Specify the Federation Service Name

Applies To: Active Directory Federation Services (AD FS) 2.0, Windows Server 2012

The source of the Federation Service name in Active Directory Federation Services (AD FS) 2.0 is the Secure Sockets Layer (SSL) certificate for the Default Web Site in Internet Information Services (IIS) if the Web Server role is installed. The actual name text is determined by either the Subject field or, if necessary, the Subject Alternative Name field of the certificate. For example, if you want to have your Federation Service located at sts1.contoso.com, you must have a certificate, which is issued to sts1.contoso.com, installed on the local computer in the machine store. When you add a federation server to an existing server farm, the same certificate that is used on servers that are already configured within the farm must be available locally on the computer where you are attempting to extend the farm.

Item Detail

SSL certificate

Selects a certificate from the list of available qualified certificates to determine the federation service name. This list is generated from the SSL settings for the Default Web Site. If the Default Web Site has only one SSL certificate configured, that certificate is presented and automatically selected for use. If multiple SSL certificates are configured for the Default Web Site, all those certificates are listed here and you must select from among them. If there are no SSL settings configured for the Default Web Site, the list is generated from the certificates that are available in the machine store.

If you are not able to select a certificate, it is because you do not have a certificate that meets the minimum secure host naming requirements. Obtain a different certificate before continuing with server configuration.

AD FS 2.0 requires a certificate whose Subject name (or Subject Alternative Name) is a fully qualified DNS domain name. Any local certificates that are named with short (single-label) host names are blocked from selection. A single-label name such as sts1 is not globally unique, so a certificate for it could be obtained from any of numerous certificate-issuing authorities on the Internet and used to spoof your Federation Service; only a name that is anchored in a DNS domain you control ties the certificate to your service.

Choosing the certificate that you use here is a major decision point in your AD FS 2.0 design and deployment. If you use a network load balancing (NLB) solution (such as Windows NLB or a non-Microsoft hardware load balancer), you should use the DNS name that is reserved for identifying your NLB cluster group. You should also register this name (or verify that it has been registered) and ensure that it resolves properly in your DNS configuration.

After you establish the DNS name to use in your environment, request or obtain a certificate from a trusted certification authority (CA) that offers strong security options, such as a key length of 2,048 bits or longer.

Note
The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that any intended prior IIS configuration for SSL certificates is preserved. To work around this restriction, you can remove the certificate or manually reconfigure it using the IIS Management Console.

Port

Specifies the port number that is assigned to the SSL settings for the Default Web Site. If a certificate is configured on more than one port, you must select which port number to use here. If there are no SSL bindings configured, a certificate is selected from the personal certificates store on the local computer and the port value of 443 is assumed by default.

Federation Service name

Indicates the name of the Federation Service as determined from the selected certificate. This field lists more than one name if the selected certificate carries more than one possible name (for example, a Subject name plus several Subject Alternative Names), and you must choose one. If the selected certificate is a wildcard certificate, the name cannot be derived from it and you must type in a name. For example, if the certificate is issued to *.contoso.com, you must provide a name (for example, sts1.contoso.com) to use here.
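The following PowerShell is an added example, not part of the original AD FS 2.0 documentation, that reads the Default Web Site SSL bindings the way the SSL certificate and Port items above describe: one row per HTTPS binding (so a certificate bound on two ports shows up twice, and you can see which port the wizard will ask you to choose between), and, when the site has no HTTPS binding at all, a fallback to the LocalMachine\My store with port 443 assumed. It assumes PowerShell 3.0 or later, the Web Server role with the WebAdministration module, and an elevated session; the function name Get-FederationSslBinding is this example's own.

```powershell
# Added example (not from the AD FS 2.0 documentation): show the SSL bindings of the
# IIS Default Web Site as the Federation Server Configuration Wizard sees them.
# Assumptions: PowerShell 3.0+, Web Server role with the WebAdministration module,
# elevated session. Get-FederationSslBinding is a name chosen for this example.
Import-Module WebAdministration

function Get-FederationSslBinding {
    param([string]$Site = 'Default Web Site')   # the wizard only inspects this site

    $bindings = @(Get-WebBinding -Name $Site -Protocol https)

    if ($bindings.Count -eq 0) {
        # No SSL settings on the site: the wizard lists the machine store instead
        # and assumes port 443 (see the Port item on this page).
        Write-Warning "No https binding on '$Site'; wizard will list Cert:\LocalMachine\My and assume port 443."
        foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
            [pscustomobject]@{
                Port       = 443
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Source     = 'MachineStore'
            }
        }
        return
    }

    foreach ($b in $bindings) {
        # bindingInformation is "IP:port:hostheader", for example "*:443:".
        $parts = $b.bindingInformation -split ':'
        $port  = [int]$parts[1]
        $hash  = $b.certificateHash          # thumbprint of the bound certificate
        $store = $b.certificateStoreName     # normally "My"

        $subject  = '<certificate not found in store>'
        $notAfter = $null
        if ($hash) {
            $cert = Get-Item "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue
            if ($cert) {
                $subject  = $cert.Subject
                $notAfter = $cert.NotAfter
            }
        }

        # One row per binding: the same thumbprint on two ports appears twice,
        # which is exactly the case where the wizard asks you to pick a port.
        [pscustomobject]@{
            Port       = $port
            Thumbprint = $hash
            Subject    = $subject
            NotAfter   = $notAfter
            Source     = "IIS:$Site"
        }
    }
}

Get-FederationSslBinding -Site 'Default Web Site' | Format-Table -AutoSize
```

Run this before starting the wizard: if the row you expect is missing or the Subject shows the certificate was not found, the binding in IIS points at a thumbprint that is no longer in the store, and the wizard will not offer that certificate.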

Why are my certificates not appearing here?

The AD FS 2.0 Federation Server Configuration Wizard filters certificates based on Enhanced Key Usage (EKU). The EKU extension specifies the purposes for which a certificate may be used (for example, client authentication or server authentication). A certificate is not required to have an EKU extension; a certificate without one is allowed for any purpose. For certificates to appear in this list, they must have either no EKU extension or an EKU extension that includes "Server Authentication" (OID 1.3.6.1.5.5.7.3.1), as recognized by the federation server.

Why should I use a certificate with a key length of 2,048 bits or more?

Certificates are used to secure the Federation Service and its trust relationships. For these purposes, a key length of no less than 2,048 bits is recommended for current and future deployments. RSA keys that have a key length of 1,024 bits may be vulnerable to cryptanalytic attacks in the foreseeable future. To ensure security, use a default key length of 2,048 bits or more. This is the default that is provided by the Microsoft Strong Cryptographic Provider, as well as other cryptographic service providers (CSPs).
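The following PowerShell is an added example, not part of the original AD FS 2.0 documentation, that applies the filters described on this page to every certificate in LocalMachine\My and shows why a given certificate would or would not appear in the wizard: the fully qualified name requirement (single-label names blocked), the EKU rule (no EKU, or an EKU that includes Server Authentication), and the wildcard case from the Federation Service name item, where the name cannot be derived and must be typed in. It also reports the RSA key length against the 2,048-bit recommendation, which is a recommendation rather than a wizard filter. It assumes PowerShell 3.0 or later on an English-language Windows installation (the Subject Alternative Name parsing relies on the "DNS Name=" text that the extension's Format method produces there); the function names Get-CertificateDnsNames and Test-FederationCertificate are this example's own, and the private-key check is an assumption the page does not state explicitly (IIS cannot bind a certificate whose private key is absent).

```powershell
# Added example (not from the AD FS 2.0 documentation): apply the Federation Server
# Configuration Wizard's certificate rules to Cert:\LocalMachine\My and show the
# Federation Service name each eligible certificate would yield.
# Assumptions: PowerShell 3.0+, English-language Windows (SAN text is "DNS Name=..."),
# elevated session so HasPrivateKey is reported correctly. Function names are this
# example's own; the private-key check is not a rule the page lists (assumption).

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN first (the page: Subject field, or if necessary the SAN field)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name (OID 2.5.29.17): pull each "DNS Name=host" entry
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-FederationCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()

    # Assumption (not stated on the page): an SSL certificate is unusable without its private key.
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key on this machine' }

    # EKU rule: no EKU extension means any purpose; otherwise Server Authentication must be listed.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $hasServerAuth = $false
        foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $ServerAuthOid) { $hasServerAuth = $true } }
        if (-not $hasServerAuth) { $reasons += 'EKU present but lacks Server Authentication' }
    }

    # Host-name rule: only fully qualified (dotted) names qualify; "sts1" alone is blocked.
    $dns  = @(Get-CertificateDnsNames $Cert)
    $fqdn = @($dns | Where-Object { $_ -match '^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' })
    if ($fqdn.Count -eq 0) { $reasons += "no fully qualified DNS name (found: $($dns -join ', '))" }

    # Key length: the page recommends 2,048 bits or more (a recommendation, not a wizard filter).
    $keySize = $null
    try { $keySize = $Cert.PublicKey.Key.KeySize } catch { $keySize = 'n/a' }
    $keyWarning = if ($keySize -is [int] -and $keySize -lt 2048) { "key length $keySize < 2048" } else { '' }

    # Names the wizard would present. A wildcard cannot be used as-is: the operator must type a host.
    $serviceNames = @()
    foreach ($n in $fqdn) {
        if ($n.StartsWith('*.')) { $serviceNames += "$n (wildcard: type a name such as sts1$($n.Substring(1)))" }
        else                     { $serviceNames += $n }
    }

    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        KeySize      = $keySize
        Eligible     = ($reasons.Count -eq 0)
        Blocked      = ($reasons -join '; ')
        KeyWarning   = $keyWarning
        ServiceName  = ($serviceNames -join ' | ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-FederationCertificate $_ } |
    Format-Table Thumbprint, Eligible, KeySize, ServiceName, Blocked, KeyWarning -AutoSize
```

A certificate that shows Eligible = True but a non-empty KeyWarning will still be offered by the wizard; the key-length column is there so you can replace a 1,024-bit certificate before it becomes the Federation Service's identity rather than after.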