Re: ADFS and SSL Certificates




I can't remember what I did and I'm in the middle of a laptop upgrade and
can't check my test bed, so I'm not sure. :)

The logic that I'd apply is that if you give a third party your certificate,
it seems reasonable that you'd give them the whole chain so they can see the
intermediary certificates too. They might trust the root CA, but they won't
be able to establish the chain without having the rest of the certs
available (unless they are included in the signed message, which I'm not
sure).

Sorry that wasn't too helpful.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Tomasz Onyszko" <T.Onyszko_nospam_@xxxxxx> wrote in message
news:eDeBSnixGHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
Susieber wrote:
(...)

My question is: If you are using a CA instead of SelfSSL, do you still
need to export the resource federation server authentication certificate
to a file and import it on the Web server? You could infer from the note
above that you don't have to do so, because self-signing certificates are
not used and the two servers should share the same CA root automatically.
But it isn't clear in the documentation how to set this thing up with a
CA.....

Yes, and I've tried to point it out to the team which is doing the
documentation.
Yes, you still need to export this certificate because it is needed to
verify data signed by the ADFS server. Besides this certificate, both machines
have to know the certificate chain and CRL in order to operate correctly.

(...)


We can get the Step-by-Step sampleapp working in our lab if we use
SelfSSL, but not if we have the environment configured for Microsoft
Certificate Services. Joe, or any other ADFS guru, can you help?

I'm not Joe or an ADFS guru :) but will try to do my best. Some time ago
I posted a few words about setting up a lab for ADFS step-by-step with a CA
instead of SelfSSL. Not exactly what you're asking for but maybe it would
help a little:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/adfs-lab.aspx



--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
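The point made above, that the web server needs not just the exported federation server certificate but also the whole chain and a reachable CRL, can be checked on the web server before troubleshooting the sample app. The script below is an added example and is not code from either poster; it uses only the .NET X509Chain API from PowerShell (ADFS on Windows Server 2003 R2 has no PowerShell cmdlets). The path C:\adfs\fs-signing.cer is an assumed location for the exported .cer file.

```powershell
# Added example (not from the thread): verify on THIS machine that an
# exported ADFS certificate builds a complete chain to a trusted root with
# CRL checking enabled, which is what the web server must be able to do to
# verify tokens signed by the federation server.
# Assumption: the exported certificate is at C:\adfs\fs-signing.cer (hypothetical path).
param(
    [string]$CerPath = 'C:\adfs\fs-signing.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation for every certificate in the chain, fetching CRLs from the
# CDP URLs embedded in the certificates rather than only using cached copies.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($cert)

Write-Host ("Subject : " + $cert.Subject)
Write-Host ("Issuer  : " + $cert.Issuer)
Write-Host ("Chain OK: " + $ok)

# List each chain element with its status so a missing intermediate,
# missing root or unreachable CRL is visible at the element where it fails.
$i = 0
foreach ($el in $chain.ChainElements) {
    Write-Host ("  [{0}] {1}" -f $i, $el.Certificate.Subject)
    foreach ($s in $el.ChainElementStatus) {
        Write-Host ("       {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $i++
}

if (-not $ok) {
    # Typical results when the chain or CRL is missing on this machine:
    #   PartialChain             - intermediate or root CA cert not in the local stores
    #   UntrustedRoot            - CA root not in Trusted Root Certification Authorities
    #   RevocationStatusUnknown / OfflineRevocation - CRL not reachable from this box
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    exit 1
}
```

Run it on the web server after importing the exported certificate; a PartialChain or UntrustedRoot status means the CA chain still has to be imported into that machine's stores, and a revocation status means the CRL distribution point is not reachable from the web server. The built-in `certutil -verify -urlfetch C:\adfs\fs-signing.cer` performs the same chain build and CRL download from the command line and prints the result of each URL fetch.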




