Certificate Requirements for Federation Server Proxies

Applies To: Windows Server 2008

Servers that are running the Federation Service Proxy component of Active Directory Federation Services (AD FS) are required to use the following types of certificates:

  • Secure Sockets Layer (SSL), server authentication certificates: Federation server proxies use SSL, server authentication certificates to secure Web server traffic communication with Web clients. Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI). Therefore, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign.

    When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. For more information, see When to Create a Federation Server Proxy Farm.

    It is important to verify that the subject name in the server authentication certificate matches the Domain Name System (DNS) name of the Federation Service endpoint URL in the trust policy.

For general information about using SSL certificates, see IIS 7.0: Configuring Secure Sockets Layer in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkID=108544) and IIS 7.0: Configuring Server Certificates in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkID=108545).

  • SSL client authentication certificates: Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. You can use any certificate with client authentication enhanced key usage (EKU) that chains to a trusted root CA on the federation server as a client authentication certificate for the federation server proxy. In addition, you must explicitly add the client authentication certificate to the trust policy. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate. You can install a client authentication certificate by connecting to an enterprise CA or by creating a self-signed certificate.


Do not use a certificate that was issued by your enterprise CA for client authentication of an Active Directory user (especially a domain administrator) because the private key is stored on the federation server proxy. Storing a private key on the federation server proxy allows an administrator or a successful attacker to assume the identity that the certificate represents.

For general information about installing certificates when you use Microsoft Certificate Services as your enterprise CA, see IIS 7.0: Create a Domain Server Certificate in IIS 7.0 ([http://go.microsoft.com/fwlink/?LinkID=108548](http://go.microsoft.com/fwlink/?linkid=108548)).  
For information about installing a self-signed certificate, see IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 ([http://go.microsoft.com/fwlink/?LinkID=108271](http://go.microsoft.com/fwlink/?linkid=108271)).  


Token-signing certificates do not have to be issued for federation server proxies.

If any certificate that you use has certificate revocation lists (CRLs), the server with the configured certificate must be able to contact the server that distributes the CRLs. The type of CRL determines what ports are used.