The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (ADRMS Deployment)

    Question

  • Hi,

    I am trying to deploy ADRMS. When specifying the federation server (a separate server in the domain), I get an error stating could not establish trust relationship.


    Anyone got any ideas re this?

    Thanks

    Saturday, September 08, 2012 9:34 PM

Answers

  • 1. Name you are referring to (ADFS-1.SHAREPOINTDEVENV....) is present in the subject, or if subject alternative name extension is present in the federation server's certificate then check if the DNS name is present.

    How/where do I check this? Assuming the cert?

    Open up Internet Explorer browse to the https://ADFS-1.SHAREPOINTDEVENV... and open the certificate by clicking the padlock icon. Check for the subject and subject alternative name extension and that it contains the DNS name.

    2. Certificate is issued by a trusted certification authority

    How can I tell if this is the case?

    If in previous point the certificate warning didn't show up then the certificate is probably trusted.

    3. CRL distribution points are accessible.

    Open the server certificate, in the details tab search for CRL distribution points extension and check whether you can access URIs listed there.

    Martin

    Tuesday, September 18, 2012 6:20 AM
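    The three checks in this answer can also be run from a script rather than by clicking through Internet Explorer. The following is an added example, not code from the thread; the host name is a placeholder and the `{ $true }` callback accepts any certificate only so the certificate can be retrieved for inspection, with trust then evaluated explicitly through X509Chain.

```powershell
function Test-FederationServerCert {
    param([string]$HostName, [int]$Port = 443)

    # Fetch the certificate presented on the HTTPS port. The validation callback returns $true so the
    # handshake completes even for an untrusted certificate; trust is evaluated separately below.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }

    # 1. Is the DNS name in the Subject (CN) or in the Subject Alternative Name extension (OID 2.5.29.17)?
    #    Exact match only; wildcard names are not expanded here.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) { $dnsNames = @([regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }) }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $nameOk = ($dnsNames + $cn) -contains $HostName

    # 2. Does the chain build to a CA this machine trusts? Revocation is deliberately skipped here so an
    #    unreachable CRL (point 3) does not get reported as a trust failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 3. Are the HTTP URLs in the CRL Distribution Points extension (OID 2.5.29.31) reachable from here?
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlResults = @{}
    if ($cdp) {
        foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)')) {
            $url = $m.Groups[1].Value
            try { $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10; $crlResults[$url] = 'reachable' }
            catch { $crlResults[$url] = "unreachable: $($_.Exception.Message)" }
        }
    }

    [pscustomobject]@{
        Host = $HostName; Subject = $cert.Subject; SanDnsNames = $dnsNames; NameMatches = $nameOk
        ChainTrusted = $trusted; ChainStatus = $chainStatus; CrlDistributionPoints = $crlResults
        NotAfter = $cert.NotAfter
    }
}

# Placeholder host name; replace with the federation server's DNS name used in the ADRMS wizard.
Test-FederationServerCert -HostName 'adfs-1.example.test' | Format-List
```

    Run it on the ADRMS server itself, since that is the machine whose trust store and network path to the CRL URLs matter for the wizard.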

All replies

  • Hi

    Please ask this in Rights Management Services forum for better assistance

    Rights Management Services
    http://social.technet.microsoft.com/Forums/en-US/rms/


    Hope it helps

    __________________________
    Best regards
    Sarang Tinguria MCP, MCSA, MCTS
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, September 08, 2012 10:08 PM
  • Hi, 

    Could a mod move this thread?

    Sunday, September 09, 2012 7:42 PM
  • Is the certificate on the federation server trusted? Please check:

    1. Name you are referring to (ADFS-1.SHAREPOINTDEVENV....) is present in the subject, or if subject alternative name extension is present in the federation server's certificate then check if the DNS name is present.

    2. Certificate is issued by a trusted certification authority

    3. CRL distribution points are accessible.

    Feel free to ask more questions if necessary.

    HTH

    Martin

    Tuesday, September 11, 2012 7:48 AM
  • Ok to tackle this in another way, do I need to deploy AD CS? If so, can it be on the same server as ADFS?
    Tuesday, September 11, 2012 9:40 PM
  • No, you do not need to deploy AD CS; on the other hand, the certificate must be trusted by ADFS. One way is to deploy the AD CS ...

    In general you can deploy AD CS on the same server as AD FS, though there might be some security concerns. AD FS is typically internet facing and a CA should not be accessible through the internet. On the other hand I can imagine deploying ADFS + ADCS on the same server in a secure way. From a technical point of view these two services should not conflict if installed on the same server.

    Martin  

    Wednesday, September 12, 2012 6:08 AM
  • Hi Martin,

    Regarding your points:

    1. Name you are referring to (ADFS-1.SHAREPOINTDEVENV....) is present in the subject, or if subject alternative name extension is present in the federation server's certificate then check if the DNS name is present.

    How/where do I check this? Assuming the cert?

    2. Certificate is issued by a trusted certification authority

    How can I tell if this is the case?

    3. CRL distribution points are accessible.

    Again, how can I tell if this is the case?

    Wednesday, September 12, 2012 10:54 PM
  • Ok I downloaded adfs 2.0 rtw for server 2008 r2.

    This time, when going through the config wizard, I get this error:

    http://tinypic.com?ref=1256q9w

    Do I need to buy a certificate?

    Thanks

    Saturday, September 15, 2012 8:15 PM