Re: ADFS Proxy Cert issue
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 1 Nov 2006 17:15:24 -0600
If you just want to test, then makecert is probably the way to go. I don't
know the command line for requesting a proper client certificate though.
You have to request one with the correct extended key usage OID for client
authentication.
Ideally, you would start getting these certs from the CA that you will
eventually use in production, as you may run into different issues with real
certs than with fake certs and you might as well start finding those out
sooner rather than later. However, if you don't have an internal CA or an
easy way to get certs from a vendor, then this might not be as easy. I'm
lucky in that my company has a CA that allows me to get whatever certs I
want without too much trouble.
Hopefully the step by step guide has the right makecert command line. You
might also check out the docs update that Nick was working on that explained
FSP setup better. It was posted on technet on the ADFS documentation blog a
while ago.
Also, someone in one of the other security newsgroups will be able to tell
you the right command line if you can't find someone here who does.
Basically, you have the overall big picture right:
- All the ADFS IIS communications use HTTPS, so they need standard SSL
certificates. The common name on the cert must match the DNS name of the
server in the URL, or you will likely run into annoying problems.
- Each federation server has a token signing certificate. This can be any
cert that has the Digital Signature key usage on it, which could be an SSL
cert, a client certificate, a code signing certificate, or a number of
different things. You get a lot of flexibility with this one (maybe too
much :)).
- The FSP uses a certificate intended for HTTP client certificate authentication over SSL to talk to the FS, so it needs a standard client certificate.
HTH!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
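The three certificate roles Joe lists above, as an added lab example that is not part of the original thread: a throwaway test root, an SSL certificate per IIS host whose CN and SAN match the URL host name, a token signing certificate that carries only the Digital Signature key usage, and a client certificate for the FSP with the Client Authentication EKU (1.3.6.1.5.5.7.3.2). It uses the current `New-SelfSignedCertificate` cmdlet rather than makecert; the host names `fs.lab.example.com` and `fsp.lab.example.com`, the export folder and the friendly names are assumptions for the lab. Run it elevated on a Windows box, since it writes to the LocalMachine store.

```powershell
# Added example (not from the original post). Creates the FS/FSP lab certificates
# Joe describes and checks each one for the usage its role needs.
# Assumed lab host names and export folder; adjust to your environment.
$ErrorActionPreference = 'Stop'
$fsHost  = 'fs.lab.example.com'    # assumed Federation Server DNS name
$fspHost = 'fsp.lab.example.com'   # assumed Federation Server Proxy DNS name
$outDir  = 'C:\labcerts'           # assumed export folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# 1. Test root CA. Every lab box must trust it (import lab-root.cer into
#    Cert:\LocalMachine\Root on the FS and the FSP).
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=ADFS Lab Test Root' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1')

# Issue a leaf from the test root. -Type Custom so no default EKUs are added;
# the EKU list is exactly what is passed in (none for the signing cert).
function New-LabLeafCert {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$DnsName,
        [string[]]$Eku,
        [Parameter(Mandatory)][string[]]$KeyUsage,
        [Parameter(Mandatory)][string]$FriendlyName
    )
    $params = @{
        Type = 'Custom'; Subject = $Subject; Signer = $root
        KeyAlgorithm = 'RSA'; KeyLength = 2048; HashAlgorithm = 'SHA256'
        KeyUsage = $KeyUsage; KeyExportPolicy = 'Exportable'
        CertStoreLocation = 'Cert:\LocalMachine\My'
        NotAfter = (Get-Date).AddYears(2); FriendlyName = $FriendlyName
    }
    if ($DnsName) { $params.DnsName = $DnsName }
    if ($Eku)     { $params.TextExtension = @('2.5.29.37={text}' + ($Eku -join ',')) }
    New-SelfSignedCertificate @params
}

# 2. SSL certs for IIS on each host: CN and SAN must equal the host name in the URL.
$fsSsl  = New-LabLeafCert -Subject "CN=$fsHost"  -DnsName $fsHost  -Eku $ekuServerAuth `
    -KeyUsage DigitalSignature, KeyEncipherment -FriendlyName 'Lab FS SSL'
$fspSsl = New-LabLeafCert -Subject "CN=$fspHost" -DnsName $fspHost -Eku $ekuServerAuth `
    -KeyUsage DigitalSignature, KeyEncipherment -FriendlyName 'Lab FSP SSL'

# 3. Token signing cert for the FS: Digital Signature key usage, no EKU needed.
$signing = New-LabLeafCert -Subject 'CN=ADFS Lab Token Signing' `
    -KeyUsage DigitalSignature -FriendlyName 'Lab FS Token Signing'

# 4. Client cert the FSP presents to the FS over SSL: Client Authentication EKU.
$fspClient = New-LabLeafCert -Subject "CN=$fspHost" -DnsName $fspHost -Eku $ekuClientAuth `
    -KeyUsage DigitalSignature, KeyEncipherment -FriendlyName 'Lab FSP Client Auth'

# Check a cert against its role before deploying it: name, EKU, Digital Signature KU.
function Test-LabCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedDnsName,   # omit for the signing cert
        [string]$ExpectedEku        # omit when no EKU is required
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $ku   = $Cert.Extensions | Where-Object { $_ -is ("$ns.X509KeyUsageExtension" -as [type]) }
    $ekus = ($Cert.Extensions | Where-Object { $_ -is ("$ns.X509EnhancedKeyUsageExtension" -as [type]) }
            ).EnhancedKeyUsages | ForEach-Object { $_.Value }
    $ok = $true
    if ($ExpectedDnsName -and $Cert.GetNameInfo('DnsName', $false) -ne $ExpectedDnsName) {
        Write-Warning "$($Cert.FriendlyName): name does not match $ExpectedDnsName"; $ok = $false }
    if ($ExpectedEku -and ($ekus -notcontains $ExpectedEku)) {
        Write-Warning "$($Cert.FriendlyName): missing EKU $ExpectedEku"; $ok = $false }
    if (-not $ku -or -not ($ku.KeyUsages -band ("$ns.X509KeyUsageFlags" -as [type])::DigitalSignature)) {
        Write-Warning "$($Cert.FriendlyName): Digital Signature key usage not set"; $ok = $false }
    $ok
}

$checks = @(
    (Test-LabCert -Cert $fsSsl     -ExpectedDnsName $fsHost  -ExpectedEku $ekuServerAuth),
    (Test-LabCert -Cert $fspSsl    -ExpectedDnsName $fspHost -ExpectedEku $ekuServerAuth),
    (Test-LabCert -Cert $signing),
    (Test-LabCert -Cert $fspClient -ExpectedDnsName $fspHost -ExpectedEku $ekuClientAuth)
)
if ($checks -contains $false) { throw 'One or more lab certificates fail their role check' }

# 5. Export: root (public) for every box, the FSP's PFX files for the FSP box,
#    and the client cert's public half for use on the FS side.
$pw = Read-Host -AsSecureString 'PFX password'
Export-Certificate    -Cert $root      -FilePath "$outDir\lab-root.cer"    | Out-Null
Export-PfxCertificate -Cert $fspSsl    -FilePath "$outDir\fsp-ssl.pfx"    -Password $pw | Out-Null
Export-PfxCertificate -Cert $fspClient -FilePath "$outDir\fsp-client.pfx" -Password $pw | Out-Null
Export-Certificate    -Cert $fspClient -FilePath "$outDir\fsp-client.cer" | Out-Null
```

The role check is the part worth keeping even if you issue the certificates some other way: a cert that chains fine but lacks the Client Authentication EKU, or an SSL cert whose CN is the machine's short name rather than the URL host, produces exactly the "annoying problems" Joe warns about, and they are far cheaper to catch here than in an ADFS trace. If you are still on the makecert toolchain, its `-eku` switch takes the same OID string (for example `-eku 1.3.6.1.5.5.7.3.2` for the FSP client cert) and `-n "CN=..."` sets the subject.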
"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:536B0B4C-690D-4A87-BE09-9EDCDA29AB54@xxxxxxxxxxxxxxxx
I am trying to set up an environment to allow roaming users to access several ASP.NET apps along with OWA. We want to do this using SSO to control account management. We are trying to set up ADFS to handle this using the Intranet and Roaming users scenario described in the Planning document. I was able to get the step-by-step lab scenario set up, but that architecture is a lot more than what we are looking for, as we only have users from our organization accessing these apps. I am now trying to set this up in our lab environment to test the functionality there.
My problem is getting the FSP set up properly. I am using temp certificates, but I am somewhat confused on what certs need to be on each server and how to create them. From what I understand, I need an SSL cert on the FSP for IIS and a completely different cert for the client authentication piece that will allow the FSP to authenticate back to the FS. If this is correct, what is the easiest way to create these certs? I have used makecert but I am not very familiar with all of the triggers and am not sure if I am generating them properly. Also, are there any certs that I need to create on the FS that need to be exported and installed on the FSP?
Any assistance would be appreciated on this.
Thanks
Eric