Saturday, July 18, 2015

Trouble with ADFS Proxy Certificate update\renewal

We recently had to apply new certificates to an ADFS infrastructure. There are plenty of articles out there that detail how to do this; however, we came across an issue after the supposedly successful replacement\install.

In general we followed this procedure.

However, what we discovered was that the ADFS proxy server would not update the certificate. The command to do it


would complete successfully.

When you run the


we were getting back no results. It did not error; it just returned nothing.

We tried a number of things to fix this, all to no avail in the end.

Ultimately we had to remove the Web Application Role from the server and then re-add it again, and then step through the configuration wizard.

During the troubleshooting we found a 383 event in the event log. I am not sure whether it is indicative of this problem, but I include it here for future reference and comment.




  1. I had the same problem and solved it like this.

    In an administrative command prompt enter:
    netsh http show ssl

    Copy all the output for and externalip:443
    Delete both bindings:
    Netsh http delete sslcert ipport=
    Netsh http delete sslcert ipport=externalip:443

    Add both bindings with the correct certificate thumbprint:

    netsh http add sslcert ipport= certhash=xxxx appid=xxxxxx clientcertnegotiation=disable

    netsh http add sslcert ipport=externalip:443 certhash=xxxx appid=xxxxxx clientcertnegotiation=disable

    Restart WAP services

  2. The above comment worked for me.

    For some reason after changing out a cert, the bindings on my WAP server disappeared. This problem was noticed because the ADFS portal was accessible to internal computers, but not external. I had to manually set the bindings up again.

    The correct appid for a WAP server is {f955c070-e044-456c-ac00-e9e4275b3f04}

    For the command to run successfully I had to enter netsh http mode first:

    add sslcert ipport= certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable
    add sslcert ipport=externalip:443 certhash=yourcertthumbprint appid={f955c070-e044-456c-ac00-e9e4275b3f04} clientcertnegotiation=disable

    For the ADFS 3.0 server (if you needed to update these bindings as well) the appid would be {5d89a20c-beab-4389-9447-324788eb944a}. You would be setting up at least three bindings, one for localhost:443, one for your site FQDN:443 and one for your site FQDN:49443. Client cert negotiation should be enabled for port 49443.

  3. This worked for me; however, my previous config had used hostnameport, so I had to add certstorename=MY and some other settings, which I found on my other node:
    add sslcert certhash=xxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=disable certstorename=MY sslctlstorename=AdfsTrustedDevices

    add sslcert certhash=xxxxxxxxxxxxxxxx appid={5d89a20c-beab-4389-9447-324788eb944a} clientcertnegotiation=enable certstorename=MY

  4. Thank you very much! This one saved my life.
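The check below is an added example, not part of the original post or any of the comments. It turns the manual "netsh http show sslcert, then compare the hash" step from comments 1 and 2 into a script that audits the WAP bindings after a certificate change: it parses the netsh output, confirms the new certificate is actually in the machine store, and flags any expected ipport whose binding is missing, bound to the wrong appid, or still carrying the old certhash. Assumptions: it runs in an elevated PowerShell session on the WAP server, the expected thumbprint and ipport values are supplied by the operator (the default ipport is a constructed placeholder), and the WAP appid is the one quoted in comment 2.

```powershell
# Added example: audit HTTP.sys SSL bindings on a Web Application Proxy server.
# Assumes an elevated session on the WAP server itself.
param(
    [Parameter(Mandatory)][string]$ExpectedThumbprint,   # thumbprint of the NEW certificate
    [string[]]$ExpectedIpPorts = @('0.0.0.0:443')        # constructed placeholder; use your real ipport values
)
$WapAppId = '{f955c070-e044-456c-ac00-e9e4275b3f04}'     # WAP appid as given in comment 2

# Parse "netsh http show sslcert" into one object per binding (IP:port or Hostname:port).
function Get-SslBindings {
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [ordered]@{ IpPort = $Matches[1] }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        } elseif ($current -and $line -match '^\s*Negotiate Client Certificate\s*:\s*(\S+)') {
            $current.ClientCertNegotiation = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

$expected = $ExpectedThumbprint.Replace(' ', '').ToLower()

# HTTP.sys can only serve a certificate that is present in LocalMachine\My.
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint.ToLower() -eq $expected }
if (-not $inStore) { Write-Warning "Certificate $expected is not in LocalMachine\My" }

$bindings = Get-SslBindings
foreach ($ipport in $ExpectedIpPorts) {
    $b = $bindings | Where-Object { $_.IpPort -eq $ipport }
    if (-not $b) {
        # This is the "bindings disappeared" symptom described in comment 2.
        Write-Warning "No SSL binding exists for $ipport"; continue
    }
    if ($b.AppId -ne $WapAppId) {
        Write-Warning "$ipport is bound to appid $($b.AppId); expected WAP appid $WapAppId"
    }
    if ($b.CertHash.ToLower() -ne $expected) {
        Write-Warning "$ipport still uses certhash $($b.CertHash); expected $expected"
    } else {
        Write-Output "$ipport OK (client cert negotiation: $($b.ClientCertNegotiation))"
    }
}
```

A binding reported as missing or carrying the old hash is exactly the state the delete/add sslcert steps in comments 1 and 2 repair; the script only reports and changes nothing.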