Certificate requirements for federation server proxies
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
Servers that are running the Federation Service Proxy component of Active Directory Federation Services (ADFS) are required to use the following types of certificates:
Secure Sockets Layer (SSL) server authentication certificates: Federation server proxies use an SSL server authentication certificate to protect the HTTPS traffic between the proxy's Web server and Web clients. Federation server proxies are usually exposed to computers on the Internet that are not part of your enterprise public key infrastructure (PKI) and therefore do not trust your enterprise root CA. Therefore, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, Verisign.
When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate, so the certificate and its private key must be installed on every member of the farm. (For more information, see When to create a federation server proxy farm.) It is important to verify that the subject name in the server authentication certificate matches the Domain Name System (DNS) host name of the Federation Service endpoint Uniform Resource Locator (URL) in the trust policy; otherwise, Web clients receive a certificate name mismatch warning when they connect to the proxy.
For general information about using SSL certificates, see Configuring Secure Sockets Layer (http://go.microsoft.com/fwlink/?linkid=62785) and Obtaining Server Certificates (http://go.microsoft.com/fwlink/?linkid=62479).
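The following script is an added example, not part of the original page or of the ADFS product: run on a federation server proxy, it lists the certificates in the local machine Personal store whose subject or Subject Alternative Name matches the host name of the Federation Service endpoint URL and reports whether each one carries the Server Authentication EKU, has its private key present, is within its validity period, and matches the thumbprint agreed for the whole proxy farm. It assumes a current Windows PowerShell host (Windows Server 2003 R2 itself has no PowerShell, so run it from a newer Windows host or adapt the checks); the endpoint URL and the farm thumbprint are placeholders supplied by the caller.

```powershell
# Added example (not from the original page): check the SSL server authentication
# certificate on a federation server proxy against the requirements above.
# Assumptions: current Windows PowerShell host; the endpoint URL and the farm-wide
# thumbprint below are placeholders supplied by the caller.
param(
    [string]$EndpointUrl        = 'https://fs.contoso.com/adfs/',   # assumed Federation Service endpoint URL from the trust policy
    [string]$ExpectedThumbprint = ''                                # optional: thumbprint every farm member must share
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$endpointHost  = ([System.Uri]$EndpointUrl).Host

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Extended Key Usage extension, decoded by .NET into an OidCollection
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every dNSName entry of the Subject Alternative Name extension (OID 2.5.29.17)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # On Windows, Format($true) prints one "DNS Name=host" line per SAN entry
        $names += [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return @($names | Where-Object { $_ } | Select-Object -Unique)
}

function Test-DnsNameMatch {
    param([string]$CertName, [string]$HostName)
    # Exact match, or a wildcard certificate that covers exactly one left-most label
    if ($CertName -ieq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)   # ".contoso.com"
        return $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
               ($HostName.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return $false
}

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $names = Get-CertDnsNames $cert
    $nameMatch = @($names | Where-Object { Test-DnsNameMatch -CertName $_ -HostName $endpointHost }).Count -gt 0
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer                                  # should be a public CA that Internet clients trust
        DnsNames         = $names -join ', '
        MatchesEndpoint  = $nameMatch                                    # subject/SAN must match the endpoint URL host name
        HasServerAuthEku = (Get-EkuOids $cert) -contains $serverAuthOid
        HasPrivateKey    = $cert.HasPrivateKey                           # the SSL binding needs the private key on this proxy
        Valid            = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        MatchesFarm      = (-not $ExpectedThumbprint) -or ($cert.Thumbprint -ieq $ExpectedThumbprint)
    }
} | Where-Object { $_.MatchesEndpoint } | Format-List
```

Run it once per farm member and compare the Thumbprint values: any member that reports a different thumbprint, or no certificate at all for the endpoint host name, violates the same-certificate requirement for the farm.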
SSL client authentication certificates: Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. You can use any certificate that has the client authentication extended key usage (EKU) and chains to a root CA that is trusted on the federation server. In addition, you must explicitly add the client authentication certificate to the trust policy. Only the federation server proxy stores the private key that is associated with its client authentication certificate; the federation server holds only the public certificate in the trust policy. You can obtain a client authentication certificate by requesting one from an enterprise CA or by creating a self-signed certificate. For general information about installing client authentication certificates when you use Microsoft Certificate Services as your enterprise CA, see "Submit an advanced certificate request via the Web to a Windows Server 2003 CA" (http://go.microsoft.com/fwlink/?linkid=64020).
Important Do not use a certificate that your enterprise CA issued for client authentication of an Active Directory user (especially a domain administrator), because its private key would then be stored on the federation server proxy. Storing that private key on the federation server proxy allows an administrator of the proxy, or an attacker who compromises it, to assume the identity that the certificate represents.
Note: Token-signing certificates do not have to be issued for federation server proxies.
If any certificate that you use carries CRL distribution points (CDPs), the server on which that certificate is configured must be able to contact the server that distributes the certificate revocation lists (CRLs); otherwise revocation checking fails and the certificate may be rejected. The type of distribution point (HTTP or LDAP) determines which ports are used.
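The following script is an added example, not part of the original page or of the ADFS product. Run on a federation server proxy, it takes the thumbprint of the candidate client authentication certificate and reports the three requirements stated above (Client Authentication EKU, private key present on the proxy, chain to a trusted root with online revocation checking), flags certificates that look like Active Directory user logon certificates (a UPN in the Subject Alternative Name or the Smart Card Logon EKU), and then extracts every CRL distribution point URL from the certificate and tests whether the distributing server is reachable on the port that the URL type implies. It assumes a current Windows PowerShell host and that the thumbprint is supplied by the caller; the chain test uses the proxy's own root store, whereas the trust policy requires the chain to validate on the federation server, so repeat the chain check there.

```powershell
# Added example (not from the original page): validate a candidate client authentication
# certificate on a federation server proxy and test reachability of its CRL distribution points.
# Assumptions: current Windows PowerShell host; the thumbprint is supplied by the caller.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

$clientAuthOid     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon: marks a user logon certificate
$defaultPorts      = @{ 'http' = 80; 'https' = 443; 'ldap' = 389 }   # ports implied by the CDP URL scheme

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CRL Distribution Points extension is OID 2.5.29.31; on Windows, Format($true) prints "URL=..." lines
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    return @([regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout, so the check also works on hosts without Test-NetConnection
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$cert    = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$ekus    = Get-EkuOids $cert
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '' }

# Build the chain with online revocation checking, which exercises the CRL distribution points
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Thumbprint             = $cert.Thumbprint
    Subject                = $cert.Subject
    HasClientAuthEku       = $ekus -contains $clientAuthOid
    HasPrivateKey          = $cert.HasPrivateKey                  # only the proxy should hold this key
    ChainsToTrustedRoot    = $chainOk                             # checked against this proxy's root store
    ChainStatus            = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # A UPN in the SAN or the Smart Card Logon EKU indicates an AD user logon certificate (see the Important note above)
    LooksLikeUserLogonCert = ($ekus -contains $smartCardLogonOid) -or ($sanText -match 'Principal Name=')
} | Format-List

foreach ($url in Get-CrlUrls $cert) {
    $uri  = [System.Uri]$url
    $port = if ($uri.Port -gt 0) { $uri.Port } elseif ($defaultPorts.ContainsKey($uri.Scheme)) { $defaultPorts[$uri.Scheme] } else { $null }
    [pscustomobject]@{
        CrlUrl    = $url
        Port      = $port
        Reachable = if ($port) { Test-TcpPort -ComputerName $uri.Host -Port $port } else { $false }
    }
}
```

A certificate that reports LooksLikeUserLogonCert as True should not be used for the proxy even if every other check passes. A CDP that reports Reachable as False from the proxy usually means a firewall between the perimeter network and the CA's CRL server is blocking port 80 (HTTP) or 389 (LDAP), which is the ChainStatus RevocationStatusUnknown or OfflineRevocation result you would see in the first object.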