Help with ADFS certificate

  • Question

  • Hello,

    We are going to be building an ADFS internal server (2016) and I've been watching some videos on this and I'm stuck on the certificate creation.

    1. Does the certificate on the internal ADFS server just have to be an internal one and are you aware of a tutorial?
    2. Does the ADFS proxy server also need a certificate and if so can it use the same one as the internal?

    Thanks

    Thursday, July 13, 2017 1:37 PM

All replies

  • Good overview here.

    The SSL certificate should be issued by a CA. This clears up all the "not trusted" issues.

    Signing and encryption are handled by ADFS if you have rollover on.

    Thursday, July 13, 2017 6:58 PM
  • Does this same CA SSL cert go on the internal ADFS server and proxy in the DMZ?

    Should I create this cert on the ADFS server or can I use something like this?

    https://www.digicert.com/csr-creation-ssl-installation-ad-fs-windows-server-2012-digicert-utility.htm#adfs_create_csr

    Friday, July 14, 2017 7:49 AM
  • 1. Does the certificate on the internal ADFS server just have to be an internal one and are you aware of a tutorial?

    Your ADFS won't be recognized from the Internet if you have not used a publicly trusted certificate, like GoDaddy or GlobalSign.

    2. Does the ADFS proxy server also need a certificate and if so can it use the same one as the internal?

    You need the same certificate in the ADFS Proxy which you have used in the STS server (ADFS), with the private key (.pfx).


    Cheers,

    Biswajit

    Technical Consultant – Active Directory-Microsoft PKI-Windows 2012 R2


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    • Edited by bshwjt Friday, July 14, 2017 6:16 PM
    Friday, July 14, 2017 6:15 PM
  • Does the certificate on the internal ADFS server just have to be an internal one and are you aware of a tutorial?

    You can use an internal PKI IF you have your own Enterprise CA for issuing the SSL certificate to the AD FS farm node and all your clients are managed, i.e. domain-joined to AD. (Non-domain-joined clients won't trust the internal authority.)

    Does the ADFS proxy server also need a certificate and if so can it use the same one as the internal?

    The WAP should use an external certificate from a trusted third-party. The WAP will bridge Internet connections to the internal server. If you go the internal PKI route for your SSL/Service Communications cert on the AD FS farm, then your WAP needs a copy of the internal PKI certificate chain and the CDP/AIA/OCSP endpoints need to be reachable from those nodes.

    There is a TechNet document floating around saying that the same certificate should be used, as there are some possible issues with Device Registration. I've not seen any issues myself. Most configurations end up using the same certificate, unless your security officer has key hygiene issues concerning using certificates more than once.


    http://blog.auth360.net

    Monday, July 17, 2017 7:37 PM
  • To the last point, "same certificate should be used": the only case I am aware of where applications break is legacy Lync clients.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, July 17, 2017 8:40 PM
  • 1. Does the certificate on the internal ADFS server just have to be an internal one and are you aware of a tutorial?

    >>> Based on your requirement: if you have users who are going to access ADFS-enabled applications outside your intranet, you require a certificate from a third-party CA.

    2. Does the ADFS proxy server also need a certificate and if so can it use the same one as the internal?

    >>> Yes, the ADFS proxy also needs a certificate, the same certificate with the private key exportable.

    Monday, July 17, 2017 9:25 PM
  • Hi Manoj,

    Something went crazy in your post.. lots of clutter.. reading "between the lines"

    1. No, it can be a third-party cert. It's more a preference thing or as Pierre mentioned, there is an issue with legacy Lync clients (did not know that Pierre.. thank you!). From the outside, connections are bridged via the proxy. Just make sure the proxy trusts any internal CA when you proxy SSL connections.

    2. The proxy certificate acts as a front-end to connections to your AD FS server/farm. Acting on its behalf, to secure connections from untrusted networks, it needs to use a certificate that is globally trusted. That's why I mentioned that the back-end certificate is less important coming from the Internet, because the proxy will always intercept that request. Regarding your last question, you can use the same cert.

    As mentioned before, there have been situations where security officers insist on using separate certificates for both proxy and AD FS farm nodes.  In the previous post, I used the example of 3rd party and internal PKI combinations. What I failed to mention is that this could be a certificate sourced from a third-party provider (Verisign/Godaddy etc) TWICE using two separate signing requests, with a different private key on both WAP and ADFS backend.

    3. "Yes".. you can share the certificate between ADFS and WAP with the same certificate via the private key exportable option. It's more a convenience thing rather than a security thing if you uncheck it :)


    http://blog.auth360.net

    Wednesday, July 19, 2017 11:05 PM
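The procedure the replies converge on (export the AD FS service communications certificate with its private key as a .pfx, import it on the WAP, and, if the certificate comes from an internal CA, confirm that the WAP can build the chain and reach the CDP/AIA/OCSP endpoints before installing the proxy role) written out in PowerShell. This is an added example, not code from any of the posters or from Microsoft; the federation service name sts.example.com, the file path and the password prompt are constructed placeholders, and it assumes the AD FS farm is already configured and that the certificate was enrolled with an exportable private key.

```powershell
# Added example (not from the thread). Part 1 runs on an AD FS (STS) node,
# part 2 runs on the Web Application Proxy (WAP) host in the DMZ.
# sts.example.com and C:\Temp\adfs-ssl.pfx are constructed placeholders.

function Export-AdfsSslPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # Locate the service communications (SSL) certificate the farm is using.
    $thumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
    $cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key in the machine store."
    }
    # Export-PfxCertificate fails here if the key was not marked exportable when
    # the certificate was requested; that is the "private key exportable" option
    # the replies mention. BuildChain packs the issuing CA certs into the .pfx,
    # which matters when the issuer is an internal PKI the WAP has never seen.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword `
        -ChainOption BuildChain | Out-Null
    return $thumb
}

function Import-WapSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string] $FederationServiceName
    )
    # Import into the machine store; the WAP binds the certificate by thumbprint.
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

    # Build the chain with online revocation checking from this host. For an
    # internal CA this is the check that the CDP/AIA/OCSP URLs are reachable from
    # the DMZ; a PartialChain or UntrustedRoot status means the internal root or
    # intermediate still needs to go into Cert:\LocalMachine\Root / Cert:\LocalMachine\CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($imported)) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "$($_.Status): $($_.StatusInformation)"
        }
        throw 'Chain does not build on the WAP; fix trust or CDP/AIA/OCSP reachability first.'
    }

    # Confirm the certificate is usable for server authentication on the federation
    # service name (SAN check), independent of which CA issued it.
    if (-not (Test-Certificate -Cert $imported -Policy SSL -DNSName $FederationServiceName)) {
        throw "Certificate is not valid for SSL on $FederationServiceName."
    }
    return $imported.Thumbprint
}

# --- Part 1, on the AD FS node:
# $pw = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
# Export-AdfsSslPfx -PfxPath 'C:\Temp\adfs-ssl.pfx' -PfxPassword $pw
#
# --- Part 2, on the WAP host, after copying the .pfx across:
# $pw    = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
# $thumb = Import-WapSslCertificate -PfxPath 'C:\Temp\adfs-ssl.pfx' -PfxPassword $pw `
#              -FederationServiceName 'sts.example.com'
# Install-WebApplicationProxy -CertificateThumbprint $thumb `
#     -FederationServiceName 'sts.example.com' `
#     -FederationServiceTrustCredential (Get-Credential)
```

Once the .pfx has been imported on the WAP, delete the file from both hosts: it carries the private key that every reply in this thread is talking about, and the exportable flag only exists so the copy can be made, not so the file can linger.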