Solved

ADFS Queries

Posted on 2016-10-05
Medium Priority
105 Views
Last Modified: 2016-10-07
Hi,

We are implementing a new AD FS solution.

A question I have around the SSL cert is:
We have our main (internal) AD domain:
company.net
We also have subdomains:
usa.company.net
china.company.net
india.company.net

However, our users have e-mail addresses relating to their business rather than domain so email addresses will be:
user@businessa.com
user@businessb.com
user@businessc.com
user@businessd.com
user@businesse.com

The SSL certificate will be: sts.company.com (an external domain name)
Do I need to include any information relating to any of the above?

I'm thinking more around UPN/SAN information for the certificate.

Thanks,
Andy
0
Question by: Andy

3 Comments
 
Accepted Solution by: Adam Brown (LVL 43)
ID: 41830247
The certificate you use only needs to match the address used to access the server by any applications that will use it for authentication and users that will be logging in. So if the certificate is for sts.company.com, just make sure there is an A Record for sts.company.com in Public DNS. CN Validity is only authenticated by access to the server. Token signing and encryption don't require a specific CN to exist on the certificate used by those processes (nor do they require Root CA trust). If you want businessb.com to be able to access the ADFS server using sts.businessb.com, though, you'll need to make sure that shows up in the cert.

However, you'll probably want to use a different certificate for token signing and encryption of tokens with ADFS. I would only use the sts.company.com certificate for the HTTPS service on the ADFS server. It's usually acceptable to just let ADFS generate its own certificates for those purposes.
0
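An added example, not code from the thread or from Microsoft, that audits an existing AD FS farm against the two points in the accepted answer: the HTTPS certificate must carry every host name clients connect to (here only the federation service name, sts.company.com), and token-signing/token-decrypting certificates should be separate from the service-communications certificate. It assumes the ADFS PowerShell module on a Windows Server 2012 R2 or later farm node (Get-AdfsProperties, Get-AdfsSslCertificate, Get-AdfsCertificate); the Test-NameCovered and Get-CertDnsNames helpers are written here for the example. The script only reads configuration and changes nothing.

```powershell
<#
  Added example (not part of the original thread). Read-only audit of an
  AD FS farm's certificates against the accepted answer's advice.
  Assumes the ADFS module on Windows Server 2012 R2 or later.
#>
Import-Module ADFS -ErrorAction Stop

function Test-NameCovered {
    # $true when $HostName is one of the certificate's DNS names, honouring
    # a single-label wildcard such as *.company.com. (Helper written for
    # this example.)
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)              # ".company.com"
            $label  = $HostName.Split('.')[0]      # "sts"
            if ($HostName -ieq ($label + $suffix)) { return $true }
        }
    }
    return $false
}

function Get-CertDnsNames {
    # SAN dNSName entries; falls back to the subject CN for certificates
    # without a SAN extension. (Helper written for this example.)
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0 -and $Cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }
    return $names
}

$props       = Get-AdfsProperties
$serviceName = $props.HostName          # the name clients use, e.g. sts.company.com

# Only names that clients actually connect to belong on the HTTPS cert.
# Add sts.businessb.com etc. here only if you publish those names too.
$requiredNames = @($serviceName)
Write-Host "Federation service name: $serviceName"

# --- (1) HTTPS binding certificate: every required name must be covered ---
$sslHashes = @()
foreach ($b in Get-AdfsSslCertificate) {
    $sslHashes += $b.CertificateHash
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($b.CertificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($b.HostName):$($b.PortNumber) references thumbprint $($b.CertificateHash), not found in LocalMachine\My"
        continue
    }
    $names = Get-CertDnsNames -Cert $cert
    Write-Host "Binding $($b.HostName):$($b.PortNumber) -> $($cert.Subject), expires $($cert.NotAfter.ToShortDateString())"
    Write-Host "  DNS names on certificate: $($names -join ', ')"
    foreach ($r in $requiredNames) {
        if (Test-NameCovered -HostName $r -CertNames $names) { Write-Host "  OK   $r is covered" }
        else { Write-Warning "  MISSING: $r is not in the certificate's SAN/CN" }
    }
}

# --- (2) Token-signing / token-decrypting certificates ---------------------
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $role = if ($c.IsPrimary) { 'primary' } else { 'secondary' }
        $days = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
        Write-Host "$type ($role): $($c.Certificate.Subject), $days days remaining"
        if ($sslHashes -contains $c.Thumbprint) {
            Write-Warning "  $type reuses the HTTPS certificate; a separate, AD FS-generated certificate is preferable"
        }
        if ($days -lt 30) { Write-Warning "  $type certificate expires in under 30 days" }
    }
}

# Rollover settings. A 3-year lifetime for the self-signed certificates, as
# planned in the follow-up comment, corresponds to
#   Set-AdfsProperties -CertificateDuration 1095
# followed by Update-AdfsCertificate to regenerate (neither is run here).
Write-Host "AutoCertificateRollover : $($props.AutoCertificateRollover)"
Write-Host "CertificateDuration     : $($props.CertificateDuration) days"
```

Run it as an AD FS administrator on a farm node. Two caveats worth keeping in mind: a wildcard certificate only matches one label, so *.company.com covers sts.company.com but not a host under a sub-zone; and regenerating the token-signing certificate (Update-AdfsCertificate, especially with -Urgent) changes the key that relying parties trust, so each SaaS provider must refresh your federation metadata before you promote the new certificate.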
Author Comment by: Andy (LVL 7)
ID: 41831264
Thanks Adam,

We'll only use the sts.company.com URL for all users to access globally.
We'll be using a public premium EV SSL certificate for service communications.
We'll use the self-signed certificates for token-signing/token-decryption and probably increase the lifetime to 3 years (or length of initial SaaS contract).
0
Author Closing Comment by: Andy (LVL 7)
ID: 41833133
Thanks for the assistance.
0