WCF STS load balancing and certificate

Want to know what are the best practices for deploying custom WCF-Security Token Service (STS) in a load balancing environment that uses flags and encrypted tokens?

We use Cirtix NetScaler to handle load balancing and SSL termination (i.e. the certificate is only installed on the NetScaler server). STS has been designated to sign and encrypt tokens through the SigningCertificateName and EncryptionCertificateName application settings. However, the current web server configuration does not install a local certificate in its authentication store.

So my question is: –

>If the token is transmitted via SSL, do we need to worry Signing and encryption?
>Should we install a certificate on each web server or can we use a load balancer?
>Can we use the same certificate on each web server, or do we need to buy a certificate for each web server?

The STS that does not sign its token is of little use: without a signature, no relying party can distinguish Valid tokens issued by STS and maliciously spoofed tokens.

The certificate you install to support SSL is usually different from the STS signing certificate. The latter identifies the service, not the web server. Therefore, , Be sure to continue to install the SSL certificate on the load balancer. However, you need to install another certificate representing the service identity (using its private key) on each computer hosting the service to be used as the SigningCertificate. It should be each The same certificate on the server (it is the same service).

However, you usually don’t need to purchase such a certificate: you can issue it yourself – you just need to make sure that every potential relying party is configured to The certificate is recognized as a trusted STS, and the root issuer of the certificate is also trusted (if it is a self-signed certificate, it is the certificate itself; if a certificate server is used to issue the certificate, it is the root certificate).

Want to know what are the best practices for deploying custom WCF-Security Token Service (STS) in a load balancing environment that uses flags and encrypted tokens?

We use Cirtix NetScaler to handle load balancing and SSL termination (i.e. the certificate is only installed on the NetScaler server). STS has been designated to sign and encrypt tokens through the SigningCertificateName and EncryptionCertificateName application settings. However, the current web server configuration does not install a local certificate in its authentication store.

So my question is: –

>If the token is transmitted via SSL, do we need to worry Signing and encryption?
>Should we install a certificate on each web server or can we use a load balancer?
>Can we use the same certificate on each web server, or do we need to buy a certificate for each web server?

The STS that does not sign its token is of little use: Without the signature, no relying party can distinguish between the valid token issued by the STS and the maliciously deceived token

The certificate you install to support SSL is usually different from the STS signing certificate. The latter identifies the service, not the web server. Therefore, be sure to continue to install the SSL certificate on the load balancer However, you need to install another certificate representing the service identity (using its private key) on each computer hosting the service to be used as a SigningCertificate. It should be the same certificate on each server (it is the same service) .

However, you usually don’t need to purchase such a certificate: you can issue it yourself – you just need to make sure that every potential relying party is configured to recognize the certificate as a trusted STS and also trust the certificate’s Root issuer (if it is a self-signed certificate, it is the certificate itself; if a certificate server is used to issue the certificate, it is the root certificate).

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 2414 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.