticate using their AD password AND RSA token, make sure the LDAP part works fine before adding secondary authentication ***************
add serviceGroup SG_RSA_1645 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
bind serviceGroup SG_RSA_1645 RSA-AM-Server1 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 RSA-AM-Server2 1645 -CustomServerID "\"None\""
bind serviceGroup SG_RSA_1645 -monitorName ping
add lb vserver LB_RSA-AM RADIUS 192.168.1.14 1645 -persistenceType SOURCEIP -timeout 700 -cltTimeout 120
bind lb vserver LB_RSA-AM SG_RSA_1645
add authentication radiusAction LB_RSA-AM_srv -serverIP 192.168.1.14 -serverPort 1645 -radKey YourRadiusSharedSecretHere -encrypted
add authentication radiusPolicy Radius-Company ns_true LB_RSA-AM_srv
bind authentication vserver vs_Auth.Company.com -policy Radius-Company -priority 100 -secondary
********* End configuration code *******
*************** Begin Ending Notes ***************
For LDAP authentication action, you have to create a standard user (no special right required except "password never expire") for the netscaler to use this account to log in to the LDAP server and check for the user credential. The GUI offer an option to test the LDAP credential to make sure the connection works.
The Domain you set on your ADFS_Proxy_replacement and on your Auth.company.com MUST MATCH with the domain in the URL your users are sent for the ADFS authentication. My ADFS is setup as fs.company.com, this is the name clients will connect to, and so it must be resolvable via DNS externally.
Fs.company.com must resolve to your LB_ADFS_Proxy_Replacement_FullAuth_Forest
*************** Finish Ending Notes ***************
Hi - does this config work ok for full Outlook and Lync clients?
RépondreEffacerI have not tested if this ADFS setup work with the full outlook and Lync client as we're not using ADFS to authenticate external Outlook or Lync client since they are on premise and not in the cloud. We're using this to authenticate only using passive ADFS to log in O365 and other federated partner. Outlook services are authenticated by our netscaler using AAATM either as Form base (OWA/ECP) or 401 Auth (ActiveSync, EWS). As for Lync it was deployed with the Lync Edge before we started using ADFS or doing authentication on the Netscaler.
RépondreEffacerHi, can you please share your ActiveSync configuration on the Netscaler using AAA? Thanks
RépondreEffacerHi, can you please share your ActiveSync configuration on the Netscaler using AAA? Thanks
RépondreEffacerI posted a new blog article with the exchange configuration on my Netscaler.
Effacer