Re: Active Directory Federation Services
This is (for now at least) the best place to ask ADFS questions.

I'm not an FSP expert by any means, but I might be able to help here. The
thing with the FSP is that it requires an HTTP client certificate, not a
server SSL certificate. You could have a cert with both EKUs, but you might
not.

The way it works is that the FSP does client certificate authentication to
the FS when it calls the FS web service to perform operations. The FS
"knows" that the FSP is an actual trusted FSP because the FS has been
configured with the FSP client certificate as a trusted FSP certificate.

Thus, the FSP needs a regular client certificate in addition to the SSL
certificate it will use in the web server capacity for encrypting the HTTP
traffic sent to the browser. The FSP needs the cert with private key,
whereas the FS only needs the client certificate itself.

My guess is that you don't have an actual client certificate installed on
the FSP. You'll also need to make sure the Network Service account (or
whatever your app pool identity is if you changed it) has read permissions
on the private key file.

I hope this helps some.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nboothe@xxxxxxxxx> wrote in message
news:1175783252.522205.322080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If this isn't the right group for this question, please point to the
right place.

I'm trying to implement ADFS in a test environment to see if it is a
solution for my company. I'm having a hard time with the certificate
portion of the configuration. The federation proxy needs a cert
during the installation but no certs show as being available. Where
is this part of the installation pulling its information from? On
the federation server side of things I tried to go into the trust
policy and add a FSP certificate, but nothing I try works. I've tried
to add the SSL cert from the FSP, I've tried to add a user cert from
the FSP, I've tried to add the certificate chain from the FSP. It
won't take anything. Any ideas what I'm doing wrong?

Thanks!

Nathan
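A check for the two conditions Joe describes: a certificate with the Client Authentication EKU and its private key in the FSP's machine store, and the app pool identity able to read that key file. This is an added PowerShell example, not code from the thread or from ADFS itself; it assumes Windows PowerShell run elevated on the FSP, NETWORK SERVICE as the app pool identity, and a CryptoAPI RSA machine key stored under MachineKeys.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for a cert
# usable as the FSP client certificate and verify the app pool identity can
# read its private key file. Assumptions: elevated Windows PowerShell on the
# FSP, NETWORK SERVICE as app pool identity, CryptoAPI RSA key under
# MachineKeys (CNG keys are stored elsewhere and are reported as such).
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (SSL cert)
$AppPoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'
$MachineKeyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }   # no EKU extension at all: treated as "any purpose"
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-PrivateKeyReadable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Identity)
    $container = $null
    try { $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    if (-not $container) { return 'key not reachable via CryptoAPI (CNG key, or no access to the key)' }
    $keyFile = Join-Path $MachineKeyDir $container
    if (-not (Test-Path $keyFile)) { return "key file not found: $keyFile" }
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    # An Allow ACE for the identity that covers every bit of the Read right
    $granted = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if ($granted) { return "OK: $Identity can read $keyFile" }
    return "MISSING: $Identity has no Read ACE on $keyFile"
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @(Get-CertEkuOids $_)
    $access = 'n/a (no private key)'
    if ($_.HasPrivateKey) { $access = Test-PrivateKeyReadable $_ $AppPoolIdentity }
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        ClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
        ServerAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ServerAuthOid)
        PrivateKey = $_.HasPrivateKey
        KeyAccess  = $access
    }
} | Format-Table -AutoSize
```

A row with ClientAuth true, PrivateKey true and KeyAccess OK is what the FSP needs; a cert that only shows ServerAuth is the SSL cert Joe says will not do on its own.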
