Microsoft Enterprise Mobility Suite Tips

Enterprise Mobility stuff worth sharing -- by Pieter Wigleven (Technical Solution Professional MSFT)

Replace certificates on ADFS 3.0


In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server
  • Import the new certificate to the Machine’s Personal Store
  • Make sure you have a private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there and make sure to include the private key.

  • Assign the proper permissions to the Private Key for the ADFS Managed Service Account:


  • Make sure to select “Service Accounts” as the object type when searching for the account.

  • Now switch to AD FS Management, drill down to Certificates and select “Set Service Communication Certificate”.

  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates – it means you either don’t have the private key that corresponds to this certificate OR you didn’t import the cert correctly.

(The following commands also have to be run; thanks to Jaguar, who mentioned this in a comment.)

  • Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
    • If it's unclear which certificate is new, open the Certificates MMC snap-in, locate the new certificate and scroll down in the list of properties to see the thumbprint.

  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (thumbprint without spaces).
  • Restart the ADFS service.

Optionally when using Web Application Proxy(s):

  • Copy and import the new certificate to the Web Application Proxy/Proxies which are not domain joined. Make sure the certificate is imported into the Machine Personal Store.
  • Switch the certificate on the Web Application Proxy. I personally did this by reinstalling the Web Application Proxy (requires a reboot), but it’s much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.
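The whole procedure above (import, private-key permissions, service communication certificate, SSL binding, service restart, and the optional WAP step) as a single PowerShell script. This is an added example, not a script from the original post; the PFX path, password prompt and service account name are placeholders, and the private-key ACL step assumes a CAPI/RSA key container (the usual case for a PFX from a public CA).

```powershell
# Added example: run in an elevated PowerShell session on the AD FS 3.0 server.
Import-Module ADFS

$PfxPath        = 'C:\certs\sts-example.pfx'     # placeholder: exported cert WITH private key
$PfxPassword    = Read-Host 'PFX password' -AsSecureString
$ServiceAccount = 'CONTOSO\svc_adfs$'            # placeholder: AD FS managed service account (note the trailing $)

# 1. Import into the machine Personal store and confirm the private key came along.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX including the key."
}

# 2. Grant the service account Read on the private key file (CAPI/RSA keys live under MachineKeys;
#    CNG keys expose no CspKeyContainerInfo and are stored under ...\Crypto\Keys instead).
if ($null -eq $cert.PrivateKey) { throw 'CNG key detected; set the key permissions via the Certificates MMC snap-in.' }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Same as "Set Service Communication Certificate" in AD FS Management.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

# 4. AD FS 3.0 has no IIS: the HTTPS binding is held separately and must be switched explicitly.
#    $cert.Thumbprint already contains no spaces, which is what Set-AdfsSslCertificate expects.
$before = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Restart-Service -Name adfssrv
$after  = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
Write-Host "SSL binding thumbprint: $before -> $after"

# 5. Optional, on each (non-domain-joined) Web Application Proxy after importing the same PFX there:
#    Set-WebApplicationProxySslCertificate -Thumbprint $cert.Thumbprint
```

Check Get-AdfsSslCertificate afterwards on every federation server in the farm; the binding is per server, so a server still reporting the old thumbprint is the symptom described in the comments below.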

Consider leaving a reply in case this post helped you. Thanks!

Comments
  • As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:

    1. Get the thumbprint of the replacement SSL cert.

    2. Copy it to notepad and remove the spaces.

    3. Open powershell on one of the FS servers.

    4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.

    5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).

    6. Restart the ADFS service on both internal FS servers and all was well again.

    Sounds like a bug to me. Regards,

  • Not a bug. Since there is no IIS, that step has been replaced with Powershell, you have to do something similar on the Proxies as well. In addition, we ran into the following:

    1. We used our current code signing certificate from Digicert for the new system - and used it for the token decryption certificate.

    2. Our testing showed that WIA worked but FBA did not - the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.

    3. After 3.5 days with our MCS engineer and PSS top level support, the issue was that the code signing cert did not have key usage/enhanced key usage terminology required for the token decryption cert.

    4. We generated a self signed cert with the proper terminology and the issue was resolved.

  • Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!

  • Oh what a lovely post. Many thanks. I am still stuck.
    I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP). Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called enterpriseregistration.mydomain.com.
    Since my cert comes from GoDaddy, I can't have a SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.
    Before I rekey a certificate, are there any other SANs I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION...)?

  • Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.

  • Just had to do this and it's saved me so many problems - you sir are a star!

  • Thx a lot, worked!

  • Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.
