ADFS 3.0 + Windows XP: #fail (and how to fix)

This is hopefully the last of my “ADFS 3.0 quirks ‘n stuff” series. After a more or less successful implementation of ADFS 3.0 (or ADFS on Windows Server 2012 R2), my customer reported back that they had huge problems with some clients. As it turned out, the vast majority of these clients were still running Windows XP. I know, I know.

After some research, it was pretty obvious that the problem is related to the fact that ADFS 3.0 relies on Server Name Indication (SNI), a TLS extension that allows several SSL-secured sites to share the same IP/port combination. The problem is that Windows XP doesn’t understand SNI and is simply unable to talk to any web service that depends on it.

The good news is: as long as your Web Application Proxy doesn’t do anything else besides ADFS, you can get around this by letting the ADFS publishing consume the whole IP/port, instead of just the ADFS-specific hostname. This is the golden link telling you what to do. If you have an ADFS + Web Application Proxy scenario, you need to perform these steps on both servers:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ab01ef59-d1f6-4959-a0be-f372234814c6/adfs-30-login-failing-from-ie8?forum=winserverDS

First, list the existing SSL certificate bindings:

netsh http show sslcert

Second, add a binding for the IP address and port:

netsh http add sslcert ipport=<IPAddress:port> certhash=<Certificate Hash> appid=<Application ID> certstorename=MY

where
<IPAddress:port> = listening IP address and port for ADFS requests, e.g. “0.0.0.0:443” for all addresses
<Certificate Hash> = copy and paste the value from the previous show command
<Application ID> = copy and paste the value from the previous show command, including the {}’s
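The hash and application ID are easy to mistype, so here is an added PowerShell example (not from the original post) that reads them from the existing hostname binding and builds the add command from them. It assumes a placeholder federation service name of adfs.example.com on port 443 and the field labels that netsh prints (Hostname:port, IP:port, Certificate Hash, Application ID, Ctl Store Name); the CTL store is carried over because, as the comment below reports, the WAP servers stop working without it.

```powershell
# Added example, not the post's own code. Placeholders: replace with your own values.
$FederationHost = 'adfs.example.com'   # placeholder federation service name
$IpPort         = '0.0.0.0:443'        # all addresses on 443, as in the post

# Parse "netsh http show sslcert" into one hashtable per binding.
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)') {
        $current = @{ Key = $Matches[2] }
        $bindings += $current
    }
    elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $current.CertHash = $Matches[1]
    }
    elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
        $current.AppId = $Matches[1]
    }
    elseif ($current -and $line -match '^\s*Ctl Store Name\s*:\s*(\S*)') {
        $current.CtlStore = $Matches[1]
    }
}

# The SNI (hostname) binding ADFS created is the source of hash, appid and CTL store.
$src = $bindings | Where-Object { $_.Key -ieq "${FederationHost}:443" } | Select-Object -First 1
if (-not $src) {
    throw "No hostname binding found for ${FederationHost}:443; check the name in 'netsh http show sslcert'."
}
if ($bindings | Where-Object { $_.Key -eq $IpPort }) {
    Write-Warning "$IpPort is already bound; nothing to do."
    return
}

$netshArgs = @('http', 'add', 'sslcert', "ipport=$IpPort",
               "certhash=$($src.CertHash)", "appid=$($src.AppId)", 'certstorename=MY')
# Keep the CTL store (AdfsTrustedDevices on an ADFS/WAP box); without it the WAP
# servers fail with 401s after a restart. netsh prints "(null)" when none is set.
if ($src.CtlStore -and $src.CtlStore -ne '(null)') {
    $netshArgs += "sslctlstorename=$($src.CtlStore)"
}

Write-Host "Running: netsh $($netshArgs -join ' ')"
& netsh @netshArgs
```

Run it in an elevated prompt on each ADFS and WAP server; re-run netsh http show sslcert afterwards to confirm the new IP:port entry carries the same Ctl Store Name as the hostname entry.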


  • If you do this and restart your ADFS WAP servers they will stop working. The signs are no services running on the WAP servers on ports 443 and in Event Viewer you get lots of 401 errors.

    The solution is to add SSL Ctl Store Name which is a location used by ADFS to authenticate the incoming WAP servers.

    netsh http add sslcert ipport="x.x.x.x:443" certhash="83274623746238746872342387462387468" appid="{23784623874623874687}" certstorename="MY" sslctlstorename="AdfsTrustedDevices"

    I also deleted the certificates from ADFS in the ADFS TrustedDevices and deleted the client cert from the ADFS Proxy in Computer/Personal and reran this from each WAP server...

    Install-WebApplicationProxy -CertificateThumbprint "32847239847923847982347982347" -FederationServiceName "adfs.x.x.x"

    All working again 🙂