
Certificate Requirements


Hi,

We are looking at implementing a Staged Exchange Migration to Office 365. Currently we have an Exchange 2003 environment with OWA and RPC configured via our TMG server, which uses a public VeriSign certificate of mail.domain.com.

We are going to implement ADFS and DirSync, and I was wondering whether we could utilise the existing certificate to get ADFS working without breaking OWA or RPC.

Cheers
Nathan

Verified Answer
  • Hello Nathan,

    Certificates play the most critical role in securing communications between federation servers, federation server proxies, Office 365, and web clients. The requirements for certificates vary, depending on whether you are setting up a federation server or a federation server proxy computer.

    When deploying a federation server, an SSL certificate is required. Because this certificate must be trusted by clients of AD FS 2.0, you should use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root. Meanwhile, the Subject name of this SSL certificate is used to determine the Federation Service name for each instance of AD FS 2.0 that you deploy. For this reason, you may want to consider choosing a Subject name on any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Office 365, and this name must be Internet-routable.

    For detailed requirements of certificates, I suggest you see the "Certificate requirements" section in the following article:
    Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on
    http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx

    Additional Information
    ===============
    How to publish AD FS 2.0 endpoints on to the internet using Microsoft ISA or TMG
    http://community.office365.com/en-us/w/sso/293.aspx

    Thank you.

    Jack Sun

All Replies
  • Hello Nathan,

    Just to add to this a bit: since you already have a third-party trusted certificate with the name mail.company.com on it, you can simply ensure that your ADFS endpoint uses that same name. If that is all in order, you should be good to go to use the same certificate; you would just need to set up the TMG rules accordingly. The instructions for that were provided by Jack above.

    -Timothy Heeney (MSFT)
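
The two replies above come down to a concrete check before you commit to reusing the TMG certificate: the certificate's Subject (or a SAN entry) has to cover the planned Federation Service name, the private key has to be present on the box that will terminate TLS, and the chain has to build to a publicly trusted root. The PowerShell below is an added example, not code from the thread or from Microsoft; it walks the local machine store and reports those properties for every certificate that has a private key. The service name mail.domain.com is an assumption taken from the question, and the SAN parsing relies on the English "DNS Name=" label that .NET's extension formatter emits on an English-locale system.

```powershell
# Added example (not from the original thread): decide whether an existing
# certificate in the local machine store can serve as the AD FS 2.0 service
# communications certificate for a planned Federation Service name.
# The service name is an assumption taken from the question above.
$FederationServiceName = 'mail.domain.com'

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common Name from the Subject
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17);
    # Format($true) yields one "DNS Name=host" line per entry on English locales
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string[]]$Names, [string]$Hostname)
    foreach ($n in $Names) {
        if ($n -ieq $Hostname) { return $true }
        # A wildcard covers exactly one label to the left of the dot
        if ($n.StartsWith('*.') -and
            $Hostname -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) {
            return $true
        }
    }
    return $false
}

function Test-AdfsServiceCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ServiceName
    )
    $names = Get-CertificateDnsNames -Cert $Cert
    # Build the chain with online revocation checking, as a client would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Names         = ($names -join ', ')
        CoversService = Test-NameCovered -Names $names -Hostname $ServiceName
        HasPrivateKey = $Cert.HasPrivateKey          # needed to terminate TLS
        ChainTrusted  = $chainOk                     # false => clients will not trust it
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter      = $Cert.NotAfter
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)  # private/self-signed: unusable for Office 365 federation
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-AdfsServiceCertificate -Cert $_ -ServiceName $FederationServiceName } |
    Format-Table -AutoSize
```

A usable candidate shows CoversService, HasPrivateKey and ChainTrusted all True with an empty ChainStatus and a NotAfter comfortably in the future. If CoversService is False, the cheapest fix is usually the one Timothy describes: name the AD FS endpoint after the certificate rather than reissue the certificate, provided that name is Internet-routable.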

  • Hello Nathan,

    Did the above replies answer your questions? If the information is helpful, please show this thread as answered so others may benefit from the information. Thank you.

    Jack Sun