Forum Discussion
AD FS 2012 R2 and F5 Load Balancing
I am running into some issues with configuring AD FS 2012 R2 with the F5s. I am hosting the SSL certificate on the AD FS 2012 R2 servers and have set up the port 443 virtual service with "none" for the Http Profile. I can authenticate normally now (I could not when the Http Profile was set to http) but when I attempt to utilize certificate authentication it does not work. This requires port 49443 in this version of AD FS. I created a pool that contains ADFSBox1:49443 as the only member. I then created a virtual server using port 49443 and the same IP address of my 443 virtual server. It attempts to do the certificate authentication portion of it but fails and I get an "Internet Explorer cannot display the webpage" message.
I have been able to verify that it's working on the AD FS side by using a host record on my test machine. I force it to resolve the DNS name to the IP address of the AD FS Server and all functions work without issue there. When I remove the host record and it again resolves the DNS name to the F5 it again has issues. Does anyone have experience load balancing AD FS 2012 R2 (3.0)? Do I need to point 49443 virt to the server's 443 pool?
3 Replies
- Arnaud_Lemaire
Employee
Hi Alex, could you try to use a browser add-on like httpfox or iewatch to see if you don't have any kind of strange redirection during discussion?
- Kevin_Stewart
Employee
Interesting. Are you attempting to offload and re-encrypt SSL on the F5 for this traffic? The WWW-Authenticate header in the response almost suggests that the server is expecting some other form of identity assertion other than user certificate.
- Alex_Church_170
Nimbostratus
I did manage to configure this to work correctly. The key was to set the health monitor on the 49443 pool to use "TCP" instead of "HTTP". That setting combined with changing the HTTP Profile to "None" allowed the requests to be processed normally.
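
The working setup from the last reply, written as tmsh commands. This is an added example, not part of the thread: the object names and 192.0.2.x addresses are constructed placeholders, and it assumes TLS is passed through to AD FS, as in the original post where the certificate is hosted on the AD FS servers.

```tmsh
# Constructed values: adfs_certauth_pool, adfs_certauth_vs and the 192.0.2.x
# addresses are placeholders, not taken from the thread.

# Pool for the AD FS certificate-authentication port. The built-in "tcp"
# monitor only checks that the port accepts a connection. The built-in
# "http" monitor sends a plaintext GET, which a TLS-only listener on 49443
# cannot answer, so the member never passes that check.
create ltm pool adfs_certauth_pool members add { 192.0.2.11:49443 } monitor tcp

# Virtual server on the same address as the 443 virtual server. Only a TCP
# profile is attached: no HTTP profile and no client or server SSL profile,
# so the BIG-IP forwards the TLS session unmodified and the client
# certificate handshake happens directly between the browser and AD FS.
create ltm virtual adfs_certauth_vs destination 192.0.2.10:49443 ip-protocol tcp profiles add { tcp } pool adfs_certauth_pool

# Verify: the pool member should be reported as available by the monitor,
# and the virtual server should list only the tcp profile.
show ltm pool adfs_certauth_pool members
list ltm virtual adfs_certauth_vs profiles

# Persist the change.
save sys config
```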