Solved

ADFS Queries

Posted on 2016-10-05
95 Views
Last Modified: 2016-10-07
Hi,

We are implementing a new AD FS solution.

A question I have around the SSL cert is:
We have our main (internal) AD domain:
company.net
We also have subdomains:
usa.company.net
china.company.net
india.company.net

However, our users have e-mail addresses relating to their business rather than domain so email addresses will be:
user@businessa.com
user@businessb.com
user@businessc.com
user@businessd.com
user@businesse.com

The SSL certificate will be: sts.company.com (an external domain name)
Do I need to include any information relating to any of the above?

I'm thinking more around UPN/SAN information for the certificate.

Thanks,
Andy
Question by:Andy
3 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41830247
The certificate you use only needs to match the address used to access the server by any applications that will use it for authentication and users that will be logging in. So if the certificate is for sts.company.com, just make sure there is an A Record for sts.company.com in Public DNS. CN Validity is only authenticated by access to the server. Token signing and encryption don't require a specific CN to exist on the certificate used by those processes (nor do they require Root CA trust). If you want businessb.com to be able to access the ADFS server using sts.businessb.com, though, you'll need to make sure that shows up in the cert.

However, you'll probably want to use a different certificate for token signing and encryption of tokens with ADFS. I would only use the sts.company.com certificate for the HTTPS service on the ADFS server. It's usually acceptable to just let ADFS generate its own certificates for those purposes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41831264
Thanks Adam,

We'll only use the sts.company.com URL for all users to access globally.
We'll be using a public premium EV SSL certificate for service communications.
We'll use the self-signed certificates for token-signing/token-decryption and probably increase the lifetime to 3 years (or length of initial SaaS contract).
0
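The two points above (the HTTPS certificate only has to carry the name users actually connect to, while token-signing and token-decrypting certificates can stay self-signed, and their generated lifetime can be lengthened) can be checked from the primary federation server. The script below is an added example, not code from the thread, from Microsoft or from either participant. It assumes the AD FS PowerShell module cmdlets Get-AdfsProperties, Get-AdfsCertificate and Set-AdfsProperties, and that PowerShell's certificate provider exposes DnsNameList on X509Certificate2 objects; the federation service name it reads would be sts.company.com in this thread.

```powershell
# Added example (not from the thread): audit an AD FS farm's certificates against the
# advice in the accepted answer. Run on the primary federation server.
Import-Module ADFS

function Test-HostNameMatch {
    # Does a DNS name taken from a certificate cover $HostName? Exact match, or a
    # wildcard in the left-most label only (*.company.com covers sts.company.com,
    # but not company.com or a.b.company.com). Comparison is case-insensitive.
    param([string]$HostName, [string]$CertName)
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.') -and $HostName.Contains('.')) {
        $hostParent = $HostName.Substring($HostName.IndexOf('.') + 1)
        return ($hostParent -eq $CertName.Substring(2))
    }
    return $false
}

function Get-CertDnsNames {
    # SAN DNS names first (DnsNameList is added by PowerShell's certificate
    # provider, an assumption noted in the lead-in); fall back to the subject CN.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.DnsNameList) { $names += $Cert.DnsNameList | ForEach-Object { $_.Unicode } }
    if (-not $names -and $Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    return $names
}

$props  = Get-AdfsProperties
$fsName = $props.HostName   # the federation service name, e.g. sts.company.com

# 1. HTTPS (service communications) certificate: the only name it must carry is the
#    name users and relying applications use to reach the service. Sub-domains of the
#    AD forest and the users' e-mail domains are irrelevant here.
$svc      = Get-AdfsCertificate -CertificateType Service-Communications | Where-Object IsPrimary
$svcNames = Get-CertDnsNames -Cert $svc.Certificate
$covered  = $svcNames | Where-Object { Test-HostNameMatch -HostName $fsName -CertName $_ }
if ($covered) {
    Write-Output "OK: service certificate covers $fsName (names: $($svcNames -join ', '))"
} else {
    Write-Warning "Service certificate does NOT cover $fsName; names present: $($svcNames -join ', ')"
}

# 2. Token-signing / token-decrypting: self-signed, auto-rolled certificates are
#    acceptable here (no public CA trust needed); report issuer and remaining lifetime.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $c          = Get-AdfsCertificate -CertificateType $type | Where-Object IsPrimary
    $selfSigned = ($c.Certificate.Subject -eq $c.Certificate.Issuer)
    $daysLeft   = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
    Write-Output ("{0}: self-signed={1}, expires {2:yyyy-MM-dd} ({3} days left)" -f
        $type, $selfSigned, $c.Certificate.NotAfter, $daysLeft)
}
Write-Output ("Auto rollover enabled: {0}; lifetime of generated certificates: {1} days" -f
    $props.AutoCertificateRolloverEnabled, $props.CertificateDuration)

# 3. Lengthening the self-signed certificate lifetime to 3 years, as planned in the
#    follow-up comment, is a farm property (in days). It only affects certificates
#    generated from now on, and every relying party (including the SaaS provider)
#    must pick up the new token-signing public key at the next rollover.
# Set-AdfsProperties -CertificateDuration 1095
```

The Set-AdfsProperties line is left commented out so the script is read-only by default; the name-matching helper deliberately rejects wildcards that are not in the left-most label, which is how browsers evaluate a SAN entry, so a certificate that passes this check is the one the HTTPS endpoint actually needs.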
 
LVL 7

Author Closing Comment

by:Andy
ID: 41833133
Thanks for the assistance.
0