ADFS 3.0 with Windows XP (??) Clients

Today I spent the day at a customer's looking at an XP computer (I know they are supposed to be extinct) that was having problems authenticating using ADFS. As we know, XP uses IE8, and IE8 on XP does not support Server Name Indication (SNI). Turns out SNI is on by default in ADFS 3.0… bummer

Fortunately it is fixable:

Start by getting information about the current SSL certificate binding using:

netsh http show sslcert

Then we bind the IP:port combination to the SSL certificate, so that clients that send no SNI hostname still receive the ADFS certificate, using (in an elevated command prompt):

netsh http add sslcert ipport=[ipaddress:port from above] certhash=[Certificate Hash from above] appid=[Application ID (appid) from above] certstorename=MY

These steps need to be taken on both the ADFS server and the Web Application Proxy.

IMPORTANT: This works as long as the Web Application Proxy is not doing anything else but working as an “ADFS Proxy”, since the IP:port binding is used for every request on that address and port that does not carry an SNI hostname.
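As an added example (not from the original post), the following PowerShell parses the output of netsh http show sslcert described above and builds the matching add sslcert command for the IP:port binding, instead of copying the hash and appid by hand. The IP address, the function names and the sample netsh output are constructed placeholders.

```powershell
# Added example (not from the original post): parse "netsh http show sslcert"
# and build the "add sslcert" command for an IP:port binding, which http.sys
# serves to clients such as XP/IE8 that send no SNI hostname.
# The IP address and the sample output below are constructed placeholders.

function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    # A binding starts with an "IP:port" or "Hostname:port" line; the
    # following "Key : Value" lines belong to it.
    $entries = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Kind = $matches[1]; Endpoint = $matches[2]
                                          CertHash = $null; AppId = $null; Store = $null }
            $entries += $current
        } elseif ($null -ne $current) {
            if     ($line -match '^\s*Certificate Hash\s*:\s*(\S+)')       { $current.CertHash = $matches[1] }
            elseif ($line -match '^\s*Application ID\s*:\s*(\S+)')         { $current.AppId    = $matches[1] }
            elseif ($line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $current.Store    = $matches[1] }
        }
    }
    return $entries
}

function New-NonSniBindingCommand {
    param([Parameter(Mandatory)][object[]]$Bindings,
          [Parameter(Mandatory)][string]$IpAddress,
          [int]$Port = 443)
    # ADFS 3.0 binds by hostname (SNI); reuse that binding's hash and appid.
    $adfs = $Bindings | Where-Object { $_.Kind -eq 'Hostname:port' -and $_.Endpoint -like "*:$Port" } |
            Select-Object -First 1
    if (-not $adfs) { throw "No Hostname:port binding on port $Port; is this the ADFS or WAP server?" }
    $ipport = "${IpAddress}:$Port"
    if ($Bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $ipport }) {
        Write-Warning "IP:port binding $ipport already exists; nothing to add."; return $null
    }
    $store = if ($adfs.Store -and $adfs.Store -ne '(null)') { $adfs.Store } else { 'MY' }
    "netsh http add sslcert ipport=$ipport certhash=$($adfs.CertHash) appid=$($adfs.AppId) certstorename=$store"
}

# Constructed sample output for an offline dry run; on the server itself use
# ConvertFrom-NetshSslCert (netsh http show sslcert) from an elevated prompt.
$sample = @'
    Hostname:port                : adfs.example.com:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"
# Emits the add command; run it on the ADFS server and the Web Application Proxy, then re-check with "netsh http show sslcert".
New-NonSniBindingCommand -Bindings (ConvertFrom-NetshSslCert $sample) -IpAddress '192.0.2.10'
```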

Link:
http://hindenes.com/trondsworking/2014/03/25/adfs-3-0-windows-xp-fail/
