Re: Active Directory Federation Services
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Apr 2007 13:20:53 -0500
I can't answer the question on the Microsoft CA as I don't know anything
about them. Sorry. We use another CA vendor where I work so I mostly know
it.
A "user" certificate should work, as they generally have the "client
authentication" extended key usage (EKU) which is the thing you really need.
I'm not sure why you couldn't get that to work, but perhaps it is worth
another try?
Don't beat up on yourself too much about the ADFS stuff and the new job in
general. Almost no one really knows ADFS at all yet, especially the finer
points like FSP. :)
ADFS requires skills that a lot of people don't have such as PKI and IIS.
Since it has AD in the name, it is usually given to the directory guys in an
organization, but they may not know anything about either PKI or IIS.
Give yourself a break and some time and you'll get there.
FWIW, I don't use the FSP in my production environment at all. I didn't see
an important use for it. I put my FS on the public internet instead.
However, this complies with our standard web app usage model so it was not a
difficult thing to deal with from a policy and infrastructure perspective.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nboothe@xxxxxxxxx> wrote in message
news:1175792427.307287.70830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Joe. You're getting me a little closer. Now I'm going to show
my ignorance. How do I get a Microsoft CA to issue me a client cert?
I went to the Root CA from the FSP to request a cert. There is no
option for client certificate. There is a user certificate, but I've
tried that and that didn't work. I think I've tried every cert
available but with no success.
Have you ever started a job where you feel completely inadequate? My
buddy recruited me from my K12 education IT job to a corporate IT
security company. He has complete faith in me, but I'll tell you
what, this is way different than K12. Much better job opportunity,
but security and certificates were absent in K12 so this has been a
big learning curve.
Thanks again for any help you can provide.
Nathan
On Apr 5, 11:19 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This is (for now at least) the best place to ask ADFS questions.
I'm not an FSP expert by any means, but I might be able to help here. The thing with the FSP is that it requires an HTTP client certificate, not a server SSL certificate. You could have a cert with both EKUs, but you might not.
The way it works is that the FSP does client certificate authentication to the FS when it calls the FS web service to perform operations. The FS "knows" that the FSP is an actual trusted FSP because the FS has been configured with the FSP client certificate as a trusted FSP certificate. Thus, the FSP needs a regular client certificate in addition to the SSL certificate it will use in the web server capacity for encrypting the HTTP traffic sent to the browser. The FSP needs the cert with private key, whereas the FS only needs the client certificate itself.
My guess is that you don't have an actual client certificate installed on the FSP. You'll also need to make sure the Network Service account (or whatever your app pool identity is if you changed it) has read permissions on the private key file.
I hope this helps some.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nboo...@xxxxxxxxx> wrote in message
news:1175783252.522205.322080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If this isn't the right group for this question, please point to the
right place.
I'm trying to implement ADFS in a test environment to see if it is a solution for my company. I'm having a hard time with the certificate portion of the configuration. The federation proxy needs a cert during the installation but no certs show as being available. Where is this part of the installation pulling its information from? On the federation server side of things I tried to go into the trust policy and add a FSP certificate, but nothing I try works. I've tried to add the SSL cert from the FSP, I've tried to add a user cert from the FSP, I've tried to add the certificate chain from the FSP. It won't take anything. Any ideas what I'm doing wrong?
Thanks!
Nathan
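The FSP certificate requirements Joe describes in his first reply above (a Client Authentication EKU, the private key present on the proxy, only the public certificate handed to the FS, and read access on the key file for the app pool identity) as one checklist script. This is an added PowerShell example and not part of the thread; it assumes the certificate sits in the LocalMachine\My store, that the thumbprint placeholder, export path and app pool account are replaced with your own values, that the key is a CAPI key stored under the MachineKeys folder (the path uses $env:ProgramData, which differs on Windows Server 2003), and that PowerShell with the Cert: drive is available.

```powershell
# Added example, not from the thread. Checks that the cert the FSP presents to the
# FS is a client-authentication cert with a private key, exports the public half
# for the FS trust policy, and grants the app pool identity Read on the key file.

$Thumbprint  = 'PASTE-FSP-CLIENT-CERT-THUMBPRINT-HERE'   # placeholder: replace with the real thumbprint
$AppPoolUser = 'NT AUTHORITY\NETWORK SERVICE'            # default app pool identity; change if yours differs
$ExportPath  = 'C:\temp\fsp-client.cer'                  # assumed export location for the public cert

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. EKU check. The FS authenticates the proxy with a client cert, so Client
#    Authentication must be present. Server Authentication may also be there
#    (one cert can carry both EKUs) but on its own it is the wrong kind of cert.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekus -notcontains $ClientAuthOid) {
    throw "Certificate lacks the Client Authentication EKU ($ClientAuthOid). EKUs present: $($ekus -join ', ')"
}
if ($ekus -contains $ServerAuthOid) {
    Write-Host 'Certificate also carries Server Authentication (dual-use cert); that is fine.'
}

# 2. The proxy must hold the private key; the FS only needs the public certificate.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store, so the FSP cannot authenticate with it.'
}

# 3. Export the public certificate only (DER .cer, no key). This is the file to
#    add as the trusted FSP certificate in the FS trust policy.
[System.IO.File]::WriteAllBytes($ExportPath, $cert.Export('Cert'))
Write-Host "Public certificate exported to $ExportPath"

# 4. Locate the CAPI key container file and grant the app pool identity Read.
#    Assumes an RSA CAPI key (RSACryptoServiceProvider) under MachineKeys.
$csp = $cert.PrivateKey
if (-not $csp -or -not $csp.CspKeyContainerInfo) {
    throw 'Private key is not a CAPI key container; locate the key file manually.'
}
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile   = Join-Path $keyDir $container
if (-not (Test-Path $keyFile)) { throw "Key file not found at $keyFile" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $AppPoolUser"
```

Run it elevated on the proxy. If the EKU check fails, the certificate you requested is the wrong template; if the key file lookup fails, the key was generated as a CNG key or in a per-user store and the app pool identity will not be able to open it regardless of the file ACL.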