Certificate Requirements for AD FS-Enabled Web Servers

Applies To: Windows Server 2008

Each Web server that hosts an Active Directory Federation Services (AD FS) Web Agent requires a Secure Sockets Layer (SSL) server authentication certificate to communicate securely with Web clients. Publicly issued certificates are recommended for SSL server authentication certificates. However, if you are deploying the AD FS Web Single-Sign-On (SSO) design, using either a public or corporate certification authority (CA) to obtain your server authentication certificate is sufficient.


Token-signing certificates and SSL client authentication certificates are not necessary for AD FS-enabled Web servers.

If you will be hosting additional AD FS components, such as the Federation Service or the Federation Service Proxy, on an already established AD FS-enabled Web server, it is not necessary to obtain additional server authentication certificates for each of those components. The AD FS Web Agent, the Federation Service, and the Federation Service Proxy can use a single server authentication certificate simultaneously. For more information about hosting multiple AD FS components on an AD FS-enabled Web server, see Where to Place an AD FS-Enabled Web Server.

You can request and install server authentication certificates through the Microsoft Management Console (MMC) snap-in for Internet Information Services (IIS). For more general information about using SSL certificates, see IIS 7.0: Configuring Secure Sockets Layer in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=108544) and IIS 7.0: Configuring Server Certificates in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=108545).

Certificate requirements for an AD FS-enabled Web server farm

In an AD FS-enabled Web server farm scenario, Web servers must obtain server authentication certificates in one of the following ways for AD FS to work:

  • Share the same certificate: Web servers can share the same server authentication certificate across the farm. To share the same certificate across the Web servers, export the private key of that certificate and install it on the appropriate Web site for each Web server.

    For more information, see Export the Private Key Portion of a Server Authentication Certificate and Import a Server Authentication Certificate to the Default Web Site.

  • Obtain individual certificates: If you decide to obtain separate server authentication certificates for each Web server in a farm, you must ensure that the subject names for each of the individual server authentication certificates match. The subject name value for a server authentication certificate is used to identify the computer that the certificate represents.


CAs, such as Microsoft Certificate Services, create the subject name from the common name (CN) of the requester that is obtained in Active Directory Domain Services (AD DS).

For more information about configuring an AD FS-enabled Web server farm, see When to Create an AD FS-Enabled Web Server Farm.