Citrix ADC (Citrix Netscaler) as ADFS Proxy

You want to use online services like Office 365, Citrix ShareFile and others, but you don’t want to create and manage every user twice? And you don’t want a different password for each platform? Then you can authenticate against your own Active Directory from anywhere by setting up an Active Directory Federation Services (ADFS) server farm in your environment.

If you do not want to read the whole article, the CLI commands are collected at the end (section “Netscaler CLI Commands”).

This article is part of a series on Citrix ADC and authentication; the other posts of the series are linked from my blog. In this article I will show you how to set up Citrix ADC as an ADFS proxy and how to configure your ADFS servers in principle, and we will also publish them externally (WAN) via Citrix ADC. If you only want to provide ADFS internally and just load balance it via Netscaler, you can use the explanations in my other article instead.

What is ADFS?

Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.
More information about ADFS can be found in the Microsoft documentation.

There are also a few new features in ADFS with Windows Server 2019 that are worth checking out.

Setup and configure your ADFS Servers

Setup ADFS Server

Before we can use the Citrix ADC as ADFS proxy, we need to set up the ADFS environment. First we install the ADFS server on a Windows Server 2019, which I have already prepared and joined to the domain.

1. Install ADFS Role via Server Manager

First of all we install the role ADFS via the Server Manager. Select Add new role and follow the next steps.

[Screenshot: Setup Microsoft Active Directory Federation Services]

You do not need to install any features. Here you can simply click directly on “Next”.

[Screenshot: Setup Microsoft Active Directory Federation Services]

On the next page you see a short overview of what ADFS does and what you have to consider. Click “Next”.

[Screenshot: Setup Microsoft Active Directory Federation Services]

If you also install other roles that require a restart, you can check this box and the Windows server will reboot automatically if necessary. In our case this is not needed, because ADFS does not require a restart at this point. Click “Install”.

[Screenshot: Setup Microsoft Active Directory Federation Services]

Once the components required for ADFS are installed, a notification icon appears in the Server Manager. There you will be asked to complete the configuration of ADFS.

[Screenshot: Setup Microsoft Active Directory Federation Services]

2. Configure ADFS Server settings

After the ADFS role is installed, we can configure it. First you choose whether this is the first server of a new farm. In my case it is, so I select that option. Confirm again with “Next”.

[Screenshot: Configure Microsoft Active Directory Federation Services]

For a production environment I would recommend creating a dedicated service account with administrator rights. In my lab environment I use the default administrator of my domain. Click “Next” to continue.

[Screenshot: Configure Microsoft Active Directory Federation Services]

In the next step you select the certificate for the fully qualified domain name of your ADFS service (please use a name that can later be resolved via DNS from the WAN). I have already imported this certificate as a computer certificate via the MMC. The subject name of the certificate also determines the Federation Service Name. You can add your own display name here. Then continue to the next step.

[Screenshot: Configure Microsoft Active Directory Federation Services]

On the page for the service account that ADFS will use later, you will get a message that the KDS root key is not available yet. You can create it in the next step via PowerShell.

[Screenshot: Configure Microsoft Active Directory Federation Services]

Since a newly created root key only becomes usable after several hours, we accelerate this with the following PowerShell commands. Run PowerShell with administrator rights. Immediately afterwards we display the root key to confirm that it was created successfully.

# create the KDS root key and backdate its effective time so it is usable immediately (lab use; in production let the default replication time pass)
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
# display the root key(s) to verify the creation
Get-KdsRootKey

[Screenshot: Configure Microsoft Active Directory Federation Services]

You can now go back one step in the installation wizard to the “Specify Service Account” page. It should now be possible to enter an account name for the Group Managed Service Account. Go to the next window.

[Screenshot: Configure Microsoft Active Directory Federation Services]

If you configure multiple ADFS servers in a larger environment, you can also store the configuration data in a SQL database, which you can set up here. I will not use this in my case, so I click “Next”.

[Screenshot: Configure Microsoft Active Directory Federation Services]

If you want to install a second ADFS server later, you can save the necessary PowerShell script in the next window.

The configuration of our first ADFS server for the farm is now completed.

Now you get a summary with the detailed results. Just click “Close” to exit the configuration wizard.

After the installation has completed successfully, we check in the event log that our ADFS instance has started correctly. Look for event ID 100; in my opinion it provides all the important details about your ADFS instance.

3. Setup the second ADFS Server

On the additional ADFS servers for our farm we set up ADFS as follows. First install the ADFS role on the Windows server as described in step 1. Then import the certificate you issued for ADFS. When this is done, start PowerShell with administrator rights and execute the script you saved in step 2.

Activate the Site for Initiated Signon

The following setting must be made on all ADFS servers. With it I activate the login page for IdP-initiated sign-on.

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

If the command was executed successfully, your login page now shows the IdP-initiated sign-on form.

Prepare ADFS for Loadbalancing

If you want to load balance your ADFS servers, you also have to bind the SSL certificate to the port 443 listener with an IP:port binding. This step is absolutely necessary, because later the Citrix Netscaler will load balance the ADFS connections, and the Netscaler accesses the ADFS servers by IP address, not by FQDN.

# show the existing bindings; copy the certificate hash and application ID from the ADFS hostname binding
netsh http show sslcert
# add an IP:port binding for all addresses on port 443 (0.0.0.0:443 assumed here as the listener named above)
netsh http add sslcert ipport=0.0.0.0:443 certhash=YOUR_CERTHASH appid=YOUR_APPID certstorename=YOUR_CERTSTORE

Setup Citrix ADC as ADFS Proxy

After we have set up our ADFS farm, we take care of the setup on the Citrix Netscaler. For this we proceed as follows.

1. Setup Service Group

So that we can load balance our ADFS later, we first create the ADFS farm members as server objects on the Netscaler.

[Screenshot: Citrix ADC ADFS Loadbalancing]

We now want to manage our servers with a Load Balancing Service Group, which we create now.

[Screenshot: Citrix ADC ADFS Loadbalancing]

Now add your servers to the service group.

[Screenshot: Citrix ADC ADFS Loadbalancing]

2. Create the Load Balancing vServer

We create the Load Balancing Virtual Server. I set it as “Non Addressable” in my case.

[Screenshot: Citrix ADC ADFS Loadbalancing]

Add your service group for the ADFS Servers.

[Screenshot: Citrix ADC ADFS Loadbalancing]

3. Configure Content Switching

First we create two content switching policies. With them we define which requests the proxy (our Citrix ADC (Netscaler)) should forward to the ADFS servers.

[Screenshot: Citrix ADC ADFS Contentswitch]

4. Create Rewrite Policies

In addition we create two rewrite actions and the corresponding rewrite policies. One policy adapts the URL (the mex endpoint is rewritten to proxymex), the other adds a header that tells the ADFS server that the request was sent through a proxy. Without this header the ADFS server treats the request as a direct request from the client, which leads to an error.

Rewrite Actions

Rewrite Policies

5. Bind the rewrite policies to the loadbalancing vserver

After we have created the policies, we can now apply them to our vServer.

Please make sure to configure the policies with the correct “Goto Expression”.

Check your configuration

Now that our configuration on the Netscaler is complete, we can test our Citrix ADC (Netscaler) ADFS proxy.

To test everything thoroughly, disable the servers of your ADFS farm one at a time and also test the monitoring.

Netscaler CLI Commands

#Citrix ADC/ Citrix Netscaler - ADFS Proxy

#Replace the following script parts:

ADFS-FQDN       <- your ADFS Federation Service Name (FQDN)
mon_adfs        <- your Monitor Name
lb_sg_adfs      <- your Service Group Name
YOUR_CS_IP      <- your Content Switch IP address
adfscert        <- your Certificate Name

add server adfs01.lab.local
add server adfs02.lab.local

add serviceGroup lb_sg_adfs SSL -maxClient 0 -maxReq 0 -cip ENABLED X-MS-Forwarded-Client-IP -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES

add lb vserver lb_vs_adfs SSL 0 -persistenceType NONE -cltTimeout 180

add cs vserver cs_vs_web_SSL SSL YOUR_CS_IP 443 -cltTimeout 180 -persistenceType NONE

add cs policy cs_pol_adfs_metadata -rule "HTTP.REQ.HOSTNAME.SET_TEXT_MODE(IGNORECASE).EQ(\"ADFS-FQDN\") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/FederationMetadata\")"

add rewrite action rew_act_adfs_proxyheader insert_http_header X-MS-Proxy "\"NETSCALER\""
add rewrite action rew_act_adfs_rewrite_mex replace HTTP.REQ.URL.PATH_AND_QUERY "\"/adfs/services/trust/proxymex/\" + HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).PATH_AND_QUERY.STRIP_CHARS(\"/adfs/services/trust/mex/\").HTTP_URL_SAFE"
add rewrite policy req_pol_adfs_proxyheader "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs\")" rew_act_adfs_proxyheader
add rewrite policy req_pol_adfs_rewrite_mex "HTTP.REQ.URL.TO_LOWER.STARTSWITH(\"/adfs/services/trust/mex\")" rew_act_adfs_rewrite_mex

add lb monitor mon_adfs HTTP -respCode 200 -httpRequest "GET /adfs/probe" -customHeaders "Host: ADFS-FQDN\r\n" -LRTM DISABLED -interval 30 -resptimeout 10 -destPort 80

bind serviceGroup lb_sg_adfs -monitorName mon_adfs

bind lb vserver lb_vs_adfs lb_sg_adfs

bind lb vserver lb_vs_adfs -policyName req_pol_adfs_proxyheader -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver lb_vs_adfs -policyName req_pol_adfs_rewrite_mex -priority 110 -gotoPriorityExpression END -type REQUEST

# cs_pol_adfs is bound here, but its "add cs policy" command is not part of this listing; create it for the ADFS-FQDN requests under /adfs (the ones the rewrite policies expect) before binding, analogous to cs_pol_adfs_metadata
bind cs vserver cs_vs_web_SSL -policyName cs_pol_adfs -targetLBVserver lb_vs_adfs -priority 100
bind cs vserver cs_vs_web_SSL -policyName cs_pol_adfs_metadata -targetLBVserver lb_vs_adfs -priority 110

bind serviceGroup lb_sg_adfs adfs02.lab.local 443
bind serviceGroup lb_sg_adfs adfs01.lab.local 443

bind ssl vserver cs_vs_web_SSL -certkeyName adfscert
bind ssl vserver lb_vs_adfs -certkeyName adfscert
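The rewrite chain from sections 4 and 5 (and the bind lines above) can be checked offline before it is bound to lb_vs_adfs. The following Python script is an added example, not code from the article or from Citrix: it emulates the two rewrite actions and the priority/goto evaluation on constructed sample paths, including what happens when the header policy is wrongly bound with goto END. Emulating STRIP_CHARS as a character set stripped from both ends and leaving out HTTP_URL_SAFE are assumptions.

```python
"""Offline emulation of the article's ADC rewrite policy chain (added example).

Assumptions (not from the article): STRIP_CHARS() removes any character of
its argument from both ends of the text (a character set, not a substring);
HTTP_URL_SAFE is omitted since the expected results need no percent-encoding;
the constructed sample paths are lowercase, so IGNORECASE is not emulated.
"""

MEX_PREFIX = "/adfs/services/trust/mex"
PROXYMEX_PREFIX = "/adfs/services/trust/proxymex/"


def strip_chars(text: str, chars: str) -> str:
    """Emulate ADC STRIP_CHARS(): strip every character in `chars` from both ends."""
    return text.strip(chars)


def act_proxyheader(path: str, headers: dict) -> tuple:
    """rew_act_adfs_proxyheader: insert_http_header X-MS-Proxy "NETSCALER"."""
    return path, {**headers, "X-MS-Proxy": "NETSCALER"}


def act_rewrite_mex(path: str, headers: dict) -> tuple:
    """rew_act_adfs_rewrite_mex: replace PATH_AND_QUERY with the proxymex path."""
    return PROXYMEX_PREFIX + strip_chars(path, MEX_PREFIX + "/"), headers


# (priority, rule, action, gotoPriorityExpression) as bound to lb_vs_adfs.
POLICY_CHAIN = [
    (100, lambda p: p.lower().startswith("/adfs"), act_proxyheader, "NEXT"),
    (110, lambda p: p.lower().startswith(MEX_PREFIX), act_rewrite_mex, "END"),
]

# The misconfiguration the "Goto Expression" warning is about: END on the
# header policy stops evaluation, so the mex rewrite at 110 is never reached.
WRONG_GOTO_CHAIN = [(100, POLICY_CHAIN[0][1], act_proxyheader, "END"), POLICY_CHAIN[1]]


def apply_chain(path: str, chain=POLICY_CHAIN) -> tuple:
    """Evaluate policies in priority order. A matching policy's goto decides
    whether evaluation continues (NEXT) or stops (END); a policy that does
    not match never stops the chain."""
    headers: dict = {}
    for _prio, rule, action, goto in sorted(chain, key=lambda pol: pol[0]):
        if rule(path):
            path, headers = action(path, headers)
            if goto == "END":
                break
    return path, headers


if __name__ == "__main__":
    for sample in (MEX_PREFIX, "/adfs/ls/", "/FederationMetadata/2007-06/FederationMetadata.xml"):
        print(sample, "->", apply_chain(sample))
    print("wrong goto:", apply_chain(MEX_PREFIX, WRONG_GOTO_CHAIN))
```

Note that the FederationMetadata path is forwarded by cs_pol_adfs_metadata but does not match STARTSWITH("/adfs"), so it reaches the farm without the X-MS-Proxy header.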

6 thoughts on “Citrix ADC (Citrix Netscaler) as ADFS Proxy”

  1. Pingback: Citrix ADC as RDP Proxy - Thomas Preischl - put your IT on the next level

  2. Can you explain why there’s two “add servicegroup lb_sg_adfs” commands, each with different options? The second one doesn’t work for me on ADC 12.1. Thanks!

    1. Hey Thomas,
thanks for your hint. I think that was an error while writing the blog post and putting in the scripts out of my database.
      I deleted the second entry. It is not required.

      Thanks and have a good time

  3. Hi Thomas,
    Thanks for this article, it provides an excellent explanation in how to deploy Citrix ADC as an ADFS-proxy.
Now, I just have a quick question for you: do you know if we can set up a “non-claims-aware” Relying Party Trust, meaning an application that will use Windows Integrated authentication, under this configuration?

    Most of third party SW that acts as an ADFS-proxy supports only “Claims-aware”.
    Thanks and I look forward to hearing from you.

  4. Looks like the UI equivalent of the ‘add cs vserver cs_vs_web_SSL SSL 443 -cltTimeout 180 -persistenceType NONE’ is missing in the instructions. There’s no step showing creating a content switching vserver and thus no IP for the proxy traffic to apparently land on.
