Solved

ADFS Queries

Posted on 2016-10-05
3
49 Views
Last Modified: 2016-10-07
Hi,

We are implementing a new AD FS solution.

A questions I have around the SSL cert is:
We have our main (internal) AD domain:
company.net
We also have subdomains:
usa.company.net
china.company.net
india.company.net

However, our users have e-mail addresses relating to their business rather than domain so email addresses will be:
user@businessa.com
user@businessb.com
user@businessc.com
user@businessd.com
user@businesse.com

The SSL certificate will be: sts.company.com (an external domain name)
Do I need to include any information relating to any of the above?

I'm thinking more around UPN/SAN information for the certificate.

Thanks,
Andy
0
Comment
Question by:Andy
  • 2
3 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41830247
The certificate you use only needs to match the address used to access the server by any applications that will use it for authentication and users that will be logging in. So if the certificate is for sts.company.com, just make sure there is an A Record for sts.company.com in Public DNS. CN Validity is only authenticated by access to the server. Token signing and encryption don't require a specific CN to exist on the certificate used by those processes (nor do they require Root CA trust). If you want businessb.com to be able to access the ADFS server using sts.businessb.com, though, you'll need to make sure that shows up in the cert.

However, you'll probably want to use a different certificate for token signing and encryption of tokens with ADFS. I would only use the sts.company.com certificate for the HTTPS service on the ADFS server. It's usually acceptable to just let ADFS generate its own certificates for those purposes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41831264
Thanks Adam,

We'll only use the sts.company.com URL for all users to access globally.
We'll be using a public premium EV SSL certificate for service communications.
We'll use the self-signed certificates for token-signing/token-decryption and probably increase the lifetime to 3 years (or length of initial SaaS contract).
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41833133
Thanks for the assistance.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now