Solved

Setting up AD FS with SSL cert

Posted on 2013-12-10
Last Modified: 2013-12-12
Hi All

We need to set up an AD FS solution to connect to a 3rd party we use for email archiving, to allow SSO.

We have a 2008 domain where one of the DCs is also a root CA, which I have been told we must use :(

I am struggling to understand how we create the certificate. I followed a guide to copy a Web Server template and gave it a unique name in Certificate Services on our CA.

Next I think I need to get a certificate on the server we are installing AD FS on. The guide said to import it as a user certificate, but when I tried that the template was unavailable. Does this need to be a computer certificate?

After we have configured this, I guess we then need to export our root certificate and provide it to the 3rd party so they trust our cert. How do I do that?

Any help will be gratefully received

Thanks
Question by:ncomper
4 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39709826
You require Server Authentication (X.509) SSL certificates; user certificates are not required.
First you need to decide whether you require a public SSL certificate or an internal CA SSL certificate.

If you are publishing your ADFS server on the internet, then it's recommended to have a public SSL certificate.
You can use an SSL certificate from an internal CA server, but in that case your root CA server certificate must be installed on all client computers and servers that are going to access your ADFS server. Hence it is not recommended.

The certificate Common Name must be set to your ADFS service name FQDN,
for example: adfs.domain.com

You can use the IIS console to generate an SSL certificate request for your internal CA or for an external public CA.
Navigate to Server Certificates in the IIS console to follow the certificate request wizard.
In the wizard there is an option for generating the certificate from an internal online CA, or for generating a new certificate request (.req) file and getting the certificate from an external public CA.

Alternatively, if you have an enterprise root CA, then it has certificate templates. You need to duplicate the existing Web Server template and provide Read and Enroll permissions to the ADFS server account on that template, so that you can request an SSL certificate from the internal CA.

http://msmvps.com/blogs/acefekay/archive/2012/02/21/iis-7-amp-iis-7-5-how-to-create-an-ssl-certificate-request.aspx
http://www.youtube.com/watch?v=I8gLSt4O8nI

Mahesh
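As an added example (not from the thread or from Mahesh), the following PowerShell shows the enrolment step as a computer certificate against the duplicated Web Server template, using certreq so that the key is created in the machine context rather than the user context. The template name ADFSWebServer, the service FQDN adfs.domain.com and the CA config string CASERVER.domain.com\Domain-Root-CA are placeholders.

```powershell
# Added example, not part of the original thread. Requests the AD FS SSL certificate from the
# internal enterprise CA as a COMPUTER certificate (MachineKeySet = TRUE) via the duplicated
# Web Server template. Hypothetical values: template ADFSWebServer, FQDN adfs.domain.com,
# CA config "CASERVER.domain.com\Domain-Root-CA" (certutil -dump shows the real string).
# Run from an elevated prompt on the AD FS server.
$ServiceFqdn  = 'adfs.domain.com'
$TemplateName = 'ADFSWebServer'
$CaConfig     = 'CASERVER.domain.com\Domain-Root-CA'
$Work         = 'C:\ADFS-Cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Request file. MachineKeySet = TRUE places the key in the computer context; a user-context
# enrolment cannot see a machine-only Web Server template, which is why it looked "unavailable".
@"
[NewRequest]
Subject = "CN=$ServiceFqdn"
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
[RequestAttributes]
CertificateTemplate = $TemplateName
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServiceFqdn&"
"@ | Set-Content -Path "$Work\adfs.inf" -Encoding ASCII

certreq -new    "$Work\adfs.inf" "$Work\adfs.req"                     # create key + CSR
certreq -submit -config $CaConfig "$Work\adfs.req" "$Work\adfs.cer"  # issue from the CA
certreq -accept "$Work\adfs.cer"                                      # bind cert to the machine key

# Verify: CN is the service FQDN, private key is attached, Server Authentication EKU is present.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServiceFqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$ok = $cert.HasPrivateKey -and
      ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
"Thumbprint: $($cert.Thumbprint)  usable as AD FS service certificate: $ok"
```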
 
LVL 5

Author Comment

by:ncomper
ID: 39711315
Hi Mahesh

Thanks for your reply

The provider stated they will accept our internal cert, so I will need to export our root CA's cert. How do I do that?

Also, in regards to the FQDN for the cert, do I need to ensure that this resolves to the IP of our AD FS server or a domain controller?

Thanks
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39711902
You need to go to the root CA console, and from there you can export the root CA certificate without the private key, which can be imported later.

Check the URLs below:
http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_Exporting_certificate_Active_Directory_server.html

http://support.microsoft.com/kb/555252

The certificate Common Name (Issued To) should resolve to your ADFS service FQDN, not a domain controller.

Mahesh
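As an added example (not from the thread), this PowerShell does the two things the accepted solution describes: it exports the root CA certificate without its private key for hand-over to the third party, checks the exported file really is a key-less self-signed root, and confirms the service FQDN resolves to the AD FS host rather than a domain controller. The CA config string, the FQDN adfs.domain.com and the host name ADFS01.domain.com are placeholders.

```powershell
# Added example, not part of the original thread. Hypothetical values: CA config
# "CASERVER.domain.com\Domain-Root-CA", service FQDN adfs.domain.com, AD FS host ADFS01.domain.com.
# Run on any domain-joined machine with the DnsClient module (Windows 8 / Server 2012 or later).
$CaConfig    = 'CASERVER.domain.com\Domain-Root-CA'
$ServiceFqdn = 'adfs.domain.com'
$AdfsHost    = 'ADFS01.domain.com'
$OutFile     = 'C:\ADFS-Cert\Domain-Root-CA.cer'
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# Pull the CA's own certificate straight from the CA. A .cer written this way is the public
# certificate only; the CA private key never leaves the CA (only a PFX/backup would carry it).
certutil -config $CaConfig -ca.cert $OutFile | Out-Null

# Sanity-check the file before sending it to the provider.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
if ($exported.HasPrivateKey)                { throw 'Private key present: do NOT send this file' }
if ($exported.Subject -ne $exported.Issuer) { throw 'Not a self-signed root certificate' }
if ($exported.NotAfter -lt (Get-Date))      { throw 'Root certificate has expired' }
"Root CA: $($exported.Subject)  SHA1: $($exported.Thumbprint)  valid until $($exported.NotAfter)"

# The certificate CN (the service FQDN) must resolve to the AD FS server, not a DC.
$adfsIp = (Resolve-DnsName $AdfsHost    -Type A | Where-Object { $_.IPAddress }).IPAddress
$cnIp   = (Resolve-DnsName $ServiceFqdn -Type A | Where-Object { $_.IPAddress }).IPAddress
$wrong  = $cnIp | Where-Object { $adfsIp -notcontains $_ }
if ($wrong) {
    Write-Warning "$ServiceFqdn resolves to $($wrong -join ', '), not the AD FS host ($($adfsIp -join ', '))"
} else {
    "$ServiceFqdn correctly resolves to the AD FS host ($($adfsIp -join ', '))"
}
```

The same root .cer can be given to the archiving provider and, if internal clients will also use the service, published to their Trusted Root store via Group Policy.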
 
LVL 5

Author Closing Comment

by:ncomper
ID: 39713501
Excellent, thanks for your help.
