
[Solved] HOW TO renew ADFS certificate on federation and WAP proxy server

To make everything clear, here is the data for the problem:

Old certificate:
XXXXXXX6F895C3574F92DC7D6C7DE3DE4BCA6920

New certificate
XXXXXXX74393DBDB2FF3C2DCDB6FEB1A23A6EC94

ADFS01 => internal ADFS server
ADFSProxy => ADFS Proxy server (WAP) in DMZ

This week I had a customer who wasn't able to log in to Office 365.
They weren't able to connect to SharePoint or Outlook.
A quick peek showed me that the ADFS server was the real problem.

The ADFS certificate had expired.
So I had to renew the certificate on the internal ADFS server and on the WAP proxy server.

Solution:

Renewing the certificate through the Remote Access Management Console wasn't possible:
The operation stopped due to an unknown general error. Error code 0x8007520c

Checking the Web Application Proxy Service: the service was stopped.

 

Trying to start the service resulted in an error:
Windows Could not start the Web Application Proxy Service service on Local Computer.
Error 0x80190191: Unauthorized (401).

The Remote Access Management Console wasn't working properly, so I wasn't able to renew the certificate the easy way; therefore I switched to the PowerShell way.

 

Checking the current certificates:
dir cert:\LocalMachine\my

=> Write down the thumbprint of this certificate.

First, enable certificate rollover

 

Import the new certificate on ADFS01

On the ADFS01 server, import the certificate for

You can check this on ADFS01 => start AD FS Management => Service => Certificates

 

On the ADFSProxy server

And check the certificate

 

Remote Access Management Console wizard

If at this point you're not able to start the Remote Access Management Console wizard, go to the registry:

Go to HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus

Change the value of ProxyConfigurationStatus to 1

You can now start the Web Application Proxy Service and rerun the Remote Access Management Console wizard.

Or you can install the certificate by means of PowerShell:

 

 

Check the certificates on both servers:

 

 

 

On the ADFS01 server

 

If you see the old certificate, you need to renew the last certificate:

 

The last action is to update your federation on ADFS01:

 
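The PowerShell route for the whole procedure above, as an added example that is not the post's own commands. It assumes the new certificate is already imported into LocalMachine\My on both servers and that $NewThumbprint is replaced with the real thumbprint (the value below is a placeholder); the Update-AdfsCertificate step for the token certificates is my assumption about what "renew the last certificate" refers to.

```powershell
# Added example: PowerShell renewal of the ADFS service/SSL certificate and the
# WAP certificate. $NewThumbprint is a placeholder, not the post's value.
$NewThumbprint = 'REPLACE-WITH-NEW-CERTIFICATE-THUMBPRINT'

function Test-NewCertificate {
    # Refuse to bind a certificate ADFS/WAP cannot actually serve with.
    param([string]$Thumbprint)
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint already expired on $($cert.NotAfter)" }
    return $cert
}

function Update-AdfsServerCertificate {
    # Run on ADFS01 (the internal federation server).
    param([string]$Thumbprint)
    Test-NewCertificate $Thumbprint | Out-Null
    Import-Module ADFS
    Set-AdfsProperties -AutoCertificateRollover $true          # enable rollover first
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint
    Set-AdfsSslCertificate -Thumbprint $Thumbprint             # HTTPS listener binding
    Restart-Service adfssrv
    # Verify: Service-Communications and the SSL binding must show the new thumbprint.
    # Token-Signing / Token-Decrypting are separate certificates; if they are stale
    # too, Update-AdfsCertificate rolls them (assumed to be the post's last step),
    # after which the federation trust with Office 365 must be updated as well.
    Get-AdfsCertificate | Select-Object CertificateType, IsPrimary,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
    Get-AdfsSslCertificate
}

function Update-WapCertificate {
    # Run on ADFSProxy (the WAP server in the DMZ).
    param([string]$Thumbprint)
    Test-NewCertificate $Thumbprint | Out-Null
    # If the Remote Access Management wizard will not start, reset the proxy
    # configuration flag (1 = not yet configured) so the wizard can be re-run.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ADFS' -Name ProxyConfigurationStatus `
        -Value 1 -Type DWord
    Start-Service appproxysvc                                   # Web Application Proxy Service
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
    Get-WebApplicationProxySslCertificate                       # should list the new thumbprint
}

# Call the function that matches the server you are logged on to:
# Update-AdfsServerCertificate -Thumbprint $NewThumbprint   (on ADFS01)
# Update-WapCertificate        -Thumbprint $NewThumbprint   (on ADFSProxy)
```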

For more info:

https://blogs.technet.microsoft.com/rmilne/2016/03/21/updating-windows-server-2012-r2-adfs-ssl-and-service-certificates/

https://gallery.technet.microsoft.com/Update-the-Service-9e080ef8/view/Reviews

You can test your ADFS:

https://STS.Domain.com/adfs/ls/IdpInitiatedSignon.aspx
