HA-Proxy Oauth/ADFS Token Issue

Started by amichel, March 02, 2021, 09:27:14 PM

Hi all,
I decided to go for HA Proxy as a reverse proxy, as my current implementation of port forwarding to a Web Application Proxy does not help in using Exchange HMA: the WAP does not correctly forward the authentication request. So after some fiddling around I was able to configure that with HA Proxy, and now I end up with another issue I can't fix.
Additionally I am using Work Folders which can use ADFS/Oauth authentication, and if using an Azure AD Joined device are able to do device based authentication.
For some reason this does not work with HA Proxy. I did a Fiddler trace, but usually the only thing I see from the client side is that the request simply times out.
In the client's Event Log I see that the device does not get a JWT from the ADFS server, and in the ADFS Event Log I see:
"The refresh token received in 'refresh_token' parameter is invalid. The device identifier in the token does not match the specified device certificate"

So to me that looks like the client's cert is not passed through.
It works when using the WAP as reverse proxy and ADFS proxy. I have to use TCP mode as I rely on SNI for correctly forwarding to the servers, and because ADFS does not support offloading.


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    # Process identity and confinement: run as uid/gid 80, chrooted into
    # /var/haproxy, detached as a daemon.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # Runtime API socket at "level admin": full control of the running proxy
    # (server state, maps, ACLs) and, via "expose-fd listeners", hand-over of
    # listening sockets to a new process. The only access control on it is the
    # filesystem: group "proxy", mode 775 — keep that group membership minimal.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    # Single process, single thread.
    nbproc                      1
    nbthread                    1
    # Process-wide ceiling of 50 concurrent connections, shared by all frontends.
    maxconn                     50
    # DH parameters for TLS termination. Every frontend below is either
    # "mode tcp" passthrough or plain HTTP, so HAProxy does not terminate TLS
    # in this config and this setting has no effect here.
    tune.ssl.default-dh-param   2048
    # Randomises health-check intervals by +/-2%; all backends shown have
    # health checking disabled, so this matters little here.
    spread-checks               2
    # 16 KiB request/response buffers (chksize is a legacy alias of bufsize).
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             128
    # Remote syslog: host 10.168.1.39, facility local0, minimum level info.
    log 10.168.1.39 local0 info
cache opnsense-haproxy-cache
    # HTTP object cache: 8 MB total, objects expire after 120 s. No backend in
    # this config references it (no "http-request cache-use"/"cache-store"),
    # so it is declared but unused here.
    total-max-size 8
    max-age 120

defaults
    # Inherited by every frontend and backend below unless overridden there.
    log     global
    # On the last of the retries, try another server of the backend
    # (-1 = last retry only). With single-server pools this changes nothing.
    option redispatch -1
    # Per-proxy connection cap; equal to the global maxconn, so the global
    # limit is the effective one.
    maxconn 50
    # Idle/inactivity limits; the TCP frontend below also repeats "timeout client".
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    # Resolve server hostnames at startup from the last saved state file
    # first, then via the libc resolver.
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats



# Frontend: Frontend_443_SNI (All Backends to be placed here)
frontend Frontend_443_SNI
    # TLS passthrough: no "ssl" on the bind, so HAProxy never terminates TLS
    # here. It only peeks at the ClientHello (hello type / SNI) to pick a
    # backend and then relays the raw TCP stream; it cannot inspect, add or
    # strip anything inside the TLS session, including a client certificate.
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    # tuning options
    timeout client 30s

    # logging options
    option tcplog
    # ACL: Condition_Traffic_SSL
    # True once a TLS ClientHello (hello type 1) has been buffered.
    acl acl_603c864d90ff52.36940379 req_ssl_hello_type 1
    # ACL: Condition_Certauth_FS_SNI
    acl acl_603de074a90f78.82060934 req.ssl_sni -i certauth.fs.domain.com
    # ACL: Condition_FS_SNI
    acl acl_603c8693c29905.84827726 req.ssl_sni -i fs.domain.com
    # ACL: Condition_MAIL_SNI
    acl acl_603d2cefa4baa3.21722062 req.ssl_sni -i mail.domain.com
    # ACL: Condition_MAIL_autodiscover
    acl acl_603d3dd94f1241.73969723 req.ssl_sni -i autodiscover.domain.com
    # ACL: Condition_workfolders_SNI
    acl acl_603d5286ac0958.05383484 req.ssl_sni -i workfolders.domain.com
    # ACL: Condition_Sync_SNI
    acl acl_603d52af5c2b72.14160560 req.ssl_sni -i sync.domain.com

    # ACTION: RULE_Inspect_Delay
    # NOTE: actions with no ACLs/conditions will always match
    # Wait up to 60s for the ClientHello to arrive. "timeout client 30s"
    # above is shorter, so the effective wait is likely 30s; the two values
    # should be aligned (a few seconds is usually enough for a ClientHello).
    tcp-request inspect-delay 60s
    # ACTION: RULE_Acccept_SNI_SSL
    # Stop waiting as soon as a ClientHello is seen.
    tcp-request content accept if acl_603c864d90ff52.36940379
    # ACTION: RULE_WAP_SNI
    # First matching use_backend wins. certauth.* and fs.* both go to the same
    # WAP pool; because this is passthrough, a client certificate presented on
    # certauth.* travels to WAP_Real unchanged — HAProxy neither sees nor
    # alters it.
    use_backend WAP_Pool if acl_603de074a90f78.82060934 || acl_603c8693c29905.84827726
    # ACTION: RULE_Mail_SNI
    use_backend Mail_Pool_SNI if acl_603d2cefa4baa3.21722062
    # ACTION: RULE_Autodiscover_SNI
    use_backend Mail_Pool_SNI if acl_603d3dd94f1241.73969723
    # ACTION: RULE_Workfolders_SNI
    use_backend Workfolder_Pool if acl_603d5286ac0958.05383484
    # ACTION: RULE_Sync_SNI
    # No default_backend: a connection whose SNI matches none of the ACLs
    # (or that sends no SNI at all) is not forwarded anywhere.
    use_backend Workfolder_Pool if acl_603d52af5c2b72.14160560

# Frontend: Frontend_HTTP (Backend for HTTP)
frontend Frontend_HTTP
    # Plain HTTP on port 80, used only to publish the CRL (CRLs carry their
    # own signature, so cleartext distribution is the usual arrangement).
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # Adds X-Forwarded-For with the client IP to requests sent to the backend.
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Condition_CRL
    # Case-insensitive prefix match on the Host header.
    acl acl_603d60d79b7ae4.11560289 hdr_beg(host) -i crl.domain.com

    # ACTION: RULE_Crl
    # No default_backend: requests for any other Host get HAProxy's 503.
    use_backend CRL_Pool if acl_603d60d79b7ae4.11560289

# Backend: WAP_Pool (Web Application Proxy Pool)
backend WAP_Pool
    # health checking is DISABLED
    # With no check, a down WAP is only noticed when connects fail
    # (retries/redispatch from "defaults").
    # TCP relay to the WAP; TLS is terminated there, not here.
    mode tcp
    balance source
    # stickiness
    # Source-IP affinity: 50k entries, 30 min idle expiry. With a single
    # server this has no routing effect.
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # NOTE(review): nothing follows the colon — no port. If this is not a
    # paste artefact, confirm which port HAProxy uses here; with no port it
    # likely falls back to the port the client connected to (443).
    server WAP_Real wap.sub.domain.com:

# Backend: Mail_Pool_SNI (Mail Pool)
backend Mail_Pool_SNI
    # health checking is DISABLED
    # A down Exchange server is only noticed when connects fail.
    # TCP relay for mail.* and autodiscover.*; TLS is terminated by the server.
    mode tcp
    balance source
    # stickiness
    # Source-IP affinity: 50k entries, 30 min idle expiry; no effect with one server.
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # NOTE(review): no port after the colon — see WAP_Pool; confirm intended port.
    server Mail_Real_SNI msx.sub.domain.com:

# Backend: Workfolder_Pool (Pool Workfolder)
backend Workfolder_Pool
    # health checking is DISABLED
    # A down Work Folders server is only noticed when connects fail.
    # TCP relay for workfolders.* and sync.*; TLS is terminated by the server.
    mode tcp
    balance source
    # stickiness
    # Source-IP affinity: 50k entries, 30 min idle expiry; no effect with one server.
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    # Shorter connect timeout than the 30s inherited from "defaults".
    timeout connect 5s
    timeout server 30s
    # NOTE(review): no port after the colon — see WAP_Pool; confirm intended port.
    server Workfolder_Real sync.sub.domain.com:

# Backend: CRL_Pool (Pool für CRL)
backend CRL_Pool
    # health checking is DISABLED
    # A down CRL host is only noticed when connects fail.
    # Plain HTTP to the domain controller serving the CRL.
    mode http
    balance source
    # stickiness
    # Source-IP affinity: 50k entries, 30 min idle expiry; no effect with one server.
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # Idle backend connections may be reused for later requests.
    http-reuse safe
    # NOTE(review): no port after the colon — see WAP_Pool; for this HTTP
    # backend the fallback would be the frontend's port 80. Confirm.
    server CRL_REAL dc2.sub.domain.com:



If anyone sees a glitch in my config, I would highly appreciate any help here.
amichel