This is quite a rare scenario, but such things turn up more often than you would expect in IT. You land on one of Microsoft's Azure/Office 365 sign-in pages, it redirects you to your ADFS login screen fronted by a NetScaler, you authenticate successfully, and then you are greeted with an HTTP 400 error. The simple reason: a bug in the NetScaler software. Keep reading.

Scenario

Most ADFS implementations follow the common practice of using the Web Application Proxy (WAP) role of Microsoft Windows Server to proxy untrusted ADFS traffic to the internal, trusted ADFS servers. In deployments where NetScalers are already in place as reverse proxies and load balancers, it only makes sense to re-use what is already there and let the NetScaler Gateway front ADFS instead of WAP.

The Bug

Bug in 11.1 build 56.19 (December 2017)

A NetScaler Gateway appliance running release 11.1 build 55.13 or 56.19 fails while attempting forms-based single sign on (SSO) to the back-end server. This happens because the POST request sent from the NetScaler appliance to the back-end server contains corrupted headers, resulting in SSO failure. The HTTP 400 you see in the browser is the back-end ADFS server rejecting that malformed POST; the user's own authentication at the gateway logon page has already succeeded at that point.

[# 700652, 702495, 702678]

The Fix

After working with NetScaler support, it was confirmed that the bug is fixed in build 11.1 57.11 (released January 25, 2018). Upgrade to that build or a later 11.1 build.
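A quick way to tell whether an appliance is on one of the two affected builds or already on the fixed one is to parse the first line of `show ns version` (for example `ssh nsroot@<appliance> "show ns version"`). The following is an added example for this page, not code from Citrix or the original author; the sample output is constructed from the documented `NetScaler NSx.y: Build a.b.nc` format and its build date is made up. Builds that the release note does not mention (anything between 56.19 and 57.11, or before 55.13) are reported as unknown rather than assumed good.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Builds named in the release note quoted above; the fix build is the one support confirmed.
AFFECTED_BUILDS = {(55, 13), (56, 19)}
FIXED_BUILD = (57, 11)


class NsVersion(NamedTuple):
    release: str              # e.g. "11.1"
    build: Tuple[int, int]    # e.g. (56, 19)


# First line of `show ns version` looks like "NetScaler NS11.1: Build 56.19.nc, Date: ...".
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_ns_version(output: str) -> Optional[NsVersion]:
    """Extract release and build from the output of `show ns version`; None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return NsVersion(m.group(1), (int(m.group(2)), int(m.group(3))))


def forms_sso_status(v: NsVersion) -> str:
    """Classify an 11.1 build against this bug. Builds the release note does not name
    are reported as 'unknown' rather than 'fixed'; other releases are out of scope."""
    if v.release != "11.1":
        return "not-11.1"
    if v.build in AFFECTED_BUILDS:
        return "affected"
    if v.build >= FIXED_BUILD:
        return "fixed"
    return "unknown"


# Constructed sample output; the build date is made up.
SAMPLE_OUTPUT = "\tNetScaler NS11.1: Build 56.19.nc, Date: Dec 5 2017, 16:15:58\n Done\n"

if __name__ == "__main__":
    v = parse_ns_version(SAMPLE_OUTPUT)
    print(v, forms_sso_status(v) if v else "could not parse version")
```

Builds are compared as (major, minor) integer pairs, so 57.11 sorts after 56.19 even though a plain string comparison would not get that right.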

Hope this helps someone out!