Re: ADFS Proxy setup?



Ah yes, you need a client certificate for the proxy. For the purposes of
the demo, you can self issue this too. SelfSSL is used for doing SSL certs,
but you can use certutil to create one. When you go to production, you can
either buy a client cert from a vendor (just like buying SSL certs, but
generally cheaper!), or you can stand up your own CA. For this cert, only
your federation server needs to trust it, so you don't have the same issues
to consider with SSL certs for your internet facing stuff and your token
signing certs. You generally want those chaining to a trusted root so you
don't have to cajole all of your external orgs to trust your certs. :)

There are some nice docs here:
http://technet2.microsoft.com/WindowsServer/en/library/4b9e6078-6b7d-4cc1-a927-77c1eab7c1341033.mspx?mfr=true

The section in the operations guide on TechNet2 is really good and useful.
Besides the link that shows how to use certutil to create a self-signed cert
for the proxy, they really do tell you just about everything you need to
know. I recommend reading the whole ADFS "operations" part of the tree.
That's where all the useful details are.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
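Added example, not from Joe's post or the TechNet docs he links: the self-issued client-auth certificate he describes, done with the PowerShell PKI cmdlets (Windows Server 2016 / Windows 10 and later) instead of certutil. The proxy name, file path, and the choice of the Trusted Root store on the federation server are assumptions; what it shows is the split the thread relies on: the private key stays on the FSP, only the public certificate travels to the FS, and only the FS is asked to trust it.

```powershell
# Added example (not from the thread). Step 1-2 run on the ADFS proxy (FSP),
# step 3 on the federation server (FS) after copying the .cer across.
$ProxyDnsName = 'fsp.adatum.example'     # hypothetical FSP host name
$ExportPath   = 'C:\temp\fsp-client.cer' # hypothetical path for the public cert

# 1. On the FSP: self-issue a certificate whose only purpose is Client
#    Authentication (EKU OID 1.3.6.1.5.5.7.3.2). The private key is created
#    non-exportable in the machine store so it cannot be copied off the box.
$fspCert = New-SelfSignedCertificate `
    -Subject "CN=$ProxyDnsName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(2)

# 2. Export only the public half (DER .cer); no private key leaves the FSP.
Export-Certificate -Cert $fspCert -FilePath $ExportPath | Out-Null

# 3. On the FS: a self-signed cert is its own root, so trusting it means
#    placing that one certificate in the FS machine's Trusted Root store.
#    No other host (and no external org) needs this entry.
Import-Certificate -FilePath $ExportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Sanity check, usable on either host: confirm the cert really carries the
#    Client Authentication EKU and chains to something the local machine trusts,
#    so a mis-issued cert is caught before the FS/FSP handshake fails opaquely.
function Test-FspClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages.Oid.Value -contains '1.3.6.1.5.5.7.3.2')
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        HasClientAuth = [bool]$hasClientAuth
        ChainsToTrust = $Cert.Verify()   # $true only where the public cert was imported
        Expires       = $Cert.NotAfter
    }
}
Test-FspClientCert -Cert $fspCert
```

On the FSP itself `ChainsToTrust` will be `$false` until the exported certificate is also imported into that machine's Trusted Root store, which is expected: the thread's point is that the federation server, not the proxy, is the party that has to trust this certificate. For production the same check applies to a vendor-issued client cert, with `ChainsToTrust` then depending on the vendor's root rather than on the imported self-signed cert.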
"Dom Williams" <dominic.williams@xxxxxxxxx> wrote in message
news:1154620970.423308.248640@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Well, I don't know how to set one up :)

Some background...

I have the step-by-step environment (adatum & trey) working in a VM
environment. I'd like to introduce the proxies to observe behavior &
understand how it all works.

I used selfssl on the ADs & webserver, but I think a different kind of
cert is needed for the proxy? (forgive my ignorance here, I'm a bit
weak on certificate services material)

Basically, does anyone know how to set one up w/o standing up a CA?
...I'll get one up if I need to, but right now I'm just looking for the
most simple way to take things to the next level.

Thanks!


Joe Kaplan (MVP - ADSI) wrote:
What isn't working?

I'm not actually using the proxy in my setup, but I know a little about
how it works.

Some of the tricks are that you need to create the client auth certificate
for it and get that installed correctly so that the FS will trust the FSP.
There is also a bit of trickery you may need to do if you want to use the
FS and the FS-P in the same environment, but use the same DNS name for both.
Brian Puhl talked about how he did that for the MS ADFS implementation at
his session at TechEd.

Joe K.
