[Solved] HOW TO renew ADFS certificate on federation and WAP proxy server

To make everything clear, here is the data for the problem:

Old certificate:
XXXXXXX6F895C3574F92DC7D6C7DE3DE4BCA6920

New certificate:
XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

ADFS01 => internal ADFS server
ADFSProxy => ADFS Proxy server (WAP) in DMZ

This week I had a customer who wasn't able to log in to Office 365.
They weren't able to connect to SharePoint or Outlook.
A quick peek showed me that the ADFS server was the real problem.

The ADFS certificate had expired.
So I had to renew the certificate on the internal ADFS server and on the WAP proxy server.

Solution:

Renewing the certificate through the Remote Access Management Console wasn't possible:
The operation stopped due to an unknown general error. Error code 0x8007520c

Checking the Web Application Proxy server showed that the service was stopped.

Trying to start the service resulted in an error:
Windows Could not start the Web Application Proxy Service service on Local Computer.
Error 0x80190191: Unauthorized (401).

The Remote Access Management Console wasn't working properly, so I wasn't able to renew the certificate the easy way. Therefore I took the PowerShell route.

Check the current certificates:
dir cert:\LocalMachine\my

Write down the thumbprint of the new certificate.

First, enable certificate rollover:

Set-AdfsProperties -AutoCertificateRollover $true

Import the new certificate on ADFS01

On the ADFS01 server, import the certificate and set it for the following certificate types:

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

(The valid values for -CertificateType are Service-Communications, Token-Decrypting and Token-Signing; the original post wrote "Token-Encryption" for the second one, which the cmdlet does not accept.)

You can check this on ADFS01: start AD FS Management => Service => Certificates

On the ADFSProxy server:

Set-WebApplicationProxySslCertificate -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94
Get-WebApplicationProxySslCertificate

And check that the new certificate is now bound.

Remote Access Management Console wizard

If at this point you are not able to start the Remote Access Management Console wizard, go to the registry:

Go to HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus

Change the value of ProxyConfigurationStatus to 1

You can now start the Web Application Proxy Service, and you can rerun the Remote Access Management Console wizard.

Or you can install the certificate by means of PowerShell:

Install-WebApplicationProxy -CertificateThumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94 -FederationServiceName STS.Domain.nl

Check the certificates on both servers:

dir cert:\LocalMachine\my

certutil -repairstore my *

netsh http show sslcert

On the ADFS01 server:

Get-AdfsSslCertificate

If you still see the old certificate here, you also need to renew the SSL certificate binding:

Set-AdfsSslCertificate -Thumbprint XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

The last action is to update your federation on ADFS01:

Update-MsolFederatedDomain -DomainName Domain.nl
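After the steps above, it helps to confirm in one go that nothing on ADFS01 still references the old thumbprint. The following script is an added example, not part of the original post: it compares every primary ADFS certificate and the HTTP.SYS SSL binding with the expected thumbprint, and checks that the certificate is in the machine store with a private key and is not about to expire. It assumes an elevated PowerShell session on the internal ADFS server with the ADFS module available; the thumbprint below is the placeholder from this post.

```powershell
# Added verification script (not from the original post).
# Assumes: run elevated on ADFS01 with the ADFS module loaded.
# $ExpectedThumbprint is a placeholder; replace it with your new certificate's thumbprint.
param(
    [string]$ExpectedThumbprint = 'XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94',
    [int]$WarnDays = 30
)

$expected = $ExpectedThumbprint.ToUpper()
$problems = @()

# 1. Service-Communications / Token-Decrypting / Token-Signing: only the primary
#    certificate of each type is the one ADFS actually uses.
foreach ($c in Get-AdfsCertificate | Where-Object { $_.IsPrimary }) {
    if ($c.Thumbprint.ToUpper() -ne $expected) {
        $problems += "ADFS $($c.CertificateType) still uses $($c.Thumbprint)"
    }
}

# 2. The HTTP.SYS SSL binding that Set-AdfsSslCertificate writes
#    (this is what netsh http show sslcert lists).
foreach ($b in Get-AdfsSslCertificate) {
    if ($b.CertificateHash.ToUpper() -ne $expected) {
        $problems += "SSL binding $($b.HostName):$($b.PortNumber) still uses $($b.CertificateHash)"
    }
}

# 3. The certificate itself: present in LocalMachine\My, with a private key,
#    and not expiring within $WarnDays days.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
if (-not $cert) {
    $problems += "Thumbprint $expected is not present in Cert:\LocalMachine\My"
} elseif (-not $cert.HasPrivateKey) {
    $problems += "Certificate $expected has no private key (try certutil -repairstore my *)"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    $problems += "Certificate $expected expires on $($cert.NotAfter)"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: all ADFS certificate references on this server point at $expected"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The same thumbprint comparison can be repeated on the WAP server against Get-WebApplicationProxySslCertificate, which also exposes a CertificateHash property.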


For more info:

https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

https://gallery.technet.microsoft.com/Update-the-Service-9e080ef8/view/Reviews

You can test your ADFS with the IdP-initiated sign-on page:

https://STS.Domain.com/adfs/ls/IdpInitiatedSignon.aspx
