Back
Featured image of post Microsoft AD FS behind a Load Balancer

Microsoft AD FS behind a Load Balancer

A friend called me today with a urgent question:

Why did our Load Balancer shows all Nodes in our AD FS Farm as down?

The answer is a bit complicated: AD FS (Active Directory Federation Services) doesn’t answer correct to the bind/probe and therefore, the Load Balancer marks the Server(s) as down. The Problem is Layer 6/7 and based on how Microsft handles SSL for SNI (Server Name Indication) within AD FS. WAP (Web Application Proxy) handles that, but most load balancers have an issue with that.

Here is what you do (in a regular, but elevated, Shell):

netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

Replace the ** with your Certificate Hash and check the APPID: netsh http show sslcert

The 443 instance is for the regular AD FS Business, Port 49443 is used for device registration. You might not need that if you want use Device Registration in AD FS.

Run this on all nodes of you AD FS Farm and you will see, that they will be marked as available within a few seconds.

I tested this with NGINX as Reverse Proxy (But just to see if it works), and I use it with HAProxy since a while and never had any issue with it. And I use AD FS a lot!

I know a few customers who use this with KEMP and F5 as Load Balancers in front of AD FS.

I published a Gist for that a while ago: