|
1 | | -{/* --- |
| 1 | +--- |
2 | 2 | id: deploy-adfs-on-ecs |
3 | 3 | title: Deploy Active Directory Federation Services on ECS |
4 | 4 | tags: [security, saml, active-directory, ldap, adfs, microsoft] |
5 | | ---- */} |
| 5 | +--- |
6 | 6 |
|
7 | 7 | import React from 'react'; |
8 | 8 | import useBaseUrl from '@docusaurus/useBaseUrl'; |
@@ -354,6 +354,8 @@ And lastly, we need to issue the Certificate: |
354 | 354 | - **Key options**::**Make private key exportable**: Make sure this option is enabled |
355 | 355 | 8. Select the certificate template you just configured and click *Enroll*. |
356 | 356 |
|
| 357 | +<!-- TOOD think this step in not necessary anymore or should be used only when CA is signed by publicly trusted root CAs --> |
| 358 | + |
357 | 359 | <Carousel |
358 | 360 | width="100%" |
359 | 361 | height="400px" |
@@ -430,6 +432,86 @@ By default (in Microsoft Server 2016 and later) the sign-on page is off, so tryi |
430 | 432 | Set-AdfsProperties -EnableIdpInitiatedSignonPage $true |
431 | 433 | ``` |
432 | 434 |
|
| 435 | +## Automated Public TLS Certificate Management with WIN-ACME |
| 436 | + |
| 437 | +While an internal Certificate Authority (CA) is excellent for issuing token-signing and other internal-only certificates, your public-facing AD FS endpoint (`adfs.example.com`) requires a TLS certificate that is trusted by all external clients and cloud providers. This section details how to use WIN-ACME and Let's Encrypt to automate the issuance and renewal of a publicly trusted SSL certificate, complementing your internal CA in a hybrid-certificate model. |
| 438 | + |
| 439 | +This approach represents a security best practice: |
| 440 | + |
| 441 | +* **Let's Encrypt Certificate**: Used for the public-facing **SSL Certificate** to secure HTTPS traffic. It is trusted globally. |
| 442 | +* **Internal CA Certificate**: Used for the **Token-Signing** and **Token-Decryption** certificates, which should *not* be publicly trusted. |
| 443 | + |
| 444 | + |
| 445 | +### When to Use WIN-ACME for AD FS |
| 446 | + |
| 447 | +This method is necessary when your internal CA is not trusted by external partners or when client devices do not have your internal root CA certificate installed. It provides a free, automated way to maintain a trusted public endpoint. |
| 448 | + |
| 449 | +### Install WIN-ACME and Prepare for Validation |
| 450 | + |
| 451 | +First, download the latest [WIN-ACME](https://www.win-acme.com/) release and extract it to a permanent location like `C:\win-acme`. |
| 452 | + |
| 453 | + |
| 454 | + |
| 455 | +### Create the Automated Renewal Script |
| 456 | + |
| 457 | +Because AD FS does not use standard IIS bindings, we must use a script to apply the new certificate upon renewal. Create the directory `C:\Scripts` and save the following PowerShell script as `ADFSSSLRenewal.ps1`. This script is specifically designed to update *only* the SSL certificate, leaving your internal token-signing certificates untouched. |
| 458 | + |
| 459 | + |
| 460 | +<!-- TODO add second alternative adfs ssl --> |
| 461 | +```PowerShell |
| 462 | +# C:\Scripts\ADFSSSLRenewal.ps1 |
| 463 | +param($CertThumbprint) |
| 464 | +try { |
| 465 | + # Apply certificate to AD FS SSL binding with warning suppression |
| 466 | + Set-AdfsSslCertificate -Thumbprint $CertThumbprint -WarningAction SilentlyContinue |
| 467 | + |
| 468 | + # For ADFS 2016+ with alternate TLS binding mode, also update the certauth binding |
| 469 | + try { |
| 470 | + Set-AdfsAlternateTlsClientBinding -Thumbprint $CertThumbprint -Force $true -Confirm:$false -WarningAction SilentlyContinue |
| 471 | + Write-Output "Updated alternate TLS client binding for certificate authentication" |
| 472 | + } |
| 473 | + catch { |
| 474 | + Write-Warning "Could not update alternate TLS binding - may not be configured: $($_.Exception.Message)" |
| 475 | + } |
| 476 | + |
| 477 | + # Restart AD FS service without prompting |
| 478 | + Restart-Service adfssrv -Force -Confirm:$false |
| 479 | + |
| 480 | + Write-Output "AD FS certificate updated successfully for both endpoints: $CertThumbprint" |
| 481 | + exit 0 |
| 482 | +} |
| 483 | +catch { |
| 484 | + Write-Error "Failed to update AD FS certificate: $($_.Exception.Message)" |
| 485 | + exit 1 |
| 486 | +} |
| 487 | +``` |
| 488 | +
|
| 489 | +
|
| 490 | +### Request the Certificate and Configure Renewal |
| 491 | +
|
| 492 | +Now, run `wacs.exe` to request the certificate and set up the automated renewal task. |
| 493 | +
|
| 494 | +1. Open PowerShell as an Administrator and navigate to your WIN-ACME directory. |
| 495 | +2. Run the following command, replacing the email address with your own: |
| 496 | +
|
| 497 | +```PowerShell |
| 498 | +.\wacs.exe --source manual ` |
| 499 | + --host "adfs.example.com","certauth.adfs.example.com" ` |
| 500 | + --validation selfhosting ` |
| 501 | + --store certificatestore ` |
| 502 | + --certificatestore My ` |
| 503 | + --installation script ` |
| 504 | + --script "C:\Scripts\ADFSSSLRenewal.ps1" ` |
| 505 | + --scriptparameters "'{CertThumbprint}'" ` |
| 506 | + --emailaddress "admin@example.com" ` |
| 507 | + --accepttos |
| 508 | +``` |
| 509 | + |
| 510 | + |
| 511 | +This command tells WIN-ACME to get a certificate for `adfs.example.com` and `certauth.adfs.example.com`, validate it using the built-in web server, place it in the local computer's certificate store, and configure the renewal to run the `ADFSSSLRenewal.ps1` script. |
| 512 | + |
| 513 | + |
| 514 | + |
433 | 515 | ## Verification |
434 | 516 |
|
435 | 517 | Open the address `https://adfs.example.com/adfs/ls/idpinitiatedsignon.aspx`, in an incognito or private browsing session using your preferred browser, |
|
0 commit comments