Replace ADFS/WAP SSL certificates

Like every year, I had to replace the SSL certificates on my ADFS/WAP infrastructure, and like every year I searched the internet for how to do this 🙂 The usual search results are:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap

https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2013/11/13/replace-certificates-on-adfs-3-0/

But unfortunately none of them is 100% complete and accurate. Here is my procedure.

On the ADFS Server:

  • Import the new SSL certificate into the computer's „MY“ certificate store.
  • Run an elevated PowerShell session to get the thumbprint of the certificate.
    cd cert:
    cd localmachine
    cd my
    dir

    Identify the thumbprint in the output. In my case: 1E8B377DD54B7650612C98E4B8816501B4BB4985

  • Switch the ADFS service communication certificate to the new SSL certificate with this cmdlet:
    Set-AdfsCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 -CertificateType Service-Communications
  • Set the ADFS SSL certificate with this cmdlet and verify it with netsh:
    Set-AdfsSslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 
    
    netsh http show sslcert
  • Verify that „read“ access to the private key was granted to the ADFS service account. Open „certlm.msc“, select the new SSL certificate and select „All Tasks / Manage private keys“.
    Since the service runs under a „Virtual Account“, „NT SERVICE\adfssrv“ should be listed with read access.
  • Restart the ADFS service
    Restart-Service adfssrv
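The ADFS-side steps above as one script, added here as an example and not code from the original post: it selects the new certificate by subject instead of copying the thumbprint by hand, switches both certificate settings only where they differ, and checks what HTTP.sys actually serves afterwards. It assumes the placeholder service name sts.youradfsservice.com from this post and that the new certificate is already imported into LocalMachine\My.

```powershell
# Added example, not code from the original post. Assumption: $fsName is the
# placeholder federation service name used in the post; the new certificate
# (with private key) has already been imported into LocalMachine\My.
$fsName = 'sts.youradfsservice.com'

# Newest unexpired certificate with a private key issued for the service name.
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.Subject -like "CN=$fsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $newCert) { throw "No usable certificate for $fsName in LocalMachine\My" }
$thumb = $newCert.Thumbprint
"Selected $thumb, valid until $($newCert.NotAfter)"

# Current state: service-communications certificate and HTTP.sys SSL bindings.
$svcThumb  = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$sslHashes = (Get-AdfsSslCertificate).CertificateHash

if ($svcThumb -ne $thumb) {
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
}
if ($sslHashes -notcontains $thumb) {
    # Rebinds every AD FS SSL endpoint (port 443 and the 49443 cert-auth port).
    Set-AdfsSslCertificate -Thumbprint $thumb
}
Restart-Service adfssrv

# Verify what HTTP.sys really serves: every "Certificate Hash" line in the
# netsh output should reference the new thumbprint. A binding that still
# shows the old hash means the switch did not take effect for that endpoint.
# (On a host that also runs other HTTPS services, their bindings show up too.)
$bound = foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() }
}
$stale = $bound | Where-Object { $_ -ne $thumb } | Sort-Object -Unique
if ($stale) {
    Write-Warning "HTTP.sys still has bindings with other certificates: $($stale -join ', ')"
} else {
    "All $($bound.Count) HTTP.sys SSL bindings use $thumb"
}
```

The private-key ACL check from the certlm.msc step still has to be done by hand; the script only confirms that AD FS and HTTP.sys agree on the new thumbprint.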

On the WAP Server:

  • Import the new SSL certificate in the computers „MY“ certificate store.
  • Configure the WAP service for the new certificate with this cmdlet.
    Set-WebApplicationProxySslCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985
  • Re-establish the proxy trust with this cmdlet.
    Install-WebApplicationProxy -CertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 -FederationServiceName sts.youradfsservice.com
  • This step is missing from most documentation if you have existing WAP published applications. Since every published application is configured separately with an SSL certificate, every app has to be changed. All applications in my infrastructure were published with the same certificate, so I was able to switch all apps to the new certificate with this cmdlet:
    Get-WebApplicationProxyApplication | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985
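The WAP-side steps as one script, added here as an example and not code from the original post. It goes one step beyond the post: instead of switching every published application, it re-points only the apps that still use the old certificate and reports any app published with a different one. The thumbprint values are placeholders to fill in from certlm.msc, and sts.youradfsservice.com is the placeholder service name from the post.

```powershell
# Added example, not code from the original post. Assumptions: the two
# thumbprints are placeholders for the old and new certificate; $fsName is
# the placeholder federation service name used in the post.
$oldThumb = '<OLD-THUMBPRINT>'
$newThumb = '<NEW-THUMBPRINT>'
$fsName   = 'sts.youradfsservice.com'

# The new certificate must be in LocalMachine\My together with its private key.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$newThumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "$newThumb has no private key on this host" }

# Proxy listener certificate, then re-establish the trust with the
# federation server (prompts for an AD FS administrator credential).
Set-WebApplicationProxySslCertificate -Thumbprint $newThumb
Install-WebApplicationProxy -CertificateThumbprint $newThumb `
    -FederationServiceName $fsName `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator')

# Each published application carries its own external certificate.
$apps     = Get-WebApplicationProxyApplication
$toSwitch = $apps | Where-Object { $_.ExternalCertificateThumbprint -eq $oldThumb }
$other    = $apps | Where-Object { $_.ExternalCertificateThumbprint -notin $oldThumb, $newThumb }

foreach ($app in $toSwitch) {
    Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $newThumb
    "Switched '$($app.Name)' ($($app.ExternalUrl)) to $newThumb"
}
if ($other) {
    Write-Warning 'Published with a different certificate and left unchanged:'
    $other | Select-Object Name, ExternalUrl, ExternalCertificateThumbprint | Format-Table -AutoSize
}

# Final state for the change record.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalCertificateThumbprint | Format-Table -AutoSize
```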

7 Responses to Replace ADFS/WAP SSL certificates

  1. Tim P says:

    Danke!

  2. Michael maertzdorf says:

    Any idea what might be the reason that, if one follows your instructions,

    1) WAP shows new certificate
    2) ADFS keeps showing the old certificate

    Note: Using an internally (via CA server) generated certificate valid for 4 years.

    • Wolfgang says:

      Showing where? ADFS console, Powershell, Browser? Addtl. I think you should go away from 4y certs since some platforms are not accepting this duration, e.g. iOS max 398d.

      • Michael maertzdorf says:

        I ran the following command (with my own thumbprint)

        Set-AdfsCertificate -Thumbprint 1E8B377DD54B7650612C98E4B8816501B4BB4985 -CertificateType Service-Communications

        Now

        I ran:

        netsh http show sslcert

        And the old certificate still shows

        In the „AD FS Service Communications“ MMC, it shows the new certificate under „service communications“.

      • Michael maertzdorf says:

        I resolved the ADFS „internal“ issue

        using the following:

        https://community.spiceworks.com/topic/2202908-adfs-4-0-and-powershell-issue-with-set-adfssslcertificate

        e.g. use „netsh“ to remove the old certificates and install the new certificate

        Next up is to re-establish a trust between WAP and ADFS.

      • Wolfgang says:

        There are two „set-adfscertificate“ steps documented in the blog article. One with the „-CertificateType“ option and the second without. It looks like you may have missed the second?

  3. Michael maertzdorf says:

    To hopefully help others with this as well.
    After the usage of the netsh commands to replace the certificate for http.sys, the trust between WAP and ADFS was „gone“ / broken in my case e.g. externally.

    I did the following to resolve the issue:

    Configure Schannel to no longer send the list of trusted root certificate authorities during the TLS/SSL handshake process
    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

    On the server that is running IIS or on the IAS server on which you experience this problem, set the following registry entry to false: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    Value name: SendTrustedIssuerList
    Value type: REG_DWORD
    Value data: 0 (False)

    Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    On the proxy server DisableRenegoOnClient = 0 (or remove entry)
    On the ADFS server DisableRenegoOnClient = 0 (or remove) and DisableRenegoOnServer = 0 (or remove)

    In my case the keys were not there, so I made them as DWORD entries.

    And last but not least I ended up having the following errors:

    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
    Additional Data Exception details: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied at System.Net.HttpListener.AddAllPrefixes() at System.Net.HttpListener.Start() at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen() --- End of inner exception stack trace --- at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen() at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener) at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback) at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)


    There was an error in enabling endpoints of Federation Service.
    Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
    Additional Data Exception details: System.Net.HttpListenerException (0x80004005): Access is denied at System.Net.HttpListener.AddAllPrefixes() at System.Net.HttpListener.Start() at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize) at Microsoft.IdentityServer.Web.PassiveProtocolListener.Start() at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

    I resolved this one by granting the ADFS account local-admin rights on the ADFS server.
    One could alternatively use netsh to set the correct access to the links:

    https://social.technet.microsoft.com/Forums/en-US/2df3ef95-b0e1-4a89-96ce-3fd4edd7a7f9/failed-to-start-endpoint-https49443adfsportal?forum=ADFS

    Seems to be a Server2016 / 2019 issue/bug
