ADFS / ADFS Proxy Setup - Certificate misconfiguration
-
Tuesday, July 10, 2012 9:57 PM
Hi,
I'm brand new with ADFS, this is my very first installation, I've been reading and watching this video, but unfortunately, I have a problem because of certificates !
Here is my configuration so far
Internal ADFS server
FQDN: ADFS01.mydomain.local
IP: 192.119.12.82
Cname: sts.active.local
I have installed and bound a certificate (sts.mydomain.local) signed by my internal CA (CA01.mydomain.local). So far so good, everything works!
Now I'm trying to setup my ADFS proxy in a DMZ
FQDN: ADFS02.mydomain.com
IP: 192.119.33.82
EXT NAT: 70.12.12.12
The ADFS02 hosts file contains an entry for sts.active.local (192.119.12.82). I can ping and resolve 192.119.12.82 from my ADFS proxy.
I have imported and bound our wildcard certificate (*.mydomain.com) to IIS; this one is signed by an external entity (Verisign).
Problem:
The error message I got in the ADFS event log after entering my credential is:
Could not establish trust relationship for SSL/TLS secure channel with authority 'sts.mydomain.local'
Should I try to import the sts.mydomain.local certificate? If so, where? I'm pretty sure that won't work since I need the *.mydomain.com certificate for the external users!
My internal DNS server does not hold mydomain.com but only mydomain.local.
Mydomain.com zone is hosted externally
I was thinking of creating a mydomain.com zone on my internal DNS server, but I'm a bit worried and do not want to break anything!
TIA
Cyreli
Life is short, Enjoy it now. Cyreli
- Edited by Cyreli Tuesday, July 10, 2012 10:15 PM
All Replies
-
Tuesday, July 10, 2012 10:30 PM
The internal STS certificate should match the external certificate and the domain names should match for both servers. So externally ADFS proxy should resolve to ADFS02.mydomain.com and internally it should also resolve to ADFS02.mydomain.com and the certificate for both should have a subject of ADFS02.mydomain.com.
Developer Security MVP | www.syfuhs.net
-
Wednesday, July 11, 2012 12:02 PM
I presume that the proxy is not a member of your domain. As a result, it would not trust the certificate generated from the internal CA. Did you download the CA certificate into the trusted root certification authorities on the computer account of the ADFS proxy?
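The check described in the reply above can be run from the proxy itself. The script below is an added example, not code from this thread: it opens a TLS connection to the federation service name, records what the Windows validator objects to, and then builds the chain against the proxy's own certificate stores, so a missing internal root CA (chain error) shows up separately from a name mismatch (the subject or SAN does not cover the name). The host name is the example value used in the thread.

```powershell
# Run on the ADFS proxy. Assumes the STS name resolves there (hosts file) and 443 is reachable.
param(
    [string]$StsName = 'sts.mydomain.local',   # example name from the thread
    [int]$Port = 443
)

# Hashtable is passed by reference, so the callback can hand results back to this scope.
$state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Cert = $null }

# Accept the certificate for the duration of the probe, but keep the validator's verdict.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $state.Errors = $errors
    $state.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($StsName, $Port)   # 10060-style timeouts surface here
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # The name passed here is the one the validator compares against the subject/SAN.
    $ssl.AuthenticateAsClient($StsName)
    $ssl.Dispose()
} finally {
    $client.Close()
}

$cert = $state.Cert
$san  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
        ForEach-Object { $_.Format($false) }
"Server presented : $($cert.Subject)"
"Issued by        : $($cert.Issuer)"
"SANs             : $san"
"Policy errors    : $($state.Errors)"   # RemoteCertificateChainErrors / RemoteCertificateNameMismatch / None

# Rebuild the chain with this machine's stores: a failure here means the issuing CA
# (for an internally issued certificate, the internal CA) is not trusted on the proxy.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
"Chain builds     : $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
```

A chain error together with an issuer of CA01.mydomain.local points at the missing root in the proxy's Trusted Root Certification Authorities (computer) store; a name mismatch means the name the proxy uses is not covered by the certificate's subject or SAN.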
-
Monday, July 16, 2012 6:45 PM
Thank you for your replies, unfortunately I'm still having issues.
So, as advised, I have imported the wildcard certificate (*.mydomain.com) to ADFS01.mydomain.local and ADFS02.mydomain.com.
How should I configure the hosts file on the host server?
sts.mydomain.local 192.119.12.82
or
sts.mydomain.com 192.119.12.82 ?
During the connection test, since my ADFS02 server is not part of mydomain.local, what credential should I use? Will a mydomain.local domain account work?
I have tried different things, and I got 2 different types of errors.
Error1:
Could not connect to https://sts.mydomain.com/adfs/services/trust/proxytrustprovisionusername. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 74.XXX.XXX.XXX:443
Telnet 74.XXX.XXX.XXX 443 DOES WORK
Error 2:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'sts.mydomain.local'.
Error 3:
The HTTP request was forbidden with client authentication scheme 'Basic'.
Life is short, Enjoy it now. Cyreli