ADFS WAP : No 443 Binding

Since updating the ADFS certificates everything had been fine, until I noticed we had no 443 binding on the ADFS WAP server. Bear in mind there is no IIS on a WAP server, so you need PowerShell (and netsh) to fix the bindings. Start with:

Get-WebApplicationProxySslCertificate

This will show you this:

HostName                           PortNumber  CertificateHash
--------                           ----------  ---------------
               49443    

It should look like this:

HostName                           PortNumber  CertificateHash
--------                           ----------  ---------------
                443      
               49443     

What is going on here? We seem to be missing a mapping, so let's fix it. First, run this command:

netsh http show sslcert

You get this:

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : :49443
    Certificate Hash             : 
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled

Hmmm, ignoring the IP-based 0.0.0.0:443 entry, there is no ADFS hostname binding listening on TCP 443, so we need to put it back. This is the entry that is missing; the values we need from it are the hostname:port, the certificate hash, the application ID, the certificate store name and the CTL store name:

    Hostname:port                : :443
    Certificate Hash             : 
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

So let's add it back. The netsh command syntax is:

add sslcert hostnameport=<url:port> certhash= appid= certstorename= sslctlstorename=

Fill in the values from the output above and you get this:

add sslcert hostnameport=adfs.fakedomain.com:443 certhash=660edcfc4c8aea6ed94ca418f751111111111111 appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY sslctlstorename=AdfsTrustedDevices

To run it you first need to enter the netsh http context, which is where the add sslcert command lives:

1. netsh
2. http

Then enter the add sslcert command, and you will get a "successful" response.

Then when you run this command again:

netsh http show sslcert

You will now see the TCP:443 binding (yayyy):

    Hostname:port                : :443
    Certificate Hash             :
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

You will also notice that when you run this again:

Get-WebApplicationProxySslCertificate

You get all the bindings:

HostName                           PortNumber  CertificateHash
--------                           ----------  ---------------
                443      
               49443
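To catch this drift before users do, here is an added PowerShell check (my own example, not part of the original post) that parses netsh http show sslcert, confirms the hostname bindings on 443 and 49443 exist and carry the same thumbprint the WAP cmdlet reports, and prints the add sslcert command to restore a missing 443 binding. The federation hostname adfs.fakedomain.com is the post's placeholder and the appid is the one from the post's output; adjust both for your environment.

```powershell
# Added health check for the ADFS WAP 443/49443 bindings (not from the original post).
param(
    [string]$FedHost = 'adfs.fakedomain.com',   # federation service FQDN (placeholder from the post)
    [string]$ExpectedThumbprint = ''             # leave empty to read it from the WAP cmdlet
)
$AppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # application ID seen in the post's netsh output

# Expected thumbprint defaults to whatever the WAP cmdlet currently reports for its first binding.
if (-not $ExpectedThumbprint) {
    $ExpectedThumbprint = (Get-WebApplicationProxySslCertificate | Select-Object -First 1).CertificateHash
}

# Parse "netsh http show sslcert" into one hashtable per binding (keys are the field names).
function Get-HttpSslBindings {
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            $current = @{ Type = $matches[1]; Endpoint = $matches[2] }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $bindings
}

$bindings = Get-HttpSslBindings
foreach ($port in 443, 49443) {
    # Only hostname bindings count; the IP-based 0.0.0.0:443 entry is not the ADFS listener.
    $b = $bindings | Where-Object { $_.Type -eq 'Hostname:port' -and $_.Endpoint -like "*:$port" } |
         Select-Object -First 1
    if (-not $b) {
        Write-Warning "No hostname binding on TCP $port."
        if ($port -eq 443) {
            Write-Host "Restore it from the 'netsh' -> 'http' context with:"
            Write-Host "add sslcert hostnameport=${FedHost}:443 certhash=$ExpectedThumbprint appid=$AppId certstorename=MY sslctlstorename=AdfsTrustedDevices"
        }
        continue
    }
    # -ne is case-insensitive, so netsh's lowercase hash compares fine with the cmdlet's uppercase one.
    if ($b['Certificate Hash'] -ne $ExpectedThumbprint) {
        Write-Warning "TCP $port binds $($b['Certificate Hash']) but expected $ExpectedThumbprint."
    } elseif ($port -eq 443 -and $b['Ctl Store Name'] -ne 'AdfsTrustedDevices') {
        Write-Warning "TCP 443 is missing the AdfsTrustedDevices CTL store (device authentication will break)."
    } else {
        Write-Host "TCP $port binding OK ($($b.Endpoint))."
    }
}
```

Run it from an elevated PowerShell on the WAP server after any certificate change; it only reads bindings and never modifies them.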