Re: ADFS and SSL Certificates



Yes, we are using certificates issued by our in house CA. It trusts an RSA
CA cert which chains up to the valicert public root.

We actually had no problem at all with the SSL/IIS part of the
configuration. With the ADFS token signing part, I absolutely could NOT get
ADFS to verify our trust chain. There seems to be an issue with CRL
checking that I could not configure my way out of. The problem was either
that our CA cert's CRL could not be reached due to proxy issues or the RSA
CA cert doesn't publish a CRL (which is normal for root CAs, but I guess not
normal for CAs signed by something else, based on what I was able to find
out).

In order to get around that problem, I had to disable CRL checking in the
trust policy file. This setting is not exposed in the UI, but can be
changed manually with a text editor or can be changed with the vbscript that
they include with ADFS for command line trust policy mods. I can't remember
the exact setting, but I'm pretty sure we set it to "None".

The SSL problems with IIS are usually just an issue of not having the cert
installed in the right store, not having the trust chain set up right with
the intermediate CAs in the intermediate store and trusted root in the
trusted root CA store, or you don't have the private key installed correctly
or the current process identity doesn't have rights to read it (this happens
a lot!).

I hope that gives you some more hints. If it is just SSL, you can try
connecting to a normal html page in the same site but not under the ADFS
virtual directory to see if you can get that working. That will get ADFS
out of the picture.

Also, this stuff comes up in the regular IIS newsgroups all the time outside
of the realm of ADFS, so make sure you do some searches in other newsgroups.

Best of luck again!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
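The three checks Joe lists (chain validation with CRL checking on and off, issuer present in the right store, private key readable by the process identity) can be run from one place. This is an added diagnostic script, not part of the thread and not an ADFS tool; it assumes Windows PowerShell with the Cert: provider, a certificate in LocalMachine\My, and a thumbprint you paste in place of the placeholder.

```powershell
# Added example: isolate chain, store and private-key problems for one server cert.
param([string]$Thumbprint = 'PASTE-THUMBPRINT-HERE')   # placeholder, not a real value

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Build the chain with CRL checking on, then off. If it only validates under
#    NoCheck, the trust chain itself is fine and the failure is CRL reachability
#    (proxy in the way, or an issuer that publishes no CRL distribution point).
foreach ($mode in 'Online', 'NoCheck') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "RevocationMode=$mode  valid=$ok  status=[$status]"
    # One line per element so you can see which issuer the chain actually used.
    $chain.ChainElements | ForEach-Object {
        "  {0}  (issued by: {1})" -f $_.Certificate.Subject, $_.Certificate.Issuer
    }
    $chain.Reset()
}

# 2. Store placement: intermediates belong in CA, the self-signed root in Root.
$issuer = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -eq $cert.Issuer }
if ($issuer) { "Issuer found in: " + (($issuer | ForEach-Object { $_.PSParentPath }) -join '; ') }
else         { "Issuer '$($cert.Issuer)' is NOT in the CA or Root store" }

# 3. Private key present, and who is allowed to read it. The IIS / ADFS process
#    identity needs Read on the key file or the SSL handshake fails silently.
if (-not $cert.HasPrivateKey) { "WARNING: no private key associated with this certificate" }
else {
    try {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" -Filter $keyName -ErrorAction Stop
        "Private key file: $($keyFile.FullName)"
        (Get-Acl $keyFile.FullName).Access | Select-Object IdentityReference, FileSystemRights
    } catch { "Could not resolve the key file (CNG key or non-RSA CSP?): $($_.Exception.Message)" }
}
```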
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B409B60B-B149-4205-8442-73059B0E1A83@xxxxxxxxxxxxxxxx
Well, that event turned out not to help. We don't get any errors trying to
access the web app from the client now. Nothing happens on the client
(although he can access the default "under construction" page on the Web
server). And no messages show up on the server. Did you ever get this
working with a CA yourself?
