Go.

Download.

Read.

Become claims-enabled.

...

You done? Good.

Now federate.

So ADFS 2.0 has this new feature called automatic certificate rollover, which theoretically allows ADFS to generate new service certificates on your behalf when the old ones are close to expiring. This feature is turned on by default if you configure a new ADFS server or server farm via the Config Wizard on initial install.

In order to manually add/remove certs to a store, such as the token-signing cert store, you need to disable this feature first, so that ADFS will "let go" of the certificate management process. Drop to a PowerShell prompt:

set-ADFSProperties -AutoCertificateRollover $false

Easy-peasy.

(Though I guarantee a slew of administrator-created issues when an admin disables this feature to add a new cert, forgets to turn it back on, and then forgets that they forgot. But we won't see whether I'm right about this for 12-24 months, since that's the average lifetime of a TS cert in most environments. Nevermind, the Internets will remember that I said it. :-))

Anyway. Shooting yourself in the foot with this feature? Is accomplished by doing the following:

• Have an ADFS server with this feature turned on.
• Realize that you've done something stupid with the CDP URL on the TS cert, and you need to issue a new one.

(watch very carefully, here comes the "Fire!" part)

• Open the Certificates MMC on the box and delete the TS cert from the computer's personal store...without first removing it from the ADFS MMC.

What happens next? Is that you open the ADFS MMC and try to add the new TS cert with the fixed-up CDP. MMC barks at you, complaining that AutoCertRollover is on and you need to turn it off.

Drop out to a PowerShell prompt, issue the command above...

...

...

...and then realize upon staring at the output of the resultant error message, that the cmdlet is checking for the presence of the old cert before it will allow you to turn off AutoCertRollover. (And there's no -force switch to bypass that...unless it's undocumented...and called something other than -force, 'cos I tried that one.)

So. Where does this leave us?

• Can't install the new cert into the ADFS MMC without turning off auto cert rollover.
• Can't turn off auto cert rollover because you deleted the old cert.

At this point I truly hope you've got a backup of the cert you deleted, complete with private key. (Did you mark it as exportable? And we won't talk about the fact that I didn't, because it was just a test box and I didn't care that much.)

:-)

Tip from the ADFS Kitteh. Here to help you people.

Carry on.

Anywho, your heroine will be speaking at the following upcoming User Group events and conferences about ADFS 2.0, ADFS troubleshooting, and a bit of SharePoint 2010 thrown in here and there for federated demo-y goodness.

Be there, or be hexagonal!

• Philly .NET Code Camp 2010.1 - Saturday April 10th, @ DeVry University in Ft. Washington PA
• Windows in Higher Education Conference 2010 - Monday April 12th-Wednesday April 14th in Redmond WA. (Not 100% confirmed yet, more details as I get them.)
• The Experts Conference 2010 - Monday April 25th- Thursday April 28th in Los Angeles CA
• Minasi Conference 2010 - Monday May 3rd-Wednesday May 5th in Virginia Beach VA
• SharePoint Saturday Philadelphia 2010 - Saturday May 8th, location TBA but most likely Ft. Washington DeVry

See you all there!

Understanding Windows Cardspace - An Introduction to the Concepts and Challenges of Digital Identities. Written by the brilliant Mssrs. Vittorio Bertocci, Caleb Baker & Garrett Serack.

I'll admit that this one was relegated to "Page 7 of 8" on my list of unread Kindle titles for many moons, and I just pulled it up while working out on the elliptical last night. (Best use case ever for the Kindle, I might add - I can stay on the elliptical for an hour at a decent clip without getting bored, since I'm reading.) I think the reason I hadn't gotten 'round to it was because...I'm an enterprise Identity lady, and I just haven't quite gotten my brain around use cases for Cardspace & InfoCard in a corporate environment yet. (Hi BP. Hi Matt.) Now, in the consumer identity space? Boy howdy will Cardspace be a killer thing...I'm just not quite sure where it fits into my happy world of AD domain controllers and ADFS federation agreements yet, still thinking on that one.

But even if you're of a similar mindset/background, you want to read this book. It's kinda Bruce Schneier-esque in its treatment of capital "I" Identity as a concept - how it has evolved on the Internet, what the problems and attack vectors are, and how to think about them conceptually as well as technically. And more to the point, it does all of this in a ridiculously well-written manner (again with the parallels to Schneier). Unlike a lot of technical books that are dry to the point of being a good substitute for Ambien at night, this one is actually erudite, occasionally funny, and an entirely enjoyable read.

So go buy it. And pre-order Vittorio's WIF book as well while you're at it.

Details as follows:

Minasi Conference 2010
May 2nd – May 5th
Virginia Beach, VA, USA

The conference runs from Sunday May 2nd until Wednesday May 5th and has some of the world’s top speakers.

The Minasi conference is unlike any other tech conference you’ve attended before due to its intimacy, favourable student:lecturer ratio, variety of topics and quality of instructors.

The conference is organized and staffed by volunteers from Mark Minasi’s forum and includes well known veteran lecturers like Mark Minasi, Rhonda Layfield, Todd Lammle, Roger Grimes, Microsoft MVP’s and author’s such as Aidan Finn, Nathan Winters and Eric Rux and forum members who just want to share what they’re doing.

The conference has enjoyed some prestigious special guest lecturers and this year is no exception. The chance to rub elbows and ask questions in such a small environment is found only at the Minasi conference. Previous years special guests have included:

-Cisco Guru and all around nice guy, Todd Lammle
-All things Security (now featuring the Cloud), Steve Riley
-Group Policy Experts Jeremy Moskowitz and Darren Mar-Elia
-Super Scripter, Don Jones
-Internet Fixer, Roger Grimes

We invite you to join us both online and in person. Take a look at the website for loads more info and to register –

www.minasiconference.com  

Pre-Conference Event

For the 2010 Conference we are pleased to offer our first Pre-Conference session.

The aim is to provide a 4 hour event at a small additional cost which will cover a topic that is closely related to the main conference but just slightly different!

In this case Todd Lammle will lead the session on the morning of Sunday 2nd May from 08:30 until 12:30.

The topic is “Configuring Basic Cisco and Router Configurations”
All students would need is their own laptop and we will provide a free copy of Todd’s latest book as well as very slick router and switch simulator that you get to keep.

We are currently working to flesh out the details of this session and will update with a full agenda shortly.

This pre-con session will cost $85 which includes the Book, The Simulator, a light breakfast, Lunch and of course the 4 hours tuition!

For more information check the conference website in the Pre-Conference section.

I look forward to seeing you in Virginia!

So a placement firm that I’ve done some work for, Pro Search Inc. in Portland Maine, has a nice little charitable arm as part of their business model:

“About the Pro Search Gives Back Program:  Each Quarter, on behalf of our clients, Pro Search donates 5 cents for every hour our temporary and contract employees work to community organizations and not-for-profits in Southern Maine.     In 2009, thanks to the hard work and dedication of you and other Pro Search contractors, this totaled over $11,000.”

Now, clearly all eyes are on the ongoing humanitarian efforts in Haiti right now, and these guys are no exception. Come to find that one of their contractors is a Haitian immigrant with significant family base still in Port-au-Prince. As a directed giving measure, Pro Search is paying to fly this person and his brother home in order to re-connect with family and friends, and to assist in the relief efforts.

Yes indeed. I work with some truly outstanding people.

Now, go give some money to the relief organization of your choice. Mine is the Salvation Army, since having worked in IT Operations for them I know first-hand what percentage of every donation dollar goes directly to relief efforts instead of administrative overhead, and they’re ridiculously efficient…something like 85 cents on the dollar goes into the mission. But there are innumerable others…go get in the game.

Token Issuance Authorization, new feature in the ADFSv2 release candidate. Allows the Identifying Party STS to control which users are authorized to receive tokens, thus decoupling both AuthN as well as certain aspects of AuthZ from the Relying Party.

From the blog post, in describing a scenario in which Contoso users are accessing a Fabrikam online store:

With the new token issuance authorization feature, the administrator of the Contoso STS can create a policy that authorizes token issuance to Fabrikam based on membership in an Active Directory security group. This implements a form of role based access control (RBAC) at the STS. The administrators of the Fabrikam online store need not be aware of the details of the [Contoso] access control policy and no action is required from the vendor if the [Contoso] policy changes.

The lovely Pamela Dingle, recent addition to the brilliant staff of Ping Identity, has joined the OpenID Foundation as a board member representing Ping.

Congratulations!

This flurry of Amazon-related ADFS goodness courtesy of Steve Riley, whom I’m incredibly happy to see speaking with such a passion around my favorite technology in the communities. :-)

There appears to be a list-serv that you can subscribe to without being an ABANet member. Some of the doc links don’t seem to be showing love, though the ones that do make for some pretty cool reading.