Hello,
I’m having a hard time making this work.
My setup involves two Federation Servers that are currently load balanced by another solution (a Kemp LoadMaster) that I need to move to HAProxy.
AD FS uses port 443 for its portal and Forms/GSSAPI authentication, and port 49443 for Certificate Authentication.
The problem I have is that the portal on port 443 works flawlessly while the endpoint on port 49443 doesn’t.
The client can access the service on port 49443 and talk to the backend, but the application inside the portal fails, stating that it did not receive the certificate information it needed. The point is that the client is never asked to present a certificate (the browser never prompts for one). If I point the clients directly to one of the servers, or through the existing load balancer, everything works.
It is as if HAProxy is dropping some information while proxying, and I can't understand what.
Sorry, I'm new to HAProxy and can't explain myself better. Can somebody help me shed some light on this?
Following is the configuration relevant to this:
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
stats show-desc
stats show-legends
option httplog
option dontlognull
option log-separate-errors
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
#CavanaSystems Public Wildcard Certificate Store
#---------------------------------------------------------------------
crt-store cavanasystems_wildcard
crt-base /etc/haproxy/certs
key-base /etc/haproxy/certs
load crt cavanasystems_wildcard_2025.pem key cavanasystems_wildcard_2025.key ocsp-update on alias cert_2025
#---------------------------------------------------------------------
#AD FS HTTP Frontend
#---------------------------------------------------------------------
frontend adfs_portal_internal_cavanasystems_com
description Active Directory Federation Services Portal HTTP Frontend
bind 10.88.18.222:443 ssl crt "@cavanasystems_wildcard/cert_2025"
bind [2001:67c:d68:83::222]:443 ssl crt "@cavanasystems_wildcard/cert_2025"
default_backend adfs_federation_servers
option forwardfor if-none
#---------------------------------------------------------------------
#AD FS HTTP Backend
#---------------------------------------------------------------------
backend adfs_federation_servers
description Active Directory Federation Services Portal HTTP Backend
balance roundrobin
server itmil01pstsv01 [2001:67c:d68:83::16]:443 check port 80 ssl ca-file /etc/haproxy/certs/ca_store/ sni ssl_fc_sni # sni req.hdr(host)
# server itmil01pstsv02 [2001:67c:d68:83::17]:443 check port 80 ssl ca-file /etc/haproxy/certs/ca_store/ sni req.hdr(host) # sni ssl_fc_sni
option forwardfor if-none
option httpchk GET /adfs/probe
#---------------------------------------------------------------------
#AD FS Certauth HTTP Frontend
#---------------------------------------------------------------------
frontend adfs_certauth_internal_cavanasystems_com
description Active Directory Federation Services Certauth HTTP Frontend
# These binds terminate TLS with the server (wildcard) certificate only;
# there is no ca-file/verify here, so nothing asks the browser for a client certificate.
bind 10.88.18.222:49443 ssl crt "@cavanasystems_wildcard/cert_2025"
bind [2001:67c:d68:83::222]:49443 ssl crt "@cavanasystems_wildcard/cert_2025"
default_backend adfs_federation_servers_certauth
option forwardfor if-none
#---------------------------------------------------------------------
#AD FS Certauth HTTP Backend
#---------------------------------------------------------------------
backend adfs_federation_servers_certauth
description Active Directory Federation Services Portal HTTP Backend
balance roundrobin
# A second, separate TLS session is opened from HAProxy to AD FS; the browser's
# certificate (if it had sent one) is not part of this session.
server itmil01pstsv01 [2001:67c:d68:83::16]:49443 check port 80 ssl ca-file /etc/haproxy/certs/ca_store/ sni ssl_fc_sni
# server itmil01pstsv02 [2001:67c:d68:83::17]:49443 check port 80 ssl ca-file /etc/haproxy/certs/ca_store/ # sni req.hdr(host)
option forwardfor if-none
option httpchk GET /adfs/probe
Thank you for your help, any hints or help in troubleshooting is greatly appreciated.
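The behaviour described above follows from the port 49443 frontend terminating TLS. The browser's TLS handshake ends at HAProxy, which presents the wildcard certificate and never sends a CertificateRequest, so the browser is never prompted; HAProxy then opens its own TLS session to AD FS, in which it cannot present the user's certificate because it does not hold the user's private key. The usual fix is to proxy port 49443 at layer 4 so the handshake runs end to end between the browser and the Federation Server. The following is an added example (not the poster's configuration or anything from the HAProxy project) that replaces only the certauth frontend/backend pair; it reuses the addresses and server names from the post, and the `http-check expect` line is an assumption that /adfs/probe returns 200 on a healthy node.

```haproxy
#---------------------------------------------------------------------
# AD FS Certauth passthrough (layer 4)
# TLS is NOT terminated here. The ClientHello, the CertificateRequest
# that AD FS sends on 49443 and the certificate the browser answers
# with all travel unchanged between the client and the Federation
# Server. SNI is preserved automatically because the hello is forwarded
# as-is, so AD FS still picks the right HTTP.sys binding.
#---------------------------------------------------------------------
frontend adfs_certauth_internal_cavanasystems_com
    description Active Directory Federation Services Certauth TCP passthrough frontend
    mode tcp                       # overrides "mode http" inherited from defaults
    option tcplog
    bind 10.88.18.222:49443        # no "ssl crt": HAProxy only relays bytes
    bind [2001:67c:d68:83::222]:49443
    # Wait (up to 5s) for a ClientHello before routing, so the session is
    # only accepted once it is known to be a TLS handshake; the hello is
    # then forwarded unmodified to the backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend adfs_federation_servers_certauth

backend adfs_federation_servers_certauth
    description Active Directory Federation Services Certauth TCP passthrough backend
    mode tcp
    balance roundrobin
    # Health checks stay on the unauthenticated HTTP probe on port 80;
    # "option httpchk" is honoured in a tcp backend when "check" is set.
    option httpchk GET /adfs/probe
    http-check expect status 200   # assumption: probe returns 200 when healthy
    server itmil01pstsv01 [2001:67c:d68:83::16]:49443 check port 80
    server itmil01pstsv02 [2001:67c:d68:83::17]:49443 check port 80
```

Two things to expect after the change. First, HTTP-only options inherited from `defaults` (`option forwardfor`, `option http-server-close`, the `http-*` timeouts) do not apply to tcp sections and HAProxy will warn about them at load; either accept the warnings or put the tcp pair under its own named `defaults` section. Second, AD FS now sees the HAProxy address as the client's source IP for 49443 traffic, since there is no HTTP layer in which to carry X-Forwarded-For and HTTP.sys does not speak the PROXY protocol; anything that keys on client IP in the AD FS logs for the certauth port will show the load balancer instead. To confirm the fix, run `openssl s_client -connect 10.88.18.222:49443 -servername <federation service name>` against HAProxy: with passthrough the output contains `Acceptable client certificate CA names` followed by the CA list the Federation Server trusts, exactly as it does when connecting to a node directly, whereas the terminating configuration prints `No client certificate CA names sent`.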