Load balancing – SSL Offloading – ADFS 3.0

Goal :

Load balance ADFS 3.0 using Netscaler

Prepare your ADFS 3.0 :

ADFS 3.0 enables SNI on its HTTP.sys bindings by default, so the certificate is only offered to clients that send the federation service name in the TLS Server Name Indication extension. Netscaler supports SNI on the front side facing clients and users, but at the time of writing it does not send SNI when it connects to back-end servers and services, so the back-end TLS handshake to ADFS fails. We therefore added a non-SNI binding to ADFS 3.0 with the following commands, run from an elevated PowerShell (or cmd) prompt on every ADFS server in the farm:

Verify the bindings :
netsh http show sslcert

Change the bindings :
netsh http add sslcert ipport=<IPAddress:port> certhash=<certhash> appid=<appid> certstorename=MY

<IPAddress:port> = the IP address and port ADFS should listen on for non-SNI requests, e.g. 0.0.0.0:443 for all addresses
<certhash> = the Certificate Hash value shown for the existing ADFS binding by the show command
<appid> = the Application ID value shown for the existing ADFS binding by the show command, including the {}'s

Note : a side effect of this change is that clients whose OS or browser does not support SNI (Internet Explorer on Windows XP, for example) can also use ADFS 3.0.
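The binding change above, scripted as an added example (not from the original post): it parses the output of netsh http show sslcert, looks up the SNI binding ADFS created for the federation service name, and adds the 0.0.0.0:443 ipport binding with the same certificate hash and application ID so ADFS keeps owning the endpoint. The federation service name is an assumption for this illustration.

```powershell
# Added example: add the non-SNI (ipport) binding on an ADFS 3.0 server.
# Run from an elevated PowerShell prompt on each ADFS server in the farm.
$FederationServiceName = 'adfs.blubird.be'   # assumed: the name in the existing ADFS SNI binding
$Port = 443

# Parse "netsh http show sslcert" into one object per binding.
function Get-HttpSslBinding {
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = @{ Type = $Matches[1]; Endpoint = $Matches[2] }
            $bindings += $current
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

# The SNI binding ADFS 3.0 created: hostname:port, e.g. adfs.blubird.be:443
$sni = Get-HttpSslBinding |
    Where-Object { $_.Type -eq 'Hostname:port' -and $_.Endpoint -ieq "$($FederationServiceName):$Port" }
if (-not $sni) {
    throw "No SNI binding found for $($FederationServiceName):$Port; is this an ADFS 3.0 server?"
}

# Only add the ipport binding if it does not exist yet (netsh add fails on a duplicate).
$existing = Get-HttpSslBinding |
    Where-Object { $_.Type -eq 'IP:port' -and $_.Endpoint -eq "0.0.0.0:$Port" }
if ($existing) {
    "0.0.0.0:$Port is already bound to certificate $($existing.CertHash); nothing to do."
}
else {
    # Same certificate and application ID as the SNI binding, so ADFS still owns the URL.
    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$($sni.CertHash)" "appid=$($sni.AppId)" certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}

# Show the result: both the Hostname:port and the IP:port binding should now carry the same hash.
Get-HttpSslBinding | Format-Table Type, Endpoint, CertHash, AppId -AutoSize
```

After a certificate renewal the hash in the SNI binding changes; re-run the check and add a fresh ipport binding with the new hash, otherwise the Netscaler keeps talking to the old certificate.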

Configure your Netscaler

Configure your Netscaler as you would for a traditional LB with SSL offloading. Note that ADFS 3.0 only listens on HTTPS, so the service group below is SSL as well: the Netscaler terminates the client TLS session on the content switching vserver and re-encrypts toward the ADFS servers. Client IP insertion uses X-MS-Forwarded-Client-IP, the header ADFS expects a proxy to set with the original client address. The certificate bindings for the SSL vservers (bind ssl vserver ... -certkeyName ...) are not in the extract. Below is a sample config extracted from ns.conf :

add serviceGroup svcgrp-ssl-ADFS SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED
add lb vserver lb-https-ADFS SSL 0 -persistenceType SSLSESSION -cltTimeout 180
add cs vserver cs-https-ADFS-FDS-PORTAL SSL 443 -cltTimeout 180 -caseSensitive OFF
add cs policy Pol_adfs.blubird.be -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"adfs.blubird.be\")"
bind lb vserver lb-https-ADFS svcgrp-ssl-ADFS
bind cs vserver cs-https-ADFS-FDS-PORTAL -policyName Pol_adfs.blubird.be -targetLBVserver lb-https-ADFS -priority 100

Configure a monitor for the ADFS service and bind it to the service group. The monitor fetches the federation metadata over TLS (without SNI, which is why the binding change above is required) and checks that the response contains the federation service identifier :

add lb monitor mon-https-ADFS3 HTTP-ECV -send "GET /federationmetadata/2007-06/federationmetadata.xml" -recv "adfs.blubird.be/adfs/services/trust" -LRTM ENABLED -secure YES
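The same probe the monitor performs, replayed by hand from a workstation as an added example (not from the original post): it connects to one ADFS node by IP address, which makes SChannel omit the SNI extension just like the Netscaler does toward the back-end, requests the federation metadata and checks for the -recv string. The node IP is an assumption; the path and expected string are the monitor's values. Unlike the HTTP-ECV monitor, which only looks at the response body, this check also requires a 200 status.

```powershell
# Added example: reproduce the Netscaler HTTP-ECV monitor against a single ADFS 3.0 node
# without SNI, to prove the ipport binding works before putting the node behind the LB.
function Test-AdfsWithoutSni {
    param(
        [string]$ServerIp   = '10.0.0.11',                                     # assumed ADFS node IP
        [int]   $Port       = 443,
        [string]$HostHeader = 'adfs.blubird.be',
        [string]$Path       = '/federationmetadata/2007-06/federationmetadata.xml',
        [string]$Expect     = 'adfs.blubird.be/adfs/services/trust'
    )
    # Accept any server certificate: the question here is whether HTTP.sys offers one at all,
    # not whether its chain validates on this workstation.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($ServerIp, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        # Passing the IP literal as target host means SChannel sends no SNI extension,
        # which is the handshake the Netscaler (and a non-SNI browser) performs.
        $ssl.AuthenticateAsClient($ServerIp, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $request = "GET $Path HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $response = (New-Object System.IO.StreamReader($ssl)).ReadToEnd()
    }
    catch {
        # A failed handshake here usually means only the SNI (hostname:port) binding exists.
        Write-Warning "TLS/HTTP exchange with $ServerIp failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        $client.Close()
    }

    $ok = ($response -match '^HTTP/1\.1 200') -and $response.Contains($Expect)
    if ($ok) {
        Write-Host "UP: $ServerIp answered without SNI and the metadata contains '$Expect'"
    }
    else {
        $head = $response.Substring(0, [Math]::Min(300, $response.Length))
        Write-Host "DOWN: unexpected answer from $ServerIp`n$head"
    }
    return $ok
}

Test-AdfsWithoutSni
```

Run it once per ADFS node (pass -ServerIp for each); a node that reports DOWN here will also be marked DOWN by the Netscaler monitor, most often because the netsh ipport binding is missing on that server.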

Some extras for next time :

Remove the requirement for the user to type a domain name in front of the username.

Let the Netscaler decide whether Windows Integrated Authentication is offered or not, based on HTTP headers (the User-Agent).
