Adventures in Demoland Part 1: Windows Server 2012 R2 and Windows 8.1

When Windows 8.1 and Windows Server 2012 R2 preview hit us last week, I decided to start looking at my demo builds for things like our IT Camps, TechNet Live and TechEd events. I found a really interesting article entitled:

Solution Guide: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications

Sounded good to me, so I decided to go through it and was pleasantly surprised to find it was a step-by-step guide to setting up a lab to test this stuff. Based on that, I figured I would set it up on Client Hyper-V for TechEd 2013 later in the year. All was going well, until I got to the section where I needed to set up an SSL certificate for the ADFS1 server, and there were no directions at all, other than the following:

You will need to install a server SSL certificate on the ADFS1 server in the local computer store. The certificate MUST have the following attributes:

  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

For more information on setting up SSL certificates, see

And that’s LITERALLY what it said! See, umm, what exactly? Looks like the step-by-step doco for that is still some time away, so I decided to just get an Enterprise CA installed onto the DC myself and get the SSL cert stuff enrolled through the Web Site. It struck me that possibly some of you out there might want some help with that, so below I list out a step-by-step guide to getting this done in the lab environment described through the solution guide. Maybe if I’m lucky I will get this added to the actual Solution Guide online and get my name up in lights :)

Macca’s Guide to the DC1 SSL Cert

First, we need to install Certificate Services on DC1:

  1. Open Server Manager and hit up the Add Roles and Features Wizard.
  2. Install Active Directory Certificate Services and when you get to the role features part of the wizard, you only need to choose Certification Authority and Certification Authority Web Enrollment. (Technically, you don't need the second option, but I find it easy to use the web site to grab the CA cert chain, so I install it.)
  3. Take the defaults for the rest of the wizard and when the role has finished installing, click the link to finish configuring the service on the server.
  4. Choose to configure both role services.
  5. Leave all the defaults as is and mash next until you have finished (wipe your brow after all that hard work)

OK, now if you are like me, if there’s one thing you hate it’s when the Microsoft person does a demo involving a web site configured with HTTPS and up comes the chestnut error indicating they were too lazy to install the CA chain in their trusted root store, so we are going to sort that out. Firstly though, we need to make sure the Certificate Services Web Site is secured properly with SSL, so we will need to create an SSL cert for IIS, which I have taken from the Wiki article at https://social.technet.microsoft.com/wiki/contents/articles/12039.active-directory-certificate-services-ad-cs-error-in-order-to-complete-certificate-enrollment-the-web-site-for-the-ca-must-be-configured-to-use-https-authentication.aspx :

  1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
  2. Expand the certification authority so that you can see Certificate Templates.
  3. Right-click Certificate Templates and then click Manage. If you don't see these options, then run the following command: certtmpl.msc to open the Certificate Templates console.
  4. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.
  5. In the General tab, under Template display name, type a name that you want to use for the template. For example, SSL Certificates.
  6. On the Security tab you must ensure the computer account has the ability to enroll for the template. To do so, click Add.
    • In Select Users, Computers, Service Accounts, or Groups, type the name of the user or group that you want to use for enrollment. Click Check Names, and then click OK.
    • Ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.
    • Click Add.
    • Click Object Types, select Computers, and then click OK.
    • Enter the name of the computer hosting the CA Web Enrollment pages; make sure you do this for ADFS1 as well. Click Check Names, and then click OK.
    • Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK.
  7. On the Subject Name tab select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. (Observation: for the certificate to appear in the Certificate Web Enrollment, it will be necessary to click and choose Supply in the request, instead of Build from this Active Directory information.)
  8. On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.
  9. Close the Certificate Templates console and return to the Certification Authority console.
  10. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  11. In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.
  12. Go through this process again, duplicating the Web Server template, naming it ADFS SSL Certificate and leaving the Subject Name tab at the defaults.

We now need to request an SSL cert for IIS to use on DC1:

  1. On the IIS server hosting the CA Web Enrollment pages, open an MMC console. To do so, you can open a command prompt, the run dialog box, or Windows PowerShell, type mmc and then press ENTER.
  2. In the new MMC console (Console1) click File, and then click Add/Remove Snap-in.
  3. From the list of Available snap-ins, select Certificates and then click Add.
  4. Select Computer account and then click Next.
  5. In Select Computer the Local computer is selected by default. Click Finish and then click OK.
  6. Expand Certificates (Local Computer) and then right-click Personal. Click All Tasks, and then click Request New Certificate.
  7. On the Certificate Enrollment wizard, click Next.
  8. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
  9. On Certificate Enrollment, select SSL Certificates, click Enroll. Click Finish.

Now we enable SSL on the Default Web Site so we can use https on the certsrv site:

  1. On the IIS server hosting the CA Web Enrollment pages, open the Internet Information Services (IIS) Manager.
  2. Expand the server and Sites nodes until you can see Default Web Site.
  3. Click Default Web Site.
  4. On the Actions pane, click Bindings.
  5. In Site Bindings, click Add.
  6. In Add Site Binding, set Type to https.
  7. Set SSL certificate to the certificate that you issued to the server. You can confirm you have the correct certificate by clicking View. The certificate's purpose should be Ensures the identity of a remote computer. To further verify, you can click the Details tab of the certificate. Select Enhanced Key Usage and ensure that it reads Server Authentication (1.3.6.1.5.5.7.3.1) . Click OK.
  8. On Add Site Binding, click OK. On Site Bindings, click Close.

OK, we can now use https://dc1.contoso.com/certsrv without getting the fail warning message.

Now, jump over to your ADFS1 box and we need to get an SSL cert installed for this one with the extra Subject Alternative Name. The cool thing is that we already have one of the SANs we need through the certificate template, so I have cut down your work by two thirds :) First, however, you need to get the root cert of the CA into the Trusted Root Store, and we can do this by hitting https://dc1.contoso.com/certsrv , downloading the CA chain and putting it into the Trusted Root store.

Basically, after this you just need to open up the Certificates MMC similar to what you did before to enrol the SSL Cert for DC1, but this time follow the instructions found at https://technet.microsoft.com/en-us/library/ff625722(v=WS.10).aspx under the section titled “To Use the Certificate Enrollment Wizard with an Enterprise CA” to add the enterpriseregistration SAN to the certificate.
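
The same ADFS1 request can be scripted and then checked against the three attributes the Solution Guide insists on. This is an added example, not part of the original walkthrough or the Solution Guide. It assumes the template's internal name is `ADFSSSLCertificate` (the display name with the spaces removed), that the template still takes its subject from the request, and that ADFS1 has Enroll permission on it; `Test-LabSslCertificate` is a hypothetical helper name.

```powershell
# Added example: run in an elevated session on ADFS1, after the CA chain has been
# imported into the Trusted Root store.
# Assumption: 'ADFSSSLCertificate' is the internal name of the template duplicated
# as "ADFS SSL Certificate"; confirm it on the template's General tab.
$templateName = 'ADFSSSLCertificate'
$subjectCn    = 'adfs1.contoso.com'
$dnsNames     = @('adfs1.contoso.com', 'enterpriseregistration.contoso.com')

function Test-LabSslCertificate {
    param([string]$Thumbprint, [string]$ExpectedCn, [string[]]$ExpectedDns)

    # Re-read the certificate from the local computer store the guide requires.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
    if ($cert.GetNameInfo('SimpleName', $false) -ne $ExpectedCn) {
        $problems += "subject CN is not $ExpectedCn"
    }

    # DnsNameList comes from the DNS entries of the SAN extension.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($name in $ExpectedDns) {
        if ($sans -notcontains $name) { $problems += "missing SAN $name" }
    }

    # Server Authentication (1.3.6.1.5.5.7.3.1) must be in Enhanced Key Usage.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'Server Authentication EKU missing'
    }

    # Chain, validity and name checks under the SSL policy; fails on an untrusted root.
    foreach ($name in $ExpectedDns) {
        if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $name -ErrorAction SilentlyContinue)) {
            $problems += "SSL policy validation failed for $name"
        }
    }
    return $problems
}

$result = Get-Certificate -Template $templateName -SubjectName "CN=$subjectCn" `
    -DnsName $dnsNames -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Certificate request status: $($result.Status)" }

$problems = Test-LabSslCertificate -Thumbprint $result.Certificate.Thumbprint `
    -ExpectedCn $subjectCn -ExpectedDns $dnsNames
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Certificate meets the Solution Guide requirements.' }
```

A failed SSL policy check here usually means the CA chain is not yet in the Trusted Root store on ADFS1, which is the same condition that produces the browser warning mentioned earlier.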

After this, you are ready to start installing and configuring ADFS as per the Solution Guide!