Re: ADFS and SSL Certificates
- From: Susieber <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Oct 2006 13:15:01 -0700
Joe -
Well, it took 9 hours yesterday, but I finally got ADFS working with a CA.
And I have an answer to my original question posted in this thread: No, you
do not need to export the resource federation server's SSL cert to the Web
server's Trust Root store in order for ADFS to work, unless you are using
self-signed certificates.
Voila!
I have learned a lot of other things about ADFS along the way, as well as
filed three UI text bugs.....
Susie
"Joe Kaplan" wrote:
Yes, we are using certificates isssued by our in house CA. It trusts an RSA.
CA cert which chains up to the valicert public root.
We actually had no problem at all with the SSL/IIS part of the
configuration. With the ADFS token signing part, I absolutely could NOT get
ADFS to verify our trust chain. There seems to be an issue with CRL
checking that I could not configure my way out of. The problem was either
that our CA cert's CRL could not be reached due to proxy issues or the RSA
CA cert doesn't publish a CRL (which is normal for root CAs, but I guess not
a normal for CAs signed by something else, based on what I was able to find
out).
I order to get around that problem, I had to disable CRL checking in the
trust policy file. This setting is not exposed in the UI, but can be
changed manually with a text editor or can be changed with the vbscript that
they include with ADFS for command line trust policy mods. I can't remember
the exact setting, but I'm pretty sure we set it to "None".
The SSL problems with IIS are usually just an issue of not having the cert
installed in the right store, not having the trust chain set up right with
the intermediate CAs in the intermediate store and trusted root in the
trusted root CA store, or you don't have the private key installed correctly
or the current process identity doesn't have rights to read it (this happens
a lot!).
I hope that gives you some more hints. If it is just SSL, you can try
connecting to a normal html page in the same site but not under the ADFS
virtual directory to see if you can get that working. That will get ADFS
out of the picture.
Also, this stuff comes up in the regular IIS newsgroups all the time outside
of the realm of ADFS, so make sure you do some searches in other newsgroups.
Best of luck again!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Susieber" <Susieber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B409B60B-B149-4205-8442-73059B0E1A83@xxxxxxxxxxxxxxxx
Well, that event turned out not to help. We don't get any errors trying to
access the web app from the client now. Nothing happens on the client
(although he can access the default "under construction" page on the Web
server). And no messages show up on the server. Did you ever get this
working
with a CA yourself?
"Susieber" wrote:
- Follow-Ups:
- Re: ADFS and SSL Certificates
- From: Joe Kaplan
- Re: ADFS and SSL Certificates
- Prev by Date: Re: Unable to promote W2K3R2 Enterprise to DC
- Next by Date: Re: Disable lock stations
- Previous by thread: Forest trusts and GPOs
- Next by thread: Re: ADFS and SSL Certificates
- Index(es):
Relevant Pages
|
