Understanding Certificates Used by AD FS

Applies To: Windows Server 2008, Windows Server 2008 R2

In any Active Directory Federation Services (AD FS) design, various certificates must be used to secure communication and facilitate user authentication and authorization requests that are made to federation servers, federation server proxies, and AD FS-enabled Web servers.

For general information about certificates, see Public Key Infrastructure for Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=19936).

Certificates used by federation servers

Each federation server is required to have a server authentication certificate and a token-signing certificate before it can participate in AD FS communications. The trust policy requires an associated certificate, known as a verification certificate, which is the public key portion of the token-signing certificate.

Server authentication certificates

The federation server uses Secure Sockets Layer (SSL) server authentication certificates to secure Web services traffic for communication with Web clients or the federation server proxy. These certificates are requested and installed through the Internet Information Services (IIS) snap-in.

Token-signing certificates

Each federation server uses a token-signing certificate to digitally sign all security tokens that it produces. Because each security token is digitally signed by the account partner, the resource partner can verify that the security token was in fact issued by the account partner and that it was not modified. This helps prevent attackers from forging or modifying security tokens to gain unauthorized access to resources.

Digital signatures on security tokens are also used in the account partner when there is more than one federation server. In this situation, the digital signatures verify the origin and integrity of security tokens that are issued by other federation servers in the account partner. The digital signatures are verified with verification certificates.

Note

Each token-signing certificate contains a private key that is associated with the certificate.

Verification certificates

Verification certificates verify that a security token was issued by a valid federation server and that it was not modified. Verification certificates are actually the token-signing certificates of other federation servers.

To verify that a security token was issued by a given federation server and not modified, the federation server must have a verification certificate for the federation server that issued the security token. For example, if federation server A issues a security token and sends the security token to federation server B, federation server B must have a verification certificate (federation server A's token-signing certificate) for federation server A.

Note

Unlike a token-signing certificate, a verification certificate does not contain the private key that is associated with the certificate.

Certificates used by federation server proxies

Servers that are running the Federation Service Proxy role service are required to use a client authentication certificate and a server authentication certificate.

Client authentication certificates

Each federation server proxy uses an SSL client authentication certificate to authenticate to the Federation Service. Any certificate with client authentication extended key usage (EKU) can be used as a federation server proxy client authentication certificate. A copy of the federation server proxy client authentication certificate is stored on both the federation server proxy and in the trust policy of the federation server. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate.

Note

The Trust Policy user interface (UI) in the Active Directory Federation Services snap-in refers to client authentication certificates as Federation Service Proxy (FSP) certificates.

Server authentication certificates

The federation server proxy uses SSL server authentication certificates to secure Web services traffic for communication with Web clients. These certificates are requested and installed through the Internet Information Services (IIS) Manager snap-in.

Certificates used by AD FS-enabled Web servers

Each AD FS-enabled Web server that hosts an AD FS Web Agent uses SSL server authentication certificates to securely communicate with Web clients. These certificates are requested and installed through the Internet Information Services (IIS) Manager snap-in.