WCF STS load balancing and certificate

What are the best practices for deploying a custom WCF Security Token Service (STS) in a load-balanced environment that uses signed and encrypted tokens?

We use Citrix NetScaler to handle load balancing and SSL termination (i.e. the certificate is only installed on the NetScaler). The STS is configured to sign and encrypt tokens through the SigningCertificateName and EncryptionCertificateName application settings. However, the current web server configuration does not install a local certificate in its certificate store.

So my questions are:

> If the token is transmitted over SSL, do we need to worry about signing and encryption?
> Should we install a certificate on each web server, or can we use the one on the load balancer?
> Can we use the same certificate on each web server, or do we need to buy a certificate for each web server?

An STS that does not sign its tokens is of little use: without a signature, no relying party can distinguish valid tokens issued by the STS from maliciously spoofed tokens.

The certificate you install to support SSL is usually different from the STS signing certificate. The latter identifies the service, not the web server. Therefore, be sure to keep the SSL certificate installed on the load balancer. However, you need to install another certificate representing the service identity (with its private key) on each computer hosting the service, to be used as the SigningCertificate. It should be the same certificate on each server (it is the same service).

However, you usually don't need to purchase such a certificate: you can issue it yourself. You just need to make sure that every potential relying party is configured to recognize the certificate as a trusted STS, and also trusts the certificate's root issuer (if it is a self-signed certificate, that is the certificate itself; if a certificate server was used to issue it, that is the root certificate).
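The two sides of this arrangement, as an added example that is not part of the question or the answer above: each STS node loads the shared service-identity certificate (with its private key) from its local machine store by the subject name held in `SigningCertificateName`, and a relying party trusts tokens only when the signing certificate's thumbprint is registered, so a token signed with some other certificate is rejected. The subject name, the thumbprint placeholder and the `ComputeTrustedIssuer` wrapper are assumptions for the illustration; the `System.IdentityModel` types are the .NET 4.5 / WIF ones.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// STS side: every load-balanced node must hold the SAME service certificate,
// imported with its private key into LocalMachine\My. This is separate from
// the SSL certificate, which stays on the NetScaler.
static class StsSigningCertificate
{
    // subjectDistinguishedName is what the SigningCertificateName app setting holds
    // (assumed value for this example: "CN=sts.example.internal").
    public static X509Certificate2 Load(string subjectDistinguishedName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, because a self-issued STS certificate will not
            // chain to a trusted root on the STS host itself.
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName,
                subjectDistinguishedName,
                false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Signing certificate not installed on this node: " + subjectDistinguishedName);

            var cert = matches[0];

            // A node that received only the public .cer instead of the .pfx
            // can verify but not sign; fail early rather than at first token request.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Signing certificate has no private key: " + cert.Thumbprint);

            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Hand the certificate to the STS as its signing credentials.
    public static SigningCredentials Credentials(X509Certificate2 cert)
    {
        return new X509SigningCredentials(cert);
    }
}

// Relying-party side: trust is pinned to the thumbprint of the STS signing
// certificate, not to whatever certificate terminated SSL on the way in.
static class RelyingPartyTrust
{
    // Assumed placeholder; in a deployment this is the thumbprint of the
    // certificate every STS node loads above.
    const string StsSigningThumbprint = "THUMBPRINT_OF_STS_SIGNING_CERT";

    public static ConfigurationBasedIssuerNameRegistry BuildRegistry()
    {
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(StsSigningThumbprint, "https://sts.example.internal/");
        return registry;
    }

    // Returns the issuer name for a token signed by the trusted STS certificate,
    // and null for a token signed by any other certificate (spoofed or simply
    // the wrong one), which the token handler then rejects.
    public static string ComputeTrustedIssuer(X509Certificate2 signingCert)
    {
        var registry = BuildRegistry();
        return registry.GetIssuerName(new X509SecurityToken(signingCert));
    }
}
```

Because the registry maps thumbprints, not subject names, rolling the STS certificate means updating every relying party; that is the operational cost of the "same certificate on each server, trusted explicitly by each relying party" model the answer describes.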

