Adding a Certificate to ADFS 3.0 on Windows 2012 R2

ADFS only allows imports through the GUI in the .PFX format.  To get around this, add your certificate to the Machine’s Personal Store before configuring the first server in the farm.

Hit WINKEY+R to get to the Run line.

Run Certlm.msc

Select the Personal store under the Computer account, right-click it and choose All Tasks > Advanced Operations > Create Custom Request.  See our blog entry on correctly formatting a CSR.


In ADFS 3.0 you can support Workplace Join once 2012 R2 domain controllers are in place.  If you are going to support this feature, you need to add a Subject Alternative Name (SAN) to your ADFS certificate:

enterpriseregistration.YOURDOMAIN.TLD

The name has to be “enterpriseregistration” (without quotes).  This is a fixed, well-known name, like autodiscover for Exchange.

[Figure: 2012 R2 certificate request]


Click Properties

[Figure: Certificate request properties, 2012 R2]

An example of the ADFS 3.0 certificate request settings:

[Figure: CSP and key length for 2012 R2 certificates]

I normally recommend a larger key size than the minimum.  The de facto minimum these days (2015) is 2048 bits, but this is only because industry players like Microsoft and Google are forcing the issue; many certificates still rely on 1024-bit keys.  Given that the industry will probably continue to move to larger keys as a panacea for insecure protocols, a bigger key may save you from having to replace the certificate before its lifetime expires.  What about the CPU overhead of a larger key?  Modern 64-bit, multi-core systems will be largely unaffected by the small increase in CPU overhead.  If you are doing this on a machine that would be affected, Windows 2012 R2 probably should not be installed on it anyway.

After you receive the certificate, install it on the server running ADFS 3.0.

Installing the certificate on ADFS 3.0 on Windows 2012 R2

If you will be adding a second machine to the farm, you can export the certificate as a .PFX file.  Make sure to export the private key with it.  The export procedure is the same as for ADFS 2.0.

How to Configure SSL Certificates for ADFS 2.0

The single most important step when correctly configuring ADFS (Active Directory Federation Services) is the SSL certificate.  This is true whether you are using it for Office 365 or for any other purpose.  You should be installing ADFS on a fully patched Windows 2008 R2 server.  Create the CSR from the server that will be the primary ADFS server in the ADFS server farm.  Do not use the IIS certificate manager.  The request can be generated via certutil.exe or the Exchange cmdlets, but the GUI (Graphical User Interface) is the simplest approach for many people.  Don’t use a self-signed certificate or you will be cleaning up a mess when you finally move things into production.

VE Industries specializes in single sign on, ADFS, Azure, Office 365 and Active Directory.  We can help you with your ADFS implementation.  Contact us and we are happy to assist you.

Creating the CSR

To generate the CSR (Certificate Signing Request) for ADFS (Active Directory Federation Services) you have to use the Certificates MMC (Microsoft Management Console) snap-in or run certmgr.msc.  This will open the certificate store.  Right-click the Personal store and select All Tasks > Advanced Operations > Create Custom Request.  This will start the wizard.  Click Next and then overcome the first challenge: in the Certificate Enrollment Policy screen, click and highlight Proceed without enrollment policy.

Change the Template option to Legacy Key.

The next screen is where the details become important.

Settings for ADFS 2.0 SSL certificates

An ADFS 2.0 SSL certificate has a couple of critical settings.

  1. The URL of the ADFS server must be set in the Subject Name of the certificate as a common name (CN).  That means the veindustries.com implementation would be fs.veindustries.com, and the format of the subject name is CN=fs.veindustries.com.  You can use a SAN certificate (Subject Alternative Name certificate) if you like, to cover the other server names, but the Subject Name on the certificate will become the federation service name in ADFS, so don’t get it wrong.
  2. The key length must be 2048 bits or higher.
  3. The private key must be exportable.
  4. Don’t set the Subject Name to the server’s own host name.

Configure the certificate via Properties before clicking Next.  Add the subject name and any other server names using the Directory Name type.  I usually set the Friendly Name to the DNS name of the cert so it can be tracked easily later.  Set Server Authentication and Client Authentication under Enhanced Key Usage.  Update the private key options and the key length as well.
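The same request settings expressed as a certreq.exe INF file, as an added PowerShell example that is not from the original post.  It covers both the ADFS 3.0 request above (machine store, enterpriseregistration SAN for Workplace Join) and the ADFS 2.0 settings in this section (CN = federation service name, Legacy Key, 2048-bit or larger exportable key, Server and Client Authentication EKU).  The host names and file paths are placeholders to replace with your own.

```powershell
# Added example (not from the original post): build the ADFS CSR from an INF file with
# certreq.exe instead of the certlm.msc/certmgr.msc wizard. Host names are placeholders.
$FsName  = 'fs.veindustries.com'                      # federation service name (CN)
$WjName  = 'enterpriseregistration.veindustries.com'  # required SAN for Workplace Join
$InfPath = "$env:TEMP\adfs-request.inf"
$CsrPath = "$env:TEMP\adfs-request.csr"

@"
[NewRequest]
Subject = "CN=$FsName"
KeyLength = 4096            ; above the 2048-bit minimum, as the post recommends
Exportable = TRUE           ; needed to move the cert to other farm members as .PFX
MachineKeySet = TRUE        ; create the key in the Computer (machine) store
KeySpec = 1                 ; AT_KEYEXCHANGE: the "Legacy Key" (CSP) template
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyUsage = 0xA0             ; Digital Signature + Key Encipherment
HashAlgorithm = sha256
RequestType = PKCS10
FriendlyName = "$FsName"    ; track the cert by its DNS name later

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1     ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2     ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"        ; Subject Alternative Name
_continue_ = "dns=$FsName&"
_continue_ = "dns=$WjName"
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generate the request; the private key is created in the machine store now and the
# CSR file is what you submit to the CA.
certreq.exe -new $InfPath $CsrPath

# After the CA returns the signed certificate, bind it to the pending key:
#   certreq.exe -accept C:\path\to\issued-cert.cer
# Then confirm it landed in the machine Personal store with its private key attached:
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FsName" } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Run it in an elevated PowerShell session on the server that will be the primary ADFS server, since the private key is created on the machine that runs certreq -new.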

Installing the Cert

After you click OK, you can move on to exporting the request.  Upload the CSR to your favorite CA.  Once you have installed the issued cert you can continue with the ADFS configuration.  Because of a quirk in private key permissions and how Microsoft handles certificate requests and storage, you may receive an error such as Event ID 133.  See http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-federation-service-startup-and-shutdown-problems%28v=ws.10%29.aspx .  The ADFS service account needs permission to read the private key, and the private key needs to be in the same store as the certificate.  Let us help you!
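A check for the private-key permission problem described above, as an added PowerShell example that is not from the original post: it locates the certificate in the machine Personal store, finds the CSP key file behind it, and grants the ADFS service account Read access if it is missing.  It assumes a legacy CSP key (the Legacy Key template), and the thumbprint and service account name are placeholders.

```powershell
# Added example (not from the original post): verify that the ADFS service account can
# read the SSL certificate's private key, and grant Read if it cannot (the usual cause
# of Event ID 133 at service start). Assumes a legacy CSP key in the machine store.
$Thumbprint     = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder
$ServiceAccount = 'YOURDOMAIN\svc_adfs'            # placeholder ADFS service account

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "No private key is associated with $Thumbprint in the machine Personal store"
}
$csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $csp) {
    throw "Key is not a legacy CSP key; this check covers only Legacy Key requests"
}

# CSP machine keys are stored as files under ProgramData, named by the unique
# key container name, so the key's ACL is simply that file's ACL.
$keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' +
           $csp.CspKeyContainerInfo.UniqueKeyContainerName)
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -LiteralPath $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($hasRead) {
    "$ServiceAccount already has Read access to the private key."
} else {
    # Grant only Read: the service never needs to modify or export the key file.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, $readMask, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    "Granted Read access on $keyFile to $ServiceAccount."
}
```

Run it elevated on the ADFS server; if HasPrivateKey is false even though the request was created on this machine, certutil -repairstore my <thumbprint> re-links the certificate to its pending key before the permission check makes sense.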