question

MattHarman-9487 avatar image
0 Votes"
MattHarman-9487 asked MattHarman-9487 action

ADFS - Self signed or enterprise CA issued token certificates are not working from the outside

Hello,

It is time for our ADFS token certificate renewal as it is expiring soon. We have been using a certificate from Sectigo (public CA) and it has worked great. However, all of the public CAs are now expiring their certificates in just one year. So going forward, we want to have our token be a self signed or issued from our enterprise CA. It appears Microsoft actually recommends using their self signed certificate for the token certificate. I can then update the expiration date for 3 years.

That said, our initial testing was good. I temporarily changed the new token certificate to be our primary. I updated a couple SSO apps to use the new token cert. The SSO connection worked if our device is on the internal network. Any device outside the network fails. I also want to mention that some of our apps did work from the outside and inside.

We have an ADFS server and a web proxy server. I'm not sure where the issue is.

Anyone have any ideas? Any help would be greatly appreciated.

Thank you,
Matt

adfs
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Are you sure you are reffering to the Token Signing certificate here?

The Token Signing certificate can be a self signed. Applications using the token needs to disable revocation check on that cert then (although quite frankly it seems that the majority of apps don't even bother checking by dafeult anyways).

If you have devices outside the environment failing, it does not seem to be related with the change you described.

We'll need to see some logs :) Error messages, user's experience, screenshots etc...

0 Votes 0 ·

It is either the token signing or the encryption certificates.

I setup a test environment. I enrolled in a certificate from our inhouse enterprise CA server. I used it for the token signing and encryption certificates. I set it as the primary for both. I then added the certificate to Zoom. It had no issues connecting internally and externally.

I did the same thing to production and I get a SAML error. The only thing in production that I know is different is production uses Kemp load balancers.

Also to note, I tried a selfsigned certificate in both test and production environments. Both fail with SAML errors when trying to SSO into the application.

I tried a certificate from Sectigo and no issues at all. SSO goes right through without a problem.

I didn't see anything in the logs that helped but I can check again tonight.

Any help is appreciated.

0 Votes 0 ·

0 Answers