ADFS SSL Certificates

  • Question

  • I am trying to setup a SSO solution using Active Directory Federation Services 2.0, and I am having trouble with the security certificates.

    I have my ADFS server and my ADFS proxy server running on Server 2008 R2.

    Obviously I have to have an SSL certificate for each server, but the directions are a bit confusing. Listed in some of the tutorials it says this when referring to the certificates on the proxy server:

    "This certificate must have the same subject name as the SSL certificate configured on the federation server in the corporate network. Recommendation: Use the same server authentication certificate as is configured on the federation server that this federation server proxy will connect to."

    So both of my servers are going to have certificates with the same name? I was thinking that my ADFS server would have one for its name (adfs.whatever.com) and the proxy server would have one for its name (adfsproxy.whatever.com). Would I generate two certificates saying that each server is adfs.whatever.com?

    • Moved by Cicely Feng Tuesday, January 8, 2013 7:48 AM (From: Directory Services)
    Friday, January 4, 2013 8:23 PM

Answers

  • Hi,

    Yes, the name should match. Please read this:

    "It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS 2.0 Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box."

    You choose the subject name of the certificate on the Federation Proxy Server from the existing list.

    For more details, go to:
    Certificate Requirements for Federation Server Proxies
    http://technet.microsoft.com/en-us/library/dd807054(v=WS.10).aspx

    Also read the article below, which has a detailed station for ADFS certificates for Federation Servers and Federation Server Proxies:
    ADFS Certificates - SSL, Token Signing, and Client Authentication Certs
    http://blogs.technet.com/b/adfs/archive/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs.aspx

    Regards,
    Cicely

    • Marked as answer by Cicely Feng Friday, January 11, 2013 8:42 AM
    Tuesday, January 8, 2013 9:08 AM
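The check the answer describes, written out as an added PowerShell example (it is not code from the thread or from Microsoft): it reads the DNS names a server authentication certificate carries (subject CN plus any Subject Alternative Name entries) and tests whether one of them matches the Federation Service name. It assumes the certificate sits in the LocalMachine\My store, that the `Get-ADFSProperties` cmdlet from the `Microsoft.Adfs.PowerShell` snap-in is available when no name is passed in (on a federation server; on the proxy you pass the name explicitly), and that the SAN extension formats its entries with the English "DNS Name=" label. The thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the thread. Verifies that the SSL (server authentication)
# certificate on an AD FS 2.0 federation server or proxy carries the Federation
# Service name, which is the requirement quoted in the answer above.
# Assumptions: certificate is in Cert:\LocalMachine\My; Get-ADFSProperties is only
# used when no -FederationServiceName is given; SAN text uses the English label.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject CN (may be a wildcard such as *.whatever.com)
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name (OID 2.5.29.17) DNS entries; Format() output is
    # locale-dependent, so the regex assumes the English "DNS Name=" label
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameMatches {
    param([string]$Name, [string]$FederationServiceName)
    # -eq is case-insensitive in PowerShell, which is what DNS names need
    if ($Name -eq $FederationServiceName) { return $true }
    # Wildcard cert: *.whatever.com covers adfs.whatever.com but not a.b.whatever.com
    if ($Name.StartsWith('*.')) {
        $suffix = $Name.Substring(1)                     # ".whatever.com"
        $label  = $FederationServiceName.Split('.')[0]   # "adfs"
        return ($FederationServiceName -eq ($label + $suffix))
    }
    return $false
}

function Test-AdfsSslCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$FederationServiceName
    )
    if (-not $FederationServiceName) {
        # On a federation server the name is the HostName reported by AD FS 2.0
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
        $FederationServiceName = (Get-ADFSProperties).HostName
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

    $names = Get-CertificateDnsNames -Certificate $cert
    $match = $names | Where-Object { Test-NameMatches $_ $FederationServiceName }

    # New-Object PSObject keeps this working on PowerShell 2.0 (Server 2008 R2)
    New-Object PSObject -Property @{
        FederationServiceName = $FederationServiceName
        CertificateNames      = ($names -join ', ')
        NameMatches           = [bool]$match
        HasPrivateKey         = $cert.HasPrivateKey
        NotAfter              = $cert.NotAfter
        Expired               = ($cert.NotAfter -lt (Get-Date))
    }
}

# Usage (placeholder thumbprint). Run the same command on the proxy with the
# federation server's name: both certificates must carry that one name.
Test-AdfsSslCertificate -Thumbprint '<THUMBPRINT>' -FederationServiceName 'adfs.whatever.com'
```

`NameMatches` is the property that answers the original question: the proxy's certificate passes only if it carries the federation server's name (adfs.whatever.com), not the proxy's own hostname. `HasPrivateKey` and `Expired` are included because a name-correct certificate without its private key, or past its validity, fails the SSL binding just as surely.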

All replies

  • Can I use an internal CA certificate on my internal ADFS server and a public 3rd-party cert on my ADFS proxy if they both have the same name?

    both

    Thursday, February 6, 2014 1:09 PM