ADFS Token Signing / Token Decrypting Certificate - 3rd party certificate required?

    Question

  • I'm in the process of setting up an ADFS Proxy and ADFS account server.  We're needing to create an external "trust" with a vendor so our users can authenticate their web app with our AD.  I'm looking at purchasing an SSL cert for the external ADFS proxy server, and the internal account server.  Do I need to purchase certs for Token Signing and Token Decrypting?  Or just the IIS SSL certs?

    I looked at the ADFS document for cert requirements and it didn't seem to specify this.  Thanks in advance.

    Tuesday, July 03, 2012 6:31 PM

Answers

  • Best practice is debatable as I have seen people go back and forth on the forums on whether or not it should be from a commercial CA or not.  You are correct that the Microsoft documentation does not specify a best practice for the token signing certificate. 

    However, I would recommend that the token signing cert is at least generated by your internal CA.  Self-signed certs can be spoofed by malicious users.  This security hole is present because self-signed certificates are actually root certificates.  As a best practice, when I implement ADFS, I do a public cert for the client-facing SSL certificate and I use an internal Windows CA generated cert for token signing.  It is not susceptible to the same spoofing as a machine self-signed cert.  I have some large clients that use ADFS.  With a public signed client-facing cert, and a Windows CA issued token signing cert, the ADFS farm passed the security team testing.

    These links may help if you do not know them already:

    http://technet.microsoft.com/en-us/library/dd807040%28v=ws.10%29

    http://technet.microsoft.com/en-us/library/hh341466%28v=ws.10%29


    Friday, July 06, 2012 3:47 PM
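An audit along the lines of the recommendation above, as an added example rather than anything posted in the thread: it lists the AD FS 2.0 certificates on a federation server, flags the self-signed ones (the kind AutoCertificateRollover produces) and checks whether each chains to a trusted CA the way a relying party would see it. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) and an administrative session on the federation server.

```powershell
# Added example, not from the thread: audit AD FS 2.0 certificates and flag
# self-signed token-signing / token-decrypting certificates. Assumes the
# Microsoft.Adfs.PowerShell snap-in is installed and the session is elevated.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# AutoCertificateRollover = True means AD FS generated (and will renew)
# self-signed token-signing and token-decrypting certificates itself.
$props = Get-ADFSProperties
Write-Host ("AutoCertificateRollover: {0}" -f $props.AutoCertificateRollover)

$findings = @()
foreach ($entry in Get-ADFSCertificate) {
    $cert = $entry.Certificate   # X509Certificate2 behind this AD FS role

    # A self-signed certificate issues itself: Subject and Issuer match.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain as a consuming party would. A self-signed cert that is
    # not installed as a trusted root fails here; a CA-issued one passes
    # when the issuing (internal or public) CA is trusted on this host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit only
    $chainOk = $chain.Build($cert)

    if ($selfSigned) {
        $note = 'self-signed; consider an internal CA issued certificate'
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $note = 'expires within 30 days; plan the rollover'
    } else {
        $note = 'ok'
    }

    $findings += New-Object PSObject -Property @{
        Type       = $entry.CertificateType   # Service-Communications, Token-Signing, Token-Decrypting
        Primary    = $entry.IsPrimary
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SelfSigned = $selfSigned
        ChainOk    = $chainOk
        Note       = $note
    }
}

$findings |
    Select-Object Type, Primary, SelfSigned, ChainOk, NotAfter, Issuer, Note |
    Format-Table -AutoSize
```

Run it before and after replacing a certificate: the Token-Signing row should go from SelfSigned = True to False with ChainOk = True once the internal CA cert is in place and the CA is trusted on the host.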

All replies

  • As per Certificate Requirements for Federation Servers, only the service communication certificate has this clause:

    "Because the service communication certificate must be trusted by client computers, we recommend that you use a certificate that is signed by a trusted certification authority (CA). All certificates that you select must have a corresponding private key."

    As per: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates, "AutoCertificateRollover will create a self-signed Token-Signing certificate (and Token Decrypting certificate) for you"

    We've only ever purchased the IIS SSL certificate.

    Tuesday, July 03, 2012 7:05 PM
  • Fair enough, but is it best practice to use self-signed certs for those?  Should I be getting those from a CA instead?
    Tuesday, July 03, 2012 9:16 PM