Device Registration Service and ADFS SSL Certificate

  • Question

  • Hello,

    I'm implementing a new ADFS farm on Windows Server 2016 and am also considering enabling Device Registration Service.

    I'm about to order a new SSL certificate for my ADFS farm from the third party CA.

    We have a single-domain AD forest, mycompany.local. Our users' UPN suffix is @mycompany.local.

    In Active Directory Domains & Trusts there are no additional UPN suffixes added.

    In my design, the federation service name will be sts.mycompany.se, and it is registered in public DNS.

    I want to order an SSL certificate from a third-party CA. I don't want to use a wildcard certificate.

    I'm aware that there are requirements for the SSL certificate regarding Device Registration Service:

    https://technet.microsoft.com/en-us/library/dn614658(v=ws.11).aspx

    I know that the Subject Name of the SSL certificate must match the Federation Service Name.

    My question is about the correct value for the Subject Alternative Name in the SSL certificate:

    The TechNet article states that the certificate should contain the server name enterpriseregistration.<upnsuffix> for every UPN suffix used in the company. Should the Subject Alternative Name of the ADFS SSL certificate contain enterpriseregistration.mycompany.se OR enterpriseregistration.mycompany.local OR both?

    Thanks.

    • Edited by weedee Friday, June 9, 2017 7:59 AM
    Friday, June 9, 2017 7:36 AM

Answers

  • You can change the UPN to something routable. You can add an alternative UPN suffix to your AD forest and configure your users to use it.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by weedee Friday, July 14, 2017 8:26 AM
    Thursday, June 15, 2017 1:30 PM
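    A worked example of the approach in the accepted answer, added here and not taken from the thread or from Microsoft: add a routable UPN suffix to the forest, move the users onto it, and then check that the ADFS SSL certificate's SAN carries enterpriseregistration.<suffix> for every UPN suffix still in use plus the federation service name. The names mycompany.local, mycompany.se and sts.mycompany.se are the ones from the thread; the certificate thumbprint is a placeholder to be replaced.

    ```powershell
    # Added example, not from the original thread. Needs the ActiveDirectory (RSAT)
    # module, Enterprise Admin rights for the forest change, and a test run with -WhatIf.
    Import-Module ActiveDirectory

    $forest         = 'mycompany.local'   # existing, non-routable suffix (from the thread)
    $routableSuffix = 'mycompany.se'      # routable suffix to add (from the thread)
    $federationName = 'sts.mycompany.se'  # Federation Service name (from the thread)
    $thumbprint     = 'THUMBPRINT_PLACEHOLDER'  # placeholder: thumbprint of the ADFS SSL cert

    # 1. Register the routable UPN suffix on the forest (what the accepted answer describes).
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routableSuffix }

    # 2. Move users from @mycompany.local to @mycompany.se, keeping the prefix unchanged.
    Get-ADUser -Filter "UserPrincipalName -like '*@$forest'" |
        ForEach-Object {
            $prefix = $_.UserPrincipalName.Split('@')[0]
            Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$routableSuffix"
        }

    # 3. Names the certificate must carry for DRS: the federation service name plus
    #    enterpriseregistration.<suffix> for every suffix still assigned to a user.
    #    Any account left on mycompany.local shows up here as a name no public CA will sign.
    $suffixesInUse = Get-ADUser -Filter * -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object { $_.UserPrincipalName.Split('@')[1] } | Sort-Object -Unique
    $required = @($federationName) + @($suffixesInUse | ForEach-Object { "enterpriseregistration.$_" })

    # 4. Read the DNS names out of the SAN extension (OID 2.5.29.17) of the installed certificate.
    $cert   = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = ($sanExt.Format($false) -split ',') |
            ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() }
    }

    # 5. Report every required name the SAN does not cover.
    $missing = $required | Where-Object { $sanNames -notcontains $_ }
    if ($missing) {
        Write-Warning "SAN is missing: $($missing -join ', ')"
    } else {
        Write-Host "Certificate SAN covers all DRS names: $($required -join ', ')"
    }
    ```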

All replies

  • You will not find a certificate provider signing off a public certificate containing a SAN for a non public TLD (.local).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 9, 2017 2:01 PM
  • Hello Pierre,

    That's a good point. But, now I'm confused.

    The TechNet article states: "You must include one server name for every userPrincipalName (UPN) suffix in use at your company in the format of enterpriseregistration.<upnsuffix>"

    UPN suffix of our users is @mycompany.local. If enterpriseregistration.mycompany.local is not a valid entry to SAN field of the certificate, what is my option?

    Monday, June 12, 2017 6:45 AM
  • I suppose there are quite a number of AD domains where users have a non-routable UPN only. How have people resolved this?
    Wednesday, June 14, 2017 6:42 AM