Re: Active Directory Federation Services
- From: nboothe@xxxxxxxxx
- Date: 5 Apr 2007 10:00:27 -0700
Thanks Joe. You're getting me a little closer. Now I'm going to show
my ignorance. How do I get a Microsoft CA to issue me a client cert?
I went to the Root CA from the FSP to request a cert. There is no
option for client certificate. There is a user certificate, but I've
tried that and that didn't work. I think I've tried every cert
available but with no success.
Have you ever started a job where you feel completely inadequate? My
buddy recruited me from my K12 education IT job to a corporate IT
security company. He has complete faith in me, but I'll tell you
what, this is way different than K12. Much better job opportunity,
but security and certificates were absent in K12 so this has been a
big learning curve.
Thanks again for any help you can provide.
Nathan
On Apr 5, 11:19 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This is (for now at least) the best place to ask ADFS questions.
I'm not an FSP expert by any means, but I might be able to help here. The
thing with the FSP is that it requires an HTTP client certificate, not a
server SSL certificate. You could have a cert with both EKUs, but you might
not.
The way it works is that the FSP does client certificate authentication to
the FS when it calls the FS web service to perform operations. The FS
"knows" that the FSP is an actual trusted FSP because the FS has been
configured with the FSP client certificate as a trusted FSP certificate.
Thus, the FSP needs a regular client certificate in addition to the SSL
certificate it will use in the web server capacity for encrypting the HTTP
traffic sent to the browser. The FSP needs the cert with private key,
whereas the FS only needs the client certificate itself.
My guess is that you don't have an actual client certificate installed on
the FSP. You'll also need to make sure the Network Service account (or
whatever your app pool identity is if you changed it) has read permissions
on the private key file.
I hope this helps some.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--
<nboo...@xxxxxxxxx> wrote in message news:1175783252.522205.322080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If this isn't the right group for this question, please point to the
right place.
I'm trying to implement ADFS in a test environment to see if it is a
solution for my company. I'm having a hard time with the certificate
portion of the configuration. The federation proxy needs a cert
during the installation but no certs show as being available. Where
is this part of the installation pulling its information from? On
the federation server side of things I tried to go into the trust
policy and add a FSP certificate, but nothing I try works. I've tried
to add the SSL cert from the FSP, I've tried to add a user cert from
the FSP, I've tried to add the certificate chain from the FSP. It
won't take anything. Any ideas what I'm doing wrong?
Thanks!
Nathan
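The requirements Joe lays out above (a certificate with the Client Authentication EKU rather than the Server Authentication EKU, its private key present on the FSP and readable by the app pool identity, and only the public certificate handed to the FS for the trust policy), worked through as an added PowerShell example. This is not code from the thread or from Microsoft; the FSP host name, the CA config string, the template name and the file names are placeholders, and it assumes you run it elevated on the proxy with certreq able to reach the CA.

```powershell
# Added example (not from the thread): obtain an HTTP client-authentication
# certificate for the ADFS federation service proxy (FSP) from a Microsoft CA,
# verify it is really a client certificate with a private key, and give the
# app pool identity read access to that key.
# Assumptions: elevated session on the FSP; placeholder names below.

$FspFqdn       = "fsp.example.com"                   # assumption: FSP host name
$CaConfig      = "ca01.example.com\Example Root CA"  # assumption: "CAHost\CAName" for certreq -config
$AppPoolUser   = "NT AUTHORITY\NETWORK SERVICE"      # default FSP app pool identity; change if you changed it
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"                 # id-kp-clientAuth: what the FS trust expects
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"                 # id-kp-serverAuth: the SSL cert has this; not sufficient on its own

# --- 1. Build a PKCS#10 request whose EKU is Client Authentication.
# MachineKeySet=TRUE stores the key in the computer's key store so IIS can use it.
$inf = @"
[NewRequest]
Subject = "CN=$FspFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = $ClientAuthOid
"@
# An enterprise CA issues only against a template; one that permits client
# authentication must then be named (assumption: a template called "ClientAuth"):
#   [RequestAttributes]
#   CertificateTemplate = ClientAuth
Set-Content -Path .\fsp-client.inf -Value $inf -Encoding ASCII
certreq -new .\fsp-client.inf .\fsp-client.req
certreq -submit -config $CaConfig .\fsp-client.req .\fsp-client.cer
certreq -accept .\fsp-client.cer   # pairs the issued cert with the pending key in LocalMachine\My

# --- 2. Verify the installed certificate is what the FS trust needs.
function Test-FspClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey          # FSP needs the key; the FS only needs the public cert
        ClientAuthEku = ($oids -contains $ClientAuthOid)
        ServerAuthEku = ($oids -contains $ServerAuthOid)
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FspFqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$check = Test-FspClientCert $cert
$check
if (-not ($check.HasPrivateKey -and $check.ClientAuthEku)) {
    throw "Not a usable FSP client certificate: needs a private key and the Client Authentication EKU."
}

# --- 3. Grant the app pool identity read access to the private key file.
# A CSP machine key is a file under MachineKeys; without read access the
# app pool cannot present the certificate to the FS.
function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Identity)
    $keyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $keyName
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    return $keyFile
}
Grant-PrivateKeyRead -Cert $cert -Identity $AppPoolUser

# --- 4. Export the public certificate only (no private key) to copy to the FS,
# where it is added in the trust policy as the trusted FSP certificate.
[System.IO.File]::WriteAllBytes((Join-Path (Get-Location) 'fsp-client-public.cer'),
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
```

The check in step 2 is the one to run first when the FS refuses a certificate: a cert that shows ServerAuthEku true and ClientAuthEku false is the SSL certificate, and a cert with HasPrivateKey false is the public half that belongs on the FS, not on the FSP. Step 3 targets a CSP key because the request names an RSA CSP provider; a key created by a CNG provider is stored elsewhere and has no CspKeyContainerInfo.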