ADFS as IdP with certificate-based authentication for SAML endpoint

  • Question

  • Hello,

    Is it possible to use certificate-based authentication on ADFS for a SAML endpoint? FBA auth works well, but there is some problem with the CBA auth.

    I have a website (for example https://mywebsite) behind a WAP proxy (the WAP proxy is configured for pass-through access to this website), which has a SAML authentication provider. On ADFS I created a Claims Aware Relying Party Trust with the SAML Assertion Consumer Endpoint that links to the SAML provider for this website (https://mywebsite/saml2/). Added Claims Issuance Policies:

    1. Send LDAP Attributes: User-Principal-Name -> Outgoing Claim Type: Name ID

    2. Transform an Incoming Claim -> incoming claim: UPN; Outgoing Claim type: Name ID; outgoing name ID format: Unspecified; Pass through all claim values

    And I am able to log in to the website using my AD account through FBA authentication as well. But if I try to use the domain user certificate on the ADFS auth page instead of logging in, I receive the following error:

    This site can’t be reached

    The webpage at https://myadfs:49443/adfs/ls/IdpInitiatedSignOn.aspx/?SAMLRequest=fZLNbsIwEITvPAXyPYljSFQsQKLQn0iUIKA99FI5yQKWEjv1Oi19%2B4akLbRS2duu9xvNjjxEUeQln1R2r1bwWgHaTreuQ5Er5M3jiFRGcS1QIleiAOQ25evJw5wzl%2FLSaKtTnZM%2F2GVKIIKxUqsWi2YjEi9u5vFdtHjZQuIPemkQ0qsw7fXDIAmTjFLmU8GyJPRT6FEYBNCiT2Cw1hmRWpZ0WjXECiKFVihbz6k%2FcChzaLBhjLOAs%2F5zi87qY6UStsH31pbIPU9kW3SlxQRyN%2FloWi9HL8rKSEkrhYVsLXcqVq7A8tAKLb8yuJYqk2p3%2BfSkXUJ%2Bv9ksnWW83rQik%2B9IplphVYBZg3mTKTyu5id3shSFc4z3zOKxZR4ZNyrDY8ebBMz4AjX0zhdPaMkXteNottS5TD%2Ba%2BbFutSmE%2Ff8w3%2FWbicycbbPKK4UlpHIrISM%2FMpM81%2B9TA3WKI2JNBaTrjTud1szvXzj%2BBA%3D%3D&RelayState=https%3A%2F%2Fmywebsite%2Fsaml2%2F&client-request-id=4080c041-2bfa-4165-8001-0080000000b8

    might be temporarily down or it may have moved permanently to a new web address.
    ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

    On this WAP+ADFS I already have some other websites (SharePoint/Exchange etc.) and I'm able to authenticate to them using the same domain user certificate without any problem.

    What should I do to deploy certificate-based authentication for the website with the SAML provider?
    Thanks for any advice.

    Tuesday, February 5, 2019 11:18 PM

Answers

  • Are you sure you can authenticate using other users and other certs?

    Because it looks like the port 49443 is not reachable from the outside.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    You are right. I had a problem with the user certificate on the test computer (macOS) where I checked the connection. I changed my user cert and now it works well. Thank you!
    Wednesday, February 6, 2019 7:15 PM
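The accepted answer turns on one question: is the certificate-authentication port (49443) actually reachable from the client, and if it is, does the failure happen in the TLS handshake rather than in ADFS itself? The script below is an added diagnostic written for this thread, not code from the original posts or from Microsoft. It opens TCP, then TLS, optionally presenting a user certificate exported as a PEM file, and reports which layer failed. `myadfs`, `49443` and the PEM paths are placeholders taken from or assumed for this thread; run it from the same outside machine (here, the macOS client) that shows the browser error.

```python
"""Probe an AD FS certificate-authentication endpoint (default TCP 49443) and
report which layer fails: TCP reachability, the TLS handshake, or the server
certificate check. Added diagnostic for this thread, not from the original posts."""
import socket
import ssl
from typing import Optional


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised during probe() to a coarse, actionable cause."""
    # SSLCertVerificationError is a subclass of SSLError, so test it first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server-cert-untrusted"     # ADFS/WAP chain not trusted by this client
    if isinstance(exc, ssl.SSLError):
        # Handshake alert or abrupt close. With client auth in play this is the
        # usual symptom of a missing or unusable user certificate / private key.
        return "tls-handshake-failed"
    # ssl.SSLError is itself an OSError, so the generic network bucket comes last:
    # connection refused, DNS failure, timeout, or a firewall dropping the port.
    if isinstance(exc, (ConnectionRefusedError, TimeoutError, socket.gaierror, OSError)):
        return "unreachable"
    return "unknown"


def probe(host: str, port: int = 49443, certfile: Optional[str] = None,
          keyfile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """TCP connect, TLS handshake, then one HEAD request. Never raises."""
    result = {"host": host, "port": port, "status": "ok", "detail": ""}
    ctx = ssl.create_default_context()
    if certfile:
        # Client certificate + key exported from the user's store (assumed PEM).
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["detail"] = tls.version() or ""
                # With TLS 1.3 a "client certificate required" rejection only
                # surfaces on the first read, so send a minimal request and read.
                tls.sendall(b"HEAD /adfs/ls/ HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                first = tls.recv(128)
                status_line = first.split(b"\r\n", 1)[0].decode(errors="replace")
                result["detail"] = (result["detail"] + " " + status_line).strip()
    except Exception as exc:  # classify rather than propagate
        result["status"] = classify_failure(exc)
        result["detail"] = repr(exc)
    return result


def self_check() -> dict:
    """Classify constructed exceptions (no network) so the mapping is verifiable."""
    samples = {
        "refused": ConnectionRefusedError(111, "Connection refused"),
        "timeout": TimeoutError("timed out"),
        "tls": ssl.SSLError(1, "[SSL: TLSV1_ALERT_HANDSHAKE_FAILURE] constructed sample"),
        "verify": ssl.SSLCertVerificationError(1, "certificate verify failed (constructed)"),
    }
    return {name: classify_failure(exc) for name, exc in samples.items()}


if __name__ == "__main__":
    # Placeholder host/port from the thread; replace with the real ADFS name.
    print(probe("myadfs", 49443))
    # Same probe presenting a user certificate (assumed PEM export paths).
    print(probe("myadfs", 49443, certfile="user-cert.pem", keyfile="user-key.pem"))
```

Read the result the way the answer implies: `unreachable` means the port is not published to the outside (a WAP or firewall question, not a certificate one); `tls-handshake-failed` with no certificate but `ok` with one points at the client's certificate or key, which is what the original poster found on the macOS machine; `server-cert-untrusted` means the ADFS/WAP server chain, including intermediates, is not trusted by the probing client.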

All replies

  • Hello,

    Yes it is possible to use certificate based authentication. Make sure the entire chain of trust, including any intermediate certificates, is installed on every AD FS and WAP server.

    Please see if this might be helpful

    https://blogs.technet.microsoft.com/pauljones/2014/05/27/how-to-enable-password-user-certificate-authentication-in-adfs-3-0/

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication


    Isaac Oben MCITP:EA, MCSE, MCC

    Wednesday, February 6, 2019 5:09 AM
  • Are you sure you can authenticate using other users and other certs?

    Because it looks like the port 49443 is not reachable from the outside.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, February 6, 2019 4:03 PM