Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Disable CRL Checking For Single Account Partner?

Last post 03-23-2010, 1:38 PM by joe. 2 replies.
  •  03-19-2010, 4:20 PM 7996

    Disable CRL Checking For Single Account Partner?

    We have an upcoming Account Partner that wants to use an internal CA to provide their certificates for ADFS. How do I disable CRL Checking for ADFS for this Account Partner only?

    Also, how do I import their CA certificate chain so that it is trusted?
  •  03-22-2010, 9:51 AM 7999 in reply to 7996

    Re: Disable CRL Checking For Single Account Partner?

    I did find this: http://technet.microsoft.com/en-us/library/cc738754%28WS.10%29.aspx

    However, I have no idea what to do with this script: where to put it, where/when to run it, does it need to run over and over? Does it need to be integrated into the ADFS code? Do I need to run it just once? I don't get it.
  •  03-23-2010, 1:38 PM 8005 in reply to 7999

    Re: Disable CRL Checking For Single Account Partner?

    I usually do this by manually changing the trust policy file and setting the setting that says "CheckChainExcludeRoot" to "None" for any specific configured partner that you want to disable this on. You also need to increment the trust policy version (which is near the top of the file) by one any time you make a manual change. Edit the file with the MMC closed.

    In Win2K8 ADFS v1, there is a setting in the UI for this but in 2K3 you must do this directly in the trust policy.

    In ADFS v2, you have to do this with PowerShell. :)
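
As an added illustration of the ADFS v2 (AD FS 2.0) PowerShell route joe mentions, and of the CA chain import asked about in the first post, here is a script that is not from the thread or from Microsoft's documentation. In AD FS 2.0 an account partner is a "claims provider trust", and the per-partner revocation setting is the trust's SigningCertificateRevocationCheck property (same value names as the v1 trust policy, e.g. CheckChainExcludeRoot, None). The partner name and the certificate file paths are placeholders; the snap-in name Microsoft.Adfs.PowerShell is the AD FS 2.0 snap-in on Server 2008 R2, with the ADFS module as a fallback on later versions.

```powershell
# Added example, not code from the thread. Assumptions (placeholders):
#   $PartnerName  - display name of the account partner's claims provider trust
#   $CaChainFiles - the partner's root and intermediate CA certificates (.cer / DER or Base64)
param(
    [string]$PartnerName    = 'Example Account Partner',                                   # placeholder
    [string[]]$CaChainFiles = @('C:\certs\partner-root.cer', 'C:\certs\partner-issuing.cer') # placeholder paths
)

# AD FS 2.0 ships its cmdlets as a snap-in; newer AD FS versions ship a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (-not (Get-Command Get-ADFSClaimsProviderTrust -ErrorAction SilentlyContinue)) {
    Import-Module ADFS -ErrorAction Stop
}

function Import-PartnerCaChain {
    # Put the partner's self-signed root into LocalMachine\Root and any
    # intermediates into LocalMachine\CA, so chain building for their
    # certificates succeeds without trusting anything beyond that chain.
    param([string[]]$Files)
    foreach ($file in $Files) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($cert)
        $store.Close()
        Write-Host ("Imported '{0}' (thumbprint {1}) into LocalMachine\{2}" -f $cert.Subject, $cert.Thumbprint, $storeName)
    }
}

function Disable-PartnerSigningCrlCheck {
    # Relax revocation checking for ONE claims provider trust only; every other
    # partner keeps whatever revocation setting it already has.
    param([string]$Name)
    $trust = Get-ADFSClaimsProviderTrust -Name $Name
    if (-not $trust) { throw "No claims provider trust named '$Name' exists on this federation server." }
    Write-Host ("Before: {0} -> SigningCertificateRevocationCheck = {1}" -f $Name, $trust.SigningCertificateRevocationCheck)

    Set-ADFSClaimsProviderTrust -TargetName $Name -SigningCertificateRevocationCheck None

    $after = Get-ADFSClaimsProviderTrust -Name $Name
    Write-Host ("After:  {0} -> SigningCertificateRevocationCheck = {1}" -f $Name, $after.SigningCertificateRevocationCheck)
}

# Show that the other trusts are untouched, which is the point of doing this per partner.
function Show-AllPartnerRevocationSettings {
    Get-ADFSClaimsProviderTrust |
        Select-Object Name, SigningCertificateRevocationCheck |
        Format-Table -AutoSize
}

Import-PartnerCaChain -Files $CaChainFiles
Disable-PartnerSigningCrlCheck -Name $PartnerName
Show-AllPartnerRevocationSettings
```

Run it in an elevated PowerShell session on the federation server (the LocalMachine certificate stores and the AD FS configuration both require administrator rights). The script changes only the signing-certificate check on the named trust; if that partner also sends encrypted tokens, the encryption certificate has its own analogous revocation-check property on the trust, which this example leaves at its current value.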
