Re: Active Directory Federation Services
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Apr 2007 16:10:21 -0500
Excellent. Yes, for Windows there are basically two stores (although really
there are potentially many). Each user on the machine has their own store
that is associated with their profile and the machine itself has a store.
Typically for server apps like ADFS, you'd want the certificate/private key
in the local machine store. In some cases you can put it in the user store
for the ID that runs the service.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
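An added check, not part of the thread and not Microsoft's tooling: a PowerShell script that tests the three things the replies below turn on for the FSP certificate, namely that it sits in the local machine personal store rather than a user's store, that it carries the Client Authentication EKU rather than only Server Authentication, and that it has a private key whose file the app pool identity can read. The thumbprint and the app pool account are assumptions to replace; keys held by CNG rather than a CSP are not handled.

```powershell
# Added example, not from the thread. Checks an ADFS proxy (FSP) client certificate:
#   1. it is in Cert:\LocalMachine\My, not only Cert:\CurrentUser\My;
#   2. it carries the Client Authentication EKU (Server Authentication alone is not enough);
#   3. it has a private key, and the app pool identity can read the key file.
# $Thumbprint and $AppPoolIdentity are assumptions; change them for your server.
param(
    [string]$Thumbprint      = 'REPLACE_WITH_THUMBPRINT',       # assumption
    [string]$AppPoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: IIS 6 default
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# 1. Which store holds it? A service running as Network Service cannot open a
#    certificate that only lives in an interactive user's CurrentUser store.
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
$userCert    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object { $_.Thumbprint -eq $Thumbprint }

if (-not $machineCert) {
    if ($userCert) {
        Write-Warning "Found only in Cert:\CurrentUser\My. Re-import it, with its private key, into Cert:\LocalMachine\My."
    } else {
        Write-Warning "Certificate $Thumbprint not found in CurrentUser\My or LocalMachine\My."
    }
    return
}
Write-Host "Found in LocalMachine\My: $($machineCert.Subject)"

# 2. EKU check. A certificate with no EKU extension is valid for any purpose; one
#    that has the extension must list clientAuth to be offered as a client certificate.
$ekuExt = $machineCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt) {
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains $ClientAuthOid) {
        Write-Warning ("EKU extension present but no Client Authentication ($ClientAuthOid). EKUs: " + ($oids -join ', '))
        if ($oids -contains $ServerAuthOid) {
            Write-Warning "This is a server (SSL) certificate; the FS trusts the FSP by a client certificate."
        }
    } else {
        Write-Host "Client Authentication EKU present."
    }
} else {
    Write-Host "No EKU extension (certificate is usable for any purpose)."
}

# 3. Private key and its ACL. For CSP (CAPI) keys the key material is a file under
#    <CommonAppData>\Microsoft\Crypto\RSA\MachineKeys and the app pool identity
#    needs Read on it. CNG keys live elsewhere and are not checked here.
if (-not $machineCert.HasPrivateKey) {
    Write-Warning "No private key attached. The FSP needs the key; the FS only needs the public certificate."
    return
}
try {
    $container = $machineCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    Write-Warning "Could not open the private key as the current user: $_"
    return
}
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $container
$acl = Get-Acl -Path $keyFile
$readRule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AppPoolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($readRule) {
    Write-Host "$AppPoolIdentity has Read on $keyFile"
} else {
    Write-Warning "$AppPoolIdentity has no Allow/Read ACE on $keyFile."
    # To grant it (not run by this check script):
    #   $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolIdentity, 'Read', 'Allow')
    #   $acl.AddAccessRule($rule); Set-Acl -Path $keyFile -AclObject $acl
}
```

Run it in an elevated PowerShell on the proxy; the key-file step needs rights to open the private key, which is why the script stops with a warning rather than a stack trace if the current user cannot. If you changed the application pool identity from Network Service, pass that account as `-AppPoolIdentity`.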
"nboothe" <nboothe@xxxxxxxxx> wrote in message
news:1175799395.950068.95390@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Joe,
Just wanted to let you know that I got the cert problem fixed.
Apparently when I installed the user cert (client) it was going into
the user certificate store. FSP was looking for certs in the local
computer certificate store. I didn't know there were two stores. I
dragged the cert from the user to the computer store using a custom
mmc and it finally found the cert and allowed me to install it during
the FSP install process.
Thanks for all your help!
Nathan
On Apr 5, 2:20 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I can't answer the question on the Microsoft CA as I don't know anything
about them. Sorry. We use another CA vendor where I work so I mostly know it.
A "user" certificate should work, as they generally have the "client
authentication" extended key usage (EKU) which is the thing you really
need.
I'm not sure why you couldn't get that to work, but perhaps it is worth
another try?
Don't beat up on yourself too much about the ADFS stuff and the new job in
general. Almost no one really knows ADFS at all yet, especially the finer
points like FSP. :)
ADFS requires skills that a lot of people don't have such as PKI and IIS.
Since it has AD in the name, it is usually given to the directory guys in an
organization, but they may not know anything about either PKI or IIS.
Give yourself a break and some time and you'll get there.
FWIW, I don't use the FSP in my production environment at all. I didn't see
an important use for it. I put my FS on the public internet instead.
However, this complies with our standard web app usage model so it was not a
difficult thing to deal with from a policy and infrastructure perspective.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nboo...@xxxxxxxxx> wrote in message
news:1175792427.307287.70830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Joe. You're getting me a little closer. Now I'm going to show
my ignorance. How do I get a Microsoft CA to issue me a client cert?
I went to the Root CA from the FSP to request a cert. There is no
option for client certificate. There is a user certificate, but I've
tried that and that didn't work. I think I've tried every cert
available but with no success.
Have you ever started a job where you feel completely inadequate? My
buddy recruited me from my K12 education IT job to a corporate IT
security company. He has complete faith in me, but I'll tell you
what, this is way different than K12. Much better job opportunity,
but security and certificates were absent in K12 so this has been a
big learning curve.
Thanks again for any help you can provide.
Nathan
On Apr 5, 11:19 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This is (for now at least) the best place to ask ADFS questions.
I'm not an FSP expert by any means, but I might be able to help here. The
thing with the FSP is that it requires an HTTP client certificate, not a
server SSL certificate. You could have a cert with both EKUs, but you might
not.
The way it works is that the FSP does client certificate authentication to
the FS when it calls the FS web service to perform operations. The FS
"knows" that the FSP is an actual trusted FSP because the FS has been
configured with the FSP client certificate as a trusted FSP certificate.
Thus, the FSP needs a regular client certificate in addition to the SSL
certificate it will use in the web server capacity for encrypting the HTTP
traffic sent to the browser. The FSP needs the cert with private key,
whereas the FS only needs the client certificate itself.
My guess is that you don't have an actual client certificate installed on
the FSP. You'll also need to make sure the Network Service account (or
whatever your app pool identity is if you changed it) has read permissions
on the private key file.
I hope this helps some.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nboo...@xxxxxxxxx> wrote in message
news:1175783252.522205.322080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If this isn't the right group for this question, please point to the
right place.
I'm trying to implement ADFS in a test environment to see if it is a
solution for my company. I'm having a hard time with the certificate
portion of the configuration. The federation proxy needs a cert
during the installation but no certs show as being available. Where
is this part of the installation pulling its information from? On
the federation server side of things I tried to go into the trust
policy and add a FSP certificate, but nothing I try works. I've tried
to add the SSL cert from the FSP, I've tried to add a user cert from
the FSP, I've tried to add the certificate chain from the FSP. It
won't take anything. Any ideas what I'm doing wrong?
Thanks!
Nathan