ADFS 3.0 SSL Update


Are you updating the ADFS and ADFS SSL certificates? Well, if so, read on....

ADFS servers are domain joined, whereas ADFS WAP servers are in a workgroup. The servers and the commands below were colour coded by server type; the section headings also state which type of server you need to be logged into for each step.

You need to import the new SSL certificate (with its private key, into the local computer's Personal store) on all ADFS servers. This includes both ADFS and ADFS WAP servers, as every server uses the certificate for the SSL bindings of the ADFS service.

Add to SCOM maintenance mode

Add all ADFS servers into maintenance mode and ensure they stay in “maintenance” for the duration of the change.

Snapshot all ADFS VMs (if virtualised)

Take a snapshot of all the VMs above; do NOT include the guest OS memory in the snapshot, it is not required.

ADFS Server : Add “adfssrv” and “drs” to SSL certificate

  1. You need to add the “adfssrv” and “drs” service accounts, which are local to each WAP server. This is done from the local computer certificate MMC, opened by running “certlm.msc”.
  2. Select the new certificate, right click it and choose All Tasks, then Manage Private Keys.
  3. “adfssrv” and “drs” are missing, so click Add, change the location to the local server and enter this: NT SERVICE\adfssrv; NT SERVICE\drs
  4. When you complete this it adds the two services; ensure they have Read access only, they do not need Full Control…..
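The same private key permission change can be scripted, which is useful when you have several servers to do and want the result to be checkable. The example below is added here and is not from the original post: it finds the certificate by thumbprint, locates the on-disk key container (CAPI keys live under RSA\MachineKeys, CNG keys under Crypto\Keys), grants Read to NT SERVICE\adfssrv and NT SERVICE\drs, and prints the resulting ACL. The thumbprint is a placeholder and must be replaced; run it in an elevated PowerShell on the server holding the certificate.

```powershell
# Added example (not from the original post): scripted equivalent of the
# "Manage Private Keys" MMC steps. Grants Read (not Full Control) on the
# private key file to the ADFS service accounts and shows the result.
# Assumption: $Thumbprint is a placeholder, replace it with the new cert's.
$Thumbprint = 'AABBCC11223344556677AABBCCDDEE889900112233'
$Principals = 'NT SERVICE\adfssrv', 'NT SERVICE\drs'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX with its key" }

# Locate the key container on disk. Legacy CSP (CAPI) keys expose PrivateKey;
# CNG keys return $null there and are reached via RSACertificateExtensions.
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if ($csp) {
    $keyName = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $rsa.Key.UniqueName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
}
$keyPath = Join-Path $keyDir $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found: $keyPath" }

# Add a Read/Allow rule for each service account; existing rules are kept.
$acl = Get-Acl -Path $keyPath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Verify: both service accounts should now appear with Read rights.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the verification table does not list both NT SERVICE accounts with Read, the ADFS service will fail to load the key after the restart later in this procedure, so fix that before going on.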

ADFS Server : Service Communications Certificate Update

Run this to get the current data:

Get-AdfsCertificate

CertificateType : Service-Communications
IsPrimary       : True
StoreLocation   : LocalMachine
StoreName       : My
Thumbprint      :


Copy the thumbprint, which will come out like this:

aa bb cc 11 22 33 44 55 66 77 aa bb cc dd ee 88 99 

Remove the spaces from the thumbprint (and any hidden character the MMC copy may have put in front of it); this is critical. A real SHA-1 thumbprint is 40 hexadecimal characters and should look like this:

aabbcc11223344556677aabbccddee8899 

Now that you have the new thumbprint, run this:

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "aabbcc11223344556677aabbccddee8899"

To check this is now the live certificate use the command:

Get-AdfsCertificate

CertificateType : Service-Communications
IsPrimary       : True
StoreLocation   : LocalMachine
StoreName       : My
Thumbprint      :

Restart the Active Directory Federation Services service to make the new certificate live (make it so, Mr Sulu)……

ADFS Server : Update ADFS SSL Certificate

Run this to get the current data:

Get-AdfsSslCertificate

HostName                    PortNumber CertificateHash
--------                    ---------- ---------------
adfs.severntrent.co.uk      443
localhost                   443
adfs.severntrent.co.uk      49443

The thumbprint in this example is the same, so I will use the same thumbprint again; note that it may be different depending on what you are updating….. So let’s update it….

Set-AdfsSslCertificate -Thumbprint "660edcfc4c8aea6ed94ca418f7517903bd274947"

Then we need to check it:

Get-AdfsSslCertificate

HostName                    PortNumber CertificateHash
--------                    ---------- ---------------
localhost                   443        aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk      443        aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk      49443      aabbcc11223344556677aabbccddee8899

Restart the Active Directory Federation Services service to make the new certificate live (make it so, Mr Sulu)……
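The thumbprint clean-up, the service communications update and the SSL binding update above can be done as one checked sequence. The following is an added example, not the post's own commands: it strips spaces and any non-hex characters from a copied thumbprint and insists on 40 hex digits, confirms the certificate and its private key are in the machine store, records the current state, applies Set-AdfsCertificate and Set-AdfsSslCertificate, and fails loudly if any binding still carries the old hash before restarting the service. The copied thumbprint is a constructed placeholder; run this on an ADFS server in an elevated 64-bit PowerShell.

```powershell
# Added example (not from the original post): update the ADFS service
# communications certificate and SSL bindings from a copied thumbprint,
# verifying each step. Assumption: $Copied is a placeholder, replace it.
$Copied = "aa bb cc 11 22 33 44 55 66 77 aa bb cc dd ee 88 99 00 11 22"

function ConvertTo-Thumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Drop whitespace and anything that is not hex. A copy from the MMC often
    # carries an invisible left-to-right mark (U+200E) at the start, which makes
    # the Set-* cmdlets report the certificate as not found.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length): '$clean'"
    }
    return $clean
}

$Thumbprint = ConvertTo-Thumbprint $Copied

# The certificate must already be imported with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
"New certificate: $($cert.Subject) expires $($cert.NotAfter)"

# Record the current state so the change can be verified (or reverted).
$before = Get-AdfsCertificate -CertificateType Service-Communications
"Current service communications thumbprint: $($before.Thumbprint)"
"Current SSL bindings:"
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

# 1. Service communications certificate.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
$after = Get-AdfsCertificate -CertificateType Service-Communications
if ($after.Thumbprint -ne $Thumbprint) { throw "Service communications certificate was not updated" }

# 2. SSL bindings (443 and 49443 on every hostname ADFS listens on).
Set-AdfsSslCertificate -Thumbprint $Thumbprint
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $Thumbprint }
if ($stale) {
    $stale | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    throw "Some SSL bindings still carry the old certificate"
}

# 3. Make it live and confirm the service came back.
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Name, Status
```

The old thumbprint printed at the start is what you would pass back to Set-AdfsCertificate and Set-AdfsSslCertificate if the service fails to start after the restart, so keep that output with your change record.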

ADFS WAP Server : Update WAP Proxy SSL Certificate

You need to run "Windows PowerShell", not "Windows PowerShell (x86)": the modules for ADFS WAP are NOT available in the 32-bit version. You also need to run it as Administrator (yes, even if you are already logged in as one).

Run this to get the current data:

Get-WebApplicationProxySslCertificate

HostName                    PortNumber CertificateHash
--------                    ---------- ---------------
adfs.severntrent.co.uk      443
adfs.severntrent.co.uk      49443

The thumbprint in this example is the same, so I will use the same thumbprint again; note that it may be different depending on what you are updating….. So let’s update it….

Set-WebApplicationProxySslCertificate -Thumbprint "660edcfc4c8aea6ed94ca418f7517903bd274947"

Then we need to check it:

Get-WebApplicationProxySslCertificate

HostName                    PortNumber CertificateHash
--------                    ---------- ---------------
adfs.severntrent.co.uk      443        aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk      49443      aabbcc11223344556677aabbccddee8899

Restart the Active Directory Federation Services service to make the new certificate live (make it so, Mr Sulu)……
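Because the WAP cmdlets silently do not exist in a 32-bit or non-elevated session, it is worth checking the session before touching the proxy. This added example (not from the original post) refuses to run unless PowerShell is 64-bit and elevated and the WebApplicationProxy module loads, then confirms the certificate is present in the proxy's own machine store (WAP is workgroup joined, so it has its own copy), applies Set-WebApplicationProxySslCertificate and verifies every binding before restarting the service. The thumbprint is a placeholder; run it on each ADFS WAP server.

```powershell
# Added example (not from the original post): pre-flight checks plus the WAP
# proxy SSL certificate update, with verification of every binding.
# Assumption: $Thumbprint is a placeholder, replace it with the new cert's.
$Thumbprint = 'AABBCC11223344556677AABBCCDDEE889900112233'

# The WAP cmdlets are only available to a 64-bit, elevated PowerShell.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from "Windows PowerShell", not "Windows PowerShell (x86)"'
}
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run PowerShell as Administrator'
}
Import-Module WebApplicationProxy -ErrorAction Stop

# The certificate (with private key) must be in this proxy's own store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this WAP server" }

"Before:"
Get-WebApplicationProxySslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint

"After:"
$bindings = Get-WebApplicationProxySslCertificate
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize
$stale = $bindings | Where-Object { $_.CertificateHash -ne $Thumbprint }
if ($stale) { throw "Some proxy bindings still carry the old certificate" }

# Make it live and confirm the service came back.
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Name, Status
```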

Check the Event Log

If you have made a change it is a good idea to ensure nothing has gone wrong, so open Event Viewer and go to Applications and Services Logs > AD FS > Admin:

Look for event ID 200, which is ADFS stopping; as below, it should then be followed by 245, 252, 198 and then 245. If you see a list of RED errors, you made a mistake: check your configuration.
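The same check can be run from PowerShell, which is handy when you have several servers to confirm. This added example (not from the original post) reads the AD FS/Admin log since a chosen time, prints the events, reports which of the restart event IDs named above (200, 245, 252, 198) were seen and fails if any Error or Critical event was logged. The 30 minute look-back is a placeholder; run it on the server you changed.

```powershell
# Added example (not from the original post): review the AD FS admin log
# after the certificate change. Assumption: $Since (30 minutes) is a
# placeholder; set it to just before you restarted the service.
$Since       = (Get-Date).AddMinutes(-30)
$ExpectedIds = 200, 245, 252, 198   # restart sequence described in the post

$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Warning "No AD FS/Admin events since $Since - did the service actually restart?"
    return
}

# First line of each message is enough to follow the sequence.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Which of the expected restart events appeared, in order.
$seen = $events | Where-Object { $ExpectedIds -contains $_.Id } | ForEach-Object { $_.Id }
"Restart sequence seen: $($seen -join ', ')"
$missing = $ExpectedIds | Where-Object { $seen -notcontains $_ }
if ($missing) { Write-Warning "Expected event IDs not found: $($missing -join ', ')" }

# Level 1 = Critical, 2 = Error: anything here is the "RED errors" case.
$errors = $events | Where-Object { $_.Level -le 2 }
if ($errors) {
    $errors | Format-List TimeCreated, Id, Message
    throw "$(@($errors).Count) error/critical event(s) in AD FS/Admin since $Since - check your configuration"
}
"No errors in AD FS/Admin since $Since"
```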

Check Live ADFS SSL Certificate

Start Internet Explorer and visit this URL: https://<your federation service FQDN>/adfs/ls/idpinitiatedsignon.htm

Click the Padlock then view certificates:

You should see the new expiry date here (2019 in this instance).
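The padlock check only tells you about the one host and port the browser happened to connect to. This added example (not from the original post) performs a TLS handshake against the federation host on both 443 and 49443 and reports the subject, thumbprint and expiry of the certificate actually served, comparing each against the expected thumbprint; it is the scripted form of the browser check and also catches a WAP or binding that was missed. The hostname and expected thumbprint are placeholders; run it from any machine that can reach the ADFS endpoints.

```powershell
# Added example (not from the original post): inspect the certificate served
# on each ADFS endpoint over TLS. Assumptions: $FederationHost and $Expected
# are placeholders, replace them with your values.
$FederationHost = 'adfs.example.com'
$Expected       = 'AABBCC11223344556677AABBCCDDEE889900112233'
$Ports          = 443, 49443

function Get-ServedCertificate {
    param([string]$Hostname, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        # Accept whatever the server presents: the point is to see what is
        # served, not to let this client's trust store decide for us.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Hostname)   # $Hostname is also sent as SNI
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$results = foreach ($port in $Ports) {
    try {
        $cert = Get-ServedCertificate -Hostname $FederationHost -Port $port
        [pscustomobject]@{
            Endpoint   = "${FederationHost}:$port"
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Match      = ($cert.Thumbprint -eq $Expected)
        }
    } catch {
        # Port 49443 (certificate authentication) may refuse a client with no
        # client certificate; record the failure rather than stopping.
        [pscustomobject]@{
            Endpoint = "${FederationHost}:$port"; Subject = $_.Exception.Message
            Thumbprint = $null; NotAfter = $null; DaysLeft = $null; Match = $false
        }
    }
}

$results | Format-Table -AutoSize
if (@($results.Match) -contains $false) {
    throw "At least one endpoint is not serving the expected certificate"
}
```

Run it once against each ADFS and WAP server's address as well as the load-balanced name, otherwise a single node still presenting the old certificate can hide behind the others.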
Remove from SCOM maintenance mode

Remove all ADFS servers from maintenance mode, then ensure that for the next 30 minutes no valid alerts or issues arise.

Remove the snapshots from all ADFS VMs

Remove all snapshots of the VMs above by using “Delete All” from Snapshot Manager.