ADFS is not able to fetch the client machine IP address

  • Question

  • Hi All,

    Can anyone help me with the following issue:

    We have configured a 2-node ADFS farm (2016) with a 2-node WAP, and a load balancer is also configured. Now the requirement is to collect the client machine IP address (X-MS-Forwarded-Client-IP) in an ADFS claim, but ADFS is always fetching the LB gateway IP address. We have checked that the LB is collecting the client IP address, but the same is not collected on the ADFS end.

    Can anyone confirm whether the LB is not able to forward the IP address to the ADFS end, or whether it is a problem on the ADFS end? Where is the problem?

    ADFS claim rules tested in the following two ways:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"]
     => issue(claim = c);

    ------------------------------------------------------------------------------------------------------------------

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip"]
     => issue(claim = c);

    We are getting the IP address of the LB gateway.

    Friday, August 9, 2019 9:03 AM

Answers

  • You have two options here.

    1. On your load balancer, you terminate the SSL tunnel, inject the "real" IP in the header, and then re-encrypt (this breaks user- and device-based certificate authentication, so it is a no-go if you are using these).

    2. Some load balancers allow spoofing the actual IP of the client to the WAP (it has different names depending on the brand; check the vendor's documentation).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Friday, August 9, 2019 8:02 PM
    Owner
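    The following is an added example for this thread, not code from the posts above, from Microsoft or from F5. It models the two hops the answer talks about: a load balancer doing SNAT in front of the WAP/ADFS farm, and the receiving side deciding which address goes into a client-IP claim. Option 1 corresponds to the "overwrite"/"append" modes (the LB terminates TLS and can edit headers), option 2 and the hosts-file bypass correspond to the client address arriving as the TCP peer, and "passthrough" reproduces the symptom in the question (the claim carries the LB address). The header name X-Forwarded-For is taken from the F5 article cited later in the thread; whether ADFS reads that header or only what WAP sets is not settled on this page, so the trusted-proxy rule below is a generic model and an assumption, not a description of ADFS or WAP internals. All addresses are constructed. The one point the thread does not spell out, and that matters if the claim feeds an access-control policy: the header is only trustworthy when the TCP peer is your own LB, and the LB must either overwrite a client-supplied value or the receiver must read the chain from the right; otherwise a client chooses the address that lands in the claim.

    ```python
    """Who sees which client IP on the LB -> WAP -> ADFS path.

    Added example for this forum thread (not code from the original posts, from
    Microsoft or from F5). The trusted-proxy rule and the X-Forwarded-For handling
    are a generic model and an assumption, not ADFS/WAP internals. Addresses are
    constructed test data.
    """
    from dataclasses import dataclass, field
    from ipaddress import ip_address, ip_network


    @dataclass
    class Request:
        peer_ip: str                                  # TCP source address seen by this hop
        headers: dict = field(default_factory=dict)   # HTTP headers as received


    def lb_forward(req: Request, lb_ip: str, mode: str) -> Request:
        """Load balancer with SNAT: the next hop sees lb_ip as the TCP peer.

        mode = "passthrough": re-encrypting or TCP-level LB, headers untouched
                              (the failing setup described in the question).
        mode = "overwrite":   LB terminates TLS and sets X-Forwarded-For to the
                              address it saw, dropping anything the client sent.
        mode = "append":      LB terminates TLS and appends to an existing chain.
        """
        headers = dict(req.headers)
        if mode == "overwrite":
            headers["X-Forwarded-For"] = req.peer_ip
        elif mode == "append":
            prior = headers.get("X-Forwarded-For")
            headers["X-Forwarded-For"] = f"{prior}, {req.peer_ip}" if prior else req.peer_ip
        elif mode != "passthrough":
            raise ValueError(f"unknown mode {mode!r}")
        return Request(peer_ip=lb_ip, headers=headers)


    def client_ip_for_claim(req: Request, trusted_proxies) -> str:
        """Address the receiving hop should put into a client-IP claim.

        X-Forwarded-For is believed only when the TCP peer is one of our own
        proxies. The chain is then walked from the right, skipping further
        trusted proxies; the first address that is not ours is the client.
        A header arriving from an untrusted peer is attacker-controlled and ignored.
        """
        trusted = [ip_network(n) for n in trusted_proxies]

        def is_trusted(addr: str) -> bool:
            return any(ip_address(addr) in net for net in trusted)

        if not is_trusted(req.peer_ip):
            return req.peer_ip
        chain = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
        for hop in reversed(chain):
            try:
                ip_address(hop)
            except ValueError:
                continue                  # empty or malformed entry: skip, never trust
            if not is_trusted(hop):
                return hop
        return req.peer_ip                # no usable header: the claim degrades to the LB address


    CLIENT, LB = "203.0.113.7", "10.0.0.10"     # constructed: a user and the LB's SNAT address
    TRUSTED = ["10.0.0.0/24"]                   # assumption: subnet of our own load balancers


    def scenarios() -> dict:
        """Constructed cases from the thread, name -> value the claim would carry."""
        direct = Request(CLIENT)                                        # hosts-file bypass of the LB
        forged = Request(CLIENT, {"X-Forwarded-For": "198.51.100.1"})   # client supplies its own header
        return {
            "bypass_lb": client_ip_for_claim(direct, TRUSTED),
            "lb_snat_passthrough": client_ip_for_claim(lb_forward(direct, LB, "passthrough"), TRUSTED),
            "lb_terminates_overwrite": client_ip_for_claim(lb_forward(direct, LB, "overwrite"), TRUSTED),
            "lb_terminates_append": client_ip_for_claim(lb_forward(forged, LB, "append"), TRUSTED),
            "forged_bypassing_lb": client_ip_for_claim(forged, TRUSTED),
            "forged_through_overwrite": client_ip_for_claim(lb_forward(forged, LB, "overwrite"), TRUSTED),
        }


    if __name__ == "__main__":
        for name, ip in scenarios().items():
            print(f"{name:26} -> {ip}")
    ```

    Running it shows "lb_snat_passthrough" yielding the LB address, which is exactly what the question reports, while every other case yields the real client address; the two "forged" cases show why the peer check and the rightmost-first walk matter before the claim is used in any location-based policy.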

All replies

  • Hiya,

    It depends on your load balancer and how it handles the X-header information.

    Friday, August 9, 2019 12:03 PM
  • Both the above-mentioned points are addressed in our environment. Still have the same results.
    Tuesday, August 13, 2019 1:16 PM
  • So just to be clear, if you update the hosts file on a client and bypass the load balancer, you are still not getting the X-header information?
    Wednesday, August 14, 2019 9:03 AM
  • When I bypass the load balancer by making a hosts-file entry on a client machine, I am getting the client IP address in the claim logs/ADFS.
    Wednesday, August 14, 2019 9:07 AM
  • Then that comes back to both points: it is the load balancer that is not forwarding the X-header information, as Pierre described.

    Wednesday, August 14, 2019 9:11 AM
  • Yes, we are also expecting the same. Thanks for the guidance.

    Do you have anything else that you want to suggest for further checking/troubleshooting this case?

    Wednesday, August 14, 2019 9:56 AM
  • Besides contacting the vendor of the load balancer and confirming that it is able to correctly forward X-header information on HTTPS packets.

    Which load balancer is it? Model and version?

    Wednesday, August 14, 2019 11:24 AM
  • We are getting the actual client IP on the LB, but the LB is not forwarding it to ADFS.

    We have F5 LB.

    Wednesday, August 14, 2019 12:00 PM
  • The closest I can find:
    K4816: Using the X-Forwarded-For HTTP header to preserve the original client IP address for traffic translated by a SNAT
    https://support.f5.com/csp/article/K4816

    But it is really not an ADFS, WAP or Windows Server issue, for that matter. It is really the load balancer that needs to perform the operation as you require.

    Wednesday, August 14, 2019 12:53 PM
  • "Both the above-mentioned points are addressed in our environment. Still have the same results."

    This does not make a lot of sense. It's one or the other... A few comments...

    1. is rarely well done. And because it can break some authentication methods, I'd consider it only if 2 isn't an option.

    2. is even more rarely well configured. I think it is a matter of reading the documentation, but few realize that these configurations require network changes (usually either changing the topology between the LB and the WAP - same segment - or configuring the LB as the gateway for the WAP - and therefore a custom route for the ADFS).




    • Proposed as answer by Jesper Arnecke Thursday, August 15, 2019 9:05 AM
    Wednesday, August 14, 2019 2:26 PM
    Owner