ADFS and iOS caching SSL certs

kool posted this 01 April 2019

We recently made a configuration change to our F5 load balancer which is in front of our ADFS servers. The change meant a new SSL certificate was being presented to the ADFS O365 clients. Most clients continued to work properly but there were a handful of reports of failures which in some cases included error messages saying the connection was closed/refused. We don't have good repro info but it looks like the majority of the problem cases were on mobile clients. So my question is: does iOS and/or Android cache SSL certs?

More info: we had been running the F5 in SSL termination mode with one SSL cert on the F5 and a different one on the ADFS servers. We did this because we thought we needed to do header updating via iRule but that turned out not to be the case. We want to switch to pass-through mode which means that clients would see the ADFS server SSL cert rather than the F5 cert. Our attempt to do this though has produced some perplexing failures.

Our O365/AAD auth topology is rather complex: client -> EO -> AAD -> F5 -> ADFS 4.0 -> Shibboleth. It has been working fine until this F5 reconfiguration.

I realize this is rather limited repro/debugging info, but if anyone else has any ideas, please speak up.

Thanks,

Eric

Forum info: http://www.activedir.org

minwar posted this 02 April 2019

I don't have the answer you're looking for, but I'm interested if you get one. I am looking at an issue that is not dissimilar. If I hit the IdP sign-in page a number of times from an iOS device then 1/5 times I'll get "server stopped responding". I can see plenty of "no server replies" in the TMG logs.

We route our ADFS traffic Ace LBs > TMGs > STM > ADFS Proxy > ADFS 4.0. Not ideal, I know!

Presumably you have ADFS proxies in path too?  In the past we have had to switch off SSL offloading and tunnel straight to proxies as it was failing to negotiate TLS ciphers.

kool posted this 03 April 2019

Thanks Ian (and Ken who replied directly). We were in fire drill mode and didn't really have the time to dig into a repro. We just rolled back to the prior, working configuration on the F5.

I've looked more closely at the cert on the F5 and the cert on the ADFS servers. They are nearly identical: the same signing (SHA-256) and encryption (RSA 2048) algorithms, cipher suites, and the same issuing chain. (You can view the F5 cert at https://www.ssllabs.com/ssltest/analyze.html?d=sts.netid.washington.edu&hideResults=on if you are curious.) The only difference I can see is that the F5 cert has several subject alt names for the F5 modules. I don't see how this would be important if the F5 is put into SSL tunneling mode. It also seems to point to something other than older OSes not understanding the ciphers.

I'm thinking that we should install the F5 cert on the ADFS servers and if that works, then clients shouldn't see any change at all if we switch to SSL tunneling. We'll have to wait for a maintenance window to do this after getting approval, so it may be a while. I'll let the lists know once we have more info.

Eric
