Freigeben über


Replace certificates on ADFS 3.0

In my test environment I wanted to replace self-signed certificates with publicly trusted ones.

Follow these steps if you want to achieve the same:

  • RDP to your ADFS 3.0 server
  • Import the new certificate to the Machine’s Personal Store
  • Make sure you have a private key that corresponds to this certificate. If not, go to the PC you requested the certificate on, export it from there and make sure to include the private key,

image

  • Assign the proper permissions to the Private Key for the ADFS Managed Service Account:

image

  • Make sure to select “Service Accounts” in when searching for the account.

image

  • Now switch to AD FS management, drill down to Certificates and select “Set Service Communication Certificate”

image

  • You will be prompted for the required certificate. If you don’t see the new certificate in the list of available certificates – it means you either don’t have the private key that corresponds to this certificate OR you didn’t import the cert correctly.

(next commands have to be done too - thanks Jaguar who mentioned this in a comment)

  • Run Get-AdfsSslCertificate. Make a note of the thumbprint of the new certificate.
    • If it's unclear which certificate is new, open MMC snappin, locate the new certificate and scroll down in the list of properties to see the thumbprint.
  • Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).
  • Restart the ADFS service

Optionally when using Web Application Proxy(s):

  • Copy and import the new certificate to the Web Application Proxy/Proxies which are not domain joined. Make sure the certificate is imported into the Machine Personal Store.
  • Switch the certificate on the Web Application Proxy, I personally did this by reinstalling the Web Application Proxy (requires a reboot) but it’s much easier to use the “Set-WebApplicationProxySslCertificate” cmdlet.

Consider leaving a reply in case this post helped you. Thanks!

Comments

  • Anonymous
    January 01, 2003
    Thanks so much for the rebinding commands. Why aren't those in the official docs?!
    • Anonymous
      January 31, 2017
      But it is in the docs !! You only have to take some time to read it. Remember it's not any different from any webapp you're publishing. So no worry it says intune, the actions are the same !Look here :https://technet.microsoft.com/nl-nl/library/dn781428(v=ws.11).aspx
  • Anonymous
    January 01, 2003
    Oh what a lovely post. Many thanks. I am still stuck.
    I had a publicly trusted wildcard cert for my domain (it worked for OWA, SharePoint, OA, and I could also use it for ADFS and WAP. Brilliant. BUT when I got to device registration I found I need a SAN on the certificate called entrepriseregistration.mydomain.com.
    Since my cert comes from Godaddy, I can't have SAN on a wildcard cert, so I will have to use a UCC SAN cert instead.
    Before I rekey a certificate, are there any other SANS I need (apart from SIP, OWA, EDGE, MAIL, AUTODISCOVER, ENTERPRISEREGISTRATION... ?
    • Anonymous
      August 11, 2016
      I'd also consider certauth.adfs.mydomain.com (where adfs.mydomain.com is your ordinary federation service URL) .. that also covers scenarios for AD FS as an enrollment (CA) agent in Windows Server 2016 ..
  • Anonymous
    November 22, 2013
    As part of our deployment of ADFS 3.0 (to replace our ADFS 1.1), we had to replace the first SSL certificate that we cut. After doing the usual process (including replacing it in the ADFS console), our federation proxies could not talk to the internals. Neither could my workstation using a hosts file to communicate directly to one of the internal FS servers. Looking at the ADFS Admin log (or the Debug log), it showed a yellow on a thumbprint that it could not find. This is what we had to do:
  1. Get the thumbprint of the replacement SSL cert.
  2. Copy it to notepad and remove the spaces.
  3. Open powershell on one of the FS servers.
  4. Run Get-AdfsSslCertificate. This showed the thumbprint still "stuck" in ADFS, the old one.
  5. Run Set-AdfsSslCertificate -Thumbprint xxxxthumbprintofthenewsslcertxxxxx   (without spaces).
  6. Restart the ADFS service on both internal FS servers and all was well again. Sounds like a bug to me. Regards,
  • Anonymous
    December 05, 2013
    Not a bug. Since there is no IIS, that step has been replaced with Powershell, you have to do something similar on the Proxies as well. In addition, we ran into the following:
  1. We used our current code signing certificate from Digicert for the new system - and used it for the token decryption certificate.
  2. Our testing showed that WIA worked but FBA did not - the web form simply refreshed at login. A yellow warning appeared in the log about discarding corrupt cookie.
  3. After 3.5 days with our MCS engineer and PSS top level support, the issue was that the code signing cert did not have key usage/enhanced key usage terminology required for the token decryption cert.
  4. We generated a self signed cert with the proper terminology and the issue was resolved.
  • Anonymous
    April 10, 2014
    Jaguar, great stuff! Saved me a huge headache. Running your commands fixed my issue. Massive thanks!
  • Anonymous
    July 02, 2014
    Thanks Jaguar, the blog post is incomplete indeed, I had to run your Set-AdfsSslCertificate command to complete the configuration.
  • Anonymous
    July 20, 2014
    Just had to do this and it's saved me so many problems - you sir are a star!
  • Anonymous
    September 08, 2014
    Thx a lot, worked!
  • Anonymous
    September 10, 2014
    Many thanks for this article, saved me a lot of headaches trying to figure out the cert updating process.
  • Anonymous
    September 25, 2014
    Understood that it isn't a bug but Microsoft has the ability to program that process into the GUI. One shouldn't require searching in a blog to resolve a problem that Microsoft pragmatically didn't or neglected to do. If the web service is built into ADFS then the ADFS console or PowerShell cmdlets should complete the configuration wholly not partially causing hours of support. (I guess one assumes that "SET" means set.)
  • Anonymous
    October 08, 2014
    I just went through a ADFS Farm Name change and ran into a issue where the old SSL Certs were still showing in the command Get-AdfsSslCertificate

    This caused ADFS to return a Unauthorized Error if I tried to issue a token under the new farm name, but using the old farm name would still work (Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.).

    I had to go into netsh http and delete the old SSL bindings from each ADFS Server using the following command:
    netsh http delete sslcert hostnameport={oldname}:49443
    netsh http delete sslcert hostnameport={oldname}:443

    Also shout out to ADFS Team for their ADFSDiagnostics module! (https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31) The PowerShell Test-AdfsServerToken cmdlet is awesome.
  • Anonymous
    October 30, 2014
    Saved my day. Thank you
  • Anonymous
    November 16, 2014
    thanks to all who contributed to this and especially Scott R. the netsh commands did the trick to get the cert back in and functioning.

    One other thing to note in my cases when copying the SetAdfsSslCertificate command from Notepad into my PS window there was a little garbage character ahead of the thumbprint that was causing the command to fail....didn't see it the first 2 times I tried...darn surface 2 small screen and tired eyes!
  • Anonymous
    December 01, 2014
    Just used this article and it was helpful. Thank You.
  • Anonymous
    January 10, 2015
    Thank you so much!

    If the "Get-AdfsSslCertificate" shows only the old certificate, get the thumbprint of the new certificate using mmc's Certificates snap-in, and then use it with the "Set-AdfsSslCertificate -Thumbprint" command.
  • Anonymous
    January 19, 2015
    How does the new SSL certificate get installed onto the other ADFS 3.0 servers in the ADFS farm? I have a primary ADFS server and a secondary in NLB. Typically ADFS changes occur on the primary and those changes get synced to the secondary. I have imported the renewed certificate on the primary and it is working properly but the secondary is not receiving this configuration. I have imported the SSL certificate into the machine MY store on the secondary and I have assigned permission to the service account. The problem is that I am unable to issue PowerShell commands to install this certificate because it is the secondary and will not perform the commands.
  • Anonymous
    January 30, 2015
    GREAT! That stupid Set-ADFSSslCertificate command needed to be run as well... THANKS it's a life saver
  • Anonymous
    February 18, 2015
    I have the same question as Mark Ringo, if running ADFS in a load balance state, how do we get the non-primary ADFS server to use the new SSL Cert? Would love hearing if someone has a solution. Great article for ADFS servers, would recommend updating with ADFS Proxy method as well, would be helpful to get this all in one place.
  • Anonymous
    March 09, 2015
    muchas gracias! Set-AdfsSslCertificate is what I needed to resolve System Event Log being rampaged by Error 15021.
  • Anonymous
    March 24, 2015
    The comment has been removed
  • Anonymous
    March 24, 2015
    Egert +1
  • Anonymous
    March 27, 2015
    In case anyone still need an answer for how to update the certs on the secondary ADFS servers.

    Set-ADFSSslCertificate command needs to be run on ALL ADFS servers !!!!!!
  • Anonymous
    March 27, 2015
    In case anyone still need an answer for how to update the certs on the secondary ADFS servers.

    Set-ADFSSslCertificate command needs to be run on ALL ADFS servers !!!!!!
  • Anonymous
    May 15, 2015
    Get-ChildItem -path cert:LocalMachineMy

    Will return a Thumbprint that you will not have to edit spaces out of.
  • Anonymous
    July 06, 2015
    a very detailed and simplified post http://blogs.perficient.com/microsoft/2014/05/office-365-replacing-the-ssl-certificate-in-ad-fs-3-0/
  • Anonymous
    October 18, 2015
    just tried this, but it didn't automatically update the SSL cert on the IIS site of my ADFS server - I've manually updated that to the new cert
  • Anonymous
    December 03, 2015
    Thanks to everyone that contributed to this post, it saved me a lot of work! However, my configuration was still not working until I did this:
    http://blogs.technet.com/b/rmilne/archive/2015/04/20/adfs-2012-r2-web-application-proxy-2d00-re_2d00_establish-proxy-trust.aspx
    Once the trust was re-established everything turned green!
  • Anonymous
    March 15, 2016
    If Mark Ringo is still looking for an answer, the best thing to do is temporarily change your secondary ADFS server to primary:

    Set-AdfsSyncProperties -Role PrimaryComputer

    Once you're done, change it back to a secondary server:
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of your ADFS primary server}
    • Anonymous
      May 10, 2016
      I ran into a similar scenario as Mark Ringo I believe. I was replacing the expired certificate in a 3 server farm and think I stopped the ADFS service on the secondary service before just in the event that things went south...... upon startup now the secondary ADFS service fails with error about a cert being expired or revoked (the old one). Get-adfssync status shows it not having sync'd with the primary in a few months now. I am hoping these steps to change it to primary, update the certificate, and change it back should resolve the issue. Once it can start again using the new certificate it should be able to talk to the primary to get all the changes that have been made and get back in sync.
  • Anonymous
    July 09, 2016
    Hi and thanks so far,maybe you can add a link to this article concerning re-establishing Proxy trust:https://blogs.technet.microsoft.com/rmilne/2015/04/20/adfs-2012-r2-web-application-proxy-re-establish-proxy-trust/or just add the important PowerShell lines:on WAP:Install-WebApplicationProxy –CertificateThumprint 3EFF626CD4CAECDB6F84DB5FB4FCF580ACF629E2 -FederationServiceName adfs.tailspintoys.caThanks again
  • Anonymous
    September 28, 2016
    The comment has been removed
  • Anonymous
    November 16, 2016
    Thank you
  • Anonymous
    November 18, 2016
    Thanks Pieter!
  • Anonymous
    August 08, 2017
    This worked fine. You may want to put note in there that if you are using a System Account for ADFS you just need to ensure the SYSTEM user has the appropriate rights.
    • Anonymous
      August 08, 2017
      Scratch that. I was looking at my WAP servers when looking at the services. Youre correct with the Service account
  • Anonymous
    January 04, 2018
    Thanks for the post. We've an issue updating the certificates in combination with SharePoint 2013. When accessing SP through the WAP we get a http error 500. The certificate has been updated on the WAP, ADFS server and SharePoint. Anyone any idea why the 500 error?
  • Anonymous
    February 20, 2018
    Check new CertHat Windows Client, it takes care about ADFS certificates, renewal, notifications about expiration of signing and encrypting self signed certificates, WAP installation, etc.