Forefront UAG, AD FS and Sharepoint

  • Question

  • I would really appreciate it if someone could take the time to verify that the following solution is possible.

    There are three domains in the solution:

    • Users
    • AD FS server (abclogon.domain.com) (*.domain.com-wildcard certificate)
    • Sharepoint (search.domain.com, myself.domain.com) (*.domain.com-wildcard certificate)
    • Users
    • AD FS server (deflogon.domain.com) (*.domain.com-wildcard certificate)

    We use one UAG server to publish the 2 AD FS and the SharePoint solution.

    • Will there be any challenges if one UAG publishes the 2 AD FS solutions and the Sharepoint trunk, with the 2 AD FS trunks set up in UAG as authentication servers?
    • Are there challenges if we use the same wildcard certificate for all UAG trunks (and Sharepoint/AD FS)?
    • Should we avoid using the same wildcard certificate for token-signing? Why?

    Regards, Kenneth

    Thursday, September 15, 2011 9:57 AM

All replies

  • Kenneth-

    You won't be able to use UAG to publish 2 ADFS servers; when using ADFS 2.0 authN/authZ on a portal trunk, you're limited to ONLY that instance --- you can't add another ADFS server, AD, etc.

    You shouldn't have a problem using a wildcard cert on UAG.

    You probably CAN use a wildcard cert for token signing (I've never tried), but it's considered bad key hygiene.

    Monday, September 19, 2011 2:17 AM
  • Kenneth, as DOM_LMCO points out only one AD FS 2.0 instance can be configured for a portal trunk. There is also a limitation that a single AD FS 2.0 instance can only be used by one single UAG trunk. A different UAG trunk would need another AD FS 2.0 instance.

    In your example it would seem you need a third AD FS 2.0 instance for the "resource organization", to be configured as authentication method on the Sharepoint trunk.

    This AD FS 2.0 instance would need a federation trust relationship with the 2 other AD FS 2.0 instances where the users are. The AD FS instance for the Sharepoint resource would be configured as a relying party for the 2 other "account organization" AD FS 2.0 instances. They will be added as trusted claims providers on the third AD FS 2.0 instance.

    As for the certificates, other than following the usual certificate trust parameters such as Common Name, CRL, trust chain and more, I would not see any configuration problems with that.

    Monday, September 19, 2011 8:54 PM
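A quick way to check the token-signing key hygiene point raised in the replies above, as an added example (not code from either poster): it lists the AD FS 2.0 service certificates through the AD FS PowerShell snap-in and flags any token-signing or token-decrypting certificate that has a wildcard subject or shares its thumbprint with a certificate bound to an IIS HTTPS listener on the same box. It assumes it runs on the AD FS 2.0 server with the Microsoft.Adfs.PowerShell snap-in and the WebAdministration module available; the function name Test-AdfsCertificateHygiene is made up here.

```powershell
# Added example: audit AD FS 2.0 token-signing/decrypting certificates for wildcard reuse.
# Assumes the Microsoft.Adfs.PowerShell snap-in and WebAdministration module are installed.
function Test-AdfsCertificateHygiene {
    if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }

    # Thumbprints of certificates currently used for HTTPS in IIS (the SSL/UAG-facing side).
    $sslThumbprints = @()
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    if (Test-Path 'IIS:\SslBindings') {
        $sslThumbprints = Get-ChildItem 'IIS:\SslBindings' |
            ForEach-Object { $_.Thumbprint.ToUpperInvariant() }
    }

    # Only the keys that sign or decrypt tokens matter for key hygiene here.
    $types = @('Token-Signing', 'Token-Decrypting')
    $results = @()
    foreach ($svc in (Get-ADFSCertificate | Where-Object { $types -contains $_.CertificateType })) {
        $cert = $svc.Certificate
        $thumb = $cert.Thumbprint.ToUpperInvariant()
        $findings = @()

        # A wildcard subject (CN=*.domain.com) means one key also serves TLS for every host.
        if ($cert.Subject -match 'CN=\*\.') { $findings += 'wildcard subject' }

        # The same key serving both TLS and token signing widens the blast radius of a key compromise.
        if ($sslThumbprints -contains $thumb) { $findings += 'also bound as IIS SSL certificate' }

        $results += New-Object PSObject -Property @{
            CertificateType = $svc.CertificateType
            IsPrimary       = $svc.IsPrimary
            Subject         = $cert.Subject
            Thumbprint      = $thumb
            NotAfter        = $cert.NotAfter
            Findings        = ($findings -join '; ')
        }
    }
    return $results
}

# Usage on the AD FS server: any row with a non-empty Findings column deserves a dedicated certificate.
Test-AdfsCertificateHygiene | Format-Table CertificateType, IsPrimary, Subject, Findings -AutoSize
```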