ADFS proxy not working

Question

We have F5 hardware load balancer which do the load balancing job for ADFS proxy server requests with certificates configured in F5, We have replaced SHA 1 certiifcates with SHA2 (sha256)certificates both on servers &amp; as well in F5 post that external users are not able to login to ADFS relying party applicatons whereas internal one's working fine&nbsp;
Internal request---F5(No Certificate)---ADFS 3.0 (Hosted 2012 R2) servers
External request--F5(Certificate)---ADFS proxy servers (Hosted on 2012 R2 servers)---ADFS servers&nbsp;
In ADFS proxy servers, we are finding many CIPHER errors which came after certificate renewal. Post roll back to old certificate errors are gone&nbsp;
Currently on F5 it is configured with default Cipher settings, Can someone have any idea whether it require any changes related to CIpher suite&nbsp;
If i change the Cipher suite will it impact other VIP's&nbsp;
Log Name: System&nbsp;
Source : Schannel&nbsp;
Event ID: 36888&nbsp;
Time : 6/15/2015 10.01 AM&nbsp;
Level : Error&nbsp;
User : System&nbsp;
Computer : abc&nbsp;
Description:  A fatal alert was generated and sent to remote endpoint. This may result in termination of connection. The TLS protocol defined fatal error code is 40. The windows Schannel error state is 1205&nbsp;
Log Name: System&nbsp;
Source : Schannel&nbsp;
Event ID: 36874&nbsp;
Time : 6/15/2015 10.01 AM&nbsp;
Level : Error&nbsp;
User : System&nbsp;
Computer : abc&nbsp;
Description:  An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed&nbsp;

boneyard · Answer

i have some experience with windows server not liking TLS1.2 yet, you could try with a cipher like !TLSv1_2:DEFAULT&nbsp;

ryannnnnnnnn · Answer

we are in the process of configuring servers for ADFS and i came across this issue last week. our ADFS proxies sit behind a couple of units running 11.6 (i had to disable TLS1.2 in the server SSL profile in order to get things working), while our internal ADFS servers sit behind a couple of units running 10.2.3 (no issues).

boneyard · Answer

10.2.3 supports a limited number of ciphers with TLS1.2, it might be those don't cause issues.&nbsp;

lars_forsgren · Answer

We have 11.4.1 on both external (proxy connection) and internal F5.
The problem is only on the external one.
If we connect an ADFS proxy directly to internet the problem goes away.
Can it have something to to with the SNI part?
That is only used in the proxy configuration.
The communication between proxy and internal ADFS (through F5) is not SNI configured in my setup.&nbsp;

larsf_210108 · Answer

We have 11.4.1 on both external (proxy connection) and internal F5.
The problem is only on the external one.
If we connect an ADFS proxy directly to internet the problem goes away.
Can it have something to to with the SNI part?
That is only used in the proxy configuration.
The communication between proxy and internal ADFS (through F5) is not SNI configured in my setup.&nbsp;

Forum Discussion

ADFS proxy not working

7 Replies

Recent Discussions

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

(How) can I get two client certificates in one APM session?

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Related Content

ADFS Proxy, APM, ASM Craziness

How Proxy SSL works on BIG-IP

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

SSL PROXY