We recently had to apply new certificates to an ADFS infrastructure. There are plenty of articles out there that detail how to do this; however, we came across an issue after the supposedly successful replacement/install.
In general we followed this procedure.
What we discovered, however, was that the ADFS proxy server would not update the certificate. The command to do it,
Set-WebApplicationProxySslCertificate
would complete successfully, but when we ran
Get-WebApplicationProxySslCertificate
we got back no results. It did not error; it just returned nothing.
We tried a number of things to fix this, all to no avail in the end.
Ultimately we had to remove the Web Application Proxy role from the server, re-add it, and then step through the configuration wizard again.
During the troubleshooting we found an event 383 in the event log. We are not sure whether it is indicative of this problem, but we include it here for future reference and comment.
References:
https://technet.microsoft.com/en-us/library/dn770156.aspx
http://blogs.msdn.com/b/javaller/archive/2014/06/18/why-isn-t-my-adfs-ssl-certificate-updating.aspx
http://blogs.perficient.com/microsoft/2014/05/office-365-replacing-the-ssl-certificate-in-ad-fs-3-0/
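As an added check for the situation described above (example code written for this page, not part of the original post): after replacing the certificate, verify the result from three angles at once: the machine certificate store, what the WAP role itself reports via Get-WebApplicationProxySslCertificate (the cmdlet that silently returned nothing here), and what HTTP.sys actually serves to a TLS client on port 443, which is the only view an external user gets. The federation host name and thumbprint are placeholders, and the CertificateHash property name on the cmdlet's output is taken as an assumption from its documented output.

```powershell
# Added example, not part of the original post. Verifies a certificate swap on
# a WAP (or AD FS) server from three angles: the machine store, the WAP role's
# own view, and what HTTP.sys actually serves on the port.
# Host name and thumbprint are placeholders (assumptions) you must replace.
param(
    [string]$FederationHost     = 'sts.example.com',                           # assumed FQDN
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567', # placeholder
    [int]$Port = 443
)

function Get-ServedCertificateThumbprint {
    # Open a TLS session and return the thumbprint of whatever certificate the
    # server presents. Validation is deliberately bypassed because the caller
    # compares the thumbprint itself; do not reuse this callback elsewhere.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # SNI = host name, as a browser would send it
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $client.Close()
    }
}

function Test-WapCertificateState {
    param([string]$HostName, [string]$Thumbprint, [int]$Port = 443)
    $Thumbprint = $Thumbprint.ToUpper()
    $r = [ordered]@{}

    # 1. Machine store: Set-WebApplicationProxySslCertificate needs the cert in
    #    LocalMachine\My together with its private key, and it must be valid.
    $stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $r.InStore       = [bool]$stored
    $r.HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
    $r.NotExpired    = [bool]($stored -and $stored.NotAfter -gt (Get-Date))

    # 2. The WAP role's view. In the post this cmdlet silently returned nothing,
    #    so "returned anything at all" is itself a check. The CertificateHash
    #    property name is assumed from the cmdlet's documented output.
    $wap = @(Get-WebApplicationProxySslCertificate -ErrorAction SilentlyContinue)
    $r.WapCmdletReturned = ($wap.Count -gt 0)
    $r.WapCmdletMatches  = [bool]($wap | Where-Object { "$($_.CertificateHash)".ToUpper() -eq $Thumbprint })

    # 3. The wire: what an external client actually gets on the port.
    try {
        $served = Get-ServedCertificateThumbprint -HostName $HostName -Port $Port
        $r.ServedThumbprint = $served
        $r.ServedMatches    = ($served -eq $Thumbprint)
    } catch {
        $r.ServedThumbprint = $null        # nothing listening, or the handshake failed
        $r.ServedMatches    = $false
    }
    [pscustomobject]$r
}

$state = Test-WapCertificateState -HostName $FederationHost -Thumbprint $ExpectedThumbprint -Port $Port
$state | Format-List
if (-not $state.WapCmdletReturned) {
    Write-Warning 'Get-WebApplicationProxySslCertificate returned nothing; inspect the HTTP.sys bindings with: netsh http show sslcert'
} elseif (-not $state.ServedMatches) {
    Write-Warning 'HTTP.sys is serving a different certificate than the one you installed.'
}
```

Run it on the WAP server itself against the external address, and again from a machine outside the perimeter: a mismatch between InStore/HasPrivateKey being true and ServedMatches being false is exactly the "installed fine, but nothing changed on the wire" state the post describes.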
I had the same problem and solved it like this.
In an administrative command prompt enter:
netsh http show ssl
Copy all the output for 0.0.0.0:443 and externalip:443
Delete both bindings:
netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete sslcert ipport=externalip:443
Add both bindings with the correct certificate thumbprint:
netsh http add sslcert ipport=0.0.0.0:443 certhash=xxxx appid=xxxxxx clientcertnegotiation=disable
netsh http add sslcert ipport=externalip:443 certhash=xxxx appid=xxxxxx clientcertnegotiation=disable
Restart WAP services
The above comment worked for me.
For some reason after changing out a cert, the bindings on my WAP server disappeared. This problem was noticed because the ADFS portal was accessible to internal computers, but not external. I had to manually set the bindings up again.
The correct appid for a WAP server is {f955c070-e044-456c-ac00-e9e4275b3f04}
For the command to run successfully i had to enter netsh http mode first:
netsh
http
add sslcert ipport=0.0.0.0:443 certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable
add sslcert ipport=externalip:443 certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable
For the ADFS 3.0 server (if you needed to update these binding as well) the appid would be {5d89a20c-beab-4389-9447-324788eb944a}. You would be setting up at least three bindings, one for localhost:443, one for your site FQDN:443 and one for your site FQDN:49443. Client cert negotiation should be enabled for port 49443.
This worked for me; however, my previous config had used hostnameport, so I had to add certstorename=MY and some other settings which I found on my other node:
netsh
http
add sslcert hostnameport=hostname.org.au:443 certhash=xxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=disable certstorename=MY sslctlstorename=AdfsTrustedDevices
add sslcert hostnameport=hostname.org.au:49443 certhash=xxxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=enable certstorename=MY
Wow, this was nasty, i.e. WAP broke, but with no warnings, errors, event log entries, system errors, etc., i.e. nothing showed as broken, but sure enough the NIC bindings for SSL were gone. This fixed it. Thank you!! 8D...ave
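The netsh procedure from the comments above, as an added example (not code from the post or its commenters) that wraps it in PowerShell: it parses the current HTTP.sys SSL bindings, and deletes and re-adds only those that are missing or point at the wrong certificate or application ID, covering both the ipport form used for WAP and the hostnameport form used for AD FS 3.0. The application IDs are the ones quoted in the comments; the endpoints, thumbprint and the proxy service name are placeholders and assumptions, and the parser depends on the English-language output of netsh http show sslcert.

```powershell
# Added example, not part of the post or the comments. Automates the netsh
# sequence the commenters describe: read the HTTP.sys SSL bindings, then
# (re)create any that are missing or bound to the wrong certificate.
# App IDs are the ones quoted in the comments above; endpoints and the
# thumbprint are placeholders. Run from an elevated PowerShell.

$WapAppId  = '{f955c070-e044-456c-ac00-e9e4275b3f04}'   # WAP, per the comment above
$AdfsAppId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # AD FS 3.0, per the comment above

function Get-HttpSysSslBinding {
    # Parse 'netsh http show sslcert' (English output assumed) into one object
    # per binding. A binding starts with an 'IP:port' or 'Hostname:port' line;
    # the fields we care about follow as 'Name : value' lines.
    $bindings = @()
    $cur = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($cur) { $bindings += [pscustomobject]$cur }
            $kind = if ($matches[1] -eq 'IP:port') { 'ipport' } else { 'hostnameport' }
            $cur = [ordered]@{ Kind=$kind; Endpoint=$matches[2]; Hash=$null; AppId=$null; Store=$null; ClientCert=$null; CtlStore=$null }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') { $cur.Hash = $matches[1].ToUpper() }
        elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\S+)') { $cur.AppId = $matches[1].ToLower() }
        elseif ($cur -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') { $cur.Store = $matches[1] }
        elseif ($cur -and $line -match '^\s*Negotiate Client Certificate\s*:\s*(\S+)') { $cur.ClientCert = $matches[1] }
        elseif ($cur -and $line -match '^\s*Ctl Store Name\s*:\s*(\S+)') { $cur.CtlStore = $matches[1] }
    }
    if ($cur) { $bindings += [pscustomobject]$cur }
    return ,$bindings
}

function Set-HttpSysSslBinding {
    # Ensure one binding exists with the given certificate and app ID. Delete
    # then add, exactly as the comments do, but only when the current state is wrong.
    param(
        [Parameter(Mandatory)][ValidateSet('ipport','hostnameport')][string]$Kind,
        [Parameter(Mandatory)][string]$Endpoint,        # e.g. 0.0.0.0:443 or sts.example.com:49443
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId,
        [ValidateSet('enable','disable')][string]$ClientCertNegotiation = 'disable',
        [string]$CtlStoreName,
        [switch]$DryRun
    )
    $want = $Thumbprint.ToUpper()
    $have = Get-HttpSysSslBinding | Where-Object { $_.Endpoint -eq $Endpoint }
    if ($have -and $have.Hash -eq $want -and $have.AppId -eq $AppId.ToLower()) {
        Write-Host "OK      $Endpoint already bound to $want"
        return
    }
    $addArgs = @('http','add','sslcert',"$Kind=$Endpoint","certhash=$want","appid=$AppId",
                 'certstorename=MY',"clientcertnegotiation=$ClientCertNegotiation")
    if ($CtlStoreName) { $addArgs += "sslctlstorename=$CtlStoreName" }
    if ($DryRun) { Write-Host "WOULD   netsh $($addArgs -join ' ')"; return }
    if ($have) { & netsh http delete sslcert "$Kind=$Endpoint" | Out-Null }
    $out = & netsh @addArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for ${Endpoint}: $out" }
    Write-Host "FIXED   $Endpoint -> $want"
}

# WAP server whose two bindings vanished, the symptom in the comments. Placeholders:
$thumb      = '0123456789ABCDEF0123456789ABCDEF01234567'
$externalIp = '203.0.113.10'
$adfsFqdn   = 'sts.example.com'

Set-HttpSysSslBinding -Kind ipport -Endpoint '0.0.0.0:443'        -Thumbprint $thumb -AppId $WapAppId -DryRun
Set-HttpSysSslBinding -Kind ipport -Endpoint "${externalIp}:443"  -Thumbprint $thumb -AppId $WapAppId -DryRun

# AD FS 3.0 server using hostname bindings, as in the last netsh comment: 443 with
# client cert negotiation off and the AdfsTrustedDevices CTL, 49443 with it on.
Set-HttpSysSslBinding -Kind hostnameport -Endpoint "${adfsFqdn}:443"   -Thumbprint $thumb -AppId $AdfsAppId -CtlStoreName AdfsTrustedDevices -DryRun
Set-HttpSysSslBinding -Kind hostnameport -Endpoint "${adfsFqdn}:49443" -Thumbprint $thumb -AppId $AdfsAppId -ClientCertNegotiation enable -DryRun

# Drop -DryRun to apply, then restart the proxy (service name assumed: appproxysvc):
# Restart-Service appproxysvc
```

Keep the -DryRun pass first: it prints the exact netsh add lines without touching HTTP.sys, so you can compare them against the output of netsh http show sslcert from a healthy node (the other-node comparison the last commenter used) before deleting anything.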