Solved

Setting up AD FS with SSL cert

Posted on 2013-12-10
4
958 Views
Last Modified: 2013-12-12
Hi All

We need to setup an AD FS solution to connect to a 3rd party we use for email archiving to allow SSO,

We have an 2008 Domain with one of the DC's is also a root CA which i have been told we must use :(

I am struggling to understand how we create the certificate, I followed a guide to copy a Web server Template and given it a unique name in Certificate services on our CA,

Next i think i need to get a certificate on the server we are installing ADFS on, the guide said import as a user certificate but when i tried that the template was unavailable, does this need to be a Computer Certificate?

After we have configured this i guess then we need to export our root Certificate and provide it to the 3rd party so they trust our cert, how do i do that?

Any help will be gratefully received

Thanks
0
Comment
Question by:ncomper
  • 2
  • 2
4 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39709826
You require Server authentication (certificate (X.509) SSL certificates, user certificates are not required.
1st you need to decide if you require Public SSL certificate or Internal CA SSL certificate ?

If you are publishing your ADFS server on internet, then its recommended to have Public SSL certificate.
You can use SSL certificate from internal CA server, But in that case your root CA server certificate must be installed on all client computers and servers who are going to access your ADFS server. Hence it is not recommended

Certificate Common name must be set to your ADFS service name FQDN
For ex: adfs.domain.com

You can use IIS console to generate SSL certificate request from your internal CA or from external Public CA
You can navigate to Server Certificates in IIS console to follow certificate request wizard
In wizard there is option given if you wanted to generate certificate from internal online CA or if you want to generate new certificate request (.req) file and get the certificate from external public CA

Alternatively, If you have enterprise root CA, then it has got certificates templates, you need to duplicate existing Web Server template and need to provide read and enrol permissions to  ADFS server account on that template so that you can request SSL certificate from internal CA

http://msmvps.com/blogs/acefekay/archive/2012/02/21/iis-7-amp-iis-7-5-how-to-create-an-ssl-certificate-request.aspx
http://www.youtube.com/watch?v=I8gLSt4O8nI

Mahesh
0
 
LVL 5

Author Comment

by:ncomper
ID: 39711315
Hi Mahesh

Thanks for your reply

The provider stated they will accept our internal cert, so will need to export our root CA's cert, how do i do that?

Also in regards to the FQDN for the cert, do i need to ensure that this resolves to the IP of our AD FS server or a Domain controller

Thanks
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39711902
You need to go to root ca console and from there you can export root ca certificate without private key which can be imported later.

Check below URL
http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_Exporting_certificate_Active_Directory_server.html

http://support.microsoft.com/kb/555252

Certificate Common name (issued to) should resolve to your ADFS service FQDN, not domain controller.

Mahesh
0
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39713501
Excellent, Thanks for your help
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now