
NetScaler, ADFS and IE11

Stan Svetec

I have an ADFS setup that is load balanced behind a Citrix NetScaler. My current SSL cert is due to expire in October. As it stands, ADFS and IE11 work without an issue. I can hit https://myurl.com/adfs/ls/idpinitiatedsignon.aspx, hit 'Sign In' and I'm all good.

So now I have a newly renewed SSL cert. I update the certs on my NetScaler and now https://myurl.com/adfs/ls/idpinitiatedsignon.aspx via IE11 persists in giving me a Windows Security message and will not allow me to log in. If I flip the SSL cert back to the original, everything works as expected.

Anyone know what's up here with ADFS/IE11/NetScalers?



Did you update the reference to the IDP certificate in the Service Provider config? (Not just the cert on the LB vserver.)

Did you update the cert for the IDP itself in the IDP config?

You can use this article to verify additional settings, though I'm not sure if you are using the IDP or SP policies on the NS or just load balancing an existing one: https://support.citrix.com/article/CTX221631

If your signing authority changed, double check your root certs too.

Also, make sure your new cert isn't based on SHA-1, as that will likely be rejected.


If none of this helps, share your NS version, your LB config, and relevant info on the IDP/SP configurations.
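One way to verify the two certificate points raised in the reply above (what the LB vserver actually presents, and whether that cert is SHA-1 signed) is the added check script below; it is not from this thread or from Citrix. It does a minimal DER walk over the leaf certificate to read the outer signatureAlgorithm OID, so it needs no third-party library. The host name is a placeholder and the embedded sample certificates are constructed stubs, not real certificates.

```python
import socket
import ssl

# Signature algorithm OIDs commonly seen on ADFS / NetScaler certificates.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_RSA_OID = "1.2.840.113549.1.1.5"

def _tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OID content octets into dotted notation."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, start, _ = _tlv(der, 0)                      # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)                # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)            # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)  # first element: the OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def check_cert(der):
    """Report the signature algorithm and flag SHA-1, which modern clients reject."""
    oid = signature_algorithm_oid(der)
    return {"algorithm": SIG_OIDS.get(oid, oid), "sha1": oid == SHA1_RSA_OID}

def fetch_leaf_cert(host, port=443):
    """Fetch the leaf cert the vserver presents; validation is off so a broken chain is still inspectable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as s, ctx.wrap_socket(s, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

# Constructed stub certificates (not real X.509): SEQUENCE { SEQUENCE { INTEGER 2 }, AlgorithmIdentifier, BIT STRING }.
SAMPLE_SHA256 = bytes.fromhex("3017" "3003020102" "300d06092a864886f70d01010b0500" "030100")
SAMPLE_SHA1 = bytes.fromhex("3017" "3003020102" "300d06092a864886f70d0101050500" "030100")
```

Run `check_cert(fetch_leaf_cert("myurl.com"))` against the load-balanced ADFS name, and compare the result with the thumbprint/algorithm ADFS itself reports, to confirm the renewed cert is the one being served and is not SHA-1.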

It's just load balanced behind the NetScaler. The signing auth hasn't changed; really, only the expiry date of the cert has. All other certs in the chain remain as is. Other browsers, regardless of the old or new cert, work without issue. IE11 only works on the old cert, but once I update it, IE11 and ADFS break.

They're all SHA-2 certs. We haven't had SHA-1 for a few years now. In the attached files, you can see that I can sign in without issue using Edge (and the cert used). The same URL, with the same cert in IE11, stops at the Windows Security screen. If I roll back to my previous cert, it all works as expected from all browsers.
