Step 5: Configuring Client Certificates and Testing the Sample Application

Applies To: Windows Server 2008 R2

In this step, you prepare, distribute, and use the certificates of Active Directory Federation Services (AD FS) to test access from the client computer to a claims-aware application.

This step includes the following procedures:

  • Export adfsweb and adfsaccount certificates to a file

  • Import adfsweb, adfsaccount, and adfsresource certificates

  • Access the claims-aware application from the client computer

Export adfsweb and adfsaccount certificates to a file

Administrative credentials

To perform the procedures in this step, you must log on to the adfsweb and adfsaccount computers using the domain administrator account.

Use this procedure to export the server authentication certificates for adfsweb and adfsaccount to files. By performing this step now and then importing the certificates to the adfsclient computer in the next step, you will optimize the user experience by preventing certificate prompts that users normally see when they access the federated applications. The adfsresource server authentication certificate was exported to a file in step 2. It is not necessary to export that certificate again. In the next procedure, you import these certificates to the adfsclient computer.

To export adfsweb and adfsaccount certificates to a file

  1. On the adfsweb computer, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ADFSWEB.

  3. In the center pane, double-click Server Certificates.

  4. In the center pane, right-click adfsweb.treyresearch.net, and then click Export.

  5. In the Export Certificate dialog box, click the button.

  6. In File name, type d:\adfsweb, and then click Open.

  7. Type a password for the certificate, confirm it, and then click OK.

  8. Repeat steps 1 through 7 on the adfsaccount computer. In step 6, save the file as C:\adfsaccount.
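The same export can be scripted. The following PowerShell is an added example and is not part of the original walkthrough or of the AD FS product; it reads the certificate from the local computer's Personal store (the store that the Server Certificates view in IIS Manager displays) and writes both a password-protected .pfx and a public-only .cer. The host name, output path (mirroring step 6) and the domain administrator context are assumptions for the lab.

```powershell
# Added example, not part of the original walkthrough: export the server
# authentication certificate from the local computer's Personal store.
# Assumptions: run on adfsweb (or adfsaccount) as the domain administrator,
# the certificate subject contains the lab host name, and the output path
# mirrors step 6 (D:\adfsweb on adfsweb, C:\adfsaccount on adfsaccount).

function Export-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [string] $OutputPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $PfxPassword
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # Pick the certificate IIS binds to the HTTPS site: subject carries the host
        # name and the private key is present on this machine.
        $cert = $store.Certificates |
            Where-Object { $_.Subject -like "*CN=$HostName*" -and $_.HasPrivateKey } |
            Select-Object -First 1
        if ($cert -eq $null) {
            throw "No certificate with a private key for '$HostName' in LocalMachine\My"
        }

        # PKCS #12 (.pfx): certificate plus private key, encrypted with the password.
        # Export throws if the key was generated as non-exportable. Handle this file
        # as carefully as the private key itself.
        $pfxBytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
        [System.IO.File]::WriteAllBytes("$OutputPath.pfx", $pfxBytes)

        # DER (.cer): the public certificate only. A client that merely needs to
        # trust the server requires nothing more than this file.
        $cerBytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes("$OutputPath.cer", $cerBytes)

        # Return the thumbprint so it can be recorded and compared on the client
        # after import, proving the intended certificate arrived unmodified.
        return $cert.Thumbprint
    }
    finally {
        $store.Close()
    }
}

# Usage on adfsweb (use 'adfsaccount.adatum.com' and 'C:\adfsaccount' on adfsaccount):
$password   = Read-Host -Prompt 'PFX password' -AsSecureString
$thumbprint = Export-ServerCertificate -HostName 'adfsweb.treyresearch.net' `
                                       -OutputPath 'D:\adfsweb' -PfxPassword $password
"Exported certificate with thumbprint $thumbprint"
```

Write down the thumbprint the function returns; the client-side import can then refuse any file whose thumbprint does not match, and the .cer is sufficient for the client's trust store, so the .pfx (which contains the private key) need not leave the server at all.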

Import adfsweb, adfsaccount, and adfsresource certificates

Administrative credentials

To perform the procedures in this step, you must log on to the adfsclient computer using the local administrator account.

Use this procedure to import each of the server authentication certificates from adfsweb, adfsaccount, and adfsresource into the local computer's Trusted Root Certification Authorities certificate store.

To import adfsweb, adfsaccount, and adfsresource certificates

  1. Log on to the adfsclient computer with the local administrator account, click Start, in Search programs and files, type mmc, and then click OK. Click File, and then click Add/Remove Snap-in.

  2. Click Certificates, click Add, click Computer account, and then click Next.

  3. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

  4. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.

  5. On the Welcome to the Certificate Import Wizard page, click Next.

  6. On the File to Import page, click Browse, in File name, type \\adfsresource\d$\adfsresource.pfx, click Open, and then click Next.

Note

You may have to map the network drive to obtain the adfsresource.pfx file. You can also copy the adfsresource.pfx file directly from adfsresource to adfsclient, and then point the wizard to that location.

  7. On the Password page, type the password for the adfsresource.pfx file, and then click Next.

  8. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

  9. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.

  10. Repeat these steps on the adfsclient computer until you have imported the adfsaccount and adfsweb certificates, and then proceed to the next section.
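The import can also be scripted, with a check the wizard does not perform: comparing the file's thumbprint with the value recorded on the server before anything is added to the trust store. The following PowerShell is an added example, not part of the original walkthrough or of AD FS. It assumes it runs on adfsclient as the local administrator, that the file is the .pfx exported in the previous procedure (or the .cer beside it), and that the expected thumbprint was obtained from the server out of band; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not part of the original walkthrough: import a server
# certificate into the local computer's Trusted Root Certification Authorities
# store after verifying its thumbprint.
# Assumptions: run on adfsclient as the local administrator; the file is the
# .pfx exported on the server (or the .cer beside it); the expected thumbprint
# was recorded on the server and passed in here.

function Import-TrustedRootCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint,
        [System.Security.SecureString] $PfxPassword
    )

    if ($Path -like '*.pfx') {
        if ($PfxPassword -eq $null) { throw "A password is required to open $Path" }
        $withKey = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $PfxPassword)
        # The trust store only needs the public certificate. Re-create the object
        # from a DER export so the private key carried in the .pfx is not installed.
        $publicBytes = $withKey.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$publicBytes)
    }
    else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    }

    # Compare thumbprints before touching the trust store: a file that does not
    # match the value recorded on the server must not become a trusted root.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint.ToUpperInvariant() -ne $expected) {
        throw "Thumbprint mismatch for ${Path}: file has $($cert.Thumbprint), expected $expected"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($existing.Count -eq 0) {
            $store.Add($cert)
            "Added $($cert.Subject) ($($cert.Thumbprint)) to LocalMachine\Root"
        }
        else {
            "$($cert.Subject) is already present in LocalMachine\Root"
        }
    }
    finally {
        $store.Close()
    }
}

# Usage: repeat for the adfsaccount and adfsweb files. The thumbprint below is a
# placeholder for the value recorded on adfsresource when the certificate was exported.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Import-TrustedRootCertificate -Path '\\adfsresource\d$\adfsresource.pfx' `
    -ExpectedThumbprint '<thumbprint recorded on adfsresource>' -PfxPassword $password
```

Because these are self-signed server certificates, placing one in Trusted Root Certification Authorities makes the client trust anything signed with that key, so the thumbprint check is the only thing standing between a swapped file and a silently trusted root; the function deliberately throws rather than importing when the values differ.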

Access the claims-aware application from the client computer

Administrative credentials

To perform the procedures in this step, it is not necessary to log on with administrative credentials to the client computer. In other words, if you are logged on to the client as Alan Shen (alansh), you can access the claims-aware application without adding alansh to any of the local administrator groups (for example, Power Users, Administrators) on the adfsclient computer.

Use the following procedure to access the sample claims-aware application from a client that is authorized for that application.

To access the claims-aware application from the client computer

  1. Log on to the adfsclient computer as alansh.

  2. Open a browser window, and then install the required certificates on the client by doing the following:

    1. Go to https://adfsaccount.adatum.com/.

      The browser displays a "Certificate Error: Navigation Blocked" error message that notifies you that the incoming certificate was not issued by a trusted certification authority. This error is expected behavior when you deploy Active Directory Federation Services (AD FS) servers with self-signed certificates.

    2. Click the Continue to this website (not recommended) link.

    3. In the address bar, click Certificate Error, and then click View certificates.

    4. In the Certificate dialog box, click Install Certificate.

    5. On the Welcome to the Certificate Import Wizard page, click Next.

    6. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.

    7. In the Select Certificate Store dialog box, highlight Trusted Root Certification Authorities, click OK, and then click Next.

    8. On the Completing the Certificate Import Wizard page, click Finish.

    9. On the Security Warning dialog box, click Yes.

    10. Click OK twice.

    11. Repeat steps 1 through 10 using https://adfsresource.treyresearch.net and https://adfsweb.treyresearch.net to install all three certificates into the Trusted Root Certification Authorities certificate store.

  3. Go to https://adfsweb.treyresearch.net/claimapp/. When you are prompted for your home realm, click A. Datum Corporation, and then click Submit.

  4. At this point, the SSO Sample Application appears in the browser. You can see which claims were sent to the Web server in the SingleSignOnIdentity.SecurityPropertyCollection section of the sample application.
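Rather than clicking past "Certificate Error: Navigation Blocked" and trusting whatever the browser received, a client can first fetch the certificate each server actually presents and check it against the local computer's trusted roots. The following PowerShell is an added example, not part of the original walkthrough or of AD FS; it assumes it runs on adfsclient with network access to the three lab hosts, whose names are taken from this page.

```powershell
# Added example, not part of the original walkthrough: capture the certificate
# each lab server presents during the TLS handshake and report whether that
# exact certificate (by thumbprint) is in the local computer's trusted roots.
# Assumptions: run on adfsclient with network access to the lab hosts listed
# at the bottom; replace the names for another environment.

function Test-ServerCertificateTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake only so it can be captured;
        # no application data is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Is exactly this certificate in LocalMachine\Root?
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $inRoot = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $remote.Thumbprint, $false)
    }
    finally {
        $store.Close()
    }

    New-Object PSObject -Property @{
        HostName    = $HostName
        Subject     = $remote.Subject
        Thumbprint  = $remote.Thumbprint
        NotAfter    = $remote.NotAfter
        TrustedRoot = ($inRoot.Count -gt 0)
        ChainValid  = $remote.Verify()   # full chain build under the default policy
    } | Select-Object HostName, Subject, Thumbprint, NotAfter, TrustedRoot, ChainValid
}

# Usage: the three hosts the browser steps above visit.
'adfsaccount.adatum.com', 'adfsresource.treyresearch.net', 'adfsweb.treyresearch.net' |
    ForEach-Object { Test-ServerCertificateTrust -HostName $_ } |
    Format-Table -AutoSize
```

A row showing TrustedRoot as False after the import procedure means the server is presenting a certificate other than the one whose thumbprint was recorded and imported, which is the one situation in which the browser's "Continue to this website (not recommended)" link should not be clicked until the discrepancy is explained. Once all three rows show True, the browser should reach the application without a certificate prompt.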

Note

If for any reason you have problems accessing the claims-aware application, consider running the iisreset command or restarting the adfsweb computer. Then, try to access the application again.