Update Local Development Environment Certificates

One day my local development stops working. I was setting them up one year ago for a specific project. My development environment is using certificates for client-server communication. I know for sure that the certificates were expired. The ADFS signing token certificate and self-sign SSL certificate were expired.

A small problem! But the real problem is that I cannot remember what should be done step by step. A year is long enough for an occasional task. Not anymore! This time I will document here for … the next years.

Generate self-sign certificate

Microsoft has a very detail page for it. In my case, I just need this piece of code

New-SelfSignedCertificate -DnsName "tad.local" -CertStoreLocation "cert:\LocalMachine\My"

Once generated, go to my personal certificate store

  1. Export the certificate to file.
  2. Import it into the trusted authority store.
  3. Delete the old certificate.
  4. Update SSL certificate in IIS

ADFS signing token and decryption token certificates

Open PowerShell in the ADFS server and type in these commands

Run each command in PowerShell

The rest is to update the application configs to reflect the changes.

Setup a Full Federation Scenario with Web Application, Web Service, Windows Client, and ADFS Server Development Environment – Part 1

As a developer, we participate in many projects. In each project, there is a kind of Framework-Ready. By having framework-ready, developers just need to focus on developing business functionalities. It is a good setup, a good environment. Each person focuses on their best.

I have been working in Federation-Business-Application where the interaction is complicated, secured. And it needs a lot of environment setup. Most of the time, there is already Framework-Ready setup; I just use it.

So far so good, except I have not had enough skill in those areas. What if I have to setup a full environment locally for my sake of testing/experiencing? I felt pain just thinking about it.

5-4-3-2-1 GO! I decided to give it a GO.

Scenario

The common scenario is that there are 3 components

  1. WCF Web Service: The central service taking care of business application/logic. This service is secured and not exposed to the outside world.
  2. WPF (Windows)/Console Client: A UI application that will allow users to do their jobs internally. This client will connect to WCF service. Most of the time, users used this client has a lot of permissions.
  3. ASP.NET Web MVC Application: A public web application that allows public users to interact with the WCF Service. This application supports a subset limited of functionalities.
  4. ADFS Server: User management is done by AD FS Server.

The implementation of those applications are out of the scope, and not that interested either. The interesting part is the communication between them in a development environment.

I want to setup something like this

Scenario
General overview of components

I want to have

  1. A local AD FS server
  2. https communication between services
  3. Use Windows Identity Foundation (WIF) to manage login

Ask Google

I can explain the whole thing in words, in my mind, in the logic. I would have thought that I googled and get the job done. Reality? Google gives me so many information. All the information I need is out there. The problem is when you actually start to read them and apply in your job.

Why? Because Google can give you pieces, but you have to connect them. Google cannot help you connect the dots.

That said, I will use those piece and write the way I connect them. You might have your own way.

AD FS Server

Sounds a trivial task. Sounds like I can google it and follow the instructions. But, hell NO. Problem? Because I do not have System Administration background. Therefore, I have had a hard time understand the relationship between components. I could not draw a mental representation of them.

Googling around, I know that I have to setup things called: Domain Service (AD DS), Certificate Service (AD CS), and Federation Service (AD FS). Unfortunately, none of them knows me 🙁 I do not know them either 😛

So instead of following the instructions, I decided to make sense of them first. I have to draw a picture of them, AKA mental representation.

At the minimum, I need 3 things: Users, Certificates, and Login.

Active Directory Domain Services (AD DS)

Less than a second, I can find this useful document from Microsoft Docs.

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

My take:

ADDS allows me to create and manage users. That’s it! That is all I need to know.

Active Directory Certificate Services (AD CS)

Now that I have users. I need certificates to setup https communication. ADCS allows me to generate certificates that use in my lab environment. It does so many other things. However, all I need is some valid certificates to use for development purpose.

Turn it on with the instruction from Microsoft Site.

Active Directory Federation Services (AD FS)

And finally, I need to setup ADFS. There is a perfect instruction here. If you are a developer, you should check out the Microsoft Docs. At the highest abstract level (at least to my understanding), what it does is that it gives you a nice login form. It manages users who consume your service.

My ADFS Local
My AD FS Local Server. 3 services in a computer

With very little knowledge about Administration, Server, I manage to install just enough for my needs. Once I know what I have to install, it is rather easy to do. Because most of the information you need is already there, for free. The most important thing is to figure what I need, and how to make sense of them.

In my development environment, I decided

  • Everything is in one single Virtual Machine (Hyper-V from Windows)
  • Computer name: DC01. Because I might want to have other servers later on.
  • Domain: tad.local
  • AD FS: adfs.tad.local
  • Windows Server 2016 Data Center (trial version for 180 days)

The main purpose of this post is to document what I understood about them. I do not write the detail of installation processes and other problems I have had while doing it. I did that for 2 purposes

  1. Those instructions are already there, well-written, on the internet.
  2. After 6 months, when the trial is over, I have to reinstall everything again. That is a good test for my understanding. The more I do the more skill I get.

 

Next

I want to take advantage of the setup by exploring various scenarios

  1. A website uses AD FS for login.
  2. A WCF Service which serves the requests from the Website.
  3. How about a Windows Client application consumes the service? Oh yes, there is.

Again, one can easily find those topics on the internet. Nothing is new in here. I just try to write it in my own way, my own understanding.

The more I write, the better I am.