
About This Guide

This guide provides step-by-step instructions for configuring a basic identity federation deployment between Microsoft Active Directory Federation Services 2.0 (AD FS 2.0) and Novell Access Manager (NAM) by using the Security Assertion Markup Language (SAML) 2.0 (http://go.microsoft.com/fwlink/?LinkId=193996) protocol, specifically its Web Browser SSO Profile and HTTP POST binding.

Terminology Used in This Guide


Throughout this document, there are numerous references to federation concepts that are called by different names in AD FS 2.0 and SAML documentation. The following table assists in drawing parallels between the two sets of terms.

AD FS 2.0 Name     SAML Name                  Concept
Security Token     Assertion                  A package of security information, describing a user, created and consumed during a federated access request
Claims Provider    Identity Provider (IDP)    Partner in a federation that creates security tokens for users
Relying Party      Service Provider (SP)      Partner in a federation that consumes security tokens for providing access to applications
Claims             Assertion attributes       Data about users that is sent inside security tokens

In this deployment, you have the option to configure one or both of the following two scenarios:
1. AD FS 2.0 as Claims Provider and NAM as Relying Party
2. NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider

Prerequisites and Requirements

1. Two servers, one to host AD FS 2.0 and the other to host NAM.
2. AD FS 2.0 is deployed: The test deployment that was created in the AD FS 2.0 Federation with a WIF Application Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=193997) is used as the starting point for this lab. That lab uses a single Windows Server 2008 R2 instance (fsweb.contoso.com) to host both the AD FS 2.0 federation server and a Windows Identity Foundation (WIF) sample application. It presumes the availability of a "Contoso.com" domain, in which fsweb.contoso.com is a member server. The same computer can act as the domain controller and federation server in test deployments.
3. NAM is deployed: The NAM environment in this lab is hosted by a fictitious company called nam.example.com. Only the Identity Server component of NAM is required for this federation. For more information about installation and deployment of NAM, refer to the NAM documentation (http://www.novell.com/documentation/novellaccessmanager31/).

Note: You can download the evaluation version of NAM from Novell's download portal (http://download.novell.com).

Linux Environment

NAM Environment: NAM 3.1 SP4 or 3.2 on SLES 11 SP1, 64-bit.

Note: NAM supports both Windows and Linux. In this guide, we discuss the identity federation deployment in the Linux environment.

Ensure IP Connectivity

Ensure that the NAM (nam.example.com) and AD FS 2.0 (fsweb.contoso.com) systems have IP connectivity between them. The Contoso.com domain controller, if running on a separate computer, does not require IP connectivity to the NAM system. Note that with the HTTP POST binding the SSO messages themselves travel through the user's browser; direct server-to-server connectivity is needed for fetching metadata, for CRL checking and for the artifact binding, and in this lab it is also the simplest way to retrieve the partner's metadata.

If a firewall is set up on the NAM host, open the ports required for the Identity Server to communicate with the Administration Console. For more information about these ports, see Setting Up Firewalls in the Novell Access Manager 3.1 SP4 Setup Guide.

For HTTPS communication, you can use iptables to allow TCP 8443 or 443. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP4 Identity Server Guide.

For back-channel communication with cluster members, you need to open two consecutive ports for the cluster, for example 7801 and 7802. The initial port (7801) is configurable. See Configuring a Cluster with Multiple Identity Servers in the Novell Access Manager 3.1 SP4 Identity Server Guide.

Configure Name Resolution

The hosts file on the AD FS 2.0 computer (fsweb.contoso.com) is used to configure name resolution of the partner federation servers and sample applications. After editing it, confirm that both nam.example.com and fsweb.contoso.com resolve on the computer where the browser runs (in this lab the AD FS 2.0 computer), since the SSO redirects between the two servers go through the browser and fail if either name does not resolve.

Verify Clock Synchronization

Federation events have a short time to live (TTL): an assertion carries NotBefore and NotOnOrAfter conditions that the receiving side checks against its own clock. To avoid errors based on time-outs, ensure that both computers have their clocks synchronized.

Note: For information about how to synchronize a Windows Server 2008 R2 domain controller to an Internet time server, see article 816042 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=60402). On SLES 11, use the command sntp -P no -p pool.ntp.org to synchronize time with the Internet time server.
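As an added example (not code from this guide, from AD FS 2.0 or from NAM), the following Python shows the check that a clock-drift error actually trips: the receiving side compares the assertion's NotBefore and NotOnOrAfter conditions, its bearer confirmation data and its audience against its own clock, allowing a tolerated skew. The assertion, host names, timestamps and the 5-minute skew are constructed for illustration and are not the products' settings.

```python
"""Validity-window check a SAML 2.0 receiver performs on an incoming assertion.
Added example for this guide; not code from the guide, from AD FS 2.0 or from
NAM. The assertion, hosts, timestamps and the skew allowance are constructed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UTC = dt.timezone.utc

# Constructed sample: a bearer assertion as NAM (the IdP) would send to AD FS 2.0
# (the SP) in this guide's first scenario. Signature omitted; this checks time only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2012-03-01T10:00:00Z">
  <saml:Issuer>https://nam.example.com:8443/nidp/saml2/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:o asis:names:tc:SAML:1.1:nameid-format:unspecified">john@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2012-03-01T10:05:00Z"
          Recipient="https://fsweb.contoso.com/adfs/ls/"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-03-01T09:59:00Z" NotOnOrAfter="2012-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://fsweb.contoso.com/adfs/services/trust</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

ADFS_AUDIENCE = "http://fsweb.contoso.com/adfs/services/trust"  # AD FS 2.0 entity ID (lab value)
ADFS_ACS = "https://fsweb.contoso.com/adfs/ls/"                  # AD FS 2.0 POST endpoint (lab value)


def parse_instant(value):
    """SAML dateTime values are UTC ('Z'); fractional seconds are optional."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=UTC)


def check_assertion(xml_text, now, audience=ADFS_AUDIENCE, recipient=ADFS_ACS, skew_minutes=5):
    """Return (accepted, reason) for a receiver whose clock reads `now` (UTC datetime).
    `skew_minutes` is how far the two clocks may disagree before the assertion is rejected."""
    skew = dt.timedelta(minutes=skew_minutes)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    # A receiver running behind the issuer sees an assertion "from the future".
    if now + skew < not_before:
        return False, "not yet valid: receiver clock is behind the issuer"
    # A receiver running ahead of the issuer sees a fresh assertion as already expired.
    if now - skew >= not_on_or_after:
        return False, "expired: receiver clock is ahead of the issuer, or the assertion is stale"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, f"audience mismatch: {audiences}"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, recipient):
            return False, f"recipient mismatch: {scd.get('Recipient')}"
        expiry = scd.get("NotOnOrAfter")
        if expiry and now - skew >= parse_instant(expiry):
            return False, "bearer confirmation expired"
    return True, "accepted"


def receiver_clock(hhmm):
    """Receiver clock on the sample day, e.g. '10:02' -> 2012-03-01T10:02:00Z."""
    hour, minute = (int(p) for p in hhmm.split(":"))
    return dt.datetime(2012, 3, 1, hour, minute, tzinfo=UTC)


if __name__ == "__main__":
    for label, clock in (("in sync", "10:02"), ("10 min ahead", "10:12"), ("10 min behind", "09:50")):
        print(f"receiver clock {label:13s}: {check_assertion(SAMPLE_ASSERTION, receiver_clock(clock))}")
```

Run it to see the same assertion accepted by a receiver that is in sync, rejected as expired by one running 10 minutes ahead, and rejected as not yet valid by one running 10 minutes behind. Raising the skew hides the drift but also widens the replay window for a captured assertion, which is why synchronizing the clocks, not loosening the check, is the right fix.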

Configuring NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider

This section explains how to configure a setup in which a user authenticated by NAM gets federated access to the WIF sample application through AD FS 2.0. This setup uses the SAML 2.0 POST profile. This section includes:
- Configuring NAM
- Configuring AD FS 2.0

Configuring NAM

This section includes:
- Adding a new service provider connection using metadata
- Exporting Identity Provider metadata to a file

Note: To deploy this identity federation on NAM 3.1 SP3 and above, create a new authentication contract with the URI urn:oasis:names:tc:SAML:2.0:ac:classes:Password and the Name/Password - Form method.

Adding a New Service Provider Connection Using Metadata

Use the AD FS metadata to add AD FS 2.0 as a service provider in NAM.

To Get AD FS 2.0 Metadata (Trim AD FS Metadata for NAM)

1. Access the AD FS server metadata URL: https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml
2. Save the AD FS metadata file.
3. Open the saved AD FS metadata file in Notepad, WordPad, or any XML editor.
4. Remove the <RoleDescriptor> elements from the metadata. AD FS publishes these WS-Federation role descriptors alongside the SAML 2.0 SPSSODescriptor and IDPSSODescriptor, and the NAM importer does not use them. For example, remove the following elements:
   <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
5. Save the changes.

To Add a New Service Provider Connection Using Metadata

1. In the NAM Administration Console, select Devices > Identity Server > Edit > SAML 2.0.
2. Click New > Add Service Provider.
3. Specify a name by which you want to refer to the provider in the Name field.
4. Select Metadata Text from the Source list.
5. Paste the trimmed AD FS metadata in the Text field.
6. Click Next > Finish.
7. Update Identity Server.

To Add AD FS Server Trusted Certificate Authority

1. Download the certificate of the CA that issued the AD FS server certificates from the AD FS server.
2. In the NAM Administration Console, select Security > Certificates > Trusted Roots.
3. Click Import.
4. Specify a name for the certificate and browse for the AD FS CA certificate.
5. Click OK.
6. Click the uploaded AD FS CA.
7. Click Add to Trusted Store and select config store.
8. Update Identity Server.

To Create Attribute Set in NAM

1. In the NAM Administration Console, select Devices > Identity Servers > Shared Settings > Attribute Sets, and click New.
2. Provide the attribute set name as adfs-attributes.
3. Click Next with the default selections.
4. In the Create Attribute Set section, click New.
5. Select ldapattribute mail from the Local attribute list.
6. Specify email in the Remote attribute field.
7. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from the Remote namespace list.
8. Click OK.
9. Click New again to add the cn attribute.
10. Select ldapattribute cn from the Local attribute list.
11. Specify name in the Remote attribute field.
12. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from the Remote namespace list.
13. Click OK.
14. Update Identity Server.

The namespace matches the one AD FS 2.0 uses for its built-in claim types, so cn arrives at AD FS as the Name claim that the pass-through rule configured later in this section expects.

To Configure a Service Provider in NAM

1. Select the ADFS service provider in the SAML 2.0 tab.
2. Click Authentication Response.
3. Set Binding to POST.
4. For the name identifier format default value, select Unspecified along with the defaults.
5. Click Attributes.
6. Select adfs-attributes from the Attribute set list.
7. Move the attributes to be sent with the authentication response from the right list to the left (for example, mail and cn).
8. Click OK.
9. Update Identity Server.

Export Identity Provider Metadata to a File

Access https://<Identity Server IP or DNS name>:8443/nidp/saml2/metadata in a browser and save the page as an XML file, for example nam_metadata.xml. AD FS 2.0 uses this file to automate the setup of the NAM Claims Provider trust. Because the file is transferred by hand, compare the X509Certificate it contains with the signing certificate shown in the NAM Identity Server configuration before importing it on the AD FS side.

Configuring AD FS 2.0

This section includes:
- Adding a claims provider using metadata
- Editing claim rules for the claims provider trust
- Editing claim rules for the WIF sample application
- Changing the AD FS 2.0 signature algorithm

Adding a Claims Provider Using Metadata

Use the metadata import capability of AD FS 2.0 to create the Example.com claims provider. The metadata includes the public key that is used to validate security tokens signed by NAM.

To Add a Claims Provider Using Metadata

1. In AD FS 2.0, in the console tree, right-click the Claims Provider Trusts folder, and then click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.
2. Click Start.
3. On the Select Data Source page, select Import data about the claims provider from a file.
4. In the Federation metadata file location field, click Browse.
5. Navigate to the location where you saved nam_metadata.xml earlier, click Open, and then click Next.
6. On the Specify Display Name page, enter NAM Example.
7. Click Next > Next > Close.

Editing Claim Rules for a Claims Provider Trust

The following claim rules describe how the data from NAM is used in the security token that is sent to the WIF sample application. Acceptance transform rules act as an allow-list: an incoming claim that no rule passes through is dropped.

To Edit Claim Rules for a Claims Provider Trust

1. Open the Edit Claim Rules window. Or, in the AD FS 2.0 center pane, under Claims Provider Trusts, right-click NAM Example, and then click Edit Claim Rules.
2. In the Acceptance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
4. Click Next.
5. On the Configure Claim Rule page, use the following values:
   Name                        Value
   Claim rule name             Name ID Rule
   Incoming claim type         Name ID
   Incoming name ID format     Unspecified
6. Select Pass through all claim values and click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
9. Click Next.
10. On the Configure Claim Rule page, use the following values:
   Name                        Value
   Claim rule name             Name Rule
   Incoming claim type         Name
11. Leave the Pass through all claim values option selected and click Finish.
12. To acknowledge the security warning, click Yes. (AD FS warns that passing through all values lets the claims provider assert any value for this claim type; for this lab that is acceptable.)
13. Click OK.

Editing Claim Rules for the WIF Sample Application

At this point, incoming claims have been received at AD FS 2.0, but rules that describe what to send to the WIF sample application have not yet been created. Edit the existing claim rules for the sample application to take into account the new NAM external claims provider.

To Edit the Claim Rules for the WIF Sample Application

1. In AD FS 2.0, click Relying Party Trusts.
2. Right-click WIF Sample App, and then click Edit Claim Rules.
3. In the Issuance Transform Rules tab, click Add Rule.
4. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim > Next.
5. On the Configure Claim Rule page, enter the following values:
   Name                        Value
   Claim rule name             Pass Name Rule
   Incoming claim type         Name
6. Leave the Pass through all claim values option selected, and then click Finish.
7. In the Issuance Transform Rules tab, click Add Rule.
8. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim.
9. Click Next.
10. On the Configure Claim Rule page, enter the following values:
   Name                        Value
   Claim rule name             Pass Name ID Rule
   Incoming claim type         Name ID
   Incoming name ID format     Unspecified
11. Leave the Pass through all claim values option selected, and then click Finish.
12. Click OK.

Note: If you configured the optional Step 6: Change Authorization Rules when you were testing the original AD FS 2.0 with WIF Step-by-Step Guide deployment, ensure that you add back the Permit All Users issuance authorization rule for the WIF sample application before testing this scenario. Or, as an alternative, add a new Permit or Deny Users Based on an Incoming Claim rule allowing the incoming Name ID = john@example.com to access the application.

Changing AD FS 2.0 Signature Algorithm

By default, NAM uses the Secure Hash Algorithm 1 (SHA-1) for signing operations. By default, AD FS 2.0 expects partners to use SHA-256. Complete the following steps to set AD FS 2.0 to expect SHA-1 for interoperability with NAM. SHA-1 signatures are deprecated, so treat this as an interoperability workaround: move the partner to SHA-256 as soon as its version supports it rather than leaving a production trust on SHA-1.

Note: The same procedure is recommended for AD FS 2.0 Relying Party Trusts that use NAM. If the NAM SP signs AuthnRequests, artifact resolution requests, or logout requests, AD FS 2.0 errors will occur unless this signature algorithm setting is changed.

To Change AD FS 2.0 Signature Algorithm

1. In AD FS 2.0, click Claims Provider Trusts.
2. Right-click NAM Example > Properties.
3. In the Advanced tab, select SHA-1 in the Secure hash algorithm list.
4. Click OK.
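To find out which algorithm a partner really signs with before changing the trust, here is an added example (not code from this guide, from AD FS 2.0 or from NAM) that reads the signature algorithm from a captured SAML message and compares it with the trust's Secure hash algorithm setting. It handles both the POST binding, where the algorithm sits in ds:SignedInfo, and the HTTP-Redirect binding, where it travels in the SigAlg query parameter. The sample Response, the redirect URL and the placeholder signature and digest values are constructed.

```python
"""Read the signature algorithm a partner actually used, so the trust's
'Secure hash algorithm' setting can be matched to it. Added example for this
guide; not code from the guide, from AD FS 2.0 or from NAM. Both sample
messages are constructed (signature and digest values are placeholders)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

DS = "http://www.w3.org/2000/09/xmldsig#"

# XML-DSig / RFC 4051 algorithm URIs -> the name AD FS 2.0 shows in the trust's Advanced tab
HASH_OF_ALGORITHM = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}

# Constructed: a SAML Response signed with RSA-SHA1 (NAM's default) as carried by the POST binding.
SIGNED_RESPONSE_SHA1 = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS}" ID="_constructed-r1" Version="2.0" IssueInstant="2012-03-01T10:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed-r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""

# Constructed: the same question for the HTTP-Redirect binding, where the algorithm
# travels in the SigAlg query parameter rather than inside the XML.
REDIRECT_REQUEST_SHA256 = (
    "https://fsweb.contoso.com/adfs/ls/?SAMLRequest=placeholder&RelayState=x"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
    "&Signature=placeholder"
)


def signature_algorithm(message):
    """Return the signature algorithm URI of `message`, which is either a signed SAML
    XML document (POST binding) or a redirect-binding URL; None if it is unsigned."""
    if message.lstrip().startswith("<"):
        root = ET.fromstring(message)
        node = root.find(f".//{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        return None if node is None else node.get("Algorithm")
    params = parse_qs(urlsplit(message).query)
    if "SigAlg" in params and "Signature" in params:
        return params["SigAlg"][0]
    return None


def check_trust_setting(message, adfs_setting):
    """Compare the partner's algorithm with the trust's 'Secure hash algorithm'
    setting ('SHA-1' or 'SHA-256'). Returns (ok, detail)."""
    alg = signature_algorithm(message)
    if alg is None:
        return True, "message is unsigned; the setting does not apply"
    partner = HASH_OF_ALGORITHM.get(alg)
    if partner is None:
        return False, f"unrecognised signature algorithm {alg}"
    if partner != adfs_setting:
        return False, f"partner signs with {partner} but the trust expects {adfs_setting}"
    if partner == "SHA-1":
        return True, "both use SHA-1 (deprecated: move the partner to SHA-256 when it supports it)"
    return True, f"both use {partner}"


if __name__ == "__main__":
    print(check_trust_setting(SIGNED_RESPONSE_SHA1, "SHA-256"))   # AD FS 2.0 default: mismatch
    print(check_trust_setting(SIGNED_RESPONSE_SHA1, "SHA-1"))     # after setting the trust to SHA-1
    print(check_trust_setting(REDIRECT_REQUEST_SHA256, "SHA-256"))
```

Capture the SAMLResponse form field (base64-decode it first) or the redirect URL with the browser's developer tools and pass it to check_trust_setting; a reported mismatch is the condition that produces the AD FS 2.0 errors described above.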

Certification Authority-Issued Signing/Encryption Certificates

For security reasons, production federation deployments require the use of digitally signed security tokens, and as an option allow encryption of security token contents. Self-signed certificates, which are generated from inside the AD FS 2.0 and NAM products, are used for signing security tokens. As an alternative, organizations can use a certificate that is issued by a certificate authority (CA) for signing and encryption. The primary benefit of using certificates that a CA issues is the ability to check for possible certificate revocation against the certificate revocation list (CRL) from the issuing CA.

Both in AD FS 2.0 and in NAM, CRL checking is enabled by default for all partner connections if the certificate being used by the partner includes a CRL Distribution Point (CDP) extension. This has implications in federation deployments between NAM and AD FS 2.0: if a signing/encryption certificate provided by one side of a federation includes a CDP extension, that location must be accessible by the other side's federation server. Otherwise, CRL checking fails, resulting in a failed access attempt. Note that CDP extensions are added by default to certificates that are issued by Active Directory Certificate Services (AD CS) in Windows Server 2008 R2. If the signing/encryption certificate does not include a CDP extension, no CRL checking is performed by AD FS 2.0 or NAM.

Disabling revocation checking, as shown below, removes the ability to reject a partner whose signing key has been compromised and revoked. For a test lab this is acceptable; in production, make the CDP location reachable from the partner federation server instead.

To Disable CRL Checking Option

In the Linux Identity Provider:
1. Modify the /var/opt/novell/tomcat5/conf/tomcat5.conf file and add JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false" (in NAM 3.1 SP3 and 3.1 SP4).
2. Modify the /var/opt/novell/tomcat7/conf/tomcat7.conf file and add JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false" (in NAM 3.2).
The option is read at JVM start, so restart the Identity Server's Tomcat instance afterwards.

In AD FS 2.0:
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the PowerShell prompt:
   Set-ADFSClaimsProviderTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

Note: You can make many configuration changes to AD FS 2.0 using the Windows PowerShell command-line and scripting environment. For more information, see the AD FS 2.0 Windows PowerShell Administration section of the AD FS 2.0 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=194005) and the AD FS 2.0 Cmdlets Reference (http://go.microsoft.com/fwlink/?LinkId=177389).

Test NAM as Claims Provider and AD FS 2.0 as Relying Party

In this scenario, John from Example.com accesses the Contoso WIF sample application.

Note: Clear all the cookies in Internet Explorer on the AD FS 2.0 computer (fsweb.contoso.com). To clear the cookies, click Tools > Internet Options > Delete under Browsing History, and then select cookies for deletion.

Accessing the WIF Sample Application

1. On the AD FS 2.0 computer, open a browser window, and then navigate to https://fsweb.contoso.com/ClaimsAwareWebAppWithManagedSTS/default.aspx
2. The first page prompts you to select your organization from a list. Select NAM Example, and then click Continue to sign in.
   Note: This page did not appear in the previous example when you were redirected to AD FS 2.0, because at that point there was only one identity provider registered in AD FS 2.0. When only one identity provider is available, AD FS 2.0 forwards the request to that identity provider by default.
3. The NAM login page appears. Enter the user name john, type the password test, and then click Login.

Configuring AD FS 2.0 as Claims or Identity Provider and NAM as Relying Party or Service Provider

This section explains how to configure a setup in which a user authenticated by AD FS 2.0 gets federated access to an application protected by Novell Access Manager (NAM). The setup uses the SAML 2.0 POST profile.

Configuring NAM

This section discusses how to add a new Identity Provider connection using metadata.

Adding a New Identity Provider Connection Using Metadata

The AD FS metadata is used to add AD FS 2.0 as an identity provider in NAM.

To Get AD FS 2.0 Metadata

1. Access the AD FS server metadata URL: https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml
2. Save the AD FS metadata file.
3. Open the AD FS metadata file in Notepad (or WordPad or an XML editor).
4. Remove the <RoleDescriptor> elements from the metadata. For example, remove the following elements:
   <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
5. Save the changes.
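The trimming step above, done by script rather than by hand, as an added example (not code from this guide, from AD FS 2.0 or from NAM). It removes the RoleDescriptor elements, drops the metadata signature that the edit invalidates, and summarizes what NAM will import so it can be compared with the AD FS console. The same script serves the identical trimming procedure in the first scenario. SAMPLE_METADATA is a constructed, abbreviated stand-in for FederationMetadata.xml using the lab host names and placeholder certificates.

```python
"""Trim AD FS 2.0 federation metadata for pasting into NAM and report what the
NAM importer will see. Added example for this guide; not code from the guide,
from AD FS 2.0 or from NAM. SAMPLE_METADATA is a constructed, abbreviated
stand-in for FederationMetadata.xml using the lab host names."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
for prefix, uri in (("", MD), ("ds", DS), ("fed", FED), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)   # keep the familiar prefixes when serialising

# Constructed stand-in for what AD FS 2.0 publishes: WS-Federation RoleDescriptors next to
# the SAML SP and IdP roles, the whole document signed with the token-signing certificate.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" xmlns:fed="{FED}" xmlns:xsi="{XSI}"
    ID="_constructed" entityID="http://fsweb.contoso.com/adfs/services/trust">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <fed:PassiveRequestorEndpoint/>
  </RoleDescriptor>
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-signing-cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-encryption-cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="{POST}" Location="https://fsweb.contoso.com/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-signing-cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://fsweb.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def trim_for_nam(xml_text):
    """Remove the WS-Federation <RoleDescriptor> elements (the NAM importer does not use
    them) and the enveloped <ds:Signature>, which can no longer verify once the document
    has been edited. Returns (trimmed_xml, number_of_roledescriptors_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for child in list(root):
        if child.tag == f"{{{MD}}}RoleDescriptor":
            root.remove(child)
            removed += 1
        elif child.tag == f"{{{DS}}}Signature":
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def summarize(xml_text):
    """What the partner will import: entity ID, the remaining roles, each role's
    HTTP-POST endpoints and how many certificates it carries."""
    root = ET.fromstring(xml_text)
    roles = {}
    for role in root:
        name = role.tag.rsplit("}", 1)[-1]
        roles[name] = {
            "certs": len(role.findall(f".//{{{DS}}}X509Certificate")),
            "post_endpoints": [e.get("Location") for e in role if e.get("Binding") == POST],
        }
    return {"entity_id": root.get("entityID"), "roles": roles}


if __name__ == "__main__":
    trimmed, n = trim_for_nam(SAMPLE_METADATA)
    print(f"removed {n} RoleDescriptor element(s)")
    print(summarize(trimmed))
```

Check the summary against the AD FS console before pasting: the SPSSODescriptor should carry the token-signing and token-decrypting certificates shown under Service > Certificates, and the POST endpoint should be the /adfs/ls/ URL of your federation server. Because the document's signature is removed by the edit, that manual comparison is the only thing authenticating the pasted text.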

To Add a New Identity Provider Connection Using Metadata

1. In the NAM Administration Console, select Devices > Identity Server.
2. Click Edit.
3. Select SAML 2.0.
4. Click New > Identity Provider.
5. Enter the name as ADFS in the Name field.
6. Select Metadata Text from the Source list.
7. Paste the trimmed AD FS metadata text in the Text field.
8. Click Next.
9. Specify an alphanumeric value that identifies the card in the ID field.
10. Specify the image to be displayed on the card in the Image field.
11. Update Identity Server.

To Add AD FS Server Trusted Certificate Authority

1. Download the certificate of the CA that issued the AD FS server certificates from the AD FS server.
2. In the NAM Administration Console, select Security > Certificates.
3. Select Trusted Roots.
4. Click Import.
5. Enter the certificate name, and browse for the AD FS CA certificate.
6. Click OK.
7. Click the uploaded AD FS CA.
8. Click Add to Trusted Store and select config store.
9. Update Identity Server.

To Configure Identity Provider in NAM

1. Select the AD FS Identity Provider in the SAML 2.0 tab.
2. Click Authentication Card > Authentication Request.
3. Set Response Protocol Binding to POST.
4. Set NAME Identifier Format to Transient.
5. Click OK.
6. Update Identity Server.

Configure AD FS 2.0

This section discusses:
- Adding a Relying Party using metadata
- Editing Claim Rules for the Relying Party Trust

Adding a Relying Party Using Metadata

The metadata import capability of AD FS 2.0 is used to create the Relying Party trust. The metadata includes NAM's signing certificate, which AD FS 2.0 uses to validate the SAML requests (for example, authentication and logout requests) that NAM signs, and, if present, its encryption certificate, which AD FS 2.0 uses to encrypt the tokens it sends to NAM.

To Add a Relying Party Using Metadata

1. In AD FS 2.0, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to start the Add Relying Party Trust Wizard.
2. Click Start.
3. On the Select Data Source page, select Import data about the relying party from a file.
4. In the Federation metadata file location section, click Browse.
5. Navigate to the location where you saved nam_metadata.xml earlier, click Open > Next.
6. On the Specify Display Name page, enter NAM Example.
7. Click Next > Next > Close.

Editing Claim Rules for a Relying Party Trust

This section describes how data from AD FS is used in the security token that is sent to NAM.

To Edit Claim Rules for a Relying Party Trust

1. The Edit Claim Rules dialog box should already be open. If not, in the AD FS 2.0 center pane, under Relying Party Trusts, right-click NAM Example, and then click Edit Claim Rules.
2. In the Issuance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, leave the Send LDAP Attributes as Claims option selected, and then click Next.
4. On the Configure Claim Rule page, enter Get attributes in the Claim rule name field.
5. Select Active Directory from the Attribute Store list.
6. In the Mapping of LDAP attributes section, create the following mappings:
   LDAP Attribute          Outgoing Claim Type
   UserPrincipalName       UPN
   Mail                    E-Mail Address
7. Click Finish.
8. In the Issuance Transform Rules tab, click Add Rule.
9. On the Select Rule Template page, select Transform an Incoming Claim, and then click Next.
10. On the Configure Claim Rule page, use the following values:
   Name                        Value
   Claim rule name             Transient Name ID Mapping Rule
   Incoming claim type         E-Mail Address
   Outgoing claim type         Name ID
   Outgoing name ID format     Transient Identifier
11. Click Finish.

Changing AD FS 2.0 Signature Algorithm

By default, NAM uses the Secure Hash Algorithm 1 (SHA-1) for signing operations, and by default AD FS 2.0 expects partners to use SHA-256. Perform the following steps to set AD FS 2.0 to expect SHA-1 on the relying party trust, so that requests signed by the NAM service provider are accepted. (SHA-1 is deprecated; prefer SHA-256 when the NAM version in use supports it.)

1. In AD FS 2.0, click Relying Party Trusts, then right-click NAM Example > Properties.
2. In the Advanced tab, select SHA-1 in the Secure hash algorithm list.
3. Click OK.

Certification Authority-Issued Signing/Encryption Certificates

This section includes:
- Disabling CRL Checking Option in Linux Identity Provider
- Disabling CRL Checking Option in AD FS 2.0

For more information about signing/encryption certificates, see Certification Authority-Issued Signing/Encryption Certificates in the first scenario.

Disabling CRL Checking Option in Linux Identity Provider

1. Modify the /var/opt/novell/tomcat5/conf/tomcat5.conf file and add JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false" (in NAM 3.1 SP3 and 3.1 SP4).
2. Modify the /var/opt/novell/tomcat7/conf/tomcat7.conf file and add JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false" (in NAM 3.2).

To Disable CRL Checking Option in AD FS 2.0

1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the PowerShell prompt:
   Set-ADFSRelyingPartyTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

AD FS 2.0 Encryption Strength

In AD FS 2.0, encryption of outbound assertions is enabled by default. Assertion encryption occurs for any Relying Party or service provider for which AD FS 2.0 possesses an encryption certificate. When it performs encryption, AD FS 2.0 uses 256-bit Advanced Encryption Standard (AES) keys, or AES-256. In contrast, NAM by default supports a weaker algorithm (AES-128). Failing to reconcile these conflicting defaults can result in failed SSO attempts. One way of addressing this issue is the following:

Disabling encryption in AD FS 2.0

Without assertion encryption, the claims in the token are protected only by TLS and by the token signature, and anyone who can read the browser's POST body (including the user) can see them. That is acceptable in this lab; in production, prefer reconciling the algorithm on the NAM side to turning encryption off.

To disable the encryption in AD FS 2.0, complete the following steps:
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the Windows PowerShell prompt:
   Set-ADFSRelyingPartyTrust -TargetName "NAM Example" -EncryptClaims $False

References: AD FS 2.0 Basics

This section includes:
- Configuring the token-decrypting certificate
- Adding CA certificates to AD FS 2.0
- Debugging AD FS 2.0

Configuring the Token-Decrypting Certificate

1. Open the AD FS 2.0 Management tool: click Start > Administrative Tools > AD FS 2.0 Management.
2. In the left pane, expand the Service folder and click Certificates.
3. In the Certificates section, select Add Token-Decrypting Certificate. While configuring the token-decrypting certificate, an error may occur prompting you to run the following PowerShell commands first:
   Add-PSSnapin Microsoft.Adfs.PowerShell
   Set-ADFSProperties -AutoCertificateRollover $false
   Run them, then select the other certificate. The certificate must be installed on the server; the server certificates are managed in IIS Manager:
4. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
5. Click the server name.
6. Click Server Certificates in the IIS section.

Adding CA Certificates to AD FS 2.0

1. In Windows, click Start > Run and enter mmc.
2. Add the Certificates snap-in, choosing Service account as the account whose certificates the snap-in manages.
3. Select the AD FS service.
4. Import the CA certificate into Trusted Root Certification Authorities.

Debugging AD FS 2.0

In Event Viewer, open Applications and Services Logs > AD FS 2.0. You can find troubleshooting help here:
http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems%28WS.10%29.aspx
http://64.4.11.252/fr-fr/library/adfs2-troubleshooting-certificate-problems%28WS.10%29.aspx

PowerShell Commands Help

http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/adfs2-powershell-examples%28WS.10%29.aspx
