ADFS 2: Issue with HSM integration


  • Hello,

    I am trying to set up Active Directory Federation Services on Windows Server 2008 R2 in a test environment. I need to integrate the ADFS server with our HSM LunaSA; however, I couldn't figure out how to do this. I tried to find some help in guides provided on Microsoft TechNet but no luck. We don't get any option to select Luna CSP while configuring ADFS. Please assist me with integration of ADFS with an HSM.

    Thanks & regards, Vivek
    Sunday, August 07, 2011 1:27 PM

All replies

  • What exactly do you want the HSM to do for ADFS?
    Developer Security MVP | www.steveonsecurity.com
    Sunday, August 07, 2011 3:41 PM
  • Hi Steve,

    I want to use the SafeNet-provided cryptographic service provider (CSP) or KSP with ADFS for SSO.

    Thanks & regards, Vivek
    Monday, August 08, 2011 5:10 AM
  • Right, that doesn't actually answer the question. Do you want the HSM to manage crypto keys, use the HSM to offload the crypto processing, etc?
    Developer Security MVP | www.steveonsecurity.com
    Monday, August 08, 2011 4:02 PM
  • I am hoping that I can store the certificates (and associated private keys) generated when you install ADFS within the HSM.
    Thanks & regards, Vivek
    Tuesday, August 09, 2011 6:19 AM
  • Earlier, we have performed LunaSA integration with other Microsoft products e.g. ADRMS and ADCS. While configuring ADRMS we get an option to select CSP key storage where we can select Luna Cryptographic service provider. Similarly, while configuring ADCS, we get an option to select Luna CSP for key generation. We don’t get any such option while configuring ADFS server. It does not allow us to select a CSP.
    Thanks & regards, Vivek
    Tuesday, August 09, 2011 6:20 AM
  • Okay, that makes sense. I've sent an email to some people at Microsoft and I'll see what they say.

    Developer Security MVP | www.steveonsecurity.com
    Tuesday, August 09, 2011 3:44 PM
  • Thank You, Steve!

    I just received this information that Microsoft have admitted it’s not possible to integrate HSMs with ADFS at this time. A hotfix is planned for release this October.

    Thanks & regards, Vivek
    Wednesday, August 10, 2011 5:44 AM
  • Hi Steve,

    I am working on the ADFS 2.0 integration with our HSM Luna SA for securing the private keys on Luna SA. I have successfully set up the lab for verifying the SSO feature for a claims-based application using WIF. I have installed AdfsSetup.exe and applied a patch (Windows6.1-KB2607496-v3-x64.msu) released by Microsoft for HSM support. I am able to generate the certificate request using Luna KSP while the keys are on Luna SA, and this certificate is bound to IIS, but when we are configuring ADFS 2.0, I am getting the following error:

    Please help us to solve this problem.



    Monday, February 20, 2012 6:56 AM
  • Were there any errors in the event log or setup log?

    Developer Security MVP | www.syfuhs.net

    Monday, February 20, 2012 8:57 AM
  • Hi Steve,

    I have found that an error occurred in the event log when the ADFS 2.0 Configuration wizard failed to configure service settings. Below I have copied that event for your reference:

    Log Name:      Application
    Source:        MSSQL$MICROSOFT##SSEE
    Date:          2/21/2012 10:54:12 AM
    Event ID:      9645
    Task Category: (2)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      FSWEB.contoso.com
    The description for Event ID 9645 from source MSSQL$MICROSOFT##SSEE cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:


    The specified resource type cannot be found in the image file

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <Provider Name="MSSQL$MICROSOFT##SSEE" />
        <EventID Qualifiers="49152">9645</EventID>
        <TimeCreated SystemTime="2012-02-21T05:24:12.000000000Z" />
        <Security />

    and there is no error in the Setup log.



    Tuesday, February 21, 2012 5:55 AM
  • Hi Steve,

    Do you have any update on the above issue?



    Friday, February 24, 2012 3:07 AM
  • I have no idea why that error is occurring. I haven't seen it before. It looks like the package you used to install ADFS is either corrupt, or it's the wrong version. Try downloading the installer from the web and re-running it.

    Developer Security MVP | www.syfuhs.net

    Friday, February 24, 2012 10:07 PM
  • Can you please share the correct version and updates so that we can download and check?

    It will be a great help.



    Friday, March 02, 2012 6:40 AM