Thursday, November 27, 2008

Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 3: Configure the FS certificates

In my last post, I explained how to configure your IIS to require SSL and how to install the needed FS Claims-aware agent.
Now, we need to configure our certificates.

STEP 3: FS - Creating, Exporting & Importing Certificates (Resource domain)
A) Creating the certificate (self-signed)
1. Open IIS Manager, select the server node, and open Server Certificates in the centre pane.
2. Here, under Actions click Create Self-signed certificate and give it a recognizable name.

B) Export the server authentication certificate to a file (Resource domain)
For communication between the FS server and the web server to succeed, the web server must first trust the root of the FS server's certificate (for a self-signed certificate, that is the certificate itself).
1. Open IIS Manager and double-click Server Certificates.
2. Select the certificate of the FS server of the domain (here server3.test.local) and click Export.
3. Specify a file name and a password for the certificate, then click OK.

C) Import the certificate on the web server (Resource domain)
Now the file that we created by exporting the certificate on the FS server can be imported on the web server.
1. Open an MMC window and add the Certificates snap-in.
2. Choose Computer account -> Local computer and click Finish.
3. Go to Trusted Root Certificate Authorities, right-click and select Import under "All Tasks".

4. Browse to the certificate .pfx file created above and provide the password.
5. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

6. You should get the message "The import was successful", after which you can see the certificate added in the MMC.

D) Export the token-signing certificate (Account domain)
The token-signing certificate will be used later to set up the Account Partner. For that, it will be imported into the Resource domain later on.
1. Open Active Directory Federation Services and choose Properties on the Federation Service.
2. On the Details tab, click Copy to File.

3. In the wizard, on the Export Private Key page, choose No, do not export the private key.
4. Then, on the Export File Format page, choose DER encoded binary X.509 (.CER).
5. Lastly, choose a file to export to and finish the wizard.
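Steps B to D above are done through the IIS, MMC and AD FS wizards. As an added example (not from the original post), the same export, import and trust check done with .NET's X509 classes from PowerShell. It assumes PowerShell is installed on both servers, that the FS server certificate's subject is CN=server3.test.local as in the post, and that the file paths are placeholders. It deliberately moves only the public part of the certificate, which is all the web server needs in order to trust the FS server.

```powershell
# Added example; the post does these steps in the IIS / MMC / AD FS wizards.
# Assumptions (not from the post): the FS server certificate is found by subject,
# the subject is CN=server3.test.local, and the paths below are placeholders.

function Export-PublicCert {
    # Step D equivalent: write only the DER-encoded public certificate (.cer);
    # the private key never leaves the FS server.
    param([string]$Subject, [string]$Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $cert.Thumbprint   # hand this to the web server out of band for the check below
}

function Import-TrustedRoot {
    # Step C equivalent, run on the web server: add the .cer to Trusted Root
    # Certification Authorities. Refuse a file carrying a private key and refuse
    # anything whose thumbprint differs from what the FS server exported.
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.HasPrivateKey) { throw 'A root-store import must not carry a private key' }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) { throw 'Thumbprint does not match the exported certificate' }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $root.Open('ReadWrite')
    $root.Add($cert)
    $root.Close()
}

function Test-CertTrust {
    # Check that the web server now builds a valid chain for the FS certificate.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed certificate: there is no CRL to consult
    $ok = $chain.Build($cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return $ok
}

# On the FS server (server3.test.local in the post):
$thumb = Export-PublicCert -Subject 'CN=server3.test.local' -Path 'C:\temp\fs-server.cer'
# On the web server, after copying the .cer file and the thumbprint over:
Import-TrustedRoot -Path 'C:\temp\fs-server.cer' -ExpectedThumbprint $thumb
Test-CertTrust -Path 'C:\temp\fs-server.cer'   # $true once the certificate is in the Root store
```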

There, that's it for this post. OK, it's quite a lot, but at least it is very straightforward. It's the configuration of the FS where the magic is. That's for my next posts ...


Federation Services setup posts:
1. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 1: Overview and installation
2. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 2: Configure IIS to use SSL on the FS servers
4. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 4: Configuring the FS server in the Account domain
5. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 5: Configuring the FS server in the Resource domain
6. Setting up Federation Services (FS) in a Windows 2008 (WS08) environment: Part 6: Creating the federation trust on both sides
