Freigeben über


AD FS Configuration – SSL certificate must be from a public certificate authority

We’re seeing a lot of activity in configuring environments for use of the AX mobile apps. One of the more complex steps in the configuration is setting up Active Directory Federation Services (AD FS).  One consistent issue we are seeing is lack of an SSL cert issued from a certificate authority (CA). Since the mobile app is exchanging credentials and tokens with AD FS, SSL is used to avoid eavesdropping on that exchange.  

In some cases a “self-signed” or “self-issued” cert is being used. Unfortunately in that case the mobile app won’t make an authentication request to AD FS since SSL isn’t correctly enabled. In order to use SSL, the site to which the mobile app is communicating (in this case AD FS) must have an SSL certificate issued from a recognized CA. The CA validates that the certificate is being issued to the owner of the domain from which the mobile app requests authentication. The cost for SSL certs ranges from less than 100 USD and up.

There is also another certificate involved in AD FS configuration known as the token signing cert. The purpose of that cert is to sign the token which is being provided to the mobile app after authenticating the user’s credentials. The token signing cert can be self-signed and does not need to be issued from a CA.

Following are some helpful references:

Here’s a link which explains the certificate requirements for AD FS https://technet.microsoft.com/en-us/library/dd807040(v=ws.10).aspx

This article explains the process to request a cert from a CA https://msdn.microsoft.com/en-us/library/windowsazure/gg981937.aspx.

For general information about SSL, refer to this article https://msdn.microsoft.com/en-us/library/windows/desktop/aa364691(v=vs.85).aspx.

Hopefully that will help clear up some of the confusion about SSL certs and AD FS.

Comments

  • Anonymous
    March 04, 2014
    There's really no excuse with people like startssl giving fully trusted ones away for free and even the pay for ones being so cheap these days.  Though it strikes me as odd that you guys don't provide them to your customers when you buy windows server.
  • Anonymous
    March 12, 2014
    Simon, appreciate your comment - good point about low or no-cost SSL certs.  Regarding your question about providing certs with windows. I don't speak for the windows team, but to be clear Microsoft does not operate as a certificate authority.  So that's why we defer to 3rd-party CAs to issue SSL certs.thanks!!
  • Anonymous
    April 01, 2014
    can wild card certs be used?thanks
  • Anonymous
    April 04, 2014
    Hi Phill, that's a great question! It's not a scenario that we've actively tested. I'll take a look and get back to you with more information.Thanks!
  • Anonymous
    April 15, 2014
    The comment has been removed
  • Anonymous
    September 25, 2014
    You can get it to work with a self-signed certificate, but you'll need to import that certificate on you mobile device. This did the job on my Windows Phone (7.8), but doesn't seem to work on an iPhone