I'm having difficulty using a certificate obtained from an Enterprise Root CA as a signing and/or decryption certificate. I've chosen not to use the automatic roll-over of the signing certificate because of the risk that my relying parties are no longer able to use the AD FS server when this occurs. In my experience systems administrators forget to manage the updating of relying parties pro-actively. I choose the Enterprise Root CA because that way I can have SharePoint trust the CA Root certificate, so I do not have to trust a new certificate every time the signing certificate updates.

The point is now: I can only use a certificate from an Enterprise Root CA if I request it from IIS (so a web server certificate), which does not have the lifetime and key length I want. When I create a new certificate template based on the web server certificate template, no matter what I do I get an AD FS event 133 (cannot access private key). I do have private key permissions set properly (like I do with the key generated from IIS), so I guess there is something else about the certificate that AD FS does not like. (Btw: I have a 2012 AD FS server and a 2008 R2 domain controller.)

Thomas Stensitzki: Start the AD FS configuration by using the link AD FS Federation Server Configuration Wizard. Select Create a new Federation Service and. Recommendation: Use the same certificate as you use for SSL. By default, AD FS configures the SSL certificate provided upon initial configuration as the service communication certificate.