Forum Discussion

Nath
Jun 19, 2018

ADFS PROXY TRUST NOT WORKING

Hi experts, we are in a deployment of ADFS load balancing, so we will replace WAP using BIG-IP.

We've configured it using the ADFS iApp; however, when we try to enter the username and password to establish trust, there is an error that says it can't connect to ADFS.

Not sure if this has something to do with the FW or the ADFS config, but when we look at the pcap, the 3WHS is complete, but after the BIG-IP sends the Client Hello, the ADFS server sends an RST packet.

Would you guys know what the issue is, or have you encountered this before?

We will continue our troubleshooting tomorrow and will try to allow all traffic from the F5 to ADFS, and configure 1 pool member (ADFS server) only as part of isolation.

Thanks.

 

5 Replies

  • I ran into the same issue and the problem is that the SSL Client Hello sent by the BIG-IP must include Server Name Indication as an extension. To do this, create a server SSL profile and populate the 'Server Name' option.

  • Hello,

    Did you solve this problem? If yes, please share with me; I have the same issue.

    Thank you

  • Nath

    You need to check carefully the SNI and the server name of the AD Server.

     

  • Hi Nathaneil0227,

    I have already checked the ADFS server, but I do not know what the SNI should be. Should it be the FQDN of ADFS?

    Thank you

  • Nath

    Hi, in the wizard configuration of ADFS, there is a part where you will input the AD FQDN that the BIG-IP will establish ADFS trust with. That is the item that you need to check carefully.