Certificate for ADFS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I would like to install the ADFS role on a Domain Controller and use a Let's Encrypt certificate to complete the ADFS configuration.

I will run the ACME client on the DC and follow the prompts to complete the process. Where and how do I provide the ADFS certificate name (i.e. I want the certificate called adfs.ramlan.ca)?

My domain is: ramlan.ca

I ran this command:

It produced this output:

My web server is (include version): IIS 10 on Domain Controller

The operating system my web server runs on is (include version): Windows Server 2019 v1809

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes - As Admin

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

That's going to depend entirely on what client you use. For certbot, as with many other CLI clients, you'd add -d adfs.ramlan.ca to the command.

I will be using the ACME client. For creating a certificate, should I use option N or M and thereafter…

Here is the screenshot:

I’m not in the least familiar with that client. I’d think you should use option M from this screen, but after that consult the documentation for that client and see how to specify a domain name and validate it.

OK will keep trying.

I am getting this error while generating a new SSL certificate. Do I need to add any record at GoDaddy (A record, @ record or anything)?

Hi @ramg1967

If you want to use HTTP validation, a working webserver is required. That requires a public IP address: your domain -> your IP.

See

Do I have the option to pick HTTPS validation? If so, do I need to add any entry at GoDaddy, and what selection should I pick during the ACME process?

I did not have this kind of issue when I obtained an SSL certificate for Exchange Server 2019. I did have a few issues with autodiscover and firewall port forwarding. I fixed those issues, the certificate was issued and the renewal worked fine. Not this time for ADFS.

Why are you trying to obtain a cert for www.adfs.ramlan.ca? You’d said earlier that you only wanted one for adfs.ramlan.ca.

Yes, one only. My domain is ramlan.ca, and for ADFS I want the certificate name adfs.ramlan.ca.

See screen shots…

...which are of you doing something different than you did last time--at that time, it was trying to validate www.adfs.ramlan.ca. Now it isn't. That's good, but you still need DNS records set up pointing to your server.

You mean at GoDaddy or on the Router (Port Forwarding section)?

I did enable port forwarding for the ADFS server (both port 80 and 443) and the firewall is disabled.

Which would Let's Encrypt be able to see?

Those are good. Does either of them tell Let's Encrypt what IP address to use to connect to adfs.ramlan.ca?

On the local DNS I created an A record pointing to the public IP address. Do I still need to create a record at GoDaddy? Still getting the same error. I am too weak in IIS. Might have to learn a lot and understand how IIS works…

A publicly visible record that LE's servers can see: an A or AAAA record for the HTTP/TLS-ALPN challenge, a TXT record for the DNS challenge.
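The distinction in the reply above (the record has to be visible to Let's Encrypt, not just to the DC's own DNS) is the one that bit this thread: a local A record existed while the GoDaddy-hosted zone had none. The following PowerShell pre-flight check is an added example, not the poster's steps or the ACME client's code. It asks a public resolver for the A, AAAA and `_acme-challenge` TXT records of the hostname and compares the answer with the public IP you expect. The hostname adfs.ramlan.ca comes from the thread; the resolver address and the expected IP are placeholders to replace.

```powershell
# Added example (not from the thread): check what Let's Encrypt's validation
# servers will actually see for a hostname, before running the ACME client.
# It queries a PUBLIC resolver on purpose: the DC's own DNS holds the internal
# zone, so asking it only proves the local A record exists (the situation in
# this thread), not that the GoDaddy-hosted zone has the record.
# Assumptions: the hostname adfs.ramlan.ca comes from the thread; the resolver
# address and the expected public IP are placeholders to replace.
param(
    [string]$HostName   = 'adfs.ramlan.ca',
    [string]$ExpectedIp = '203.0.113.10',   # placeholder: your router's public IP
    [string]$Resolver   = '1.1.1.1'         # any public resolver, not the DC
)

# Returns a hashtable with the public A, AAAA and _acme-challenge TXT records.
function Get-PublicRecords {
    param([string]$Name, [string]$Server)
    $out = [ordered]@{ A = @(); AAAA = @(); TXT = @() }
    foreach ($type in 'A', 'AAAA') {
        try {
            $out[$type] = @(Resolve-DnsName -Name $Name -Type $type -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $type } | ForEach-Object { $_.IPAddress })
        } catch { }   # NXDOMAIN or no record of this type: leave the list empty
    }
    try {
        $out.TXT = @(Resolve-DnsName -Name "_acme-challenge.$Name" -Type TXT -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
    } catch { }
    return $out
}

$r = Get-PublicRecords -Name $HostName -Server $Resolver
"A    : $($r.A    -join ', ')"
"AAAA : $($r.AAAA -join ', ')"
"TXT  : $($r.TXT  -join ', ')  (_acme-challenge.$HostName, only present during a dns-01 challenge)"

# http-01 and tls-alpn-01 need an A/AAAA record that reaches this server on 80/443.
$addrs = $r.A + $r.AAAA
if (-not $addrs) {
    Write-Warning "No public A/AAAA record for ${HostName}: http-01/tls-alpn-01 cannot succeed; add the record at the DNS host or use dns-01."
} elseif ($addrs -notcontains $ExpectedIp) {
    Write-Warning "Public record points at $($addrs -join ', '), not ${ExpectedIp}: Let's Encrypt will connect to the wrong host."
} else {
    "Public DNS points at $ExpectedIp. Now confirm 80/443 are reachable from OUTSIDE the LAN;"
    "Test-NetConnection from inside only exercises hairpin NAT, which many home routers do not do."
}
```

Run it as `.\Check-AcmeDns.ps1 -ExpectedIp <your public IP>` from the server. If the script reports no public record, the port forwarding at the router is irrelevant: the validation server never learns which IP to connect to, which is the error the thread hit until the GoDaddy A record was added.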

I was able to get it working. See the screenshot. This is what I did:

Local DNS - A record pointing to Public IP
GoDaddy - A record pointing to Public IP

Tried the certificate again and it completed successfully. I was able to export the certificate as a PFX so I can use it during the ADFS role install and complete the ADFS configuration.

This certificate is valid for 90 days and it will auto-renew using the Task Scheduler task that was created as well.

Thanks for all the help. Maybe I will document this entire process for future reference.

Ram
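The post above exports the PFX for the initial ADFS setup and relies on a scheduled task for the 90-day renewals. The part that is easy to miss is that the renewal only drops a new certificate into the machine store; ADFS keeps the thumbprint it was configured with until it is told otherwise, so an unattended renewal alone leaves ADFS serving the old certificate until it expires. The PowerShell below is an added example, not the poster's procedure or any ACME client's script: it configures the farm from the certificate thumbprint on first run and, on later runs, rebinds ADFS to the newest certificate for the service name. The federation service name adfs.ramlan.ca is from the thread; the display name and service account are placeholders.

```powershell
# Added example (not from the thread): point ADFS at the Let's Encrypt
# certificate by thumbprint, and re-point it after every 90-day renewal.
# The scheduled renewal only puts a NEW certificate in the machine store; ADFS
# keeps using the thumbprint it was configured with until it is told otherwise.
# Assumptions: federation service name adfs.ramlan.ca is from the thread;
# the display name and service account are placeholders to replace.
Import-Module ADFS

$fsName = 'adfs.ramlan.ca'

# Newest unexpired cert with a private key issued for the service name.
function Get-NewestServiceCert {
    param([string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object { $_.Subject -eq "CN=$Name" -or $_.DnsNameList.Unicode -contains $Name } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-NewestServiceCert -Name $fsName
if (-not $cert) { throw "No usable certificate for $fsName in Cert:\LocalMachine\My" }

$configured = Get-AdfsProperties -ErrorAction SilentlyContinue
if (-not $configured) {
    # First-time farm creation (after Install-WindowsFeature ADFS-Federation).
    Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
        -FederationServiceName $fsName `
        -FederationServiceDisplayName 'RAMLAN Lab ADFS' `
        -ServiceAccountCredential (Get-Credential -Message 'ADFS service account (placeholder RAMLAN\svc_adfs)')
    return
}

# Post-renewal: rebind only when the store holds a newer cert than ADFS uses.
$bound = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fsName } | Select-Object -First 1
if ($bound.CertificateHash -eq $cert.Thumbprint) {
    "ADFS already uses $($cert.Thumbprint) (expires $($cert.NotAfter))."
    return
}

# The service account must be able to read the new private key; ACME clients
# that support a post-renewal script usually grant this, otherwise do it
# manually in certlm.msc (Manage Private Keys) before this step.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Restart-Service adfssrv
"ADFS rebound to $($cert.Thumbprint), expires $($cert.NotAfter)."
```

Hook the script to the ACME client's renewal (most Windows clients can run a script after a successful renewal) or schedule it shortly after the renewal task. Only the SSL and Service-Communications certificates are touched; the token-signing and token-decrypting certificates ADFS generates for itself are separate and are not replaced by this.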

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/where-to-place-a-federation-server
Looks like this server shouldn't be visible from the internet (only the ADFS proxy should). Maybe you want to use a different account with the DNS challenge; acme.sh supports that, but it's a bash script…

OK will check the link.

This is a lab setup for ADFS learning. After that, I will shut down the system.
