It appears you need a certificate signed by a trusted root CA set as the Service Communications cert in ADFS in order for IMAP (and likely Outlook) to be able to authenticate with federated credentials. http://technet.microsoft.com/en-us/library/dd807040%28WS.10%29.aspx only recommends using a cert signed by a trusted CA, but, rather, it seems to be a requirement.
Thanks,
..Sean.
Sean
You could use certificates that are not signed by a trusted root CA, but you will run the risk of clients and users having constant popups or windows informing them that the certificate is not trusted until they trust the chain that it was issued from. It can be done, but we recommend a certificate from a publicly trusted source.
Below is a bit of info from the "Install Active Directory Federation Services 2.0 for use with identity federation" document, found here: http://community.office365.com/enus/office365/w/sbetainformation/single-sign-on-id-federation.aspx
| Certificate type | Recommendations |
| --- | --- |
| Token signing certificate | We recommend that you use the default settings for token signing certificates: self-signed and auto-rollover. For more information, see Certificate Requirements for Federation Servers. |
| Token encryption certificate | We recommend that you use the default settings for token encryption certificates: self-signed and auto-rollover. Clients do not need to trust this kind of certificate, but other security token services (STS) and relying parties do. |
| Service communications certificate | This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. Additionally the name of the certificate must match the name of the site. This is especially important if Internet clients will be accessing the federation server. |
| SSL certificate | This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. This is especially important if Internet clients will be accessing the federation server. |
| Proxy certificate | This is similar to the service communications certificate above used by external clients. This certificate needs to be trusted by clients. It should either be issued by a public certification authority (CA) or by a CA that chains up to a publicly trusted root. This is especially important if Internet clients will be accessing the federation server proxy. |
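
One way to check the service communications certificate against the two requirements listed above (a chain that clients trust, and a name that matches the site), as an added example that is not part of the original thread or of Microsoft's documentation. It assumes the AD FS 2.0 PowerShell snap-in on the federation server; `sts.example.com` and the `Test-ServiceCert` function are placeholders introduced here.

```powershell
# Added example. Run on the AD FS 2.0 federation server in an elevated session.
# 'sts.example.com' is a placeholder for your federation service name.
param([string]$FederationName = 'sts.example.com')

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-ServiceCert {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$ExpectedName
    )
    # Build the chain against THIS machine's trust store, with revocation checking.
    # A private enterprise root passes here yet is unknown to Internet clients,
    # so compare RootSubject against the public CA you expect.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Certificate)
    $count = $chain.ChainElements.Count
    $root = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate } else { $null }

    # DNS names from the SAN extension (OID 2.5.29.17), else fall back to the CN.
    # "DNS Name=" is the label English-language Windows prints; other locales differ.
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if (-not $names) { $names = @($Certificate.GetNameInfo('SimpleName', $false)) }

    # A wildcard matches exactly one DNS label, as TLS clients apply it.
    $nameOk = $false
    foreach ($n in $names) {
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($ExpectedName -match $pattern) { $nameOk = $true }
    }
    New-Object psobject -Property @{
        Subject            = $Certificate.Subject
        SelfSigned         = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainBuildsLocally = $chainOk
        ChainStatus        = @($chain.ChainStatus | ForEach-Object { $_.Status })
        RootSubject        = if ($root) { $root.Subject } else { $null }
        NameMatches        = $nameOk
    }
}

Get-ADFSCertificate -CertificateType Service-Communications |
    ForEach-Object { Test-ServiceCert -Certificate $_.Certificate -ExpectedName $FederationName } |
    Format-List
```

A result with `SelfSigned` true, `ChainBuildsLocally` false, or `NameMatches` false corresponds to the trust prompts described in the reply above.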