Client Certificates with ADFS 2.1


    Aloha all.  My first forum post here.

    I have a rather simple request: is there some prescriptive guidance on how to set up client certificates on ADFS 2.1?

    My infrastructure involves a small SharePoint 2013 farm.  We have a single front end server that is using ADFS 2.1 for authentication services.  All servers are Windows 2012.

    ADFS was set up per a TechNet article, and works fine with Windows Auth.

    I did the following to enable client certificates:

    • Used the guidance on this article (https://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-the-local-authentication-type.aspx) to enable client certificates as the primary authentication method for ADFS.
    • Enabled client certificates on the IIS server via the Authentication icon.

    The authentication request would redirect to ADFS from SharePoint during login.  The certificate selector would pop up from the web browser and I could choose a cert, but after that I would get a 403.16 error.  I went through some cleanup of certificates in the root store per guidance I found online.  I also tried to enable certificate mapping on each level of the IIS hierarchy: Default Web Site, ADFS Application, and LS Application.  All to no avail.

    There must be some standard guidance on how to implement smart cards with ADFS.  According to Microsoft this is the only supported method for doing client certificates with Microsoft products. See https://docs.microsoft.com/en-us/sharepoint/install/configure-client-certificate-authentication.

    Finally, we do have client certificates working with SharePoint 2007 on Windows Server 2003.  So we know our infrastructure supports smart cards. It is just the ADFS part that we need to get working.

    Any assistance is appreciated.

    Chris


    CJW


    Edited by CJW1 Friday, November 30, 2018 5:38 AM
    Friday, November 30, 2018 4:44 AM
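
The post above stops at the 403.16 symptom. The PowerShell below is an added diagnostic, not code from the poster or from Microsoft's guidance, written for an IIS-hosted AD FS 2.x server (Windows Server 2012). It covers the checks a practitioner would run in this situation: whether the Local Computer Trusted Root store contains non-self-signed entries (a well-known cause of "403.16 Client certificate is untrusted or invalid"), whether a given smart-card certificate chains and revocation-checks on the server with the Client Authentication EKU, whether the sslclient page in IIS actually negotiates or requires a client certificate, and which requests in the IIS log failed with 403 16. The IIS path `IIS:\Sites\Default Web Site\adfs\ls\auth\sslclient` and the log directory `C:\inetpub\logs\LogFiles\W3SVC1` are assumptions based on the TechNet wiki layout and IIS defaults; the `.cer` file path is whatever you export the user's public certificate to.

```powershell
# Added example, not from the original post: checks for a 403.16 after the certificate
# picker on an IIS-hosted AD FS 2.x server. Lines marked ASSUMPTION may differ per farm.

# 1. Trusted Root store hygiene. SChannel builds the client chain against
#    Cert:\LocalMachine\Root; any entry there that is not self-signed (Subject != Issuer)
#    is a known cause of 403.16 and belongs in the Intermediate CA store instead.
function Get-NonRootCertsInRootStore {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

# 2. Chain-build one exported client certificate (public part only, a .cer file) the way
#    the server will, with online revocation checking and the Client Authentication EKU.
function Test-ClientCertChain {
    param([Parameter(Mandatory)][string]$CerPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $clientAuthEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    $chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku)

    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject  = $cert.Subject
        ChainOK  = $ok
        # Empty when the chain is good; otherwise e.g. UntrustedRoot, RevocationStatusUnknown
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Elements = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# 3. Confirm IIS asks for a certificate on the sslclient page. The returned sslFlags
#    should include SslNegotiateCert or SslRequireCert; plain "Ssl" means the picker can
#    appear elsewhere but this page never sees the certificate.
function Get-SslClientFlags {
    # ASSUMPTION: site and application path as in the TechNet wiki the poster followed.
    param([string]$PSPath = 'IIS:\Sites\Default Web Site\adfs\ls\auth\sslclient')

    Import-Module WebAdministration
    Get-WebConfigurationProperty -PSPath $PSPath `
        -Filter 'system.webServer/security/access' -Name sslFlags
}

# 4. Pull the failing requests out of the W3C log so client IP and time can be correlated.
#    In the default field order sc-status and sc-substatus are adjacent: "... 403 16 ...".
function Get-Iis403_16 {
    # ASSUMPTION: default log location for the Default Web Site.
    param([string]$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1')

    Get-ChildItem -Path $LogDir -Filter '*.log' |
        Select-String -Pattern ' 403 16 ' |
        ForEach-Object { $_.Line }
}

# Run the two checks that need no input first.
Get-NonRootCertsInRootStore | Format-Table -AutoSize
Get-SslClientFlags
# Then, with an exported smart-card certificate:
# Test-ClientCertChain -CerPath 'C:\temp\user.cer'
# Get-Iis403_16 | Select-Object -Last 20
```

Run it in an elevated PowerShell on the ADFS server itself, since the relevant stores and IIS configuration are local. If step 1 returns anything, move those certificates to `Cert:\LocalMachine\CA` and retry before changing anything else; if step 2 reports `RevocationStatusUnknown`, the server cannot reach the CRL or OCSP endpoints for the smart-card PKI, which also surfaces as 403.16.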