We’re seeing a lot of activity around configuring environments for the AX mobile apps. One of the more complex steps in that configuration is setting up Active Directory Federation Services (AD FS), and one consistent issue we are seeing is the lack of an SSL certificate issued by a certificate authority (CA). The mobile app exchanges the user’s credentials and the resulting tokens with AD FS, so SSL is used to keep that exchange from being eavesdropped on, and that protection only works if the client can verify that the server it is talking to is really your AD FS server.
In some cases a “self-signed” (or “self-issued”) certificate is being used. The mobile device has no way to verify such a certificate, so the SSL handshake fails and the app never sends an authentication request to AD FS. To use SSL, the site the mobile app communicates with (in this case the AD FS server) must present a certificate issued by a CA that the mobile device already trusts, and the certificate must be issued for the AD FS host name the app connects to. The CA validates that the certificate is being issued to the owner of that domain, which is what lets the device tell your AD FS server apart from an impostor. SSL certificates are inexpensive, with prices starting at under 100 USD.
There is a second certificate involved in AD FS configuration, the token-signing certificate. AD FS uses it to sign the security token it issues to the mobile app after the user’s credentials have been authenticated. That certificate can be self-signed and does not need to come from a CA: the relying party that consumes the token obtains the signing certificate from the AD FS federation metadata (or from its own configuration) and verifies token signatures against that known key rather than against a CA chain.
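The following PowerShell is an added example written for this page; it is not code from the original post or from the AX or AD FS products. It connects to an AD FS host, pulls the SSL (service communications) certificate the server presents, and reports what a client holding only the usual CA roots would conclude about it (chain trust, host name match, expiry). It then reads the token-signing certificate(s) out of the federation metadata to show that those are verified by key, not by CA. The farm name adfs.contoso.com, port 443, the AD FS 2.0 metadata path, and the English “DNS Name=” label in the Subject Alternative Name output are assumptions. The name check applies the usual single-label wildcard rule; whether the AX mobile app itself accepts a wildcard certificate is not something this post establishes.

```powershell
# Added example: a diagnostic for the two AD FS certificates discussed above.
# It is not code from the original post or from the AX/AD FS products.
# Assumptions: the AD FS farm answers on port 443, publishes AD FS 2.0-style metadata at
# /FederationMetadata/2007-06/FederationMetadata.xml, and 'adfs.contoso.com' is a placeholder name.

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    # Standard TLS name matching: exact match, or a single-label wildcard in the leftmost
    # position only (*.contoso.com matches adfs.contoso.com, but not contoso.com or a.b.contoso.com).
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        return ($h.EndsWith($p.Substring(1)) -and ($h.Split('.').Length -eq $p.Split('.').Length))
    }
    return $false
}

function Test-AdfsServiceCertificate {
    # Fetches the SSL (service communications) certificate the AD FS host presents and checks
    # it the way a mobile device does: does it chain to a trusted CA, and does it name this host?
    param([string]$AdfsHost = 'adfs.contoso.com')   # placeholder, not a real farm

    # Accept any certificate for this probe only, so we can inspect what the server sends
    # instead of failing the way the mobile app does.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($AdfsHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($AdfsHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Chain validation against this machine's trust store. A self-signed certificate fails here
    # with UntrustedRoot unless it was explicitly imported, which is what the device would need too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Collect the DNS names the certificate is valid for: the primary name plus any Subject
    # Alternative Names. Format() output is localized; 'DNS Name=' is the English label (assumption).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($names | Where-Object { $_ } | Select-Object -Unique)
    $nameOk = @($names | Where-Object { Test-DnsNameMatch -Pattern $_ -HostName $AdfsHost }).Count -gt 0

    New-Object PSObject -Property @{
        Host              = $AdfsHost
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted      = $chainOk
        ChainStatus       = $chainStatus
        DnsNames          = ($names -join ', ')
        NameMatches       = $nameOk
        UsableByMobileApp = ($chainOk -and $nameOk -and ($cert.NotAfter -gt (Get-Date)))
    }
}

function Get-AdfsTokenSigningCertificate {
    # Lists the token-signing certificate(s) published in federation metadata. Relying parties
    # take the signing key from here (or from their own configuration), not from a CA chain,
    # which is why this certificate may be self-signed. The download itself runs over SSL, so
    # it fails for an untrusted service certificate for the same reason the mobile app does.
    param([string]$AdfsHost = 'adfs.contoso.com')   # placeholder, not a real farm
    $url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$meta = (New-Object System.Net.WebClient).DownloadString($url)
    $ns = New-Object System.Xml.XmlNamespaceManager($meta.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $meta.SelectNodes($xpath, $ns) | ForEach-Object {
        $raw = [Convert]::FromBase64String($_.InnerText.Trim())
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        New-Object PSObject -Property @{
            Subject = $c.Subject; Issuer = $c.Issuer; Thumbprint = $c.Thumbprint
            NotAfter = $c.NotAfter; SelfSigned = ($c.Subject -eq $c.Issuer)
        }
    } | Sort-Object Thumbprint -Unique
}

Test-AdfsServiceCertificate -AdfsHost 'adfs.contoso.com' | Format-List
Get-AdfsTokenSigningCertificate -AdfsHost 'adfs.contoso.com' | Format-List
```

Run it from a workstation that has only the standard CA roots, not from the AD FS server itself, since the server often has its own self-signed certificate in its trusted root store and would report ChainTrusted as true where a phone would not. A result with SelfSigned true and ChainTrusted false is exactly the condition that stops the mobile app; a SelfSigned true result for the token-signing certificate is expected and fine.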
Following are some helpful references:
This article explains the certificate requirements for AD FS: http://technet.microsoft.com/en-us/library/dd807040(v=ws.10).aspx.
This article explains the process for requesting a certificate from a CA: http://msdn.microsoft.com/en-us/library/windowsazure/gg981937.aspx.
For general information about SSL, refer to this article: http://msdn.microsoft.com/en-us/library/windows/desktop/aa364691(v=vs.85).aspx.
Hopefully that will help clear up some of the confusion about SSL certs and AD FS.
There's really no excuse, with people like StartSSL giving fully trusted ones away for free and even the pay-for ones being so cheap these days. Though it strikes me as odd that you guys don't provide them to your customers when they buy Windows Server.
Simon, I appreciate your comment; good point about low- or no-cost SSL certs. Regarding your question about providing certs with Windows: I don't speak for the Windows team, but to be clear, Microsoft does not operate as a certificate authority, so that's why we defer to third-party CAs to issue SSL certs.
Can wildcard certs be used?
Hi Phill, that's a great question! It's not a scenario that we've actively tested. I'll take a look and get back to you with more information.
I'm having trouble getting the current pre-sales demo image working; Event Viewer reports:
xxxxxx.servicebus.windows.net.servicebus.windows.net/Config is OFFLINE!
Any ideas?
You can get it to work with a self-signed certificate, but you'll need to import that certificate on your mobile device. This did the job on my Windows Phone (7.8), but doesn't seem to work on an iPhone.