ADFS Win 2012 R2 ADAL Authentication with Netscaler and Pre Authentication

  • Question

  • Hello,

    I try to use Citrix NetScaler as a reverse proxy for the ADFS Win 2012 R2 server. I use pre-authentication and forward the logon credentials as NTLM or Kerberos to the ADFS server for browser-based access, like the O365 portal page.

    This works great.

    But if I use the same for modern authentication clients (ADAL) like Skype for Business, I get an error message. In the event log of the ADFS server I see that the authentication type is not supported.

    Does anyone have an idea which endpoint ADAL uses, and how I can enable Windows Integrated Authentication for that endpoint, so that NetScaler can log on on behalf of the user and ADAL also works with pre-authentication?

    Friday, December 2, 2016 11:03 AM

All replies

  • Are you using a WAP server in this equation?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, December 2, 2016 4:42 PM
    No. In front of the ADFS server I placed a Citrix NetScaler which does the authentication and passes the credentials as a Kerberos token or NTLM to the ADFS server. This works well for browser-based access, but not for modern authentication.
    Friday, December 2, 2016 5:23 PM
    Hmm, it's hard to say... NetScaler is not sticking to [MS-ADFSPIP] (https://msdn.microsoft.com/en-us/library/dn392811.aspx). Do you have more logs? Like the actual error message and the corresponding debug log?

    Friday, December 2, 2016 5:47 PM
    In the event viewer I get error event 364 with this (sorry, German) error message:

    Fehler bei einer passiven Verbundanforderung. 
    
    Zusätzliche Daten 
    
    Protokollname: 
    wsfed 
    
    Vertrauende Seite: 
    urn:federation:MicrosoftOnline 
    
    Ausnahmedetails: 
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Die angeforderte Authentifizierungsmethode wird vom STS nicht unterstützt.
       bei Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
       bei Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
       bei Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    

    I know that NetScaler isn't supported. If I don't do pre-authentication, it works.

    But I hope to get pre-auth working.

    Monday, December 5, 2016 12:47 PM
    Well, you could do the pre-authentication in WAP and set up your NetScaler not to do pre-auth. It works and is supported. Maybe some Citrix folks have more insights into this scenario?

    You could try to enable the debug log, repro, stop the debug logs, and check the data...


    Tuesday, December 6, 2016 10:15 PM
  • Hey Stefan,

    ADAL is /adfs/services/trust/13/windowsmixed I think, enable it and see if that resolves your problem.

    Good Luck!

    Shane


    Friday, December 9, 2016 9:51 PM
    Hi Shane, I will try it. Can you explain how I can activate WIA for that endpoint? Thanks.
    Saturday, December 10, 2016 9:04 AM
  • Hi Shane,

    I activated the endpoint, but it doesn't work. Same error message.

    Monday, December 12, 2016 10:34 AM
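Shane's suggestion and Stefan's follow-up question ("how can I activate WIA for that endpoint?") map to a few ADFS PowerShell cmdlets. The script below is an added example, not from anyone in the thread; it assumes it is run as an ADFS administrator on the AD FS 2012 R2 server, and the provider list in step 3 is an assumed setting, not a value from the thread.

```powershell
# Added example (not from the thread). Assumes: run in an elevated session on the
# AD FS 2012 R2 federation server by an ADFS administrator.
Import-Module ADFS

$endpointPath = '/adfs/services/trust/13/windowsmixed'   # endpoint named by Shane

# 1. Inspect the endpoint: is it enabled at all, and is it published to proxies?
$ep = Get-AdfsEndpoint -AddressPath $endpointPath
$ep | Select-Object AddressPath, Enabled, Proxy, Protocol, SecurityMode, ClientCredentialType |
    Format-List

# 2. Enable the endpoint and publish it for proxy traffic (clients here reach ADFS through
#    a reverse proxy). Endpoint changes only take effect after a service restart (step 5).
if (-not $ep.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath $endpointPath
}
Set-AdfsEndpoint -TargetAddressPath $endpointPath -Proxy $true

# 3. MSIS7102 ("requested authentication method not supported by the STS", event 364 in the
#    thread) is a *policy* decision, not an endpoint one: enabling an endpoint does nothing
#    if WindowsAuthentication is not an allowed primary provider. Review both policies first.
$policy = Get-AdfsGlobalAuthenticationPolicy
$policy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider |
    Format-List

# Assumed setting: allow WIA (and keep forms) as intranet primary providers.
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')
}

# 4. ADFS only offers WIA to user agents on this list; a client whose User-Agent does not
#    match gets forms authentication instead. Inspect it before changing anything.
(Get-AdfsProperties).WIASupportedUserAgents

# 5. Apply endpoint changes.
Restart-Service adfssrv
```

Re-run step 1 after the restart and reproduce the ADAL sign-in; if event 364 still reports MSIS7102, the failing request is being evaluated against the other policy (intranet vs. extranet) than the one you changed.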