ADFS 3.0 - Signing certificate CRL check with HTTP Proxy to the internet

  • Question

  • Hello, 

    We have an ADFS 3.0 server, with a Claims Provider Trust configured. 
    The Claims Provider signs its tokens sent to this ADFS 3.0 server with a public certificate. The CRL of this certificate is also publicly available over HTTP.  

    However, when trying to perform the Certificate Revocation Check for this signature certificate, we notice that the ADFS 3.0 server is trying to get to the internet directly. Unfortunately, our company policy is that no device can have direct internet access, and all must pass through an HTTP proxy server. 
    We have the proxy local area network (LAN) settings configured in Internet Explorer on the ADFS 3.0 server, and can browse the internet without problems. However, network traces show that ADFS is still trying to go directly to the internet for its revocation checks. 

    Probably this is because the HTTP Proxy server is configured on a per-user setting. 
    While we are using a Group Managed Service Account for our ADFS implementation, we cannot easily log in with this service account on the ADFS server, and change the HTTP proxy configuration for the ADFS service account. 

    We know we can work around this problem via the following PowerShell cmdlet, but are really looking for a better solution and letting ADFS perform the CRL check. 

    Set-AdfsClaimsProviderTrust -TargetName "<IDP name>" -SigningCertificateRevocationCheck None


    What is the correct way to make ADFS 3.0 perform its certificate revocation checks via the proxy server to the internet? 

    Thanks!

    Tuesday, February 24, 2015 2:18 PM

Answers

  • Configure the proxy within the browser as you already did and run in an administrative cmd:

    netsh winhttp import proxy source=ie

    • Marked as answer by Bart Billiet Tuesday, February 24, 2015 3:25 PM
    Tuesday, February 24, 2015 2:47 PM
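    The accepted answer works because CryptoAPI revocation fetches from a service (here running under a gMSA) use the machine-wide WinHTTP proxy, not the per-user Internet Explorer setting. The following is an added example, not code from the thread, showing the full sequence an administrator would run in an elevated PowerShell on the ADFS server: inspect the WinHTTP proxy, import it from IE, verify, restart the service, and confirm the trust still has revocation checking enabled. The trust name "<IDP name>" is the placeholder from the question, and the explicit proxy address in the commented alternative is a constructed example.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell on the ADFS server.
# Assumptions: "<IDP name>" is the placeholder trust name from the question;
# proxy.corp.example:8080 in the commented alternative is a constructed value.

# 1. Show the current WinHTTP (machine/service) proxy. If this prints
#    "Direct access (no proxy server)", that is why ADFS, running as a gMSA,
#    goes straight to the internet even though IE on the same box uses the proxy.
netsh winhttp show proxy

# 2. Copy the proxy server and bypass list from the current user's IE settings
#    into the WinHTTP configuration that services use (the fix from the answer).
netsh winhttp import proxy source=ie

# Alternative to step 2 when the IE settings are not the source of truth:
# netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>;*.corp.example"

# 3. Verify the new machine-wide setting took effect.
netsh winhttp show proxy

# 4. WinHTTP reads the default proxy when a process opens its session, so restart
#    the federation service to make sure it picks the change up.
Restart-Service adfssrv

# 5. Confirm revocation checking is still on for the trust. Valid values include
#    None, CheckEndCert, CheckChain and CheckChainExcludeRoot (the default);
#    "None" is the workaround the question wants to avoid.
Get-AdfsClaimsProviderTrust -Name "<IDP name>" |
    Select-Object Name, SigningCertificateRevocationCheck

# If someone already set it to None while troubleshooting, restore the default:
# Set-AdfsClaimsProviderTrust -TargetName "<IDP name>" -SigningCertificateRevocationCheck CheckChainExcludeRoot
```

    After step 5, a failed CRL fetch will again surface as a token-validation error in the AD FS Admin event log rather than being silently skipped, which is the behaviour to want: a signing certificate whose revocation status cannot be determined should not be trusted by default.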

All replies

  • If the proxy is doing authentication, you'll need to whitelist the URL to the CDP/AIA of the issued certificate, otherwise this will continue to fail. As you've intimated, turning off certificate revocation checking is paying lip service to a company policy that denies access to the Internet. If proxy bypass is not possible, it might be time to update the company policy :-)

    http://blog.auth360.net

    Tuesday, February 24, 2015 8:19 PM
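    The second reply points out that an authenticating proxy still blocks the service account, so the CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs of the signing certificate need to be allowed through unauthenticated. Finding those URLs by hand is error-prone, so here is an added example (not from the thread) that reads them from the trust's token-signing certificates and then tests the fetch through CryptoAPI with certutil, the same retrieval path ADFS uses. It assumes it is run on the ADFS server as a .ps1, that "<IDP name>" is the placeholder trust name from the question, and that certutil prints English output.

```powershell
# Added example (not from the original thread). Save as Get-TrustCrlUrls.ps1 and run on the ADFS server.
# Assumptions: "<IDP name>" is the placeholder from the question; the extension text
# parsed below is the English-language output of X509Extension.Format().
param([string]$TrustName = "<IDP name>")

$trust = Get-AdfsClaimsProviderTrust -Name $TrustName
if (-not $trust) { throw "Claims provider trust '$TrustName' not found" }

# A trust may carry more than one token-signing certificate (e.g. during a rollover),
# so collect the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs from all of them.
$urls = foreach ($cert in $trust.TokenSigningCertificates) {
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format($true) renders the extension as multi-line text with "URL=http://..." entries.
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
    }
}
$urls = $urls | Sort-Object -Unique

"CDP/AIA URLs to allow through the proxy without authentication for trust '$TrustName':"
$urls

# Test each certificate from this host. certutil -urlfetch drives CryptoAPI's
# CryptRetrieveObjectByUrl, so a failure here reproduces what ADFS sees when it
# cannot reach the CDP (proxy authentication, blocked URL, or no proxy at all).
foreach ($cert in $trust.TokenSigningCertificates) {
    $path = Join-Path $env:TEMP ("{0}.cer" -f $cert.Thumbprint)
    [IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
    "--- $($cert.Subject) ($($cert.Thumbprint)) ---"
    certutil -urlfetch -verify $path | Select-String -Pattern 'Verified|Failed|Error|Revocation'
    Remove-Item $path -ErrorAction SilentlyContinue
}
```

    Hand the printed URL list to whoever runs the proxy as the exact allow-list entries; keeping it to the CDP/AIA hosts rather than a blanket bypass keeps the "no direct internet access" policy intact while letting revocation checking actually run.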