Re: [ActiveDir] ADFS and certs

Sun, 24 Sep 2006 16:10:45 -0700

Yeah, the real step by step guide isn't so bad per say. What it tries to do is give you a simple path to having an easy demo set up of ADFS going so you can kick the tires. For that, it is ok. Where it doesn't cross the gap very well is in providing guidance on how to apply the lessons learned to real scenarios.
Because ADFS relies on certificates for both SSL/HTTP and the signing of security tokens, you need certificates to use it. In order to get through the step by step guide successfully, they chose to use the self-issued model, as it is really the only simple way to get SSL certs without spending money or setting up a CA. However, it does leave you with self-signed certs, which is not where you want to end up. 


I think that either the step by step guide needs to provide more guidance 
and explanation of the steps and how to apply them, or the other 
documentation for ADFS needs to fill this gap.  As it stands now, there is 
still no good guidance on how to procure your certificates and what the 
various trade-offs are for the possible ways to go about this.  People who 
already know PKI will be able to fill in the details, but many people will 
be left scratching their heads.


Perhaps Tomasz and I should blog about this more for now.  :)

Joe K.


----- Original Message ----- 
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>

To: <ActiveDir@mail.activedir.org>
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs



Rick Kingslan wrote:

Joe, Tomasz -


Yep, you're right that it may tend to show a bad precedent for people to 
follow.  I haven't taken a look at these particular labs (and having just 
come back from a long hiatus, I didn't see the referenced lab) but is the 
guidance there as to what Best or Preferred Practices SHOULD BE?


You can check this lab here:
http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en


No You will not find there any guidance on best practices there and maybe 
this is not the best place, but I'm not aware of any other ADFS related 
doc which deals in details with best practices and description of usage 
for certificates in ADFS deployment.



If not - I find that the bigger problem than the fact that self-certs are 
being used at all.



--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx 


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx






















					Reply via email to