Load Balancing AD FS v3.0 with WAP across Citrix Netscaler

  • Question

  • ***I know this is not a FIM question, but as it's ADFS it belongs under IDM but there is no option for that.***

    I am trying to get AD FS 3.0 up and working, being load balanced through a pair of physical Citrix NetScaler ADCs. The load balancing part of the AD FS side is working fine; it is creating the trust relationship between the WAPs (which are in the DMZ) and the AD FS servers (which are in the LAN) that are being load balanced across the NS.

    So the topology is 2*WAP in the DMZ and 2*ADFS in the LAN. There are two vServers, one for the DMZ and one for the LAN side; there is a NAT rule configured to forward traffic from the external IP to the DMZ vServer for the WAPs. Load balancing is working across the LAN vServer, as I can browse to the ADFS URLs using the vServer IP.

    The real issue is when I try to run the WAP trust relationship wizard to pair the WAPs and ADFS servers; there is an entry in the hosts file configured with the ADFS service name which points to the IP of the vServer in the LAN.

    I also know this is not a Citrix forum, but the NS is configured with a service pointing to each of the four servers. I have tried using the following protocols: SSL_TCP, SSL_Bridge and SSL. The result is the same for all of the protocols; there does not have to be SSL offloading done on the WAP/ADFS.

    The error on the WAP is simply "cannot save the configuration"; there is nothing in the events.

    I know ADFS has changed in v3.0, and in 2012 it used to be like load balancing any other SSL website.

    Wednesday, June 10, 2015 8:23 AM

All replies

  • Hello Ryan,

    I have had the same issue today and fixed it by temporarily replacing the vServer's IP in the hosts file with the IP of my first ADFS farm server.


    Thursday, June 11, 2015 5:49 PM
  • Try this ADFS forum:

    Friday, June 12, 2015 6:03 AM
  • Julian,

    Yeah I have also tried that, I am on a call with MS today.

    Did you get it fixed? I'll keep you posted if we get it sorted.


    Friday, June 12, 2015 8:13 AM
  • Hello Ryan,

    Sorry for this late answer! Yes, I have fixed it. Pointing the ADFS URL directly to the IPs of the internal ADFS servers worked for me.

    On the WAPs you do not have to point the URL to the internal ADFS vServer. WAP is able to monitor the internal ADFS servers by itself and always redirects to the healthy ADFS server.


    Thursday, June 18, 2015 11:25 AM
  • Thanks Julian, yeah got it sorted in the end.

    Written a post on the configuration if anyone else is interested:

    Monday, June 22, 2015 11:25 AM
  • Hello,

    I'm currently facing the same situation and problem here.

    Internal load balancing to 2 ADFS servers with Netscaler works fine (I did the thing with the netsh command to support SNI) and this setup provides a highly available solution.

    At this stage, establishing the WAP trust relationship doesn't work. I get the <null> thumbprint certificate in the logs on the ADFS servers' side (this is not a ctlstore issue).

    On the WAP servers, I edited the etc/hosts file to point the record of the federation directly to the master ADFS of the farm (this supersedes the DNS record pointing to the load balanced IP hosted by the Netscaler). Now, the WAP servers DO register on the ADFS!

    BUT, I have to leave the hosts file record; if I remove it, then I cannot use the WAP MMC console anymore.

    What I don't understand in this setup: how can ADFS high availability work from the WAP servers' point of view if they point the federation directly to ONE ADFS server??

    What do you mean when you say "WAP is able to monitor the internal ADFS servers by itself and redirects allways to the healthy ADFS Server."? Must firewall rules be created for each WAP to allow a connection to each ADFS directly, bypassing the Netscaler??

    Thanks for some explanation :)

    Wednesday, February 15, 2017 10:05 AM
  • Hi Thomas,

    That's exactly what I meant. If you add a row for each ADFS server in the hosts file, the WAP server is able to check which of the servers is healthy and automatically redirects to one of them:

    And yes, this requires a firewall rule from the WAP servers directly to your ADFS servers.

    Let me know if this helps.


    Monday, February 20, 2017 8:26 AM
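    One way to see, from a WAP server, what the hosts-file approach above actually gives you (an added PowerShell example, not posted by anyone in this thread): it lists every hosts-file row for the federation service name and then completes a TLS handshake against each listed AD FS address with that name as SNI, which also confirms the per-server firewall rules Julian mentions are in place. The federation service name and the hosts file path are placeholders, and the per-member check itself is an assumption for illustration; it does not touch the Netscaler at all.

```powershell
# Added example: not from this thread. Run on a WAP server as an administrator.
# Assumptions: $FederationServiceName is a placeholder for your real federation
# service name; the WAP can reach each AD FS farm member directly on TCP 443.
param(
    [string]$FederationServiceName = 'adfs.example.com',                     # placeholder
    [string]$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
)

# 1. Collect every non-comment hosts-file row that maps the federation name to an address.
$farmMembers = Get-Content -Path $HostsFile |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object {
        $fields = ($_ -split '\s+') | Where-Object { $_ }
        # fields[0] is the address, the rest are host names for that address
        if ($fields.Count -gt 1 -and $fields[1..($fields.Count - 1)] -contains $FederationServiceName) {
            $fields[0]
        }
    }

# 2. If there is no hosts-file override, the WAP will use DNS; show what DNS returns instead.
if (-not $farmMembers) {
    Write-Warning "No hosts-file row for $FederationServiceName; the WAP will resolve it via DNS."
    $farmMembers = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
}

# 3. For each address open TCP 443 and finish a TLS handshake with SNI set to the
#    federation service name, which is what the WAP itself sends. Certificate policy
#    errors are recorded rather than silently ignored, so a wrong or untrusted
#    certificate on a farm member shows up in the report.
foreach ($ip in $farmMembers) {
    $script:policyErrors = 'None'
    $validator = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors.ToString()
        $true   # let the handshake finish so the subject can be reported; errors are logged above
    }

    $report = [ordered]@{
        Address      = $ip
        TcpOpen      = $false
        TlsOk        = $false
        CertSubject  = ''
        PolicyErrors = ''
        Error        = ''
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ip, 443)
        $report.TcpOpen = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validator)
        $ssl.AuthenticateAsClient($FederationServiceName)
        $report.TlsOk        = $true
        $report.CertSubject  = $ssl.RemoteCertificate.Subject
        $report.PolicyErrors = $script:policyErrors
        $ssl.Dispose()
    } catch {
        # A blocked firewall shows up here as a connect failure on that member.
        $report.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }

    [pscustomobject]$report
}
```

    A member that reports TcpOpen = False is one the WAP cannot reach directly, which is the firewall rule Julian describes; a member that completes TLS but shows PolicyErrors other than None is presenting a certificate the WAP will not trust for the federation service name.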
  • Hi Julian,

    Thanks for the above post.

    So with the above, are you saying we technically do not need an NLB between WAP and ADFS? The doubt I have is over the fact that the hosts file configuration will force a client to always go to the first entry, even though it's down.



    Friday, May 5, 2017 5:12 AM