Solved

Setting up AD FS with SSL cert

Posted on 2013-12-10
983 Views
Last Modified: 2013-12-12
Hi All

We need to set up an AD FS solution to connect to a 3rd party we use for email archiving, to allow SSO.

We have a 2008 domain where one of the DCs is also a root CA, which I have been told we must use :(

I am struggling to understand how we create the certificate. I followed a guide to copy a Web Server template and gave it a unique name in Certificate Services on our CA.

Next I think I need to get a certificate on the server we are installing AD FS on. The guide said to import it as a user certificate, but when I tried that the template was unavailable. Does this need to be a computer certificate?

After we have configured this, I guess we then need to export our root certificate and provide it to the 3rd party so they trust our cert. How do I do that?

Any help will be gratefully received

Thanks
0
Question by:ncomper
4 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39709826
You require a Server Authentication (X.509) SSL certificate; user certificates are not required.
First you need to decide whether you require a public SSL certificate or an internal CA SSL certificate.

If you are publishing your ADFS server on the internet, then it is recommended to have a public SSL certificate.
You can use an SSL certificate from an internal CA server, but in that case your root CA certificate must be installed on all client computers and servers that are going to access your ADFS server. Hence it is not recommended.

The certificate Common Name must be set to your ADFS service name FQDN.
For example: adfs.domain.com

You can use the IIS console to generate an SSL certificate request for your internal CA or for an external public CA.
Navigate to Server Certificates in the IIS console to follow the certificate request wizard.
In the wizard there is an option to generate the certificate from an internal online CA, or to generate a new certificate request (.req) file and get the certificate from an external public CA.

Alternatively, if you have an enterprise root CA, then it has certificate templates. You need to duplicate the existing Web Server template and grant Read and Enroll permissions to the ADFS server account on that template, so that you can request the SSL certificate from the internal CA.

http://msmvps.com/blogs/acefekay/archive/2012/02/21/iis-7-amp-iis-7-5-how-to-create-an-ssl-certificate-request.aspx
http://www.youtube.com/watch?v=I8gLSt4O8nI

Mahesh
0
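As an added example (not from the thread), the request described above done with certreq instead of the IIS wizard: a machine-keyed Server Authentication certificate with the Common Name and SAN set to the AD FS service FQDN, submitted against the duplicated template, then checked in the computer store. The template name "ADFSWebServer", the FQDN adfs.domain.com, the CA config string "DC01.domain.com\domain-DC01-CA" and the working folder are assumptions.

```powershell
# Added example, not from the thread. Assumed values below; adjust to your environment.
$Fqdn     = 'adfs.domain.com'                  # AD FS service name (certificate CN)
$Template = 'ADFSWebServer'                    # duplicated Web Server template name
$CaConfig = 'DC01.domain.com\domain-DC01-CA'   # "CAHost\CAName" of the enterprise CA
$Work     = 'C:\Temp\adfs-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
# certreq INF: machine key (not a user certificate), 2048-bit RSA, Server
# Authentication EKU, CN and SAN both set to the AD FS service name.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII
# Generate the CSR, submit it to the CA, install the issued certificate.
# The submitting account needs Read + Enroll on the template.
certreq -new "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\adfs.cer"
certreq -accept "$Work\adfs.cer"
# Verify: cert is in the computer store with its private key, carries the
# Server Authentication EKU, and the name resolves (should be the AD FS host).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Private key not present in the computer store' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Missing Server Authentication EKU' }
$resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
"Issued by {0}, thumbprint {1}, {2} resolves to {3}" -f $cert.Issuer, $cert.Thumbprint, $Fqdn, ($resolved -join ',')
```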
 
LVL 5

Author Comment

by:ncomper
ID: 39711315
Hi Mahesh

Thanks for your reply

The provider stated they will accept our internal cert, so we will need to export our root CA's cert. How do I do that?

Also, in regards to the FQDN for the cert, do I need to ensure that this resolves to the IP of our AD FS server or a domain controller?

Thanks
0
 
LVL 37

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39711902
You need to go to the root CA console, and from there you can export the root CA certificate without the private key, which can be imported later.

Check the URLs below:
http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_Exporting_certificate_Active_Directory_server.html

http://support.microsoft.com/kb/555252

The certificate Common Name (issued to) should resolve to your ADFS service FQDN, not a domain controller.

Mahesh
0
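As an added example (not from the thread), the export step above scripted so the file handed to the provider is provably the public root certificate only: it pulls the enterprise root from the Trusted Root store, writes DER and Base64 copies, and reloads the file to confirm it holds no private key. The CA subject filter "*Root CA*" and the output folder are assumptions.

```powershell
# Added example, not from the thread. Assumed: the CA subject contains "Root CA".
$Out = 'C:\Temp\rootca'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Option A, run on the CA itself: certutil writes the CA's own certificate (DER).
# certutil -ca.cert "$Out\rootca-from-ca.cer"

# Option B, run on any domain-joined machine: the enterprise root cert is already
# in the Trusted Root store; pick the self-signed (Subject == Issuer) entry.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like '*Root CA*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca) { throw 'Root CA certificate not found in LocalMachine\Root' }

# Export(Cert) emits DER containing the public certificate only; a private key
# cannot leak this way, unlike a .pfx export. Works on 2008 without the PKI module.
$der = "$Out\rootca.cer"
[System.IO.File]::WriteAllBytes($der,
    $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Many third parties want Base64 (PEM); certutil -encode wraps the DER file.
certutil -encode $der "$Out\rootca.pem" | Out-Null

# Verify what is about to be handed over: the file loads as a CA certificate,
# carries no private key, and matches the store copy's thumbprint.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($der)
if ($check.HasPrivateKey) { throw 'Exported file contains a private key; do not send it' }
if ($check.Thumbprint -ne $ca.Thumbprint) { throw 'Thumbprint mismatch between file and store' }
$bc = $check.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
"{0}  CA={1}  expires {2}  thumbprint {3}" -f $check.Subject, $bc.CertificateAuthority, $check.NotAfter, $check.Thumbprint
```

Send the provider the .cer or .pem produced here; the thumbprint printed at the end is what they can confirm back to you out of band.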
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39713501
Excellent, Thanks for your help
0
