I have been struggling last few days with new feature of SSL TLS called SNI (Server Name Indication). Both Web Application Proxy and AD FS 2012 R2 use it to enable simpler deployment and remove networking prerequisites.

What is this SNI of which you speak?

SNI is an extension to the TLS SSL protocol that allows the client to include the Hostname the client is connecting to in the SSL Client Hello. A server can then use the SNI header to determine which certificate to serve to the client. A key benefit of SNI is that is allows a server to host multiple certificates on the same IP/port pair instead of needing an IP per certificate (assuming you are using port 443).

SNI relies on the client supporting SNI and sending the Server Name extension in the SSL Client Hello. If the SSL Client Hello does not contain the SNI header then http.sys is unable to determine which certificate to serve and will reset the connection.

http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx

Immediately when I changed traffic to go through LB problems raised. I’m very satisfied that I found Jespers article about ADFS & SNI, it saved my day:). Instructions based on his blog.

Workarounds are

1. Update your client OS/firmware which is not capable for SNI

2. Add a HTTPS (port 80) based healh check probbe

3. Use a fallback certificate in ADFS instance (0.0.0.0:443)

Recommendation is nowadays to use option 2. Following steps are needed for configuration:

1. Apply necessary patches to all ADFS intance servers August 2014 rollup – found from here http://support.microsoft.com/kb/2975719/en-us. You need following patches in this order

KB2993651, KB2975719, KB2993100, KB2995004

2. Launch the Windows Firewall with Advanced Security MMC on the first WAP serve

3. Go to Inbound Rules

4. Create a new Inbound Rule (New Rule in Action Pane). Suggested name: “ADFS HTTP Health Check Probe”

5. Configure the rule for TCP protocol, local port 80 (specific port) and Allow traffic (All ports as Remote port). See overview of expected result in this picture from Ian Parramore’s blog.

6. Repeat steps on other ADFS/WAP machines.

7. Configure HLB to do health check probe using the http protocol and this specific endpoint: http://servername-or-ip-address/adfs/probe