Getting federation with ACS & ADFS to work with multiple instances – certificate issue

I recently built a solution that federates ADFS login through Azure Access Control Service (ACS). Everything worked fine for me using the standard “Add STS reference” functionality, but when I increased the instance count to 2 in Azure (no problem in the development environment) I started getting strange errors similar to this:


Now, being a security newbie, I won’t even try to explain the underlying issue beyond saying that it has to do with the encrypted cookies that are generated after login: they are somehow tied to the server instance that generated the cookie and cannot be read by other servers. If we had had sticky sessions it might not have been a problem, but it is with Azure’s round-robin load balancing.

The solution requires both coding to replace the cookie encryption, as well as using a self-generated certificate on all instances that is uploaded to Azure and referenced from web.config. Not very hard, but I struggled to find the solution online.
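The coding half of that fix, as an added example that is not code from the original post: it swaps WIF’s default machine-bound (DPAPI) cookie protection for transforms keyed by the shared certificate, so any instance holding the same certificate can read a cookie issued by another instance. It assumes WIF 3.5 (the Microsoft.IdentityModel assemblies) and a web.config serviceCertificate entry that finds the uploaded certificate by thumbprint; the thumbprint value is a placeholder.

```csharp
// Global.asax.cs (added example, not from the original post). Assumes WIF 3.5
// (Microsoft.IdentityModel) and a <serviceCertificate> element in web.config that
// points at the certificate uploaded to every instance, for example:
//   <microsoft.identityModel><service>
//     <serviceCertificate>
//       <certificateReference x509FindType="FindByThumbprint"
//                             findValue="THUMBPRINT_PLACEHOLDER"
//                             storeLocation="LocalMachine" storeName="My" />
//     </serviceCertificate>
//   </service></microsoft.identityModel>
using System;
using System.Collections.ObjectModel;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Fires once, after WIF has read <microsoft.identityModel> from web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The default SessionSecurityTokenHandler seals the FedAuth cookie with DPAPI,
        // whose key is per machine, so an instance behind the load balancer cannot read
        // a cookie issued by a sibling instance. Replace it with transforms that use the
        // shared service certificate; every instance holding that certificate (and its
        // private key) can then decrypt and verify any instance's cookie.
        var certificate = e.ServiceConfiguration.ServiceCertificate;
        if (certificate == null)
            throw new InvalidOperationException("No serviceCertificate configured; cannot protect session cookies.");

        var transforms = new ReadOnlyCollection<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),                  // shrink the token before it is sealed
            new RsaEncryptionCookieTransform(certificate), // encrypt so the claims are not readable in the cookie
            new RsaSignatureCookieTransform(certificate)   // sign so a tampered cookie is rejected
        });

        var handler = new SessionSecurityTokenHandler(transforms);
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

The certificate's private key must be present, and readable by the worker process account, on every instance; with a missing or unreadable key the cookie transforms fail at runtime rather than at startup.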

If you run into similar problems, I can highly recommend going through this guide in detail:

Don’t forget the step where you need to give Network Service access to your certificate for it to work in the development emulator:

Creating SSL certificate for Azure (wasted time on the wrong OS)

This is a shorter post than usual, hoping to help someone who is trying to add an SSL certificate to a Hosted Service in Azure and is a certificate newbie like myself. I just wasted almost an hour going about it in the wrong way, or actually on the wrong OS (as far as I can tell).

Short summary: Use a Windows Server, not Windows 7, to create your Certificate Signing Request (CSR), complete the certificate creation and export the needed .PFX file.

I bought a certificate through GoDaddy and went through the certificate signing process from my Windows 7 machine, but was never able to export a .PFX file (the option was greyed out) to upload on the Azure Management Portal. I tried and tried for over an hour before I found some signs on the internet that the OS might make a difference. So I instead connected with Remote Desktop to one of my web role instances and went through the process there, and everything worked fine! I created my Certificate Signing Request using IIS Manager, uploaded it to GoDaddy (where I bought the SSL certificate), downloaded the created certificate, installed the intermediate certificate through MMC and then completed the certificate process through IIS by importing the .CRT file from GoDaddy. I could thereafter export the certificate from IIS as a .PFX file and upload it to Windows Azure.

I followed the step-by-step instructions here to generate the CSR and install the certificate in IIS 7:

Good luck!