Updating the ADFS and ADFS SSL certificates, are you? Well, if so, read on....
ADFS servers are domain joined, whereas ADFS WAP servers are in a workgroup. I have also colour coded the servers and the commands I used below, so the colour goes with the type of server you are logged into.
You need to import the new SSL certificate on all ADFS servers, and this includes both ADFS and ADFS WAP, as every one of these servers uses the certificate for the SSL bindings of the ADFS service.
Add to SCOM maintenance mode
Add all ADFS servers into maintenance mode and ensure they stay in “maintenance”.
Snapshot all ADFS VMs (if virtualized)
Take a snapshot of all the VMs above; ensure you do NOT include the guest OS memory in that snapshot, as it is not required.
ADFS Server : Add “adfssrv” and “drs” to SSL certificate
- You need to add the “adfssrv” and “drs” service accounts, which are local to each WAP server. This is done in the local certificate MMC, opened by running “certlm.msc”.
- Select the new certificate, right-click it and choose All Tasks, then Manage Private Keys.
- “adfssrv” and “drs” will be missing, so click Add, change the location to the local server and enter this: NT SERVICE\adfssrv; NT SERVICE\drs
- Once you complete this, the services are added; ensure they have Read access only, as they do not need Full Control.
ADFS Server : Service Communications Certificate Update
Run this to get the current data:
Get-AdfsCertificate
CertificateType : Service-Communications
IsPrimary : True
StoreLocation : LocalMachine
StoreName : My
Thumbprint :
Copy the thumbprint; it will paste with spaces, like this:
aa bb cc 11 22 33 44 55 66 77 aa bb cc dd ee 88 99
Remove the spaces from the thumbprint (this is critical) so it looks like this:
aabbcc11223344556677aabbccddee8899
Now that you have the new thumbprint, run this:
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint "aabbcc11223344556677aabbccddee8899"
To check that this is now the live certificate, use the command:
Get-AdfsCertificate
CertificateType : Service-Communications
IsPrimary : True
StoreLocation : LocalMachine
StoreName : My
Thumbprint :
Restart the Active Directory Federation Services service to make it so, Mr Sulu, and make the new certificate live.
ADFS Server : Update ADFS SSL Certificate
Run this to get the current data:
Get-AdfsSslCertificate
adfs.severntrent.co.uk 443
localhost 443
adfs.severntrent.co.uk 49443
The thumbprint in this example is the same, so I will use the same thumbprint again; note that it may be different depending on what you are updating. So let’s update it:
Set-AdfsSslCertificate -Thumbprint "660edcfc4c8aea6ed94ca418f7517903bd274947"
Then we need to check it:
Get-AdfsSslCertificate
localhost 443 aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk 443 aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk 49443 aabbcc11223344556677aabbccddee8899
Restart the Active Directory Federation Services service to make it so, Mr Sulu, and make the new certificate live.
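The ADFS server steps above (private key permissions, thumbprint clean-up, Service-Communications and SSL certificate update, verification) pulled into one script, as an added example that is not part of the original post. It assumes an elevated 64-bit Windows PowerShell session on a domain-joined ADFS server; $NewCertHost and the Get-PrivateKeyPath helper are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes an elevated 64-bit Windows PowerShell
# on a domain-joined ADFS server; $NewCertHost is a placeholder for your ADFS host name.
Import-Module ADFS
$NewCertHost = 'adfs.example.com'   # placeholder, constructed for this example

# 1. Pick the newest certificate for the host in LocalMachine\My that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$NewCertHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $NewCertHost with a private key in LocalMachine\My" }

# 2. Strip spaces from the thumbprint (the "critical" step) and insist on 40 hex characters.
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint format: $thumb" }

# 3. Locate the private key file (CNG or legacy CSP) and check its ACL: adfssrv and drs
#    need Read and should not hold Full Control.
function Get-PrivateKeyPath([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$acl = Get-Acl (Get-PrivateKeyPath $cert)
foreach ($svc in 'NT SERVICE\adfssrv', 'NT SERVICE\drs') {
    $rights = 0
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $svc -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $rights = $rights -bor [int]$_.FileSystemRights }
    if (-not ($rights -band [int][System.Security.AccessControl.FileSystemRights]::Read)) {
        throw "$svc cannot read the private key; grant Read via certlm.msc > All Tasks > Manage Private Keys"
    }
    if (($rights -band [int][System.Security.AccessControl.FileSystemRights]::FullControl) -eq
        [int][System.Security.AccessControl.FileSystemRights]::FullControl) {
        Write-Warning "$svc has Full Control on the private key; Read is all it needs"
    }
}

# 4. Apply the certificate to the Service-Communications role and the SSL bindings, then restart.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
Set-AdfsSslCertificate -Thumbprint $thumb
Restart-Service adfssrv

# 5. Verify every binding now carries the new thumbprint (-ne is case-insensitive in PowerShell).
$svcComm = Get-AdfsCertificate -CertificateType Service-Communications
$stale   = @(Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb })
if ($svcComm.Thumbprint -ne $thumb -or $stale.Count -gt 0) { throw "New certificate is not live on all bindings" }
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
```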
ADFS WAP Server : Update WAP Proxy SSL Certificate
You need to run "Windows PowerShell", not "Windows PowerShell (x86)": the ADFS WAP modules are NOT available in the 32-bit version. You also need to run it as Administrator (yes, even if you are one already).
Run this to get the current data:
Get-WebApplicationProxySslCertificate
adfs.severntrent.co.uk 443
adfs.severntrent.co.uk 49443
The thumbprint in this example is the same, so I will use the same thumbprint again; note that it may be different depending on what you are updating. So let’s update it:
Set-WebApplicationProxySslCertificate -Thumbprint "660edcfc4c8aea6ed94ca418f7517903bd274947"
Then we need to check it:
Get-WebApplicationProxySslCertificate
adfs.severntrent.co.uk 443 aabbcc11223344556677aabbccddee8899
adfs.severntrent.co.uk 49443 aabbcc11223344556677aabbccddee8899
Restart the Active Directory Federation Services service to make it so, Mr Sulu, and make the new certificate live.
Check the Event Log
If you have made a change, it is a good idea to ensure nothing has gone wrong, so open Event Viewer and pop yourself in here:
Look for event ID 200, which is ADFS stopped; then, as below, it should go 245, 252, 198 and then 245. If you see a list of RED errors, you made a mistake: check your configuration.
Check Live ADFS SSL Certificate
Start Internet Explorer and visit this URL : https:///adfs/ls/idpinitiatedsignon.htm
Click the Padlock then view certificates:
You should see the new expiry date here, 2019 in this instance.
Remove from SCOM maintenance mode
Remove all ADFS servers from maintenance mode, then ensure that no valid alerts or issues arise over the next 30 minutes.
Remove snapshots from all ADFS VMs
Remove all snapshots of the VMs above by using “Delete All” in Snapshot Manager.