Re: ADFS and SSL Certificates

Cert errors can be a pain. I'd suggest starting with the SSL problems and
not the token signing cert, as SSL is usually a little easier to debug and
may lead you down the path of getting everything working.

The thing that I generally find the most helpful with SSL problems is
enabling Schannel logging at the debug level and checking the system event
logs for errors:

http://support.microsoft.com/?id=260729

Typically, you either have a problem with the trust path or with access to
the private key files. If you can't browse to the various sites at all, it
is likely the case that one of these things is the problem.

Note that you may have to enable schannel logging on both machines.

Best of luck. Perhaps Tomasz can help more while I'm gone this week.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:388C8A24-D11B-4D94-A854-B731570DA7F9@xxxxxxxxxxxxxxxx
Tomasz/Joe -

I tried setting up ADFS with a CA on Friday and couldn't get it to work.
It's a Federated Web SSO with Forest Trust scenario, with the resource domain
trusting the account domain. I'm using the claimapp that comes with the
step-by-step guide, modified for my environment.

The exact same setup using self-signing certs (created with SelfSSL
according to the step-by-step guide) works fine. But with a CA running on the
resource domain, I can't get SSL working between any of the servers - even
opening up the sampleapp (claimapp) on the Web server itself fails to prompt
for a cert. Result: access denied (401.3).

No prompting for certs is happening anywhere, and the web server can't
access the resource federation server's Federation Service URL. We aren't
even getting to the Web server because any client that tries isn't offered a
cert.

Here are the certs as I have them on the various components:

Account Federation Server
-Personal store: account server SSL cert (from Default Web); Federation
Server Account token-signing cert
-Trusted Root Certification Authorities store: account server SSL cert (from
Default Web); resource domain CA's root cert

Resource Federation Server
-Personal store: resource server SSL cert (from Default Web); Federation
Server Account token-signing cert
-Trusted Root Certification Authorities store: resource server SSL cert
(from Default Web); resource domain CA's root cert

Resource Web Server
-Personal store: web server SSL cert (from Default Web)
-Trusted Root Certification Authorities store: web server SSL cert (from
Default Web); server SSL cert (from Default Web); resource domain CA's root
cert

Any advice would be appreciated, otherwise I expect to be bald by the end of
the day after pulling all my hair out trying to get this to work with a CA
for the umpteenth time. :) I sure wish Microsoft would publish some
comprehensive documentation for ADFS.

Susie

"Tomasz Onyszko" wrote:

Susieber wrote:
Thanks, Tomasz and Joe - I will try this with a CA (hopefully this week) and
let you know what happens. Tomasz, what a coincidence - before I saw this
post I was reading through your blog's lab tips for ADFS - I'd printed it out
weeks ago and it was in my stack of ADFS "stuff." :) Thanks!

Hope it helps a little :)

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
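Joe's two usual culprits (broken trust path, or the service identity unable to open the private key) can be checked directly on the server instead of only through the event log. The script below is an added example, not code from anyone in this thread; it assumes a current Windows host with PowerShell 5, the SSL cert installed in LocalMachine\My, and its thumbprint supplied in place of the placeholder. Run it as the identity the web site or federation service runs under so the private-key test reflects that account's access.

```powershell
# Added example (not from the thread). Checks the two failure classes Joe
# names: (1) does the SSL cert chain to a trusted root on this machine, and
# (2) can the current account actually use the cert's private key. Also reports
# the Schannel logging level from KB 260729 and the latest Schannel errors.
param(
    # Placeholder: thumbprint of the SSL cert bound to the site (from the IIS
    # binding); replace with the real value.
    [string]$Thumbprint = 'REPLACE_WITH_SSL_CERT_THUMBPRINT'
)

function Test-SslCertHealth {
    param([string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No cert with thumbprint $Thumbprint in LocalMachine\My" }

    # (1) Trust path: build the chain the way Schannel would on this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust-path errors from CRL reachability
    $trusted = $chain.Build($cert)
    $chainErrors = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }

    # (2) Private key: HasPrivateKey only says the store holds a key reference;
    # signing a test buffer proves this account can open the key container.
    $keyUsable = $false; $keyError = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'certificate has no RSA private key in this store' }
        $null = $rsa.SignData([byte[]](1..16),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $keyUsable = $true
    } catch { $keyError = $_.Exception.Message }

    # Schannel logging level per KB 260729 (7 = log everything); absent/0 = off.
    $logLevel = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -ErrorAction SilentlyContinue).EventLogging

    [pscustomobject]@{
        Subject              = $cert.Subject
        ChainTrusted         = $trusted
        ChainErrors          = $chainErrors
        PrivateKeyUsable     = $keyUsable
        PrivateKeyError      = $keyError
        SchannelLogLevel     = $logLevel
        RecentSchannelErrors = @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Level=2} -MaxEvents 5 -ErrorAction SilentlyContinue | ForEach-Object Message)
    }
}

Test-SslCertHealth -Thumbprint $Thumbprint
```

A `ChainTrusted` of `False` with an `UntrustedRoot` or `PartialChain` status points at the trust-path case; `PrivateKeyUsable` of `False` with an access-denied message points at the key-permission case Joe describes.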