I’m currently setting up a new ADFS infrastructure, and one of the things I’m still struggling with is the Token Signing/Decryption Certificates. From TechNet I read (Certificate Requirements for Federation Servers) it’s recommended to use certificates from your own CA. You can go to a third party, but this would cost you more. You could use the same certificate as used for the ADFS web services, but then that’s against best practices. You could also stick with self signed certificates and thus benefit the automatic certificate rollover feature ADFS offers (TechNet Wiki: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates) , but if I’m correct when rollover occurs you still have some work updating the Relying Party trusts if these don’t support automated Federation Metadata updates through the ADFS metadata URL. As this probably remains a manual task for certain RPs, I‘d rather stick to proper certificates then anyway. So here comes the customer Certificate Authority to the rescue!
When installing ADFS using a SQL database to store the configuration, you have to use the fsconfig.exe command line tool. Paul Williams made a nice write-up regarding the parameters for this utility: Deploying a federation server with a SQL database.
This command actually seems pretty easy:
fsconfig createsqlfarm /serviceaccount DOMAIN\S_ADFS /sqlconnectionstring "database=ADFSConfiguration;server=SQLSRV\SQLInstance;integrated security=sspi" /cleanconfig /signingcertthumbprint "fd fd fd 10 55 0b df 63 3b 56 65 2b e1 c7 97 bf 6e 83 fc 1b" /decryptcertthumbprint "77 77 77 c3 8b cb bd bc 5b a0 3a 9d 5d af 8c 57 08 f9 ce 91"
Now this command is supposed to check the default website in IIS for the certificate bound to port 443 and it should extract the subject of the certificate (sts.customer.com) and use that for the ADFS Server URL. So obviously IIS has to be properly configured for HTTPS first. Here’s the error I received:
In words: The following error occurred: The Federation Service name that was determined from the Subject field of the specified certificate is not a valid DNS name. Specify a certificate with a valid Subject name for the Federation Service DNS name, and then try again.
- My certificate was based upon a web server template, and was requested from within IIS 7.5 MMC, specifying sts.customer.com as subject
- Changing the thumbprints to a format without spaces didn’t help for this issue
- Originally I specified another name for the database, e.g. ADFS_Test_Configuration, the utility happily ignores this and created ADFSConfiguration & ADFSArtifactStore nevertheless…
- I tried adding a SAN attribute to the ADFS Web certificate, with the subject (sts.customer.com) as value, didn’t help for the issue
- I tried specifying the certificate thumbprint for the ADFS Web Certificate, I tried specifying the name to be used for the ADFS Service URL, and I tried combining both parameters in the command. All failed…
At some point in time, and after googling a bit, I found this similar case: TechNet FSConfig Errors. No answer though… So I decided to leave out the /signingcertthumbprint and the /decryptcertthumbprint and just use the /autocertrolloverenabled instead. This would configure to use SQL and it would still extract the subject from the ADFS Web Certificate. Guess what, now it was able to do that…. So I ended up using the ADFS PowerShell cmdlets to get my custom certificates in place as I tried to do with the fsconfig utility. Here’s what I did:
- Disable automatic certificate rollover
- Add my custom Token Signing\Decryption certificates
- Set them as primary
- Remove the self singed ones
It would be great if anyone could provide me feedback as to whether I’m doing something wrong, missing a prerequisite, or if this is just a bug.