Solved

Setting up AD FS with SSL cert

Posted on 2013-12-10
1,004 Views
Last Modified: 2013-12-12
Hi All

We need to set up an AD FS solution to connect to a 3rd party we use for email archiving to allow SSO.

We have a 2008 domain, and one of the DCs is also a root CA, which I have been told we must use :(

I am struggling to understand how we create the certificate. I followed a guide to copy a Web Server template and gave it a unique name in Certificate Services on our CA.

Next I think I need to get a certificate on the server we are installing AD FS on. The guide said to import it as a user certificate, but when I tried that the template was unavailable. Does this need to be a computer certificate?

After we have configured this, I guess we then need to export our root certificate and provide it to the 3rd party so they trust our cert. How do I do that?

Any help will be gratefully received.

Thanks
Question by:ncomper
4 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39709826
You require a Server Authentication (X.509) SSL certificate; user certificates are not required.
1st you need to decide if you require a public SSL certificate or an internal CA SSL certificate.

If you are publishing your ADFS server on the internet, then it's recommended to have a public SSL certificate.
You can use an SSL certificate from an internal CA server, but in that case your root CA server certificate must be installed on all client computers and servers that are going to access your ADFS server. Hence it is not recommended.

The certificate Common Name must be set to your ADFS service name FQDN.
For ex: adfs.domain.com

You can use the IIS console to generate an SSL certificate request for your internal CA or for an external public CA.
You can navigate to Server Certificates in the IIS console to follow the certificate request wizard.
In the wizard there is an option if you want to generate the certificate from an internal online CA, or if you want to generate a new certificate request (.req) file and get the certificate from an external public CA.

Alternatively, if you have an enterprise root CA, then it has certificate templates: you need to duplicate the existing Web Server template and provide Read and Enrol permissions to the ADFS server account on that template so that you can request the SSL certificate from the internal CA.

http://msmvps.com/blogs/acefekay/archive/2012/02/21/iis-7-amp-iis-7-5-how-to-create-an-ssl-certificate-request.aspx
http://www.youtube.com/watch?v=I8gLSt4O8nI

Mahesh
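The procedure in the comment above (a duplicated Web Server template, Enrol rights for the AD FS server's computer account, a Server Authentication certificate with the AD FS service FQDN as its Common Name) can be driven from the AD FS server itself with certreq. The script below is an added example, not code from the thread or from Microsoft; the template name ADFSWebServer, the CA config string CA01.domain.com\Contoso Root CA and the working directory are assumptions, while adfs.domain.com is the FQDN used in the comment. Setting MachineKeySet to TRUE is what makes this a computer certificate, which is why requesting it in a user context shows no such template.

```powershell
# Added example (not from the original thread): request a Server Authentication
# certificate for the AD FS service name from an internal enterprise CA using certreq,
# then verify the issued certificate before binding it to AD FS.
# Assumptions (not stated on the page): the duplicated template is published as
# "ADFSWebServer", the CA config string is "CA01.domain.com\Contoso Root CA",
# and the AD FS service FQDN is adfs.domain.com.

$ServiceFqdn = 'adfs.domain.com'
$Template    = 'ADFSWebServer'                     # assumed template name
$CaConfig    = 'CA01.domain.com\Contoso Root CA'   # assumed "<CA host>\<CA name>"
$WorkDir     = Join-Path $env:TEMP 'adfs-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# MachineKeySet = TRUE puts the key in the computer store, which is why the
# template must grant Enrol to the AD FS server's computer account and why
# requesting it as a user certificate fails. KeyUsage 0xA0 = digitalSignature
# + keyEncipherment; the EKU OID is Server Authentication.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServiceFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServiceFqdn&"

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir 'adfs.inf'
$reqPath = Join-Path $WorkDir 'adfs.req'
$cerPath = Join-Path $WorkDir 'adfs.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the request, submit it to the online enterprise CA, and install the result
# into LocalMachine\My, joined to the private key created by certreq -new.
certreq -new $infPath $reqPath
certreq -submit -config $CaConfig $reqPath $cerPath
certreq -accept $cerPath

# Verify: find the newest cert with that subject in the computer store, then check
# that it has a private key, carries the Server Authentication EKU and is valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServiceFqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$ServiceFqdn in LocalMachine\My" }

$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = [bool]$hasServerAuth
    DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
}
```

Run it in an elevated PowerShell session on the AD FS server so that certreq can write to the computer key store. If the final object shows HasPrivateKey as False or ServerAuthEKU as False, the certificate was issued from the wrong template or accepted on a different machine than the one that generated the request, and it should not be bound to AD FS.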
 
LVL 5

Author Comment

by:ncomper
ID: 39711315
Hi Mahesh

Thanks for your reply

The provider stated they will accept our internal cert, so I will need to export our root CA's cert. How do I do that?

Also, in regards to the FQDN for the cert, do I need to ensure that this resolves to the IP of our AD FS server or a domain controller?

Thanks
 
LVL 38

Accepted Solution

by:Mahesh (earned 2000 total points)
ID: 39711902
You need to go to the root CA console, and from there you can export the root CA certificate without the private key, which can be imported later.

Check the URLs below:
http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_Exporting_certificate_Active_Directory_server.html

http://support.microsoft.com/kb/555252

Certificate Common name (issued to) should resolve to your ADFS service FQDN, not domain controller.

Mahesh
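The two points in the accepted answer, exporting the root CA certificate without its private key and making sure the Common Name resolves to the AD FS service rather than a domain controller, can both be checked from any domain-joined machine. The script below is an added example and not code from the thread; it assumes the root CA's common name is "Contoso Root CA" (a placeholder) and reuses adfs.domain.com from earlier in the thread. It exports only the public certificate in DER form, proves the file carries no key material, and flags the case where the AD FS name points at a DC address.

```powershell
# Added example (not from the original thread): export the root CA certificate
# as a public-only DER .cer for the third party, prove the file carries no private
# key, and check that the AD FS service name resolves to the AD FS host rather
# than to a domain controller.
# Assumptions (not stated on the page): the root CA's subject contains
# "Contoso Root CA" and the AD FS service FQDN is adfs.domain.com.

$RootCaName  = 'Contoso Root CA'    # assumed CA common name
$ServiceFqdn = 'adfs.domain.com'
$OutFile     = Join-Path $env:TEMP 'root-ca.cer'

# Every domain member that trusts the CA already holds its certificate in
# LocalMachine\Root; exporting from there never touches the CA's private key.
# The Subject -eq Issuer test keeps only the self-signed root, not intermediates.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$RootCaName*" -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA certificate '$RootCaName' not found in LocalMachine\Root" }

# X509ContentType::Cert writes only the certificate (DER), never a PFX with key material.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Reload the file and confirm it matches the store copy and has no private key attached.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($check.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
if ($check.Thumbprint -ne $root.Thumbprint) { throw 'Exported certificate does not match the store copy' }

# DNS check: the AD FS name should resolve to the AD FS server, not a DC. Domain
# controllers register A records for the domain's own name, so resolving
# $env:USERDNSDOMAIN yields DC addresses to compare against.
$adfsIps = [System.Net.Dns]::GetHostAddresses($ServiceFqdn)        | ForEach-Object { $_.IPAddressToString }
$dcIps   = [System.Net.Dns]::GetHostAddresses($env:USERDNSDOMAIN)  | ForEach-Object { $_.IPAddressToString }
$overlap = $adfsIps | Where-Object { $dcIps -contains $_ }

[pscustomobject]@{
    ExportedFile   = $OutFile
    RootSubject    = $check.Subject
    Thumbprint     = $check.Thumbprint
    HasPrivateKey  = $check.HasPrivateKey
    AdfsResolvesTo = ($adfsIps -join ', ')
    PointsAtDC     = [bool]$overlap
}
```

Send the third party the .cer file only; a PFX export of the root CA would hand over the key that signs every certificate in the domain. PointsAtDC being True means the AD FS FQDN currently resolves to a domain controller, which is the situation the accepted answer says to avoid: the name should be an A record (or a CNAME) for the AD FS server or its load balancer.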
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39713501
Excellent, thanks for your help.