Tuesday, 13 January 2015

AD FS 3.0 and Hardware Load Balancers Compatibility with TLS SSL SNI

For organisations considering the move to Office 365, you will probably have explored the requirement for Active Directory Federation Services (AD FS) to provide Single Sign On (SSO) for your domain users when they connect to Office 365 services. Without AD FS in place to federate and project users' domain credentials to Office 365, users would have to maintain a separate set of login details for the domain and for Office 365.

If you have looked at AD FS and are planning on deploying it on Windows Server 2012 R2 with hardware load balancers, I suggest you read and understand this post in full. Active Directory Federation Services in Windows Server 2012 R2 is currently at version 3.0. This is different even from Windows Server 2012, which shipped with AD FS 2.1. You can of course use Windows Network Load Balancing to load balance AD FS, but I am sure you will agree that for a component as important as AD FS a dedicated appliance would be better. If you decide to deploy AD FS, it is vital that the service is highly available: if for whatever reason your AD FS infrastructure goes down, on-site users will not be able to access O365 services.

One of the improvements in AD FS 3.0 is built-in compatibility for Server Name Indication (SNI), which is an extension to the TLS (SSL) handshake protocol. Although AD FS 3.0 supports SNI, not all networking equipment and end devices do. SNI allows multiple SSL certificates to be bound to the same IP address and port number, which in turn allows multiple SSL (HTTPS) services to be served from the same address.

SNI works by having the client send the host name of the application server it wants during the SSL handshake, before any certificate is presented, thus allowing multiple HTTPS applications to reside behind a single IP address.

Although AD FS 3.0 supports the SNI feature, not all hardware load balancers do. A load balancer that terminates SSL but ignores SNI will present the same certificate to every client regardless of the host name requested, so it is important to consider this when making a purchasing decision for your hardware load balancers.

At the time of writing, the following load balancers and web servers offer support for SNI:

Citrix NetScaler 9.2 or higher
F5 Networks Local Traffic Manager, version 11.1 or higher
KEMP Load Balancers (as of October 2014)
Apache 2.2.12 or higher
Apache Traffic Server 3.2.0 or higher
Apache Tomcat on Java 7 or higher
Microsoft Internet Information Server (IIS) 8

Web browsers also require support for SNI; all recent versions of Internet Explorer from 7 onwards support SNI, as do Google Chrome and Mozilla Firefox.