Share via


Certificate requirements for ADFS-enabled Web servers

Applies To: Windows Server 2003 R2

Each Web server that hosts an Active Directory Federation Services (ADFS) Web Agent requires a Secure Sockets Layer (SSL) server authentication certificate to communicate securely with Web clients. Publicly issued certificates are recommended for SSL server authentication certificates. However, if you are deploying the ADFS Web Single Sign-On (SSO) design, using either a public or corporate certification authority (CA) to obtain your server authentication certificate is sufficient.

Note

Token-signing certificates and SSL client authentication certificates are not necessary for ADFS-enabled Web servers.

If you will be hosting additional ADFS components, such as the Federation Service or the Federation Service Proxy, on an already established ADFS-enabled Web server, it is not necessary to obtain additional server authentication certificates for each of those components. The ADFS Web Agent, the Federation Service, and the Federation Service Proxy can use a single server authentication certificate simultaneously. For more information about hosting multiple ADFS components on an ADFS-enabled Web server, see Where to place an ADFS-enabled Web server.

You can request and install server authentication certificates through the Microsoft Management Console (MMC) snap-in for Internet Information Services (IIS). For more general information about using SSL certificates, see Configuring Secure Sockets Layer (https://go.microsoft.com/fwlink/?linkid=62785) and Obtaining Server Certificates (https://go.microsoft.com/fwlink/?linkid=62479).

Certificate requirements for an ADFS-enabled Web server farm

In an ADFS-enabled Web server farm scenario, Web servers must obtain server authentication certificates in one of the following ways for ADFS to work:

  • Share the same certificate: Web servers can share the same server authentication certificate across the farm. To share the same certificate across the Web servers, export the private key of that certificate and install it on the appropriate Web site for each Web server.

    For more information, see Export the private key portion of a server authentication certificate and Import a server authentication certificate to the default Web site.

  • Obtain individual certificates: If you decide to obtain separate server authentication certificates for each Web server in a farm, you must ensure that the subject names for each of the individual server authentication certificates match. The subject name value for a server authentication certificate is used to identify the computer that the certificate represents.

    Note

    Certification authorities (CAs) such as Microsoft Certificate Services create the subject name from the common name (CN) of the requestor that is obtained in Active Directory.

For more information about configuring an ADFS-enable Web server farm, see When to create an ADFS-enabled Web server farm.