
About This Guide

This guide provides step-by-step instructions for configuring a basic identity federation deployment between Microsoft® Active Directory® Federation Services 2.0 (AD FS 2.0) and Novell Access Manager (NAM) by using the Security Assertion Markup Language (SAML) 2.0 (http://go.microsoft.com/fwlink/?LinkId=193996) protocol, specifically its Web Browser SSO Profile and HTTP POST binding.

Terminology Used in This Guide

Throughout this document, there are numerous references to federation concepts that are called by different names in AD FS 2.0 and SAML documentation. The following table draws the parallels between the two sets of terms.

AD FS 2.0 Name  | SAML Name               | Concept
Security Token  | Assertion               | A package of security information, describing a user, created and consumed during a federated access request
Claims Provider | Identity Provider (IdP) | Partner in a federation that creates security tokens for users
Relying Party   | Service Provider (SP)   | Partner in a federation that consumes security tokens for providing access to applications
Claims          | Assertion attributes    | Data about users that is sent inside security tokens

In this deployment, you have the option to configure one or both of the following two scenarios:
• AD FS 2.0 as Claims Provider and NAM as Relying Party
• NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider

Prerequisites and Requirements

1. Two servers, one to host AD FS 2.0 and the other to host NAM.
2. AD FS 2.0 is deployed: The test deployment that was created in the AD FS 2.0 Federation with a WIF Application Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=193997) is used as the starting point for this lab. That lab uses a single Windows Server 2008 R2 instance (fsweb.contoso.com) to host both the AD FS 2.0 federation server and a Windows® Identity Foundation (WIF) sample application. It presumes the availability of a "Contoso.com" domain, in which fsweb.contoso.com is a member server. The same computer can act as the domain controller and federation server in test deployments.
3. NAM is deployed: The NAM environment in this lab is hosted by a fictitious company called nam.example.com. Only the Identity Server component of NAM is required for this federation. For more information about installation and deployment of NAM, refer to the NAM documentation (http://www.novell.com/documentation/novellaccessmanager31/).

Note: You can download the evaluation version of NAM from Novell's download portal (http://download.novell.com).

Note: NAM supports both Windows and Linux. In this guide, we discuss the identity federation deployment in the Linux environment.

Linux Environment

NAM Environment: NAM 3.1 SP4, 64 bit (on SLES 11)

Ensure IP Connectivity

Ensure that the NAM (nam.example.com) and AD FS 2.0 (fsweb.contoso.com) systems have IP connectivity between them. The Contoso.com domain controller, if running on a separate computer, does not require IP connectivity to the NAM system.

If the NAM firewall is set up, open the ports required for the Identity Server to communicate with the Administration Console. For more information about these ports, see Setting Up Firewalls in the Novell Access Manager 3.1 SP4 Setup Guide, and Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP4 Identity Server Guide. For back-channel communication with cluster members, you need to open two consecutive ports for the cluster, for example 7801 and 7802; the initial port is configurable. See Configuring a Cluster with Multiple Identity Servers in the Novell Access Manager 3.1 SP4 Identity Server Guide. For HTTPS communication, you can use iptables to open the required TCP ports.

Configure Name Resolution

The hosts file on the AD FS 2.0 computer (fsweb.contoso.com) is used to configure name resolution of the partner federation servers and sample applications.

Verify Clock Synchronization

Federation events have a short time to live (TTL). To avoid errors based on time-outs, ensure that both computers have their clocks synchronized.

Note: For information about how to synchronize a Windows Server 2008 R2 domain controller to an Internet time server, see article 816042 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=60402). On the NAM 3.1 server, use the command sntp -P no -p pool.ntp.org to synchronize time with the Internet time server.

Configuring NAM as Claims or Identity Provider and AD FS 2.0 as Relying Party or Service Provider

This section explains how to configure a setup in which a user (using NAM) gets federated access to the WIF sample application through AD FS 2.0. This setup uses the SAML 2.0 POST profile.

This section includes:
• Configuring NAM
• Configuring AD FS 2.0

Note: To deploy this identity federation for NAM 3.1 and above, create a new contract with the URI "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" and the Name/Password - Form method.

Configuring NAM

This section includes:
• Adding a new service provider connection using metadata
• Exporting Identity Provider metadata to a file

Adding a New Service Provider Connection Using Metadata

Use the AD FS metadata to add AD FS 2.0 as a service provider in NAM.

To Get AD FS 2.0 Metadata (Trim AD FS Metadata for NAM)
1. Access the AD FS server metadata URL https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml.
2. Save the AD FS metadata file.
3. Open the saved AD FS metadata file in Notepad, WordPad, or any XML editor.
4. Remove the <RoleDescriptor> elements from the metadata. For example, remove the following:
   <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
5. Save the changes.

To Add a New Service Provider Connection Using Metadata
1. In the NAM Administration Console, select Devices > Identity Servers > Edit > SAML 2.0.
2. Click New > Add Service Provider.
3. Specify a name by which you want to refer to the provider in the Name field.
4. Select Metadata Text from the Source list.
5. Paste the copied (trimmed) AD FS metadata in the Text field.
6. Click Next > Finish.
7. Update the Identity Server.

To Add the AD FS Server Trusted Certificate Authority
1. Download the Certificate Authority (CA) certificate from the AD FS server.
2. In the NAM Administration Console, select Security > Certificates > Trusted Roots.
3. Click Import.
4. Specify a name for the certificate and browse for the AD FS CA certificate.
5. Click OK.
6. Click the uploaded AD FS CA.
7. Click Add to Trusted Store and select the config store.
8. Update the Identity Server.

To Create an Attribute Set in NAM
1. In the NAM Administration Console, select Devices > Identity Servers > Shared Settings > Attribute Sets, and click New.
2. Provide the attribute set name as adfs-attributes.
3. Click Next with the default selections.
4. In the Create Attribute Set section, click New.
5. Select ldapattribute mail from the Local attribute list.
6. Specify email in the Remote attribute field.
7. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from the Remote namespace list.
8. Click OK.
9. Repeat the previous steps to add the cn attribute:
10. Select ldapattribute cn from the Local attribute list.
11. Specify name in the Remote attribute field.
12. Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ from the Remote namespace list.
13. Click OK.
14. Click Finish.
15. Update the Identity Server.

To Configure a Service Provider in NAM
1. Select the ADFS service provider on the SAML 2.0 tab.
2. Click Authentication Response.
3. Select the POST binding.
4. For the name identifier format default value, select unspecified and keep the other defaults.
5. Click OK.
6. Click Attributes.
7. Select adfs-attributes from the Attribute set list.
8. Select the required attributes to be sent with authentication, moving them from right to left (for example, the mail and cn attributes).
9. Click OK.
10. Update the Identity Server.

Export Identity Provider Metadata to a File

Access https://<Identity Server IP or DNS name>:8443/nidp/saml2/metadata in a browser and save the page as an XML file, for example nam_metadata.xml. AD FS 2.0 will use this file to automate setup of the NAM claims provider instance.

Configuring AD FS 2.0

This section includes:
• Adding a claims provider using metadata
• Editing claim rules for the claims provider trust
• Editing claim rules for the WIF sample application
• Changing the AD FS 2.0 signature algorithm

Adding a Claims Provider Using Metadata

Use the metadata import capabilities of AD FS 2.0 to create the Example.com claims provider. The metadata includes the public key that is used to validate security tokens signed by NAM.

To Add a Claims Provider Using Metadata
1. In AD FS 2.0, in the console tree, right-click the Claims Provider Trusts folder, and then click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.
2. Click Start.
3. On the Select Data Source page, select Import data about the claims provider from a file.
4. In the Federation metadata file location field, click Browse.
5. Navigate to the location where you saved nam_metadata.xml earlier, click Open, and then click Next.
6. On the Specify Display Name page, enter NAM Example.
7. Click Next > Next > Close.

Editing Claim Rules for a Claims Provider Trust

The following claim rules describe how the data from NAM is used in the security token that is sent to the WIF sample application.

To Edit Claim Rules for a Claims Provider Trust
1. Open the Edit Claim Rules window. Or, in the AD FS 2.0 center pane, under Claims Provider Trusts, right-click NAM Example, and then click Edit Claim Rules.
2. On the Acceptance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
4. Click Next.
5. On the Configure Claim Rule page, use the following values:
   Claim rule name: Name Rule
   Incoming claim type: Name
6. Leave the Pass through all claim values option selected and click Finish.
7. Click Add Rule.
8. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option. Click Next.
9. On the Configure Claim Rule page, use the following values:
   Claim rule name: Name ID Rule
   Incoming claim type: Name ID
   Incoming name ID format: Unspecified
10. Leave the Pass through all claim values option selected and click Finish.
11. Click OK.
12. To acknowledge the security warning, click Yes.

Editing Claim Rules for the WIF Sample Application

At this point, incoming claims have been received at AD FS 2.0, but rules that describe what to send to the WIF sample application have not yet been created. Edit the existing claim rules for the sample application to take into account the new NAM external claims provider.

To Edit the Claim Rules for the WIF Sample Application
1. In AD FS 2.0, click Relying Party Trusts.
2. Right-click WIF Sample App and then click Edit Claim Rules.
3. On the Issuance Transform Rules tab, click Add Rule.
4. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim > Next.
5. On the Configure Claim Rule page, enter the following values:
   Claim rule name: Pass Name Rule
   Incoming claim type: Name
6. Leave the Pass through all claim values option selected, and then click Finish.
7. On the Issuance Transform Rules tab, click Add Rule.
8. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim. Click Next.
9. On the Configure Claim Rule page, enter the following values:
   Claim rule name: Pass Name ID Rule
   Incoming claim type: Name ID
   Incoming name ID format: Unspecified
10. Leave the Pass through all claim values option selected, and then click Finish.
11. Click OK.

Note: If you configured the optional Step 6: Change Authorization Rules when you were testing the original AD FS 2.0 with WIF Step-by-Step Guide deployment, ensure that you add back the Permit All Users issuance authorization rule for the WIF sample application before testing this scenario. Or, as an alternative, add a new Permit or Deny Users Based on an Incoming Claim rule allowing incoming Name ID = john@example.com to access the application.

Changing AD FS 2.0 Signature Algorithm

By default, NAM uses the Secure Hash Algorithm 1 (SHA-1) for signing operations. By default, AD FS 2.0 expects partners to use SHA-256. Complete the following steps to set AD FS 2.0 to expect SHA-1 for interoperability with NAM.

Note: The same procedure is recommended for AD FS 2.0 Relying Party Trusts that use NAM. If the NAM SP signs AuthnRequests, artifact resolution requests, or logout requests, AD FS 2.0 errors will occur unless this signature algorithm setting is changed.

To Change the AD FS 2.0 Signature Algorithm
1. In AD FS 2.0, click Claims Provider Trusts.
2. Right-click NAM Example > Properties.
3. On the Advanced tab, select SHA-1 in the Secure Hash Algorithm list.
4. Click OK.

Certification Authority-Issued Signing/Encryption Certificates

For security reasons, production federation deployments require the use of digitally signed security tokens, and as an option allow encryption of security token contents. Self-signed private key certificates, which are generated from inside the AD FS 2.0 and NAM products, are used for signing security tokens. As an alternative, organizations can use a private key certificate that is issued by a certificate authority (CA) for signing and encryption. The primary benefit of using certificates that a CA issues is the ability to check for possible certificate revocation against the certificate revocation list (CRL) from the issuing CA. Both in AD FS 2.0 and in NAM, CRL checking is enabled by default for all partner connections if the certificate being used by the partner includes a CRL Distribution Point (CDP) extension. This has implications in federation deployments between NAM and AD FS 2.0:

• If a signing/encryption certificate provided by one side of a federation includes a CDP extension, that location must be accessible by the other side's federation server. Otherwise, CRL checking fails, resulting in a failed access attempt. Note that CDP extensions are added by default to certificates that are issued by Active Directory Certificate Services (AD CS) in Windows Server 2003, 2008, and 2008 R2.
• If the signing/encryption certificate does not include a CDP extension, no CRL checking is performed by AD FS 2.0 or NAM.

To Disable the CRL Checking Option in the Linux Identity Provider
1. In NAM 3.1 SP4, modify the /var/opt/novell/tomcat5/conf/tomcat5.conf file and add:
   JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
2. In NAM 3.2, modify the /var/opt/novell/tomcat7/conf/tomcat7.conf file and add the same JAVA_OPTS line.

To Disable the CRL Checking Option in AD FS 2.0
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the PowerShell command prompt (this turns off revocation checking of the NAM signing certificate for this trust only):
   Set-ADFSClaimsProviderTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

Note: You can make many configuration changes to AD FS 2.0 using the Windows PowerShell command-line and scripting environment. For more information, see the AD FS 2.0 Windows PowerShell Administration section of the AD FS 2.0 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=194005) and the AD FS 2.0 Cmdlets Reference.

Test NAM as Claims Provider and AD FS 2.0 as Relying Party

In this scenario, John from Example.com accesses the Contoso WIF sample application.

Note: Clear all the cookies in Internet Explorer on the AD FS 2.0 computer (fsweb.contoso.com). To clear the cookies, click Tools > Internet Options > Delete under Browsing History, and then select cookies for deletion.

Accessing the WIF Sample Application
1. On the AD FS 2.0 computer, open a browser window, and then navigate to https://fsweb.contoso.com/ClaimsAwareWebAppWithManagedSTS/default.aspx. The first page prompts you to select your organization from a list.
2. Select NAM Example, and then click Continue to sign in.
   Note: This page did not appear in the previous example when you were redirected to AD FS 2.0. This is because at that point there was only one Identity Provider registered in AD FS 2.0. When only one Identity Provider is available, AD FS 2.0 forwards the request to that Identity Provider by default.
3. The NAM login page appears. Enter the user name john, type the password test, and then click Login.

Configuring AD FS 2.0 as Claims or Identity Provider and NAM as Relying Party or Service Provider

This section explains how to configure a setup in which a user authenticated through AD FS 2.0 gets federated access to an application protected by Novell Access Manager (NAM). The setup uses the SAML 2.0 POST profile.

Configuring NAM

This section discusses how to add a new Identity Provider connection using metadata.

Adding a New Identity Provider Connection Using Metadata

The AD FS metadata is used to add AD FS 2.0 as an identity provider in NAM.

To Get AD FS 2.0 Metadata
1. Access the AD FS server metadata URL https://<ADFS hostname or IP>/FederationMetadata/2007-06/FederationMetadata.xml.
2. Save the AD FS metadata file.
3. Open the AD FS metadata file in Notepad (or WordPad or an XML editor).
4. Remove the <RoleDescriptor> elements from the metadata. For example, remove the following:
   <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://..."> ... </RoleDescriptor>
5. Save the changes.

To Add a New Identity Provider Connection Using Metadata
1. In the NAM Administration Console, select Devices > Identity Servers.
2. Click Edit.
3. Select SAML 2.0.
4. Click New > Identity Provider.
5. Enter the name ADFS in the Name field.
6. Select Metadata Text from the Source list.
7. Paste the copied (trimmed) AD FS metadata text in the Text field.
8. Click Next.
9. Specify the image to be displayed on the card in the Image field.
10. Specify an alphanumeric value that identifies the card in the ID field.
11. Click Finish.
12. Update the Identity Server.
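The "trim the AD FS metadata" step above (and the identical step in the NAM-as-identity-provider section) is done by hand in a text editor. The following script is an added example for this guide, not code from Microsoft or Novell: it performs the same edit with an XML parser, deleting every <RoleDescriptor> element (the WS-Federation roles that AD FS 2.0 also publishes) while keeping the SAML 2.0 SPSSODescriptor and IDPSSODescriptor, and then lists the SAML roles and signing-certificate fingerprints that remain so they can be compared with what the AD FS console shows. The SAMPLE_METADATA is a constructed, cut-down copy of what AD FS publishes (using the guide's fsweb.contoso.com host name), and its X509Certificate value is a placeholder, not a certificate.

```python
"""Trim AD FS 2.0 federation metadata for import into NAM as "Metadata Text".

Added example; not code from Microsoft or Novell. It reproduces the guide's
manual step (delete every <RoleDescriptor> element) with a real XML parser
and reports what is left. SAMPLE_METADATA and PLACEHOLDER_CERT_DER are
constructed for the example.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in AD FS 2.0 federation metadata (standard URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
}
# Keep the original prefixes (and the default namespace) when re-serialising.
for _prefix, _uri in NS.items():
    ET.register_namespace("" if _prefix == "md" else _prefix, _uri)

# Constructed stand-in for the DER bytes of the AD FS token-signing certificate.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"

# Constructed, cut-down copy of /FederationMetadata/2007-06/FederationMetadata.xml.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="http://fsweb.contoso.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered/>
  </RoleDescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fsweb.contoso.com/adfs/ls/" index="0"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fsweb.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii")


def _local(tag):
    """Strip the {namespace} prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def trim_adfs_metadata(xml_text):
    """Return (trimmed metadata text, number of RoleDescriptor elements removed)."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("not SAML metadata: root element is %s" % _local(root.tag))
    roles = root.findall("md:RoleDescriptor", NS)  # direct children only
    for role in roles:
        root.remove(role)
    return ET.tostring(root, encoding="unicode"), len(roles)


def remaining_roles(xml_text):
    """Names of the role elements directly under EntityDescriptor, in document order."""
    root = ET.fromstring(xml_text)
    return [_local(child.tag) for child in root if _local(child.tag).endswith("Descriptor")]


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as certificate tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certificates(xml_text, role="md:IDPSSODescriptor"):
    """Fingerprints of the certificates a role advertises for signing.

    A KeyDescriptor without a 'use' attribute covers both signing and
    encryption, so it is included as well.
    """
    root = ET.fromstring(xml_text)
    prints = []
    for key in root.findall(role + "/md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(sha256_fingerprint(der))
    return prints


if __name__ == "__main__":
    trimmed, removed = trim_adfs_metadata(SAMPLE_METADATA)
    print("removed %d RoleDescriptor element(s)" % removed)
    print("roles kept:", ", ".join(remaining_roles(trimmed)))
    for fp in signing_certificates(trimmed):
        print("IdP signing certificate SHA-256:", fp)
    print(trimmed)
```

Two points worth knowing before pasting the output into NAM: deleting elements invalidates the enveloped ds:Signature that AD FS places in the published file, so the trimmed document is only suitable for the paste-as-Metadata-Text import the guide uses, not for a signed-URL import; and the fingerprint the script prints should match the token-signing certificate shown in the AD FS 2.0 Management console under Service > Certificates, which confirms that the trusted key NAM will import is the one AD FS actually signs with.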

To Add the AD FS Server Trusted Certificate Authority
1. Download the CA certificate from the AD FS server.
2. In the NAM Administration Console, select Security > Certificates.
3. Select Trusted Roots.
4. Click Import.
5. Enter the certificate name, and browse for the AD FS CA certificate.
6. Click OK.
7. Click the uploaded AD FS CA.
8. Click Add to Trusted Store and select the config store.
9. Update the Identity Server.

To Configure the Identity Provider in NAM
1. Select the AD FS Identity Provider on the SAML 2.0 tab.
2. Click Authentication Card > Authentication Request.
3. Select the Response Protocol Binding POST.
4. Select the NAME Identifier Format Transient.
5. Click OK.
6. Update the Identity Server.

Configuring AD FS 2.0

This section discusses:
• Adding a Relying Party using metadata
• Editing claim rules for the Relying Party Trust

Adding a Relying Party Using Metadata

The metadata import capability of AD FS 2.0 is used to create a Relying Party. The metadata includes the public key that is used to validate security tokens that are signed by NAM.

To Add a Relying Party Using Metadata
1. In AD FS 2.0, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to start the Add Relying Party Trust Wizard.
2. Click Start.
3. On the Select Data Source page, select Import data about the relying party from a file.
4. In the Federation metadata file location section, click Browse.
5. Navigate to the location where you saved nam_metadata.xml earlier, click Open > Next.
6. On the Specify Display Name page, enter NAM Example.
7. Click Next > Next > Close.

Editing Claim Rules for a Relying Party Trust

This section describes how data from AD FS is used in the security token that is sent to NAM.

To Edit Claim Rules for a Relying Party Trust
1. The Edit Claim Rules dialog box should already be open. If not, in the AD FS 2.0 center pane, under Relying Party Trusts, right-click NAM Example, and then click Edit Claim Rules.
2. On the Issuance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, leave the Send LDAP Attributes as Claims option selected, and then click Next.
4. On the Configure Claim Rule page, enter Get attributes in the Claim rule name field.
5. Select Active Directory from the Attribute Store list.
6. In the Mapping of LDAP attributes section, create the following mappings:
   LDAP Attribute: UserPrincipalName -> Outgoing Claim Type: UPN
   LDAP Attribute: Mail -> Outgoing Claim Type: E-Mail Address
7. Click Finish.
8. On the Issuance Transform Rules tab, click Add Rule.
9. On the Select Rule Template page, select Transform an Incoming Claim, and then click Next.
10. On the Configure Claim Rule page, use the following values:
    Claim rule name: Transient Name ID Mapping Rule
    Incoming claim type: E-Mail Address
    Outgoing claim type: Name ID
    Outgoing name ID format: Transient Identifier
11. Click Finish.

Changing AD FS 2.0 Signature Algorithm

By default NAM uses the Secure Hash Algorithm 1 (SHA-1) for signing operations, and by default AD FS 2.0 expects partners to use SHA-256. Perform the following steps to set up AD FS 2.0 to expect SHA-1 for interoperability with NAM.

To Change the AD FS 2.0 Signature Algorithm
1. In AD FS 2.0, click Relying Party Trusts > right-click NAM Example > Properties.
2. On the Advanced tab, select SHA-1 in the Secure Hash Algorithm list.
3. Click OK.

Certification Authority-Issued Signing/Encryption Certificates

This section includes:
• Disabling the CRL checking option in the Linux Identity Provider
• Disabling the CRL checking option in AD FS 2.0

For more information about signing/encryption certificates, see Certification Authority-Issued Signing/Encryption Certificates in the previous scenario.

Disabling the CRL Checking Option

To Disable the CRL Checking Option in the Linux Identity Provider
1. In NAM 3.1 SP4, modify the /var/opt/novell/tomcat5/conf/tomcat5.conf file and add:
   JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
2. In NAM 3.2, modify the /var/opt/novell/tomcat7/conf/tomcat7.conf file and add the same JAVA_OPTS line.

To Disable the CRL Checking Option in AD FS 2.0
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the PowerShell command prompt:
   Set-ADFSRelyingPartyTrust -TargetName "NAM Example" -SigningCertificateRevocationCheck None

AD FS 2.0 Encryption Strength

In AD FS 2.0, encryption of outbound assertions is enabled by default. Assertion encryption occurs for any Relying Party or service provider for which AD FS 2.0 possesses an encryption certificate. When it performs encryption, AD FS 2.0 uses 256-bit Advanced Encryption Standard (AES) keys, or AES256. In contrast, by default PingFederate supports a weaker algorithm (AES-128). Failing to reconcile these conflicting defaults can result in failed SSO attempts. Alternatives for addressing this issue include the following:

Disabling Encryption in AD FS 2.0

To disable the encryption in AD FS 2.0, complete the following steps:
1. Click Start > Administrative Tools > Windows PowerShell Modules.
2. Enter the following command at the Windows PowerShell command prompt:
   Set-ADFSRelyingPartyTrust -TargetName "NAM Example" -EncryptClaims $False

References:

AD FS 2.0
You can access the troubleshooting help here:
http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(v=ws.10).aspx

Debugging AD FS 2.0 Basics

This section includes:
• Configuring the token-decrypting certificate
• Adding CA certificates to AD FS 2.0
• Debugging AD FS 2.0

Configuring the Token-Decrypting Certificate

While configuring the token-decrypting certificate, an error may occur prompting you to run the following PowerShell commands:
   Add-PSSnapin Microsoft.ADFS.PowerShell
   Set-ADFSProperties -AutoCertificateRollover $false
Run these to be able to select another certificate. The certificate must be installed on the server. The certificates are configured in IIS Manager:
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. Click the server name.
3. Click Server Certificates in the IIS section.

Adding CA Certificates to AD FS 2.0
1. Open the AD FS 2.0 Management tool: click Start > Administrative Tools > AD FS 2.0 Management.
2. In the left pane, expand the Service folder and click Certificates.
3. In the Certificates section, select Add Token-Decrypting Certificate.
4. In Windows, click Start > Run > mmc.
5. Add the Certificates snap-in for the service account and select AD FS.
6. Import the CA certificate into the trusted authorities.

Debugging AD FS 2.0
1. In Event Viewer, click Applications > AD FS 2.0.

PowerShell Commands Help
http://technet.microsoft.com/en-us/library/adfs2-help-using-windows-powershell(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/adfs2-powershell-examples(v=ws.10).aspx