
[Solved] HOW TO renew ADFS certificate on federation and WAP proxy server

To make the problem clear, here is the setup:

Old certificate:

New certificate:

ADFS01 => internal ADFS server
ADFSProxy => ADFS Proxy server (WAP) in the DMZ

This week I had a customer who wasn't able to log in to Office 365.
They weren't able to connect to SharePoint or Outlook.
A quick peek showed me that the ADFS server was the real problem.

The ADFS certificate had expired.
So I had to renew the certificate on the internal ADFS server and on the WAP proxy server.


Renewing the certificate through the Remote Access Management Console wasn't possible:
The operation stopped due to an unknown general error. Error code 0x8007520c

Checking the Web Application Proxy Server: The service is stopped


Trying to start the service resulted in an Error:
Windows Could not start the Web Application Proxy Service service on Local Computer.
Error 0x80190191: Unauthorized (401).

The Remote Access Management Console wasn't working properly, so I wasn't able to renew the certificate the easy way; therefore I took the PowerShell route.


Check the current certificates in the machine store:
dir cert:\LocalMachine\my

=> Write down the thumbprint of the new certificate.

First, enable certificate rollover:

Set-ADFSProperties -AutoCertificateRollover $true


Import the new certificate on ADFS01

On the ADFS01 server, import the certificate and assign it to each ADFS certificate type (the valid -CertificateType values are Service-Communications, Token-Decrypting and Token-Signing):

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

You can check this on ADFS01 => start AD FS Management => Service => Certificates


On the ADFSProxy server:

Set-WebApplicationProxySslCertificate -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

And check the certificate.


Remote Access Management Console wizard

If at this point you're not able to start the Remote Access Management Console wizard, go to the registry:

Go to HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus

Change the value of ProxyConfigurationStatus to 1

You can now start the Web Application Proxy Service, and you can rerun the Remote Access Management Console wizard.

Or you can install the certificate by means of PowerShell:


Install-WebApplicationProxy -CertificateThumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94 -FederationServiceName STS.


Check the certificates on both servers:

dir cert:\LocalMachine\my


certutil -repairstore my *


netsh http show sslcert


On the ADFS01 server



If you still see the old certificate in the SSL binding, you need to renew that last certificate as well:

Set-AdfsSslCertificate -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94


The last action is to update your federation on ADFS01:

Update-MsolFederatedDomain -DomainName
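As an added example (not part of the original post), here is a PowerShell check to run on ADFS01 after the steps above. It confirms that every ADFS certificate role and the HTTPS binding use the new thumbprint, and warns when the certificate is close to expiring, so the outage described at the start is caught before users lose access. The thumbprint value is a placeholder to replace with your own.

```powershell
# Added example: verify that ADFS01 uses the new certificate everywhere and
# warn before the next expiry. Run in an elevated PowerShell on the ADFS server.
# $NewThumbprint is a placeholder; use the thumbprint noted from cert:\LocalMachine\My.
function Test-AdfsCertificateState {
    param(
        [Parameter(Mandatory)] [string] $NewThumbprint,
        [int] $WarnDays = 30
    )
    $problems = @()

    # 1. The certificate must be in the machine store together with its private key
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $cert) { return @("Certificate $NewThumbprint not found in Cert:\LocalMachine\My") }
    if (-not $cert.HasPrivateKey) { $problems += "Certificate $NewThumbprint has no private key" }

    # 2. Expiry check: the original outage was an expired certificate nobody noticed in time
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) { $problems += "Certificate expired on $($cert.NotAfter)" }
    elseif ($daysLeft -lt $WarnDays) { $problems += "Certificate expires in $daysLeft days ($($cert.NotAfter))" }

    # 3. Every primary ADFS certificate role (Service-Communications, Token-Decrypting,
    #    Token-Signing) must point at the new certificate
    foreach ($role in Get-AdfsCertificate) {
        if ($role.IsPrimary -and $role.Thumbprint -ne $NewThumbprint) {
            $problems += "$($role.CertificateType) still uses $($role.Thumbprint)"
        }
    }

    # 4. The HTTPS binding (what 'netsh http show sslcert' displays) must use it too
    foreach ($binding in Get-AdfsSslCertificate) {
        if ($binding.CertificateHash -ne $NewThumbprint) {
            $problems += "SSL binding $($binding.HostName):$($binding.PortNumber) uses $($binding.CertificateHash)"
        }
    }

    # 5. Record whether ADFS is managing the token certificates itself
    if ((Get-AdfsProperties).AutoCertificateRollover) { Write-Verbose "AutoCertificateRollover is enabled" }

    return $problems
}

$issues = Test-AdfsCertificateState -NewThumbprint 'XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94' -WarnDays 30
if ($issues.Count -eq 0) { 'All ADFS certificate roles and the SSL binding use the new certificate.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Run the same expiry check on the WAP server against Get-WebApplicationProxySslCertificate (which also exposes CertificateHash) to cover the proxy side.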


For more info:

You can test your ADFS: