
I am seeing strange behavior when accessing the REST API for ADFS in an Azure configuration.

Let's say I use a tool like OpenSSL or DigiCert to test whether or not my site is returning the correct certificates. For example:

openssl s_client -connect adfs.{mydomain}.com:443

Running this multiple times will alternately return the correct certificate and the wrong certificate.

The configuration is as follows:

  1. CNAMEs for ADFS, WWW, and ADRMS have been created in DNS, pointing them to {mydomain}testsvc.cloudapp.net which is the Azure public host.
  2. A SAN Certificate has been created and installed on the internet facing webserver
  3. Subject Name: www.{mydomain}.com
  4. Subject Alternative Names: adfs.{mydomain}.com, adrms.{mydomain}.com, www.{mydomain}.com
  5. Running "Netsh http show sslcert" on the webserver shows the right certificate for both the adfs and adrms Hostname:Port
  6. The WebApplicationProxy is installed to allow me to reach adfs.{mydomain}.com/adfs/oauth2/xxx.

If I run a slightly different test:

openssl s_client -connect adrms.{mydomain}.com:443

Then, I also get alternately different certificates. I've determined that the edge server is providing the correct certificate, and the adrms server is providing the "bad" certificate. In fact, that certificate is really okay, it just shouldn't be provided to someone asking for adfs.{mydomain}.com.

So, why do connect requests to adfs alternately go to the edge server and to the adrms server? And where do I go looking now to figure out this problem? I admit I have very little knowledge of WebApplicationProxy and how to direct all traffic through the edge server (including adrms traffic).

I can provide a real URI to demonstrate the problem via a private message.

Also: I suspect a load balancer because my web logs have lots of requests from a "Load Balancer Agent". However, I can't find one configured. I've used:

Get-AzureInternalLoadBalancer
Get-AzureRMLoadBalancer

Neither return anything.

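The probe described in the question, done from PowerShell instead of a manual openssl loop. This is an added example, not code from the original post: it connects to the host a number of times, sends the requested name as SNI (openssl s_client only does that with -servername on older builds), and tallies which leaf certificate comes back, together with the IP address each answer came from. Two thumbprints behind one IP point at something in front of the servers (a balancer) rather than at DNS; two thumbprints on two IPs point at DNS. The host name in the usage line is a placeholder.

```powershell
# Added example (not from the original post). Windows PowerShell 5.1 or PowerShell 7; no Azure modules needed.
function Test-NameCovered {
    # True if $HostName is an exact or single-label wildcard match for any name in $Names
    param([string] $HostName, [string[]] $Names)
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        if ($n -like '*.*' -and $n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                    # ".example.com"
            $label  = $HostName.Substring(0, [Math]::Max(0, $HostName.Length - $suffix.Length))
            if ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Get-TlsLeafCertSamples {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $Attempts = 10
    )
    # Accept whatever certificate the server presents: the point is to see it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $seen = @{}
    for ($i = 1; $i -le $Attempts; $i++) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($HostName, $Port)
            $remoteIp = $tcp.Client.RemoteEndPoint.ToString()
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
            $ssl.AuthenticateAsClient($HostName)        # sends $HostName as the SNI server_name extension
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            # OID 2.5.29.17 is Subject Alternative Name; Format($false) renders it on one line ("DNS Name=a, DNS Name=b")
            $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ', '
            $dnsNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
            $dnsNames += ([regex]::Match($cert.Subject, 'CN=([^,]+)')).Groups[1].Value
            $key = $cert.Thumbprint
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Thumbprint  = $key
                    Subject     = $cert.Subject
                    SAN         = $sanText
                    CoversHost  = Test-NameCovered -HostName $HostName -Names $dnsNames
                    RemoteIPs   = @()
                    Count       = 0
                }
            }
            $seen[$key].Count++
            if ($seen[$key].RemoteIPs -notcontains $remoteIp) { $seen[$key].RemoteIPs += $remoteIp }
            $ssl.Close()
        }
        finally {
            $tcp.Close()
        }
    }
    $seen.Values | Sort-Object Count -Descending
}

# Usage (placeholder host): a healthy endpoint yields one row with CoversHost = True.
Get-TlsLeafCertSamples -HostName 'adfs.example.com' -Attempts 20 | Format-List
```

Run it against each CNAME in turn (adfs, adrms, www). A result with two rows that share the same RemoteIPs value reproduces the symptom in the question: one public address, two different back ends answering for it.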

1 Answer


Well, right after posting my question, I had a breakthrough that solved the problem.

I was using the "classic" management console. I switched to the portal.azure.com to manage my deployment. When I navigated to the edge server and the adrms server, I found that both were part of a Load Balanced Set. I am not sure why the PowerShell scripts did not show this.

To solve the problem, I had to remove them from the LB set and recreate the endpoint for the edge server.

The steps were:

  1. Go to the management portal. (portal.azure.com)
  2. Select Virtual Machines
  3. Click on my adrms VM
  4. Click on Load Balancing Sets
  5. Click on the Load Balancer
  6. Click "Leave"
  7. Do these same steps for the edge VM
  8. For the edge VM add a new endpoint for port 443

This works because the Edge server also handles redirecting traffic to the adrms server.

I hope this saves someone a headache.

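The same check and fix from the classic Azure PowerShell module, as an added example that is not part of the answer above. Get-AzureInternalLoadBalancer only lists internal load balancers and Get-AzureRmLoadBalancer only sees Resource Manager resources, so neither shows a classic public load-balanced set; that set is visible as the LBSetName on each member VM's endpoint (Get-AzureEndpoint), and its health probe is what writes the "Load Balancer Agent" requests into the web logs. The cloud service name, VM names and the endpoint name HTTPS are assumptions for illustration; "leaving" the set is modelled here as removing the load-balanced endpoint from each member, which is the assumed equivalent of the portal's Leave button.

```powershell
# Added example (not from the original answer). Requires the classic "Azure" module
# (Add-AzureAccount, Select-AzureSubscription), not AzureRM.

function Get-ClassicLbSetMembership {
    # One row per endpoint that belongs to a load-balanced set, across all classic VMs in the subscription
    Get-AzureVM | ForEach-Object {
        $vm = Get-AzureVM -ServiceName $_.ServiceName -Name $_.Name
        $vm | Get-AzureEndpoint | Where-Object { $_.LBSetName } | ForEach-Object {
            [pscustomobject]@{
                Service    = $vm.ServiceName
                VM         = $vm.Name
                Endpoint   = $_.Name
                Protocol   = $_.Protocol
                PublicPort = $_.Port
                LocalPort  = $_.LocalPort
                LBSetName  = $_.LBSetName
            }
        }
    }
}

function Reset-EdgeHttpsEndpoint {
    param(
        [Parameter(Mandatory)] [string]   $ServiceName,
        [Parameter(Mandatory)] [string]   $EdgeVmName,
        [Parameter(Mandatory)] [string[]] $OtherVmNames,    # the other members of the set, e.g. the adrms VM
        [string] $EndpointName = 'HTTPS'                    # assumed name of the load-balanced endpoint
    )
    # Detach every member: removing the load-balanced endpoint from a VM takes it out of the set
    foreach ($name in (@($EdgeVmName) + $OtherVmNames)) {
        Get-AzureVM -ServiceName $ServiceName -Name $name |
            Remove-AzureEndpoint -Name $EndpointName |
            Update-AzureVM
    }
    # Recreate a plain (non-load-balanced) 443 endpoint on the edge VM only; the back-end VMs get none,
    # so all inbound TLS terminates on the edge, which proxies onward to adrms
    Get-AzureVM -ServiceName $ServiceName -Name $EdgeVmName |
        Add-AzureEndpoint -Name $EndpointName -Protocol tcp -PublicPort 443 -LocalPort 443 |
        Update-AzureVM
}

# Usage (placeholder names): look first, then act only on the set you recognise.
Get-ClassicLbSetMembership | Format-Table -AutoSize
# Reset-EdgeHttpsEndpoint -ServiceName 'mydomaintestsvc' -EdgeVmName 'edge01' -OtherVmNames 'adrms01'
```

After the reset, run the membership query again: no row should remain for port 443, and the certificate probe against adfs and adrms should return a single thumbprint.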