Netscaler ADFS Proxy setup breaks after upgrading to 11.0-65.35


Article ID: CTX217389


Description

The ADFS Proxy setup has been configured on Netscaler by following the article below:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/guide-to-deploying-netscaler-as-an-active-directory-federation-services-proxy.pdf

After the user authenticates on the Netscaler AAA vserver, the browser shows the error below:

[Image: error page shown in the browser after authentication on the AAA vserver]

Resolution

DenySSLReneg is set to ALL by default, which means Netscaler will not allow any SSL renegotiation, so Netscaler closes the connection when the backend server asks for one.

The solution is to allow SSL renegotiation by running the command below:

> set ssl parameter -denySSLReneg NO

Note that this is a global SSL parameter, so the change applies to every SSL vserver on the appliance, not only to the AAA vserver used for ADFS. Run "show ssl parameter" afterwards to confirm the new value. CTX123680 (see Additional Information) describes the other values of -denySSLReneg for cases where renegotiation should be permitted only in specific scenarios rather than unconditionally.

Problem Cause

From the Netscaler trace we see that the Netscaler flow is correct and the request is forwarded to the backend server. The backend server, however, then tries to start another SSL handshake over the existing SSL session by sending a "Hello Request", as shown below. Because DenySSLReneg is set to ALL by default (Netscaler does not allow any renegotiation), Netscaler closes the connection, as shown below:

[Image: Netscaler trace showing the backend server's Hello Request followed by Netscaler closing the connection]


As per RFC 5246:
https://tools.ietf.org/html/rfc5246#section-7.4.1.1

"HelloRequest is a simple notification that the client should begin the negotiation process anew. In response, the client should send a ClientHello message when convenient. This message is not intended to establish which side is the client or server but merely to initiate a new negotiation."
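The following is an added example, not part of the Citrix article, showing how the "Hello Request" described in the trace analysis and in the RFC excerpt above can be picked out of a stream of TLS records. It assumes the trace has been exported as raw TLS record bytes from one direction of the connection; the sample byte strings are constructed for illustration and are not captured from a real session. When the trace is decrypted, the HelloRequest handshake type (0) is visible; when only the record headers are readable, a handshake record arriving after application data is the indicator that the server is asking for renegotiation.

```python
# Added example (not from the Citrix article): minimal TLS 1.x record scanner
# that flags a server-initiated HelloRequest (RFC 5246 section 7.4.1.1).
# Sample bytes are constructed for illustration, not captured from a real trace.

import struct

CONTENT_TYPE_HANDSHAKE = 0x16          # TLS record content type "handshake"
CONTENT_TYPE_APPLICATION_DATA = 0x17   # TLS record content type "application_data"
HANDSHAKE_HELLO_REQUEST = 0            # HandshakeType hello_request


def parse_records(stream: bytes):
    """Yield (content_type, (major, minor), payload) for each TLS record in the stream."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        yield content_type, (major, minor), payload
        offset += 5 + length
    if offset != len(stream):
        raise ValueError("trailing bytes after last TLS record")


def handshake_messages(payload: bytes):
    """Yield (handshake_type, body) for each handshake message in a plaintext handshake record."""
    offset = 0
    while offset + 4 <= len(payload):
        htype = payload[offset]
        hlen = int.from_bytes(payload[offset + 1:offset + 4], "big")
        body = payload[offset + 4:offset + 4 + hlen]
        yield htype, body
        offset += 4 + hlen


def find_renegotiation_triggers(stream: bytes, payload_is_plaintext: bool = True):
    """Return [(record_index, reason)] for records that indicate a renegotiation request.

    With a decrypted trace the HelloRequest message itself is matched. With an
    encrypted trace only the record header is readable, so a handshake record
    that follows application data is reported instead.
    """
    hits = []
    seen_app_data = False
    for idx, (ctype, _version, payload) in enumerate(parse_records(stream)):
        if ctype == CONTENT_TYPE_APPLICATION_DATA:
            seen_app_data = True
        elif ctype == CONTENT_TYPE_HANDSHAKE:
            if payload_is_plaintext:
                if any(h == HANDSHAKE_HELLO_REQUEST for h, _ in handshake_messages(payload)):
                    hits.append((idx, "HelloRequest"))
            elif seen_app_data:
                hits.append((idx, "handshake record after application data"))
    return hits


# Constructed sample: one application-data record ("Hello") followed by a
# handshake record carrying a HelloRequest (type 0, length 0).
SAMPLE_DECRYPTED = bytes.fromhex(
    "170303000548656c6c6f"   # application_data, TLS 1.2, 5 bytes
    "160303000400000000"     # handshake, TLS 1.2, 4 bytes: HelloRequest
)

# Same sequence as it would appear without decryption: the handshake payload is opaque.
SAMPLE_ENCRYPTED_VIEW = bytes.fromhex(
    "170303000548656c6c6f"
    "1603030004deadbeef"     # constructed opaque payload
)

if __name__ == "__main__":
    print(find_renegotiation_triggers(SAMPLE_DECRYPTED))
    print(find_renegotiation_triggers(SAMPLE_ENCRYPTED_VIEW, payload_is_plaintext=False))
```

In the decrypted case the scanner reports record 1 as a HelloRequest; in the encrypted case it reports the same record because a handshake record appeared after application data. Either result corresponds to the point in the trace where Netscaler, with DenySSLReneg set to ALL, closes the connection.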

Additional Information

CTX123680 - How to Configure -denySSLReneg Parameter