Perhaps Tomasz and I should blog about this more for now. :)
Yeah, you guys do that please!
This looks like it's taking off, and some of it is a real black art for some
infrastructure people...
--Paul
----- Original Message -----
From: "Joe Kaplan" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, September 25, 2006 12:10 AM
Subject: Re: [ActiveDir] ADFS and certs
Yeah, the real step by step guide isn't so bad per se. What it tries to
do is give you a simple path to having an easy demo set up of ADFS going
so you can kick the tires. For that, it is ok. Where it doesn't cross
the gap very well is in providing guidance on how to apply the lessons
learned to real scenarios.
Because ADFS relies on certificates for both SSL/HTTP and the signing of
security tokens, you need certificates to use it. In order to get through
the step by step guide successfully, they chose to use the self-issued
model, as it is really the only simple way to get SSL certs without
spending money or setting up a CA. However, it does leave you with
self-signed certs, which is not where you want to end up.
I think that either the step by step guide needs to provide more guidance
and explanation of the steps and how to apply them, or the other
documentation for ADFS needs to fill this gap. As it stands now, there is
still no good guidance on how to procure your certificates and what the
various trade-offs are for the possible ways to go about this. People who
already know PKI will be able to fill in the details, but many people will
be left scratching their heads.
Perhaps Tomasz and I should blog about this more for now. :)
Joe K.
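An added example, not from Joe's or Tomasz's posts: a PowerShell audit of the ADFS server's machine certificate store that flags self-signed certificates (issuer equals subject) and reports whether each one chains to a trusted root, so the self-signed leftovers from the step-by-step guide are easy to spot before they reach production. $AdfsHostName is an assumed placeholder for your federation service name.

```powershell
# Added example (not from the thread): list certificates in the local
# machine's Personal store, mark the self-signed ones and show chain status.
# Assumes an elevated PowerShell session on the ADFS server.
$AdfsHostName = 'adfs.example.com'   # assumption: your federation service FQDN

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip online revocation checks so the audit works offline; the result
    # still shows whether the chain terminates at a trusted root.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [PSCustomObject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        # Subject == Issuer is the self-signed heuristic; note that genuine
        # root CA certificates are self-signed too, so review those by hand.
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        NotAfter    = $cert.NotAfter
        MatchesAdfs = ($cert.Subject -like "*CN=$AdfsHostName*")
    }
} | Sort-Object SelfSigned -Descending | Format-Table -AutoSize
```

Any row with SelfSigned true and MatchesAdfs true is an SSL or token-signing certificate that partners will not trust without manually importing it, which is exactly the situation the guide leaves you in.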
----- Original Message -----
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs
Rick Kingslan wrote:
Joe, Tomasz -
Yep, you're right that it may tend to show a bad precedent for people to
follow. I haven't taken a look at these particular labs (and having
just come back from a long hiatus, I didn't see the referenced lab) but
is the guidance there as to what Best or Preferred Practices SHOULD BE?
You can check this lab here:
http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en
No, you will not find any guidance on best practices there, and maybe
this is not the best place, but I'm not aware of any other ADFS-related
doc which deals in detail with best practices and description of usage
for certificates in ADFS deployment.
If not, I find that a bigger problem than the fact that self-certs
are being used at all.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx