Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-05-09) Installing And Configuring ADFS v2 As An STS Server (Part 2)

Posted by Jorge on 2012-05-09


Part 1 of this series showed you how to install the binaries for ADFS v2.0.

After restarting the server we still need to install/configure the ADFS role; the previous step only installed the binaries. But before actually installing/configuring the ADFS role, let’s first make sure we have the correct certificates. ADFS v2.0 uses three: the service communication (SSL) certificate, the token signing certificate and the token decryption certificate. For more information about the certificates in use by ADFS see:

In this case I’m going to use certificates issued by the CA in my test/demo environment. The steps for each of the three certificates are similar.

Start the Certificates MMC on the ADFS STS server, targeting the local computer. To request a certificate, navigate to “Certificates (Local Computer)” –> Personal –> Certificates. Right-click the “Certificates” folder and select “All Tasks” –> “Request New Certificate”.

clip_image001

Figure 1: Requesting A New Certificate

Click on “Next >”.

clip_image002

Figure 2: Certificate Enrollment – Before You Begin

In this dialog, select the “Active Directory Enrollment Policy” and click on “Next”.

clip_image003

Figure 3: Certificate Enrollment – Certificate Enrollment Policy

For all three ADFS related certificates you can use the “Web Server” certificate template. Select the “Web Server” certificate template, click on “Details” to expand it for more information and then click on “Properties”.

clip_image004

Figure 4: Selecting The “Web Server” Certificate Template

For the Service Communication (SSL) Certificate, on the “Subject” TAB, provide the federation service name (e.g. FS.ADCORP.LAB) as the subject name (Type = Common Name) and also as the alternative name (Type = DNS). Clients validate the service name against the subject alternative name, so the DNS entry is the one that matters for the SSL handshake.

clip_image005

Figure 5a: Service Communication (SSL) Certificate – Subject Name And Alternate Name

For the Service Communication (SSL) Certificate, on the “General” TAB, provide the friendly name (e.g. Service Communication Cert For ADFS-STS) and the description.

clip_image006

Figure 5b: Service Communication (SSL) Certificate – Friendly Name And Description

For the Service Communication (SSL) Certificate, on the “Private Key” TAB, configure the private key to be exportable, so that the certificate including its private key can later be exported as a PFX file to other servers in the ADFS farm (and to the ADFS proxy). Click “OK” when done.

clip_image007

Figure 5c: Service Communication (SSL) Certificate – Configuring Private Key To Be Exportable

For the Token Signing Certificate, on the “Subject” TAB, provide the common name (e.g. FS.ADCORP.LAB.TOKEN.SIGNING) as the subject name (Type = Common Name). No alternative name is needed. The actual value of the common name is not important from a technical perspective; from a management perspective, however, it is suggested to enter a name in the format <ADFS Service Name>.TOKEN.SIGNING.

clip_image008

Figure 6a: Token Signing Certificate – Subject Name And Alternate Name

For the Token Signing Certificate, on the “General” TAB, provide the friendly name (e.g. Token Signing Cert For ADFS-STS) and the description.

clip_image009

Figure 6b: Token Signing Certificate – Friendly Name And Description

For the Token Signing Certificate, on the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done. Keep in mind that every relying party trusts tokens signed with this key, so anyone able to export it can mint tokens for any user: restrict local administrator access to the ADFS servers and protect (and delete after use) any PFX file you export.

clip_image010

Figure 6c: Token Signing Certificate – Configuring Private Key To Be Exportable

For the Token Decryption Certificate, on the “Subject” TAB, provide the common name (e.g. FS.ADCORP.LAB.TOKEN.DECRYPTION) as the subject name (Type = Common Name). No alternative name is needed. The actual value of the common name is not important from a technical perspective; from a management perspective, however, it is suggested to enter a name in the format <ADFS Service Name>.TOKEN.DECRYPTION.

clip_image011

Figure 7a: Token Decryption Certificate – Subject Name And Alternate Name

For the Token Decryption Certificate, on the “General” TAB, provide the friendly name (e.g. Token Decryption Cert For ADFS-STS) and the description.

clip_image012

Figure 7b: Token Decryption Certificate – Friendly Name And Description

For the Token Decryption Certificate, on the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

clip_image010[1]

Figure 7c: Token Decryption Certificate – Configuring Private Key To Be Exportable

Click on “Enroll” to actually enroll the certificate. Repeat the request for each of the three certificates.

clip_image013

Figure 8: Enrolling The Certificate

Click on “Finish”

clip_image014

Figure 9: Finishing The Certificate Enrollment
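The same three requests can be scripted with certreq.exe instead of clicking through the MMC, which is handy when you have to build more than one ADFS server. The script below is an added example and not part of the original post: it writes a certreq INF per certificate (exportable 2048-bit key in the machine store, Web Server template, DNS alternative name only for the service communication certificate), submits it to the enterprise CA and accepts the issued certificate into the local machine store. The CA config string in $caConfig is a hypothetical value; replace it with the output of “certutil -config - -ping” or your own “CAHost\CAName”. The template must be published on that CA and auto-issue (the default for Web Server); run this in an elevated PowerShell on the ADFS server.

```powershell
# Added example, not from the original post. Scripts the MMC enrollment of the
# three ADFS v2.0 certificates with certreq.exe.
# Assumptions: $caConfig is a hypothetical CA config string; the "WebServer"
# template is published on that CA and issues without manager approval.

$caConfig = "CA01.ADCORP.LAB\ADCORP-CA01-CA"   # hypothetical, adjust to your CA
$fsName   = "FS.ADCORP.LAB"                     # federation service name used in the post
$workDir  = Join-Path $env:TEMP "adfs-certs"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

function Invoke-CertReq {
    param([string[]]$Arguments)
    & certreq.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

function New-AdfsCertRequest {
    param(
        [string]$Subject,
        [string]$FriendlyName,
        [string]$DnsName = $null   # only the SSL cert needs a DNS alternative name
    )
    $base = Join-Path $workDir ($Subject -replace '[^A-Za-z0-9]', '_')
    $inf  = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"

    # Same settings the MMC wizard applies: CN subject, exportable key, machine store.
    # KeyUsage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20).
    $lines = @(
        "[NewRequest]",
        "Subject = `"CN=$Subject`"",
        "FriendlyName = `"$FriendlyName`"",
        "Exportable = TRUE",
        "KeyLength = 2048",
        "KeySpec = 1",
        "KeyUsage = 0xA0",
        "MachineKeySet = TRUE",
        "ProviderName = `"Microsoft RSA SChannel Cryptographic Provider`"",
        "RequestType = PKCS10"
    )
    if ($DnsName) {
        # Subject Alternative Name extension (OID 2.5.29.17) with a single DNS entry.
        $lines += "[Extensions]"
        $lines += "2.5.29.17 = `"{text}`""
        $lines += "_continue_ = `"dns=$DnsName&`""
    }
    $lines += "[RequestAttributes]"
    $lines += "CertificateTemplate = WebServer"
    Set-Content -Path $inf -Value $lines -Encoding ASCII

    Invoke-CertReq @("-new", "-q", $inf, $req)                           # build PKCS#10 + key pair
    Invoke-CertReq @("-submit", "-q", "-config", $caConfig, $req, $cer)  # send to the CA
    Invoke-CertReq @("-accept", "-q", $cer)                              # bind cert to the key in the store
    Remove-Item $req, $cer -ErrorAction SilentlyContinue                 # INF kept for auditing

    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Subject" }
}

New-AdfsCertRequest -Subject $fsName -FriendlyName "Service Communication Cert For ADFS-STS" -DnsName $fsName
New-AdfsCertRequest -Subject "$fsName.TOKEN.SIGNING" -FriendlyName "Token Signing Cert For ADFS-STS"
New-AdfsCertRequest -Subject "$fsName.TOKEN.DECRYPTION" -FriendlyName "Token Decryption Cert For ADFS-STS"
```

If the template requires CA manager approval, the “-submit” step returns a pending request instead of a certificate; issue it on the CA and run “certreq -retrieve <RequestId> file.cer” followed by “certreq -accept file.cer” to finish.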

Let’s enumerate the just created certs for ADFS, using the following PowerShell commands:

# Retrieving The Service Communication Cert For ADFS
$adfsSvcCommunicationCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB"}
$adfsSvcCommunicationCert | FL

# Retrieving The Token Signing Cert For ADFS
$adfsTokenSigningCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB.TOKEN.SIGNING"}
$adfsTokenSigningCert | FL

# Retrieving The Token Decryption Cert For ADFS
$adfsTokenDecryptionCert = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=FS.ADCORP.LAB.TOKEN.DECRYPTION"}
$adfsTokenDecryptionCert | FL

The output of all that can be seen in the picture below.

clip_image015

Figure 10: Enumerating The Certs To Be Used In ADFS
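Listing the certificates only proves they exist. Before handing them to the ADFS configuration wizard it is worth checking the properties the wizard and the clients will actually depend on. The script below is an added example, not part of the original post: for each of the three subjects used in this post it asserts that exactly one certificate is present, that the private key is in the machine store and exportable, that the key is at least 2048 bits, that the certificate is not about to expire and chains to a trusted root on this host, and, for the service communication certificate only, that the DNS alternative name contains the federation service name and the Server Authentication EKU is present. The exportability check reads the CSP key container, which assumes the keys were created with a legacy CSP (as the Web Server template does) and that the script runs elevated.

```powershell
# Added example, not from the original post. Sanity-checks the three ADFS
# certificates in the local machine store. Subjects are the ones used in the
# post; change $fsName for your own federation service name.

$fsName = "FS.ADCORP.LAB"
$expected = @{
    "Service Communication" = @{ Subject = "CN=$fsName";                  NeedsSan = $true  }
    "Token Signing"         = @{ Subject = "CN=$fsName.TOKEN.SIGNING";    NeedsSan = $false }
    "Token Decryption"      = @{ Subject = "CN=$fsName.TOKEN.DECRYPTION"; NeedsSan = $false }
}

function Test-AdfsCertificate {
    param([string]$Role, [string]$Subject, [bool]$NeedsSan)

    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
    if ($certs.Count -ne 1) {
        # Zero means the enrollment failed; more than one means the wizard may pick the wrong one.
        return New-Object PSObject -Property @{
            Role = $Role; Subject = $Subject; Thumbprint = ""; NotAfter = $null
            OK = $false; Problems = "expected 1 certificate, found $($certs.Count)"
        }
    }
    $cert = $certs[0]
    $problems = @()

    if (-not $cert.HasPrivateKey)                { $problems += "no private key in the machine store" }
    if ($cert.PublicKey.Key.KeySize -lt 2048)    { $problems += "key shorter than 2048 bits" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires within 30 days" }
    if (-not $cert.Verify())                     { $problems += "chain does not validate on this host" }

    # Exportable key is required to copy the cert to other farm nodes (CSP keys only).
    try {
        if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $problems += "private key is not exportable" }
    } catch { $problems += "could not read the private key (not elevated or no access)" }

    if ($NeedsSan) {
        # Clients match the service name against the SAN (OID 2.5.29.17), not the CN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $sanText = if ($san) { $san.Format($false) } else { "" }
        if ($sanText -notmatch [regex]::Escape($fsName)) { $problems += "SAN does not contain $fsName (got '$sanText')" }

        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus -notcontains "1.3.6.1.5.5.7.3.1") { $problems += "no Server Authentication EKU" }
    }

    New-Object PSObject -Property @{
        Role = $Role; Subject = $Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
        OK = ($problems.Count -eq 0); Problems = ($problems -join "; ")
    }
}

$results = $expected.GetEnumerator() | ForEach-Object {
    Test-AdfsCertificate -Role $_.Key -Subject $_.Value.Subject -NeedsSan $_.Value.NeedsSan
}
$results | Format-Table Role, OK, Thumbprint, NotAfter, Problems -AutoSize
if (@($results | Where-Object { -not $_.OK }).Count -gt 0) { Write-Warning "Fix the problems above before configuring ADFS." }
```

Note the thumbprints in the output; the ADFS configuration wizard and the ADFS PowerShell cmdlets identify certificates by thumbprint, so having them at hand before Part 3 saves a trip back to the MMC.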

Part 3 of this series will continue with the system configuration of ADFS.

With regards to ADFS, also see the following resources with lots of information:

ADFS Related Videos:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
