ADFS 3.0 HTTP Proxy & CRL Checking
5 Sep
During an implementation project I found myself in a situation where authentication on my ADFS environment failed because CRL checking could not be performed. At that moment we did not yet have access to the outbound proxy, so I had to temporarily disable CRL checking for the relying parties. I used the following commands:
```powershell
# Command to get the Certificate Revocation List check properties of the Relying Parties
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```
```powershell
# Command to disable the Certificate Revocation List check properties of the Relying Party
Get-AdfsRelyingPartyTrust -Name NAME | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
```
You can use the following CRL properties per relying party in ADFS:
- None
- CheckEndCert
- CheckEndCertCacheOnly
- CheckChain
- CheckChainCacheOnly
- CheckChainExcludeRoot
- CheckChainExcludeRootCacheOnly
When we finally got access to the outbound proxy we needed to configure the WinHTTP proxy so that ADFS could actually use it (ADFS does not use the user's Internet Explorer proxy settings for CRL retrieval):
```powershell
# Command to show the current WinHTTP proxy
netsh winhttp show proxy

# Command to configure a new WinHTTP proxy with bypasses for *.domain.local and *.domain2.local
netsh winhttp set proxy your.http.proxy:8080 "<local>;*.domain.local;*.domain2.local"
```
And re-enable CRL checking:
```powershell
# Command to enable the Certificate Revocation List check properties of the Relying Party (back to default settings)
Get-AdfsRelyingPartyTrust -Name NAME | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck CheckChainExcludeRoot -EncryptionCertificateRevocationCheck CheckChainExcludeRoot
```
After this change and a restart of the ADFS service, ADFS could successfully perform CRL checking and authentication succeeded.
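The risk in the workaround above is that a relying party is left at `None` after the proxy is fixed, because the "re-enable" step assumes every party was at the default before. The following script is an added example (not from the original post) that snapshots the per-relying-party revocation settings before disabling them, restores exactly the recorded values afterwards, and reports anything still at `None`; it assumes the ADFS PowerShell module is available on the federation server and that `$SnapshotPath` points to a writable location.

```powershell
# Added example: snapshot, disable and restore per-relying-party revocation checks.
# Assumption: run on the ADFS server in an elevated session; $SnapshotPath is writable.
$SnapshotPath = 'C:\Temp\adfs-rp-revocation.xml'

function Save-RpRevocationSettings {
    # Record the current values for every relying party before changing anything.
    Get-AdfsRelyingPartyTrust |
        Select-Object Name, Identifier,
                      SigningCertificateRevocationCheck,
                      EncryptionCertificateRevocationCheck |
        Export-Clixml -Path $SnapshotPath
}

function Disable-RpRevocationCheck {
    # Temporarily switch off both checks for one named relying party.
    param([Parameter(Mandatory)][string]$Name)
    Get-AdfsRelyingPartyTrust -Name $Name |
        Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None `
                                  -EncryptionCertificateRevocationCheck None
}

function Restore-RpRevocationSettings {
    # Put every relying party back to the value in the snapshot (not blindly to
    # CheckChainExcludeRoot), then list any party that still has a check disabled.
    foreach ($rp in (Import-Clixml -Path $SnapshotPath)) {
        Get-AdfsRelyingPartyTrust -Name $rp.Name |
            Set-AdfsRelyingPartyTrust `
                -SigningCertificateRevocationCheck    $rp.SigningCertificateRevocationCheck `
                -EncryptionCertificateRevocationCheck $rp.EncryptionCertificateRevocationCheck
    }
    Get-AdfsRelyingPartyTrust |
        Where-Object { $_.SigningCertificateRevocationCheck -eq 'None' -or
                       $_.EncryptionCertificateRevocationCheck -eq 'None' } |
        Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
}

# Sequence matching the situation in the post ('NAME' is the failing relying party):
Save-RpRevocationSettings
Disable-RpRevocationCheck -Name 'NAME'
# ... configure the WinHTTP proxy with netsh and restart the ADFS service ...
Restore-RpRevocationSettings   # no output means nothing is left at None
```

Keep the snapshot file with the change ticket; it is the evidence of what was disabled and when it was put back.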