ADFS 2: Issue with HSM integration
-
7 August 2011 13:27
Hello,
I am trying to set up Active Directory Federation Services on Windows Server 2008 R2 in a test environment. I need to integrate the ADFS server with our HSM, a Luna SA; however, I couldn't figure out how to do this. I tried to find some help in the guides provided on Microsoft TechNet, but no luck. We don't get any option to select the Luna CSP while configuring ADFS. Please assist me with the integration of ADFS with an HSM.
Thanks & regards, Vivek
-
7 August 2011 15:41
What exactly do you want the HSM to do for ADFS?
Developer Security MVP | www.steveonsecurity.com -
8 August 2011 05:10
Hi Steve,
I want to use the SafeNet-provided cryptographic service provider (CSP) or KSP with ADFS for SSO.
Thanks & regards, Vivek -
8 August 2011 16:02
Right, that doesn't actually answer the question. Do you want the HSM to manage crypto keys, use the HSM to offload the crypto processing, etc.?
Developer Security MVP | www.steveonsecurity.com -
9 August 2011 06:19
I am hoping that I can store the certificates (and associated private keys) generated when you install ADFS within the HSM.
Thanks & regards, Vivek -
9 August 2011 06:20
Earlier, we performed Luna SA integration with other Microsoft products, e.g. AD RMS and AD CS. While configuring AD RMS we get an option to select CSP key storage, where we can select the Luna cryptographic service provider. Similarly, while configuring AD CS, we get an option to select the Luna CSP for key generation. We don't get any such option while configuring the ADFS server. It does not allow us to select a CSP.
Thanks & regards, Vivek -
9 August 2011 15:44
Okay, that makes sense. I've sent an email to some people at Microsoft and I'll see what they say.
Developer Security MVP | www.steveonsecurity.com -
10 August 2011 05:44
Thank You, Steve!
I just received this information: Microsoft has admitted it's not possible to integrate HSMs with ADFS at this time. A hotfix is planned for release this October.
Thanks & regards, Vivek -
20 February 2012 06:56
Hi Steve,
I am working on the ADFS 2.0 integration with our HSM, a Luna SA, for securing the private keys on the Luna SA. I have successfully set up the lab for verifying the SSO feature for a claims-based application using WIF. I have installed AdfsSetup.exe and applied a patch (Windows6.1-KB2607496-v3-x64.msu) released by Microsoft for HSM support. I am able to generate the certificate request using the Luna KSP while the keys are on the Luna SA, and this certificate is bound in IIS, but when configuring ADFS 2.0 I get the following error:
Please help us to solve this problem.
Thanks,
Arif
-
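The steps in the post above (generate the request through the Luna KSP, bind the certificate in IIS, then hand it to ADFS 2.0) have a check worth running before the configuration wizard: confirm that the private key really lives in the HSM's KSP and not in the Microsoft software KSP, and assign the certificate with the ADFS 2.0 snap-in with automatic rollover turned off. The following PowerShell is an added example, not code from the thread or from SafeNet; the provider name "SafeNet Key Storage Provider" and the thumbprint are assumptions and placeholders to be replaced with the values from your own system.

```powershell
# Added example (not from the thread). Run elevated on the federation server
# after KB2607496 is installed and the ADFS 2.0 configuration has completed.
param(
    # Placeholder thumbprint; replace with the HSM-backed certificate's thumbprint.
    [string]$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567",
    # Assumed KSP display name for the Luna client; verify with: certutil -csplist
    [string]$KspName    = "SafeNet Key Storage Provider"
)

# 1. Which provider holds the private key? certutil prints a "Provider = ..." line
#    for the store entry. A key that was silently generated in software shows
#    "Microsoft Software Key Storage Provider" here, which is exactly the case
#    an HSM deployment must rule out.
$storeDump    = certutil -store My $Thumbprint
$providerLine = $storeDump | Select-String -Pattern 'Provider ='
if (-not $providerLine -or ($providerLine -notmatch [regex]::Escape($KspName))) {
    throw "Private key for $Thumbprint is not held by '$KspName'. certutil reported: $providerLine"
}

# 2. Enumerate the key containers the KSP can see. This needs the Luna client
#    registered and the partition open; an empty or failing listing points at the
#    HSM client setup rather than at ADFS.
certutil -csp $KspName -key

# 3. Assign the certificate to ADFS 2.0. The 2.0 cmdlets ship as a PSSnapin.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Automatic certificate rollover creates new self-signed, software-backed
# token-signing and token-decrypting certificates, which would bypass the HSM,
# and Add-ADFSCertificate refuses to run while it is enabled.
Set-ADFSProperties -AutoCertificateRolloverEnabled $false

Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint -IsPrimary

# 4. Confirm what ADFS now uses; the HSM-backed thumbprint should be primary.
Get-ADFSCertificate | Format-Table CertificateType, Thumbprint, IsPrimary -AutoSize
```

The service account that runs the ADFS Windows service must also be allowed to use the key through the KSP; with a network HSM that is governed by the partition registration on the client rather than by a Windows ACL, so a "keyset does not exist" style failure after this script usually means the client-side partition configuration, not ADFS.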
20 February 2012 08:57
-
21 February 2012 05:55
Hi Steve,
I have found that an error occurred in the event log when the ADFS 2.0 Configuration Wizard failed to configure service settings; I have copied that event below for your reference:
Log Name: Application
Source: MSSQL$MICROSOFT##SSEE
Date: 2/21/2012 10:54:12 AM
Event ID: 9645
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: FSWEB.contoso.com
Description:
The description for Event ID 9645 from source MSSQL$MICROSOFT##SSEE cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
3602
145
The specified resource type cannot be found in the image file
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$MICROSOFT##SSEE" />
<EventID Qualifiers="49152">9645</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-02-21T05:24:12.000000000Z" />
<EventRecordID>743</EventRecordID>
<Channel>Application</Channel>
<Computer>FSWEB.contoso.com</Computer>
<Security />
</System>
<EventData>
<Data>3602</Data>
<Data>145</Data>
<Binary>AD2500001000000016000000460053005700450042005C004D004900430052004F0053004F00460054002300230053005300450045000000070000006D00610073007400650072000000</Binary>
</EventData>
</Event>
and there is no error in the Setup log.
Regards, Arif
-
24 February 2012 03:07
Hi Steve,
Do you have any update on the above issue?
Thanks,
Arif
-
24 February 2012 22:07
I have no idea why that error is occurring. I haven't seen it before. It looks like the package you used to install ADFS is either corrupt, or it's the wrong version. Try downloading the installer from the web and re-running it.
Developer Security MVP | www.syfuhs.net
-
2 March 2012 06:40
Can you please share the correct version and updates so that we can download and check them?
It will be a great help.
Thanks,
Arif