Are external certificates necessary when not using AD FS proxy

  • Question

  • Hi,
    We are setting up Office 365 SSO for our organization.
    We are not using AD FS proxy as we have TMG servers in place.
    In this scenario, do we have to purchase an external certificate, or will our internal certificate do the job?
    Will there be any security issue when using internal certificate over external certificate?
    Your inputs are most appreciated as I'm not familiar with certificates.
    • Moved by pbbergs [MSFT] Wednesday, July 25, 2012 9:13 PM Transition Requested info (From:Directory Services)
    Wednesday, July 25, 2012 3:32 PM

All replies

  • There are a number of factors with ADFS cert requirements. It appears you have a Hybrid On-Premise scenario, and it also depends on if you have Exchange in the mix, which changes the type of cert required, which is a UC/SAN cert.

    I think this question is better suited for the Office365 Transition Forum where the Office365 Engineers can specifically assist you:


    For your convenience, maybe we can get a moderator to move this post for you to that forum, this way you won't have to do anything, and you'll still receive notifications with the new link.


    You know you also have the option to call Microsoft Office365 Support, where they can assist you step by step. Go to your Office365 Admin page, https://portal.microsoftonline.com/, and you can find the link for Support, or simply fill out a service request:

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, July 25, 2012 4:42 PM
  • Arun,

    You will definitely need an external (3rd party) trusted certificate due to trust chains. Since O365 does not hold your CA (Certificate Authority) server in its trusted root/intermediate CAs, your users will not be able to access the O365 services via Outlook/Lync.

    This can be worked around for any portal-based access since the user has the option to accept access to the page even though the certificate is not trusted, but there is no such option for Outlook/Lync and mobile phones.

    Have a great day,



    Monday, July 30, 2012 10:39 PM
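The trust-chain problem described in the reply above can be checked from the client side before users hit it. The PowerShell below is an added example and not code from the thread; it assumes a federation service name (the `sts.example.com` value is a placeholder) and is meant to be run from a machine that is not domain-joined and has not been given the internal root CA, so that it sees the chain the way Outlook, Lync or a phone would.

```powershell
# Added check: connect to the AD FS endpoint like an external client and
# report how the server certificate chains on THIS machine. On a domain-joined
# box the internal CA is already trusted, so the result would be misleading.
param(
    [string]$FederationHost = "sts.example.com",   # placeholder: your federation service FQDN
    [int]$Port = 443
)

# Accept any certificate during the handshake so the chain can be inspected afterwards.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$client = New-Object System.Net.Sockets.TcpClient($FederationHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($FederationHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $client.Close() }

# Build the chain against the local trust store, as a client would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
# Subject Alternative Name extension (OID 2.5.29.17): the names Outlook/Lync will match against.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
"SANs    : $san"
"Root    : $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"

if ($built) {
    "Chain builds to a root this machine trusts."
} else {
    "Chain does NOT build on this machine; rich clients and mobile devices would reject it:"
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
}
```

If the root listed is your internal enterprise CA and the chain fails to build on a machine outside the domain, that is exactly the failure the reply describes; a certificate from a publicly trusted CA with the federation name in its SANs is the fix.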