
Publicly signed certificate necessary for IMAP access through ADFS

  • It appears you need a certificate signed by a trusted root CA set as the Service Communications cert in ADFS in order for IMAP (and likely Outlook) to be able to authenticate with federated credentials. http://technet.microsoft.com/en-us/library/dd807040%28WS.10%29.aspx only recommends using a cert signed by a trusted CA, but it seems, rather, to be a requirement.

    Thanks,

    ..Sean.

  • Sean

    You could use certificates that are not signed by a trusted root CA, but you will run the risk of clients and users having constant popups or windows informing them that the certificate is not trusted until they trust the chain that it was issued from. It can be done, but we recommend a certificate from a publicly trusted source.

    Below is a bit of info from the "Install Active Directory Federation Services 2.0 for use with identity federation" document, found here: http://community.office365.com/enus/office365/w/sbetainformation/single-sign-on-id-federation.aspx

    Recommendations (certificate type: recommendation)

    Token signing certificate: We recommend that you use the default settings for token signing certificates: self-signed and auto-rollover. For more information, see Certificate Requirements for Federation Servers.

    Token encryption certificate: We recommend that you use the default settings for token encryption certificates: self-signed and auto-rollover. Clients do not need to trust this kind of certificate, but other security token services (STS) and relying parties do.

    Service communications certificate: This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. Additionally, the name of the certificate must match the name of the site. This is especially important if Internet clients will be accessing the federation server.

    SSL certificate: This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. This is especially important if Internet clients will be accessing the federation server.

    Proxy certificate: This is similar to the service communications certificate above, used by external clients. This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. This is especially important if Internet clients will be accessing the federation server proxy.

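The two requirements quoted above for the service communications certificate (it must chain to a root the client trusts, and its name must match the federation service name) can be checked on the federation server itself. The following PowerShell is an added example, not code from either post above or from the Microsoft document quoted; it assumes it runs elevated on the federation server, that the federation service name is the HostName reported by Get-AdfsProperties, and that the Subject Alternative Name extension formats in the English-locale "DNS Name=host" form. On AD FS 2.0 the cmdlets come from the Microsoft.Adfs.PowerShell snap-in; on 2012 R2 and later the ADFS module loads on demand.

```powershell
# Added example (not from the original thread or the quoted Microsoft document).
# Audits the AD FS service communications certificate against two requirements:
#   1. it chains to a root in the trusted root store (no self-signed / unknown CA),
#   2. its DNS name matches the federation service name.
# Assumptions: run elevated on the federation server; the federation service name is
# read from Get-AdfsProperties; SAN text uses the English "DNS Name=host" format.
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # AD FS 2.0 only; later versions auto-load the ADFS module
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name (OID 2.5.29.17) is what clients match the host name against.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # Legacy fallback: the subject CN, only when the certificate carries no SAN at all.
    if ($names.Count -eq 0) {
        $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
    return $names
}

function Test-NameMatch {
    param([string[]]$Names, [string]$HostName)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }   # -eq is case-insensitive in PowerShell
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one leftmost label: *.contoso.com matches
            # sts.contoso.com but not a.sts.contoso.com or contoso.com.
            $suffix = $n.Substring(1)
            if ($HostName.EndsWith($suffix)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-ServiceCommunicationsCertificate {
    param([string]$FederationServiceName)
    foreach ($entry in (Get-AdfsCertificate -CertificateType Service-Communications)) {
        $cert = $entry.Certificate
        # X509Chain.Build walks up to a root in THIS machine's trusted root store and,
        # with RevocationMode Online, also fetches CRL/OCSP. A self-signed or private-CA
        # certificate fails here unless that CA has been pushed into the store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $names   = Get-CertificateDnsNames -Cert $cert
        $nameOk  = Test-NameMatch -Names $names -HostName $FederationServiceName

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            IsPrimary   = $entry.IsPrimary
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            NotAfter    = $cert.NotAfter
            DnsNames    = ($names -join ', ')
            NameMatches = $nameOk
            ChainValid  = $chainOk
            ChainErrors = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
}

$fsName = (Get-AdfsProperties).HostName
Test-ServiceCommunicationsCertificate -FederationServiceName $fsName | Format-List
```

A SelfSigned of True or a ChainErrors value such as UntrustedRoot or PartialChain is the condition the first post ran into: the server may be perfectly happy with its own certificate while IMAP and Outlook clients, which build the chain against their own root stores, reject it. This script only proves what the federation server trusts, so repeat the check from an outside, non-domain machine against the proxy endpoint (for example with openssl s_client, confirming the verify return code is 0 and that the presented certificate carries the federation service name), since that is the view Internet clients and Office 365 get.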