Solved

ADFS Queries

Posted on 2016-10-05
81 Views
Last Modified: 2016-10-07
Hi,

We are implementing a new AD FS solution.

A question I have around the SSL cert is:
We have our main (internal) AD domain:
company.net
We also have subdomains:
usa.company.net
china.company.net
india.company.net

However, our users have e-mail addresses relating to their business rather than domain, so email addresses will be:
user@businessa.com
user@businessb.com
user@businessc.com
user@businessd.com
user@businesse.com

The SSL certificate will be: sts.company.com (an external domain name)
Do I need to include any information relating to any of the above?

I'm thinking more around UPN/SAN information for the certificate.

Thanks,
Andy
Question by:Andy
3 Comments
Accepted Solution by: Adam Brown (earned 500 total points)
ID: 41830247
The certificate you use only needs to match the address used to access the server by any applications that will use it for authentication and users that will be logging in. So if the certificate is for sts.company.com, just make sure there is an A Record for sts.company.com in Public DNS. CN Validity is only authenticated by access to the server. Token signing and encryption don't require a specific CN to exist on the certificate used by those processes (nor do they require Root CA trust). If you want businessb.com to be able to access the ADFS server using sts.businessb.com, though, you'll need to make sure that shows up in the cert.

However, you'll probably want to use a different certificate for token signing and encryption of tokens with ADFS. I would only use the sts.company.com certificate for the HTTPS service on the ADFS server. It's usually acceptable to just let ADFS generate its own certificates for those purposes.
Author Comment by: Andy
ID: 41831264
Thanks Adam,

We'll only use the sts.company.com URL for all users to access globally.
We'll be using a public premium EV SSL certificate for service communications.
We'll use the self-signed certificates for token-signing/token-decryption and probably increase the lifetime to 3 years (or length of initial SaaS contract).
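One way to verify the two points above on the AD FS server itself, as an added example written for this page rather than code from the thread: list the DNS names on the service-communications (HTTPS) certificate, check the federation service name (sts.company.com) against them, and show that the token-signing certificate is a separate, self-signed one whose lifetime is a property of the farm. It assumes the ADFS PowerShell module on Windows Server 2012 R2 or later; the `$extraNames` list is an assumed placeholder for any alternate STS hostnames such as sts.businessb.com.

```powershell
# Added example (not from the thread): check which DNS names the AD FS
# service-communications (HTTPS) certificate covers and whether the
# federation service name is among them. Assumes the ADFS module on
# Windows Server 2012 R2 or later, run from an elevated session.
Import-Module ADFS
# The hostname clients connect to (sts.company.com in the thread)
$fsName = (Get-AdfsProperties).HostName

# Assumed extra STS names you plan to publish, e.g. 'sts.businessb.com'.
# The users' email domains (businessa.com ...) are NOT listed: they are
# UPN suffixes, not hostnames, and need not appear on this certificate.
$extraNames = @()

$svcCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
# Subject Alternative Name extension (OID 2.5.29.17) rendered as text
$sanExt   = $svcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}
# Older certificates may carry only a CN; fall back to it
if (-not $sanNames) { $sanNames = @($svcCert.GetNameInfo('SimpleName', $false).ToLower()) }

function Test-NameCovered([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        # Wildcard allowed only in the leftmost label, matching exactly one label
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)                       # '.company.com'
            if ($Name.EndsWith($suffix) -and $Name.Length -gt $suffix.Length) {
                $left = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

"Names on certificate: $($sanNames -join ', ')"
foreach ($n in @($fsName) + $extraNames) {
    $status = if (Test-NameCovered $n.ToLower() $sanNames) { 'covered' } else { 'MISSING' }
    '{0,-30} {1}' -f $n, $status
}

# Token-signing/decrypting certificates are separate and self-signed by AD FS;
# their lifetime in days is a farm property: Set-AdfsProperties -CertificateDuration 1095
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object CertificateType, IsPrimary, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}
```

A line reading MISSING for the federation service name means browsers and relying parties will get a name-mismatch error against that certificate, which is exactly the case the accepted answer says the SAN list must cover.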
Author Closing Comment by: Andy
ID: 41833133
Thanks for the assistance.