Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

adfs in production environment. how to configure it

Last post 05-20-2009, 1:56 PM by joe. 5 replies.
  •  05-19-2009, 9:19 AM 6481

    adfs in production environment. how to configure it

    I have set up ADFS web SSO successfully in the intranet; this is my configuration.

    sharepoint site https://qvsrv4.dev.sina.com/sharepoint/default.aspx

    The certificate is issued to qvsrv4.dev.sina.com

    adfs server: https://adfserver.dev.sina.com/adfs/ls/

    The certificate is issued to adfserver.dev.sina.com

    When I access https://qvsrv4.dev.sina.com/sharepoint/default.aspx, it is authenticated by the ADFS server and redirected to https://qvsrv4.dev.sina.com/sharepoint/default.aspx.

    Now I want to implement it in the production environment and have it accessible on the internet.

    With the load balancer configuration it can be accessed on the internet:

    https://sharepoint.sina.com and https://adfsserver-auth.sina.com; they show the default IIS page.

    I changed the SharePoint site's federation URL to https://adfsserver-auth.sina.com/adfs/ls/federationserverservice.asmx

    The certificate is issued to qvsrv4.dev.sina.com

    For the ADFS server, the certificate is issued to adfserver.dev.sina.com

    When an end user accesses https://sharepoint.sina.comsharepoint/default.aspx, it accepts the certificate issued by the load balancer (currently issued to *.sina.com), but in fact SharePoint can't communicate with the ADFS server. This is the error message:

    User Action
    Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server.

    Verify that the SSL certificate is neither expired nor revoked.

    Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).


    I want to ask the following questions:

    1: Is the SharePoint or ADFS server certificate issued correctly? Should it be issued to sharepoint.sina.com rather than qvsrv4.dev.sina.com?

    2: When I access https://adfsserver-auth.sina.com/adfs/ls/federationserverservice.asmx, it shows an access denied message; if I use https://192.168.10.1/adfs/ls/federationserverservice.asmx, it can be accessed and shows the getclaims() etc. methods.

    3: Should the SharePoint certificate be imported to the load balancer machine?

    4: If I use a load balancer, how do I configure ADFS and the load balancer? Is there something I should pay attention to?

    Thanks
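The third "User Action" item in the error message above (the certificate subject must match the host name portion of the Federation Service URL) and question 1 are both ordinary TLS name matching: a plain name must match the URL host exactly, and a wildcard covers exactly one leftmost label. The following is an added example, not code from this thread or from ADFS, that applies those rules offline to the names and URLs quoted in the post; the validity dates are constructed for the expiry check and nothing is fetched from the network.

```python
"""Offline check of the name/validity conditions from the ADFS error message.

Added example (not ADFS's own code). Certificate names and URLs come from
the thread; the validity window and the 'now' timestamp are constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse


def host_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style match: exact for plain names; '*.' covers one label only."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]               # ".sina.com"
    if suffix.count(".") < 2:            # refuse over-broad wildcards such as *.com
        return False
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the part the '*' has to cover
    return bool(leftmost) and "." not in leftmost


def check_certificate(cert_names, not_before, not_after, url, now):
    """Return a list of problems; an empty list means name and validity checks pass."""
    problems = []
    host = urlparse(url).hostname or ""
    if not any(host_matches(n, host) for n in cert_names):
        problems.append(f"subject/SAN {cert_names} does not match host {host!r}")
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    return problems


# Values from the thread: the FS certificate subject, the two FS URLs and the
# load balancer's wildcard certificate.
FS_CERT_SUBJECT = ["adfserver.dev.sina.com"]
INTERNAL_FS_URL = "https://adfserver.dev.sina.com/adfs/ls/"
EXTERNAL_FS_URL = "https://adfsserver-auth.sina.com/adfs/ls/federationserverservice.asmx"
LB_CERT_SUBJECT = ["*.sina.com"]
SHAREPOINT_INTERNAL_URL = "https://qvsrv4.dev.sina.com/sharepoint/default.aspx"

# Constructed validity window for the example; real values come from the certificate.
NOT_BEFORE = datetime(2009, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2010, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2009, 5, 20, tzinfo=timezone.utc)


def report():
    """Run the checks for the combinations discussed in the thread."""
    cases = {
        "internal FS cert vs internal FS URL": (FS_CERT_SUBJECT, INTERNAL_FS_URL),
        "internal FS cert vs external FS URL": (FS_CERT_SUBJECT, EXTERNAL_FS_URL),
        "LB wildcard cert vs external FS URL": (LB_CERT_SUBJECT, EXTERNAL_FS_URL),
        "LB wildcard cert vs qvsrv4.dev.sina.com": (LB_CERT_SUBJECT, SHAREPOINT_INTERNAL_URL),
    }
    return {label: check_certificate(names, NOT_BEFORE, NOT_AFTER, url, NOW)
            for label, (names, url) in cases.items()}


if __name__ == "__main__":
    for label, problems in report().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The fourth case is the one behind question 1: a certificate for *.sina.com matches adfsserver-auth.sina.com but not qvsrv4.dev.sina.com, because the wildcard can only stand in for a single label. Whichever host name the web agent is configured to call for the Federation Service, the certificate presented on that connection has to name that host; the chain-to-trusted-root item from the error message is a separate check that this offline script does not perform.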


  •  05-19-2009, 9:57 AM 6484 in reply to 6481

    Re: adfs in production environment. how to configure it

    If you are putting the FS on the public internet behind a load balancer and the LB does SSL termination, I've found that it will not work when the FS endpoint is still configured to "allow client certificates".  That is the default because the proxy uses client cert auth but the web agent does not.

    If you don't plan to use the proxy, you can just set it to "ignore" instead and then you should be able to get clean SSL.  The key is that you must get no certificate warnings when browsing to the FS fed server asmx endpoint URL from the web agent server.

    Hope that helps!

  •  05-19-2009, 8:24 PM 6489 in reply to 6484

    Re: adfs in production environment. how to configure it

    I already set it to "ignore", but when I visit the FS fed server asmx endpoint URL, it shows:

    403 - Forbidden: Access is denied.

    You do not have permission to view this directory or page using the credentials that you supplied.


  •  05-19-2009, 9:34 PM 6491 in reply to 6489

    Re: adfs in production environment. how to configure it

    Assuming that anonymous auth is enabled in IIS for this resource, you might want to also verify that there are no file permissions problems either.  The IIS anonymous user needs read access to the file.

    Otherwise, there could be a weird problem with IIS itself.  You might check the event logs to see if you can see anything.

    I also want to verify that there is no actual problem with SSL in this exchange at all and the SSL handshake is working fine.

  •  05-20-2009, 6:44 AM 6492 in reply to 6491

    Re: adfs in production environment. how to configure it

    If I use a load balancer, when configuring the ADFS agent or applications (Trust Policy - My Organization --> Applications),

    do I also need to change to the external URL instead of the internal URL?

    External URL means it can be visited on the internet, such as https://sharepoint.sina.com, not https://qvsrv4.dev.sina.com/sharepoint/default.aspx (qvsrv4 is the domain machine host name).

    Even with anonymous auth enabled, the external URL https://adfsserver-auth.sina.com/adfs/ls/federationserverservice.asmx

    can't be accessed,

    but I can use the internal host name, such as https://adfserver.dev.sina.com/adfs/ls/

    This is the IIS log.

    2009-05-20 11:26:02 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 34
    2009-05-20 11:26:04 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 41
    2009-05-20 11:26:04 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 0
    2009-05-20 11:26:06 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 0
    2009-05-20 11:26:06 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 0
    2009-05-20 11:26:07 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 0
    2009-05-20 11:26:18 192.168.40.9 HEAD / - 443 - 192.168.40.254 - 200 0 0 0

    because the ADFS web application can't communicate with the ADFS server. This is the ADFS web application log:

    User Action
    Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server.

    Verify that the SSL certificate is neither expired nor revoked.

    Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).
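The IIS log lines in the post above say more than a bare 403: the sc-substatus and sc-win32-status columns record why IIS refused. In IIS, sub-status 403.16 is "Client certificate is untrusted or invalid", and 2148204809 in hex is 0x800B0109, the Windows HRESULT CERT_E_UNTRUSTEDROOT. The following is an added example, not code from the thread, IIS or ADFS, that parses lines in that format and decodes the status triple. It assumes the default IIS 6 field order plus time-taken, since the log's "#Fields:" header was not posted; the sample lines are two of the 403 entries and the HEAD entry copied from the post.

```python
"""Decode IIS 6 W3C log lines into status, sub-status and HRESULT meaning.

Added example (not from the thread, IIS or ADFS). The field order below is
an assumption: the authoritative order is the '#Fields:' header in the log.
"""
from collections import Counter

# Assumed field order: IIS 6 default fields plus time-taken (14 columns).
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# IIS 403 sub-status values that come from the SSL / client-certificate layer.
SUBSTATUS_403 = {
    4: "SSL required",
    7: "Client certificate required",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# Windows certificate HRESULTs commonly seen in sc-win32-status.
HRESULTS = {
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010C: "CERT_E_REVOKED",
    0x800B010F: "CERT_E_CN_NO_MATCH",
}

# Copied from the post above: two of the 403 lines and the HEAD line as a contrast.
SAMPLE_LOG = [
    "2009-05-20 11:26:02 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 34",
    "2009-05-20 11:26:04 192.168.40.9 GET /adfs/fs/FederationServerService.asmx - 443 - 192.168.1.152 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+GTB6;+InfoPath.2;+.NET+CLR+2.0.50727) 403 16 2148204809 41",
    "2009-05-20 11:26:18 192.168.40.9 HEAD / - 443 - 192.168.40.254 - 200 0 0 0",
]


def parse_line(line):
    """Split one W3C line into a dict; numeric columns are converted to int."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for key in ("s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"):
        entry[key] = int(entry[key])
    return entry


def decode(entry):
    """Explain the status / sub-status / win32-status triple of a parsed entry."""
    status, sub, win32 = entry["sc-status"], entry["sc-substatus"], entry["sc-win32-status"]
    return {
        "status": f"{status}.{sub}",
        "substatus_text": SUBSTATUS_403.get(sub, "") if status == 403 else "",
        "win32_hex": f"0x{win32:08X}",          # 2148204809 -> 0x800B0109
        "hresult": HRESULTS.get(win32, ""),
    }


def summarize(lines):
    """Count (uri, status.sub, hresult) triples: the view that isolates a 403 cause."""
    counts = Counter()
    for line in lines:
        if not line or line.startswith("#"):   # skip W3C header / comment lines
            continue
        entry = parse_line(line)
        info = decode(entry)
        counts[(entry["cs-uri-stem"], info["status"], info["hresult"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Decoding the triple is the check to make before looking at file ACLs: a 403 with sub-status 16 is emitted by the certificate-validation step of the SSL layer, which distinguishes it from the NTFS-permission 403 that the earlier reply suggested checking, and the HRESULT says that the certificate offered on that connection chained to a root the server does not trust.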

  •  05-20-2009, 1:56 PM 6494 in reply to 6492

    Re: adfs in production environment. how to configure it

    I don't know what the problem here is.  If you can get to other resources on the fed server (perhaps a graphics file deployed under /adfs/ls/) then that would suggest a problem with this resource specifically or perhaps permissions of some sort.

    There may be an SSL problem here, but I'm not sure why that would generate a response from IIS if there was. 

    Unfortunately I don't have many more ideas for you as I haven't seen this particular problem and don't think it is directly related to ADFS but is more of a problem at the web server level.
