There are only 2 positions on a snowboard:

One is "looking really cool"...the other is "DEAD!"

Posted on Monday, July 7, 2008 at 10:49PM by Laura E. Hunter

An unexpected musical discovery.

So I'm sure that all of my readers of a certain vintage remember a-ha, right?[1] Well, it turns out that their keyboardist has released a few solo projects, the most recent of which I just downloaded off of iTunes on a whim and it's fracking awesome. (And his website is entirely odd and in keeping with my sense of humour, too.)

What's the album sound like? Well, some people seem to think that my beloved Marillion simply sound like Journey, so I suppose that I need to think of a similarly well-known analogy for this one.  Uhhh....hmmm...I suppose Magne smacks a bit of the Goo Goo Dolls, or of the Dave Matthews Band. Maybe.  If either of those is your cup of tea, go download "Kryptonite" and "Nothing Here to Hold You" from your MP3 provider of choice to see if the rest of "Past Perfect Future Tense" might float your boat.

 

[1] You know, that "one-hit wonder" band from the 80's who've actually released something like a dozen albums over the last 22 years.  :-)

Posted on Monday, July 7, 2008 at 06:53PM by Laura E. Hunter

Self-signed cert requirements in the ADFS step-by-step guide.

Putting them all in one place for my own reference and anyone else who needs it.

How to make it go:

  • On ADFSACCOUNT, import the Token-signing certificate from ADFSRESOURCE into the local computer's Personal store.
  • On ADFSRESOURCE, import the Token-signing certificate from ADFSACCOUNT into the local computer's Personal store.
  • On ADFSWEB, import the root CA for ADFSRESOURCE into the local computer's Trusted Root Certificates store.
  • On ADFSCLIENT, import the root CA for ADFSACCOUNT, ADFSRESOURCE, and ADFSWEB into the local computer's Trusted Root Certificates store. (NB: the claimapp sample app will still work if you miss this part, you'll just get one or more "IE doesn't like this cert, do you want to continue?" prompts nagging at you when you attempt to test from the client.)

All of these can be exported as .cer files; at no point do you need to go exporting private keys from one machine to another. (I think the docs reference exporting the ADFSRESOURCE cert to ADFSWEB as a .pfx file, but I made it work without doing so, for my part.)  You will achieve more reliable results if you import the certs using the Certificates MMC, not Internet Explorer, and if you do so while signed on as a local admin on the respective box, so that the certs land in the computer's cert store rather than a user-specific store. The docs indicate that the ADATUM test user doesn't need to be a local admin on the client box to run the sample app, and it doesn't...but doing the leg-work to make the certs behave as desired is another story.

To see if you have achieved self-signed certificate nirvana, confirm that you can navigate to the following URLs from the client without receiving any cert errors:

  • https://adfsaccount.adatum.com (NB: will return a blank page. That's fine, you just want to confirm that you can get there without any cert errors.)
  • https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx (Will return a standard-looking ASP.NET ASMX page.)
  • https://adfsresource.treyresearch.net (Also blank, but should fire up with no cert errors.)
  • https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx (Standard-looking ASMX page.)
  • https://adfsweb.treyresearch.net (Another blank one.)
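The client-side part of the procedure above as a script; this is an added example, not part of the step-by-step guide or the original post. It assumes Windows PowerShell on the .NET Framework, run elevated on ADFSCLIENT, and the .cer file paths are made-up names for the exported root CA certificates.

```powershell
# Added example. Run on ADFSCLIENT in an elevated Windows PowerShell session.
# Assumed file names: root CA certs exported as .cer (public certificate only).
$rootCerts = 'C:\certs\adfsaccount-root.cer',
             'C:\certs\adfsresource-root.cer',
             'C:\certs\adfsweb-root.cer'

# Open the computer's Trusted Root store, not the per-user one.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($path in $rootCerts) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
        $store.Add($cert)
        "Imported $($cert.Subject) [$($cert.Thumbprint)]"
    }
} finally {
    $store.Close()
}

# The five URLs from the checklist above.
$urls = 'https://adfsaccount.adatum.com',
        'https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx',
        'https://adfsresource.treyresearch.net',
        'https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx',
        'https://adfsweb.treyresearch.net'

foreach ($url in $urls) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    try {
        $req.GetResponse().Close()
        "OK           $url"
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $e = $_.Exception
        while ($e -and $e -isnot [System.Net.WebException]) { $e = $e.InnerException }
        if (-not $e) { throw }
        switch ($e.Status) {
            'TrustFailure'         { "CERT ERROR   $url (chain not trusted)" }
            'SecureChannelFailure' { "CERT ERROR   $url (TLS handshake failed)" }
            'ProtocolError'        { "TLS OK       $url (HTTP error after a clean handshake)" }
            default                { "NOT REACHED  $url ($($e.Status))" }
        }
    }
}
```

A `CERT ERROR` line points at a root CA missing from the computer's Trusted Root store; `NOT REACHED` is a name-resolution or connectivity problem, not a certificate one.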

The moral of this story being, of course, that self-signed certificates will be the death of me before this day is over.

Posted on Monday, June 30, 2008 at 11:22AM by Laura E. Hunter

Suffering Mightily Under the Iron Fist of PKI

So. The 2008 ADFS Step-by-Step guide.  (Thank you Matt for the link, once again.)

The ADFS part?  Fairly easy, if you don't count the trailing '/' in the definition of the application URL that, as it turns out, really really matters! and cost me 30 minutes of head-scratching right at the end after I'd figured out everything else.

Now, the PKI (read: "everything else") part? Took me the whole fracking weekend to get it right. I don't know if the docs are only 90% of the way there, or if I just wasn't reading carefully enough. JoeK does not kid when he tells you that "publicly-signed PKI certificates are the key to salvation when configuring ADFS."

I shall now officially dub the last 3 days: "The ADFS Weekend of Repeated and Abject Failures, though Happily Everything Ended Well."  Too long for a t-shirt slogan, but otherwise captures things quite nicely.

 

Posted on Sunday, June 29, 2008 at 06:10PM by Laura E. Hunter

Better to fight your battles with duct tape...duct tape makes you smart.

Burn Notice returns to us on July 10th. I am...ridiculously amped.

Posted on Sunday, June 29, 2008 at 12:05PM by Laura E. Hunter