Monday, 30 Jun

Self-signed cert requirements in the ADFS step-by-step guide.

Putting them all in one place for my own reference and anyone else who needs it.

How to make it go:

  • On ADFSACCOUNT, import the Token-signing certificate from ADFSRESOURCE into the local computer's Personal store.
  • On ADFSRESOURCE, import the Token-signing certificate from ADFSACCOUNT into the local computer's Personal store.
  • On ADFSWEB, import the root CA for ADFSRESOURCE into the local computer's Trusted Root Certificates store.
  • On ADFSCLIENT, import the root CA for ADFSACCOUNT, ADFSRESOURCE, and ADFSWEB into the local computer's Trusted Root Certificates store. (NB: the claimapp sample app will still work if you miss this part, you'll just get one or more "IE doesn't like this cert, do you want to continue?" prompts nagging at you when you attempt to test from the client.)
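The four import steps above, scripted so they land in the computer store rather than a user store. This is an added example and not part of the original post or the ADFS guide; the `C:\certs\...` file names are assumed (use whatever you named the .cer exports), and the script refuses anything carrying a private key, since only public .cer exports are expected here. Run it from an elevated session on each box; it picks the import list from the machine name.

```powershell
# Added example (not from the original post). Imports exported .cer files into the
# LocalMachine Personal ("My") or Trusted Root ("Root") store on the current box.
# Paths under C:\certs are assumed; rename to match your exports.

function Test-IsLocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Import-CerToLocalMachine {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('My','Root')][string]$StoreName
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A .cer export carries only the public half; a .pfx is not what this step needs.
    if ($cert.HasPrivateKey) {
        throw "Refusing to import ${Path}: it carries a private key, expected a public .cer export."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try   { $store.Add($cert) }      # no-op if the same thumbprint is already present
    finally { $store.Close() }
    "LocalMachine\{0}: imported '{1}' (thumbprint {2})" -f $StoreName, $cert.Subject, $cert.Thumbprint
}

# Which certs go where, keyed by the lab machine name (the post's list).
$plan = @{
    ADFSACCOUNT  = @(@{Path='C:\certs\adfsresource-tokensigning.cer'; Store='My'})
    ADFSRESOURCE = @(@{Path='C:\certs\adfsaccount-tokensigning.cer';  Store='My'})
    ADFSWEB      = @(@{Path='C:\certs\adfsresource-rootca.cer';       Store='Root'})
    ADFSCLIENT   = @(@{Path='C:\certs\adfsaccount-rootca.cer';        Store='Root'},
                     @{Path='C:\certs\adfsresource-rootca.cer';       Store='Root'},
                     @{Path='C:\certs\adfsweb-rootca.cer';            Store='Root'})
}

if (-not (Test-IsLocalAdmin)) {
    throw "Run this from an elevated (local admin) session so the certs go into the computer store."
}
$role = $env:COMPUTERNAME.ToUpper()
if (-not $plan.ContainsKey($role)) { throw "No import plan defined for machine '$role'." }
foreach ($item in $plan[$role]) {
    Import-CerToLocalMachine -Path $item.Path -StoreName $item.Store
}
```

Using the .NET `X509Store` class rather than a cmdlet keeps this working on the older Windows versions the ADFS guide targets; the admin check is there because a non-elevated session silently ends up writing to the user's store, which is exactly the failure mode the next paragraph warns about.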

All of these can be exported as .cer files; at no point do you need to go exporting private keys from one machine to another. (I think the docs reference exporting the ADFSRESOURCE cert to ADFSWEB as a .pfx file, but I made it work without doing so, for my part.) You will achieve more reliable results if you import the certs using the Certificates MMC, not Internet Explorer, and if you do so while signed on as a local admin on the respective box, so that the certs land in the computer's cert store rather than a user-specific store. The docs indicate that the ADATUM test user doesn't need to be a local admin on the client box to run the sample app, and it doesn't, but doing the leg-work to make the certs behave as desired is another story.

To see if you have achieved self-signed certificate nirvana, confirm that you can navigate to the following URLs from the client without receiving any cert errors:

  • https://adfsaccount.adatum.com (NB: will return a blank page. That's fine, you just want to confirm that you can get there without any cert errors.)
  • https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx (Will return a standard-looking ASP.NET ASMX page.)
  • https://adfsresource.treyresearch.net (Also blank, but should fire up with no cert errors.)
  • https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx (Standard-looking ASMX page.)
  • https://adfsweb.treyresearch.net (Another blank one.)
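Rather than clicking through each URL in the browser, the same check can be done from the client in a shell. This is an added example, not from the original post: it opens a TLS connection to each of the three lab hosts, then builds the server certificate's chain against the local machine's trust store and checks that the name on the cert matches the host, which is what the browser's cert warning is complaining about. The host names are the ones listed above; revocation checking is disabled because the lab's self-signed CAs publish no CRL.

```powershell
# Added example (not from the original post). Reports, per host, whether the TLS cert
# chains to a trusted root on this machine and whether its name matches the URL.
Add-Type -AssemblyName System.Security

function Test-AdfsTlsCert {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the handshake unconditionally so we can inspect the chain ourselves below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)   # $false if the root is not in Trusted Root Certificates

        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            ChainTrusted = $trusted
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            NameMatches  = ($dnsName -ieq $HostName)
            NotAfter     = $cert.NotAfter
        }
    }
    finally { $tcp.Close() }
}

$labHosts = 'adfsaccount.adatum.com', 'adfsresource.treyresearch.net', 'adfsweb.treyresearch.net'
$results  = foreach ($h in $labHosts) { Test-AdfsTlsCert -HostName $h }
$results | Format-Table Host, ChainTrusted, NameMatches, ChainStatus, Issuer -AutoSize

# Cert nirvana means every row shows ChainTrusted=True and NameMatches=True.
if ($results | Where-Object { -not $_.ChainTrusted -or -not $_.NameMatches }) {
    Write-Warning "At least one host would still trigger a certificate prompt in the browser."
}
```

A `ChainStatus` of `UntrustedRoot` on a row means that box's root CA never made it into the client's Trusted Root store (or landed in the user store instead); `NameMatches` being false means the cert was issued to a different name than the URL you are testing, which no amount of root importing will fix.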

The moral of this story being, of course, that self-signed certificates will be the death of me before this day is over.
