Self-signed cert requirements in the ADFS step-by-step guide.

Putting them all in one place for my own reference and anyone else who needs it.

How to make it go:

  • On ADFSACCOUNT, import the Token-signing certificate from ADFSRESOURCE into the local computer's Personal store.
  • On ADFSRESOURCE, import the Token-signing certificate from ADFSACCOUNT into the local computer's Personal store.
  • On ADFSWEB, import the root CA for ADFSRESOURCE into the local computer's Trusted Root Certificates store.
  • On ADFSCLIENT, import the root CA for ADFSACCOUNT, ADFSRESOURCE, and ADFSWEB into the local computer's Trusted Root Certificates store. (NB: the claimapp sample app will still work if you miss this part, you'll just get one or more "IE doesn't like this cert, do you want to continue?" prompts nagging at you when you attempt to test from the client.)

All of these can be exported as .cer files; at no point do you need to go exporting private keys from one machine to another. (I think the docs reference exporting the ADFSRESOURCE cert to ADFSWEB as a .pfx file, but I made it work without doing so, for my part.) You will achieve more reliable results if you import the certs using the Certificates MMC, not Internet Explorer, and if you do so while signed on as a local admin on the respective box, so that the certs land in the computer's cert store rather than a user-specific store. The docs indicate that the ADATUM test user doesn't need to be a local admin on the client box to run the sample app, and it doesn't...but doing the leg-work to make the certs behave as desired is another story.

To see if you have achieved self-signed certificate nirvana, confirm that you can navigate to the following URLs from the client without receiving any cert errors:

  • https://adfsaccount.adatum.com (NB: will return a blank page. That's fine, you just want to confirm that you can get there without any cert errors.)
  • https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx (Will return a standard-looking ASP.NET ASMX page.)
  • https://adfsresource.treyresearch.net (Also blank, but should fire up with no cert errors.)
  • https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx (Standard-looking ASMX page.)
  • https://adfsweb.treyresearch.net (Another blank one.)
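As an added example (not from the post or the step-by-step guide), here is a PowerShell script that does the import into the computer's store through the .NET X509Store API (so it cannot quietly land in a user store) and then runs the URL check above, reporting a cert error separately from a plain "can't reach it". The C:\certs folder and file names are assumptions; the hostnames are the guide's lab names.

```powershell
# Added example, not code from the guide or the post. Assumes the .cer files were
# exported to C:\certs with the names shown; hostnames are the guide's lab names.
function Import-CerToMachineStore {
    param([string]$CerPath, [ValidateSet('My','Root')][string]$StoreName)
    # A .cer carries the public certificate only, so no private key leaves any box.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # 'LocalMachine' is the computer store the post insists on; opening it ReadWrite
    # throws unless this runs as a local admin, so you cannot end up in a user store by accident.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)          # no-op if the same thumbprint is already present
    $store.Close()
    "{0,-5} <- {1} [{2}]" -f $StoreName, $cert.Subject, $cert.Thumbprint
}

function Test-TlsEndpoint {
    param([string]$Url)
    # Any HTTP answer, even 401 or 404, means the TLS handshake validated the server cert.
    # A TrustFailure is the same condition that produces IE's "do you want to continue?" prompt.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close()
        return "{0,-62} OK (HTTP {1})" -f $Url, $code
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq 'TrustFailure') {
            return "{0,-62} CERT ERROR: {1}" -f $Url, $ex.InnerException.Message
        }
        if ($ex.Response) { return "{0,-62} OK (HTTP {1})" -f $Url, [int]$ex.Response.StatusCode }
        return "{0,-62} UNREACHABLE: {1}" -f $Url, $ex.Message
    }
}

# On ADFSCLIENT (elevated prompt): the three lab root CAs go to Trusted Root. On the two
# federation servers the peer's Token-signing .cer goes to 'My' (Personal) instead, e.g.
#   Import-CerToMachineStore -CerPath C:\certs\ADFSRESOURCE-tokensigning.cer -StoreName My
'ADFSACCOUNT','ADFSRESOURCE','ADFSWEB' | ForEach-Object {
    Import-CerToMachineStore -CerPath "C:\certs\$_-rootca.cer" -StoreName Root
}

# The five URLs from the post; every line should read OK before calling it nirvana.
@('https://adfsaccount.adatum.com',
  'https://adfsaccount.adatum.com/adfs/fs/federationserverservice.asmx',
  'https://adfsresource.treyresearch.net',
  'https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx',
  'https://adfsweb.treyresearch.net') | ForEach-Object { Test-TlsEndpoint $_ }
```

Run the import section on each box as the post lists it (swapping in the Token-signing .cer and the My store on the two federation servers), then the URL loop on ADFSCLIENT only.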

The moral of this story being, of course, that self-signed certificates will be the death of me before this day is over.

Posted on Monday, June 30, 2008 at 11:22AM by Laura E. Hunter

Suffering Mightily Under the Iron Fist of PKI

So. The 2008 ADFS Step-by-Step guide. (Thank you Matt for the link, once again.)

The ADFS part? Fairly easy, if you don't count the trailing '/' in the definition of the application URL that, as it turns out, really, really matters, and cost me 30 minutes of head-scratching right at the end after I'd figured out everything else.

Now, the PKI (read: "everything else") part? Took me the whole fracking weekend to get it right. I don't know if the docs are only 90% of the way there, or if I just wasn't reading carefully enough. JoeK does not kid when he tells you that "publicly-signed PKI certificates are the key to salvation when configuring ADFS."

I shall now officially dub the last 3 days: "The ADFS Weekend of Repeated and Abject Failures, though Happily Everything Ended Well." Too long for a t-shirt slogan, but otherwise captures things quite nicely.


Posted on Sunday, June 29, 2008 at 06:10PM by Laura E. Hunter

Better to fight your battles with duct tape...duct tape makes you smart.

Burn Notice returns to us on July 10th. I am...ridiculously amped.

Posted on Sunday, June 29, 2008 at 12:05PM by Laura E. Hunter

Step-by-Step Guide for AD FS in Windows Server 2008

http://technet2.microsoft.com/windowsserver2008/en/library/a018ccfe-acb2-41f9-9f0a-102b80a3398c1033.mspx?mfr=true

It's the same basic "playing around with AD FS" scenario that was released as a .DOC file for R2 - treyresearch and adatum and a claims-aware web app, puts the FSA and FSR on a DC, uses self-signed certs...though it's not actually all that hard to install AD CS on the DCs and use an enterprise CA instead of self-signed for this purpose. All the usual "not for production use" caveats are in effect: for those familiar with the phrase, it's "the bouncy slide" in action.

I'm listing it here because I seriously had no idea that this had been updated for 2008 until the link was sent to me, and my Google-fu usually doesn't let me down that hard, so maybe someone else can't find it either. 

The consolation prize is that my "muddling around and doing what made sense in my head" has actually been a pretty good match to documentation that I hadn't yet seen, so rock on with my bad self, and all.

(Side note - the navigation on that jump-off page actually isn't the greatest - if you're looking for "Click here for step 1", "Click here for step 2", etc., on the main pane, you're not going to find it. Rather, you'll need to expand the nav-bar in the left-hand pane to drill down to the actual steps involved.)

Posted on Thursday, June 26, 2008 at 05:27PM by Laura E. Hunter

With apologies to Jeff Foxworthy...

If your idea of "taking a break" from working is to lie out in the grass under the sun...and listen to an ADFS podcast on your iPod (Hi Matt!), then you just might be an Identity nerd. 

Posted on Thursday, June 26, 2008 at 12:01PM by Laura E. Hunter