ADFS: Bring your own CA cert for Certificate Based Authentication (MFA)
Setup
- ADDS & ADCS on one 2012R2 server
- ADFS 2012 R2 Server
- WAP 2012 R2 Server
- IIS 2012R2 server
- Demo sample Application http://aka.ms/sampapp
Steps
1. Webconfig
Update the sampapp web.config file with your ADFS token-signing certificate thumbprint
2. RP trust
Create a relying party trust for sampapp at ADFS
3. Auth
Go to the ADFS additional (secondary) authentication settings and configure Certificate Authentication as the "Secondary" authentication method
4. Login
Log on to any client machine and request a normal "User" certificate from your internal CA
5. Port
Check that port 49443 is open on the firewall between the client and the WAP.
Ref. https://technet.microsoft.com/en-us/library/dn554247.aspx?f=255&MSPPError=-2147217396
At this point, certificate auth works fine for internal (domain-joined) clients even if the certificate's AIA/CDP paths are LDAP-only with no "http" endpoints.
Externally, if you try to use the same internal cert via the WAP at this point, it will fail, and you won't see any error at ADFS either.
Reason: your internal cert may have its CRL/AIA path as 'ldap'. This won't work at the WAP end if the WAP is not domain joined.
Either reissue the cert with an 'http' path so that it works externally, or disable revocation checking (step 6), which is less recommended.
If you want to know more, go to the WAP server and enable the logging below; otherwise jump to step 6.
Enable CAPI2 logging and you will see that revocation checking of the client certificate is failing at the WAP, and the WAP resets the connection on port 49443.
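The following PowerShell script is an added diagnostic, not part of the original post. It does the two checks described above from the defender's side: it lists the CDP/AIA URLs embedded in each user certificate that has a private key and flags certificates whose paths are LDAP-only (the ones a non-domain-joined WAP cannot revocation-check), and it offers a helper to enable the CAPI2 operational log on the WAP and show its recent errors. The store path, the log name and the OIDs for CRL Distribution Points (2.5.29.31) and Authority Information Access (1.3.6.1.5.5.7.1.1) are standard; the store location parameter and the URL regex are assumptions for this example.

```powershell
# Added example (not from the original post): find user certs whose CDP/AIA paths are LDAP-only,
# and optionally enable CAPI2 logging on the WAP to confirm the revocation failure.
param(
    [string]$StoreLocation = 'Cert:\CurrentUser\My',   # assumption: the internal-CA user cert lives here
    [switch]$EnableCapi2Log                              # run on the WAP server to turn on CAPI2 logging
)

$CdpOid = '2.5.29.31'          # CRL Distribution Points
$AiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access

function Get-ExtensionUrls {
    # Returns every ldap:// or http(s):// URL found in the named extension of a certificate.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension the same way certutil does; pull the URLs out of that text.
    $text = ($ext | ForEach-Object { $_.Format($true) }) -join "`n"
    return [regex]::Matches($text, '(?i)\b(ldap|https?)://[^\s\)]+') | ForEach-Object { $_.Value }
}

function Test-LdapOnlyRevocationPaths {
    # Emits one object per cert with a private key, with LdapOnly = $true when no HTTP path exists.
    param([string]$Location)
    foreach ($cert in Get-ChildItem $Location | Where-Object { $_.HasPrivateKey }) {
        $cdp = @(Get-ExtensionUrls -Cert $cert -Oid $CdpOid)
        $aia = @(Get-ExtensionUrls -Cert $cert -Oid $AiaOid)
        $all = $cdp + $aia
        $hasHttp = ($all | Where-Object { $_ -match '^https?://' }).Count -gt 0
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            CDP        = ($cdp -join '; ')
            AIA        = ($aia -join '; ')
            # $true means a workgroup WAP cannot fetch the CRL/issuer cert, so revocation checking fails
            LdapOnly   = ($all.Count -gt 0) -and (-not $hasHttp)
        }
    }
}

function Show-Capi2Errors {
    # Enables the CAPI2 operational log (needs elevation) and shows the most recent error events.
    $log = 'Microsoft-Windows-CAPI2/Operational'
    & wevtutil sl $log /e:true
    Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -eq 'Error' } |
        Select-Object TimeCreated, Id, Message
}

Test-LdapOnlyRevocationPaths -Location $StoreLocation | Format-Table -AutoSize
if ($EnableCapi2Log) { Show-Capi2Errors }
```

Run the script on a client to see whether the certificate you requested in step 4 is the LDAP-only case, and on the WAP with -EnableCapi2Log (in an elevated prompt) to watch the revocation error arrive while you retry the external logon.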
6. Disable revocation checking on port 49443 at the WAP server
First view the current binding with netsh http show sslcert
Hostname:port : sts.naveerap.msftonlinerepro.com:49443
Certificate Hash : 36a06b1af35a389a04398f985765932b009dab98
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Reject Connections : Disabled
Delete the endpoint
netsh http>delete sslcert hostnameport=sts.naveerap.msftonlinerepro.com:49443
SSL Certificate successfully deleted
Re-add the endpoint with verifyclientcertrevocation=Disable
PS C:\Users\nagaCSC.baz> netsh
netsh>http
netsh http>add sslcert hostnameport=localhost:49443 certhash=36a06b1af35a389a04398f985765932b009dab98 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY clientcertnegotiation=Enable verifyclientcertrevocation=Disable
SSL Certificate successfully added
Now you should see the output of "netsh http show sslcert" on the WAP server as below
Hostname:port : localhost:49443
Certificate Hash : 36a06b1af35a389a04398f985765932b009dab98
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Reject Connections : Disabled
You are all set; it should now work with your internal cert via the WAP. You will see the cert passed via port 49443.
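The PowerShell below is an added example, not part of the original post, that wraps step 6 so you do not have to retype the certificate hash and application ID by hand. It parses the existing binding from netsh http show sslcert, reports whether client certificate revocation checking is still enabled on the 49443 binding, prints the exact delete/add commands, and only re-creates the binding when -Apply is given. The hostnameport value of localhost:49443 is taken from the post's own re-add command; the parsing regex and the -Apply switch are assumptions for this example.

```powershell
# Added example (not from the original post): audit the HTTP.sys SSL binding on port 49443 on the WAP,
# and re-create it with verifyclientcertrevocation=Disable only when -Apply is supplied.
param(
    [string]$HostnamePort = 'localhost:49443',  # binding name as used in the post; adjust for your WAP
    [switch]$Apply                              # without this the script only reports and prints commands
)

function Get-SslCertBinding {
    # Turns the "Key : Value" lines of netsh http show sslcert into a hashtable; $null if no binding.
    param([string]$HostnamePort)
    $lines = & netsh http show sslcert "hostnameport=$HostnamePort"
    if (-not ($lines -match 'Certificate Hash')) { return $null }
    $binding = @{}
    foreach ($line in $lines) {
        # "Hostname:port : localhost:49443" splits on the spaced colon, not the one inside the key
        $parts = $line.Trim() -split '\s+:\s+', 2
        if ($parts.Count -eq 2) { $binding[$parts[0]] = $parts[1] }
    }
    return $binding
}

function Get-RebindCommands {
    # Builds the delete/add command pairs from the values of the existing binding.
    param([hashtable]$Binding, [string]$HostnamePort)
    $hash  = $Binding['Certificate Hash']
    $appid = $Binding['Application ID']
    $store = $Binding['Certificate Store Name']
    @(
        "http delete sslcert hostnameport=$HostnamePort",
        "http add sslcert hostnameport=$HostnamePort certhash=$hash appid=$appid certstorename=$store clientcertnegotiation=Enable verifyclientcertrevocation=Disable"
    )
}

$binding = Get-SslCertBinding -HostnamePort $HostnamePort
if (-not $binding) {
    Write-Warning "No SSL certificate binding found for $HostnamePort"
    return
}

# Show the current state so the operator can compare it with the post's expected output
$binding.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if ($binding['Verify Client Certificate Revocation'] -ne 'Enabled') {
    Write-Host "Client certificate revocation checking is already disabled on $HostnamePort; nothing to do."
    return
}

$commands = Get-RebindCommands -Binding $binding -HostnamePort $HostnamePort
Write-Host "Revocation checking is Enabled on $HostnamePort. Commands to disable it:"
$commands | ForEach-Object { Write-Host "  netsh $_" }

if ($Apply) {
    foreach ($cmd in $commands) {
        # each argument is passed separately to netsh, exactly as typed in the post's netsh session
        & netsh ($cmd -split ' ')
    }
    # Re-read the binding to confirm the change took effect
    $after = Get-SslCertBinding -HostnamePort $HostnamePort
    Write-Host ("Verify Client Certificate Revocation is now: " + $after['Verify Client Certificate Revocation'])
}
```

Run it in an elevated prompt on the WAP. The default (no -Apply) is a read-only audit, which is also handy later for confirming nobody has turned revocation checking back off on other bindings; note that when you do apply it, the WAP will accept a revoked user certificate on that port until you re-enable checking or move to certificates with HTTP CDP/AIA paths.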
Fiddler Sample
Check out the sample Fiddler trace and look at packet number "24", both request and response; you can see the cert negotiated fine.
Still need help? Reach out to Microsoft with your case number. Happy to help you.
PS: If you want to use non-domain-joined Windows or mobile devices, you need to export the user cert with its private key and import it on those devices.