
I'm following the tutorial Configuring SharePoint 2010 and ADFS v2 End to End because I want to use single sign-on between my SharePoint and CRM 2011.

I have a SharePoint server, a CRM server and an SQL server with AD FS 2.0.

When following the tutorial mentioned above, I come to the instruction to export the certificate used by ADFS to sign the tokens it sends out.

"ADFS uses a certificate to sign the tokens it sends out."

But when I look at my certificate,

"... but there will always be ONLY one Primary token signing certificate. Click on that certificate, and then click on the View Certificate link in the right pane."

then I see that my certificate doesn't contain a private key. At first I didn't notice the difference between the screenshot in the tutorial and what I could see on my screen. But when I tried to import my certificate into the SharePoint server, I got an error saying that the certificate does not contain a private key.

How should I solve this problem? I've been trying for a long time to get this set up, but every time something else goes wrong. I hope I can finish this soon with maybe a little help here on SO ;)

Thanks!

ThdK

1 Answer

3

ADFS uses three certificates:

  • The service communications key (normally the one used by IIS for SSL)
  • Token decrypting
  • Token signing

Only the first has a private key. The other two are created when you install ADFS.

If you look at the tutorial, you'll see:

"In this particular case I chose to use the certificate I created for SSL on the ADFS web site. I’m not suggesting that this is needed or even recommend; it’s just what I chose to do. Now that you are viewing the certificate, click on the Details tab at the top of the dialog."

So what you need to do is add a token-signing certificate and choose for this purpose the SSL certificate. That way you will have a private key.

Or create your own (I use SelfSSL7) and use that. Note: not in production!

Refer: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates

rbrayb
  • 5 star answer! Thank you! I thought I maybe could do this but I was not sure. And I did not want to continue the tutorial without knowing if I did one step right or wrong. I hope I can continue to the end now :) – Oct 20 '11 at 06:58
  • Ok, I'm having another problem now with the certificate. When I try to select my certificate in the "Edit Bindings" section in IIS I get the following warning in the "Edit Site Binding" dialog: "One or more intermediate certificates in the certificate chain are missing. To resolve this issue, make sure that all of the intermediate certificates are installed. For more information, see http://support.microsoft.com/kb/954755." I've followed the instructions on that website but still no success. Do you know more about this too? – Oct 20 '11 at 07:31
  • Not really. Do you have the intermediate certificates? E.g. see here: http://www.aip.im/2010/12/error-in-iis-when-adding-secure-binding-because-intermediate-certificate-is-missing/ – rbrayb Oct 24 '11 at 18:37
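An added example, not from the question or the answer above: a PowerShell script that lists the AD FS 2.0 certificates the answer describes, reports for each one whether a private key is reachable from the session's certificate store, and exports only the public portion of the primary token-signing certificate, which is all a relying party needs to verify token signatures. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell), an elevated session on the AD FS server, and `C:\Temp` as the output directory.

```powershell
# Added example (not the tutorial's or the answer's code). Assumes AD FS 2.0
# with its PowerShell snap-in, run elevated on the AD FS server itself.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ExportDir = 'C:\Temp'   # assumed output directory for the exported .cer
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

$adfsCerts = Get-ADFSCertificate

# Inventory: type, primary flag, expiry, store, and whether THIS session can
# see a private key for it. Auto-generated signing/decrypting certificates may
# keep their key in a store this session cannot read, so $false here means
# "not exportable from here", not "no key exists anywhere".
$report = foreach ($c in $adfsCerts) {
    $storePath = "Cert:\$($c.StoreLocation)\$($c.StoreName)\$($c.Thumbprint)"
    $x509 = Get-Item $storePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Type          = $c.CertificateType
        IsPrimary     = $c.IsPrimary
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Certificate.Subject
        NotAfter      = $c.Certificate.NotAfter
        Store         = "$($c.StoreLocation)\$($c.StoreName)"
        HasPrivateKey = if ($x509) { $x509.HasPrivateKey } else { $false }
    }
}
$report | Format-Table -AutoSize

# Signature verification needs only the public key, so SharePoint can be given
# a DER-encoded .cer. Exporting with X509ContentType::Cert never includes
# private key material, which is what you want for a signing key.
$signing = $adfsCerts |
    Where-Object { $_.CertificateType -eq 'Token-Signing' -and $_.IsPrimary } |
    Select-Object -First 1

if (-not $signing) {
    Write-Warning 'No primary token-signing certificate found.'
} else {
    $bytes = $signing.Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $outFile = Join-Path $ExportDir 'adfs-token-signing.cer'
    [System.IO.File]::WriteAllBytes($outFile, $bytes)
    Write-Host ("Exported public token-signing certificate {0} to {1}" -f
        $signing.Thumbprint, $outFile)
}
```

The `HasPrivateKey` column is what answers the question's "certificate does not contain a private key" error for a given store; the exported .cer is intentionally public-only and should be the file handed to the SharePoint side.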