Enabling Secure SSL on IIS for ADFS causes Citrix VIP and two Server svc Accounts on Citrix Netscaler to fail

I'm hoping that I can provide all the details of the issue I am having with regard to getting AD FS SSL Certificates to work with our Citrix Netscaler 5500 device. However, before I delve into that I would like to state that I was able to use Windows NLB successfully. NetScaler has proven to be most difficult and I'm not certain why.

I've read a ton of information on setting up AD FS Server, AD FS Proxy and using SSL and feel I have a pretty good handle on it, but, I may be missing some relevant information or just may not know how to troubleshoot it thoroughly enough. In addition, for the sake of keeping this post more brief, I'm only concerned with getting the AD FS Servers, SSL working in the On-Premise environment and not really concerned with the AD FS Proxy setup portion here. Baby steps, right!?

Our environment:

An AD FS Farm with two (2) AD FS Servers installed on Server 2012 Standard w/ Service Pack updates. AD FS Server names are fs1.myco.com and fs2.myco.com. They each have a static IP address or Host (A) Record in our DNS Server. Also, I've set up a 3rd static IP for the DNS Service name of sso.myco.com. It also has a Static IP Address. It will be the DNS name we will use as our AD FS Service name, the Subject Name in our SSL Certificate, and will serve as the Virtual IP Address I've set up on the NetScaler device for Load Balancing between the two Servers fs1 and fs2.

I set up two test files called test.html. One that says "You've connected to Server fs1 successfully" and the other "You've connected to Server fs2 successfully". When I had Windows NLB installed I was using one NIC with Unicast configured on it. I could successfully connect to the two servers using https://fs1.myco.com/test.html, https://fs2.myco.com/test.html, and when I hit https://sso.myco.com/test.html it would balance out between the two servers nicely. I tried this from a number of workstations successfully.

When I go to set it up in NetScaler, the VIP and the two Server Services, i.e. svc_FS1 AND svc_FS2, are both down. The main culprit here seems to be when I enable the "SSL Settings" option called "Enable SSL" and if I use any of the "Ignore", "Accept" or "Require" options. I've bound the IP Address on each IIS Server to https and have set it to use the SSL Certificate w/ Subject Name of sso.myco.com. I also imported the SSL Certificate and its corresponding Private Key onto the NetScaler device successfully and added it to the Service Server accounts during setup. If I uncheck "Require SSL" and re-configure the IP / Port bindings to Port 80, then the NetScaler VIP and Server Service accounts come up right away.

So, w/o making this an entire novel on this post, has anyone been down this "endless road" of issues and come across this type of issue that might lead me to some sort of epiphany?

Thank you for taking the time to read this and a little bit of patience to go with it. :)

Wally


Wallace Davis
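A diagnostic script, added here and not part of the post or of any Citrix or Microsoft tooling, that automates the checks the poster did by hand: it completes a TLS handshake on 443 against each farm member with the service name as SNI, records which DNS names the presented certificate carries, fetches /test.html, and then hits the VIP several times to see whether both members answer. The host names and the test.html marker text are the poster's; the function names, the port, the report layout and the sample certificates are assumptions made for this example.

```python
"""Added diagnostic (not from the post): checks what a load balancer's SSL
service monitor needs from each AD FS backend.  Host names and the test.html
marker text are the poster's; functions, port and report format are assumed."""
import socket
import ssl
from typing import Callable, Dict, List

SERVICE_NAME = "sso.myco.com"                 # AD FS service name / certificate subject
BACKENDS = ["fs1.myco.com", "fs2.myco.com"]   # farm members behind the VIP
HTTPS_PORT = 443


def cert_hostnames(cert: dict) -> List[str]:
    """DNS names from a certificate in ssl.getpeercert() dict format (SAN first, then CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost '*' label matching exactly one hostname label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_valid_for(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert_hostnames(cert))


def fetch_tls(host: str, port: int = HTTPS_PORT, sni: str = SERVICE_NAME, timeout: float = 5.0) -> Dict:
    """Network probe: TLS handshake with the service name as SNI, then GET /test.html.
    Chain verification stays on (an untrusted issuer surfaces as an SSLError); the
    hostname check is done separately by cert_valid_for so the names seen can be reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"GET /test.html HTTP/1.1\r\nHost: {sni}\r\nConnection: close\r\n\r\n".encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return {"cert": cert, "body": b"".join(chunks).decode("utf-8", "replace")}


def analyse(host: str, outcome: Dict, service_name: str = SERVICE_NAME) -> Dict:
    """Turn one probe outcome (or its error) into a flat verdict; pure, so it is testable."""
    if "error" in outcome:
        return {"host": host, "handshake": False, "error": outcome["error"],
                "cert_valid_for_service": False, "answered_by": None}
    short_names = [b.split(".")[0] for b in BACKENDS]
    answered = next((s for s in short_names if f"Server {s} " in outcome["body"]), None)
    return {"host": host, "handshake": True, "error": None,
            "cert_names": cert_hostnames(outcome["cert"]),
            "cert_valid_for_service": cert_valid_for(outcome["cert"], service_name),
            "answered_by": answered}


def run_diagnostic(fetch: Callable[..., Dict] = fetch_tls, vip_rounds: int = 6) -> Dict:
    """Probe each backend once, then the VIP several times to see whether both
    members answer.  `fetch` is injectable so the logic runs without a network."""
    report: Dict = {"backends": {}, "vip_answers": []}
    for host in BACKENDS:
        try:
            report["backends"][host] = analyse(host, fetch(host))
        except (OSError, ssl.SSLError) as exc:
            report["backends"][host] = analyse(host, {"error": f"{type(exc).__name__}: {exc}"})
    for _ in range(vip_rounds):
        try:
            report["vip_answers"].append(analyse(SERVICE_NAME, fetch(SERVICE_NAME))["answered_by"])
        except (OSError, ssl.SSLError):
            report["vip_answers"].append(None)
    report["all_backends_ok"] = all(
        r["handshake"] and r["cert_valid_for_service"] for r in report["backends"].values())
    report["vip_balanced"] = {a for a in report["vip_answers"] if a} == set(
        b.split(".")[0] for b in BACKENDS)
    return report


# Constructed sample data (not captured from the poster's environment) so the
# checks run offline: fs1 presents the sso.myco.com certificate, fs2 is still
# bound to its own host certificate, which does not carry the service name.
SAMPLE_CERTS = {
    "fs1.myco.com": {"subject": ((("commonName", "sso.myco.com"),),),
                     "subjectAltName": (("DNS", "sso.myco.com"),)},
    "fs2.myco.com": {"subject": ((("commonName", "fs2.myco.com"),),),
                     "subjectAltName": (("DNS", "fs2.myco.com"),)},
}
_vip_turn = [0]


def sample_fetch(host: str, port: int = HTTPS_PORT, sni: str = SERVICE_NAME) -> Dict:
    """Stand-in for fetch_tls: the VIP alternates between the two members."""
    if host == SERVICE_NAME:
        host = BACKENDS[_vip_turn[0] % len(BACKENDS)]
        _vip_turn[0] += 1
    name = host.split(".")[0]
    return {"cert": SAMPLE_CERTS[host], "body": f"You've connected to Server {name} successfully"}


if __name__ == "__main__":
    import json
    print(json.dumps(run_diagnostic(sample_fetch), indent=2))  # pass fetch_tls for a live run
```

Run it with `fetch_tls` against the real hosts to get the per-member verdicts a load balancer's SSL monitor would need (handshake completes, certificate names, body marker), and the VIP spread tells you whether both members are actually being selected; a member with `handshake: False` is the one to inspect in IIS before touching the NetScaler service definition.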

