ADFS Certificate Renewal

When the AD FS SSL certificate expires, the AD FS service is interrupted. Replacing the SSL certificate is the only way to restore the service.

Import and replace the SSL certificate on the AD FS server


1.    Create a CSR for the new certificate.

  • Open MMC through Run.
  • File > Add/Remove Snap-in.
  • Certificates > Add.
  • Computer account > Next.
  • Local computer > Finish.
  • OK.
  • Expand Certificates (Local Computer) > Personal.
  • Right-click Personal.
  • All Tasks > Advanced Operations > Create Custom Request.
  • Next > Custom Request > Proceed without enrollment policy > Next.
  • Select Template: (No template) Legacy key > Request format: PKCS #10 > Next.
  • Expand Details > click Properties.
  • General > enter a Friendly name and a Description > Apply.
  • Subject > select the Type and Value fields as per the existing certificate > Apply.
  • Private Key > expand Cryptographic Service Provider (CSP) > select Microsoft RSA SChannel Cryptographic Provider (Encryption).
  • Expand Key options > Key size: 2048 > tick Make private key exportable and leave all other options unchecked > Apply > OK.
  • Browse to the file location where the CSR request should be stored > enter a name for the request file.
  • File format: Base 64 > Finish.
  • Open Run > MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK.
  • Expand Certificate Enrollment Requests > Certificates and check that the certificate request shows up in the right pane.
  • Verify the CSR file with a CSR decoder web tool.
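The same request can be produced without the MMC wizard by feeding certreq.exe an INF file that sets the options the steps above select (legacy key, SChannel CSP, 2048-bit RSA, exportable, PKCS #10, Base 64). The following is an added example written for this page, not part of the original runbook; the subject, the SAN names (sts.contoso.example) and the file paths under C:\Temp are placeholders to replace with your own values. It also shows an offline substitute for the web CSR decoder, so the request is inspected locally with certutil instead of being pasted into a third-party site.

```powershell
# Added example (not from the runbook): create the AD FS SSL CSR with certreq.exe.
# Placeholders: subject, SAN entries and paths must be replaced with your own values.
# The here-string is single-quoted so nothing inside it is expanded by PowerShell.
$RequestInf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=sts.contoso.example, O=Contoso, L=City, S=State, C=US" ; placeholder, copy from the existing certificate
KeySpec = 1                                                            ; AT_KEYEXCHANGE, required for TLS
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE                                                      ; "Make private key exportable", needed for the WAP copy
MachineKeySet = TRUE                                                   ; key is created in the Local Computer store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0                                                        ; digital signature + key encipherment
FriendlyName = "AD FS service communications"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                                                ; server authentication

[Extensions]
2.5.29.17 = "{text}"                                                   ; subjectAltName
_continue_ = "dns=sts.contoso.example&"
_continue_ = "dns=enterpriseregistration.contoso.example&"             ; placeholder, only if device registration is used
'@

$InfPath = 'C:\Temp\adfs-ssl.inf'   # placeholder paths
$CsrPath = 'C:\Temp\adfs-ssl.csr'
Set-Content -Path $InfPath -Value $RequestInf -Encoding Ascii

# Creates the key pair in the Local Computer store and writes a Base 64 PKCS #10 request.
certreq.exe -new $InfPath $CsrPath

# Local equivalent of the "CSR decoder" check: decode the request on this machine
# and confirm subject, SAN list, key size and signature algorithm.
certutil.exe -dump $CsrPath

# The pending request should now appear under Certificate Enrollment Requests.
Get-ChildItem Cert:\LocalMachine\REQUEST | Select-Object Subject, Thumbprint, NotAfter
```

Run it in an elevated PowerShell session on the AD FS server that will hold the private key; the CSR file written to $CsrPath is what goes to the CA vendor.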

 

---------------------------------------------------------------------------------------------------------------------------

2.    Import / replace the certificate on the AD FS server.

  • After the certificate is received from the certificate vendor, copy it to the server from which the CSR was raised.

  • Open Run > MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK.
  • Expand Certificates (Local Computer) > Personal > Certificates.
  • Right-click Certificates > All Tasks > Import...
  • Browse to the SSL certificate file provided by the CA vendor (it should be in .cer format) > Next > OK.
  • Grant the AD FS service account read access to the private key: after the new certificate is installed, right-click it > All Tasks > Manage Private Keys.
  • Add the AD FS service account > enter the service account name > Check Names > OK > tick Allow for Read and leave all other permissions unchecked.
  • Export the certificate so it can be imported on the WAP server:
      ◦ Right-click the new certificate > All Tasks > Export.
      ◦ Select Yes, export the private key > Next.
      ◦ Select the export format Personal Information Exchange - PKCS #12 (.PFX) with Include all certificates in the certification path if possible > Next.
      ◦ Select Password and set a password for the certificate > Next.
      ◦ Define the export file location, then Finish.
  • Launch the AD FS Management console, expand the Service item in the left pane and click Certificates. Under Service communications the certificate is displayed as expired. Click the link Set Service Communications Certificate to set the new certificate.
  • The system presents all the installed certificates. Select the valid certificate and click OK.
  • Click OK to close the message. The Expiration Date of the certificate under Service communications has been updated.
  • Restart the AD FS service.
  • Changes made in the GUI do not update the HTTP.sys binding. To complete the configuration, identify the thumbprint of the certificate and run a PowerShell command. Right-click the newly imported SSL certificate and select Open.
  • Select the Details tab, find the Thumbprint of the new certificate and write it down without the spaces.
  • Copy the thumbprint into Notepad and remove any unwanted spaces from it.
  • Open PowerShell and set the thumbprint with: Set-AdfsSslCertificate -Thumbprint <ThumbprintCertificate>
  • After the command has run, restart the AD FS service.
  • Test and verify the new certificate from other internal client/server machines.
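The steps in this section, as an added PowerShell example written for this page (not the runbook's own commands), run elevated on the AD FS server that generated the CSR. It assumes a CSP key (which is what the "Legacy key" wizard option produces), and uses placeholders for the file paths, the service account CONTOSO\svc_adfs and the host name sts.contoso.example. Taking the thumbprint from the certificate object rather than from the GUI avoids the stray spaces and hidden characters that the Notepad step above exists to remove.

```powershell
# Added example (not from the runbook). Placeholders: paths, service account, host name.
$CertFile   = 'C:\Temp\sts.contoso.example.cer'   # issued certificate from the CA vendor
$PfxFile    = 'C:\Temp\sts.contoso.example.pfx'   # export destined for the WAP server
$SvcAccount = 'CONTOSO\svc_adfs'                  # AD FS service account (placeholder)
$HostName   = 'sts.contoso.example'               # federation service name (placeholder)

# 1. Complete the pending request: this binds the issued certificate to the private key
#    created with the CSR, which is what the MMC import does for a pending request.
certreq.exe -accept $CertFile

# 2. Locate the new certificate: matching subject, private key present, latest expiry.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for $HostName in the Local Computer store" }
$Thumb = $Cert.Thumbprint    # already free of spaces and hidden characters

# 3. "Manage Private Keys": grant the service account Read on the key file.
#    CSP (legacy) RSA machine keys are stored under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
$KeyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $KeyName
$Acl  = Get-Acl -Path $KeyPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($SvcAccount, 'Read', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# 4. Export certificate + private key + chain for the WAP server. The password is read
#    interactively so it is never written into a script or the command history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath $PfxFile -Password $PfxPassword -ChainOption BuildChain | Out-Null

# 5. Point AD FS at the new certificate: the service-communications setting (what the
#    management console changes) and the HTTP.sys binding (what only the cmdlet changes).
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumb
Set-AdfsSslCertificate -Thumbprint $Thumb
Restart-Service adfssrv

# 6. Verify that both settings now carry the same thumbprint.
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Thumbprint
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```

Steps 5 and 6 are the check that the GUI-only procedure misses: Get-AdfsSslCertificate reports the HTTP.sys binding, and its CertificateHash must equal the thumbprint shown by Get-AdfsCertificate before the service is considered renewed.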

---------------------------------------------------------------------------------------------------------------------------


3.    Import / replace the certificate on the AD FS WAP server.

  • Log on to the WAP server and import the new certificate previously exported from the AD FS server.

  • Open Run > MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK.
  • Expand Certificates (Local Computer) > Personal > Certificates.
  • Right-click Certificates and select All Tasks > Import.
  • Select the path of the certificate to import.
  • Enter the certificate password, then click Finish.
  • Identify the thumbprint of the certificate so it can be set with a PowerShell command: right-click the newly imported SSL certificate and select Open.
  • Select the Details tab, find the Thumbprint of the new certificate and write it down without the spaces.
  • Copy the thumbprint into Notepad and remove any unwanted spaces from it.
  • Open PowerShell and set the thumbprint for the Web Application Proxy with: Set-WebApplicationProxySslCertificate -Thumbprint <ThumbprintCertificate>
  • After the command has run, restart the Web Application Proxy service.
  • Check and verify the new certificate from the external network.
  • A poorly documented step is also necessary to complete the overall procedure. Checking the WAP application certificate, the ExternalCertificateThumbprint still points to the old thumbprint. Take note also of the value in the ID field: Get-WebApplicationProxyApplication | fl
  • From the AD FS server, double-checking the AD FS certificate, you can see that the AD FS thumbprint differs from the WAP external certificate thumbprint.
  • To update the WAP application certificate as well, run the following command from the WAP server PowerShell console, passing the ID noted above: Set-WebApplicationProxyApplication -ID <ApplicationID> -ExternalCertificateThumbprint <ThumbprintCertificate>
  • Checking the WAP application certificate once again, the external certificate now reports the correct thumbprint: Get-WebApplicationProxyApplication | fl
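The WAP side of the procedure, including the per-application thumbprint fix, as an added example written for this page (not the runbook's own commands). It assumes placeholder values for the PFX path and the public host name sts.contoso.example. It goes one step beyond the text: instead of only listing the applications, it updates every published application whose ExternalCertificateThumbprint still differs from the new one, and it finishes with a TLS probe that reports which certificate the listener actually serves, which is the check to repeat from outside the network.

```powershell
# Added example (not from the runbook). Placeholders: PFX path and host name.
$PfxFile  = 'C:\Temp\sts.contoso.example.pfx'
$HostName = 'sts.contoso.example'

# Import the PFX exported from the AD FS server into the Local Computer store.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$Cert  = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
$Thumb = $Cert.Thumbprint

# Rebind the proxy listener and restart the Web Application Proxy service.
Set-WebApplicationProxySslCertificate -Thumbprint $Thumb
Restart-Service appproxysvc

# The poorly documented step: every published application keeps its own external
# certificate thumbprint. Set-WebApplicationProxyApplication requires the application ID,
# which is taken from each object returned by Get-WebApplicationProxyApplication.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -ne $Thumb } |
    ForEach-Object {
        Write-Host "Updating '$($_.Name)' ($($_.ID)) from $($_.ExternalCertificateThumbprint)"
        Set-WebApplicationProxyApplication -ID $_.ID -ExternalCertificateThumbprint $Thumb
    }

# Verify: every application should now report the new thumbprint.
Get-WebApplicationProxyApplication | Format-List Name, ID, ExternalUrl, ExternalCertificateThumbprint

# Independent check of what is really served on port 443: open a TLS session and read the
# presented certificate. The validation callback returns $true on purpose so that an expired
# or mismatched certificate is still retrieved and reported rather than hidden by an error.
function Get-ServedCertificate {
    param([string]$Target, [int]$Port = 443)
    $Client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, { $true })
        $Ssl.AuthenticateAsClient($Target)
        $Served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
        [pscustomobject]@{
            Target     = $Target
            Subject    = $Served.Subject
            Thumbprint = $Served.Thumbprint
            NotAfter   = $Served.NotAfter
        }
    } finally { $Client.Close() }
}

$Served = Get-ServedCertificate -Target $HostName
if ($Served.Thumbprint -eq $Thumb) { "OK: $HostName serves the new certificate (expires $($Served.NotAfter))" }
else { "MISMATCH: $HostName serves $($Served.Thumbprint), expected $Thumb" }
```

Get-ServedCertificate needs only .NET, so it can be copied to any Windows machine outside the network to perform the external verification the last bullet asks for; a mismatch there usually means the old binding is still active or a load balancer in front of WAP is terminating TLS with its own certificate.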

-----------------------------------------------------------------------------------------------------------------------------

4.    Manually update the AD FS certificate in the Office 365 domain.

  • When you manually update the AD FS certificates, you must update the Office 365 domain as well. Looking at Event ID 381 in Event Viewer on the AD FS server, you may find that the certificate points to the wrong thumbprint because the certificates in the Office 365 domain were not updated.

  • To update your Office 365 domain, you must use the Exchange Online PowerShell commands. Run the following command and enter your cloud service administrator account credentials to access the cloud service: $cred = Get-Credential
  • After entering the credentials, connect to the cloud using: Connect-MsolService -Credential $cred
  • Check the current token-signing certificates in AD FS: Get-ADFSCertificate -CertificateType token-signing
  • Generate a new certificate using: Update-ADFSCertificate -CertificateType token-signing
  • Verify the update, checking that the certificate has been created: Get-ADFSCertificate -CertificateType token-signing
  • A primary and a secondary certificate have been created with new thumbprint values. In the AD FS Management console the new certificates are displayed under the Token-signing area.
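The certificate this section deals with is the token-signing certificate, which is separate from the SSL certificate renewed in sections 1 to 3; it is the one Office 365 uses to validate AD FS tokens, so the cloud side has to learn the new thumbprint. The following is an added example written for this page, not the runbook's own commands. Connect-MsolService belongs to the MSOnline module, and the example assumes a placeholder federated domain contoso.example. It adds two checks the text omits: Update-AdfsCertificate only runs when AutoCertificateRollover is enabled on the farm, and Get-MsolFederationProperty shows the thumbprint on both sides so the mismatch behind Event ID 381 can be confirmed before and after the push.

```powershell
# Added example (not from the runbook). Placeholder: the federated domain name.
# Requires the MSOnline module and the ADFS module; run on an AD FS server.
$Domain = 'contoso.example'

$Cred = Get-Credential -Message 'Cloud service administrator'
Connect-MsolService -Credential $Cred

# What AD FS currently signs with, and what the cloud service believes it signs with.
Get-AdfsCertificate -CertificateType Token-Signing | Format-Table IsPrimary, Thumbprint, Certificate
Get-MsolFederationProperty -DomainName $Domain | Format-List Source, TokenSigningCertificate, NextTokenSigningCertificate

# Update-AdfsCertificate creates a new secondary token-signing certificate, but only when
# automatic certificate rollover is enabled; otherwise it refuses, and a certificate would
# have to be installed and assigned with Set-AdfsCertificate instead.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    # Without -Urgent the new certificate becomes secondary first and is promoted later;
    # add -Urgent to promote it to primary immediately.
    Update-AdfsCertificate -CertificateType Token-Signing
} else {
    Write-Warning 'AutoCertificateRollover is disabled on this farm; Update-AdfsCertificate will not run.'
}
Get-AdfsCertificate -CertificateType Token-Signing | Format-Table IsPrimary, Thumbprint, Certificate

# Push the current signing certificates to the federated domain in the cloud service.
# Add -SupportMultipleDomain if the federation was originally set up with that switch.
Update-MsolFederatedDomain -DomainName $Domain

# Verify that the cloud side now lists the same thumbprints as AD FS.
Get-MsolFederationProperty -DomainName $Domain | Format-List Source, TokenSigningCertificate, NextTokenSigningCertificate
```

Get-MsolFederationProperty returns one row sourced from AD FS and one from the cloud service; once both report the same TokenSigningCertificate the Event ID 381 mismatch described above is resolved.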

==========================================================================


5.    Broken trust relationship from WAP to AD FS.

  • Condition 1: Although local AD FS authentication starts working again, attempts to connect to Office 365 cannot complete access to the web application. Looking at Event Viewer, the WAP server is not able to contact the AD FS server. (Event ID 422, AD FS) [unable to retrieve proxy configuration data from federation service.]

  • Condition 2: The AD FS server reports that the WAP server cannot authenticate. (Event ID 276, AD FS) [The federation server proxy was not able to authenticate to the federation service]

Solution: re-establish trust between WAP and AD FS.

  • From the WAP server, retrieve the list of installed certificates with the command: Get-ChildItem -Path cert:\LocalMachine\My

  • The error displayed in Event Viewer (Event ID 422) reports that the trusted certificate begins with thumbprint <Old thumbprint> while the imported certificate begins with <new thumbprint>.

  • To re-establish trust between AD FS and WAP, run the following command on the WAP server, entering the local Domain Administrator account credentials if prompted: Install-WebApplicationProxy -CertificateThumbprint <ThumbprintCertificate> -FederationServiceName <sts.domain.com>

  • The configuration is applied to the system. When the process has completed, the system displays the message DeploymentSucceeded.

  • Under the Token-decrypting area the Expiration Date of the certificate is now shown as valid.

  • The trust between WAP and AD FS has been restored, as confirmed in Event Viewer. (Event ID 245, AD FS) [successfully retrieve the configuration].
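The diagnosis and repair above, as an added example written for this page (not the runbook's own commands), run elevated on the WAP server. It assumes the placeholder federation service name sts.contoso.example and that the proxy writes its events to the AD FS/Admin log, which is where the IDs quoted in this section appear. Rather than reading thumbprints off the event text, it selects the certificate to trust by subject, private key and validity, and it confirms the repair by looking for Event ID 245 after Install-WebApplicationProxy returns.

```powershell
# Added example (not from the runbook). Placeholder: the federation service name.
$FederationService = 'sts.contoso.example'
$Log = 'AD FS/Admin'   # assumed log name for the WAP/AD FS events quoted in this section

# Symptom check: 422 (cannot retrieve proxy configuration) and 276 (proxy failed to
# authenticate) from the last day, first line of each message only.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 422, 276; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# The certificate the trust must use: matching subject, private key present, not expired,
# latest expiry wins if several are installed.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationService*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No valid certificate for $FederationService in the Local Computer store" }
"Using certificate $($Cert.Thumbprint), expires $($Cert.NotAfter)"

# Re-establish the trust. The credential is the account allowed to register the proxy
# (the runbook uses the local Domain Administrator); it is prompted for, never stored.
$Result = Install-WebApplicationProxy -CertificateThumbprint $Cert.Thumbprint `
    -FederationServiceName $FederationService `
    -FederationServiceTrustCredential (Get-Credential -Message 'Account allowed to register the proxy')
$Result | Format-List Message, Context, Status   # Message reads DeploymentSucceeded on success

# Confirmation: Event ID 245 means the proxy retrieved its configuration from AD FS.
$Confirmed = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 245; StartTime = (Get-Date).AddMinutes(-10) } -ErrorAction SilentlyContinue
if ($Confirmed) { "Trust restored: event 245 logged at $($Confirmed[0].TimeCreated)" }
else { Write-Warning 'No event 245 yet; check the AD FS server for event 276 before retrying.' }
```

If Install-WebApplicationProxy succeeds but 422 keeps recurring, compare the thumbprint it was given with the one the AD FS server reports for service communications; the two must match for the proxy to authenticate.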