SSL Certificates - Windows Certificate Service

To allow a seamless SSO experience (via a hidden SAML login to My1Login), the ADC must have an HTTPS binding on its internal endpoint. This is because the SAML login to My1Login must communicate with the ADC from the user’s browser, and the XHTML mechanism used for this does not work if it makes http rather than https calls. Looking at the diagram below, all the requests (1, 2, 3 and 4) must use the same binding.



1.1 Overview

You will be creating a certificate on your Domain Controller and binding it to the ADC endpoint.

1.2 Prerequisites

  1. Active Directory Certificate Services installed
  2. Certificate generation uses SHA256 rather than SHA1

1.2.1 Generating SHA256 Certificates from Windows

Most modern browsers will warn about, or refuse to trust, a certificate signed with the default SHA1 hashing algorithm.

The following steps configure your Certification Authority to sign certificates using SHA256. Alternatively, you can create a copy of the Web Server template and configure it appropriately.

  1. Open an elevated (run as administrator) command prompt.
  2. Run the following commands:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

1.3 Create a Suitable Certificate

This section shows one method for creating a suitable certificate.  You can use any method you are familiar with, provided the Subject Name and SAN match the pattern described here.

The following diagram illustrates the settings used in this document: the server hostname will be “adc-server”, the domain is “dev.my1login” and the ADC will be assumed to be on its default port of 47810.

The certificate’s subject must match the FQDN of the ADC server, in this case “adc-server.dev.my1login”.

The certificate must also have a valid SAN (Subject Alternative Name) containing that FQDN; otherwise Chrome version 58 or later will report a security error, because it no longer falls back to the Common Name.

1.4 Certificate Generation using AD Certificate Services

This assumes that you have installed the AD Certificate Services on the domain controller and that you've generated a root CA for the domain.

This process should be carried out on the ADC server and will result in the certificate being generated and installed on that server.

The screenshots in this section show the configuration for the above example.

  1. On the ADC server, run MMC and open the Certificates snap-in
    1. Select the Computer account / Local computer options
  2. Drill down to the Personal / Certificates folder
  3. Right click on Certificates and select All Tasks -> Request New Certificate…
  4. Click Next on the initial screen
  5. Click Next on the Select Certificate Enrolment Policy screen

You will now configure the Web Server template.



If you do not see the Web Server template, then either:

The template may not have been added to the Certification Authority’s list. Right click on Certificate Templates, click New / Certificate Template to Issue and add the certificate template.

- or -

Your user/computer does not have permission to use (Enrol) that template. You will need to have the correct permissions set against the template. This is managed from the Certificate Templates Console. Details on using this tool may be found at https://technet.microsoft.com/en-us/library/cc772457(v=ws.11).aspx


If you can see the Web Server template:

  1. Check the tick box beside the Web Server template
  2. Click on the blue text, beside the information icon, to launch the configuration screen.

We have found that the following settings work with Chrome’s SAN requirements:

  1. In the Subject Name area, select the Type as Common name and enter the FQDN of the ADC server.
    1. In our example this is adc-server.dev.my1login
  2. In the Alternative Name area, select the Type as DNS and enter the same FQDN of the ADC server.
  3. Click the Add > button beside each area.
  4. Click OK.
  5. Ensuring that the Web Server tick box is checked, click on Enroll.

You should now see the certificate in the snap-in.
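Before binding, it is worth confirming that the enrolled certificate actually meets the requirements this document sets out (subject CN and DNS SAN equal to the ADC FQDN, SHA256 signature, Server Authentication usage, private key present). The following PowerShell check is an added example, not part of the My1Login article or its tooling; it assumes the example FQDN from the text and that it is run on the ADC server with access to the Local Computer store.

```powershell
# Added example (not from the My1Login article): validate the certificate enrolled
# into LocalMachine\My against the requirements described in this document.
# Assumption: the FQDN below is the article's example value; change it for your server.
$Fqdn = 'adc-server.dev.my1login'

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$Fqdn found in Cert:\LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    # Subject Alternative Name extension (OID 2.5.29.17). Chrome 58+ ignores the CN,
    # so the FQDN must appear here as a DNS name.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $hasDnsSan = $sanText -match "DNS Name=$([regex]::Escape($Fqdn))"

    # Enhanced Key Usage extension (OID 2.5.29.37) should include
    # Server Authentication (1.3.6.1.5.5.7.3.1), which the Web Server template issues.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

    $now = Get-Date
    [pscustomobject]([ordered]@{
        'Thumbprint'            = $cert.Thumbprint
        'Issuer'                = $cert.Issuer
        'Subject matches FQDN'  = $true
        'DNS SAN matches FQDN'  = $hasDnsSan
        'Signed with SHA-256'   = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
        'Server Authentication' = [bool]$hasServerAuth
        'Has private key'       = $cert.HasPrivateKey
        'Currently valid'       = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    })
}
```

Every row should read True for the certificate you intend to bind; a False for the SAN or SHA-256 rows means the template or CA hash setting above still needs attention.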

1.5 Using a Publicly Issued Certificate

If you do not have AD Certificate services, then you can bind a publicly issued certificate (single domain or wildcard) to the ADC endpoint.

If you choose to take this approach, the fully qualified domain name on the certificate must resolve to the IP address of the server on which the ADC is installed. This can be done via AD DNS services (preferred) or a public DNS server if there is no other option.

1.6 Bind the Certificate to the ADC

From the ADC Management App, select the Certificate Binding tab.

If the Selected Certificate drop-down does not show any certificates and you’ve just created one, toggling the “Only Load Valid Certificates” checkbox will force a reload of all certificates on the server that match the machine’s hostname.

Select the required certificate in the Selected Certificate drop-down.

Unless you have a specific requirement to do otherwise, leave Bind to IP Address at 0.0.0.0 (all interfaces) and click the Bind to Selected IP button.

The Bound Certificate and Bound To IP:Port boxes will update to show the new binding.
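To confirm the binding from a client’s point of view, you can open a TLS connection to the ADC endpoint and inspect the certificate it presents, rather than trusting the management app’s display alone. The script below is an added example, not part of the My1Login article or the ADC software; it assumes the example hostname and default port from this document and uses the .NET SslStream class to perform the handshake.

```powershell
# Added example (not from the My1Login article): connect to the ADC endpoint over TLS
# and check that the presented certificate is the one enrolled earlier and chains to a
# trusted CA. Assumptions: the article's example FQDN and default port 47810.
$Fqdn = 'adc-server.dev.my1login'
$Port = 47810

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; trust is evaluated below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
    } finally {
        $client.Dispose()
    }
}

$result    = Get-PresentedCertificate -HostName $Fqdn -Port $Port
$presented = $result.Certificate

# The certificate the binding should be using: the newest one in LocalMachine\My with CN = FQDN.
$expected = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Build the chain using this machine's trust store, as a domain-joined browser would.
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chainOk = $chain.Build($presented)

[pscustomobject]([ordered]@{
    'TLS protocol'               = $result.Protocol
    'Presented subject'          = $presented.Subject
    'Presented thumbprint'       = $presented.Thumbprint
    'Matches enrolled cert'      = ($expected -and $presented.Thumbprint -eq $expected.Thumbprint)
    'Chain builds to trusted CA' = $chainOk
    'Chain status'               = (($chain.ChainStatus.StatusInformation -join '; ')).Trim()
})
```

If the thumbprint does not match the enrolled certificate, the ADC is still serving a previous binding; if the chain does not build, the domain root CA is not trusted on the machine running the check.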
