use of wildcard certificate

    Question

  • Hi,

    We are going to use the UAG with an AD for the SSO of a SharePoint server and a set of 10+ web application servers behind the UAG; the connections are supposed to be HTTPS. We would like to know if the use of a wildcard server certificate is mandatory in this kind of environment, or if a server certificate for each application server is also possible for this requirement?


    Thanks a lot !


    • Edited by llk1234 Tuesday, January 07, 2014 6:59 AM
    Tuesday, January 07, 2014 6:45 AM

All replies

  • Hi,

    It is not mandatory but recommended. The reason for the recommendation is that you can just use 1 trunk for publishing instead of 10 different trunks (10 IPs) if you use a single server SSL cert, e.g. if you use app01.domain.com to app10.domain.com. As an alternative to the wildcard cert you can use a SAN certificate which has all app host names included, just in case this makes a price difference.

    I would recommend using the wildcard cert, because UAG configuration and management is much simpler than with the single server certificate, and the SAN certificate is inflexible if you want to add more apps, because you have to request a new certificate if you add a new application.

    Hope that helps,

    Lutz

    Tuesday, January 07, 2014 8:05 PM
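    The trade-off Lutz describes, one wildcard cert on a single trunk versus a SAN cert that has to be reissued whenever an app is added, can be checked against the list of planned host names before buying the certificate. The following is an added example, not code from this thread or from UAG; the app host names are constructed, and the matching rule is the conservative single-label wildcard rule from RFC 6125.

```python
"""Report which published host names a server certificate would cover (added example)."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Subject CN plus the subjectAltName DNS entries of a certificate."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)

    def identities(self) -> list[str]:
        # Clients ignore the CN once a SAN extension is present.
        return self.san_dns if self.san_dns else [self.common_name]


def name_matches(pattern: str, host: str) -> bool:
    """Conservative RFC 6125 rule: '*' must be the whole leftmost label,
    matches exactly one label, and the remaining labels must match."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False  # partial wildcards and wildcards directly under a TLD are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_hosts(cert: CertNames, hosts: list[str]) -> dict[str, bool]:
    """Map each published host name to whether the certificate covers it."""
    return {h: any(name_matches(p, h) for p in cert.identities()) for h in hosts}


def uncovered(cert: CertNames, hosts: list[str]) -> list[str]:
    """Host names that would produce a certificate-name mismatch on the trunk."""
    return [h for h, ok in covered_hosts(cert, hosts).items() if not ok]


# Constructed sample: the ten apps from the thread plus an eleventh added later.
APPS = [f"app{n:02d}.domain.com" for n in range(1, 11)]
NEW_APP = "app11.domain.com"
WILDCARD = CertNames("*.domain.com")
SAN = CertNames("app01.domain.com", [f"app{n:02d}.domain.com" for n in range(1, 11)])

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD), ("SAN", SAN)):
        print(label, "uncovered:", uncovered(cert, APPS + [NEW_APP]))
```

    Note that the wildcard only spans one label: a host such as sub.app01.domain.com is not covered by *.domain.com and would need its own name on the certificate.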
  • Thanks Lutz for your advice !

    As I am new to UAG, I would like to know: if I create different trunks for each server, can the SSO still be configured to cover these 10 different HTTPS trunks, and if yes, where should this be configured?

    Thanks again !


    • Edited by llk1234 Wednesday, January 08, 2014 12:57 AM
    Wednesday, January 08, 2014 12:32 AM
  • Yes, this can be achieved through cross-site single sign-on. http://technet.microsoft.com/en-us/library/ee921441.aspx
    Wednesday, January 08, 2014 1:08 AM
  • Thank you very much for your prompt reply, I will check on the link!

    Wednesday, January 08, 2014 1:28 AM
  • As we are going to use the client certificate's email in addition to username & password for the authentication, then according to the cross-site SSO link provided, "client certificate authentication" is not supported. So does it mean that I have to use a single HTTPS trunk to cover all the backend servers, and that this will imply that only a wildcard or SAN server certificate can be used for this requirement?

    Wednesday, January 08, 2014 2:16 AM
  • I think the wildcard cert is the best option for you.
    Wednesday, January 08, 2014 2:32 AM
  • Thanks again !
    Wednesday, January 08, 2014 2:35 AM