Browser directly to the ADFS server works fine, but the connection dies when going through the F5 LTM. A packet capture showed the F5 sending a client hello SSL handshake message as expected, with the ADFS server responding with a TCP RST.
Some more digging turned up this in the ADFS 2016 guide:
The load balancer MUST NOT terminate SSL. AD FS supports multiple use cases with certificate authentication which will break when terminating SSL. Terminating SSL at the load balancer is not supported for any use case.
So, the supported configuration is an F5 virtual server at Layer 4 (TCP pass-through, no SSL termination).
The unsupported work-around is to set a custom Server SSL profile with the server-name field populated; this is the SNI hostname the F5 sends to the ADFS server in its client hello:
ltm profile server-ssl /Common/serverssl-myserver {
    app-service none
    defaults-from /Common/serverssl
    server-name adfs.mydomain.com
}
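To confirm which of the two situations above you are in, it helps to check whether the client hello the load balancer sends actually carries a server_name (SNI) extension. The script below is an added example, not part of the original post or of any F5 or Microsoft tooling: it generates a real client hello locally with Python's ssl module (no network needed, via a memory BIO), with and without a hostname, and parses the TLS record to extract the SNI value. The same extract_sni function can be pointed at the raw bytes of a client hello pulled from a packet capture. The hostname adfs.mydomain.com is taken from the post's config; everything else is constructed for the example.

```python
import ssl
import struct


def build_client_hello(server_hostname=None):
    """Return the raw TLS record a client emits at the start of a handshake.

    A memory BIO is used so no socket is opened; the handshake stops as soon
    as the client needs the server's reply (SSLWantReadError). Passing
    server_hostname=None produces a client hello without SNI, which is the
    case the F5 default Server SSL profile falls into.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # example only: we never read a cert here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                            # client hello written, waiting on server
    return outgoing.read()


def extract_sni(data):
    """Parse a TLS ClientHello record; return the SNI host_name or None."""
    # Record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if ext_type == 0:                          # server_name extension
            # ServerNameList: list_len(2) then name_type(1) name_len(2) name
            lpos = 2
            while lpos + 3 <= len(edata):
                name_type = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if name_type == 0:                 # host_name
                    return name.decode("ascii")
                lpos += 3 + nlen
    return None


def sni_report(server_hostname=None):
    """Human-readable verdict for the hello a client would send."""
    sni = extract_sni(build_client_hello(server_hostname))
    return f"SNI present: {sni}" if sni else "SNI missing (expect RST from an SNI-bound ADFS farm)"


if __name__ == "__main__":
    print(sni_report("adfs.mydomain.com"))   # what the custom Server SSL profile sends
    print(sni_report(None))                  # what a profile with no server-name sends
```

Note that OpenSSL does not send SNI for an IP-address hostname, so the server-name value must be a DNS name; that matches the F5 profile above, where the field is the ADFS farm FQDN.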
This was a huge save! All of a sudden our handshakes began failing (unsure why). Replacing the Server SSL profile with one configured like you specified fixed the problem immediately.