Citrix ADC as AD FS Proxy

Citrix ADC version 12 as AD FS Proxy

Table of Contents

  • What is AD FS ?
  • Request to a 3rd Party AD FS Proxy
  • Sequence of an AD FS authentication
  • Setup AD FS Proxy
    • Requirements
    • Load Balancing
    • Content Switching
    • Rewrite
  • Test of the AD FS Proxy
  • Troubleshooting

This article describes how to build an AD FS Proxy from a Citrix ADC (version 12). The AD FS Proxy lets external clients authenticate to e.g. SaaS applications or websites via AD FS. The AD FS Proxy should provide the following:

  • URL / DoS Protection
  • Suitable external authentication (MFA, Forms instead of Kerberos)
  • Account Lockout Protection
  • Availability (Load Balancing)

What is AD FS ?

Active Directory Federation Services (AD FS) is a feature in the Windows Server operating system that allows identity information to be shared outside of the corporate network. Users can access applications (e.g. Office365, Salesforce.com, etc.) without being prompted to provide credentials again. These applications can be hosted locally, in the cloud, or even by other companies. The user accounts can be managed by the administrator in a single location, the Active Directory.

A typical AD FS deployment for external clients consists of an AD FS Proxy and an AD FS Server. The AD FS Server is a member of the domain and performs the authentication. The AD FS Proxy is usually located in a separate network zone (DMZ) so that it can be reached externally and forwards the requests inwards.

Request to a 3rd Party AD FS Proxy

Microsoft describes the requirements for a 3rd party AD FS proxy as follows:

  • Body
    The proxy must not change the body
  • Request Header
    All request headers must be passed 1:1 to the backend. The proxy may add its own headers
  • No 302 Redirect
    The proxy must not answer requests with a 302 redirect
  • URL /adfs/services/trust
    All responses to this URL must be returned 1:1
  • URL /adfs/services/trust/mex
    Requests to this URL must be forwarded to the URL /adfs/services/trust/proxymex in the backend
  • NTLM
    If NTLM login is also to be used via the proxy, affinity must be maintained so that subsequent requests go to the same backend server
  • HTTP Header (X-MS-Proxy)
    This header must be added to every request so that the backend can see that the request came through a proxy and that the extranet configuration has to be used. This is required for Account Lockout Protection.

Sequence of an AD FS authentication

To understand how AD FS works, let’s look at what happens when a federated user tries to log in to Office365:

  1. A user tries to log in to Office365 with his User Principal Name (UPN)
  2. The authentication platform checks the UPN and determines that the user is a federation identity. The authentication request is redirected to the user’s AD FS server. The platform knows the URL because a trust was previously set up between the AD FS Infrastructure and Office365 (Federation Trust).
  3. The client connects to the AD FS Proxy and provides credentials.
  4. The AD FS Proxy forwards the authentication request to the AD FS server.
  5. The AD FS server verifies the credentials through the local Active Directory.
  6. When the credentials have been verified, a domain controller returns a Kerberos token to the AD FS server.
  7. The AD FS server ignores the Kerberos token and creates a new AD FS token, which it forwards to the AD FS Proxy.
  8. The AD FS Proxy forwards the AD FS token to the client.
  9. The client passes the AD FS token to Office365 and is authenticated.
(Figure: ADFS Proxy Auth)

Setup AD FS Proxy

In my guide, I configure a Citrix ADC (version 12) as an AD FS Proxy for external authentication.

Requirements

I assume the following things and do not go into detail about them:

  • Citrix ADC with successful base configuration
  • Internal and external DNS records for AD FS
  • Certificates for DNS entries (wildcard certificates are the easiest)
  • Configured AD FS infrastructure

Load Balancing

First, create a service group for your existing AD FS servers.

(Screenshot: Citrix ADC Service Group Add)
  • In the Citrix ADC navigation panel, click Traffic Management > Load Balancing > Service Groups
  • Click Add to create a new service group
  • Give the service group a name (e.g. ADFS_SvcGroup) and select SSL as Protocol
  • Confirm the entry with OK
(Screenshot: Load Balancing Service Group)
  • In the following window, click No Service Group Member and add the AD FS servers via Select (by IP or FQDN)
(Screenshot: Service Group Add Server)
  • In the Load Balancing Service Group window, click the pencil icon in Settings and configure the following:
    • Surge Protection (selected)
    • Use Proxy Port (selected)
    • Down State Flush (selected)
    • HTTP Compression (selected)
    • Client IP (selected)
    • Header (X-MS-Forwarded-Client-IP)
(Screenshot: Service Group Settings)

Now a load balancing vServer is created for the AD FS Proxy.

  • To do this, navigate to Traffic Management > Load Balancing > Virtual Servers
  • Via Add, create a new virtual server and configure the Basic Settings in the following window:
    • Name (e.g. ADFS_LB_Server)
    • Protocol (SSL)
    • IP Address Type (Non Addressable)
(Screenshot: Load Balancing Virtual Server Basic Settings)
  • Select No Load Balancing Virtual Server Service Binding and bind the previously created service group (ADFS_SvcGroup)
  • Via No Server Certificate, bind your certificate for the AD FS Proxy (a wildcard certificate is the simplest)
(Screenshot: Load Balancing Virtual Server Service Group Binding)

Content Switching

Next, create the content switching components, starting with the content switching policies. Note that the host name used here (adfs.deyda.net) corresponds to the external DNS entry.

(Screenshot: Content Switching Policies)
  • In the Citrix ADC navigation panel, click Traffic Management > Content Switching > Policies
  • Click Add to create a new content switching policy
    • Name (e.g. ADFS_CS_Policy_ADFS)
    • Expression (HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("adfs.deyda.net") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/adfs"))
    • Confirm the entry with Create
(Screenshot: Create Content Switching Policy)
  • Click Add again to create another content switching policy
    • Name (e.g. ADFS_CS_Policy_Metadata)
    • Expression (HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ("adfs.deyda.net") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/FederationMetadata"))
    • Confirm the entry with Create
(Screenshot: Create Content Switching Policy)

Now the Content Switching vServer is created; it is bound to the IP address that the external DNS entry (e.g. adfs.deyda.net) points to.

  • In the Citrix ADC navigation panel, click Traffic Management > Content Switching > Virtual Servers
  • Click Add to create a new content switching virtual server
    • Name (e.g. ADFS_CS_Server)
    • Protocol (SSL)
    • Target Type (NONE)
    • IP Address Type (IP Address)
    • IP Address (external IP address of the DNS entry)
    • Port (443)
  • Confirm the entry with OK
(Screenshot: Content Switching Virtual Server)

Now the previously created content switching policies (ADFS_CS_Policy_ADFS / ADFS_CS_Policy_Metadata) are bound to the newly created virtual server (ADFS_CS_Server).

(Screenshot: Content Switching Policy Binding)
  • In the opened Content Switching Virtual Server, click No Content Switching Policy Bound
  • In the Policy Binding window, click Add Binding
    • Select Policy (ADFS_CS_Policy_ADFS)
    • Priority (100)
    • Goto Expression (END)
    • Invoke LabelType (None)
    • Target Load Balancing Virtual Server (ADFS_LB_Server)
  • Click Bind to confirm
(Screenshot: Policy Binding)
  • In the Policy Binding window, click Add Binding again
    • Select Policy (ADFS_CS_Policy_Metadata)
    • Priority (110)
    • Goto Expression (END)
    • Invoke LabelType (None)
    • Target Load Balancing Virtual Server (ADFS_LB_Server)
  • Click Bind to confirm
(Screenshot: Policy Binding)

Rewrite

Now create the Rewrite Actions and Policies, which will be bound to the Load Balancing Virtual Server afterwards.

(Screenshot: Rewrite Actions)
  • In the Citrix ADC navigation panel, click AppExpert > Rewrite > Actions
  • Click Add to create a new Rewrite Action
    • Name (e.g. ADFS_Rewrite_ProxyHeader)
    • Type (INSERT_HTTP_HEADER)
    • Header Name (X-MS-Proxy)
    • Expression ("NETSCALER")
  • Confirm the entry with Create
(Screenshot: Rewrite Action Proxy Header)
  • Click Add again to create another Rewrite Action
    • Name (e.g. ADFS_Rewrite_Mex)
    • Type (REPLACE)
    • Expression to choose target location (HTTP.REQ.URL.PATH_AND_QUERY)
    • Expression ("/adfs/services/trust/proxymex" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_START_CHARS("/adfs/services/trust/mex").HTTP_URL_SAFE)
  • Confirm the entry with Create
(Screenshot: Rewrite Action Mex)
  • In the Citrix ADC navigation panel, click AppExpert > Rewrite > Policies
  • Click Add to create a new Rewrite Policy
    • Name (e.g. ADFS_Rewrite_Policy_ProxyHeader)
    • Action (ADFS_Rewrite_ProxyHeader)
    • Expression (HTTP.REQ.URL.TO_LOWER.STARTSWITH("/adfs"))
  • Confirm the entry with Create
(Screenshot: Create Rewrite Policy)
  • Click Add again to create another Rewrite Policy
    • Name (e.g. ADFS_Rewrite_Policy_Mex)
    • Action (ADFS_Rewrite_Mex)
    • Expression (HTTP.REQ.URL.TO_LOWER.STARTSWITH("/adfs/services/trust/mex"))
  • Confirm the entry with Create
(Screenshot: Create Rewrite Policy Mex)

To bind the Rewrite Policies to the load balancer, open the previously created Load Balancing Virtual Server (ADFS_LB_Server) and click Policies on the right side.

(Screenshot: Load Balancer Virtual Server Policies)

In the new Policies tab, click the + icon.

(Screenshot: Load Balancer Policies)

Then configure the policy type:

  • Choose Policy (Rewrite)
  • Choose Type (Request)
  • Confirm with Continue
(Screenshot: Policies Choose Type)
  • Select Policy (ADFS_Rewrite_Policy_ProxyHeader)
  • Priority (100)
  • Goto Expression (NEXT)
  • Invoke LabelType (None)
  • Continue with Bind
(Screenshot: Policy Binding)
  • Select Policy (ADFS_Rewrite_Policy_Mex)
  • Priority (110)
  • Goto Expression (END)
  • Invoke LabelType (None)
  • Continue with Bind
(Screenshot: Rewrite Policy Binding)

Test of the AD FS Proxy

You can use the following addresses to test the AD FS Proxy:

https://adfs.deyda.net/adfs/ls/idpinitiatedsignon.htm

https://adfs.deyda.net/FederationMetadata/2007-06/FederationMetadata.xml

Troubleshooting

If the pages cannot be opened from the outside, in my experience the most common mistake is the binding of the certificates.

To fix this, open a PowerShell window as an administrator on an AD FS machine and enter the following command:

PowerShell:

    netsh http show sslcert

From the listed SSL certificate bindings, copy the following values:

  • Certificate Hash
  • Application ID
  • Certificate Store Name

Then enter the following command to bind the existing certificate to all addresses of the server (the brackets, including their contents, are replaced by the respective value):

PowerShell:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=[Certificate Hash] appid=[Application ID] certstorename=[Certificate Store Name]

Example (netsh expects the application ID in curly braces, quoted so that PowerShell passes the braces through unchanged):

PowerShell:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=a54564146545e454f484f48eb4 appid='{58784354-beb4-8795-4548a6e4a}' certstorename=MY

This command must then be executed on all AD FS machines.

Author: Manuel Winkel. Posted on February 26, 2019 (updated April 28, 2020). Categories: ADC, Azure, Citrix, Microsoft, Office365. Tags: AD FS, AD FS Proxy, Citrix, Citrix ADC, Citrix Gateway, Content Switching, Federated Domain, FederationMetadata.xml, IdPinitiatedSignOn.htm, Load Balancing, Microsoft, NetScaler, Office365, Principal, Rewrite, Single-Sign On