The missing link during your ADFS certificate renewal
Last week I had to troubleshoot a problem on an ADFS Server from a customer who renewed all his ADFS certificates, at least he thought he did…
A few days after he renewed the certs all of a sudden the ADFS stopped working externally (via de WAP server).
We checked the certificate tab in the ADFS management console and this showed that all the certificates where valid.
I then checked the event logs on the WAP Server and found log messages in the System Logs repeated every 10 seconds:
An error occurred when Web Application Proxy tried to read configuration from AD FS.
This could mean that the ADFS was unreachable BUT we were able to ping the servers in both directions and there where no changes in firewall configurations so it had to be something in the HTTPS config.
So what did we do? We started looking at the communication stream and how the ADFS server sets up the connection.
On the ADFS Server there where errors in the System Log as well:
An error occurred while using SSL configuration for endpoint URL:443. The error status code is contained within the returned data.
This lead me to the advertisement of the HTTPS port(s) which (of course) are using a certificate to encrypt the packets between the ADFS and the WAP server.
I ran the following command from a Command Prompt on the ADFS server and retrieved the HTTPS ports and bindings (if you are reading this because you have the same problem then write down the bindings because you will need them later)
netsh http show sslcert
And viola, there it was… these ports where using the old wildcard certificate!
Now, how do you renew these certificates?
On the ADFS Server
A bit shamefull, this Powershell command is really short and does the trick 😉
You will only need the thumbprint of your certificate and place it behind the Thumbprint parameter.
set-AdfsSslCertificate -Thumbprint thumbprint
On the WAP Server
Then on the WAP Server recreate the connection to the ADFS Server by entering the credentials from a local admin on the ADFS Server in a variable in PowerShell:
And then “re-install” the WAP with the certificate thumbprint from the HTTPS ports certificate and the binding as noted in the previous steps.
Install-WebApplicationProxy -CertificateThumbprint THUMBPRINT -FederationServiceName BINDINGS -FederationServiceTrustCredential $credential
Apart from setting all the certificates for the correct services (token encrypt/decrypt and service communications) there still is one certificate to keep the connection alive which you can’t find in the GUI.
So be sure to check this certificate as well when you are replacing your expiring certificate!